Data Processing Addendum
Last updated April 22, 2025
Orum Inc. (“Provider”) may process Licensee Personal Data on behalf of the customer entity that is a party to Provider’s Standard Software and Services Agreement, or another written or electronic agreement including, without limitation Orum’s Terms of Service, which govern the provision of the Service to Licensee, as such terms or agreement may be updated from time to time (the “Agreement”). Where this is the case, the Provider will Process such Licensee Personal Data in accordance with the terms and conditions of this Data Protection Addendum (“DPA”), which is supplemental to and subject to the terms of the Agreement entered into between the parties.
Unless otherwise set out below, each capitalized term in this DPA will have the meaning set out in the Agreement.
The parties hereby agree as follows:
- Definitions.
- “Adequate Data Protection Destination” means a country, a territory or one or more specified sectors within a third country, or an international organization (each a "Destination") determined by a supervisory authority under applicable Data Protection Law as a Destination to which Licensee Personal Data may be transferred or made available on the basis that the Destination provides an adequate level of protection for Personal Data and without specific authorization but does not include a Destination where such a determination has been revoked or found invalid either by a supervisory authority or a court with applicable jurisdiction from the time of such revocation or finding.
- “Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity. For purposes of this definition, “control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.
- “Agreement” means the Software License Terms and the related Order Form, which together govern the provision of the Services to Licensee.
- “Licensee Personal Data” means any Personal Data that Provider processes on behalf of Licensee as a Data Processor in the course of providing the Services, as more particularly set out in Annex I.
- “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199.95), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102), and any related regulations or guidance provided by the California Attorney General, as amended or superseded from time to time. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Agreement.
- “Controller” shall have the same meaning as set out in the GDPR.
- “CPRA” means the California Privacy Rights Act of 2020 (2020 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§ 1798.100 et seq.), and its implementing regulations, as amended or superseded from time to time.
- “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”), the UK Data Protection Act 2018 and the UK GDPR, the CCPA, the CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy, in each case to the extent applicable to the Processing of Licensee Personal Data by Provider on behalf of Licensee pursuant to the Agreement.
- “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- “Personal Data” shall have the same meaning as set out in the GDPR or under the applicable Data Protection Laws.
- “Processor” shall have the same meaning as set out in the GDPR.
- “Processing” shall have the same meaning as set out in the GDPR and “process”, “processes”, and “processed” will be interpreted accordingly.
- “Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Licensee Personal Data.
- “Standard Contractual Clauses” means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as officially published at https://eurlex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, as may be amended, superseded, or replaced from time to time, and which includes ANNEX I (Processing Details), ANNEX II (Technical and Organisational Measures) and ANNEX III (List of Subprocessors) to this DPA.
- “Services” means any product or service provided by Provider to Licensee pursuant to the Agreement.
- “Sub-processor” means any Processor engaged by Provider to process Licensee Personal Data on Provider’s behalf.
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time, incorporated herein via ANNEX IV, attached hereto.
- “User” means any individual accessing and/or using the Services through the Licensee’s Account.
- Relationship with the Agreement.
- The parties agree that this DPA will replace any existing data protection addendum or similar agreement the parties may have previously entered into in connection with the Services.
- Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict. In the event of inconsistency between the provisions of this DPA and mandatory provisions of the Data Protection Laws, or their interpretation by any court or regulatory agency with authority over the Licensee or Provider, such interpretation shall control. Where provisions of this DPA are different from those mandated in the Data Protection Laws but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this DPA shall control.
- Any claims brought under or in connection with this DPA will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
- Any claims against Provider or its Affiliates under this DPA will be brought solely against the entity that is a party to the Agreement. Licensee further agrees that any regulatory penalties or other liability incurred by Provider in relation to the Licensee Personal Data that arise as a result of, or in connection with, Licensee’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws will count towards and reduce Provider’s liability under the Agreement.
- Except as otherwise required under the Data Protection Laws, including Clause 3 of the Standard Contractual Clauses, no one other than a party to this DPA, its successors and permitted assignees will have any right to enforce any of its terms.
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
- Scope and Applicability of this DPA. This DPA applies where and only to the extent that Provider Processes Licensee Personal Data that is subject to the Data Protection Laws on behalf of Licensee as Processor in the course of providing the Services pursuant to the Agreement. For clarity, where the concepts of Processor and Controller are not expressly contemplated by the applicable Data Protection Laws, the parties' obligations in connection with this DPA will be interpreted under those applicable Data Protection Laws to align as closely as possible with the scope of those roles while still complying fully with those Data Protection Laws.
- Roles and Scope of Processing.
- Role of the Parties. As between Provider and Licensee, Licensee is the Controller of Licensee Personal Data, and Provider will process Licensee Personal Data only as a Processor acting on behalf of Licensee.
- Licensee Processing of Licensee Personal Data. Licensee agrees that: (i) it will comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Licensee Personal Data and any processing instructions it issues to Provider; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for Provider to process Licensee Personal Data and provide the Services pursuant to the Agreement and this DPA.
- Provider Processing of Licensee Personal Data. Provider will process Licensee Personal Data in accordance with (i) the Agreement, to the extent necessary to provide the Services to the Licensee, and (ii) Licensee’s written instructions, unless Processing is required by Data Protection Laws, in which case Provider will, to the extent permitted by Data Protection Laws, inform Licensee of that legal requirement before Processing the Licensee Personal Data. Processing otherwise outside the scope of this DPA will require prior written agreement between the Licensee and the Provider on additional instructions for processing.
- CCPA and CPRA. The Parties acknowledge and agree that Provider will act as a “Service Provider” as such term is defined in the CCPA, in its performance of its obligations pursuant to the Agreement. Provider will Process Licensee Personal Information solely in accordance with the Agreement or other documented instructions of Licensee (whether in written or electronic form), or as otherwise required by applicable law or permitted by the CCPA. Provider is responsible for its compliance with its obligations as a Service Provider under the CCPA and the CPRA. Licensee is responsible for compliance with its own obligations as a Business under the CCPA and the CPRA and shall ensure that it has provided notice and has obtained (or shall obtain) all consents and rights necessary under the CCPA and the CPRA for Provider to collect and process the Personal Information as set forth herein.
Provider will not (i) “sell” or “share” Licensee Personal Information, as such terms are defined in the CCPA/CPRA; (ii) retain, use, or disclose such Personal Information for any purpose other than performing the Services under the Agreement or as otherwise permitted under the CCPA/CPRA; (iii) retain, use, or disclose the Personal Information for a commercial purpose other than providing the Services unless otherwise permitted under the Agreement; or (iv) retain, use, or disclose such Personal Information outside of the direct business relationship between Licensee and Provider unless otherwise permitted under the Agreement. Provider understands and agrees to comply with the restrictions set forth in the CCPA and CPRA as applicable to Provider in its provision of the Services to Licensee under the Agreement. Provider grants Licensee the right to take reasonable and appropriate steps to help ensure Provider’s compliance with its obligations under the CCPA and CPRA. Provider will promptly notify Licensee in the event that it makes a determination that it can no longer meet its obligations under the CCPA/CPRA, in which case Licensee shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Licensee Personal Information.
Provider will hold Licensee Personal Information in confidence pursuant to the confidentiality provisions of the Agreement and will require Provider personnel granted access to Licensee Personal Information to protect all Personal Information accordingly. At Licensee’s request, Provider will assist Licensee, where possible, with Licensee’s obligation to respond to Individuals’ requests to exercise their rights under the CCPA, including to respond to requests for access, knowledge, deletion, or rectification. If applicable, Provider will direct any affiliate or subcontractor that Processes such Licensee Personal Information to promptly and securely delete or destroy such Personal Information. Provider will confirm to Licensee in writing that Provider has complied with its obligations under this section. Upon termination or expiration of the Agreement for any reason, Provider will return, destroy, or Deidentify Licensee Personal Information at Licensee’s request. Notwithstanding the foregoing, Provider may retain Licensee Personal Information to the extent required by applicable laws.
- Subprocessors.
- Licensee agrees that Provider has Licensee’s general authorisation for the engagement of Subprocessors to process Licensee Personal Data on Licensee’s behalf from an agreed list, which current list is set forth on Annex III (“Subprocessor List”).
- Provider will inform Licensee in writing, or by posting such updates here, of any intended changes to the Subprocessor List through the addition or replacement of Subprocessors at least five (5) business days in advance. If Licensee objects to such a change, Licensee may, as its sole and exclusive remedy, terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Subprocessor by providing 30 days’ prior written notice to Provider. If Licensee wishes to be notified via email or through another method, please email privacy@orum.com with such request.
- Subprocessor Obligations. Provider will: (i) enter into a written agreement with the Subprocessor imposing similar data protection terms as set out in this DPA that require the Subprocessor to protect the Licensee Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Provider to breach any of its obligations under this DPA.
- Data Security, Audits, and Security Notifications.
- Security Policy. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider will implement and maintain appropriate technical and organizational security measures designed to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Provider shall put in place and maintain technical and organisational measures designed to protect Licensee Personal Data against any Security Incidents.
- Updates to Security Measures. Licensee is responsible for reviewing the information made available by Provider relating to data security and making an independent determination as to whether the Services meet Licensee’s requirements and legal obligations under Data Protection Laws.
- Licensee Responsibilities. Notwithstanding the above, Licensee agrees that except to the extent expressly provided in this DPA, Licensee is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Licensee Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or back up any Licensee Personal Data uploaded to the Services.
- Provider Personnel. Provider shall limit access to Licensee Personal Data to those employees or other personnel who have a business need to have access to such Licensee Personal Data. Further, Provider shall ensure that such employees or other personnel are bound by a duty of confidentiality.
- Security Incident Response. Provider shall notify Licensee without undue delay, and in any event within seventy-two (72) hours, of any Security Incident of which Provider becomes aware. Provider shall provide commercially reasonable cooperation in identifying the cause of such Security Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within Provider's control. In addition, Provider shall provide Licensee with information reasonably required by Licensee to enable it to comply with its obligations relating to ‘eligible data breaches’ under applicable Data Protection Laws.
- Security Audits. To the extent expressly required in writing by a competent data protection authority or following a Security Incident involving Licensee Personal Data, the Licensee may, at Licensee’s cost and upon reasonable notice and at reasonable times no more than once per year, audit Provider’s compliance with the security measures set out in this DPA.
- International Transfers.
- Processing Locations. Provider may process data anywhere in the world where Provider, its Affiliates or its Subprocessors maintain data processing operations, provided that Provider will at all times provide an adequate level of protection for the Licensee Personal Data processed, in accordance with the requirements of applicable Data Protection Laws.
- Transfers of Personal Data. To the extent that the Processing of Licensee Personal Data by Provider involves the export of such Licensee Personal Data to a third party in a country or territory other than an Adequate Data Protection Destination, such export shall be governed by the Standard Contractual Clauses, which are hereby incorporated into and form part of this DPA. In the event of a conflict between any of the provisions of the Standard Contractual Clauses and this DPA, the provisions of the Standard Contractual Clauses shall prevail.
- Transfers Outside the EEA. In relation to transfers of Licensee Personal Data originating from the EEA and subject to GDPR to any country other than an Adequate Data Protection Destination, the Standard Contractual Clauses shall apply as follows:
- the Module Two terms shall apply where Licensee is the controller of Licensee Personal Data and the Module Three terms shall apply where Licensee is a processor of Licensee Personal Data;
- in Clause 7, the optional docking clause shall apply and Authorized Affiliates may accede to the Standard Contractual Clauses under the same terms and conditions as Licensee, subject to the mutual agreement of the parties;
- in Clause 9, option 2 (“General Authorization”) is selected and the time period for prior notice of Subprocessor changes shall be five (5) business days, and the process for Sub-processor changes shall be as set out in the DPA;
- in Clause 11, the optional language shall not apply;
- in Clause 17, option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law;
- in Clause 18, disputes shall be resolved before the courts of Ireland; and
- ANNEX I and ANNEX II shall be deemed completed with the information set out in ANNEX I and ANNEX II to this DPA, respectively.
- Transfers Outside the UK. In relation to transfers of Licensee Personal Data originating from the UK to any country other than an Adequate Data Protection Destination, the Standard Contractual Clauses as implemented by the preceding subsection (Transfers Outside the EEA) shall apply, as modified and interpreted in accordance with the UK Addendum.
- Transfers Outside Australia. To the extent that the Processing of Licensee Personal Data for an Australian data subject involves the export by the Provider of such Licensee Personal Data to a country outside Australia, Provider will take reasonable steps to ensure that the recipient will not breach the Australian Privacy Principles in relation to that Licensee Personal Data.
- Governmental Requests. If Provider receives a request from a governmental authority for access to any Licensee Personal Data, Provider will evaluate challenging such request before disclosing such data to the governmental authority.
- Encryption. Licensee Personal Data will be encrypted at rest using AES-256 or better and in transit using HTTPS and TLS 1.2 or later.
- Return or Deletion of Data. Upon termination of the Agreement, Provider shall, upon Licensee's request, return all Licensee Personal Data in Provider's possession to Licensee or securely destroy such Licensee Personal Data, unless applicable law prevents it from returning or destroying all or part of Licensee Personal Data.
- Data Subject Rights.
- Data Subject Requests. Unless otherwise required by applicable law, Provider shall promptly notify Licensee of any request received by Provider or any Subprocessor from a data subject in respect of the Licensee Personal Data and shall not respond to the data subject. Provider shall, where possible, assist Licensee with ensuring its compliance under applicable Data Protection Laws by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Licensee’s obligation to respond to requests for exercising data subject rights laid down in the Data Protection Laws and in particular shall:
- provide Licensee with the ability to correct, delete, block, access, or copy the Licensee Personal Data, or
- promptly correct, delete, block, access, or copy Licensee Personal Data within the Services at Licensee’s request.
- Government Requests. If a law enforcement agency sends Provider a demand for Licensee Personal Data (for example, through a subpoena or court order), Provider will attempt to redirect the law enforcement agency to request that data directly from Licensee. As part of this effort, Provider may provide Licensee’s basic contact information to the law enforcement agency. If compelled to disclose Licensee Personal Data to a law enforcement agency, then Provider will give Licensee reasonable notice of the demand to allow Licensee to seek a protective order or other appropriate remedy unless Provider is legally prohibited from doing so.
- Data Protection Impact Assessments. To the extent Provider is required under applicable Data Protection Laws, Provider will (at Licensee’s expense to the extent legally permitted) provide reasonably requested information regarding the Services to enable the Licensee to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
ANNEX I
A. LIST OF PARTIES
Data exporter
The data exporter is the Licensee.
Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses:
Signature and date:
Role (controller/processor): Controller
Data importer
The data importer is Provider.
Name: Orum Inc.
Address: 1401 Lavaca Street, #685 Austin, TX 78701 United States
Contact person’s name, position and contact details: Ryan Melvin, VP of Legal, ryan.melvin@orum.com
Activities relevant to the data transferred under these Clauses: The provision of the Services to the Licensee and the performance by Provider pursuant to the Agreement (including the DPA).
Signature and date:
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Any individual: (i) whose personal data is provided by Licensee for use with the Services; (ii) whose information is stored on or collected via the Services, or (iii) to whom Users call via telephone or otherwise engage or communicate with via the Services.
Categories of personal data transferred:
Identification and contact data such as name, email address, IP address, telephone number; employment details such as employer, job title, geographic location, area of responsibility; such other personal data that may be provided by Licensee in its sole discretion
Frequency of the Transfer
Continuous basis
Nature of the processing
Transmitting, collecting, storing and analysing data in order to provide the Services to the Licensee, and any other activities related to the provision of the Services or specified in the Agreement.
Purpose(s) of the transfer and further processing
The provision of the Services by Provider to Licensee, as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Until the termination of the Agreement in accordance with its terms.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
See Annex III.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
..............................................................................................
The parties shall follow the rules for identifying such authority under Clause 13 and, if a competent supervisory authority is not listed above, the parties hereby select the Irish Data Protection Commission to the extent legally permissible.
ANNEX II
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Provider will maintain administrative, technical, and organizational safeguards for protection of the security, confidentiality and integrity of Licensee Personal Data, such measures are outlined below. Provider will not materially decrease the overall security of the Services during a subscription term.
Provider’s data protection and security concepts around technical and organizational measures follow International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) standards. The following measures are subject to change based on operational requirements and the evolution of technology and security threats. These measures apply generally to all transfers contemplated by this Agreement.
The information security organization has established relevant technical standards documented as follows:
Measures of encryption of personal data:
- Sensitive data is hashed using a keyed HMAC based on SHA-512 (a one-way, keyed hash; this is not reversible encryption)
- HTTPS encryption for data in transit (using TLS 1.2 or greater) on every login interface, using industry standard algorithms and certificates.
- Encryption of data at rest using the industry standard AES-256 algorithm
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:
- Multi-Factor Authentication (MFA)
- Differentiated rights system based on security groups and access control lists.
- Secure transmission of credentials using TLS 1.2 (or greater)
- Passwords require a defined minimum complexity. Initial passwords must be changed after the first login.
- Automatic account locking
- Guidelines for handling of passwords
- Access controls to infrastructure that is hosted by cloud service provider
- Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to-know” principle, managing of individual access rights.
- Training and confidentiality agreements for internal staff and external staff
- Network separation
- Segregation of responsibilities and duties
- Secure network interconnections ensured by firewalls etc.
- Logging of transmissions of data from IT systems that store or process personal data.
- Logging authentication and monitored logical system access
- Documentation of data entry rights and logging security related entries
- Customer data is backed up to multiple durable data stores and replicated across multiple availability zones
- Protection and encryption of stored backup media
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
Measures for ensuring the ability to restore the availability and access to personal Data in a timely manner in the event of a physical or technical incident:
- Continuity Planning and Disaster Recovery Plan
- Disaster recovery processes to restore data and processes
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Maximum Tolerable Downtime (MTD)
- Capacity management measures to monitor resource consumption of systems as well as planning of future resource requirements.
- Procedures for handling and reporting incidents (incident management) including the detection and reaction to possible security incidents.
- Productive data is backed up hourly in incremental form and daily as a full backup. All backups are kept redundant and in encrypted form (AES-256).
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing:
- Testing of emergency equipment
- Documentation of interfaces and personal data fields
- Internal and external audits
- Security checks (e.g. penetration tests) conducted by external parties
- Bug bounties
- SOC 2 audits
- Regular benchmarking and testing with industry standards, e.g. Cloud Security Alliance, Center for Internet Security (CIS) Controls, NIST guidelines, etc.
Measures for user identification and authorization:
- Secure network interconnections ensured by MFA, firewalls etc.
- Logging of transmissions of data from IT systems that store or process personal data
- Logging authentication and monitored system access
- Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept in accordance with the “need-to-know” principle.
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
Measures for the protection of Data during transmission:
- Remote access to the network via VPN tunnel and end-to-end encryption
- HTTPS encryption for data in transit (using TLS 1.2 or greater)
Measures for the protection of Data during storage:
- System inputs recorded via log files
- Access Control Lists (ACL)
- Multi-factor Authentication (MFA)
Measures for ensuring physical security of locations at which personal Data are processed:
- Subdivision of the facility into individual zones with different access authorizations
- Physical access protection (e.g. steel doors, windowless rooms or secured windows).
- Electronic access control system to protect security areas.
- Monitoring of the facility by security services and access logging to the facility.
- Video surveillance of all security-relevant security areas, such as entrances, emergency exits and server rooms.
- Central assignment and revocation of access authorizations.
- Identification of all visitors by verification of their identity card and registration (a log of visitors is kept).
- Mandatory identification within the security areas for all employees and visitors.
- Visitors must always be accompanied by employees.
Measures for ensuring system configuration, including default configuration:
- Access Control Policy and Procedures
- Baseline configuration identification
- Configuration Planning and Management
- Configuration Change Management
- Configuration Status Accounting
- Configuration Verification and Audits
- Mobile device management
Measures for internal IT and IT security governance and management:
- Dedicated and identified person to oversee the company's information security and compliance program
- Information and network security staff holding security certifications
- Information Security Management System around development and maintenance of policy and technical standards
- Audit programs that use Information Security frameworks for measurement (ISO 27001, NIST, Cloud Security Alliance, SOC 2)
Measures for certification/assurance of Processes and products:
- Information security or quality management certifications such as ISO 27001, SOC 2, or PCI DSS
Measures for ensuring Data minimization:
- Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.
- Strict time limits for data retention and operational mechanisms that guarantee compliance (e.g. automatic deletion of data after predefined time period).
- Technological barriers to the unauthorized linking of independent sources of data.
- Limitation of the level of detail used in personal data processing, for example through techniques such as differential privacy, k-anonymity, obfuscation and the addition of noise.
- Deletion of metadata generated during certain processes that are not necessary for the pursued goal.
Measures for ensuring Data quality:
- Process for the exercise of data protection rights (right to amend and update information)
- Clear documentation of requirements for all data conditions and scenarios
- Rigorous data profiling and control of incoming data
- Data pipeline design to avoid duplicate data
- Quality Assurance team
- Enforcement of data integrity
Measures for ensuring limited data retention:
- To ensure that the retention schedule is effective and reliable, deletion of data under it should be automated, and tests should be conducted to confirm that the retention policies are actually enforced.
Measures for ensuring accountability:
- Assign responsibility to ensure end-user privacy throughout the product lifecycle and through applicable business processes.
- Data protection impact assessments as an integral part of any new processing initiative.
- Document all decisions that are adopted within the organization from a “privacy and security by design thinking” perspective.
Measures for allowing Data portability and ensuring erasure:
- Documented processes in relation to the exercise by users of their privacy rights (e.g. right of erasure or right to data portability)
- Use of open formats such as CSV, XML or JSON.
Applied restrictions or safeguards for sensitive data (if applicable):
- Encrypting or hashing special category data, although not an explicit legal requirement, should be the norm.
ANNEX III
LIST OF SUBPROCESSORS
Name | Address | Contact Information | Description of Processing
---|---|---|---
Cumul.io Inc. | 77 Sands Street, Office 9009, Brooklyn, New York 11201 | dpo@luzmo.com | Data visualization
Deepgram Inc. | 548 Market St., Suite 25104, San Francisco, CA 94104-5401 | security@deepgram.com | Transcription services
Google | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | https://support.google.com/cloud/contact/dpo; data-protection-office@google.com | Google apps, infrastructure
IBM Inc. | 1 New Orchard Road, Armonk, NY 10504-1772, USA | ChiefPrivacyOfficer@ca.ibm.com | Artificial intelligence
Knock Labs, Inc. | 175 Varick Street #413, New York, NY 10014 | privacy@knock.app | Notifications
OpenAI, L.L.C. | 3180 18th Street, San Francisco, CA | support@openai.com | Artificial intelligence
PIPL | 510 S Clearwater Loop, Ste 100, Post Falls, ID 83854-6930, United States | (415) 373-0180 or https://pipl.com/customer-support | Data provider
Stream.io, Inc. | 1215 Spruce Street, Suite 300, Boulder, CO 80302 | privacy@getstream.io | Text-based chat messages and files
Tavus Inc. | 2101 CityWest, Houston, TX 77042 | support@tavus.io | Video simulation
Twilio (SendGrid) | 375 Beale Street, Suite 300, San Francisco, CA 94105 | privacy@twilio.com | Email delivery platform
Vonage | 217 Second Street, 4th Floor, San Francisco, CA 94105, USA | privacy@vonage.com | Telephony provider; video provider
ANNEX IV
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer)
---|---|---
Start date | |
Parties’ details | Full legal name: ; Trading name (if different): ; Main address (if a company registered address): ; Official registration number (if any) (company number or similar identifier): | Full legal name: Orum Inc.; Trading name (if different): ; Main address (if a company registered address): 1401 Lavaca Street, #685, Austin, TX 78701; Official registration number (if any) (company number or similar identifier):
Key Contact | Full Name (optional): ; Job Title: ; Contact details including email: | Full Name (optional): Ryan Melvin; Job Title: VP of Legal; Contact details including email: privacy@orum.com
Signature (if required for the purposes of Section 2) | |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
---|---

Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
---|---|---|---|---|---|---
1 | No | | | | |
2 | Yes | Yes | No | General Authorisation | Five (5) business days |
3 | No | | | | |
4 | No | | | | |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties | Annex IA to the DPA
---|---
Annex 1B: Description of Transfer | Annex IB to the DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data | Annex II to the DPA
Annex III: List of Subprocessors (Modules 2 and 3 only) | Annex III to the DPA
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: Importer Exporter X Neither Party
---|---
Part 2: Mandatory Clauses
This Addendum hereby incorporates that certain Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.