EU General Data Protection Regulation - Data Privacy Annexure

Effective Date: 1st July 2025

This Jangosocial by Synoviq, Inc. (Company) Data Processing Agreement and its Annexes ("DPA") reflects the parties' agreement with respect to the Processing of Personal Data by Jangosocial by Synoviq, Inc. (Company) on behalf of Customer in connection with the Services under the Jangosocial by Synoviq, Inc. (Company) Master Service Agreement (including any Professional Services Statement of Work) between Jangosocial by Synoviq, Inc. (Company) and Customer (the "Agreement").

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement or an executed amendment to the Agreement. The terms and conditions of the Data Processing Agreement apply where the EU GDPR applies to Customer or to Jangosocial by Synoviq, Inc. (Company) or to any of their respective Affiliates.

We periodically update the terms of this DPA. Jangosocial by Synoviq, Inc. (Company) will let you know when we do via email.

The term of this DPA shall follow the Term of the Agreement. Words or phrases not otherwise defined herein shall have the meanings set forth in the Master Service Agreement.

Definitions

"California Personal Information" means Personal Data in relation to which Customer is a Business under the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

"Business", "Sell" and "Service Provider" shall have the meanings given to them in the CCPA.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, and the CCPA; in each case as amended, repealed, consolidated or replaced from time to time.

"Data Subject" means the individual to whom Personal Data relates.

"European Data" means Personal Data, the Processing of which, is subject to European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

"Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Jangosocial by Synoviq, Inc. and/or its Sub-Processors in connection with the provision of the Services. "Personal Data Breach" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process", "Processes" and "Processed" will be construed accordingly.

"Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

"Standard Contractual Clauses" means the standard contractual clauses for Processors approved pursuant to the European Commission's decision (C(2010)593) of 5 February 2010, in the form set out at Annex 3.

"Sub-Processor" means any Processor engaged by Jangosocial by Synoviq, Inc. or its Affiliates to assist in fulfilling Jangosocial by Synoviq, Inc.'s obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or Jangosocial by Synoviq, Inc. Affiliates but shall exclude any Jangosocial by Synoviq, Inc. employee or consultant.

1. Security Best Practices

The Company should provide a secure environment for Confidential Information and any hardware and software, including servers, network and data components, to be supported as part of its performance under this Agreement and will, at all times, remain at the higher of (i) applicable security and privacy laws and regulations, (ii) applicable privacy and security rules imposed by industry groups, (iii) Privacy & IT Security Best Practices (as defined by ISO 27001), and (iv) all security requirements, obligations, specifications and event reporting procedures as required in any applicable exhibit or schedule hereof.

2. Security Management

  • Company will develop, implement, maintain, and enforce a written information privacy and security program ("Security Program") that (i) complies with security best practices, (ii) includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data and (iii) is appropriate to the nature, size and complexity of Company's business operations and the Customer Data involved.
  • Company will notify Client of details regarding any material changes to its Security Program that may adversely affect the privacy and security of any Client and Customer Data.
  • Company will designate a senior employee to be responsible for overseeing and carrying out its Security Program and for communicating with Client on information security matters. Upon Client's request, Company's Security Officer will provide Client with the contact information of one or more Company representatives who will be available to discuss any privacy and security concerns (e.g., discovered vulnerability, exposed risk, reported concern) with Client and to communicate the level of risk associated with such concerns and any remediation thereof.

3. Personnel Security

  • Prior to assigning any of its Personnel to positions in which they will, or Company reasonably expects them to, have access to Customer Data, Company will conduct or verify background checks on such Personnel, except where expressly prohibited by law. For the purposes of this Exhibit, "Personnel" means Company's employees, independent contractors, and subcontractors that have access to Personal Data.
  • Company Personnel will, upon hiring, and at least annually thereafter, participate in privacy and security awareness training. This training will cover, at a minimum, Company's privacy and security policies, including acceptable use, password protection, data classification, Breach reporting, the repercussions of violations, and brief overviews of Applicable Laws and Regulations.
  • Company must maintain a security process to conduct appropriate due diligence prior to utilizing subcontractors to provide any of the Services. Company will assess the security capabilities of any such subcontractors on an annual basis to ensure subcontractor's ability to comply with this Exhibit and the terms of the Agreement.

4. Physical and Environmental Security

  • Company will maintain appropriate physical and environmental security measures to protect Customer Data from unauthorized physical access, theft, and environmental hazards.
  • Company will implement access controls, including visitor logs, security cameras, and restricted access areas where Customer Data is processed or stored.
  • Company will maintain environmental controls, including fire suppression systems, climate control, and power backup systems to ensure the availability and integrity of Customer Data.

5. Technical Security Controls

  • Company will implement appropriate technical security measures, including encryption, access controls, and network security to protect Customer Data.
  • Company will maintain secure network architecture with firewalls, intrusion detection systems, and regular security monitoring.
  • Company will implement secure development practices and regular security testing of applications and systems.
  • Company will maintain secure backup and recovery procedures to ensure data availability and integrity.

6. Data Processing and Storage

  • Company will process Customer Data only in accordance with Client's documented instructions and for the purposes specified in the Agreement.
  • Company will implement appropriate data retention and disposal procedures to ensure Customer Data is not retained longer than necessary.
  • Company will maintain accurate records of all data processing activities as required by applicable data protection laws.
  • Company will implement appropriate data minimization and purpose limitation practices.

7. Access Controls and Authentication

  • Company will implement strong authentication mechanisms, including multi-factor authentication where appropriate.
  • Company will maintain role-based access controls to ensure that personnel have access only to the Customer Data necessary for their job functions.
  • Company will regularly review and update access permissions and promptly revoke access for terminated personnel.
  • Company will maintain audit logs of all access to Customer Data and regularly review these logs for suspicious activity.

8. Data Encryption and Protection

  • Company will encrypt Customer Data both in transit and at rest using industry-standard encryption algorithms.
  • Company will implement secure key management practices and protect encryption keys from unauthorized access.
  • Company will use secure communication protocols (e.g., TLS 1.2 or higher) for all data transmissions.
  • Company will implement appropriate data masking and anonymization techniques where applicable.

9. Incident Response and Breach Notification

  • Company will maintain an incident response plan and team to handle security incidents and data breaches.
  • Company will notify Client of any security incident or data breach within 72 hours of becoming aware of the incident.
  • Company will provide detailed information about the incident, including the nature of the breach, affected data, and remediation measures taken.
  • Company will cooperate with Client and relevant authorities in investigating and responding to security incidents.

10. Business Continuity and Disaster Recovery

  • Company will maintain business continuity and disaster recovery plans to ensure the availability of Customer Data and services.
  • Company will regularly test and update these plans to ensure their effectiveness.
  • Company will maintain redundant systems and backup procedures to minimize service disruptions.
  • Company will provide Client with information about its business continuity and disaster recovery capabilities upon request.

11. Third-Party Risk Management

  • Company will conduct due diligence on all third-party service providers that have access to Customer Data.
  • Company will ensure that all third-party contracts include appropriate data protection and security requirements.
  • Company will regularly assess the security posture of third-party providers and require remediation of any identified risks.
  • Company will maintain a list of all Sub-Processors and notify Client of any changes to this list.

12. Compliance Monitoring and Auditing

  • Company will conduct regular internal audits of its security and privacy practices.
  • Company will maintain appropriate documentation of all security and privacy controls and procedures.
  • Company will cooperate with Client's reasonable requests for security and privacy audits.
  • Company will promptly address any findings from audits and implement necessary remediation measures.

13. Data Subject Rights

The Parties are responsible for ensuring the rights of data subjects in accordance with the following:

  • Right of Access: Data subjects have the right to obtain confirmation of whether their personal data is being processed and access to their personal data.
  • Right to Rectification: Data subjects have the right to have inaccurate personal data corrected and incomplete personal data completed.
  • Right to Erasure (Right to be Forgotten): Data subjects have the right to have their personal data erased in certain circumstances.
  • Right to Restriction of Processing: Data subjects have the right to restrict the processing of their personal data in certain circumstances.
  • Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
  • Rights in Relation to Automated Decision Making: Data subjects have the right not to be subject to decisions based solely on automated processing.

The parties are responsible for assisting each other to the extent this is relevant and necessary for both parties to comply with their obligations to the data subjects.

14. Data Subject Requests

  • The Services provide Client with several categories of personal data that Client may use to retrieve, correct, delete, or restrict Personal Data, which Client may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").
  • To the extent that Client is unable to independently address a Data Subject Request through the Services, then upon Client's written request Company shall provide assistance to Client to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement.
  • If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Jangosocial, Jangosocial will promptly inform Client and will advise the Data Subject to submit their request to Customer. Customer shall be responsible for responding to any such Data Subject Requests or communications involving Personal Data.

15. Responsibilities of the Parties

  • The parties agree that Company (Jangosocial by Synoviq, Inc.) will process EU Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement.
  • Company (Jangosocial by Synoviq, Inc.) shall not (a) Sell EU Personal Information; or (b) retain, use, or disclose EU Personal Information for any purpose other than for the Business Purpose or as otherwise permitted by the GDPR without explicit consent from the customer or data subject.

16. Additional Provisions for European Data

This Section (Additional Provisions for European Data) shall apply only with respect to European Data.

  • Roles of the Parties: When Processing European Data in accordance with Customer's Instructions, the parties acknowledge and agree that Client is the Controller of European Data and Jangosocial by Synoviq, Inc. is the Processor.
  • Transfer Mechanisms for Data Transfers:
    • Jangosocial by Synoviq, Inc. shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws.
    • Client acknowledges that in connection with the performance of the Services, Jangosocial by Synoviq, Inc. is a recipient of European Data in the United States. The parties agree that Jangosocial by Synoviq, Inc. makes available the transfer mechanisms listed below.
    • Standard Contractual Clauses: Jangosocial by Synoviq, Inc. agrees to abide by and process European Data in compliance with the Standard Contractual Clauses. If and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

17. Breach Notification and Response Procedures

  • Company will maintain an incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of, Security Breaches. Upon discovering or otherwise becoming aware of a Breach, Company will take all reasonable measures to mitigate the harmful effects of the Breach.
  • Company will also notify Client and Customer (users) of the Breach as soon as practicable, but in no event later than 72 hours after the Breach. Notice to Customer (user) will include: (i) the identification of the Customer Data which has been or Company reasonably believes has been used, accessed, acquired or disclosed during the incident; (ii) a description of what happened, including the date and time of the incident and the date and time of discovery of the incident, if known; (iii) the scope of the incident, including a description of the type of Customer Data involved in the incident; (iv) a description of Company's response to the incident, including steps Company has taken to mitigate the harm caused by the incident; and (v) other information as Customer may reasonably request and is reasonably applicable.
  • Company agrees to cover the costs of any such notification, including reimbursing Client and Customer for any reasonable costs.
  • Company will retain all data related to known and reported Breaches or investigations until Company reasonably determines that the data is no longer needed. Upon Client's request, Company will permit Client or its third-party auditor to review and verify relevant video surveillance records, access logs and data pertaining to any Breach investigation.
  • Upon conclusion of investigative, corrective, and remedial actions with respect to a Breach, Company will prepare and deliver to Client a final report that describes in detail: (i) the extent of the Breach; (ii) the Customer/Client Data disclosed, destroyed, or otherwise compromised or altered; (iii) all supporting evidence, including, but not limited to, system, network, and application logs; (iv) all corrective and remedial actions completed; and (v) all efforts taken to mitigate the risks of further Breaches.

18. Contact Information

For questions about GDPR compliance and data protection, please contact us:

Address: Jangosocial by Synoviq, Inc.
131 Continental Dr Suite 305
Newark, DE, 19713, USA

Last Updated: 1st July 2025