Data Processing Agreement

February 7, 2024

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Kudos Terms of Service (order form or other written or electronic agreement governing Customer's use of the Service (“Main Agreement”) between Customer and Kudos (each a “party” and together the “parties"). In the course of providing the Service to Customer, Kudos may process Customer Data (defined below) and the parties agree to comply with the following provisions with respect to any processing of Customer Data by Kudos as a processor or service provider to Customer.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1. DEFINITIONS

“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement.

“Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code, including any amendments and any implementing regulations thereto that become effective on or after the Effective Date of this DPA.

“Customer Personal Data” means the Personal Data processed by Kudos Inc. on behalf of Customer or Customer Affiliate in connection with the provision of the Services.

"Data Protection Laws" means the applicable data protection and privacy laws and regulations in the United Kingdom, United States, European Union, and Canada, including but not limited to a. In the United Kingdom, the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR); b. In the United States (US), the California Consumer Privacy Act (CCPA), and any other relevant federal and state data protection laws; c. In the European Union, the GDPR, as well as any additional or modified data protection laws of EU member states; and d. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial data protection laws.

“Data Subject” means a natural person whose Personal Data is Processed.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law.

“Instruction” means any documented instruction, submitted by Controller to Processor, directing Processor to perform a specific action regarding Customer Personal Data, including but not limited to the description of the Services to be provided by Processor under the Agreement.

“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “Personal Data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.

“PIPEDA” means the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

“Processing” means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.

“Security Incident” means a breach of security or other event leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Personal Data.

“Services” means the services provided by Processor to Controller under the Agreement.

“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

“Sub-processor” means an entity appointed by Processor to Process Personal Data on its behalf.

“US Data Protection Laws” means federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.

2. INTERACTION WITH THE AGREEMENT

2.1. This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Personal Data.

2.2. This Addendum shall apply to the Processing of Personal Data by Kudos Inc. on behalf of the Customer. Data

2.3 The Processing of Personal Data shall be carried out in accordance with the terms and conditions set forth in this Addendum, and in compliance with the Applicable Data Protection Laws.

3. ROLE OF THE PARTIES.

The Parties acknowledge and agree that:

3.1. For the purposes of the GDPR, Kudos Inc. acts as “processor” or “sub-processor” (as defined in the GDPR). Processor's function as processor or sub-processor will be determined by the function of Controller:

a) In general, Customer acts as a controller, Processor acts as a processor.

b) In certain cases, Customer acts as a processor on behalf of another controller, Processor acts as a sub-processor.

3.2. For the purposes of the US Data Protection Laws, Kudos Inc. will act as a “service provider” or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.

4. DETAILS OF DATA PROCESSING

4.1. The details of data processing (such as subject matter, nature and purpose of the processing, categories of personal data and data subjects) are described in the agreement and in Schedule 1.

4.2. Customer Personal Data will only be processed on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The agreement and this DPA shall be customer's Instructions for the processing of Customer Personal Data.

4.3. If Customer’s instructions will cause Kudos Inc to process Personal Data in violation of applicable law or outside the scope of the Agreement or the DPA, Kudos Inc. shall promptly inform Customer thereof, unless prohibited by applicable law (without prejudice to the SCCs).

4.4. Kudos Inc. may store and process Personal Data anywhere Kudos Inc. or its sub-processors maintain facilities, subject to Clause 5 of this DPA.

‍5. SUB-PROCESSORS

5.1. Customer grants Kudos Inc. general authorization to engage sub-processors, subject to Clause 5.2, as well as Kudos Inc.’s current sub-processors listed in Schedule 3 as of the Effective Date.

5.2. Kudos Inc. shall (i) enter into a written agreement with each sub-processor imposing data protection obligations no less protective of Personal Data than Kudos Inc.’s obligations under this DPA to the extent applicable to the nature of the services provided by such sub-processor; and (ii) remain liable for each sub-processor’s compliance with the obligations under this DPA.

5.3. Kudos Inc. shall provide Customer with at least fifteen (15) days’ notice of any proposed changes to the sub- processors it uses to process Customer Personal Data (including any addition or replacement of any sub- processors). Customer may object to Kudos Inc.’s use of a new sub-processor (including when exercising its right to object under Clause 9(a) of the SCCs) by providing Kudos Inc. with written notice of the objection within ten (10) days after Kudos Inc. has provided notice to Customer of such proposed change (an “Objection”). In the event Customer objects to Kudos Inc.’s use of a new sub-processor, Customer and Kudos Inc. will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such objection period, Kudos Inc. may suspend the affected portion of the services.

6. DATA SUBJECT RIGHTS REQUESTS

6.1. As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data (“Data Subject Request”).

6.2. Kudos Inc. will forward to Customer without undue delay any Data Subject Request received by Kudos Inc. or any sub-processor from an individual in relation to their Customer Personal Data and may advise the individual to submit their request directly to Customer.

6.3. Kudos Inc. will (considering the nature of the processing of Customer Personal Data) provide Customer with functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under applicable law to respond to Data Subject Requests.

7. SECURITY AND AUDITS

7.1. Audit Rights. Kudos Inc. shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, industry standard security practices, and allow for and contribute to audits, including inspections by Customer to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Clause 7.1 and where applicable, the SCCs) and any audit rights granted by Data Protection Laws, by instructing Kudos Inc. to comply with the audit measures described in Clause 7.2 and 7.3 below.

7.2. Security Reports. Customer acknowledges that Kudos Inc. is regularly audited against SSAE 18 standard by independent third party auditors. Upon written request, Kudos Inc. shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report”), to Customer and any other relevant reports or independent evaluations so that Customer can verify Kudos Inc’s compliance with the audit standard against which it has been assessed and this DPA.

7.3. Security Due Diligence. In addition to the Report, Kudos Inc. shall respond to all reasonable requests for information made by Customer to confirm Kudos inc.’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer’s written request to privacy@kudos.com.

8. SECURITY INCIDENTS

8.1. Kudos Inc. will notify Customer in writing without undue delay after becoming aware of any Security Incident (but in no event later than 48 hours after becoming aware of such Security Incident), and reasonably cooperate in any obligation of Customer under Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities.

8.2. Kudos Inc. shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Kudos Inc.’s notification of or response to a Security Incident under this Clause 8 will not be construed as an acknowledgement by Kudos Inc. of any fault or liability with respect to the Security Incident.

9. DELETION AND RETURN

Kudos Inc. shall, within 90 days of the date of termination or expiry of the Agreement, (a) if requested to do so by Customer within that period, return a copy of all Customer Personal Data or provide self-service functionality allowing Customer to do the same; and (b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by Kudos Inc. or any sub-processors.

10. CONTRACT PERIOD

This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Kudos Inc.’s deletion of all Customer Personal Data as described in this DPA.

11. STANDARD CONTRACTUAL CLAUSES

The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to Kudos Inc. (as data importer).

12. SUPPORT FOR CROSS-BORDER DATA TRANSFERS

Kudos Inc. will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Personal Data. Kudos Inc. will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA“) under Applicable Data Protection Laws. If as a result of such TIA, it is determined that supplementary measures are required, Kudos Inc. further agrees to implement the supplementary measures to be agreed upon by both parties to enable Customer’s compliance with requirements imposed on international transfers of Personal Data under Applicable Data Protection Laws.

13. JURISDICTION-SPECIFIC TERMS

To the extent Kudos Inc. Processes Customer’s Personal Data originating from and protected by Data protection Laws in the following Jurisdictions EU, UK, US, and Canada Data Protection Laws. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Kudos Inc.

14. LIMITATION OF LIABILITY

Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s entire liability, taken in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements or security addendum signed by the parties in connection with the Agreement (if any), whether in contract, tort, or under any other theory of liability, will be subject to the exclusions and limitations on liability section in the Agreement, and any reference in such section to the liability of a party means the total aggregate liability of that party under the Agreement, and this DPA.

Schedule 1 - Details of Processing

A. LIST OF PARTIES

A.1. Data Exporter

Name: Customer and Customer Affiliate’s as defined in the Kudos Inc. Terms of Service

Address: Customer's address, as set out in the Order Form

Contact person’s name, position and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Customer’s Kudos Account.

Role: Controller

The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter (customer) who decides on the scope of the processing of personal data in connection with the Services further described in this Schedule 1 and in the Agreement.

A.2. Data Importer

Name: Kudos Inc.

Address: 2500, 500 4 Avenue SW, Calgary, Alberta T2P 2V6, Canada

Contact person’s name, position and contact details: Kudos Privacy team, privacy@kudos.com

Role: Processor

The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in Clause 7 and 8 of this Schedule 1 and in the Agreement.

B. DESCRIPTION OF TRANSFER

B.1. Categories of Data Subjects

Categories of data subjects whose Customer’s Personal Data will be transferred: Employees of Customers and Customer Affiliates

B.2. Categories of Personal Data

Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and include the following types of minimum required personal data: Employee first name, last name, and email address available optional fields includes department, job title, line manager, external ID (employee ID), employment start dates, bio, accreditations, education, preferred name, favorites, location, country, birthday(day and month only), supervisor email, phone number and extension.

B.3. Sensitive Data

Kudos Inc. does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service.

B.4. The Frequency of Processing

Continuous and as determined by the Customer.

B.5. Nature of the Processing

Kudos Inc. shall Process Personal Data only in accordance with the Agreement.

B.6. Purpose(s) of Processing

Processor is providing the Services described in the Agreement.

B.7. Duration of Processing and Period for which Personal Data will be Retained

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period as contained in the term of the Agreement and as outlined in Clause 9.

Schedule 2 - Technical and Organisational Measures

Technical and organizational measures including technical and organizational measures to ensure the security of the data.

EXPLANATORY NOTE:

The technical and organizational measures are described below. Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Governance and Assurance

Kudos annually engages an independent auditor to verify service commitments and system requirements meet SOC 2 Trust Services Criteria. Our SOC 2 Type II report, available upon request, provides detailed insights into our security practices.
Kudos maintains a comprehensive information security program to ensure information confidentiality, integrity, and availability through technical, physical, and administrative controls.
Annual penetration tests conducted by industry experts help Kudos identify and address security vulnerabilities.

Access Control and User Management

Kudos enforces strong password policies and unique IDs for both Kudos systems and customer accounts.
Customer access requires multi-factor authentication, or through single sign-on (SSO).
Access to systems containing customer data is strictly limited to authorized users with job-critical needs, following the principle of least privilege, granting the minimum access necessary for each role.
All-access requests, approvals, and modifications are logged for audit purposes.
Customer data resides in secure, multi-tenant storage and is segregated from other users.

Personnel Security

All new employees undergo thorough background checks before their first day.
Employees receive mandatory security and privacy awareness training at onboarding and annually.
User accounts are reviewed regularly to ensure alignment with job responsibilities.
All employees are required to acknowledge our code of conduct outlining ethical expectations and consequences of non-compliance

Cloud and Vendor Security

Kudos platform is hosted on Amazon Web Services (AWS).
Agreements are signed with all our vendors ensuring data security and confidentiality are aligned with our Data Processing Agreement.
AWS handles the physical and environmental security based on its shared responsibility model. The physical and environmental security controls are independently verified and assessed to meet SOC 2 Type II, ISO 27001, and other applicable standards.
Kudos regularly assesses its vendors, including reviewing their SOC reports, to ensure appropriate data security scope, address any identified exceptions, and confirm applicable complementary user entity controls.

Data Protection

Data transmission between systems are secured using the latest TLS protocols and industry-standard 256-bit AES encryption.
All customer data is encrypted at rest using a secure key management service.

Threat Detection and Monitoring

Kudos employs proactive measures like intrusion detection and infrastructure monitoring to identify and respond to potential threats.
Kudos leverages logging, alerts, and performance monitoring applications to detect unusual activity, track system performance, and optimize resource utilization.
Kudos uses web application firewalls to filter incoming traffic and prevent unauthorized access.

Incident Response, Recovery and Resilience

Kudos maintains a detailed record of all security incidents, including timestamps, descriptions, and resolution steps. Our security, operations, and support teams investigate any suspicious or confirmed incidents and implement appropriate solutions. Customers will be promptly notified of any confirmed incidents in accordance with our agreement.
Policies and procedures for the entire system development lifecycle are documented, ensuring all changes are tracked, tested, approved, and validated before deployment.
Kudos regularly scans our systems for vulnerabilities and prioritizes remediation of critical, high, and medium-risk issues.
A disaster recovery plan is maintained and tested annually or when there is a significant change within the organization to ensure business continuity in case of emergencies.
Databases are replicated and backed up regularly to ensure data availability in case of disruptions.
Kudos will provide 99.7% uptime exclusive of scheduled outages which will be done whenever possible during non-active hours.

Other Measures

No.

Measures

Description

Measures of pseudonymization of personal data

Kudos Inc. has implemented a de-identification process that uses random values for PII values and columns so that personal data can no longer be associated with a specific data subject.

Measures of encryption of personal data

Data is encrypted at rest using AES-256 Algorithm. Employees laptops are encrypted.
In addition, Data transfers between users and the Kudos platform are secured by using 256-bit AES encryption.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

System is designed to permit users access to information based on least privilege provisioning. Encryption protocols are used to protect customer data at rest and in transit.
Kudos conducts annual SOC 2 Type II Audit by an independent service Auditor.
Penetration tests are conducted annually by an independent third-party assessor.
Disaster recovery plans including restoration of backups have been developed and tested annually. The outcomes of tests are evaluated, and consequently, contingency plans are updated.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

All security related incidents are logged, tracked, and communicated to affected parties. Kudos Incident Response Plan ensures that all incidents are resolved in a timely manner in accordance with our incident management process. Tabletop exercises are performed at defined intervals.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

An assessment over the effectiveness and efficiency of the internal controls, processes and policies is reviewed by management on at least an annual basis and identified deficiencies are remediated in a timely manner.

Measures for user identification and authorization

A user access policy and a process to register and authorize users prior to issuing system credentials and granting access to the system has been implemented.
Access to the Kudos infrastructure and supporting applications requires the use of unique user identifiers (IDs) and strong passwords. User accounts are required to use multi-factor authentication (MFA).

Measures for the protection of data during transmission

Encryption technologies are used to protect communication and transmission of data over public networks and between systems. (Using TLS 1.2 or greater)

Measures for the protection of data during storage

Data is encrypted at rest (stored and backup) using storage layer encryption.
Disk encryption is enabled for all employee laptops across the organization.

Measures for ensuring physical security of locations at which personal data are processed

Kudos employee recognition and rewards Platform is hosted in AWS (Amazon Web Services) Data center. AWS is responsible for providing physical and environmental security controls, administration of their infrastructure, and reporting any logical or physical security incidents.
Kudos performs reviews of SOC reports from AWS to review the appropriateness of scope, impact of identified exceptions and applicable complementary user entity controls.

10.

Measures for ensuring events logging

Implementation of a robust logging and monitoring control for our infrastructure and application. Logging is enabled to monitor administrative activities; logon attempts and data deletions at the application and infrastructure level. Automated alerts are configured to notify IT management and issues identified are resolved in a timely manner.

11.

Measures for ensuring system configuration, including default configuration

Kudos ensures a secure configuration of the service environment by well-defined baseline standards when deploying and making changes to its environment.
Kudos has a Change Management and Access Control policy in place.

12.

Measures for internal IT and IT security governance and management

Kudos security and compliance program is based on industry standards including ISO 27001, SOC 2, COBIT, SANS CIS 18 and OWASP.
Security policies are reviewed and approved by management at least annually and accessible to all the employees of the organization.

13.

Measures for certification/assurance of processes and products

Kudos engages the services of an independent service Auditor to examine and provide reasonable assurance that Kudos’ service commitments and system requirements were achieved based on the trust services criteria relevant to security set forth in TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

14.

Measures for ensuring data minimization

Kudos ensures data minimization by processing only the data that is relevant and necessary for service delivery.
Access to personal data is restricted on a “need to know” principle.

15.

Measures for ensuring data quality

Kudos ensures data quality for data available within its systems by ensuring that such information are up-to-date, continuously reviewing data, and adhering to data deletion processes.
Kudos maintains a formal data retention and disposal procedure for ensuring secure retention and disposal of information.
The quality assurance team ensures that the product is tested and implemented as designed before deployment to production.

16.

Measures for ensuring limited data retention

Kudos ensures limited data retention in accordance with its policy on data retention and deletion. Contract provisions govern the system boundaries for data collection, use, retention, disclosure, and disposal.

17.

Measures for ensuring accountability

Kudos ensures accountability with automated monitoring systems that generate reports and notifications about user activities, exceptions, faults, and security events.
Designated personnel conduct routine reviews of event logs. Log information is protected from modification and unauthorized access. Employees must comply with these processes.

18.

Measures for allowing data portability and ensuring erasure

Kudos ensures data portability by allowing customers the right to receive their data in a structured, commonly used and machine- readable format.
Customers can exercise their data rights - right of access, rectification, erasure (deletion), restriction of processing, data portability, objection, and not to be subject to a decision based exclusively on automated processing - by submitting a request to privacy@kudos.com.

19.

Other

Privacy information is contained in the link provided - https://www.kudos.com/privacy-policy or contact the privacy team via privacy@kudos.com

Schedule 3 - List of Sub-Processors

To ensure Kudos Inc. deliver the Subscription Service, we engage Sub-Processors to assist with our data processing activities. A list of our Sub-Processors and our purpose for engaging them is listed below.

Sub-processor

Purpose of Transfer

Processing Location

Contact

Amazon Web Services

Cloud Computing Services for system infrastructure.

Canada (Central)

Privacy Officer -
‍aws-canada-privacy@amazon.com

Snowflake

Data warehouse solution for analytics and visualizations.

California, USA

Chief Information & Data Officer - privacy@snowflake.com