Checkers Franchise Terms of Use

Checker’s Drive-In Restaurants, with offices at 4300 W Cypress St, Suite 600, Tampa, FL 33607 (“Checkers”) and Paradox, Inc., a Delaware corporation, with offices at 6330 E. Thomas Road, Scottsdale, Arizona 85251 (“Paradox”) entered into a certain Paradox, Inc. Order Form on November 23, 2022 (the “Checkers Agreement” or “Order Form”), pursuant to which Paradox shall make specific recruiting SaaS available to certain Checkers franchisees that have accepted the terms and conditions of these Checkers Franchise Terms of Use (the “Terms”). The Terms are incorporated into the applicable Subscription Signup (as defined below), which together constitute a single agreement (the “Agreement” or “Services Agreement”). Client and Paradox are each a “Party” under the Agreement and together are the “Parties”.

a) "Affiliate" means any person or entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with a Party. For purposes of this definition, the term “control” means the power to direct the management and policies of such person or entity, directly or indirectly, whether through ownership of voting securities, by contract or otherwise.

b) "Client" the legal entity that has entered into the applicable Subscription Signup.

c) “Client Data” means the electronic data or information submitted, provided, uploaded, transmitted, imported displayed, or otherwise made available by Client, its Affiliates and their Users to Paradox through the Services, except as expressly set forth in these Terms.

d) “Cloud Software” means all software programs provided to Client pursuant to the Agreement, including any related improvements, modifications, updates, and associated Documentation.

e) “Documentation” means operators’ and users’ manuals, training materials, guides, commentary, technical, design or functional specifications materials, and similar materials which Paradox provides to Client for use with the Services.

f) “Subscription Signup” means any ordering document, sign-up page, or agreement that references or incorporates by reference these Terms, pursuant to which Services are made available to a Checkers franchisee.

g) “Intellectual Property Rights” means any and all registered and unregistered rights granted, applied for, or otherwise now or in the future in existence under or related to any patent, copyright, trademark, trade secret, database protection, or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, whether arising by operation of law, contract, license or otherwise, in any part of the world.

h) “Process” (and its derivatives) means any operation or set of operations performed upon Client Data, whether or not by automatic means, including without limitation, creating, collecting, aggregating, procuring, obtaining, accessing, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, making available, aligning, combining, restricting, erasing and/or destroying the information.

i) “Professional Services” means the professional services to be provided by Paradox or its Subcontractor to Client as described in an Order Form, which may include, without limitation, integration and implementation services.

j) “Services” means all products and services provided by Paradox pursuant to the Agreement, including, without limitation, Cloud Software and Professional Services.

k) "Sub-Processor” means any entity which is engaged by Paradox or any other sub-processor of Paradox who receives Client Personal Information for processing activities to be carried out on behalf of Client.

l) “Sub-Processor” means any entity which is engaged by Paradox or any other sub-processor of Paradox who receives Client Data for Processing activities to be carried out on behalf of Client.

m) “Subcontractor” means a third-party that supports Paradox in delivering the Cloud Software or Professional Services to Client, including, without limitation, Sub-Processors.

n) “User” means each Client or a Client Affiliate employee, contractor, service provider, or other user authorized by Client or a Client Affiliate to whom Client has provided a unique login ID and password for access to the Services pursuant to the Agreement.

a) Provision of Cloud Software; License Grant. During the Subscription Term, Paradox hereby grants Client and its Affiliates a worldwide, royalty-free, irrevocable (subject to Section 8), non-exclusive, non-transferable, non-sub- licensable (except to the extent assignable pursuant to Section 13.e.) license for Client and its Affiliates to access and use the Services, subject to the terms of the Agreement and the Order Form, and to display and distribute the Documentation (subject to Section 6 “Confidentiality”) as required to enjoy full use of the Services, for its business purposes in the ordinary course of its operations, including information that is generated or produced by or on behalf of Client as a result of Client’s and its Affiliates and their Users use of the Services, that includes identifiable Client Data, including information contained in reports and other output, subject to Paradox’s rights with respect to Output Data described in Section 7.d. In addition, Client’s and each Affiliate’s Users are authorized to exercise the rights provided to Client and its Affiliates in this Section in furtherance of Client’s and its Affiliates’ use of the Services in accordance with the Agreement and Applicable Order Form. Client represents that it possesses rights as an authorized franchisee of Checkers (an “Authorized Franchisee”). If Client ceases to be an Authorized Franchisee it shall promptly notify Paradox and Paradox shall terminate this Agreement. Client may also terminate this Agreement upon fifteen (15) days prior written notice to Paradox. Termination of this Agreement for either of the above will not be considered a breach of the Agreement or the Checkers Agreement.

b) Service Requirements. Paradox may make commercially reasonable changes to the Cloud Software without notification or consent, as long as the changes do not cause a material degradation in the features, functionality, or performance of the Services or any material components of the Services. Paradox warrants that it will comply with all laws and regulations applicable to Paradox’s provision of the Services. Client’s purchase of I-9 Services shall be governed by the terms and conditions available at https://www.paradox.ai/legal/i9-services.

c) Data Security. The security of your data is important to us. Paradox has implemented and will maintain administrative, technical, and physical safeguards designed to protect the Cloud Software and Client Data against accidental, unauthorized, or unlawful access, disclosure, destruction, loss, or misappropriation, consistent with our ISO 27001 certification and SOC 2 Type II (described below) audit compliance standards. On an annual basis, Paradox, at its own expense, shall require auditors to conduct an examination of the controls placed in operation and a test of operating effectiveness, as defined by Statement on Standards for Attestation Engagements No. 18, Reporting on Controls at a Service Organization (or any successor standard) (“SSAE 18”), of the services performed by Paradox for or on behalf of Client and the Franchisees and issue SOC 2 reports (Type II) thereon (collectively “SOC Report”), together with an executed copy of an ISO 270001 standard in multiple locations throughout the world (“ISO Certification”) for the applicable calendar year. Paradox shall deliver to Client a copy of the SOC Report and ISO Certification upon request. Paradox shall prepare and implement a corrective action plan to correct any deficiencies and resolve any problems identified in the SOC Report and ISO Certification. Paradox shall correct any audit control issues or weaknesses identified in any SOC Report or ISO Certification, at no additional cost to Client. If specific audit recommendations are not implemented by Paradox, then Paradox should implement such alternative steps as are reasonably satisfactory to Client for the purposes of minimizing or eliminating the risks identified in any such SOC Report or ISO Certification.

d) Client Involvement in Services. Paradox’s ability to perform certain Services, including Professional Services, depends on information and responses that must be provided by Client. As a result, Client will: (i) provide the appropriate and necessary resources, and timely and accurate information and documentation, as reasonably requested by Paradox, to allow Paradox to perform the Services; (ii) carry out reviews and respond to requests for approval and information on a timely basis; (iii) ensure that Paradox has sufficient access to personnel familiar with Client’s requirements and with the expertise necessary to permit Paradox to undertake and complete the Services; (iv) Client will make available to Paradox all equipment, material, information, data, network access and/or facilities that Paradox may reasonably require to carry out its Services; and (v) designate a project management contact for the purposes of communication with Paradox, who will be the primary point of contact for Client for matters relating to Paradox’s provision of Services. Client acknowledges that any delay in the performance of its obligations may impact Paradox’s ability to perform the Services, and Paradox will not be liable for any delay to the extent caused by Client’s failure to meet its obligations under the Agreement, provided that Client’s failure to perform or delay in the performance of an obligation will excuse Paradox’s obligation to perform its corresponding obligations under the Agreement only if: (a) the failure was the direct cause of Paradox’s inability to perform; and (b) Paradox takes reasonable steps to mitigate the effects of Client’s or such third party’s failure to perform their obligations specified in the Agreement. In the event of (a) and (b), Paradox will be excused from performance of those tasks impacted by Client’s failure to perform only to the extent that, and for as long as, Client’s failure to perform its responsibilities prevents Paradox’s performance.

a) General. All Professional Services to be performed by Paradox will be described in the Order Form. In the event of a conflict between the Order Form and the Services Agreement, the terms of the Services Agreement will take precedence unless the Order Form expressly and specifically references the conflicting provision in the Services Agreement and provides that its terms control, or the Services Agreement expressly states that the Order Form may control with respect to that provision (in each case, such precedence takes effect solely with respect to the matters covered in such Order Form).

b) Paradox’s Obligations. Paradox will perform Professional Services in a timely, professional and workmanlike manner in accordance with customary industry standards for similar services using reasonable care and skill. Paradox will determine the method and means for performing the Professional Services, provided that such method and means will be consistent with generally accepted industry standards for similar services.

a) Use of Services.

• i. Client will use the Services in accordance with the terms of the Agreement. In addition, Client will: (A) use the Services solely for its ordinary day-to-day business purposes and not for the benefit of any third parties, except as permitted by the Services Agreement or applicable Order Form; (B) comply, and cause its Users to comply, with the Agreement; (C) obtain all consents from third parties that Client has a business relationship with (e.g. network providers or outsourced IT resource providers) that are required in order for Paradox to provide the Services; (D) prior to providing, making available or permitting Paradox to collect any Personal Data (as defined in Exhibit A, “Data Processing Addendum”) or other content or information in connection with the Services, provide or obtain, as the case may be, to or from applicable third parties (including, without limitation, Client’s contacts, resellers, distributors, administrators, candidates, and employees), all notices and consents required for Paradox to process such Personal Data, content and information under applicable law and ensure that all notices and consents are maintained as required by applicable law; promptly notify Paradox upon becoming aware of any unauthorized access or use of the Services, passwords, authentication credentials, or any unauthorized use, access, or disclosure of Client Data; and (E) comply with all laws applicable to Client’s use of the Services.
• ii. Client will not: (A) modify, reverse engineer, disable, decompile, translate, disassemble, create any derivative work of, or otherwise attempt to extract any or all of the source code, algorithms, proprietary technology, or analytics from the Services; (B) license, sublicense, sell, resell, rent, lease, lend, transfer, assign, distribute, time share, offer in a service bureau, or commercially exploit the Services, use the Services to provide hosting services to third parties, or otherwise make the Services available to any third party, except to the extent any of the foregoing are expressly permitted by the Agreement; (C) disable, interfere with or circumvent any aspect of the Services; (D) intentionally interfere with other users’ use of the Services; (E) engage in, promote or encourage illegal activity or the violation of the legal rights of third parties; (F) generate, distribute, publish, facilitate or send consumer marketing messages using the Services; (G) send any messages through the Service that are not directly related to recruitment, hiring, human capital management or candidate/employee engagement; (H) copy any features, functions, integrations, interfaces or graphics of the Services; (I) knowingly send or store known viruses, worms, time bombs, Trojan horses, and other harmful, destructive, deceptive or malicious code, files, scripts, agents or programs; (J) send or store infringing, obscene, threatening, defamatory, obscene, racially or ethically offensive, libelous, fraudulent or otherwise unlawful or tortious material, including material that is harmful to children or violates third party rights, including privacy rights; (K) knowingly interfere with or disrupt the integrity or performance of the Services or the data contained in the Services; (L) gain or attempt to gain, or fail to use commercially reasonable efforts to protect against, unauthorized access to the Services or its related systems or networks or to the data of another Paradox client; or (M) perform any technical, application, or infrastructure security integrity review, penetration test, or vulnerability scan of the Services without the prior written consent of Paradox.

b) Users. Where the Services are provided on a per User basis, User accounts cannot be shared or used by more than one User, except that Client may reassign access to new Users to replace former Users who no longer use the Services. Client will not create multiple Users to simulate or act as a single User or otherwise use the Services in a manner intended to avoid incurring fees. Client and Users will keep passwords for their use of the Services confidential and secure. Client will ensure that its Users adhere to the terms of the Agreement. Any act or omission by a User will be treated as if it is an act or omission by Client under the Agreement, and Client is responsible for all acts and omissions of its Users.

c) Equipment. Client is responsible for obtaining and maintaining all equipment and ancillary services needed to connect to, access, and use the Services, including without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively “Equipment”). Client is also responsible for maintaining the security of Equipment, Client accounts, Client passwords (including administrative and User passwords and PINs) and Client files. Paradox will have no liability for Client’s inability to use or access the Services due to Client’s failure to obtain, or due to any failure of, the proper Equipment.

d) Suspension. Notwithstanding anything to the contrary in the Agreement, Paradox may temporarily suspend Client’s and any User’s access to any portion or all of the Paradox Services if Paradox reasonably believes that continued use may result in imminent and material harm to the Cloud Services or its other users (a “Service Suspension”). Paradox will promptly provide written notice of any Service Suspension to Client (including notices sent to Client’s registered email address) and updates regarding resumption of access to and use of the Paradox Services following any Service Suspension. Where commercially reasonable, Paradox will limit the Service Suspension to the Users causing the harm. Paradox will promptly reinstate access to and use of the Services as soon as the event giving rise to the Service Suspension is cured or remediated.

a) Third-Party Services. Paradox will make Client Data available to Suppliers as needed for Suppliers to provide any third-party services that enable Paradox to deliver the Cloud Software (“Third-Party Services”).

b) Messaging Terms and Conditions. Paradox may provide Client and Client’s Users with access to Short Message Service (SMS), Multimedia Messaging Service (MMS) or other messaging services in connection with the Paradox Services. Client will ensure its and its Users full compliance with applicable law and the requirements of any and all regulatory agencies with respect to such services, including but not limited to the Telephone Consumer Protection Act (“TCPA”). For example, Client may be subject to the restrictions of the TCPA when Client messages any person for the purposes of marketing services to them through automated systems. As such, Client agrees to comply with all requirements of the TCPA in connection with any messages it sends using the Paradox Services. For additional information, Client may review the practices contained in the latest version of CTIA’s Short Code Monitoring Handbook and Messaging Principles and Best Practices Guide. The practices contained in these documents are designed to protect consumers in a manner approved by wireless carriers.

c) Short and Long Code Registration Requirements. Client agrees to cooperate fully with Paradox, and Client authorizes Paradox to take any and all action needed for Paradox to deliver SMS and MMS services to Client, including, as applicable, Paradox providing “know your customer” information to messaging and telecom providers, so that Paradox may deliver the Services. Know your customer information may include, without limitation, Client’s address, business type, entity type, registration or EIN number, industry, website, and region of operations, and will be used to develop a trust score, so that message throughput may be optimized. Client understands and agrees that Paradox does not control SMS or MMS message throughput and that failure or refusal to comply with the requirements of this Section 5(c) will materially affect Paradox’s ability to deliver the Services. Accordingly, notwithstanding anything in the Agreement, Paradox will have no liability for any damage, liabilities, losses or any other consequences that Client may incur as a result of any failure to comply with this Section 5(c).

d) Carrier Restrictions. Client acknowledges that all phone numbers used in connection with the Paradox Services are subject to rules and restrictions imposed by telecommunications and messaging providers (“Messaging Service Providers”). In order to comply with such rules and restrictions, Paradox and/or Client may be required to discontinue use of a number or short code. In such an instance, Paradox will use commercially reasonable efforts to obtain additional numbers or short codes and work with the applicable Messaging Service Providers to minimize any disruption in services delivered by Paradox to Client. If Paradox is unable to prevent discontinuance of its use of a number or short code and is unable to prevent material degradation in the Services due to restrictions imposed by Messaging Service Providers, Paradox may cease provision of the applicable portion of the affected Services., provided that Paradox refund to Client any pre-paid but unused Fees (defined below) for the affected Service as of the date of discontinuation. If the discontinuation of the Service causes a material degradation in the functionality or performance of (i) the Services as a whole, or of (ii) any material components of the Services, Client may terminate the Agreement without incurring any early termination fees or penalties, and Paradox shall have no right to claim liquidated damages. Paradox shall provide Client with a refund of any pre-paid but unused Fees as of the date of termination.

a) Definition of Confidential Information. As used in the Agreement, “Confidential Information” means all confidential or proprietary information belonging to a Party or its Affiliates (the “Disclosing Party”) disclosed, made available to or learned by the other Party (the “Receiving Party”) in connection with the Agreement, in any form or medium, including, without limitation, technical, business, financial, marketing or other information of every kind or nature (including, without limitation, trade secrets, know-how and information relating to the technology, Services, Cloud Software, designs, specifications and prototypes, clients, business plans, promotional and marketing activities, finances and other business affairs of such Party), including any technical or proprietary technical or business information of third parties that is made available to the Receiving Party in connection with the Agreement. The terms and conditions of the Agreement and Client Data constitute Confidential Information.

b) Exclusions. Except for Personal Data, to which these exclusions do not apply, Confidential Information does not include any information that: (i) is or becomes generally available to the public through no breach of the Agreement by the Receiving Party or any Representative of the Receiving Party; (ii) was independently known by the Receiving Party (without any obligation of confidentiality or restriction on use or disclosure), prior to the disclosure by the Disclosing Party; (iii) becomes known to the Receiving Party by a source other than the Disclosing Party without any obligation of confidentiality or restriction on use or disclosure), from a source other than the Disclosing Party, and such source was not under an obligation to treat the information as confidential; (iv) is independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information or breach of the Agreement; or (v) Disclosing Party has agreed in writing that Receiving Party may disclose, including without limitation, as set forth in Section 6(c) below. Notwithstanding anything to the contrary in this Section 6, the term “Confidential Information” specifically excludes any Personal Data, to which the terms of Exhibit A (Data Privacy Addendum) shall apply. If there is a conflict between Exhibit A and any provision in the body of this Services Agreement, the more stringent provision will apply.

c) Confidentiality Obligations. Except as otherwise set forth in the Agreement, each Party will: (i) hold in strict confidence all Confidential Information of the other Party, (ii) use the Confidential Information solely to perform its obligations or exercise its rights under the Agreement, and (iii) not transfer, display, convey or otherwise disclose or make available all or any part of such Confidential Information to any person or entity other than to its directors, officers, employees, consultants, subcontractors, attorneys, auditors, Affiliates, Suppliers, Sub-Processors, legal and financial advisors (collectively, “Representatives”) who need to know such Confidential Information in furtherance of the purposes of this Agreement or to exercise the Receiving Party’s rights hereunder and who are under confidentiality obligations and nondisclosure (or codes of professional conduct) at least as restrictive as those set forth herein. The Receiving Party will assume full responsibility for any breach of this Section 6 by any of its Representatives. Each Party will use the same degree of care to protect the Disclosing Party’s Confidential Information as it uses to protect its own information of a similar nature or importance, but in no event less than a commercially reasonable standard of care. The Parties agree that the Confidential Information of the other Party is, and will remain, the property of such other Party. The Receiving Party obtains no right, title, interest, or license in or to any of the Confidential Information of the Disclosing Party except for the rights expressly set forth in the Agreement.

d) Compelled Disclosures. Notwithstanding Section 6(c) above, the Receiving Party may disclose the Confidential Information of the Disclosing Party in response to a duly authorized court order, subpoena, or civil investigative demand, or as required by law, rule, regulation (including, without limitation, any securities exchange regulation), or other governmental action, provided that, to the extent permitted by law: (i) the Disclosing Party is notified in writing prior to disclosure of the information, (ii) the Receiving Party cooperates with the Disclosing Party’s efforts to obtain a protective order or other appropriate remedy protecting its Confidential Information from, or restricting such disclosure. If such protective order or other remedy is not obtained, the Receiving Party will (i) furnish only that portion of the Disclosing Party’s Confidential Information that it is legally required to furnish and, (ii) at the request of the Disclosing Party, use reasonable efforts to ensure that the party compelling disclosure of the Confidential Information will preserve its confidentiality.

e) Return of Confidential Information. Upon expiration or termination of this Agreement or the Order Form, or at any time upon the Disclosing Party’s request, the Receiving Party shall promptly return to the Disclosing Party all Confidential Information in the Receiving Party’s possession or control, or upon the Disclosing Party’s written request, securely destroy such Confidential Information and provide a written statement from an officer of the Receiving Party certifying that such destruction has occurred. All Client Data will be provided to Client in accordance with Section 8(e).

f) Privacy, Confidentiality and Information Security Addendum. In the event that Paradox obtains, accesses, or otherwise processes Personal Data in connection with the Agreement, Paradox shall comply with the terms of Exhibit A (Data Privacy Addendum). In the event of a conflict between any part of this Agreement and Exhibit A with respect to Personal Data, the more protective provision shall apply.

g) Remedies. Each Party agrees that the other Party may have no adequate remedy at law if there is a breach or threatened breach of this Section 6 and, accordingly, that either Party is entitled (in addition to any legal or equitable remedies available to such Party) to seek injunctive or other equitable relief, including specific performance (without posting any bond). The rights set forth in this Section 6 will survive any expiration or termination of the Agreement.

a) Reservation of Rights. Paradox is and will remain the exclusive owner of all right, title and interest in and to the Services, including any Intellectual Property Rights relating to the Services. All Intellectual Property Rights in any work arising from or created, produced or developed by Paradox, whether alone or jointly with others, under or in the course of the Agreement, will immediately upon creation or performance vest absolutely in, and will be and remain the property of, Paradox. Client will not acquire any right, title or interest in and to the Services or any related Intellectual Property Rights.

b) Ownership of Client Data. Client is and will remain the exclusive owner of all right, title and interest in and to Client Data, including, without limitation, any Intellectual Property Rights relating thereto. Paradox will not acquire any rights in Client Data or any related Intellectual Property Rights, except for those rights expressly set forth in the Agreement. Paradox may not use, disclose to or share with any third party any Client Data (whether in identifiable, de-identified, aggregated or in any other format) for any purpose without the prior written consent of Client, except as expressly provided in Section 7.d. of this Services Agreement.

c) Personal Data. If Paradox receives Personal Data from or on behalf of Client in connection with Paradox’s provision of Services under the Agreement, then, except as otherwise required by law: (i) Paradox will only Process such Personal Data for the purpose of providing the Services in accordance with the DPA; (ii) Paradox will not retain, use, or disclose such Personal Data for any purpose other than to perform the Services in accordance with the Agreement; and (iii) Paradox will not sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate such Personal Data to any third party for monetary or other valuable consideration. Notwithstanding the foregoing, Client acknowledges that Paradox may Process certain Personal Data about the Client and/or its agents, representatives, employees, candidates, or other related third parties for Client support and reporting purposes in accordance with the DPA, including supporting Client, managing Client’s account, and fulfilling Paradox’s obligations under the Agreement. Personal Data shall be Processed in accordance with Exhibit A (“Data Processing Addendum”). Client may request access to and correction of applicable Personal Data or exercise any other rights it may have with respect to such Personal Data by law or the Agreement.

d) Enhancements to the Services; Improvement Data. Notwithstanding any other provision of the Agreement, Paradox may use data that we collect and process in connection with the Services, including Client Data and other information related to the provision, use and performance of various aspects of the Services and related systems and technologies only, (i) to detect security incidents and protect against fraudulent and illegal activity; (ii) to build, improve and enhance the quality or performance of the Services, including the Cloud Software, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source (“Improvement Data”), (iii) for other development, diagnostic and corrective purposes in connection with Paradox offerings, provided that such data is De- identified, and (iv) to produce analyses, data and/or reports relating to the Services that derive from and/or relate to the data processed through the Services that is not directly or indirectly attributable to Client, its Affiliates or Franchisees, provided that such data is De-identified (“Output Data”). For the avoidance of doubt, Output Data will not be directly or indirectly attributable to Client, its Affiliate or Franchisees and any Processing of Output Data is subject to Exhibit A (Data Privacy Addendum). Except for Client Data, which is owned by you, Paradox owns all right, title, and interest, including all Intellectual Property Rights, in and to the Output Data, which is the Confidential Information of Paradox, subject to Paradox’s compliance with Exhibit A (Data Privacy Addendum) and the use restrictions set forth in this subsection 8(d). “De-identified” means that the data and information cannot, whether alone or in combination with other data or information, identify, relate to, describe, be reasonably capable of being associated with, or reasonably be linked, directly or indirectly, with a particular individual or household.

e) Paradox will own and retain all right, title and interest in and to (i) all improvements, enhancements or modifications to the Services, (ii) any software, applications, inventions or other technology developed in connection with delivering the Services to Client, and (iii) all related Intellectual Property Rights.

f) Feedback. If Client sends or transmits any communications, comments, questions, suggestions, or related materials to Paradox, whether by e-mail, telephone, or otherwise (“Feedback”), suggesting or recommending changes to the Services, including, without limitation, new features or functionality, all such Feedback is Paradox’s. Client hereby assigns all right, title, and interest in, and Paradox is free to use, without any attribution or compensation to Client, any ideas, know-how, concepts, techniques, and all applicable Intellectual Property Rights relating to the Feedback, whether or not patentable, for any purpose whatsoever, including but not limited to, developing, manufacturing, having manufactured, licensing, marketing, and selling, directly or indirectly, products and services using such Feedback. Paradox is not obligated to use, display, reproduce, or distribute any such ideas, know-how, concepts, or techniques contained in the Feedback, and Client has no right to compel such use, display, reproduction, or distribution. NOTWITHSTANDING THE FORGOING, THE FEEDBACK AND ANYTHING PROVIDED IN CONNECTION WITH THE FEEDBACK IS PROVIDED BY CLIENT "AS-‘IS," WITHOUT ANY WARRANTIES OF ANY KIND. CLIENT HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO SUCH FEEDBACK. CLIENT WILL NOT BE LIABLE FOR ANY DAMAGES CAUSED BY ANY FEEDBACK.

a) Term. The term of Client’s subscription to the Services shall begin on the date Client completes and executes a Subscription Signup and shall expire or terminate concurrent with the Checker’s Agreement (the “Subscription Term”).

b) Termination for Cause. Either Party may terminate this Agreement if the other Party: (i) ceases doing business for a period greater than ninety (90) days, makes an assignment for the benefit of creditors or similar disposition of its assets, or becomes the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding; or (ii) materially breaches any of its obligations under the Agreement or the Order Form and fails to cure such breach within 30 days following receipt of written notice from the Party alleging the breach.

c) Termination Assistance. Upon Client’s request, provided all undisputed Fees due and owing have been paid in full, for up to 90 days following expiration or termination of the Agreement or the Order Form for any reason, Paradox shall: (i) continue to provide the Services and perform its other responsibilities pursuant to the terms of the Agreement; and (ii) provide such cooperation and assistance, as commercially reasonable, to support an orderly transition of the Services to Client or a successor provider (collectively, “Termination Assistance”). Termination Assistance will be subject to the Fees in effect immediately prior to the effective date of expiration or termination, prorated on a month to month basis, and such termination assistance must be paid for in full, in advance. The Term will not be deemed to have expired until the Termination Assistance is completed.

d) Consequences of Termination. Upon the effective date of expiration or termination of the Agreement or the Order Form(s) for any reason permitted in these terms, and subject to Section 8.d, (i) Client will immediately cease accessing or using the Services subscribed for under the applicable Order Form(s); (ii) all rights granted with respect to the Services subscribed for under the applicable Order Form(s) will immediately terminate; (iii) Client will immediately pay Paradox all undisputed amounts owing under the applicable Order Form(s); (iv) Paradox will cease collecting or processing Client Data under the affected Order Form(s); (v) unless otherwise instructed by Client where such data is being retained by Paradox pursuant to a continuing Order Form, Paradox will delete Client Data provided under the applicable Order Form(s) within 30 days of the applicable expiration or termination; and (vi) Paradox will promptly make available to Client the Client Data relevant to the Agreement, including the Order Form expiring or terminating, in a .csv file (at no additional cost) or such other format reasonably requested by Client (at Client’s expense).

e) Survival. Sections concerning the Parties’ rights and obligations that are designed to operate after termination or that are necessary to enforce any right will survive termination of the Agreement, regardless of whether there is an express statement regarding survival in any section of the Agreement.

a) Mutual Warranties. Each of Client and Paradox represents and warrants to the other Party that (i) it is a corporation or other entity duly organized and validly existing in good standing under the laws of the state of its incorporation or organization, and it has the corporate or other power to own its property and to carry on its business as now being conducted; (ii) it has full power and authority to enter into Agreement and to perform its obligations hereunder and thereunder; (iii) the Agreement constitutes the valid and legally binding agreement of it enforceable in accordance with its terms; (iv) there are no proceedings pending or threatened before any court or governmental or administrative agency that would reasonably be expected to affect the validity or enforceability of the Agreement as to it; and (vi) it is not a party to or otherwise bound by any contract or agreement which in any manner would prohibit it from entering into the Agreement or performing its obligations hereunder or thereunder.

b) Paradox Warranties. Paradox further represents and warrants to Client that (i) it will perform the Services in a timely and professional manner by qualified and experienced personnel; (ii) the Cloud Software and Services will materially conform to the requirements, specifications and descriptions set forth in the associated Documentation and the Agreement, including the applicable Order Form; (iii) it has sufficient right, title, and interest in the ownership rights and licenses in and to the Services to assign, transfer and convey the rights, and to grant the licenses, set forth in this Agreement, a (iv) and (v) the Cloud Software and Services comply with all federal, state and local employment, data protection, privacy and other laws and regulations applicable to Paradox in the performance of its obligations under the Agreement (“Laws”); Paradox will maintain throughout the term of the Agreement a commercially reasonable Virus prevention program designed to prevent any Virus from being introduced into the Software or Services interfacing with Client’s and the Client Franchisees’ systems. “Virus” means viruses, worms, time bombs, Trojan horses, and other malicious or disabling code including code which would have the effect of permitting improper or unauthorized use, access, deletion of modification of, or disabling, deactivating, damaging or shutting down one or more software programs or systems and or hardware or hardware systems.

c) Client Warranties. Client further represents and warrants to Paradox that all of the following comply and will comply with all applicable laws: (i) the questions, applications and other materials included or used in connection with the job listings posted or submitted by or on behalf of Client through the Services, (ii) the questions and other materials and technology used by Client in screening or making hiring decisions regarding potential employees, (iii) Client’s other hiring practices, and (iv) Client’s hiring decisions.

d) Performance in Accordance with Service Level Agreement. Paradox shall perform the Services in a manner that meets or exceeds the service levels set forth in Exhibit B (Service Level Agreement). Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Paradox or by third- party providers, or because of other causes beyond Paradox’s reasonable control, but Paradox will use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. However, Paradox does not warrant that the Services will be uninterrupted or error free; nor does it make any warranty as to the results that may be obtained from use of the Services.

e) Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THE AGREEMENT, THE SERVICES ARE PROVIDED “AS IS.” EACH PARTY, ON BEHALF OF ITSELF AND ITS REPRESENTATIVES DISCLAIMS ALL WARRANTIES AND MAKES NO OTHER REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CLIENT ACKNOWLEDGES THAT (A) NEITHER PARADOX NOR ITS REPRESENTATIVES CONTROL CLIENT EQUIPMENT, NETWORKS OR SYSTEMS OR THE TRANSFER OF DATA OVER THE INTERNET; (B) SUBJECT TO THE SERVICE LEVEL AGREEMENT, THE SERVICES MAY BE SUBJECT TO LIMITATIONS, INTERRUPTIONS, DELAYS, CANCELLATIONS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET; AND (C) (EXCEPT WITH RESPECT TO THE SERVICES) IT IS FULLY RESPONSIBLE TO INSTALL APPROPRIATE SECURITY UPDATES AND PATCHES. NEITHER PARADOX NOR ITS REPRESENTATIVES ARE RESPONSIBLE FOR ANY INTERRUPTIONS, DELAYS, CANCELLATIONS, DELIVERY FAILURES, DATA LOSS, CONTENT CORRUPTION, PACKET LOSS, OR OTHER DAMAGE RESULTING FROM THESE PROBLEMS.

a) Indemnification by Paradox. Paradox will defend, indemnify and hold Client and its trustees, officers, employees, agents, harmless from any and all liabilities, claims, damages, obligations, actions, lawsuits, losses, judgements, fines, penalties, costs or expenses (including reasonable attorney’s fees) in connection with claims, demands, suits or proceedings made or brought against Client by a third party alleging that the Cloud Software infringes any third party’s Intellectual Property Rights (each, an “IP Claim”); provided, that Client: (i) promptly gives written notice of the IP Claim to Paradox; (ii) gives Paradox sole control of the defense and settlement of the IP Claim; and (iii) provides to Paradox, at Paradox’s cost, all reasonable assistance requested by Paradox. If Client is enjoined from using the Services or Paradox reasonably believes it will be enjoined, Paradox will have the right, at its sole option, to obtain for Client the right to continue use of the Services or to replace or modify the Services so that they are no longer infringing. If neither of those options is reasonably available to Paradox, the use of the Services may be terminated at either Party’s option. In event of such a termination, Paradox will continue to indemnify, defend, and hold Client and its trustees, officers, employees, agents, and volunteers harmless, and will refund to Client any prepaid fees for the Services that were to be provided after the effective date of termination. This provision will survive the termination or expiration of the Agreement.

b) Exceptions. Paradox will not have any obligation under Section 9(a) to the extent any alleged infringement arises from: (i) use or modification of the Cloud Software by Client, its Representatives, or Users in conflict with Client’s obligations or as a result of any prohibited activity as set forth under the Agreement; (ii) use of the Cloud Software in a manner inconsistent with any applicable documentation; (iii) use of the Cloud Software in combination with any other product or service not provided by Paradox; (iv) use of the Cloud Software in a manner not otherwise contemplated by the Agreement; or (v) Third-Party Services.

c) Exclusive Remedies. CLIENT AGREES THAT SECTIONS 9(a) and 9(b) TOGETHER SET FORTH PARADOX’S SOLE AND EXCLUSIVE LIABILITY, AND CLIENT’S SOLE AND EXCLUSIVE REMEDY, FOR ANY IP CLAIM.

d) Indemnification by Client. Client will defend, indemnify and hold Paradox and its trustees, officers, employees, consultants, directors and agents, harmless from any and all liabilities, claims, damages, obligations, actions, lawsuits, losses, judgements, fines, penalties, costs or expenses (including reasonable attorney’s fees) in connection with claims, demands, suits or proceedings made or brought against Paradox based on: (i) Client’s breach of Section 4 of these Terms; (ii) Client’s use of the Services in violation of any applicable law to Client or Client’s use of the Services, or in a way that damages a third party; or (iii) Client’s Data actually or allegedly infringing a third party’s Intellectual Property Rights.

e) Indemnification Procedure. If either Party becomes aware of a claim for which it is entitled to indemnification pursuant to the Agreement (a “Claim”), such Party shall promptly provide the other Party with notice regarding the Claim; provided that the failure of a Party entitled to indemnification under this ‎Agreement (the “Indemnified Party”) to promptly provide such notice shall not relieve the Party obligated to indemnify the Indemnified Party (the “Indemnifying Party”) of any obligation it may have to indemnify, except and only to the extent that the Indemnifying Party’s ability to fulfill such obligation has been actually and materially prejudiced thereby. The Indemnifying Party shall control the defense of the Claim, but the Indemnified Party may participate in the defense of the Claim with its own counsel at its expense. The Indemnified Party shall, at the Indemnifying Party’s expense, cooperate fully with counsel selected by the Indemnifying Party in the defense of such Claim. The Indemnifying Party may not, without the Indemnified Party’s prior written consent, settle, compromise or consent to the entry of any judgment in any such commenced or threatened Claim, unless such settlement, compromise or consent: (i) includes an unconditional release of the Indemnified Party from all liability arising out of such commenced or threatened Claim and (ii) is solely monetary in nature and does not include a statement as to, or an admission of fault, culpability or failure to act by or on behalf of, the Indemnified Party.

a) Liability Cap and Damages Waiver. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT FOR (i) NONPAYMENT OF FEES DUE AND PAYABLE BY CLIENT UNDER THE AGREEMENT, (ii) DAMAGES ARISING OUT OF OR RELATING TO CLIENT’S VIOLATION OF PARADOX’S OR ITS SUPPLIERS’ INTELLECTUAL PROPERTY RIGHTS, (iii) DAMAGES ARISING OUT OF, OR RELATING TO, A PARTY’S BREACH OF SECTION 6 OF THE AGREEMENT THAT DOES NOT ARISE OUT OF OR RELATE TO THE PROCESSING OF CLIENT DATA HEREUNDER, AND (iv) A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 10: (A) THE CUMULATIVE, AGGREGATE LIABILITY OF EITHER PARTY AND THEIR RESPECTIVE AFFILIATES TO THE OTHER PARTY FOR ALL CLAIMS RELATED TO THE SERVICES AND/OR THE AGREEMENT (INCLUDING ALL ANY SUBSCRIPTION SIGNUP) WILL NOT EXCEED THE TOTAL AMOUNT OF ALL FEES PAID OR PAYABLE TO PARADOX FOR THE SERVICES GIVING RISE TO THE CLAIM IN THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM; AND (B) NEITHER PARTY (NOR THEIR RESPECTIVE AFFILIATES OR SUPPLIERS) WILL BE LIABLE FOR ANY LOST PROFITS, LOST REVENUE, INTERRUPTION OF BUSINESS, LOSS OF BUSINESS INFORMATION, LOSS OF USE, DELETION OR LOSS OF DATA OR FAILURE TO STORE DATA, COSTS OF RECREATING DATA, OR THE COST OF ANY SUBSTITUTE EQUIPMENT SOFTWARE OR SERVICES (IN EACH CASE WHETHER DIRECT OR INDIRECT IN NATURE) OR FOR SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, INDIRECT OR PUNITIVE DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE SERVICES OR THE AGREEMENT REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING BUT NOT LIMITED TO NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND EVEN IF A PARTY IS INFORMED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES IN ADVANCE.

b) BOTH CLIENT AND PARADOX AGREE THAT THE LIMITATIONS AND WAIVERS SET FORTH IN THIS SECTION 11 APPLY EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE AND BUT FOR THOSE LIMITATIONS, PARADOX WOULD NOT HAVE ENTERED INTO THE AGREEMENT. Any right of action, proceeding or claim permitted under or in connection with the Agreement must be brought within twenty-four (24) months after the occurrence of the act, omission or event first giving rise to the liability or is irrevocably waived.

a) Relationship of Parties. The Parties are independent contractors. The Agreement is not intended to, and does not create, a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.

b) Notices. All notices must be in writing and in English and may be sent by e-mail, except for notice of breach or demands for indemnification or other notices affecting a Party’s legal rights or remedies under the Agreement, which must be sent by either certified mail or nationally recognized courier to the address indicated in the first paragraph of the Services Agreement.

c) Waiver. No waiver of any right under the Agreement will be deemed effective unless contained in a writing signed by a duly authorized representative of the Party to be bound, and no waiver of any past or present right arising from any breach or failure to perform will be deemed a continuing waiver or a waiver of any future right arising under the Agreement.

d) Force Majeure. Neither party shall be liable to the other Party if such Party’s performance under the Agreement is delayed or prevented by reason of labor disputes, strikes, lockouts (other than problems with a Party’s personnel or Subcontractors related to the foregoing), pandemic, riots, war, terrorism, earthquake, fire, floods, acts of God governmental restrictions, or other causes beyond the reasonable control of a Party hereto (“Force Majeure Event”), provided that, the party so prevented from complying with the Agreement will (i) have provided prompt notice of such event to the other party (including an explanation of the Force Majeure Event and its cause and status), and(ii) have used reasonable diligence to avoid such Force Majeure or ameliorate its effects. If Paradox is the Party affected by the Force Majeure Event and is not able to resume performance of the Services within 30 days of providing notice of such Force Majeure Event, then Client shall have an additional right to terminate this Agreement immediately without owing any early termination fees, liquidated damages or other penalties to Paradox under the Agreement. Notwithstanding any other provision of this Section, a Force Majeure Event shall not relieve Paradox of its confidentiality and data security obligations set forth in the Agreement. For the avoidance of doubt, Force Majeure Event shall not include (a) financial distress nor the inability of either party to make a profit or avoid a financial loss, (b) changes in market prices or conditions, or (c) a party's financial inability to perform its obligations hereunder.

e) Assignment. Neither Party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other Party (which consent will not be unreasonably withheld, conditioned or delayed), except that either Party may assign the Agreement in its entirety without consent to: (i) its Affiliate; or (ii) in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets or shares so long as the assignee agrees to be bound by all of the terms of the Agreement and all undisputed past due fees are paid in full. Any attempt by a Party to assign its rights or obligations under the Agreement other than as permitted by this Section will be void and of no effect. Subject to the foregoing, the Agreement will bind and inure to the benefit of the Parties, their respective successors and permitted assigns.

f) Governing Law. The Agreement will be governed exclusively by the internal laws of the State of Delaware, without regard to its conflict of laws rules. Venue will be in the state and federal courts of Delaware. The Parties agree that the United Nations Convention on Contracts for the International Sale of Goods and Uniform Computer Information Transaction Act are expressly excluded from the Agreement.

g) Export. Each Party will comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Services. Without limiting the generality of the foregoing, Client will not make the Service available to any person or entity that: (i) is located in a country that is subject to a U.S. government embargo; (ii) is listed on any U.S. government list of prohibited or restricted parties; or (iii) is engaged in activities directly or indirectly related to the proliferation of mass destruction

h) Publicity. Except as may be required by law, neither Party shall disclose, publicize or advertise in any manner the discussions or negotiations giving rise to the Agreement or the existence or terms of the Agreement without the prior written consent of the other Party, which may be withheld in such Party’s sole discretion. Neither Party will use the other Party’s or that Party’s Affiliates’ name, logos or trademarks, without the prior written consent of the other Party, in any written press releases, advertisements, marketing materials, or other promotional materials of any kind, without the prior written consent of the other Party.

i) Purchase Orders. No terms or conditions contained in any purchase order, “shrink-wrap,” “click-through” or “click- wrap” agreement, or similar electronic notification or contract will in any way modify or add any additional terms or conditions to the Agreement, and any such modified or additional terms or conditions shall be of no force or effect.

j) Entire Agreement; Amendments. The Services Agreement, including any appendices, schedules, or exhibits attached hereto, or the Order Form or addenda executed hereunder, sets forth the entire understanding and agreement between the Parties with respect to the subject matter of this Agreement, and all prior agreements, letters, proposals, discussions and other documents regarding the Services and the matters addressed in the Agreement are superseded. No terms and conditions contained in any “shrink-wrap,” “click-through” or “click-wrap” license or similar electronic notification or contract shall be of force or effect. The Agreement may be amended or supplemented only by means of a physical writing manually signed by the Parties.

k) Counterparts and Execution. The Agreement may be executed in counterparts, each of which shall be deemed an original and all of which, which, when taken together will form one binding legal instrument. The Parties consent to the use of electronic signatures in connection with the execution of the Agreement, and further agree that electronic signatures to the Agreement will be legally binding with the same force and effect as manually executed signatures, provided that such signatures must be made using a technology designed for electronic signatures and a mere email which appears to state consent to an agreement or action will not be considered an electronic signature.

m) Equitable Relief. Notwithstanding anything to the contrary in the Agreement, either Party may immediately seek equitable relief (without the necessity of posting bond), including, without limitation, temporary injunctive relief, against the other Party in any court of competent jurisdiction with respect to any and all equitable remedies sought in connection with the Agreement. In addition, either Party may, at its option, pursue any and all remedies available at law and in equity in any court of competent jurisdiction with respect to any breach of the Agreement.

n) Cumulative Remedies. Except as otherwise set forth in the Agreement and subject to the terms of the Agreement, all remedies available to either Party under the Agreement at law and in equity shall be cumulative and may be exercised concurrently or separately, and the exercise of any one remedy will not be deemed an election of such remedy to the exclusion of any other remedies.

o) Interpretation. In the event of a dispute between the Parties, the Agreement will not be construed for or against either Party but will be interpreted in a manner consistent with the intent of the Parties as evidenced by the terms of the Agreement. Unless otherwise specified, “days” means calendar days.

p) Severability. If any provision in the Agreement is held invalid or unenforceable, that provision will be construed, limited, or modified or, if necessary, severed to the extent necessary to eliminate its invalidity or unenforceability, and the other provisions of the Agreement will remain in full force and effect and will be construed to carry out the intent of the Parties hereto.

Data Processing Addendum

This Data Processing Addendum (“DPA”) reflects the parties’ agreement with regard to the Processing of Personal Data pursuant to the Agreement. Client enters into this DPA on behalf of itself. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. In providing the Services to Client pursuant to the Agreement, Paradox may Process Personal Data on behalf of Client, and the parties agree to comply with the following provisions with respect to any Personal Data.

DPA DEFINITIONS

“CCPA/CPRA” means the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), California Civil Code sections 1798.100 et seq., and its implementing regulations.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data and includes, without limitation, any entity that is a business (as the term “business” is defined under the CCPA/CPRA).

“Data Protection Laws and Regulations” means all laws and regulations currently in effect and as they become effective, including laws and regulations of the United States and its states such as the CCPA/CPRA, applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information (i) relating to an identified or identifiable natural person, or, (ii) that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, where for each (i) or (ii), such data is (a) Processed at any time by Paradox pursuant to the Agreement or (b) derived by Paradox from such information.

“Processing” (including its root word, “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller and includes, without limitation, the term service provider (as the term “service provider” is defined under the CCPA/CPRA).

“Paradox” means the Paradox entity which is a party to this DPA, as specified in the section “Application of this DPA” above, being Paradox, Inc., a company incorporated in Delaware with its primary address being 6330 E. Thomas Rd., Scottsdale, Arizona 85251.

“Paradox Group” means Paradox and its Affiliates engaged in the Processing of Personal Data.

“Restricted Transfer” means, to the extent applicable under applicable Data Protection Laws and Regulations, a Transfer of Personal Data to a country other than the country of origin which is not subject to an adequacy determination by the authorities competent for the country of origin.

“Standard Contractual Clauses (EU/EEA)” the Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91.

"Standard Contractual Clauses (UK)" means the Standard Contractual Clauses (Processors), dated 5 February 2010, for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR, approved by European Commission Decision 2010/87/EU and recognized by the regulatory or supervisory authorities of the United Kingdom for use in connection with data transfers from the United Kingdom.

“Sub-processor” means any (i) Processor engaged by Paradox, including a member of the Paradox Group, and (ii) Processor engaged by a member of the Paradox Group.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

“Business Purpose”, “Share” and “Sell” shall have the meaning ascribed to each term in the CCPA/CPRA.

DPA TERMS

Paradox and the signatory below at the address below (“Client”) hereby enter into this DPA effective as of the last signature date below. This DPA is incorporated into and forms part of the Agreement.

1. Provision of the Service. Paradox provides the Services to Client under the Agreement. In connection with the Services, the parties anticipate that Paradox may Process Personal Data relating to Data Subjects.

2. The Parties’ Roles. The parties agree that with regard to the Processing of Personal Data, Client is the Controller, Paradox is the Processor, and that Paradox will engage Sub-processors pursuant to the requirements of this DPA.

3. Client Responsibilities. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of applicable Data Protection Laws and Regulations, including any applicable requirements to provide notice to Data Subjects of the use of processors. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with applicable Data Protection Laws and Regulations. With respect to Personal Data provided by Client to Paradox, Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired such Personal Data. Subject to Paradox’s provision of Services in accordance with the Agreement, including this DPA, Client specifically acknowledges that its use of the Service will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.

4. Processing Purposes.

• a) Paradox shall keep Personal Data confidential and shall only Process Personal Data on behalf of and in accordance with Client’s documented instructions for only the following specified and limited Business Purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Service; and (ii) Processing to comply with other documented, reasonable instructions provided by Client (for example, via email) where such instructions are consistent with the terms of the Agreement. Paradox shall not be required to comply with or observe Client’s instructions if such instructions would violate applicable Data Protection Laws and Regulations, provided that Paradox promptly notifies Client of any such determination by Paradox that Client’s instruction would violate applicable Data Protection Laws and Regulations. At any time, upon Client’s written notice to Paradox, Paradox will provide Client with a .CSV file of its data, promptly cease any further Processing of any Personal Data, and/or delete any Personal Data in its possession.
• b) Paradox shall not (i) Sell or Share Personal Data, (ii) retain, use or disclose Personal Data (a) for any purpose other than for the specific purpose of performing the Services specified in the Agreement, or (b) outside of the direct business relationship between Client and Paradox.
• c) Paradox may retain, use, or disclose Personal Data obtained in the course of providing the Services (i) for internal use by Paradox to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source, or (ii) to detect data security incidents, or protect against fraudulent or illegal activity. Paradox shall not combine Personal Data received pursuant to the Agreement with personal data received from or on behalf of another person, or collected from Paradox’s own interactions with individuals.
• d) Paradox shall comply with all Data Protection Laws and Regulations applicable to Paradox in the performance of its obligations under the Agreement and provide the level of privacy protection for Personal Data as is required by such Laws and Regulations. Client may take any reasonable and appropriate steps to ensure that Paradox uses Personal Data in a manner consistent with Client’s obligations under applicable Data Protection Laws and Regulations. Paradox shall enter into any further contractual terms required for Client to comply with Data Protection Laws and Regulations. Paradox shall promptly notify Client if at any time Paradox makes a determination that it can no longer meet its obligations under this DPA or applicable Data Protection Laws and Regulations.

5. Scope of Processing. The subject-matter of Processing of Personal Data by Paradox is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1 to this DPA.

6. Data Subject Requests. To the extent legally permitted, Paradox shall promptly notify Client if Paradox receives a request from a Data Subject to exercise the Data Subject's privacy rights (“Data Subject Request”). Factoring into account the nature of the Processing, Paradox shall assist Client by appropriate organizational and technical measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Paradox shall, upon Client’s request, provide reasonable efforts to assist Client in responding to such Data Subject Request, to the extent that Paradox is not legally prohibited from doing so.

7. Paradox Personnel. Paradox shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and have executed written confidentiality agreements. Paradox shall take reasonable steps to ensure the reliability of any Paradox personnel engaged in the Processing of Personal Data. Paradox shall ensure that Paradox’s access to Personal Data is limited to those personnel assisting in the provision of the Service in accordance with the Agreement.

8. Data Protection Officer. Members of the Paradox Group have appointed a data protection officer. The appointed person may be reached at privacy@paradox.ai

9. Paradox’s Sub-processors. Paradox has instructed or authorized the use of Sub-processors to assist Paradox with respect to the performance of Paradox's obligations under the Agreement and Paradox agrees to be responsible for the acts or omissions of such Sub-processors to the same extent as Paradox would be liable if performing the services of the Sub-processors under the terms of the Agreement. Upon written request of the Client, Paradox will provide to Client a list of its then-current Sub-processors. Client acknowledges and agrees that (a) Paradox’s Affiliates may be retained as Sub-processors; and (b) Paradox and Paradox’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Paradox shall ensure that each Sub-processor is subject to a written agreement that imposes obligations on the Sub-processor that are consistent with those imposed on Paradox under this DPA and requires the Sub-processor to provide at least the same level of protection as is required by this DPA. Paradox shall only retain Sub-processors that it reasonably determines are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data. The parties agree that the copies of the Sub-processor agreements that must be provided by Paradox to Client pursuant to the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Paradox beforehand; and, that such copies will be provided by Paradox, in a manner to be determined in its discretion, only upon request by Client.

10. Liability for Sub-processors. Paradox shall be liable for the acts and omissions of its Sub-processors to the same extent Paradox would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

11. Security Measures. Paradox shall maintain appropriate physical, administrative, organizational and technical measures for protection of the security (including protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Personal Data or Client Data), confidentiality, availability and integrity of Personal Data and Client Data, including without limitation, maintaining the measures as set forth in Schedule 1. Paradox regularly monitors compliance with these measures. Paradox will not materially decrease the overall security of the Services during a subscription term.

12. Third-Party Certifications and Audit Results. Paradox has attained its ISO 27001 certification and shall obtain annually ISO 27001 and SOC2 Type II audit results, including for operations, systems and processes that are relevant to performance of the Services. Upon Client’s written request at reasonable intervals no less than annually, and subject to the confidentiality obligations set forth in the Agreement, Paradox shall make available to Client a copy of Paradox’s then most recent third-party certifications and audit results, including a SOC2 Type II report. Paradox shall prepare and implement a corrective action plan to correct any deficiencies and resolve any problems identified in such reports at no additional cost to Client. If specific audit recommendations are not implemented by Paradox, then Paradox should implement such alternative steps as are consistent with commercially reasonable industry standards for the purposes of minimizing or eliminating the risks identified in any such report.

13. Notifications Regarding Client Data. Paradox has in place reasonable and appropriate security incident management policies and procedures, and shall notify Client without undue delay (and within no more than 72 hours) if it reasonably suspects or is aware of the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Client Data or Personal Data, transmitted, stored or otherwise Processed by Paradox or its Sub-processors (hereinafter, a “Client Data Incident”). Paradox shall make reasonable efforts to identify the cause of such Client Data Incident, and take those steps reasonably necessary in order to remediate the cause of such a Client Data Incident, to the extent that the remediation is within Paradox’s reasonable control, including with respect to Sub-processors. Paradox shall cooperate with Client’s reasonable requests to investigate and shall mitigate such Client Data Incident. Paradox shall use reasonable efforts to preserve all applicable evidence relating to the Client Data Incident and provide such evidence to Client upon Client’s reasonable request. Paradox shall not issue any communications related to a Client Data Incident, in any manner that identifies Client, without Client’s prior approval. Notice under this paragraph shall be provided to Client by phone and email to Client designee as listed below, and to Client’s administrative users via the Services:

Subject to applicable law, Paradox shall notify Client promptly in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Client shall have the right to defend such action in lieu of and/or on behalf of Paradox. Client may, if it so chooses, seek a protective order. Paradox shall reasonably cooperate with Client, at Client’s expense, in any such defense.

14. Return of Client Data. Upon Client’s request, Paradox shall promptly return Personal Data and Client Data to Client and, unless prohibited by applicable law, promptly delete Personal Data and Client Data in accordance with the procedures specified in Schedule 1, unless the retention of the data is requested from Paradox according to mandatory statutory laws. In the event Paradox is unable to delete Personal Data or Client Data, for reasons required under applicable law, Paradox shall (i) promptly inform Client of the reason for its refusal of the deletion request, (ii) ensure the privacy, confidentiality and security of such Personal Data or Client Data, and (iii) delete the Personal Data or Client Data promptly after the reason for retention has expired.

15. Franchisees. By executing the DPA, the Client enters into the DPA on behalf of itself. Each Franchisee Services Agreement establishes a separate DPA between Paradox and each such Franchisee. Each Franchisee agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. A Franchisee is not and does not become a party to the Agreement. All access to and use of the Service by Franchisee(s) must comply with the terms and conditions of the Franchisee Services Agreement and each Franchisee shall be solely responsible for any violation thereof.

16. Intentionally Deleted.

17. Data Protection Impact Assessment. Upon Client’s request, Paradox shall provide Client with reasonable cooperation and assistance needed to fulfil Client’s obligation under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Paradox. Paradox shall provide reasonable assistance to Client in the cooperation or prior consultation with a regulatory authority in the performance of its tasks relating to the Processing of Personal Data, to the extent required under applicable Data Protection Laws and Regulations.

18. Restricted Transfers.

• a) EEA Restricted Transfers. To the extent applicable, with respect to Restricted Transfers from the EEA or Switzerland, effective from the commencement of the relevant Restricted Transfer, Client and Paradox hereby enter into, and incorporate into this DPA by reference, the Standard Contractual Clauses (EU/EEA) in respect of any Restricted Transfer (or onward transfer) or Personal Data by or on behalf of the Client to Paradox from: (1) the EEA, (2) Switzerland, or (3) any country in which the competent authorities have approved the use of the Standard Contractual Clauses (EU/EEA) and where such Restricted Transfer (or onward transfer) would otherwise be prohibited by Data Protection Laws and Regulations (or by the terms of data transfer agreements put in place to address Data Protection Laws and Regulations). In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses (EU/EEA) shall be deemed complete as follows:
  • In Clause 7, the optional docking clause will not apply;
  • In Clause 9(a), Option 2 will apply, and the time period for prior notice of additions or replacements of Paradox Sub-Processors shall be:thirty (30) days;
  • In Clause 11, the optional language will not apply;
  • In Clause 17, Option 1 will apply, and the Standard Contractual Clauses (EU/EEA) will be governed by the law of Ireland; As per Clause 18(b), disputes shall be resolved before the courts of Ireland;
  • Annex 1 to Standard Contractual Clauses (EU/EEA) shall be deemed to be pre-populated with the Processing Details in Appendix 1 hereto; and
  • Annex 2 to the Standard Contractual Clauses (EU/EEA) shall be deemed to be pre-populated with the security measures set forth in Schedule 1 hereto.
• b) UK Restricted Transfers. Restricted Transfers from the United Kingdom. To the extent applicable, with respect to Restricted Transfers from the United Kingdom, effective from the commencement of the relevant Restricted Transfer, Client and Paradox hereby enter into, and incorporate into this DPA by reference, the Standard Contractual Clauses (UK) in respect of any Restricted Transfer (or onward transfer) of Personal Data by or on behalf of Client to Paradox from the United Kingdom ("UK"). In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses (UK) shall be deemed complete as follows:
  • Appendix 1 to the Standard Contractual Clauses (UK) shall be deemed to be pre-populated with the Processing Details in Appendix 1 hereto; and
  • Appendix 2 to the Standard Contractual Clauses (UK) shall be deemed to be pre-populated with the security measures set forth in Schedule 1 hereto.
  • If at any time the UK Government approves the Standard Contractual Clauses (EU/EEA) for use under the UK privacy laws, the provisions of the Standard Contractual Clauses (EU/EEA) shall apply in place of the Standard Contractual Clauses (UK), subject to the terms set forth in section 2.6 (A) through (C), (F) and (G) above and any modifications to the Standard Contractual Clauses (EU/EEA) required by the UK privacy laws (and subject to the governing law being English law, the competent courts being the English courts and the competent supervisory authority being the Information Commissioner’s Office).
• c) In the event of a conflict between (i) the Agreement, and (ii) the Standard Contractual Clauses (EU/EEA) or the Standard Contractual Clauses (UK), the latter shall prevail.
• d) If, at any point during the Subscription Term, changes in Data Protection Laws and Regulations require amendments to this DPA in order to ensure the lawful transfer of Personal Data, Client and Paradox will cooperate in good faith to implement such amendments without undue delay.

19. Client’s Processing Instructions. This DPA and the Agreement are Client’s complete and final instructions at the time of signature of the Agreement to Paradox for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses (UK) and Clause 8.1(a) of the Standard Contractual Clauses (EU/EEA), the following is deemed an instruction by the Client to process Personal Data: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Users in their use of the Services; and (c) Processing to comply with other reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement.

20. Audits. Paradox shall make available to Client all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA. To the extent applicable, the parties agree that the audits described in the Standard Contractual Clauses or otherwise required by Data Protection Laws shall be carried out in accordance with the following specifications: following Client’s written request, and subject to the confidentiality obligations set forth in the Agreement, Paradox shall make available to Client information regarding the Paradox Group’s compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits set forth in Section 12 of this DPA. Client may contact Paradox in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Client and Paradox shall mutually agree upon the scope, timing, and duration of the audit and Client shall promptly notify Paradox and provide information about any actual or suspected non-compliance discovered during an audit. To the extent applicable, the provision in this section shall by no means derogate from or materially alter the provisions on audits as specified in the Standard Contractual Clauses or applicable Data Protection Laws.

21. Data Deletion. The parties agree that certification of deletion of Personal Data that shall be provided by Paradox to Client upon Client’s request.

22. Order of Precedence. This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligation of the parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. To the extent applicable, in the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, to the extent the Standard Contractual Clauses are applicable.

Security Measures

1. Asset Management

• Paradox maintains and shall continue to maintain an inventory of IT assets that Process Personal Data or Client Data, including internal and external systems.

2. Governance

• Paradox maintains and shall continue to maintain an Information Security Program (ISP) based on the ISO/IEC 27001 framework
• Paradox maintains and shall continue to maintain an information security risk management program that includes oversight by of Paradox’s Security & Compliance Director and Information Security Committee, which are responsible for oversight of the information security program.

3. Risk Management

• Paradox maintains and shall continue to maintain risk management processes to identify, assess and manage risks to Personal Data and Client Data and IT systems and Sub-processors supporting the Services.
• Paradox conducts and shall continue to conduct an information security risk assessment at least once annually and manage risks to Personal Data and Client Data and IT systems and Sub-processors supporting the Services in accordance with documented risk management procedures.
• Paradox conducts and shall continue to conduct vulnerability scans against infrastructure and applications in accordance with their risk to Personal Data , Client Data and the Services, to help identify vulnerabilities and promptly remediate any security vulnerabilities and misconfiguration.
• Paradox conducts and shall continue to conduct penetration testing of its applications at least one time per year using independent testing professionals.

4. Awareness and Training

4.1 Paradox ensures and shall continue to ensure that its personnel complete information security awareness training and are made aware of their responsibilities with regards to information security and the handling of Personal Data and Client Data.

4.2 Paradox provides and shall continue to provide its personnel with instructions and awareness for using Personal Data and Client Data, including but not limited to, the following requirements:

• a) Keep Personal Data, Client Data and IT equipment secure at all times, including when travelling or working out of the office or from home;
• b) Keep User ids, passwords and PINs for IT systems and devices, confidential and protect them from unauthorized access;
• c) Do not connect untrusted removable media devices to IT systems or laptops;
• d) Keep devices used to access Personal Data, Client Data and IT systems up-to-date with security updates;
• e) Handle Personal Data and Client Data in accordance with Paradox’s classification and documented handling procedure and this DPAs;
• f) Only share Personal Data and Client Data with authorized individuals on a need-to-know basis;
• g) Be aware of phishing and do not click on links in emails or documents or provide any Personal Data or Client Data over the phone without verifying the caller;
• h) Maintain a clear desk and a clear screen so that Personal Data and Client Data cannot be viewed or accessed by unauthorized individuals;
• i) Securely dispose of paper and other media using correct procedures in accordance with this DPA; and
• j) Report security events and non-compliance to security policies promptly and without delay.

5. Access Control

5.1 Paradox restricts and shall continue to restrict physical and logical access to IT systems supporting the Services to only the minimum levels of access and privileges required to perform a function or role.

5.2 New access to network, systems, and data (including to Personal Data and Client Data) are and shall continue to be approved and documented.

5.3 Paradox assigns and will continue to assign Users a unique ID; shared accounts are and shall continue to be prohibited.

5.4 Paradox implements and will continue to maintain identity and access management processes to control access and authenticate Users prior to granting access to Personal Data, Client Data or IT systems.

5.5 Paradox reviews and shall continue to review User accounts and their privileges on a regular basis, to verify that access to Personal Data , Client Data and IT systems used in supporting the Services is correct.

5.6 Paradox ensures and shall continue to ensure that remote access to Personal Data, Client Data and IT systems and networks supporting the Services is restricted to only authorized individuals using secure entry-points and approved devices.

6. Data Center Security

6.1 Data centers used by Paradox use and shall continue to use a card-key access control system. Only appropriate personnel are and shall continue to be issued card-keys.

6.2 Data centers used by Paradox require and shall continue to require visitors to sign a log and visitors are escorted at all times by data center personnel.

6.3 Data centers used by Paradox employ and shall continue to employ security surveillance cameras, installed to record activity at the data center.

7. Data Security

7.1 Paradox maintains and shall continue to maintain procedures and controls designed to protect the security of Personal Data and Client Data.

7.2 Paradox maintains and shall continue to maintain the security of systems and employee laptops using standardized builds that include a hardened operating system, malware protection, and host-based security software.

7.3 Configuration changes are and shall continue to be limited to authorized individuals, in accordance with documented change management procedures and using approved systems and tools.

7.4 On Client’s request, Paradox will securely delete Personal Data or Client Data in Paradox’s possession, custody or control, including from IT systems, in accordance with current industry standards for secure deletion of Personal Data.

Application Security

8.1 Paradox only uses Client Data for testing as necessary to deliver the Services to Client as prescribed in the applicable agreement. Paradox shall not use any Client Data or Personal Data for testing purposes.

Operational Security

Paradox maintains and shall continue to update and patch (including security patching) IT systems in a timely manner, in accordance with change management procedures that meet industry security standards for patch management and change management.

9.2 A 24-hour on-call procedure is implemented and shall continue to be maintained to provide 24/7 Paradox internal support for production systems.

9.3 Commercial anti-virus software is loaded and shall continue to be updated and maintained on production servers to mitigate the risk of virus threats.

Security Monitoring & Detection

10.1 Paradox’s security department is and shall continue to be responsible for security monitoring and detection activities.

10.2 Paradox maintains and shall continue to maintain content filtering technologies to monitor and appropriately manage connections to the internet.

10.3 Paradox monitors and shall continue to monitor CERT notifications that may affect any element of its IT systems and patch systems in accordance with a documented procedure that prioritizes the remediation of vulnerabilities based on risk and industry security standards.

Incident Response

11.1 Paradox maintains and shall continue to maintain security incident response plans to manage response to security events, and these are tested and shall continue to be tested on at least an annual basis.

11.2 Paradox assesses and shall continue to assess security events and suspected incidents against defined criteria and responds to incidents in such a way that takes into consideration their potential impact to the Client and the Client’s Affiliates and enables Paradox to satisfy its obligations to Client with respect to Client Data Incidents under this DPA.

11.3 Paradox will contain and mitigate incidents in accordance with documented incident management procedures and response plans, which shall enable Paradox to satisfy its obligations to Client with respect to Client Data Incidents under this DPA.

11.4 Paradox will conduct post incident reviews to identify root-causes and identify actions required to minimize the risk of similar incidents re-occurring. Response strategies and plans will be updated in response to any lessons learned.

Third Party Risk Management

12.1 Paradox’s security department maintains and shall continue to maintain a third-party risk management program to ensure that third parties maintain security controls at least as stringent as Paradox’s security controls and continually assess the third party on a regular basis to ensure security in accordance with this DPA.

12.2 Third parties are obligated, by contractual agreement, to maintain security controls at least as stringent as Paradox’s security policies dictate and in accordance with this DPA.

12.3 Third parties are obligated, by contract, to securely delete data at the end of contract and in accordance with this DPA.

This Appendix forms part of the Standard Contractual Clauses and the Standard Contractual Clauses (UK) (together the “Clauses”) and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Data exporter is the legal entity that has executed the DPA based on the Clauses as a Data Exporter established within the European Economic area and Switzerland that have purchased the Service on the basis of one or more Order Form(s).

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Data importer, Paradox, Inc., a provider of SaaS software for human capital management and recruiting purposes.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

1. 1. Past and present employees, consultants, independent contractors, agents, and non-employee workers;

1. 2. Data exporter’s Users;
2. 3. Job applicants and candidates;
3. 4. Students and interns.

Categories of data

The Personal Data transferred concern the following categories of data (please specify):

Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data:

• Email addresses;
• Phone numbers;
• Name (first and last);
• Title;
• Candidate inquiries;
• IP Address;
• Resumes;
• Professional employment history;
• Education history;
• Emergency contact info.

Special categories of data (if appropriate)

The Personal Data transferred concern the following special categories of data (please specify):

None.

Processing operations

The Personal Data transferred will be subject to the following basic processing activities (please specify):

The objective of Processing of Personal Data by the data importer is the performance of the Services pursuant to the Agreement.

Data importer has implemented and will maintain appropriate technical and organisational measures to protect Client Data (as defined in the DPA) against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The measures described in Schedule 1 of the DPA are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.

This Appendix forms part of the Clauses and must be completed and signed by the parties. The list of Sub-processors approved by the parties as of the effective date of the DPA is as set forth below:

Depending on the geographic location of Client or its Users, and the nature of the Services provided, Paradox may also engage one or more of the following Affiliates as Sub-processors to deliver some or all of the Services provided to Client:

This Paradox Service Level Agreement (“SLA”)

Unless otherwise defined herein, capitalized words and phrases have the meaning specified in the Agreement.

1. SERVICE COMMITMENT: 99.9% UPTIME

Paradox will use commercially reasonable efforts to make the Paradox Services available with a Monthly Uptime Percentage of at least 99.9% during any monthly billing cycle (the “Service Commitment”). Subject to the terms of this SLA, if Paradox does not meet the Service Commitment, Client will be eligible for a Service Credit.

2. DEFINITIONS

“Client” or “you” has the meaning set out in the Agreement.

“Paradox” has the meaning set out in the Agreement.

“Paradox Services” for purposes of this SLA, mean the Cloud Software and related services provided to Client and under the Agreement.

“Maintenance” means the total amount of time during any calendar month, measured in minutes, during which Client or any User is not able to access and use the Paradox Services, or any component thereof, due to planned system maintenance performed by or on behalf of Paradox. Paradox will provide at least five (5) days’ notice to Client prior to such maintenance occurring.

“Monthly Uptime Percentage” will mean, with respect to any particular calendar month, the ratio obtained by subtracting Unavailability during such month from the total time during such month, and thereafter dividing the difference so obtained by the total time during such month. Represented algebraically, Monthly Uptime Percentage for any particular calendar month is determined as follows:

“Service Credit” is defined in Section 3.

“Total Monthly Time” is deemed to include all minutes in the relevant calendar month, to the extent such minutes are included within the Term of the Agreement.

“Unavailable” and “Unavailability” means the total amount of time during any calendar month, measured in minutes, during which the Cloud Software as outlined in the Agreement that is not accessible by Client due to Paradox’s actions or inactions, other than Maintenance, as defined above.

3. SERVICE CREDITS

In the event Unavailability occurs, Client will be entitled to credits against its then-current or subsequent payment obligations according to the following:

In the event that the Monthly Uptime Percentage falls below the applicable Service Commitment for a given month, Client shall receive a credit (“Service Credit”) equal to one percent (1%) of fees paid in the prior month for Monthly Uptime Percentage in a month that is less than 99.9% but greater than or equal to 98.9%. If Monthly Uptime Percentage in a month is less than 98.8% but greater than or equal to 97.9%, Client shall receive a credit equal to two percent (2%) of fees paid in the prior month. If Monthly Uptime Percentage in a month is less than 97.8% but greater than or equal to 96.9%, Client shall receive a credit equal to three percent (3%) of fees paid in the prior month. If Monthly Uptime Percentage in a month is less than 96.8%, Client shall receive a credit equal to four percent (4%) of fees paid in the prior month.

4. CLIENT SUPPORT

Paradox shall provide phone and email support Monday through Friday between the hours of 8am and 5pm, Arizona Time, excluding holidays (“Standard Support Hours”). Paradox shall also provide 24/7 engineering support to address any critical issues (engineering personnel will not be directly available to Client) and access to a ticketing system through which issues may be reported and recorded 24/7.

5. CREDIT REQUEST AND PAYMENT PROCEDURES

Service uptime may be monitored at status.paradox.ai, where Client will find real time information concerning system metrics and past incidents.

To receive a Service Credit, Client must submit a claim by emailing support@paradox.ai. To be eligible, Paradox must receive the claim by the end of the calendar month following the month in which the incident occurred. For example, if the Incident occurred on April 15th, Paradox must receive the claim and all required information by May 31st. The credit request include:

• 1. the words “SLA Credit Request” in the subject line;
• 2. the dates and times of each Unavailability incident that you are claiming;
• 3. the account name(s); and
• 4. screenshots and/or descriptions that document the errors and corroborate your claimed outage.

These Service Credits represent negotiated amounts on the basis of reduced performance of service levels and shall not be deemed or construed as a measure of damages. Any Service Credits shall be made without limitation of any of Client's other rights and remedies pursuant to the Agreement. In addition, if Client becomes entitled to any Service Credits for any three (3) months in a twelve (12) month period, Client may, at its option, terminate the Agreement for cause with no opportunity to cure.

If the Monthly Uptime Percentage of such request is confirmed by Paradox and is less than the Service Commitment, then Paradox will issue the Service Credit to you within forty-five (45) days of receipt. Paradox is not liable for any SLA failure under the Agreement, to the extent, (i) such failure arises from or is related to Client’s failure to provide the request and other information, or perform Client’s obligations as required in the Agreement, and (ii) any SLA exclusions listed in Section 7 will disqualify Client from receiving a Service Credit.

6. SUPPORT AND ISSUE REPORTING

The Paradox engineering team monitors the Olivia application 24 hours/day 7 days/week for any critical issues. Additionally, Paradox will provide the following methods of ongoing support:

1. Client Success Manager: Client will be provided a dedicated Paradox Client Success Manager (“CSM”) throughout the course of the subscription term. Client’s CSM is available via phone or email, as described below:

• a) Phone: Phone support will be provided between the hours of 8am and 5pm MST,   excluding holidays and weekends (“Normal Business Hours”).
• b) Email: Client may email its CSM 24 hours/day 7 days/week and will receive a response during Normal Business Hours.

2. Olivia Assist: Online support functionality is available to Client in the Olivia application, via the Olivia assistant (“Olivia Assist”). Olivia Assist is available 24 hours/day 7 days/week.

3. Ticketing System: Client may submit issues to Paradox via web form 24 hours/day 7 days/week, at support.paradox.ai. Supplemented by email support and phone support during Normal Business Hours, the Paradox ticketing system will be used as the central communication platform for dealing with and continuing to track outstanding issues.

All Incidents must be submitted via the Ticketing System, as the Ticketing System is the source of truth for the recording and tracking of all Incidents. Paradox will respond to Incidents submitted by Client as set forth in Table 1: Prioritization (“Table 1”) and Table: 2.

Client’s “Client Success Manager” or “CSM” shall serve as Client’s primary point of contact during the subscription term. Where Paradox has failed to materially comply with the requirements set forth below, Client may request that the CSM escalate the issue to increasingly senior Paradox personnel (starting at Escalation Level 1 and moving to Escalation Level 3) so that the parties may work in good faith to resolve such issues and problems that may arise in the performance or receipt of the Services.

7. PARADOX SLA EXCLUSIONS

Paradox is not liable for any Unavailability of the Paradox Services to the extent resulting from:

1. A suspension by Paradox in accordance with the Agreement;

2. Factors outside of Paradox’s reasonable control (including a Force Majeure Event or a network or device failure external to Paradox’s data centers or the facilities of Paradox’s Affiliates or Subcontractors);

3. Any actions or inactions of Client or any third-party that is not a Subcontractor or Affiliate of Paradox;

4. The equipment, software or other technology of Client.