Data Processing Addendum

Virtual Post Solutions, Inc. (“Virtual Post”, "VPM", “Company”, “we”, “us” or other similar terms) provides a variety of online business and administrative services aimed at enabling businesses to operate their business remotely (the “Services”), including Virtual Mailbox (postal mail receipt and mail processing services), TruLease (physical business address service), TruAssist (virtual assistant services), registered agent services, and TruStart (entity formation services).

This Data Processing Addendum (“DPA”) sets forth Virtual Post’s privacy practices in relation to Personal Information (as defined below) collected and processed by Virtual Post in connection with the Services. This DPA supplements, is incorporated into and forms a part of the Terms of Service, or other written or electronic agreement, contract or order between Virtual Post and Customer pursuant to which Virtual Post provides, and Customer accesses and receives, Services (as more fully defined below, the “Customer Agreement”). The term “Customer” as used herein refers to the customer that is a signatory or party to, or has otherwise contractually entered into and accepted, a Customer Agreement for Services.

Capitalized terms used in this DPA have the meaning set forth herein or have the respective meanings provided in your Customer Agreement. In the event of any direct conflicts between the terms of your Customer Agreement and the terms of the DPA, the terms of this DPA shall control but solely as applicable to the processing of Personal Information as set forth herein. This DPA shall be effective contemporaneously with the Effective Date of your Customer Agreement and shall terminate automatically upon the expiration or termination of your Customer Agreement.

The Parties hereby agree as follows:

1. Definitions

For purposes of this DPA, the following terms shall have the following meanings:

1. “Company”, “Virtual Post”, “us”, “we” or similar terms means Virtual Post Solutions, Inc.

2. “Customer Agreement” or “Agreement” means the Terms of Use, Terms of Service, Service Agreement, SaaS Agreement, License Agreement or another written contract or order form mutually agreed to between Virtual Post and Customer governing Virtual Post’s provision of, and Customer’s access to and use of, the Services.

3. “Data Protection Laws” means (i) the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any applicable laws and/or regulations that implement and/or exercise derogations under it and/or replace or supersede it (“EU GDPR”); (ii) all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom including the U.K. Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR” and, together with EU GDPR, “GDPR”); (iii)the EU ePrivacy Directive (2002/58/EC); (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii); and (v) the Swiss Federal Data Protection Act (“Swiss DPA”);(vi) all U.S. state data protection laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of Personal Information, including, but not limited to, the following: (1) California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (“CPRA”); (2) Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313) (“ColoPA”); (3) Connecticut Personal Data Privacy and Online Monitoring Act (Public Act No. 22-15) (“CPOMA”); (4) Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61- 404) (“UCPA”); and (5) Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585) (“VCDPA”); and (vii) each of the aforementioned as amended, superseded or updated from time to time. In the event of a conflict in the meanings of defined terms in the Data Protection Laws, the meaning from the law applicable to the location of the relevant data subject/individual/household shall apply.

4. “European Economic Area" or “EEA” means the Member States of the European Union together with Switzerland, Iceland, Norway, and Liechtenstein.

5. “Personal Information” means any data or information that is considered “personal data”, “personal information” or other similar terms as defined by applicable Data Protection Laws and that is provided by Customer to Virtual Post in connection with the Services. Personal Information includes the information and data described in Annex I attached hereto.

6. “Sensitive Personal Information” means personal data or personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and/or biometric data (where used for the purpose of uniquely identifying a natural person), data concerning health or data concerning a natural person's sex life or sexual orientation, and other personal data and personal information that is typically considered “sensitive” under applicable Data Protection Laws.

7. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data from controllers to processors (module two) established in third countries approved by the European Commission from time to time, as may be amended, superseded or replaced by the European Commission from time to time.

8. “UK Addendum” means the UK’s International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0), a copy of which is located at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer- addendum.pdf, and as may be amended, superceded or replaced from time to time.

9. The terms “business” “controller”, “data protection impact assessment”, “data subject”, “personal data”, “personal data breach”, “processor”, “processing”, “service provider” and “supervisory authority” shall be as defined under relevant Data Protection Laws.

2. Processing of Personal Information

1. General. Virtual Post shall comply with its obligations under applicable Data Protection Laws when processing Personal Information. The subject-matter of such processing is providing and making available Services to Customer in accordance with Customer’s Customer Agreement and such processing will continue until Customer’s Customer Agreement terminates or expires. Annex I attached hereto sets out, on a Service-by-Service basis, the nature and purpose of the processing, including the types of Personal Information we process and the data subjects whose Personal Information is processed. Virtual Post may update the descriptions of processing set forth on Annex I from time to time to reflect new products, features or functionality comprised within the Services.

2. Roles of the Parties. Virtual Post and Customer acknowledge that the status of each Party is a question of fact determined under applicable Data Protection Laws. Without limiting the foregoing, the Parties acknowledge and agree that Customer is the controller or business, Virtual Post is the processor or service provider acting on Customer’s behalf, and that Virtual Post may engage Subprocessors pursuant to the requirements set forth in Section 9 “Subprocessors” below. For the avoidance of doubt, the Parties acknowledge and agree that Customer is responsible for determining the processes and means by which the Personal Information is processed and for ensuring that Customer’s instructions for the processing of such Personal Information comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired such Personal Information.

3. Data Processing, Transfers and Sales. Customer hereby instructs Virtual Post to retain, use, disclose and otherwise process the Personal Information for the following purposes, and Customer shall provide the Personal Information to Virtual Post only for the following purposes, and Virtual Post shall only retain, use, disclose or otherwise process the Personal Information for the following purposes: (i) to provide the Services to the Customer in accordance with Customer’s Customer Agreement covering those Services; (ii) as otherwise set out in Customer’s Customer Agreement and this DPA; and/or (iii) as otherwise agreed upon in writing by the Customer and Virtual Post, all of which Virtual Post and Customer acknowledges to be instructions for the purposes of this DPA, unless a different manner of processing is required pursuant to any other applicable law to which Virtual Post is subject, in which case Virtual Post shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before processing that particular Personal Information.

4. Final Agreement. Customer’s Customer Agreement and this DPA shall be and are the Customer’s complete and final instructions to in relation to the processing of the Personal Information. Processing outside the scope of this DPA and the Customer Agreement will require prior written agreement between Customer and Virtual Post on additional instructions for such processing. If we reasonably believe any instruction Customer has provided with respect to the processing of Personal Information violates applicable Data Protection Laws, we shall notify Customer.

5. Limited Use. Virtual Post shall not retain, use, disclose or otherwise process Personal Information for any purpose other than for the specific purposes identified above, in the Customer Agreement or as otherwise permitted or required by applicable Data Protection Laws or otherwise pre-approved by Customer in writing. Virtual Post does not “sell” or “share” (as defined by applicable Data Protection Laws) Personal Information, which means that Virtual Post does not and shall not rent, disclose, transfer, make available or otherwise communicate Personal Information of Customer to any third party for monetary or other valuable consideration. In other words, neither Virtual Post, nor any of its nor any of its employees, agents, consultants or representatives shall have any right to process any of Customer’s Personal Information for their own commercial benefit in any form. Virtual Post shall require its employees, agents, and service providers to comply in all material respects with the obligations and restrictions applicable to Virtual Post under this DPA.

6. Combined, Aggregated or Anonymized Information. Virtual Post shall not combine any Personal Information that Virtual Post receives from, or on behalf of, Customer with information that it receives from, or on behalf of, another source provided that Virtual Post may combine Personal Information as authorized by applicable Data Protection Laws. Virtual Post may collect, use, retain, access, share, transfer, sell, or disclose information that (i) has been deidentified, anonymized or aggregated consistent with the terms and conditions of applicable Data Protection Laws or (ii) any information that is not Personal Information consistent with the terms of Customer’s Customer Agreement. Among other things, this means that Virtual Post may share aggregated and/or anonymized information regarding the use or results of the Services with third parties to assist with developing and improving the Services or to third parties for commercial purposes. Without limiting the above, this DPA does not apply to any data related to a Customer’s use of the Services unless it is Personal Information (e.g. this does not apply to Service analytics, activity logs, use patterns, etc.). For the avoidance of doubt, notwithstanding anything herein to the contrary, the parties acknowledge and agree that Virtual Post will not de-identify or create an anonymized and/or aggregated version of any Personal Information that is "protected health information" (as defined by HIPAA) that is subject to HIPAA.

7. Certification. Virtual Post hereby acknowledges, agrees and certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.

3. Required Consents

As the data Controller or business under applicable Data Protection Laws, please note that Customer is responsible for obtaining all necessary consents, and giving all necessary notices, to its employees, representatives, users, customers and other individuals whose Personal Information will be processed by Virtual Post in connection with the Services (“Users”), including any consents or notices required by this DPA, your applicable Customer Agreement or applicable Data Protection Law. With this in mind, Customer hereby warrants and represents that: (a) it has provided all applicable notices to, and obtained all necessary authorizations from, its Users required for the lawful processing of their Personal Information by Virtual Post in accordance with the Customer Agreement, this DPA and applicable Data Protection Law; and (b) in respect of any Personal Information collected or processed by Virtual Post on behalf of the Customer, it has obtained all necessary consents, authorizations and rights for the lawful processing of that Personal Information by Virtual Post in accordance with the Customer Agreement, this DPA and applicable Data Protection Law.

4. Assistance

Where applicable, taking into account the nature of the processing, and to the extent required under applicable Data Protection Laws, Virtual Post shall provide the Customer with any information or assistance reasonably requested or required by the Customer for the purpose of complying with any of the Customer’s obligations under applicable Data Protection Laws, including: (i) using reasonable efforts to assist the Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Customer’s obligation to respond to requests by Users to exercise rights provided by applicable Data Protection Laws, including providing reasonable documentation, product functionality and/or processes to assist Customer in retrieving, deleting or restricting Personal Information; and (ii) providing reasonable assistance to the Customer with any data protection impact assessments and responding to or assisting with any requests from or consultations to any governmental, regulatory or supervisory authorities relevant to Customer, in each case solely in relation to processing of the Personal Information and taking into account the information available to Virtual Post.

5. Access Requests

If Virtual Post receives a request submitted by a User to exercise a right it has under any Data Protection Laws in relation to that User’s Personal Information, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with the User in relation to such requests and, to the extent permitted by applicable law, Virtual Post shall not respond to the User.

6. Government Requests and Requirements

Virtual Post shall use reasonable efforts to notify Customer of any request or requirement for e closure of Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited or restricted by law, or by an order, request or requirement of such body or agency. Without limiting the foregoing, please note that certain Virtual Post Services are subject to compliance and regulatory obligations (“Legal Requirements”) imposed by governmental and regulatory authorities, and we comply with those Legal Requirements. In certain instances, the Legal Requirements may conflict with the terms of this DPA or may impose additional or different obligations on Virtual Post. In those instances, we will always comply with the Legal Requirements and will use reasonable efforts to also inform Customer of the Legal Requirements. For instance, if Customer receives Virtual Post’s Virtual Mailbox Services, Virtual Post is required to provide the United States Postal Services with a Form 1583 for purposes of appointing Virtual Post as Customer’s agent to receive mail. The Form 1583 will contain some of Customer’s Personal Information and it is necessary for Virtual Post to share that Personal Information with the United States Postal Services in order for Virtual Post to perform the Services. Virtual Post assumes no responsibility for the manner in which any governmental or regulatory body or law enforcement authority handles or processes Customer’s Personal Information and we refer you to the privacy policies of the applicable governmental or regulatory body or law enforcement authority to learn more about their privacy practices.

7. Audits

Provided that Customer has or does enter into a non-disclosure agreement acceptable to Virtual Post, Virtual Post shall (i) allow Customer and its authorized representatives who are reasonably acceptable to Virtual Post (who have also signed a non- disclosure agreement acceptable to Virtual Post) to access and review any Virtual Post documentation, certifications or other reports or files reasonably required to ensure compliance with the terms of this DPA; or (ii) where required by Data Protection Law or the Standard Contractual Clauses or UK Addendum (and in accordance with this Section), allow Customer and its authorized representatives who are reasonably acceptable to Virtual Post (who have also signed a non-disclosure agreement acceptable to Virtual Post) to conduct reasonable audits (including inspections) during the term of the Customer Agreement to ensure compliance with the terms of this DPA.

Notwithstanding the foregoing, any audit must be conducted during our regular business hours, with reasonable advance notice to us (at least 20 business days) and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to Customer or its authorized representatives, or to allow Customer or its authorized representatives to access: (1) any data or information of any other Virtual Post customer; (2) any Virtual Post internal accounting or financial information; (3) any Virtual Post trade secret; (4) any information that, in our reasonable opinion could: (a) compromise the security of our systems or premises; or (b) cause us to breach our obligations under Data Protection Law or our security, confidentiality and or privacy obligations to any other Virtual Post customer or any third party; or (5) any information that Customer or its authorized representatives seek to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws and our compliance with the terms of this DPA.

In addition, audits shall be limited to once per year, unless (x) we have experienced a security breach within the prior twelve (12) months which has impacted Customer’s Personal Information; or (y) an audit reveals a material noncompliance. If we decline or are unable to follow your instructions regarding audits permitted under this Section (or the Standard Contractual Clauses or UK Addendum, where applicable), Customer may terminate this DPA and the Customer Agreement for convenience.

All fees and expenses related to an audit shall be the responsibility of the Customer and Virtual Post is not responsible for and shall not be obligated to pay any such fees. In addition, Customer agrees to pay for, or other reimburse Customer for, any fees, expenses and internal costs and time incurred by Virtual Post in connection with any Customer requests, assistance or activities under this DPA (unless such payment or reimbursement by Customer is expressly prohibited by Data Protection Laws). For clarity and without limiting the foregoing, Customer agrees to pay Virtual Post (at Virtual Post’s standard hourly rates) for any internal time required by Virtual Post personnel in responding to any requests or in connection with any assistance or activities (e.g. audit) in related to this DPA.

8. International Transfers

1. General. Virtual Post is located in the USA. Therefore, any Personal Information we collect will be collected and stored in the USA. For Users that are in the EU, EEA, Switzerland or UK, this means that their Personal Information will be stored in a jurisdiction that offers a level of protection that may, in certain instances, be less protective of their Personal Information than the jurisdiction the User is typically resident in. Virtual Post adheres to, and the transfer will be subject to, the Standard Contractual Clauses which are deemed incorporated into and form a part of this DPA, as follows (including subject to the preferences, clarifications and mutual agreements set forth below):

   • Module Two of the SCCs will apply.
   • The audits described in Clause 8.9(c) and (d) of the SCCs shall be carried
     out in accordance with Section 7 of this DPA.
   • In Clause 9 of the SCCs, Option 2 will apply, and Customer acknowledges and expressly agrees that Virtual Post will appoint and engage new Subprocessors in accordance with Section 9 of this DPA (including the notice time periods specified in Section 9 of this DPA).
   • In Clause 11 of the SCCs, the optional language will not apply.
   • The liability described in Clause 12 of the SCCs shall in no event exceed the limitations set forth in the Customer’s Customer Agreement, and under no circumstances and under no legal theory (whether in contract, tort, negligence or otherwise) will either party to this DPA, or their affiliates, officers, directors, employees, agents, service providers, suppliers, or licensors be liable to the other party or any third party for any lost profits, lost sales of business, lost data (being data lost in the course of transmission via Customer’s systems or over the Internet through no fault of Virtual Post), business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, regardless of whether such party has been advised of the possibility of or could have foreseen such damages. For the avoidance of doubt, this clarification shall not be construed as limiting the liability of either party with respect to claims brought by data subjects.
   • The Data Protection Commission of Spain shall be the competent Supervisory Authority pursuant to Clause 13 of the SCCs.
   • The certification of deletion of Personal Information that is described in Clause 16(d) of the SCCs shall be provided by Virtual Post to Customer only upon Customer’s request.
   • In Clause 17 of the SCCs, Option 1 will apply, and the SCCs will be governed by Spanish law.
   • In Clause 18(b) of the SCCs, disputes will be resolved before the courts of Spain;
   • Annex I of the SCCs is deemed completed with the information set out in Annex I to this DPA, as applicable to the particular Services covered by Customer’s Customer Agreement.
   • Subject to Section 11 of this DPA, Annex II of the SCCs is deemed completed with the information set out in Annex II to this DPA.
   • Annex III of the SCCs is deemed completed with the information set out in Annex III to this DPA.

2. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, in the event of any conflict or inconsistency between the provisions of the Customer Agreement (including this DPA) and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail to the extent of such conflict (subject to the clarifications set forth above).

3. UK Addendum. In the case of cross-border transfers of Customer’s Personal Information subject to UK GDPR, the Parties acknowledge and agree that the UK Addendum shall govern and apply and the SCCs shall be deemed amended as specified in the UK Addendum in respect of the transfer of such Personal Information. In such an event, the tables attached to the UK Addendum shall be deemed automatically populated and completed with the applicable information set forth in Annexes I, II and III attached to this DPA. Additionally, the parties’ preferences, clarifications and agreements set forth in Section 8 of this DPA shall also apply to and be used for purposes of interpreting the UK Addendum. Without limiting the foregoing, the parties acknowledge and agree that: (i) In Table 2 of the UK Addendum, the Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed to be completed according to the parties’ preferences outlined in this DPA; (ii) In Table 4 of the UK Addendum, the Parties agree that either Party may terminate the Addendum as set out in Section 19 of the UK Addendum; (iii) Any conflict between the terms of the SCCs attached hereto and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum; and (iv) the clarifications and preferences set forth in Section 8 of this DPA shall be interpreted as also applying to the UK Addendum.

4. Swiss DPA. In the case of cross-border transfers of Customer’s Personal Information protected by Swiss law, the SCCs shall apply subject to the following amendments: (i) references to “Regulation (EU) 2016/679” will be deemed to refer to the Swiss DPA; (ii) references to specific articles of “Regulation (EU) 2016/679” will be deemed replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU,” “Union,” and “Member State” will be deemed replaced with “Switzerland”; (iv) references to the “competent supervisory authority” are replaced with the “Swiss Federal Data Protection Information Commissioner”; and (v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.

9. Subprocessors

Virtual Post may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the Services (“Subprocessors”). See Annex III for more information regarding the specific Subprocessors we use. For the avoidance of doubt, Customer hereby approves all applicable Subprocessors identified on Annex III to the extent applicable to the Services received by Customer. We may update Annex III from time to time and we recommend for each Customer to periodically review Annex III, including any links to Subprocessor Lists included on Annex III. By continuing to use our Services after any changes or modifications are made to Annex III (or any Subprocessor Lists linked to on Annex III), Customer is deemed to have automatically accepted the updated Annex. If Customer (acting reasonably) does not approve of any new Subprocessor being added for any reasonable or legitimate reason, they should (i) contact us at [email protected] so we can discuss the basis for the Customer’s disapproval and possible alternative Subprocessors, or (ii) object within forty-five (45) days by terminating the Customer Agreement for convenience.

Our Subprocessors may have access to Personal Information. Please know that Virtual Post carefully selects its Subprocessors based on their security practices and availability levels and we perform due diligence on the technical and organizational security measures of all Subprocessors. We have entered into agreements with each Subprocessor which impose in all material respects the same obligations on the Subprocessor with regard to their processing of Personal Information as are imposed on Virtual Post under this DPA and any Customer Agreements and which, as applicable, otherwise comply with the requirements of the Data Protection Laws. Virtual Post is responsible for the acts and omissions of Subprocessors in relation to Virtual Post’s obligations under this DPA and applicable Customer Agreements.

With respect to all Subprocessors having access to Personal Information of Users that are in the EU, EEA, Switzerland or UK: Customer acknowledges that in order for Virtual Post to provide the Services it may be necessary for certain Subprocessors to access or otherwise process the Personal Information outside the EEA, Switzerland or United Kingdom. In those circumstances, Virtual Post will only use Subprocessors that have and maintain certification to the EU-U.S. Privacy Shield (or a successor thereto or comparable privacy shield under other Data Protection Laws) or that comply with the Standard Contractual Clauses (as updated from time to time), UK Addendum or other applicable requirements of the Data Protection Laws.

10. Data Retention and Deletion

If Customer wishes to delete any Personal Information processed by the Services, the Customer should send a deletion request to [email protected]. Virtual Post will strive to respond to all such requests as soon as reasonably practical. If Customer ceases to subscribe to and use the Services, or Customer permanently discontinues or terminates a Customer’s access to the Services, Virtual Post will handle all of that Customer’s Personal Information as follows:

1. Subject to subsections (ii) and (iii) below, Virtual Post shall, to the greatest extent reasonably possible, within a reasonable period of time from the date of termination of the Customer Agreement: (1) upon the written request of Customer, return a complete copy of all Personal Information by secure file transfer in such reasonable format as notified by Customer to Virtual Post; and (2) delete and use reasonable efforts to procure the deletion of all other copies of Personal Information processed by Virtual Post or any Subprocessors. To determine the appropriate retention period and reasonable period for deletion for Personal Information, Virtual Post will consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of Personal Information, the purposes for which Virtual Post processes Personal Information and whether Virtual Post can achieve those purposes through other means, and the applicable legal requirements.

2. Subject to subsection (iii) below, Customer may in its absolute discretion notify Virtual Post in writing within thirty (30) days of the date of termination of the Customer Agreement to require Virtual Post to delete and procure the deletion of all copies of the Personal Information processed by Virtual Post. In such case, Virtual Post shall, to the greatest extent reasonably possible, within ninety (90) days of the date of termination of the Customer Agreement: (1) comply with any such written request; and (2) use reasonable efforts to procure that its Subprocessors delete all Personal Information processed by such Subprocessors.

3. Notwithstanding the foregoing, Customer acknowledges that it may be impossible to completely delete certain residual Personal Information. Additionally, Virtual Post and its Subprocessors may retain Personal Information to the extent required by and only to the extent and for such period as required by Legal Requirements and always provided that Virtual Post shall ensure the confidentiality of all such Personal Information retained by Virtual Post and shall ensure that such Personal Information is only processed by Virtual Post as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose. For instance, the State of California requires Virtual Post to accept service of process for all California mailboxes for two years after termination, and Customer accounts that are subject to HIPAA and/or covered by a Business Associate Agreement signed by Virtual Post may require longer data retention timelines. We will always comply with applicable Legal Requirements relating to data retention notwithstanding any conflicting timelines specified in this DPA. To the extent permitted by applicable Data Protection Laws, Virtual Post may deidentify/anonymize or aggregate the Personal Information and may continue to collect, use, retain, access, share, transfer, sell or disclose such deidentified/anonymized or aggregated information following the termination of the Customer Agreement consistent with the terms and conditions of applicable Data Protection Laws.

11. Data Security Measures

Virtual Post shall utilize industry standard practices on information security management to safeguard sensitive information (such as Personal Information), including the measures set out in Annex II attached hereto. Our information security systems apply to people, processes and information technology systems on a risk management basis. Without limiting the foregoing, Virtual Post shall treat Personal Information as the confidential information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of such data and information. Upon request by the Customer, but no more frequently than once per calendar year (or more frequently if circumstances reasonably require) and only upon ten business days prior written notice, Virtual Post shall make available information reasonably necessary to demonstrate compliance with this DPA. Customer has assessed the security measures offered by Virtual Post to meet the standards required by applicable Data Protection Laws as at the effective date hereof.

If Virtual Post becomes aware of a security incident involving a Customer’s Personal Information, Virtual Post will (a) notify Customer of the security incident within 72 hours, (b) investigate the security incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the security incident, and (c) take steps to remedy any non-compliance with this DPA. Notwithstanding the foregoing, because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Virtual Post cannot guarantee that unauthorized parties will not gain access to Personal Information processed by the Services. To the extent permitted by applicable law, Virtual Post expressly excludes any liability arising from any unauthorized access to Personal Information. For the avoidance of doubt, Customer hereby acknowledges and agrees that the measures set forth in Annex II are reasonable technical and physical security practices and procedures for purposes of applicable Data Protection Laws and are compliant with applicable Data Protection Laws.

12. Affiliates

Depending on the terms of your Customer Agreement, we may in certain circumstances collect, receive or otherwise process Personal Information in connection with use of the Services by Customer’s affiliates. In such cases, Customer will act as a single point of contact for its affiliates with respect to compliance with applicable Data Protection Laws, such that if Virtual Post gives notice to Customer, such information or notice will be deemed received by Customer’s affiliates. Customer shall be responsible for such affiliates’ compliance with this DPA and all acts and/or omissions by a Customer affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer. The Parties acknowledge and agree that any claims in connection with this DPA (or applicable Data Protection Laws) will be brought by Customer, whether acting for itself or on behalf of an affiliate.

13. Customer Agreements

Customer agrees that it: (i) will comply with its obligations under all applicable Data Protection Laws and related laws with respect to its provision of, processing, security and handling of Personal Information, and will not do or omit to do anything which causes Virtual Post (or any Subprocessor) to breach any of its obligations under applicable Data Protection Laws; (ii) will determine the purposes and general means of Virtual Mail’s processing of Personal Information in accordance with the Customer Agreement; (iii) will make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Information, such as pseudonymizing or backing-up Customer Personal Information; (iv) has obtained all consents, permissions and rights necessary under applicable Data Protection Laws and related laws for Virtual Post to lawfully process Customer’s Personal Information for the purposes, including, without limitation, Customer's sharing and/or receiving of Customer Personal Information with third-parties via the Services; and (v) unless the Parties have agreed otherwise in writing (via an amendment to Customer’s Customer Agreement, an order or statement of work thereunder, or otherwise), Customer shall only provide, deliver or otherwise make available to Virtual Post Personal Information to the extent required for the Customer to access and receive the Services consistent with their intended use and shall not provide, deliver or otherwise make available to Virtual Post any other Personal Information for any other purpose. Customer shall have sole responsibility for the accuracy, quality, and legality of all Customer Personal Information and the means by which Customer acquired the Personal Information. Customer specifically acknowledges that its use of the Services will not violate the rights of any data subject that has opted-out from sales or other disclosures of Personal Information, to the extent applicable under Data Protection Laws.

14. Limitation of Liability

Subject to the terms of the Standard Contractual Clauses and Section 8 of this DPA, Virtual Post’s aggregate liability to a Customer arising from or related to this DPA is subject to the applicable terms and conditions of the Customer’s applicable Customer Agreement.

15. Indemnity

Customer agrees to indemnify Virtual Post and its officers, directors, employees, agents, affiliates, successors and permitted assigns (each an "Indemnified Party", and collectively the "Indemnified Parties") against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including legal fees and court fees, that are incurred by the Indemnified Parties arising out of any third party claim brought against Virtual Post relating to or arising out (i) any instructions given by the Customer to Virtual Post with respect to processing of Personal Information, (ii) any failure to obtain the consents or provide the notices required under Section 3, or (iii) any other breach or violation by the Customer of any of its obligations under this DPA or any breach or violation of any Data Protection Laws.

16. Sensitive Personal Information

If Customer chooses to provide us with Sensitive Personal Information, or if we receive Sensitive Personal Information on behalf of a Customer, Customer is responsible for complying with any regulatory controls and requirements of applicable Data Protection Laws regarding that Sensitive Personal Information and directing us as necessary to comply with Data Protection Laws as necessary or required by such law. In such event, Customer hereby instructs Virtual Post to access and use such Sensitive Personal Information as necessary to perform the Services, and Customer hereby consents to and approves of Virtual Post’s processing of such Sensitive Personal Information in accordance with this DPA. Customer hereby acknowledges and agrees that the protections, restrictions and security and organizational measures set forth in this DPA are reasonable and appropriate for purposes of processing the Sensitive Personal Information.

17. Enforceability of this Addendum

Any provision of this DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision into the Customer Agreement.

18. Integrations

The Services may enable Customer to access, or include integrations with, third party services, stores, platforms, products or technologies (“Third Party Products”), including but not limited to Third Party Products which may be integrated directly into Customer’s online Service account. If Customer elects to enable, access or use such Third Party Products, its access and use of such Third Party Products is governed solely by the terms and conditions and privacy policies of such Third Party Products, and Virtual Post does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Products, including, without limitation, their content or the manner in which they handle personal information or personal data or any interaction between Customer and the provider of such Third Party Products. Without limiting the foregoing, please know that all Personal Information shared with or submitted to the Third Party Products by or on behalf of Customer will be entirely outside of Virtual Post’s control and will not be subject to this DPA or any of Virtual Post’s privacy policies. Virtual Post is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s enablement, access or use of any such Third Party Products, or Customer’s reliance on the privacy practices, data security processes or other policies of such Third Party Products. The providers of Third Party Products shall not be deemed or treated as Subprocessors for any purpose under this DPA unless otherwise expressly identified as Subprocessors on Annex III (or any Subprocessor lists linked to on Annex III).

19. Amendment

Customer acknowledges and agrees that Virtual Post may amend this DPA from time to time by posting the relevant amended and restated DPA on Virtual Post's Terms and Privacy section of the website and such amendments to the DPA are effective as of the date of posting. The Customer’s continued use of the Services after the amended DPA is posted to Virtual Post’s website constitutes the Customer’s agreement to, and acceptance of, the amended DPA. If the Customer does not agree to any changes to the DPA, the Customer should cease use of the Services immediately.

Annex I

Description of Processing Activities / Transfer

A. List of Parties

B. Description of the Processing and Transfer

The parties acknowledge that Virtual Post’s processing of Personal Information will include all personal information and personal data submitted or uploaded to the Services by Customer from time to time, for the purposes of, or otherwise in connection with, Virtual Post providing the Services to Customer.

Set out below are descriptions of the processing and transfers of personal data and personal information in connection with each of the Services provided by Virtual Post as contemplated as of the date of this DPA. Such descriptions are subject to change or may be supplemented pursuant to Section 2(a) of the DPA. Additionally, if Customer receives multiple services bundled together in a single Service account (for instance, Virtual Mailbox, TruLease and Registered Agent services), see the descriptions applicable to each individual service below for purposes of understanding Virtual Post’s cumulative processing and transfer activities.

Annex II

Technical and Organizational Measures to Ensure the Security of the Data

The following describes Virtual Post’s security standards with respect to the administrative, technical, and physical controls applicable to the Service.

1. Incident Response and Disaster Recovery

1.1 Security Monitoring. Virtual Post will monitor its information systems to identify unauthorized access, unexpected behavior, certain attack signatures, and other indicators of a security incident.
1.2 Incident Response. Virtual Post will maintain a security incident response plan that is reviewed and tested at least annually to establish a reasonable and consistent response to security incidents and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to, customer data transmitted, stored, or otherwise processed by Virtual Post.
1.3 Incident Notification. Virtual Post will promptly investigate a security incident upon becoming aware of such an incident. To the extent permitted by applicable law, Virtual Post will notify customers of a security incident in accordance with its obligations under the Data Processing Addendum.
1.4 Disaster Recovery. Virtual Post uses cloud infrastructure, which in turn uses distributed physical data centers that can be leveraged in the event of a natural disaster or other significant event to mitigate against loss of service. Distributed locations allow for server failover in the event of location specific disasters. Test of failover procedures and walkthroughs of Virtual Post’s established system specific disaster recovery plans will take place annually.

2 Access Control

2.1 Restricted Access. Access to Customer data is restricted to authorized Virtual Post personnel who are required to access Customer data to perform functions as part of the delivery of services. Access is granted based on the principle of least privilege and access granted is commensurate with job function. Access to Customer data must be through unique usernames and passwords and multi-factor authentication must be enabled. Access is disabled within one business day after an employee’s termination.
2.2 Password Management. Virtual Post requires all personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords to avoid password reuse, phishing and other password related risks.

3. Security Controls

3.1 SDLC. Virtual Post will maintain a formal Change Management Policy that ensures security is embedded throughout the software development lifecycle that takes into account the OWASP Top 10 Web Application Security Risks.
3.2 Code Review and Testing. All changes to code that impact Customer data will be reviewed and tested prior to being deployed to production.
3.3 Vulnerability Management. Virtual Post will maintain a vulnerability management program that ensures identified vulnerabilities are prioritized, addressed, and mitigated based on risk. Virtual Post will use commercially reasonable efforts to address critical vulnerabilities within 30 days.
3.4 Third-party Software Dependencies. Virtual Post must ensure that third-party libraries and components are appropriately managed and that updates are installed in a timely manner when it is determined that there is a potential to affect the security posture of our product.
3.5 Encryption. Virtual Post will encrypt Customer Data in transit and at rest using industry-standard encryption algorithms that are appropriate for the mechanism of transfer (e.g. TLS 1.2, AES-256).
3.6 Backups. Virtual Post will perform regular backups of Customer data and ensure that backups have the same protections in place as production databases.
3.7 Device Security. Virtual Post devices that access Customer data must be centrally managed and the following security settings must be enabled: hard drive encryption, local password enabled, and anti-virus and/or anti-malware software must be installed, continuously enabled, and automatically updated.
3.8 Physical Security. Virtual Post will ensure that all physical locations that process, store, or transmit Customer data are located in a secure physical facility. Physical mail is stored in secure facilities that are monitored with security alarm systems and access control systems.
3.9 Vendor Management. Virtual Post conducts an information security review of all vendors that will access personal data, and imposes heightened data security requirements for vendors which have access to Virtual Post’s critical systems. This review includes both initial onboarding and annual recertification.
3.10 Risk Assessment. Virtual Post will maintain a risk management program to identify, monitor, and manage risks that may impact the confidentiality, integrity, and availability of Customer data.
3.11 Personnel Security. Virtual Post will perform background verification checks on employees that have access to Customer Data in accordance with relevant laws, regulations, ethical requirements, and/or accepted local practices for non-US jurisdictions for each individual at least upon initial hire (unless prohibited by law). The level of verification shall be appropriate according to the role of the employee, the sensitivity of the information to be accessed in the course of that person’s role, the risks that may arise from misuse of the information, and the accepted local practices in non-US jurisdictions. The following checks shall be performed for each individual at least upon initial hire, unless prohibited by law or inconsistent with accepted local practices for non-US jurisdictions: (i) identity verification and (ii) criminal history.

Annex III

Subprocessors

The Controller has authorized the subprocessors available on the Subprocessors web page.