1. Definitions

    1.1 In this DPA:

    a) “Controller”, “Data Subject”, “Processing”, “Processor”, “Service Provider”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;

    b) “Data Protection Law” means (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other data protection laws of the European Union, the European Economic Area (“EEA”) and their respective Member States, Switzerland and the United Kingdom (“UK”); (ii) the California Consumer Privacy Act as amended by the California Privacy Rights Act (California Civil Code § 1798.100) (“CCPA”); and (iii) all laws implementing or supplementing the foregoing and any other applicable data protection or privacy laws;

    c) “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, such as the right to information, access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated individual decision-making;

    d) “Restricted Data Transfer” means any international transfer of Personal Data that would be prohibited under Data Protection Law in the EEA or UK without implementation of additional safeguards such as Standard Contractual Clauses;

    e) “Personnel” means any natural person acting under the authority of Thena;

    f) “Personal Data” means any information that constitutes “personal data” or “personal information” within the meaning of applicable Data Protection Law that Thena may access in performing the services under the Agreement;

    g) “Personal Data Breach” means an actual, or reasonably certain, unauthorized destruction, loss, control, alteration, disclosure of, or access to, Personal Data for which Thena is responsible. Personal Data Breaches do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Personal Data, such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;

    h) “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;

    i) “Sub processor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller;

    j) “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time; and

    k) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner for parties making restricted transfers, available at https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fico.org.uk%2Fmedia%2Ffor-organisations%2Fdocuments%2F4019535%2Faddendum-international-data-transfer.docx&wdOrigin=BROWSELINK.

    1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.


  2. Roles

    2.1. Thena shall process Personal Data only as a processor acting on behalf of Customer and, with respect to CCPA and other applicable U.S. state privacy laws, as a service provider, in each case, regardless of whether Customer acts as a controller or as a data processor on behalf of a third-party controller with respect to Personal Data.

  3. Scope

    3.1. This DPA applies to Processing of Personal Data by Thena in the context of the Agreement.

    3.2. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.

  4. Instructions

    4.1. Thena will only Process Personal Data to provide the services to the Customer.

    4.2. It is the parties’ intent that Thena is a service provider, and Thena certifies that it will not (a) “sell” or “share” (as defined in the CCPA) the Personal Data; (b) retain, use, or disclose the Personal Data to any person other than as necessary to provide the services or outside of the direct business relationship between the parties, unless required by applicable laws; or (c) combine the Personal Data that Thena receives from or on behalf of Customer with personal data that Thena collects or receives from another person.

    4.3. Customer’s instructions are documented in Annex I, the Agreement, and any applicable statement of work.

    4.4. Customer may issue additional instructions to Thena as it deems necessary to comply with Data Protection Law. Such instructions must be provided to Thena in writing and acknowledged in writing by Thena as constituting instructions for purposes of this DPA, and Thena may charge a reasonable fee to comply with any such additional instructions.

    4.5. The parties acknowledge and agree that the disclosure of Personal Data by the Customer to Thena does not form part of any monetary or other valuable consideration exchanged between the parties.

  5. Customer Responsibilities

    5.1 Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer shall (i) have provided, and will continue to provide, all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable Data Protection Law for Thena to lawfully process Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) have complied with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Thena and its Sub processors; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

  6. Subprocessing


  7. Restricted Data Transfers


  8. Personnel


  9. Security and Personal Data Breaches


  10. Assistance


  11. Accountability


  12. Audit

    12.1. Upon Customer’s written request and no more than once in a calendar year, Thena will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations of Data Protection Law and this DPA and allow for and contribute to audits, including inspections, conducted by a Supervisory Authority, Customer or another auditor mandated by Customer.

    12.2. If Customer’s requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Thena confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

    12.3. Any Customer-requested audits are at Customer’s expense. Customer shall reimburse Thena for any time expended by Thena or its Sub processors in connection with any Customer-requested audits or inspections at Thena’s then-current professional services rates, which shall be made available to Customer upon request.

  13. Liability

    13.1. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement and this DPA combined, is subject to the limitations on liability or other liability caps agreed to by the parties in the Agreement.

  14. Confidentiality

    14.1. Thena must keep all Personal Data and all information relating to the Processing thereof, in strict confidence.

  15. Analytics

    15.1. Customer acknowledges and agrees that Thena may create and derive from Processing related to the services anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve Thena’s products and services and for its other legitimate business purposes.

  16. Notifications

    16.1. Thena must make all notifications required under this DPA as agreed to in the Agreement or to the then-established daily point of contact with the Customer.

  17. Term and Duration of Processing

    17.1. The Processing will last no longer than the term of the Agreement.

    17.2. Upon termination of the Processing, Thena will, as soon as reasonably practicable, return or securely delete and destroy all Personal Data in Thena’s possession or control, except as otherwise required by law or set out in the Agreement. Upon request from Customer, Thena will certify such secure deletion in writing within thirty (30) days of Customer’s request.

    17.3. This DPA is terminated upon Thena’s deletion of all remaining copies of Personal Data in accordance with Section 17.2.


  18. Modification of this DPA

    18.1. This DPA may only be modified by a written amendment signed by both Customer and Thena.

  19. Invalidity and Severability

    19.1. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.


ANNEX I

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

Subject Matter: Thena’s provision of the SaaS-based customer communication platform services to Customer.

Nature and Purpose of the Processing: Thena will process Customer Personal Data for the purposes of providing the services to Customer in accordance with the DPA.

Duration of the Processing: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.

Frequency of the Processing: As and when the services are accessed.

Categories of Data: Data relating to individuals provided to Thena in connection with the services, by (or at the direction of) Customer, including email address, name, user ID, and profile picture.

Sensitive Data Processed: The services are not intended to Process special categories of data.

Data Subjects: Customers’ end users.


ANNEX II

SECURITY CONTROLS

Thena has implemented and maintains the information security controls listed below to protect personal data during storage, processing, and transmission.

Security Control Category: Information Security Program
Description: In accordance with our SOC 2 Type II compliance program, we maintain policies, procedures, and practices documenting our technological, administrative, and procedural safeguards relating to the privacy, security, integrity, and availability of personal data. Our information security framework includes periodic audits, assessments, and employee privacy and security training. We undergo annual independent third-party SOC 2 Type II audits that include a risk assessment of the threats to the privacy, confidentiality, security, integrity and availability of personal data, the likelihood that these threats occur, and measures to mitigate these risks. We conduct penetration testing of the network and our application to evaluate the security of our production environment.

Security Control Category: Data Collection, Retention and Disposal
Description: We only collect the personal data we need to accomplish our business purposes, including names, business email addresses, links to Slack profile pictures, and Slack user metadata. We do not store users’ conversation data on our systems. When a customer uninstalls our solution, we securely dispose of the personal data in our possession by deleting the customer’s data from our systems.

Security Control Category: Personnel Background Checks
Description: We conduct background checks on all of our employees using Checkr.

Security Control Category: Personnel Training and Education
Description: We regularly train all our employees on our information security program, the importance of the security, confidentiality, and privacy of personal data, and the risks to our company and its customers associated with security incidents.

Security Control Category: Access Controls
Description: We only permit access to personal data, sensitive information systems, and our premises to authorized employees based on their role and with prior approval. Terminated employees are prevented from accessing personal data and lose access to all devices and applications upon termination.

Security Control Category: Secure User Authentication
Description: All communication between customer systems and our platform is encrypted in transit (TLS 1.2/HTTPS). All stored data, session cookies, and backups are encrypted at rest. Our databases are also encrypted using custom keys for additional security. We use industry-standard encryption and a monitoring agent to protect the data stored on company laptops.

Security Control Category: Network Security
Description: We store all personal data on private networks that require VPN to access, and we conduct biannual penetration testing to evaluate the security of the network.

Security Control Category: Malicious Code Detection
Description: We have implemented Snyk to detect and remedy malicious or insecure code designed to perform an unauthorized function on, or permit unauthorized access to, any information system. We remediate any malicious or insecure code promptly upon identification.

Security Control Category: Vulnerability and Patch Management
Description: We conduct biannual vulnerability assessments to detect vulnerabilities on the network, and we have implemented processes to remediate any detected vulnerabilities.

Security Control Category: Application Security
Description: We maintain application security and software development controls, including private networks, custom key encryption, and biannual penetration testing, to detect and prevent the introduction of security vulnerabilities.

Security Control Category: Change Controls
Description: Prior to implementing code changes, our employees follow a documented change management process to assess the potential security and product impact of such changes. We document all changes to our information systems as part of merge requests.

Security Control Category: Off-Premise Information Security
Description: We monitor and document the movement of records or media using Vanta, an automated security and compliance platform. We have implemented strict password protection on all personal devices that access our systems. We maintain restrictions on physical access to our offices and information systems through the implementation of strict access controls that are recorded in a digital registry.


ANNEX III

LIST OF SUB-PROCESSORS

Vendor name | HQ | Description | Leadership
Amazon Web Services (AWS) | 410 Terry Avenue North, Seattle, WA 98109, United States | Thena is hosted on AWS Cloud servers |
GitHub | San Francisco, California, USA | Version control and code hosting | Thomas Dohmke (CEO)
Supabase | San Francisco, California, USA | Real-time PostgreSQL backend with auto APIs | Paul Copplestone (Co-founder & CEO)
MongoDB Atlas | MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019, United States | Database for storing application metadata |
Heroku (Server Hosting) | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, California 94105, United States | Servers for processing |
Slack | California, United States | Communication platform for teams and customers |
Zoom | California, United States | Communication platform for teams and customers |
Linear | California, United States | Product ticketing platform |
Sentry | San Francisco, California, USA | Data Platform |
Amplitude | California, United States | Product Analytics |
Pusher | Amsterdam | Real time technology |
Logrocket | Massachusetts, United States | Product analytics |
Retool | California, United States | Data Platform |