DATA PROCESSING ADDENDUM
This Data Processing Addendum ("DPA") forms an integral part of, and is subject to, the agreement dated [DATE] (the "Agreement") by and between Asure Software, Inc. (together with any applicable affiliate, "Provider") and [CUSTOMER] ("Customer") to which it is attached. Capitalized terms used but not otherwise defined herein shall have such meanings as set forth in the Agreement. In the event that Provider Processes any Customer Personal Data (each as defined in Section 3 below) in the course of providing the Services to Customer under the Agreement, this DPA shall govern the Processing of such Customer Personal Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail solely with respect to the Processing of Customer Personal Data.
Customer and Provider hereby agree as follows:
BACKGROUND
- Duties as a Processor. When providing the Services to the Customer, Provider will act as a Processor or Subprocessor (in circumstances in which Customer is acting as the Processor) of Customer Personal Data, and Provider undertakes to Process Customer Personal Data on behalf of the Customer in accordance with the Agreement, this DPA and the documented instructions of the Customer, including Annex 1 attached hereto. The Processing will be performed exclusively within the framework of the Agreement and this DPA or as otherwise required by applicable Data Privacy Laws. Except as required by applicable Data Privacy Laws, in its capacity as a Processor Provider shall not use the Customer Personal Data for any purpose other than as specified in the Agreement and this DPA. The Customer will inform Provider of any such purposes which may be prohibited by applicable Data Privacy Laws. All Customer Personal Data that is Processed by Provider in its capacity as a Processor on behalf of the Customer shall remain the property of the Customer and/or the applicable Consumers.
- Duties as a Controller. When Provider Processes Customer Personal Data subject to applicable Data Privacy Laws for business operations incident to providing the Services to the Customer (for example, to create de-identified data sets or to facilitate communication with the Customer about Provider or Provider's business partners, including to offer products and services to the Customer's employees), Provider will act as a Controller of Customer Personal Data, as specified in greater detail below in Section 5 of this DPA.
APPLICABILITY OF THIS DPA
- The following sections apply when Provider is acting as a Processor or Subprocessor of Customer Personal Data: (i) Section 1.1 (Duties as a Processor); (ii) Section 4 (Data Processing (Processor)); (iii) Section 6 (Transfers of Personal Data); (iv) Section 7 (International Transfers); (v) Section 8 (Data Security, Audits and Security Notifications); (vi) Section 10 (Data Protection Impact Assessment and Prior Consultation); and (vii) Section 11 (Termination).
- The following sections apply when Provider is a Controller of Customer Personal Data: (i) Section 1.2 (Duties as a Controller); (ii) Section 5 (Data Processing (Controller)); and (iii) Section 7 (International Transfers).
DEFINITIONS
The following capitalized terms used in this DPA shall be defined as follows:
- "Consumer" has the meaning given in CCPA and/or any equivalent term under other Data Privacy Laws.
- "Controller" means (i) a "business" as that term is defined by the CCPA, and/or (ii) any equivalent term under other Data Privacy Laws.
- "Customer Personal Data" means (i) "personal information" as defined in the CCPA, and/or (ii) any equivalent term as defined in applicable Data Privacy Laws, all as further described in Annex 1 to this DPA, that, in each case, Provider collects from the Customer or that the Customer submits to the Services, including without limitation when such collection or submission occurs in situations where Customer is acting as a Processor. Customer Personal Data includes any Employee Personal Data that Provider collects from the Customer or that the Customer submits to the Services, including without limitation when such collection or submission occurs in situations where Customer is acting as a Processor.
- "Data Privacy Laws" means (i) United States state privacy and data protection laws, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"); and (ii) any other data privacy or data protection laws that are presently applicable or may in the future become applicable to Customer and/or Customer Personal Data, together with their implementing and/or interpretive regulations, each of the foregoing as they may be amended, replaced or superseded from time to time.
- "Employee Personal Data" means any personal data of Customer's employees that Provider collects from the Customer's employees or that the Customer submits to the Services.
- "Processing", "Process" or "Processes" has the meaning given in the CCPA or the equivalent term under other applicable Data Privacy Laws.
- "Processor" means (i) a "service provider" as that term is defined by the CCPA, and/or (ii) any equivalent term under other applicable Data Privacy Laws.
- "Security Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data.
- "Services" shall have the meaning set forth in the Agreement, or, if not defined therein, "Services" shall mean those services to be provided by Provider to Customer pursuant to the Agreement.
- "Subprocessor" means any Processor engaged by Provider to whom Provider discloses Customer Personal Data, or, if the context clearly dictates, Provider when it Processes Customer Personal Data on behalf of another Processor.
- "Supervisory Authority" means the California Privacy Protection Agency or other regulatory authority specified under other applicable Data Privacy Laws.
DATA PROCESSING (PROCESSOR)
- Instructions for Data Processing. When acting as Processor, Provider will only Process Customer Personal Data in accordance with Customer's written instructions. Except as may be otherwise required by applicable Data Privacy Laws, the Agreement, including all addenda thereto, and this DPA shall be Customer's sole, complete, and final instructions to Provider in relation to the Processing of Customer Personal Data that Provider Processes when acting as Processor. To the extent applicable Data Privacy Laws permit Customer to provide supplemental Processing instructions to Provider, Provider reserves the right to make corresponding reasonable adjustments to its fee schedule and/or to charge reasonable administrative fees commensurate with the costs of any new required Processing activities.
- When Provider is acting as Processor, Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior express written agreement between Provider and Customer, setting forth additional instructions for such Processing. Without limiting the foregoing, Provider agrees that, when acting as Processor, it will not (i) sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic means, any Customer Personal Data to any third party for monetary or other valuable consideration, (ii) retain, disclose, or use any Customer Personal Data for any purpose (including any commercial purpose) other than the specific purpose of performing the Services as specified in this DPA or the Agreement, and/or (iii) retain, use, or disclose any Customer Personal Data outside of the direct business relationship between Provider and Customer. Provider hereby certifies that it understands the restrictions described in the previous sentence, and shall comply with them. Where required by Data Privacy Laws, when acting as Processor Provider also will not combine Customer Personal Data with other personally identifiable information it receives from or on behalf of others or in its own capacity, except as permitted by such Data Privacy Laws.
- Permissions and Consents for Processing. Customer hereby represents and warrants to Provider that Customer has obtained all necessary permissions and consents, including any "opt-in" consents, for the Processing of Customer Personal Data by Provider in accordance with the Agreement and this DPA. Customer will furnish reasonable documentation evidencing such permissions and consents for Provider's Processing as may be reasonably requested by Provider from time to time.
- Sensitive Categories of Customer Personal Data. Customer hereby represents and warrants to Provider that Customer will not, without Provider's prior written consent, provide Provider with any Customer Personal Data that represents sensitive personal information (or any equivalent term), as defined in any applicable Data Privacy Laws, except for those categories of Sensitive Personal Information identified in Annex 1 to this DPA.
DATA PROCESSING (CONTROLLER)
- When acting as Controller, to the extent Provider uses or otherwise Processes Customer Personal Data subject to applicable Data Privacy Laws for business operations incident to providing the Services to Customer, including, but not limited to, communicating with, or facilitating communication with, Customer's employees regarding the products and service offerings of Provider or of Provider's business partners, including to offer such products and service offerings to the Customer's employees, Provider will comply with the obligations of a Controller under applicable Data Privacy Laws for such use. Provider employs safeguards to protect Customer Personal Data in such Processing, including those identified in Section 8 of this DPA.
TRANSFERS OF PERSONAL DATA
- Authorized Subprocessors. Customer hereby consents and agrees to Provider's engagement of Subprocessors to Process Customer Personal Data, including, without limitation, Provider's engagement of the Subprocessors listed at [INSERT LINK TO WEBSITE WHERE PROVIDER SUBPROCESSORS ARE LISTED]. Upon Customer's reasonable written request, Provider shall provide Customer with a list of any additional Subprocessors currently engaged by Provider.
- Provider shall notify Customer from time to time of the identity of any new Subprocessors engaged by Provider following the Effective Date. Such notice may be provided by Provider via email or by providing Customer with a link to a webpage containing updated information regarding Provider's Subprocessors. If Customer (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Customer Personal Data only, then without prejudice to any right to terminate the Agreement, Customer may request that Provider move the Customer Personal Data to another Subprocessor and Provider shall, if possible within a reasonable time following receipt of such request, use reasonable measures to accommodate such request. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason relating to protection of Customer Personal Data, either party may terminate the Agreement without additional liability on thirty (30) days' written notice. If Customer does not object within thirty (30) days of the date of Provider's notice, Customer will be deemed to have accepted the new Subprocessor.
- Liability of Subprocessors. Provider will be liable to Customer for the acts and omissions of any Subprocessor with respect to the Processing of Customer Personal Data to the same nature and extent that Provider is liable to Customer for its own acts and omissions hereunder and under the Agreement.
INTERNATIONAL TRANSFERS
- Customer represents and warrants to Provider that Customer Personal Data does not, and will not without Provider's explicit prior written authorization, include personal data of individuals from any countries outside of North America.
DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
- Provider Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider will implement such appropriate technical and organizational measures as are required by applicable Data Privacy Laws that are designed to ensure a level of security appropriate to such risk, including the measures set out in Annex 2. Provider does not guarantee that such technical and organizational measures are effective under all circumstances.
- Customer will only make Customer Personal Data available to Provider if it is assured that the necessary technical and organizational measures have been taken.
- Upon Customer's reasonable request, Provider will disclose information reasonably necessary to demonstrate Provider's compliance with this DPA.
- Security Breach Notification. If Provider becomes aware of a Security Breach affecting Customer Personal Data in its possession or control, or receives notice of such a Security Breach from one of its Subprocessors, Provider will notify Customer of the Security Breach without undue delay after becoming aware of it. In the event of a Security Breach, Provider will (a) make available to Customer non-confidential information regarding the Security Breach that is reasonably available to Provider, and (b) reasonably cooperate with Customer in connection with Customer's investigation of the Security Breach. Except as may otherwise be required by applicable laws, the foregoing obligations described in this Section 8.4 shall constitute Customer's sole and exclusive remedy, and Provider's sole liability, in the event of any Security Breach.
- Customer Employees and Personnel. Provider will treat the Customer Personal Data as confidential, and shall ensure that any Provider employees or other personnel with access to the Customer Personal Data have agreed in writing to protect the confidentiality and security of Customer Personal Data.
- Audits. Provider will, upon Customer's reasonable advance written request, and not more than once per year (unless requested by a Supervisory Authority), make available to Customer (or a third party on Customer's behalf) a copy of the results of Provider's then most recent third-party audits or certifications. Customer agrees that all third-party audit results and/or certifications, and any other information, documents, and other materials provided to Customer by Provider pursuant to this Section 8.6, constitute Confidential Information of Provider, and may not be used for any purpose other than to verify Provider's compliance with this DPA. Customer acknowledges and agrees that the rights set forth in this Section 8.6 satisfy any right to audit Provider under applicable Data Privacy Laws.
ACCESS REQUESTS AND CONSUMER RIGHTS
- Government Disclosure. Provider will promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
- Consumer Rights. Customer shall ensure that Consumers can avail themselves of their rights under applicable Data Privacy Laws, with the reasonable assistance of Provider as required by such Data Privacy Laws and as described in this Section 9.2. Where applicable, and taking into account the nature of the Processing, Provider will use reasonable endeavors to assist Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Customer's obligation to respond to requests by Consumers to exercise their rights under applicable Data Privacy Laws. Where permitted by applicable Data Privacy Laws, as to requests by Consumers made directly to Provider relating to Customer Personal Data in Provider's possession, Provider will notify Customer (email sufficing) and may inform the Consumer that the request cannot be acted upon because the request has been sent to a Processor.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- To the extent required under applicable Data Privacy Laws, upon Customer's reasonable request, Provider will provide Customer with reasonably relevant information to enable Customer to carry out data protection impact assessments, transfer assessments, or prior consultations with any Supervisory Authority, in each case solely in relation to Provider's Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Provider; provided, however, that where Customer requests assistance of any type that (i) is unnecessary, (ii) is not required of a Processor under applicable Data Privacy Laws, or (iii) is highly burdensome or costly, Provider may charge a reasonable administrative fee as a condition to providing such assistance.
MODIFICATION
- This DPA may be altered, waived in part, or amended only by written agreement duly executed by the Parties.
TERMINATION
- Deletion of data. Except as otherwise set forth in the Agreement, and subject to Section 11.2 below, Provider will, at Customer's direction and within ninety (90) days of the date of termination of the Agreement, either: (a) delete, and use all reasonable efforts to procure that its Subprocessors delete, all Customer Personal Data Processed by Provider or any of its Subprocessors; or (b) return a complete copy of all Customer Personal Data by secure file transfer in a mutually agreed method and format. This DPA will automatically terminate on any termination or expiration of the Agreement, provided that any provisions of this DPA which, by their nature, are intended to survive termination or expiration of the Agreement, shall do so.
- Provider and its Subprocessors may retain Customer Personal Data to the extent required by any applicable laws. Any retained Customer Personal Data shall continue to be subject to this DPA.
[Signature Page Follows]
IN WITNESS WHEREOF, Provider and the Customer, by their duly authorized representatives, have each executed this DPA.
| ASURE SOFTWARE, INC. | [FULL CUSTOMER LEGAL NAME] |
|---|---|
| By: ____________________ Name: Title: Date: | By: ____________________ Name: Title: Date: |
ANNEX 1
DETAILS OF THE PROCESSING
A. LIST OF THE PARTIES
Controller:
1. Name: The Party to the Agreement with Provider
Address: The controller’s address
Contact person's name, position and contact details: The name, position and contact details provided by the controller.
Activities relevant to the data transferred under this Agreement: Processing Customer Personal Data in connection with the controller's use of the Services under the Agreement.
Signature and date: By using the Services to transfer Customer Personal Data to the processor, the controller will be deemed to have signed this Annex 1.
Role (controller/processor): Controller.
Processor:
1. Name: Asure Software, Inc.
Address: 405 Colorado Street, Suite 1800, Austin, TX 78701, United States
Contact person's name, position and contact details:
Joshua Gohman
VP, Information Security
(813) 235-4134
Joshua.Gohman@asuresoftware.com
Activities relevant to the data transferred under this Agreement: The processor provides Services to the controller in accordance with the Agreement.
Signature and date: The processor will be deemed to have signed this Annex 1 on the transfer of Customer Personal Data by the controller in connection with the Services.
Role (controller/processor): Processor.
B. DESCRIPTION OF THE TRANSFER
Categories of Consumers whose personal data is transferred: The Customer Personal Data being processed concerns (i) Customer's officers, directors, executives, and other employees, or contractors of the Customer, who use the Services or who are involved in the administration and management of the Agreement and the Customer's relationship with Provider as it relates to the Services, and (ii) the employees or agents of Customer whose Employee Personal Data Customer uploads to the Services or otherwise makes available to Provider.
Categories of personal data transferred: The Customer Personal Data being processed concerns (i) email address, username, and password for Customer's employees or contractors who are authorized to use the Services, and (ii) any Employee Personal Data that Customer uploads to the Services or otherwise makes available to Provider. Employee Personal Data may include the following categories of sensitive personal data only: (a) social security, driver's license, state identification card, passport number, or other similar government-issued identification number; (b) precise geolocation data; (c) biometric information; or (d) personal information concerning an individual's health.
Frequency of the transfer: Continuous during the term of the Agreement.
Nature of the processing: The Customer Personal Data will be subject to the following basic processing activities: transmitting, collecting, analyzing, and storing data as necessary in order to provide the Services to the Customer, for Provider's business operations incident to providing the Services to Customer, and any other activities related to the provision of the Services or as specified in the Agreement.
Purpose of the processing: The processor provides Services to the controller in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in Section 11 of the DPA.
For transfers to (sub) processors, also specify subject matter, nature and duration of the processing: As set forth in Section 6 of the DPA.
ANNEX 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Introduction
Provider maintains internal policies and procedures, and/or ensures that Provider’s Subprocessors do so, which are designed to:
(a) secure any Customer Personal Data against accidental or unlawful loss, access or disclosure;
(b) identify reasonably foreseeable internal and external risks to the security of, and unauthorized access to, the Customer Personal Data; and
(c) minimize security risks, including through risk assessment and regular testing.
Provider will conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against security standards in Provider's industry, and will use reasonable efforts to ensure that its Subprocessors do so as well.
Provider will periodically evaluate the security of its systems to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews, and will use reasonable efforts to ensure that its Subprocessors do so as well.
Access controls
Security layers will be employed to protect against unauthorized access to systems and Customer Personal Data. These will include the principle of least privilege and the use of strong passwords in accordance with Provider's information security policy.
Availability and back-up of Customer Personal Data
Backup copies of Customer Personal Data are created on a periodic basis to minimize risk and ensure the continued operation of the Services in the event of a man-made or natural disaster. Backup copies will be encrypted both in transit and at rest. Backup copies will be treated as equally confidential and require security measures equivalent to those applied to live Customer Personal Data.
Disposal of IT equipment
For Provider hardware, all computer equipment will be collected from employees upon their termination from Provider. Computer equipment will be wiped clean of data and re-purposed or destroyed such that data on the device is rendered unrecoverable. When hosted infrastructure is utilized, Provider will require the infrastructure provider to follow current industry standards in Provider's industry for wiping equipment clean when Provider no longer uses that equipment, and when the infrastructure provider decommissions equipment.
Encryption
Encryption will be employed that meets or exceeds current industry standards in Provider's industry.
Device hardening
Anti-virus and intrusion detection software will be employed on appropriate devices and maintained with current updates to ensure current industry standards in Provider's industry are employed against security threats.
Physical security
Provider's physical office location will be secured and alarmed. Risk at the office location is reduced because Provider hosts its software and infrastructure with reputable cloud vendors rather than on-site. Infrastructure and software providers will be selected based on their functional capabilities as well as their organizational security practices.
Staff training and awareness
Staff training will be conducted periodically, at least annually, to ensure staff remains up to date on security best practices. Training will be tracked and documented per Provider policy.
