US Data Processing Addendum
Last Updated: August 15, 2025
This Data Processing Addendum (“DPA”) is supplemental to, and forms part of your Agreement with Pogo Technologies, Inc. (“Pogo”).
This DPA is effective as of the Effective Date of your Agreement with Pogo.
1. DEFINITIONS
1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:
“Consumer Health Privacy Laws” means Washington’s My Health My Data Act and Nevada’s SB 370 Act.
“Controller” means the party that determines the purposes and means of processing the Covered Data including as applicable to any “business” as that term is defined by the Data Protection Laws.
“Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements in the United States relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including, without limitation, the Consumer Health Privacy Laws.
“Covered Data” means Personal Data that is: (a) provided by or on behalf of Pogo to Processor in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Processor, or its agents or subcontractors, for purposes of providing the Services.
“Data Subject” means a natural person whose Personal Data is Processed.
“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person, including, without limitation, “consumer health data” as defined under Consumer Health Privacy Laws; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Data Protection Laws.
“Pogo Affiliate” means an affiliate of Pogo who is a beneficiary to the Agreement.
“Processor” means the party that engages in the Processing of Covered Data at the direction of the Controller, including as applicable to any “service provider” or “contractor” as defined by the Data Protection Laws.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Security Incident” means an actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to) Covered Data.
“Services” means the services to be provided by Processor pursuant to the Agreement.
“Sub-processor” means an entity appointed by Processor to Process Covered Data on its behalf.
2. INTERACTION WITH THE AGREEMENT
2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.
2.2 Any Processing operation as described in clause 3 (Details of Data Processing) and Schedule 1 to this DPA will be subject to this DPA.
2.3 Pogo Affiliates will be beneficiaries under this DPA and, through Pogo (see clauses 2.4 and 2.5), be entitled to enforce all rights in relation to Covered Data provided by the respective Affiliate. Pogo will ensure that all obligations under this DPA will be passed on to the respective Pogo Affiliate.
2.4 Pogo warrants that it is duly mandated by any Pogo Affiliates on whose behalf Processor Processes Covered Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of Pogo Affiliates, and to act on behalf of Pogo Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Pogo Affiliates.
2.5 Pogo will be the only point of contact for all communication between Pogo Affiliates and Processor.
3. DETAILS OF DATA PROCESSING
3.1 The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
3.2 Covered Data will only be Processed on behalf of and under the instructions of Pogo and in accordance with Data Protection Laws. The Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Pogo may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Processor is prohibited from:
(a) selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
(b) sharing Covered Data with any third party for cross-context behavioral advertising;
(c) retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Data Protection Laws;
(d) retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and
(e) except as otherwise permitted by Data Protection Laws, combining Covered Data with Personal Data that Processor receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
3.3 Processor will limit access to Covered Data to personnel who have a business need to have access to such Covered Data and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement.
3.4 Processor may Process Covered Data anywhere that Processor or its Sub-processors maintain facilities, subject to clause 4 of this DPA.
3.5 Processor will provide Pogo with information to enable Pogo to conduct and document any data protection assessments required under Data Protection Laws. In addition, Processor will notify Pogo promptly if Processor determines that it can no longer meet its obligations under Data Protection Laws.
3.6 Pogo will have the right to take reasonable and appropriate steps to ensure that Processor uses Covered Data in a manner consistent with Pogo’s obligations under Data Protection Laws.
4. SUB-PROCESSORS
4.1 Pogo grants Processor the general authorization to engage Sub-processors, subject to clause 4.2, including any current Sub-processors engaged by Processor as of the Effective Date.
4.2 Processor will (i) enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Processor’s obligations under this DPA; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
4.3 Processor will provide Pogo with at least thirty (30) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Pogo may object to Processor’s use of a new Sub-processor by providing Processor with written notice of the objection within thirty (30) days after Processor has provided notice to Pogo of such proposed change (an “Objection”). If Pogo does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. In the event Pogo objects to Processor’s use of a new Sub-processor, Pogo and Processor will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Pogo may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the other Party.
5. DATA SUBJECT RIGHTS REQUESTS
5.1 As between the Parties, Pogo will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Data Protection Laws (each, a “Data Subject Request”).
5.2 Processor will promptly forward to Pogo without undue delay any Data Subject Request received by Processor or any Sub-processor and may advise the individual to submit their request directly to Pogo.
5.3 Processor will provide Pogo with reasonable assistance as necessary for Pogo to fulfil its obligation under Data Protection Laws to respond to Data Subject Requests, including if applicable, Pogo’s obligation to respond to requests for exercising the rights set out in Data Protection Laws.
6. SECURITY AND AUDITS
6.1 Each party will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
6.2 Each party will implement and maintain as a minimum standard the measures set out in Schedule 2.
6.3 Each party will have the right to audit the other party's compliance with this DPA. The Parties agree that all such audits will be conducted:
(i) upon reasonable written notice to Processor;
(ii) only once per year, or more frequently if any audit indicates that Processor is in non-compliance with this DPA; and
(iii) only during Processor’s normal business hours.
6.4 To conduct such audits, the requesting party may engage a third-party auditor, provided that such auditor is suitably qualified and independent.
6.5 The requesting party will promptly notify the party being audited of any non-compliance discovered during an audit.
6.6 Upon request, a party will provide to the other party documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. The party replying to the request may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of the requesting party’s audit request and the party replying to the request confirms there are no known material changes in the controls audited, the requesting party agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
7. SECURITY INCIDENTS
Each party will notify the other party in writing without undue delay, and in any event within twenty-four (24) hours, after becoming aware of any Security Incident, and reasonably cooperate in any obligation of such party under Data Protection Laws to make any notifications, such as to individuals or supervisory authorities. Both parties will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send the other party timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. A party's notification of or response to a Security Incident under this clause 7 will not be construed as an acknowledgement by such party of any fault or liability with respect to the Security Incident.
The notifying party will provide reasonable assistance with the other party's investigation of the possible Security Incident and any notification obligation of the other party under Data Protection Laws, such as in relation to individuals or supervisory authorities.
8. DELETION AND RETURN
Processor will, within fifteen (15) days of a request to do so by Pogo, (a) return a copy of all Covered Data or provide a self-service functionality allowing Pogo to do the same; and (b) delete all other copies of Covered Data Processed by Processor or any Sub-processors.
9. CONTRACT PERIOD
This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Processor’s deletion of all Covered Data as described in this DPA.
10. DEIDENTIFIED DATA
If Processor receives Deidentified Data from or on behalf of Pogo, then Processor will:
(a) take reasonable measures to ensure the information cannot be associated with a Data Subject;
(b) publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
(c) contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Data Protection Laws.
11. GENERAL
11.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
11.2 Processor will indemnify, defend and hold harmless Pogo and Pogo Affiliates against all costs, claims, damages, or expenses incurred by Pogo or Pogo Affiliates, or for which Pogo or Pogo Affiliates may become liable due to any failure by Processor or its personnel, subcontractors, or other agents to comply with any of its obligations under this DPA or the Data Protection Laws.
11.3 The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Data Protection Laws.
11.4 If any court or competent authority decides that any term of this DPA is held to be invalid, unlawful, or unenforceable to any extent, such term will, to that extent only, be severed from the remaining terms, which will continue to be valid to the fullest extent permitted by law.
11.5 Pogo’s failure to enforce any provision of this DPA will not constitute a waiver of that or any other provision and will not relieve Processor from the obligation to comply with such provision.
11.6 This DPA and the Agreement set forth the entire understanding and agreement between the Parties with respect to the subject matter hereof.
SCHEDULE 1
DETAILS OF PROCESSING
1. Categories of Data Subjects
The categories of Data Subjects whose Personal Data are Processed: Pogo users
2. Categories of Personal Data
The Processed categories of Personal Data are: survey response data and analysis, survey questions and analysis, standard attributes, text and voice transcriptions (if audio and video are applicable), audio and text files (if audio and video are applicable).
3. Categories of Sensitive Information (if applicable)
The Processed Personal Data includes the following categories of Sensitive Information: racial or ethnic origin, biometric data (only to the extent a Data Protection Law considers audio or visual recordings to be biometric data), and health data.
4. Frequency of the Processing
The Processing is performed continuously for the term of the Agreement and the DPA.
5. Subject matter and nature of the Processing
The subject matter of the Processing is market research and insights.
6. Purpose(s) of the Processing
The purpose of the Processing is: delivering services in accordance with the Agreement.
7. Duration
The period during which the Personal Data will be Processed, or, if that is not possible, the criteria used to determine that period: only for the term of the Agreement and the DPA.
SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Processor has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
1) Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Processor’s information security program.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Processor’s organization, monitoring and maintaining compliance with Processor’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Utilization of commercially available and industry standard encryption technologies for Covered Data that is:
a) being transmitted by Processor over public networks (i.e., the Internet) or when transmitted wirelessly; or
b) at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).
4) Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
5) Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Processor’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Processor’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
6) System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
7) Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Processor facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
8) Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Processor’s possession.
9) Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Processor’s technology and information assets.
10) Incident / problem management procedures designed to allow Processor to investigate, respond to, mitigate, and notify of events related to Processor’s technology and information assets.
11) Network security controls that provide for the use of firewall systems, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12) Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
13) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.