Mighty Networks California Data Processing Addendum

This California Data Processing Addendum (“DPA”) forms part of the Agreement between Mighty Software, Inc. (“Mighty Networks”) and you, a Host of a Mighty Network. The purpose of this DPA is compliance with the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. (“CCPA”).

1. Definitions

Any capitalized term used but not defined herein shall have the meaning ascribed to it in the CCPA.

2. Relationship with the Agreement.

The parties agree that this DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with Personal Information of Consumers. This DPA shall have no effect on any data processing addendum regarding compliance with European laws and regulations.

Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

3. Privacy of Personal Information.

Host is a Business as defined by the CCPA, and Mighty Networks is a Service Provider as defined by the CCPA, with respect to the Personal Information specified in Exhibit 1 below. The Personal Information that Host discloses to Mighty Networks is provided to Mighty Networks for a Business Purpose. Mighty Networks shall Process Personal Information only to the extent reasonably necessary for the performance of the Services. Except as disclosed in the California Privacy Notice, Mighty Networks is prohibited from Selling Personal Information and from collecting, retaining, using, disclosing, or otherwise Personal Information for a commercial purpose other than providing the Services as specified in the Agreement. Personal Information may be Deidentified or Aggregated as part of the Services, but only to the extent such Deidentification or Aggregation, as the case may be, meets the standard for such activity that is required under the CCPA.

4. Subcontractors; Authorized Disclosures.

Where Mighty Networks provides a third party with access to Personal Information, or contracts any of its rights or obligations concerning Personal Information to a third party, such subcontractor shall be subject to contractual terms at least as restrictive as set forth in this DPA; or (ii) as required by applicable law. Mighty Networks remains responsible and fully liable for the acts and omissions of each subcontractor.

5. Security

Mighty Networks shall operate and maintain the system and server on which Personal Information is stored in a locked and secured location, with access restricted to only authorized employees to whom access is necessary to provide the Service. Mighty Networks warrants the following in connection with the Service: (i) it has used adequate security safeguards, procedures and/or firewalls (to the extent reasonably practical with available technology) to ensure that third parties cannot alter any content contained within the Service; (ii) the Service shall receive and transmit all information in not less than a 256-bit encrypted format with Secure Socket Layer technology; and (iii) Mighty Networks shall be responsible for providing adequate logical and physical security measures to ensure the integrity of Personal Information used on the Service.

6. Data Subject Access Requests.

6.1 Mighty Networks shall cooperate with Host if a Member who is a Consumer under the CCPA requests from Host (i) access to his or her Personal Information, (ii) information about the categories of sources from which the Personal Information is collected, or (iii) information about the categories or specific pieces of the Data Subject’s Personal Information.

6.2 Upon Host’s or Member Consumer’s request, Mighty Networks shall promptly delete a particular Member’s Personal Information from its records. In the event Mighty Networks is unable to delete the Personal Information for reasons permitted under the CCPA, Mighty Networks shall (i) promptly inform Host or Member of the reason(s) for its refusal of the deletion request, (ii) ensure the privacy, confidentiality and security of such Personal Information, and (iii) delete the Personal Information promptly after the reason(s) for Mighty Networks’ refusal has expired.

7. Compliance.

Mighty Networks agrees to negotiate in good faith any amendments to the Agreement that are necessary to comply with applicable law.

Exhibit 1: Specifics of Services and Personal Information

The nature of the Services that require use of Personal Information: The purpose of the data processing under this DPA is the provision of the Services to the Host and the performance of Mighty Networks’ obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.

Types of Personal Information: As identified in Section 1 of the California Privacy Notice.