Relay.app Data Processing Addendum

Effective date: July 29, 2024

Relay.app Inc. (“Relay.app”) and the counterparty agreeing to these terms (“Customer”) have entered into a written or electronic agreement for the Services provided by Relay.app (the “Agreement”). This Data Processing Addendum (“DPA”) forms part of the Agreement.

1. Subject Matter of the DPA

   1. The DPA applies to the processing of personal data subject to EU Data Protection Law under the Agreement.

   2. The term “EU Data Protection Law” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

   3. Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. Other terms used in this DPA that have meaning ascribed to them in EU Data Protection Law, including but not limited to “Processing,” “Personal Data,” “Data Controller,” and “Processor” shall carry the meanings set forth under EU Data Protection Law.

   4. Insofar as Relay.app will be processing Personal Data subject to EU Data Protection Law on behalf of the Customer in the course of the performance of the Agreement, the terms of this DPA shall apply. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control. An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in Annex 1.

2. Relay.app as Data Processor and Customer as Data Controller

   1. Subject to the provisions of the Agreement, to the extent that Relay.app's data processing activities are not adequately described in the Agreement, Customer will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by Relay.app. Relay.app will process the Personal Data only as set forth in Customer’s documented instructions and no Personal Data will be processed unless explicitly instructed by Customer.

   2. Relay.app will only process the Personal Data on documented instructions of Customer to the extent that this is required for provision of the Services. Should Relay.app reasonably believe that a specific processing activity beyond the scope of Customer’s instructions is required to comply with a legal obligation to which Relay.app is subject, Relay.app shall inform Customer of that legal obligation and seek explicit authorization from Customer before undertaking such processing. Relay.app shall never process the Personal Data in a manner inconsistent with Customer’s documented instructions. Relay.app shall immediately notify Customer if, in its opinion, any instruction infringes EU Data Protection Law or other member state data protection provisions. Such notification will not constitute a general obligation on the part of Relay.app to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.

   3. The parties have entered into the Agreement in order to benefit from the capabilities of Relay.app in securing and processing the Personal Data for the purposes set out in Annex 1. Relay.app shall be allowed to exercise its discretion in the selection and use of such means as it considers necessary to promote those purposes, provided that all discretion is compatible with the requirements of this DPA, in particular Customer’s documented instructions.

   4. Customer warrants that it has all necessary rights to provide the Personal Data to Relay.app for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the processing. To the extent required by EU Data Protection Law, Customer is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in EU Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the processing are obtained, and that records of such consents are maintained. Should such a consent be revoked by a data subject, Customer is responsible for communicating the fact of such revocation to Relay.app, and Relay.app remains responsible for implementing Customer’s instruction with respect to the processing of that Personal Data.

3. Confidentiality

   1. Without prejudice to any existing contractual arrangements between the parties, Relay.app shall treat all Personal Data as confidential and shall inform all its employees, agents, and/or approved subprocessors engaged in processing the Personal Data of the confidential nature of the Personal Data. Relay.app shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

4. Security

   1. Relay.app and Customer shall implement appropriate technical and organizational measures to ensure a level of security of the processing of the Personal data appropriate to the risk, taking into account state of the art, costs of implementation, and nature, scope, context, and purposes of processing. These measures shall include, at a minimum, the security measures agreed upon by the parties in Annex 2.

   2. Both Relay.app and Customer shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to Personal Data, conducting appropriate background checks, requiring employees, vendors, and other with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to Personal Data aware of the information security risks presented by the processing.

   3. The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of security measures. Relay.app will evaluate measures as implemented in accordance with this section on an ongoing basis in order to maintain compliance with these requirements.

5. Audit

   1. Relay.app conducts annual audits verifying adequacy of its security measures, and these annual audits will be performed according to SOC 2 by independent third party auditors. In addition to any information contained in this DPA, Relay.app will make available, upon Customer’s request, the following documents and information:
      1. Relay.app's latest SOC 2 Type 2 report,
      2. all further information reasonably necessary to demonstrate Relay.app's compliance with this DPA.
   1. Where applicable, the parties agree that Customer shall exercise its audit rights under the Agreement and EU Data Protection Law by instructing Relay.app to comply with the audit measures described in this section.

6. Data Transfers

   1. Relay.app shall promptly notify Customer of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorization from Customer, which may be refused at its own discretion by following the procedures in Section 8 herein. A list of transfers for which Customer grants its authorization upon the conclusion of this DPA can be found on Relay.app's subprocessor page, located at https://www.relay.app/subprocessors.
   2. To the extent that Customer or Relay.app are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Customer and Relay.app agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

7. Incident Management

   1. Upon discovering or becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, any Customer Data (hereinafter, “Data Incident”), Relay.app shall notify Customer without undue delay, take any additional steps reasonably necessary to mitigate the effects of the Data Incident, and reasonably cooperate in the investigation of the Data Incident. The term “Data Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

8. Subprocessors

   1. Customer provides general authorization to Relay.app's use of subprocessors to provide Services-related processing activities on Personal Data in accordance with this section. A list of subprocessors currently engaged by Relay.app is available at https://www.relay.app/subprocessors. Relay.app will update the website and provide Customer with a mechanism to obtain notice of that update, at least 30 days before Relay.app engages a subprocessor. Customer may object to the use of the subprocessor within 90 days of notice, by terminating the Agreement for convenience.

   2. Relay.app shall restrict any subprocessor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Agreement, and Relay.app will prohibit the subprocessor from accessing Customer Data for any other purpose. To the extent a subprocessor processes Customer Data, Relay.app will impose the provisions of this DPA by written agreement with that subprocessor. Consistent with the terms of the Agreement, Relay.app will remain liable for all acts and omissions of the subprocessor that cause Relay.app to breach any of its obligations under this DPA.

9. Return of Personal Data

   1. Upon termination of this DPA or upon Customer’s written request, Relay.app shall, at the discretion of Customer, either delete, destroy, or return all Personal Data to Customer, unless otherwise required to retain such data by EU Data Protection Law or other applicable law. Relay.app shall notify all third parties supporting its own processing of the Personal Data of the termination of the DPA and shall ensure that all such third parties delete, destroy, or return all Personal Data at Customer’s discretion.

10. Assistance to Customer in Fulfilling Customer’s Data Controller Obligations

    1. Relay.app will enable Customer, consistent with the functionality of the Services, to access, rectify and restrict processing of Customer Data, and to export Customer Data.

    2. Relay.app shall assist Customer by appropriate technical and organizational measures, where possible, for the fulfillment of Customer’s obligation to respond to data subject requests relating to Customer Data under EU Data Protection Law. These measures may include the Services functionality described in subsection (a); if the functionality is insufficient, Relay.app shall provide Customer with additional reasonable cooperation and assistance.

Annex 1 – Categories of Personal Data, Data Subjects, and Processing Purposes

Categories of Data Subjects:

• Individuals about whom data is provided to Relay.app via the Services by Customer or its users.

Categories of Personal Data:

• Data relating to individuals about whom data is provided to Relay.app via the Services by Customer or its users.

Nature and Purpose of the Data Processing:

• Performance of the Services pursuant to the Agreement.

Duration of Processing:

• The Term provided under the Agreement.

Annex 2 – Security Measures

Relay.app shall implement and maintain the Security Measures described in this Annex 2.

1. Infrastructure Security

   1. Maintenance and Monitoring. Relay.app regularly maintains and patches the service infrastructure against known vulnerabilities, uses real-time database replication and intrusion detection, and ensures the hardening of servers and early detection of security threats. Infrastructure performance is continuously monitored with alerts for predefined thresholds.
   2. Access and Data Security. Production systems, databases, and networks are accessed only through secure methods such as multi-factor authentication (MFA), encrypted connections, and unique authentication mechanisms. Access is strictly controlled and revoked upon employee termination. Production data is segmented from non-production environments, and encryption key access is restricted.

2. Organizational Security

   1. Data Protection and Employee Policies. Relay.app employs encryption for portable media and anti-malware technology in susceptible environments. Employee background checks, mandatory security training, mobile device management (MDM), and confidentiality agreements for employees and contractors reinforce the security culture.
   2. Asset and Access Management. A formal inventory of production assets is maintained. Access to production deployment is restricted to authorized personnel, and a vendor management program is actively managed.

3. Product and Internal Security

   1. Testing and Logging. Annual penetration tests are performed, and system activities, including user actions, are extensively logged. Regular vulnerability scans on external-facing systems and quarterly access reviews ensure the integrity of security measures.
   2. Incident and Change Management. An incident response plan is regularly tested, and a robust change management process is in place for software and infrastructure modifications. Configuration management procedures ensure consistent deployment across the environment.

4. Data and Privacy

   1. Policies and Compliance. A comprehensive privacy policy, accessible to all stakeholders, outlines the handling of personal information. Customer data is securely managed, with deletion upon service termination and adherence to formal data retention and disposal procedures. Privacy-compliant processes are documented, and a data classification policy ensures the security of confidential data.