Confidential Terms
Standard Support Terms
Section 1. Defined Terms
Except as expressly defined in this Support Exhibit, capitalized terms will have the meaning ascribed to them in the Master Agreement. In addition, the following capitalized terms will have the following meanings:
“APIs” means the application programming interfaces provided by Odessa to Customer to enable interoperability or compatible data exchange between the Odessa Software and third party technology, including those specified as “APIs” in the Sales Order.
“Annual Support Fees” has the meaning ascribed to it in the Sales Order.
“Configuration” means a PSA Deliverable that consists of a separate file that uses certain functions and features in the Software that are designed to permit Customer to arrange its business logic, workflow and other items without modification to the source code of the Software.
“Customization” means a PSA Deliverable that represents a modification to the source code of the Software, either as altered source code, or as new source code. Customizations are categorized as “Product Customizations” or “Project Customizations”.
“Error” means any failure of the Supported Software to perform in all material respects in accordance with its Documentation.
“Fix” means a modification or an addition to the Supported Software or its Documentation that overcomes an Error when made or added to such Software or Documentation. Odessa may provide a Workaround in lieu of a Fix in Odessa’s sole discretion, but will provide a Fix to Customer as specified in Section 2.2 below.
“Product Customization” means any Customization that Odessa designates in writing as a “Product Customization” (or as a “Core Software Deliverable”), and that Odessa anticipates incorporating into a future general release version of the Software.
“Maintenance Release” means a patch, or a new release of the Supported Software with a change in the Z component of the Software’s X.Y.Z version number.
“Project Customization” means any Customization that Odessa designates in writing as a “Project Customization” (or as a “Non-Core Software Deliverable”).
“Odessa Standard Business Hours” means 8.00am to 5.00pm US Eastern time, and 9.30am to 6.00pm Indian standard time, Monday through Friday, excluding holidays observed by Odessa.
“PSA Deliverable” means any “Deliverable” (as defined in the Professional Services Agreement) finally provided by Odessa to Customer under the Professional Services Agreement.
“Reaction Time” means, for purposes of this Exhibit, the time between Odessa’s receipt of an Error notification from Customer which includes all appropriate information related to the Error, and an Odessa support technician beginning work on resolution of the Error.
“Response Time” means, for purposes of this Exhibit, the time between Odessa’s receipt of an Error notification from Customer, and Odessa’s acknowledgement of receipt of the notification.
“Software Release” means (i) the Odessa Software programs identified in the applicable Sales Order as “Odessa Programs”, (ii) to the extent specified as being subject to Support Services in the Sales Order, any APIs and Third Party Programs, and (iii) any Upgrade, Update or Maintenance Release.
“Support Term” has the meaning ascribed to it in the Sales Order.
“Supported Software” refers to the Software and PSA Deliverables for which Odessa is obligated to provide Support Services, and means:
(i) Software Releases made generally available for commercial release by Odessa within the two year period immediately preceding the reported occurrence of an Error (a “Qualifying Release”);
(ii) Product Customizations (once any Product Customization has been incorporated into a general release version of the Software, that Product Customization will be eligible for Support Services until the first to occur of (a) Customer’s adoption of the general release version in a production environment, or (b) the expiration of two years from the date on which Odessa first makes the general release version generally available);
(iii) Project Customizations that are Customizations of any Qualifying Release; and
(iv) Configurations that are Configurations of any Qualifying Release.
“Third Party Programs” has the meaning ascribed to it in the Sales Order.
“Update” means a new release of the Supported Software with a change in the Y component of the Software’s X.Y.Z version number.
“Upgrade” means a new release of the Supported Software with a change in the X component of the Software’s X.Y.Z version number.
“Workaround” means a set of procedures that Customer may follow to circumvent or mitigate the impact of an Error, notwithstanding that the Error still exists.
Section 2. Odessa’s Provision of Support Services
2.1 Technical Support. Odessa will provide Customer with telephone and email support regarding use of the Supported Software and resolution of Errors in accordance with Table A-1 below. Except as specified in Table A-1 below, Odessa provides such support during Odessa Standard Business Hours. Odessa will provide such support to up to two (2) named support contacts designated by Customer as a primary and backup administrator, who will be knowledgeable in all material aspects of Customer’s network and operating environment, and who will have completed and remain current with Odessa’s recommended training for support contacts for the Supported Software. Customer will ensure that its support contacts direct queries and notifications to Odessa’s designated telephone support numbers and email addresses. Customer will notify Odessa of its initial support contacts promptly following the Sales Order Effective Date. Customer may change the contacts by written notice to Odessa.
2.2 Support Response. Odessa will notify Customer of Errors and other material problems detected by Odessa, and will assign all Errors one of four response priorities, dependent upon the problems caused by the Error, and consistent with the Severity Level descriptions below. Odessa will also respond to information and enhancement requests, consistent with the Severity Level 5 description below. The priorities will dictate the timing and nature of the response as specified in Table A-1 below. Response times are calculated from the moment at which Customer’s request for support first reaches Odessa’s customer support phone lines, or Odessa’s customer support email. Priority categories are as follows:
2.2.1 Severity Level 1 – Software Down or Unusable: An Error stops the Supported Software from running, or so severely impacts production use of the Supported Software that Customer’s business operations are critically affected and Customer cannot reasonably continue work.
2.2.2 Severity Level 2 – Functionality Disabled: An Error causes a major functional area of the Supported Software to be unavailable with no reasonable Workaround and there is a serious impact on Customer’s productivity, but production use of the Supported Software is continuing and Customer can reasonably continue work using the Supported Software.
2.2.3 Severity Level 3 – Degraded Operations: An Error which causes a major functional area of the Supported Software to be unavailable or to function other than as specified in the applicable Documentation but a Workaround exists; or an Error causes less significant functions of the Supported Software to be unavailable or to function other than as specified in the applicable Documentation, with no reasonable Workaround; or an Error which causes performance slowdowns in the Supported Software, but where Customer can still reasonably continue to work using the Supported Software.
2.2.4 Severity Level 4 – Minor Error: An Error which does not affect essential use of the Supported Software, but which represents a deviation from the applicable Documentation. Examples of such Errors include: screen formatting or placement; minor spelling errors; color Errors, and sorting Errors.
2.2.5 Severity Level 5 – Information/Enhancement Request: Customer requests information, an enhancement, or documentation clarification regarding the Supported Software but there is no material adverse impact on the operation of the Supported Software.
Priority | Coverage | Response Time | Reaction Time | Resolution Procedures |
---|---|---|---|---|
Severity Level One | Odessa Standard Business Hours | Within 2 business hours | Within 4 business hours | Odessa will use commercially reasonable efforts to provide a Workaround or a Fix as soon as reasonably practicable, and will dedicate necessary resources (including development engineers or their equivalents) to resolve the Error. Odessa will notify Customer of the Error resolution status on at least a daily basis, and more frequently as requested by Customer, until Odessa provides a Workaround. If Odessa provides a Workaround, then Odessa will provide a Fix as soon as reasonably practicable in the circumstances. |
Severity Level Two | Odessa Standard Business Hours | Within 4 business hours | Within 6 business hours | Odessa will use commercially reasonable efforts to provide a Workaround as soon as reasonably practicable in all the circumstances, and to include a Fix for the Error in the next Maintenance Release. |
Severity Level Three | Odessa Standard Business Hours | Within 4 business hours | Within 8 business hours | Odessa will use commercially reasonable efforts to provide a Workaround as soon as reasonably practicable in all the circumstances, and to include a Fix for the Error in the next Maintenance Release. |
Severity Level Four | Odessa Standard Business Hours | Within 1 business day | Within 5 business days | Odessa will use commercially reasonable efforts to provide a Workaround as soon as reasonably practicable in all the circumstances, and to include a Fix for the Error in the next Maintenance Release. |
Severity Level Five | Odessa Standard Business Hours | Within 3 business days | Within 10 business days | Odessa will consider enhancement and Documentation modification requests. |
2.3 Error Status. Odessa will provide Customer with online access to Odessa’s Error ticketing system.
2.4 Escalation Process. The table below describes Odessa’s internal notification / escalation procedure with respect to Severity Level 1 Errors and Severity Level 2 Errors. Timeframes are during Odessa Standard Business Hours.
Odessa Personnel | Severity 1 | Severity 2 |
---|---|---|
Manager, Technical Support | Immediate, on problem report/identification | 4 hours |
Sr. Director, Customer Services | 2 hours | 4 hours |
Chief Operating Officer | 4 hours | As needed |
2.5 Remote Support. Odessa and Customer have agreed that Odessa will provide all Support Services remotely from Odessa’s offices. Customer will provide Odessa with remote access (over a VPN, WebEx or other similar secure access system) to Customer’s testing and production servers on which the Supported Software is installed, to enable Odessa’s provision of Support Services. It is Customer’s responsibility to provide an environment on which any reported problem can be recreated or captured. Unless otherwise agreed between the parties, Customer will not provide Odessa with access to or copies of Licensed Program databases containing un-scrubbed or un-obfuscated customer data or Personal Information. Odessa will have no liability for any non-performance of Support Services arising out of any failure of Customer or its suppliers to provide Odessa with access to such servers.
2.6 On-Site Visits. Without limiting the generality of Section 2.5 above, if Odessa and Customer mutually determine that Odessa may more effectively resolve an Error with an on-site visit to any Customer location, then Customer will pay Odessa for Odessa’s travel, attendance and services on a time and materials basis at Odessa’s then current daily rates, and will reimburse Odessa for Odessa’s reasonable travel and living expenses.
2.7 Customer Cooperation. Customer acknowledges that Odessa may not be able to resolve an Error if Customer does not cooperate with and assist Odessa in resolving the Error (including in replicating the Error, in retrieving and sharing database, workstation, server and log file data relating to the Error, and in providing Odessa with access to Customer’s servers, databases and all other aspects of its operating environment as necessary for Odessa to diagnose and resolve the Error). Customer will use deployment automation tools as required by Odessa for deployment and promotion of all Software releases (including Fixes) in all Customer environments. Customer is responsible for obtaining, operating, maintaining and supporting all equipment, services and other software necessary to operate the Software.
2.8 Software Releases. Odessa will make Software Releases available to Customer if and when they are made generally commercially available by Odessa to Odessa’s customers. Odessa may provide Customer with a Maintenance Fix if Customer is experiencing, or in Odessa’s sole discretion may experience, a Severity Level One or Two situation. Software Releases will constitute “Software” for purposes of the Master Agreement. Odessa will be solely responsible for determining whether derivative works of or improvements to the Software constitute a Software Release or new software programs not covered by the applicable Sales Order or Support Services.
2.9 Support Obligations Applicable to APIs and Third Party Programs. The following provisions apply only if Customer is acquiring APIs or Third Party Programs from Odessa, and only to the extent the Sales Order specifies that Odessa will provide Support Services for the APIs or the Third Party Programs.
2.9.1 Support, Error Resolution and Upgrades. Odessa will provide technical support and Error resolution services for the APIs and general release versions of Third Party Programs as part of the Support Services and also will provide, to the extent and subject to the limitations specified below, Software Releases for the APIs and Third Party Programs.
2.9.2 Odessa Upgrade Compatibility. Odessa will design general release Software Releases of the Odessa Programs to maintain compatibility with APIs and Third Party Programs that qualify as Supported Software, at no additional charge to Customer. With respect to APIs and Third Party Programs that do not qualify as Supported Software, Odessa will charge Customer at Odessa’s then standard rates for developing such compatibility.
2.9.3 Third Party Product Compatibility. If the suppliers of Supported Software Third Party Programs or the products or services with which Supported Software APIs are designed to interoperate modify such programs, products or services, then Odessa will provide compatibility between the Odessa Programs and the applicable APIs and general release versions of Third Party Programs. Odessa will charge Customer at Odessa’s then standard rates for developing such compatibility for any APIs or Third Party Programs that do not qualify as Supported Software. Customer acknowledges that Odessa requires reasonable advance notice in order to modify and test APIs and Odessa Program Software Releases that are designed to interoperate with new versions of Third Party Programs in order to maintain compatibility, and that Odessa will have no responsibility for any incompatibilities between the APIs or Odessa Program Software Releases and the third party products or services or new versions of Third Party Programs and consequent Errors unless and until Odessa has made its modifications available for general release.
2.9.4 Operating System Changes. Odessa may, but will not be obligated to, perform the work necessary to obtain compatibility between the APIs and changes in Customer’s operating environment. Odessa will charge Customer for such work at its standard rates.
2.9.5 Dependence on Third Party Licensors. Odessa does not have access to the source code of, nor rights to modify the Third Party Programs. The Parties each acknowledge that Odessa’s ability to resolve Errors in, and provide new releases of Third Party Programs is dependent upon the applicable Third Party Program supplier. Odessa will nonetheless be solely responsible for monitoring and enforcing the Third Party Program supplier’s support and maintenance obligations under the applicable supply agreement between them.
2.10 Scope of Support and Software Release Services. Odessa will have no obligation to correct Errors or support queries arising from Customer’s misuse or alteration of the Supported Software, failure or fluctuation of electrical power, maintenance of the Supported Software by anyone other than Odessa or Odessa’s authorized representatives, Customer’s combining or merging Supported Software with any hardware or software not identified as compatible by Odessa, use of the Supported Software other than in accordance with the Documentation or the provisions of this Agreement, or Customer’s provision to Odessa of incorrect configuration directions or other information. Odessa will have no obligation to correct Errors or support Software or PSA Deliverables except with respect to the Supported Software. Odessa will be obligated to comply with its response times and resolution commitments in this Agreement only with respect to Customer’s production use of the Supported Software: if Odessa, in its sole discretion, elects to address Errors or other problems with the Software outside the scope of this Exhibit (e.g., bugs occurring in non-production use, or bugs in old versions that Odessa is no longer obligated to support), then Odessa will handle such Errors on a reasonable efforts basis, and may charge for its services at its then current applicable rates. The Support Services exclude any configuration of any Software or PSA Deliverables. Odessa’s provision of support services and Software Releases is conditioned on Customer being current on its Support Services Fees payments for all of the Supported Software.
2.10.1 Customer Responsibilities. Except to the extent specified in a supplemental services agreement between Odessa and Customer, Customer will be responsible for each of the items described in this Section 2.10.1. This list of responsibilities is not intended to be exhaustive, but addresses primary issues for purposes of clarification. Odessa will not be obligated to resolve problems (including Errors) arising from Customer’s non-conformance with this Section 2.10.1. Odessa may, at Customer’s request, diagnose, resolve, or participate in resolution of such problems, but may charge Customer for its work at Odessa’s then standard rates.
(a) Systems and Network Administration. Customer is responsible for proper maintenance of all hardware, operating systems, and other support software that run beneath the Supported Software, including: disk space maintenance; log file maintenance; backups, clustering, load balancing, application server, administration, user administration; patch administration; routing, security, firewall, and other types of network administration. To the extent that Odessa accepts responsibility for Supported Software performance, that responsibility ends at the point where the Supported Software makes information available to its applicable web server. Odessa cannot, and has no obligation to control Supported Software performance through Customer’s network infrastructure and the subsequent “internet cloud.”
(b) Database Administration. Customer is responsible for proper maintenance of all hardware and software associated with the database required by the Supported Software (typically a Microsoft SQL Server application), including disk space and database file maintenance, database index maintenance, user administration, and all other activities described by the database administration documentation and as required for proper database performance and function.
(c) Capacity Planning. Customer is responsible for monitoring load on the systems and application and for projecting, planning, and executing any expansion in the number or type of application servers, database servers, report servers, document servers, and web servers required to maintain system performance at acceptable levels. In any event, Customer will ensure that its systems and their performance are at least as good as those of Customer’s systems as documented in Odessa’s QA exit report for the implementation project, or for any subsequent performance testing or capacity planning professional services engagements performed by Odessa under the Professional Services Agreement (the “Baseline Criteria”). If Customer wishes to materially change its systems or application configurations, or increase loads in excess of the Baseline Criteria, and if such change or increase causes performance issues in the Supported Software which are not the result of Errors inherent in the Software then, if Odessa and Customer agree that Odessa will provide Support Services for any such performance issues, Odessa may charge Customer for its services at its then current applicable rates, or Customer and Odessa may enter into a capacity planning project under a new statement of work to the Professional Services Agreement.
(d) Software Administration. Customer is responsible for performing normal administration of the Software as described in the applicable Documentation and in any training provided by or on behalf of Odessa, including: adding and deleting users, monitoring and cleaning up of “todo” items, adding and deleting customers, workflow maintenance, and running reports.
(e) Security. Customer is responsible for performing system and network administration including virus protection activities, and for designing, implementing, and managing security procedures and security infrastructure to ensure the security of the information and capabilities within the system on which Customer operates the Software.
2.10.2 Project Customizations. Except to the extent specified in a statement of work to the Professional Services Agreement or in a Sales Order or Sales Order addendum (for example, if Customer is purchasing an enhanced support package that specifically includes such support), Odessa is not obligated to:
(a) provide Error resolution for any PSA Deliverables that do not qualify as Supported Software, nor to provide new or updated versions of Project Customizations or of Configurations; nor
(b) provide or ensure compatibility between any Software Releases and any version of any Project Customizations or Configurations.
Odessa may provide error resolution, upgrade and compatibility services for Project Customizations or Configurations if requested by Customer, but will do so under the Professional Services Agreement, and will charge Customer for its services at Odessa’s then standard rates.
2.11 Modification of Support Services. Odessa may modify the nature and extent of the Support Services upon not less than thirty (30) days prior written notice to Customer; provided, however, that no modification will be effective without Customer’s prior written consent if it materially adversely affects Customer’s rights under this Support Exhibit.
Section 3. Termination; Reinstatement
3.1 Termination.
3.1.1 Termination of Sales Order. Support Services will terminate upon any termination or expiration of the License Term.
3.1.2 Termination by Customer. Following expiration of any minimum term specified in the Sales Order, Customer may terminate the Support Services for all (but not some) of the Supported Software for convenience, at any time upon notice to Odessa.
3.1.3 Termination by Odessa – Product Sunset. Following expiration of any minimum term specified in the Sales Order, Odessa may terminate the Support Services for any Supported Software on not less than one (1) year’s prior written notice to Customer, should Odessa determine in its sole discretion that it is no longer economically feasible for Odessa to provide such Support Services.
3.2 Refunds. Odessa will refund any Support Services Fees prepaid by Customer for the unutilized portion of the then current Support Term if: (i) Customer terminated the Sales Order as a result of an uncured material breach by Odessa, in accordance with Section 8.4 (Termination For Cause) of the Master Agreement; (ii) if Odessa terminated the Sales Order in accordance with Section 7.2 (Odessa’s Mitigation Rights For Third Party Infringement Claims) of the Master Agreement; or (iii) if Odessa terminated the Support Services pursuant to Section 3.1.3 (Product Sunset) above. No refund will be payable, nor will Customer be entitled to relief from Support Services Fees payable with respect to any minimum Support Services subscription term, in any other circumstances. Odessa will pay Customer any applicable refund within thirty (30) days of such termination.
3.3 Reinstatement. If Customer has cancelled any Support Services under a Sales Order, and Customer subsequently wants to reinstate Support Services, then Customer will pay Odessa a reinstatement fee equal to fifty percent (50%) of the Annual Support Fees last paid or payable by Customer, together with the Support Fees that would have been payable for the intervening period between cancellation of Support Services and reinstatement. The new Support Term will commence on the day that Odessa first recommences Support Services. Customer will pay Odessa the reinstatement fee and the Annual Support Fees for the new Support Term within thirty (30) days of receipt of Odessa’s invoice.
Service Level Availability
1. Definitions.
a. “Uptime” is defined as all times when the Odessa Solution is available and performing suitably to provide Customer the ability to conduct normal business functions.
b. “Downtime” is defined as all times when the Odessa Solution is not available or is not performing suitably to provide Customer the ability to conduct normal business functions, provided Downtime will not include Exception Times as described in the formula below.
c. “Exception Times” are exceptions to the calculation of Downtime. Exception Times include times that the Odessa Solution cannot be accessed or used due to: (i) maintenance performed during Scheduled Downtime (as defined below); (ii) a force majeure event; (iii) problems with Customer’s or a user’s network, desktop, third party software applications, hardware or network connectivity; and/or (iv) misuse of the Odessa Solution.
d. “Scheduled Downtime” consists of times when Odessa performs system maintenance, backup and upgrade functions for the Odessa Solution that will render the Odessa Solution unavailable. Odessa will provide forty-eight (48) hours’ notice for any Scheduled Downtime (except to the extent required to respond to a security or similar emergency in which case Odessa will provide as much notice as possible). Customer may request that Odessa reschedule (at Odessa’s discretion) any Scheduled Downtime for Customer’s convenience. Except to the extent required by a security or similar emergency, the amount of Scheduled Downtime that renders the Odessa Solution completely unavailable may not exceed five (5) hours during any three (3) month period of the Term.
2. Service Level Agreement Warranty. As long as applicable Fees are paid as they become due and Customer has not breached the terms of the Agreement, Odessa warrants to Customer (the “SLA Warranty”) that the Uptime SLA Percentage, as calculated below, for the Odessa Solution will be not less than 99.5% (the “SLA Target”).
where:
“n” is the total number of hours in a given calendar month excluding Scheduled Downtime, and Exception Times; and
“y” is the total number of Downtime hours in the given calendar month. For months in which services commence on other than the first day of the month, the calculation of Uptime SLA Percentage will be prorated accordingly.
3. Exclusions. Odessa will have no liability hereunder to the extent any non-conformance arises due to: (a) any modification, reconfiguration or maintenance of the Odessa Solution or Odessa Software performed by any party other than Odessa or at Odessa’s direction; (b) any use of the Odessa Solution on a system that does not meet Odessa’s minimum standards shown in the Documentation; (c) any software other than the Odessa Software, or (d) any hardware not provided by Odessa.
4. SLA Warranty Credit Remedy. In the event Odessa fails to comply with the SLA Warranty, then as Customer’s sole remedy and Odessa’s sole liability, Odessa will issue to Customer a credit to be applied against fees payable under the Agreement in accordance with the following:
First month of missed availability: 5% of the Fee paid for the applicable month for the Odessa Solution
Second consecutive month: 15% of the Fee paid for the applicable month for the Odessa Solution
Third consecutive month: 20% of the Fee paid for the applicable month for the Odessa Solution
Fourth consecutive month: 25% of the Fee paid for the applicable month for the Odessa Solution
Fifth consecutive month: 30% of the Fee paid for the applicable month for the Odessa Solution
In order to receive credit hereunder, Customer must make a written request to Odessa within thirty (30) days of the end of the applicable month.
5. Service Level Termination Event. If the Uptime SLA Percentage falls below 96% on a rolling three (3) months average (a “Service Level Termination Event”), then Customer may terminate the applicable Sales Order upon thirty (30) days’ notice to Odessa provided that such notice is given within sixty (60) days of the Service Level Termination Event. In the event Customer terminates a Sales Order as a result of a Service Level Termination Event, Odessa will refund to Customer any prepaid, unused Fees applicable to the period after the effective date of the termination.
Privacy Policy
1. Privacy and Your Information
Odessa Technologies, Inc., its affiliates and subsidiaries (collectively “Odessa,” “we”, “our” or “us”) know you care about how your Personal Information is used and shared, and we take your privacy seriously. This Privacy Notice describes how we leverage your personal information and respect your privacy rights.
2. Changes to this Privacy Policy
Odessa may make changes to this Privacy Policy. The most current version of the Privacy Policy will govern Odessa’s use of information about you and will be located at this space. If Odessa makes material changes to this Privacy Policy, Odessa will notify you by posting a notice on our website and may send an email to the official email address Odessa has on file for your account, if applicable. The “Last Revised” section at the bottom of this Notice states when this Privacy Notice was last amended, and we update this date each time a revision is posted.
3. What Information Do We Collect?
Odessa collects information as part of its business operations, to provide services, to respond to requests and offer customer support, to fulfill legal and contractual obligations and to build its innovative products. You provide some of this data directly, such as when you register your account with Odessa as a user of the Odessa Software or the Odessa Solution (including through registration as an employee, contractor or other user of the Odessa Software or the Odessa Solution on behalf of an Odessa customer (“Customer”)). We also collect information through your interaction with Odessa Services and our website, for example, using embedded product technologies and cookies. We also obtain data from third parties.
Odessa may also collect certain technical information about your use of the Odessa Solution. This may include technical information about your device(s), MAC ethernet address, IP address, the URI (Uniform Resource Identifier) of the web application, Username, host name, other parameters regarding your operating system and device environment, computer make and model and connection information.
Further details of the data we collect are categorized below:
- Identity Data includes first name, last name, title, and/or role at an organization.
- Contact Data includes business address, delivery address, business email address, and business telephone numbers.
- Interaction Data includes data collected when you interact with us by phone, email, or in person, and may include your preferences, opinions, feedback, and survey responses.
- Technical Data includes internet protocol (IP) address, your login data, language, access times, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
- Usage Data includes information about how you use our website, products and services, and web beacons, customized links or similar technologies to determine whether an e-mail has been opened and which links you click on in order to provide you with more focused e-mail communications or other information.
- Marketing and Communications Data includes your preferences for receiving marketing from us, and your communication preferences.
- Aggregated Data, such as statistical or demographic data. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this privacy policy.
4. How Odessa Collects Your Information
4.1. Direct interactions. You may give us your Identity, Contact, Interaction, Marketing, and Communications Data by filling in forms or by corresponding with us by post, phone, email, or otherwise:
- Applying for information on our products or services on behalf of an organization you are affiliated with.
- Requesting marketing materials and communications to be sent to you.
- Providing us feedback or contacting us.
- Form fills or enquiries made on the Odessa website.
- Conferences, webinars conducted by Odessa.
4.2. Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data using cookies, server logs, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see Odessa’s Cookie Policy for further details.
4.3. Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
- Technical Data from Analytics providers such as Google.
- Advertising networks like Google Adwords.
- Search information providers such as Zoominfo.
- Analyze the accuracy, effectiveness, and usability of the Odessa Solution or the Odessa Software.
- Identity and Contact Data from data brokers or aggregators.
- Identity and Contact Data from publicly available sources such as Companies House.
As part of using our Odessa Solution, Odessa’s Customers may submit to Odessa electronic data or information (“Submitted Data”) that constitutes personal information of other individuals. Such data may include an individual’s name, email address, phone number or any other data that the Customer chooses to submit to us.
The Odessa Solution collects data from its customers’ networks for analytics purposes and Odessa generally has no direct relationship with the individuals to whom Submitted Data may pertain. Odessa processes Submitted Data on behalf of our customers. Customer Data collected by Odessa is done so pursuant to our Terms and Conditions or a separate agreement/consent in place between Odessa and the applicable customer, which governs our treatment of Submitted Data.
5. How Odessa Uses Your Information
We use information that we collect for lawful purposes associated with the growth, maintenance and management of our business while also respecting your privacy. These uses include our internal operations and administration, communicating with you and fulfilling your service requests and to improve, develop, enhance and otherwise provide Odessa Solution.
More specifically, we use your data to:
- Provide access to the Odessa Solution.
- Personalize, customize, measure, and improve Odessa’s products, services, content, and advertising.
- Prevent, detect, and investigate potentially prohibited or illegal activities or a breach of the applicable agreement(s) between you and Odessa.
- Analyze the accuracy, effectiveness, and usability of the Odessa Solution or the Odessa Software.
- Generate and review reports based on Submitted Data.
- Compile aggregate data for internal and external business purposes.
- Resolve and troubleshoot technical problems with the Odessa Solution.
- Contact you with information, including promotional, marketing, and advertising information and recommendations that Odessa believes may be of interest to you.
- Use as reference (only once permitted by you) in our pursuits.
- Jira instances hosted by Odessa.
- Run campaigns on marketing automation tools like Pardot.
6. Who We May Share Information With
Odessa may disclose the information we collect from you to the following third parties:
- Users of the Odessa Solution; Public Information. When you share information with us via the Odessa Solution, Odessa may share your information to other users, in accordance with the privacy settings you or the respective Customer has chosen for your account or that are applicable to that information. To the extent you share any information to a public audience or via a publicly accessible portion of the Odessa Solution such as an online customer community or forum, that information may be available to anyone who has access to that customer community or forum.
- Odessa’s solution Providers. Odessa may share your information with third-party contractors, agents, collaborators, or service providers who provide certain services to Odessa or on Odessa’s behalf, such as operating and supporting the Odessa Solution. Odessa may also request your information from a previous service provider, which we need to provide our services to you. Alternatively, Odessa may pass on your information to a service provider that Odessa Customers have chosen to replace Odessa.
- Companies that Acquire Odessa’s Business or Assets. If Odessa becomes involved in a merger, acquisition, sale of assets, securities offering, bankruptcy, reorganization, or dissolution or if the ownership of all or substantially all of Odessa’s business relating to the Odessa Solution otherwise changes, Odessa may provide your information to a third party or parties in connection with the applicable transaction.
- Odessa’s Affiliates. Odessa may share some or all of your information with Odessa’s parent company, subsidiaries and corporate affiliates, joint ventures or other companies under common control with Odessa.
- Odessa Customers. If Odessa has received your information as part of Submitted Data, Odessa may share that information, or any modifications or revisions to that information with that Customer.
- Switching Odessa Solution Providers. Odessa may request your information from your previous service provider, which we need to provide our services to you. Alternatively, Odessa may pass on your information to a service provider that you have chosen to replace Odessa.
- Aggregate Information. Odessa may share information relating to our visitors and users with affiliated or unaffiliated third parties on an aggregate basis, however this information will not identify you personally.
- Legal Requirements. Odessa may share your information with law enforcement, governmental agencies, or authorized third parties, in response to a request relating to a criminal investigation or alleged illegal activity or any other activity that may expose Odessa, you, or any other Odessa user to legal liability, or to protect Odessa’s rights or property, or during emergencies when safety is at risk. Odessa may also share your information in response to court orders, subpoenas, or other legal or regulatory requests, and Odessa may provide access to your information to Odessa’s legal counsel and other consultants in connection with actual or potential litigation.
7. Your Choices & Rights
Odessa respects your rights in how your personal information is used and shared. You may request access or corrections to your personal data and make choices about the kinds of marketing materials you receive (or choose not to receive marketing from Odessa at all). If you are in Europe, you may have additional rights under the GDPR.
- Access, Correction to or Deletion of Your Information. Customers may update or change their account information through their account settings accessible using the Customer account page included in the Odessa Solution. Access to your Odessa account page will require your Odessa Solution username and password or any other supported authentication mechanism. To update your Information or to delete your account information, please email notices@odessainc.com.
You have the right to request access to any Personal Information which Odessa may have about you by contacting notices@odessainc.com. The information will be provided in a machine-readable format. You may also ask that we transfer the Personal Information to a third party, which we will do if technically feasible. In addition, each Customer’s administrator of the Odessa Solution can retrieve or delete the data from the Odessa Solution. You also have the right to review, add and update your Personal Information. You may also request the deletion of your Personal Information where:
- the personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed,
- you withdraw consent to Odessa’s possession of the information on which the processing is based and where there is no other legal ground for Odessa’s retention of the information,
- you object to Odessa’s possession of the information and there is no overriding legitimate basis for the retention,
- the personal information has been unlawfully obtained or processed, or
- the personal information has to be erased for compliance with a legal obligation in the European Union or other law to which Odessa is subject.
When you update information, however, we may maintain a copy of the unrevised information in our records. Some information may remain in our records after your deletion of such information from your account. We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally.
If your individual personal information has been submitted to us by a Customer as Submitted Data and you wish to exercise any rights you may have to access, correct, amend, or delete such data, please first inquire with the Customer (or his/her organization) directly.
- Rights to Object or Restrict Processing of Personal Information
If Odessa has your Personal Information as a result of your relationship with one of Odessa’s Customers, you should first contact that Customer before contacting Odessa. You may, however, at any time revoke your consent to the collection, processing and use of your Personal Information by emailing notices@odessainc.com. Upon receipt of your request, Odessa will delete your personal data provided Odessa may retain any data which is required for billing and accounting purposes, or which is subject to legal retention requirements. In addition, if you discover any errors in data, you may contact us by emailing notices@odessainc.com and we will correct it. You can always opt not to disclose information to us, but keep in mind some information may be needed to take advantage of product features or may be required by your relationship with one of Odessa’s customers.
- Data Privacy Rights Specific to Residents of the European Economic Area. If you are in the EEA, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. You can exercise these rights by making a written request at notices@odessainc.com. Similarly, if we have collected your personal information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect (1) the lawfulness of any processing we conducted prior to your withdrawal, or (2) processing your personal information under other legal bases. If you believe we are using your personal information in a way that is inconsistent with this Privacy Notice or for more information about your rights, contact your local data protection authority (contact details for data protection authorities in the European Economic Area are available here.)
- Advertising and Marketing Choices. We give you many choices regarding our use and disclosure of your personal information for advertising and marketing purposes and regarding receiving Commercial Electronic Messages from Odessa about your use of the Website, the Odessa Solution, the Odessa Software and our Products. You may access or update your contact details and modify your communication preferences by using one of the methods provided under the “How to Contact Us” section below.
8. Other Privacy Related Information
- Data Security. Odessa Solution is designed to provide reasonable and appropriate administrative, technical and organizational security measures to protect your personal information against risks such as temporary or permanent loss, destruction, and unauthorized or unlawful access, alteration, use or disclosure. We require our suppliers and vendors to apply similar protections when they access or use personal information that we share with them. Users of Odessa Solution must also do their part in protecting the data, systems, networks, and service they are utilizing. No technology, data transmission or system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that your password to any Intel account has been compromised), please immediately notify us by contacting us at notices@odessainc.com.
- Retention of Your Information. Odessa retains information about you only for as long as it is necessary and relevant for Odessa’s operations, and for Odessa’s customers to work with their consumers. Information about you that is no longer necessary and relevant for Odessa’s operations will be disposed of securely. Odessa may also retain information collected from you to comply with the law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, and take other actions permitted by law or disclosed in this Privacy Policy.
- Appropriate safeguards where Personal Information is Transferred to a Third Country or to an International Organization. Odessa enters into agreements with its customers regarding the safeguards that have been put in place to protect your Personal Information for transfer outside of Switzerland or the European Economic Area. For transfers to countries without an adequacy decision by Switzerland or the European Commission, Odessa puts appropriate safeguards in place through contractual obligations.
- Linked Sites and Odessa Solution. Odessa’s website or application may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
9. How to Contact Us
If you have questions or complaints regarding Odessa’s Privacy Policy or practices, please contact notices@odessainc.com or via postal mail at:
Two Liberty Place
50 South 16th Street
Suite 1900
Philadelphia, PA 19102
Attention: Data Protection Officer.
Last Revised: April 15, 2024
Odessa Data Processing Addendum
This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Odessa Hosted Services Agreement or other written or electronic agreement (“Agreement”) between Odessa Technologies, Inc. (“Odessa”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA applies to the extent Odessa’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
1.1 For this DPA:
1.1.1. “CCPA” means the California Consumer Privacy Act and its implementing regulations;
1.1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;
1.1.3. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA;
1.1.4. “Data Protection Laws” means all laws relating to data protection and privacy applicable to Odessa’s Processing of Customer Personal Data, including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018, and applicable privacy and data protection laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;
1.1.5. “Data Subjects” means the individuals identified in Schedule 1;
1.1.6. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;
1.1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);
1.1.8. “Personal Data”, “Personal Data Breach” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;
1.1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller;
1.1.10. “Sell” has the meaning given in the Data Protection Laws; and
1.1.11. “UK SCCs” means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission’s decision (C(2010)593) of 5 February 2010.
1.2 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1. The parties acknowledge and agree that Customer is the Controller or Processor of Customer Personal Data and Odessa is a Processor of Customer Personal Data. Odessa will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Odessa Solution. Odessa is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Odessa Solution as set forth in the Agreement and this DPA. Odessa shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Odessa Solution, or as otherwise permitted by Data Protection Laws; or (2) Sell Customer Personal Data. Odessa certifies that it understands and will comply with the restrictions contained in this Section 2.1.
2.2. Odessa will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws.
2.3. The details of Odessa’s Processing of Customer Personal Data are described in Schedule 1.
2.4. If applicable laws preclude Odessa from complying with Customer’s instructions, Odessa will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
2.5. Each of Customer and Odessa will comply with their respective obligations under the Data Protection Laws.
3. Cross-Border Transfers of Personal Data
3.1. With respect to Customer Personal Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Customer to Odessa in the United States, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and Odessa as the “data importer.”
3.2. For the EU SCCs the parties agree that:
3.2.1. In Clause 7, the optional docking clause will not apply;
3.2.2. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA;
3.2.3. In Clause 11, the optional language will not apply;
3.2.4. In Clause 17, the EU SCCs shall be governed by the laws of France;
3.2.5. In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of France;
3.2.6. In Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller and Odessa is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Odessa Solution pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
3.2.7. In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Odessa’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Odessa Solution); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Odessa uses the Sub-Processors identified at Schedule 3 hereto to support the provision of the Odessa Solution.
3.2.8. In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Odessa. Unless and until Customer communicates a competent supervisory authority to Odessa, the competent supervisory authority shall be the Irish Data Protection Commission.
3.2.9. In Annex II, Odessa has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.
3.3. If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection, the parties agree to rely on the EU SCCs with the following modifications: (i) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection; (ii) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (iii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the Swiss Federal Act on Data Protection; and (iv) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs.
3.4. With respect to transfers from Customer to Odessa of Customer Personal Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the UK SCCs: (i) Customer is the “data exporter”, and Odessa is the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for Appendix 1 to the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this DPA; and (vi) for Appendix 2 to the UK SCCs, the security measures are as described in Schedule 2. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR. The UK SCCs will apply only until the Information Commissioner’s Office issues new standard contractual clauses under the UK GDPR. If the Information Commissioner’s Office approves the EU SCCs for transfers from the UK, the parties agree that the EU SCCs as implemented by this DPA will be the mechanism to legitimize such transfers. Where necessary, the parties shall work together, in good faith, to enter into an updated version of the UK SCCs or negotiate an alternative solution to enable transfers of Customer Personal Data in compliance with Data Protection Laws.
4. Confidentiality and Security
4.1. Odessa will require Odessa’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.
4.2. Odessa will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
4.3. To the extent required by Data Protection Laws, Odessa will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.
5. Sub-Processing
5.1. Customer agrees that Odessa may engage Sub-Processors to Process Customer Personal Data on Customer’s behalf. Odessa will inform Customer of any intended changes concerning the addition or replacement of Sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within seven days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
5.2. Odessa will impose on its Sub-Processors substantially the same obligations that apply to Odessa under this DPA. Odessa will be liable to Customer for breaches of its Sub-Processors’ obligations as it would be for its own.
5.3. The parties agree that the copies of the Authorized Sub-Processor agreements that must be provided by Odessa to Customer pursuant to Clause 9(c) of the EU SCCs and Clause 5 of the UK SCCs, if applicable, may have commercial information or clauses unrelated to the EU or UK SCCs removed by Odessa beforehand; and, that such copies will be provided by Odessa, in a manner to be determined in its discretion, only upon Customer’s written request.
6. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Odessa receives any Requests during the term, Odessa will advise the Data Subject to submit the request directly to Customer or the appropriate Controller. Odessa will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.
7. Personal Data Breaches
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Odessa will (i) promptly take measures designed to remediate the Personal Data Breach and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer. At Customer’s request, Odessa will reasonably assist Customer’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Odessa’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Odessa of any fault or liability with respect to the Personal Data Breach.
8. Data Protection Impact Assessment; Prior Consultation
Taking into account the nature of the Processing and the information available to Odessa, Odessa will reasonably assist Customer in conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by Odessa of Customer Personal Data.
9. Deletion of Customer Personal Data
Customer instructs Odessa to delete Customer Personal Data within 30 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, Odessa may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Odessa maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
10. Audits
10.1. Customer may audit Odessa’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Odessa suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Odessa’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Odessa will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Odessa Solution, as described below.
10.2. To request an audit, Customer must submit a detailed proposed audit plan to notices@odessainc.com at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Odessa will review the proposed audit plan and provide Customer with any concerns or questions (for example, Odessa may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Odessa confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date.
10.3. Odessa may object to third party auditors that are, in Odessa’s reasonable opinion, not suitably qualified or independent, a competitor of Odessa, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.
10.4. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Odessa’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Odessa confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Odessa’s health and safety or other relevant policies and may not unreasonably interfere with Odessa business activities and shall be subject to terms Odessa may reasonably impose to protect its operations and the confidentiality of its information and the information of third parties to whom Odessa owes an obligation of confidentiality.
10.6. Any audits are at Customer’s expense. Customer will promptly disclose to Odessa any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
10.7. The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10.
11. Liability
11.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
11.2. Customer acknowledges that Odessa is reliant on Customer for direction as to the extent to which Odessa is entitled to Process Customer Personal Data on behalf of Customer in performance of the Odessa Solution. Consequently, Odessa will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Odessa in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
12. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the EU or UK SCCs, the EU or UK SCCs will prevail.
SCHEDULE 1
Details of Processing
1. Categories of Data Subjects. This DPA applies to Odessa’s Processing of Customer Personal Data relating to Customer’s employees, contractors, and end users of the Odessa Solution (“Data Subjects”).
2. Types of Personal Data. The extent of Customer Personal Data Processed by Odessa is determined and controlled by Customer in its sole discretion and includes names, contact information, employer, title, image, location, language preference, IP address, and any other Personal Data that may be transmitted through the Odessa Solution by Data Subjects.
3. Subject Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that Odessa needs to perform in order to provide the Odessa Solution pursuant to the Agreement.
4. Purpose of the Processing. Odessa will Process Customer Personal Data for purposes of providing the Odessa Solution as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
SCHEDULE 2
Security Overview
1. Purpose. Odessa is committed to maintaining customer trust. The purpose of this Security Overview is to describe the security program for the Odessa Solution. This Security Overview describes the minimum security standards that Odessa maintains in order to protect Customer Personal Data from unauthorized use, access, disclosure, theft, or manipulation. As security threats shift and evolve, Odessa continues to update its security program and strategy to help protect Customer Personal Data. Odessa reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. Any capitalized term not defined in this Security Overview will have the meaning given in the Agreement or the DPA.
2. Odessa Solution Covered. This Security Overview describes the architecture, administrative, technical and physical controls as well as third party security audit certifications that are applicable to the Odessa Solution.
3. Security Organization & Program. Odessa maintains a risk-based assessment security program. The framework for Odessa’s security program includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Personal Data. Odessa’s security program is intended to be appropriate to the nature of the Odessa Solution and the size and complexity of Odessa’s business operations. Odessa’s security framework includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, as well as Security Monitoring and Incident Response. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Odessa employees for their reference.
4. Confidentiality. Odessa has controls in place to maintain the confidentiality of Customer Personal Data that Customer makes available to the Odessa Solution, in accordance with the Agreement. All Odessa employees and contract personnel are bound by Odessa’s internal policies regarding maintaining confidentiality of Customer Personal Data and contractually commit to these obligations.
5. People Security.
5.1. Employee Background Checks. Odessa carries out background checks on individuals joining Odessa in accordance with applicable local laws. Odessa currently verifies the individual’s education and previous employment, and also carries out reference checks. Where local labor law or statutory regulations permit, and dependent on the role or position of the prospective employee, Odessa may also conduct criminal, credit, immigration, and security checks.
5.2. Employee Training. At least once a year, all Odessa employees must complete the Odessa security and privacy training which covers Odessa’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training.
6. Third Party Odessa Management.
6.1. Odessa Assessment. Odessa may use third party vendors to provide the Odessa Solution. Odessa carries out a security risk-based assessment of prospective vendors before working with those vendors to validate that prospective vendors meet Odessa’s security requirements. Odessa periodically reviews each third party in light of Odessa’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. Odessa ensures that Customer Personal Data is returned and/or deleted at the end of an Odessa relationship. For the avoidance of doubt, third-party services that Customer chooses to integrate via the Odessa Solution are not considered subcontractors of Odessa.
6.2. Odessa Agreements. Odessa enters into written agreements with all of its vendors which include confidentiality, privacy and security obligations that provide an appropriate level of protection for the personal data contained within the Customer Personal Data that these vendors may process.
7. Security Certificates.
7.1. Odessa Certificates. Odessa has obtained the following security-related certifications for the Odessa Solution:
7.2. System and Organization Control (“SOC”) 2 – Type I. Odessa maintains SOC 2 – Type II certification for the Odessa Solution. SOC 2 audits for the Odessa Solution are conducted once a year by an independent third-party auditor. The SOC 2 audits validate Odessa’s physical and environmental safeguards for production data centers, backup and recovery procedures, software development processes, and logical security controls.
7.3. Azure Certifications. In addition, the Odessa Solution uses and leverages Azure data centers, with a reputation of being highly scalable, secure, and reliable. Information about Azure audit certifications is available at the Azure Security website https://learn.microsoft.com/en-us/azure/security/Azure.
8. Architecture and Data Segregation. The cloud communication platform for the Odessa Solution is hosted by Microsoft Azure (“Azure”). The current location of the Azure data center infrastructure used in providing the Odessa Solution is located in the United States. Further information about security provided by Azure is available from the Azure security webpage available at https://learn.microsoft.com/en-us/azure/security/. Odessa separates Customer Personal Data using logical identifiers, tagging all communications data with the associated Customer ID to clearly identify ownership. Odessa’s APIs are designed and built to identify and allow access only to and from these tags and enforce access controls to ensure the confidentiality and integrity requirements for each Customer are appropriately addressed. These controls are in place so one customer’s communications cannot be accessed by another customer.
9. Physical Security.
9.1. Azure data centers that host the Odessa Solution are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Odessa headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit television), and overall office security. All contractors and visitors are required to wear identification badges.
10. Security by Design. Odessa’s Software Development Lifecycle (SDLC) standard defines the process by which Odessa creates secure products and the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment). Odessa engineers perform numerous security activities for the Odessa Solution including:
10.1. internal security reviews before products are launched;
10.2. periodic penetration tests performed by independent third-party contractors; and
10.3. threat models for the Odessa Solution, including documenting any detection of attacks.
11. Access Controls.
11.1. Provisioning Access. To minimize the risk of data exposure, Odessa follows the principles of least privilege when provisioning system access. Odessa personnel are authorized to access Customer Personal Data based on their job function, role and responsibilities, and such access requires approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Personal Data is promptly removed upon termination of their employment. Before an Odessa employee is granted access to the production environment, access must be approved by management and the employee is required to complete internal trainings for such access including trainings on the relevant team’s systems. Odessa logs high risk actions and changes in the production environment. Odessa leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
11.2. Password Controls. Odessa’s current policy for employee password management follows a strict password standard, and as such, our policy is to use longer passwords, with multi-factor authentication but not require frequent changes. The Odessa Solution supports Single Sign On as well as application based custom authentication. Where a custom authentication mechanism is leveraged, the Odessa Solution stores Customer passwords in encrypted form.
12. Change Management. Odessa has a formal change management process to manage changes to software, applications and system software that will be deployed within the production environment. Change requests are documented using a formal, auditable, system of record. Prior to a high-risk change being made, an assessment is carried out to consider the impact and risk of a requested change, evidence acknowledging applicable testing for the change, approval of deployment into production by appropriate approver(s) and roll back procedures. A change is reviewed and tested before being deployed to production.
13. Encryption. For the Odessa Solution, Odessa’s cloud platform supports TLS 1.2 to encrypt network traffic transmitted between a Customer application and Odessa’s cloud infrastructure. When supported by integrations selected by Customer, Odessa’s cloud platform will also encrypt network traffic between Odessa’s cloud infrastructure and the integration provider. All Customer Personal Data is stored encrypted using 256-bit Advanced Encryption Standard (AES-256).
14. Vulnerability Management. Odessa maintains controls and policies to mitigate the risk from security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Odessa uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Odessa’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested and applied proactively.
15. Penetration Testing. Odessa performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Results of penetration tests are prioritized, triaged and remediated promptly by Odessa’s engineering team.
16. Security Incident Management. Odessa maintains security incident management policies and procedures in accordance with industry standards and best practices. Odessa assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. Odessa utilizes Azure platforms and third-party tools to detect, mitigate, and to help prevent Distributed Denial of Service (DDoS) attacks.
17. Discovery, Investigation and Notification of a Security Incident. Upon discovery or notification of any Security Incident, Odessa will:
17.1. promptly investigate such Security Incident;
17.2. to the extent that is permitted by applicable law, promptly notify Customer.
18. Resilience and Odessa Solution Continuity. Odessa infrastructure for the Odessa Solution uses a variety of tools and mechanisms to achieve high availability and resiliency. For the Odessa Solution, Odessa’s infrastructure spans multiple fault-independent Azure availability regions. For the Odessa Solution, there are manual or automatic capabilities to re-route and regenerate hosts within Odessa’s infrastructure. Odessa leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone. Odessa will also be notified immediately and have the ability to take prompt action to correct the cause(s) behind these issues.
19. Backups and Recovery. Odessa performs regular backups of the Odessa Solution account information, message templates, message logs and other critical data using Azure cloud storage. Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.
SCHEDULE 3
Subprocessors
Microsoft Azure
WhatFix
Licensespring
Information Security Policy
When you browse our website, you do so anonymously, unless you have previously registered with us. We do collect IP (Internet Protocol) addresses of computers for the purpose of maintaining and improving site quality and integrity.
Acceptable Use Policy
1. Introduction
This acceptable use policy (the “AUP”) specifies guidelines for users of the Odessa Solution. By using the Odessa Solution, you agree to the latest version of the AUP. Odessa may modify the AUP at any time by posting a revised version on Odessa’s website. If you violate the AUP or authorize or help others to do so, we may suspend or terminate your use of the Odessa Solution.
2. Acceptable Use Policy
The Odessa Solution shall not be used by any person or entity:
a. in any way that violates any applicable federal, state, local, or international law or regulation;
b. for fraudulent purposes;
c. for the purpose of exploiting, harming, or attempting to exploit or harm minors in any way, including by exposing them to inappropriate content;
d. to store, publish, display, or transmit defamatory, infringing, libelous, harassing, abusive, threatening or otherwise unlawful or tortious material;
e. to store, publish, display or transmit material in violation of third-party privacy rights;
f. to send unsolicited messages or postings, including bulk commercial advertising or informational announcements and “spam”;
g. to compromise or attempt to compromise the security of any Odessa or third-party network, system, server, or account;
h. to impersonate or attempt to impersonate Odessa, Odessa personnel, another subscriber or user, or any other person or entity; or
i. in any way that restricts or inhibits anyone’s use or enjoyment of the Odessa Solution or which, as determined by Odessa, may harm Odessa or users of the Odessa Solution or expose them to liability.
3. Reporting a violation of AUP
a. Any data placed in the Odessa Solution (“Customer Data”) is solely the responsibility of Odessa’s customers.
b. Reports of a violation of the AUP by any Customer Data should:
i. be sent to abuse@odessainc.com or mailed to the following address:
Attention: Legal Department / Abuse
Odessa Technologies, Inc.
50 S 16th Street, Suite 1900
Philadelphia, PA 19102
ii. identify the exact content hosted, referenced or linked by Odessa that violates the AUP;
iii. document your efforts to contact the customer directly; and
iv. provide an email address to permit our customer or Odessa to contact you.
c. Odessa will promptly forward this report to the applicable customer. Odessa reserves the right to investigate any violation of the AUP or misuse of the Odessa Solution. Odessa may suspend or terminate a customer’s account or remove or disable access to any content that violates the AUP or any other agreement with a customer for use of the Odessa Solution.
4. Digital Millennium Copyright Act (“DMCA”)
a. Odessa complies with laws applicable to it and its services.
b. Odessa is entitled to rely upon (among other things) the DMCA safe harbor available to hosting service providers and search engines. Although it is Odessa’s policy to respond to clear notices of alleged copyright infringement, Odessa recommends that you submit a notice pursuant to the DMCA directly to the customer who provided the content. Odessa’s response to these notices may include forwarding the notice to the applicable customer or removing or disabling access to material claimed to be the subject of infringing activity. Odessa maintains policies and procedures to terminate subscribers that would be considered repeat infringers under the DMCA. See 17 U.S.C. 512 available at http://www.copyright.gov/
c. You may submit a DMCA notification to Odessa’s Designated Copyright Agent with the following information in writing (see 17 U.S.C. 512(c)(3) for additional information):
i. a physical or electronic signature of a person authorized to act on behalf of the owner of the allegedly infringed copyright;
ii. identification of the copyrighted work or works claimed to have been infringed;
iii. identification of, and information reasonably sufficient to permit Odessa or the applicable customer to locate, the material that is claimed to be infringing or is the subject of infringing activity;
iv. information reasonably sufficient to permit the applicable customer or Odessa to contact you, such as an address, telephone number, and, if available, an electronic mail address;
v. a statement that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
vi. a statement that the information in the notification is accurate, and under penalty of perjury, that you are authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
d. Unless it is reasonably apparent to Odessa that the applicable customer has already received a notice of infringement from you regarding a particular content, Odessa will forward all the information you provide in your notice, including your contact information, to the applicable customer. Odessa’s Designated Copyright Agent to receive notifications of claimed copyright infringement is our Legal Department, Odessa Technologies, Inc., 50 S 16th Street, Suite 1900, Philadelphia, PA 19102, email: abuse@odessainc.com.