Data Processing Agreement
The terms under which MangoApps processes personal data on behalf of its customers. This DPA is incorporated into the MangoApps Master Subscription Agreement. Last updated June 4, 2026.
This Data Processing Agreement ("DPA") is incorporated into and forms part of the MangoApps Master Subscription Agreement (or other written agreement between the parties governing Customer's use of the Service) (the "Agreement") between MangoApps, Inc. ("MangoApps") and the customer party to the Agreement ("Customer"). It reflects the parties' agreement on the processing of Personal Data by MangoApps on Customer's behalf. No signature is required for this DPA to be effective — it applies automatically to every customer with an executed Order Form, and, consistent with the Agreement, the version published as of the Order Form's date applies to that Order Form. Customers whose procurement process requires a countersigned copy may request one at legal@mangoapps.com.
1. Definitions
"Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and applicable US state privacy laws including the California Consumer Privacy Act as amended ("CCPA").
"Personal Data" means any Customer Data relating to an identified or identifiable natural person.
"Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR.
"Subprocessor" means a third party engaged by MangoApps to process Personal Data on Customer's behalf.
"SCCs" means the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914.
Capitalized terms not defined here have the meanings in the Agreement.
2. Roles and Scope
For Personal Data within Customer Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and MangoApps is a Processor. Each party will comply with its obligations under Data Protection Laws. Customer is responsible for the accuracy and lawfulness of the Personal Data it submits, for having a lawful basis to process and to instruct MangoApps to process it, and for providing any required notices to and obtaining any required consents from Data Subjects. The details of processing are set out in Annex 1.
3. Customer Instructions
MangoApps will process Personal Data only on Customer's documented instructions — which consist of the Agreement, this DPA, Customer's use and configuration of the Service, and other written instructions agreed by the parties — unless required to do otherwise by applicable law, in which case MangoApps will inform Customer of that legal requirement before processing unless the law prohibits doing so. MangoApps will promptly inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
Customer's documented instructions expressly include processing Personal Data: (a) to create de-identified and aggregated data as permitted by the Agreement, which, once it no longer identifies Customer or any individual, is not Personal Data and is outside the scope of this DPA; and (b) through the Service's AI features, including transmission to the third-party model providers identified as Subprocessors, subject to the AI terms of the Agreement (including MangoApps' commitment not to use Customer Data to train generalized foundation models without consent).
3a. Regulated Data
The Service is not designed to process payment cardholder data, and Customer will not submit it. Customer will not submit protected health information subject to HIPAA, or other data subject to sector-specific regulation imposing obligations beyond Data Protection Laws, unless the parties have executed a separate agreement covering that data — such as the MangoApps Business Associate Agreement. MangoApps is not responsible for regulated data submitted in breach of this Section.
4. Confidentiality of Processing
MangoApps ensures that persons authorized to process Personal Data are bound by contractual or statutory obligations of confidentiality and process Personal Data only as needed to provide the Service.
5. Security
MangoApps implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex 2 and in the Agreement. MangoApps may update those measures from time to time, provided updates do not materially reduce the overall protection of Personal Data.
6. Subprocessors
Customer provides general written authorization for MangoApps to engage Subprocessors to provide the Service. The current Subprocessor list is published at gdpr-subprocessors. MangoApps will (a) update that page before adding or replacing a Subprocessor — Customer may subscribe to change notices by emailing legal@mangoapps.com, and is otherwise responsible for monitoring the page; (b) impose data protection obligations on each Subprocessor that are no less protective than those in this DPA; and (c) remain responsible for each Subprocessor's performance. Customer may object on reasonable data-protection grounds to a new Subprocessor within thirty (30) days of notice; the parties will work in good faith to resolve the objection, and if it cannot be resolved, Customer may terminate the affected portion of the Service with a pro-rata refund of prepaid fees for the unused remainder of the term — as Customer's sole remedy for the objection.
7. Data Subject Requests
Taking into account the nature of the processing, MangoApps will assist Customer by appropriate technical and organizational measures — including the Service's built-in export, correction, and deletion tools — in fulfilling Customer's obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). If a Data Subject contacts MangoApps directly regarding Personal Data processed under the Agreement, MangoApps will promptly redirect the request to Customer and will not respond substantively except as required by law.
8. Personal Data Breach
MangoApps will notify Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under the Agreement, and will provide information reasonably available to MangoApps about the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. MangoApps' notification of or response to a breach is not an acknowledgment of fault or liability.
9. Assistance; Costs
Taking into account the nature of processing and the information available to it, MangoApps will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities required under Data Protection Laws, to the extent they relate to MangoApps' processing of Personal Data under the Agreement. Assistance under Sections 7, 9, and 11 that exceeds the Service's self-service capabilities and standard support is provided at Customer's reasonable, documented expense.
9a. Government Requests
If MangoApps receives a legally binding request from a public authority for disclosure of Personal Data processed under the Agreement, MangoApps will (a) review the legality of the request and challenge it if, after careful assessment, it concludes there are reasonable grounds to do so; (b) seek to redirect the authority to request the data directly from Customer; (c) promptly notify Customer before disclosure unless legally prohibited, and if prohibited, use reasonable efforts to obtain a waiver of the prohibition; and (d) disclose only the minimum amount of Personal Data necessary to comply.
10. Deletion and Return
Upon expiration or termination of the Agreement, MangoApps will, at Customer's election made within thirty (30) days, return Personal Data (via the Service's export tools or the Return of Hosted Data terms of the Agreement) and thereafter delete Personal Data, including from backups, in accordance with the Agreement's data deletion timelines — unless applicable law requires continued storage, in which case MangoApps will protect the data per this DPA and process it only as required by that law. De-identified and aggregated data created under Section 3 is not subject to deletion or return.
11. Audits and Certifications
MangoApps will make available information reasonably necessary to demonstrate compliance with this DPA, including, upon written request and under confidentiality, summaries of its then-current third-party audit reports and certifications (such as SOC 2). Where Data Protection Laws grant Customer an audit right that cannot be satisfied by such reports, Customer may conduct (directly or through an independent auditor that is not a MangoApps competitor) an audit of MangoApps' relevant processing, no more than once per twelve (12) months, on at least thirty (30) days' written notice, during business hours, without disrupting MangoApps' operations, subject to MangoApps' security policies, and at Customer's expense.
12. International Transfers
MangoApps stores and processes Customer Data in the hosting region specified on or selected pursuant to the Order Form. To the extent MangoApps processes Personal Data protected by Data Protection Laws of the EEA, UK, or Switzerland in a country not recognized as providing adequate protection, the parties agree that the SCCs (Module Two: Controller to Processor) are incorporated into this DPA, with Customer as data exporter and MangoApps as data importer; the UK International Data Transfer Addendum and the Swiss adaptations apply to transfers subject to UK and Swiss law respectively. Annexes 1 and 2 of this DPA serve as the corresponding annexes to the SCCs, and the subprocessor list serves as Annex III. For these purposes: clause 9(a) uses the general-authorization option with the notice period in Section 6; clause 17 selects Irish law; clause 18 selects the courts of Ireland; the competent supervisory authority under clause 13 is determined by the data exporter's establishment or representative; and the tables of the UK Addendum are deemed completed with the corresponding information in this DPA and its annexes.
13. CCPA Service Provider Terms
Where the CCPA applies, MangoApps acts as Customer's "service provider." MangoApps will not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than providing the Service under the Agreement or as otherwise permitted by the CCPA; or (c) combine Personal Data with personal information it receives from other sources except as permitted by the CCPA. MangoApps certifies that it understands and will comply with these restrictions, and will notify Customer if it determines it can no longer meet its CCPA obligations.
14. Liability; Order of Precedence; Duration
Each party's liability arising out of or related to this DPA (including the SCCs) is subject to the exclusions and limitations of liability in the Agreement, except where Data Protection Laws or the SCCs do not permit such limitation. If there is a conflict, the SCCs control over this DPA, and this DPA controls over the Agreement, in each case with respect to the processing of Personal Data; the rights expressly granted to MangoApps in the Agreement and instructed in Section 3 are not a conflict. This DPA takes effect with the Agreement and remains in effect for as long as MangoApps processes Personal Data on Customer's behalf, surviving termination of the Agreement until all Personal Data is deleted or returned under Section 10.
Annex 1 — Details of Processing
Subject matter and duration: processing of Personal Data within Customer Data to provide the Service for the term of the Agreement plus the post-termination retention window stated in the Agreement.
Nature and purpose: hosting, storage, transmission, display, backup, analysis, and related processing needed to provide, secure, and support the MangoApps workforce platform, including its communication, scheduling, HR, and AI-assisted features, per Customer's configuration and instructions.
Categories of Data Subjects: Customer's employees, contractors, and other workforce members; candidates and onboarding hires; customer contacts and other individuals whose data Customer or its users submit to the Service.
Categories of Personal Data: identification and contact data (name, email, phone, photo), employment data (role, department, schedules, time and attendance, performance, training, compensation where Customer enables those modules), user-generated content (posts, messages, files), and usage/log data. Special-category data is processed only to the extent Customer elects to submit it, and Customer is responsible for a lawful basis to do so.
Frequency: continuous, for the duration of the Service.
Annex 2 — Technical and Organizational Measures
MangoApps maintains: encryption of data in transit (TLS) and at rest; industry-standard intrusion detection with monitoring by trained security specialists; firewalls and network segregation; logical tenant isolation; role-based access controls and least-privilege administrative access; periodic security log review; personnel confidentiality obligations and security training; nightly database backups retained on a 31-day rolling basis and highly durable file storage; vulnerability management and patching processes; a documented incident response plan; physical and environmental controls provided by its cloud infrastructure providers; and periodic third-party assessments and certifications. Further detail is published in MangoApps' data protection program and is available to customers under NDA on request.
Questions about this DPA, requests for a countersigned copy, or security documentation (SOC 2, HITRUST, FedRAMP): legal@mangoapps.com. See also the Master Subscription Agreement, GDPR compliance program, and subprocessor list.