
Data Processing Addendum

Effective Date: April 1, 2025. Last Updated: April 24, 2025.

This Data Processing Addendum (“DPA”) forms part of the Tracker Boot Agreement (the “Agreement”) between Bekind Labs Inc. (“Bekind Labs,” “we,” or “us”) and the customer entity (“Customer”) using Tracker Boot, available at https://trackerboot.com (collectively referred to as the “Service”) including any related support or advisory services. For the purposes of this DPA, “Customer” refers to the organization or individual that subscribes to the Tracker Boot Service, and “Authorized Users” refers to the individuals invited by the Customer to access and use the Service. This DPA applies to the extent that Bekind Labs processes Customer Data on behalf of the Customer in connection with its use of Tracker Boot. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA shall have the meanings assigned to them in Section 9 of this document.

1. Scope and Term

1.1 Roles of the Parties

(a) Customer Personal Data. Bekind Labs processes Customer Personal Data solely on behalf of the Customer, acting as the Customer’s processor, and only in accordance with the Customer’s instructions as described in Section 2.1 (Customer Instructions). Customer Personal Data includes data relating to both the Customer and the Authorized Users invited by the Customer to access and use the Service.

For clarity, “Customer Personal Data” as used in this DPA may form part of “Your Content,” as defined in the Tracker Boot Agreement, to the extent that such content includes personal information provided or uploaded by the Customer or its Users.

(b) Tracker Boot Account Data. Bekind Labs acts as an independent controller when processing Tracker Boot Account Data. This includes processing data to:

  1. deliver and continuously improve Tracker Boot;
  2. manage Customer relationships, including account communications, technical support, and user preferences;
  3. ensure product security, fraud prevention, performance, and operational continuity;
  4. fulfill internal business functions such as accounting, billing, and tax compliance.

(c) Tracker Boot Usage Data. Bekind Labs also acts as an independent controller when processing Tracker Boot Usage Data. This includes:

  1. operating, maintaining, and securing Tracker Boot;
  2. analyzing usage trends to improve functionality and user experience;
  3. supporting product development, business strategy, and service optimization.

(d) Description of the Processing. A detailed overview of how Bekind Labs processes Personal Data is outlined in Schedule 1 (Description of Processing).

1.2 Term of this DPA

This DPA remains in effect for the duration of the Agreement. It will automatically terminate upon the expiration or earlier termination of the Agreement, or when Bekind Labs no longer processes any Customer Personal Data, whichever comes later.

1.3 Order of Precedence

If there is any inconsistency between the following documents, they shall be interpreted in this order of precedence:

  1. Schedule 2 (Region-Specific Terms, including data transfer provisions);
  2. this DPA; and
  3. the Agreement.

2. Processing of Personal Data

2.1 Customer Instructions

Bekind Labs will process Customer Personal Data solely based on the documented, lawful instructions provided by the Customer, as described in the Agreement (including this DPA) and any applicable Order Forms. This includes processing as necessary to:

  1. deliver the Tracker Boot product and any related support or advisory services;
  2. enable use of product features and functionalities in accordance with our Documentation; and
  3. comply with Bekind Labs’ legal obligations.

If Bekind Labs becomes aware, or has a reasonable basis to believe, that a Customer instruction violates Applicable Data Protection Law, it will promptly notify the Customer.

2.2 Confidentiality

Bekind Labs will treat Customer Personal Data as the Customer’s Confidential Information under the Agreement. All personnel authorized to process such data will be subject to written or statutory obligations of confidentiality.

3. Security

3.1 Security Measures

Bekind Labs has implemented, and will continue to maintain, appropriate technical and organizational measures to protect the security, confidentiality, integrity, and availability of Customer Personal Data, and to guard against Security Incidents.

Customers are responsible for configuring their Tracker Boot environment and using the available features to help ensure appropriate protection based on the nature of the data they process.

Bekind Labs’ current security practices are outlined here.

Customers acknowledge that these measures may evolve over time due to technical advancements. Bekind Labs may update or enhance the Security Measures from time to time, provided that such changes do not materially reduce the overall level of protection during an active Subscription Term.

3.2 Security Incidents

In the event of a Security Incident, Bekind Labs will notify the Customer without undue delay, and where feasible, no later than seventy-two (72) hours after becoming aware of the incident. Notification will be sent via email to relevant contacts designated by the Customer.

Bekind Labs will make reasonable efforts to investigate the incident, mitigate its effects, and remediate the root cause to the extent within its control.

Upon request, and considering the nature of the Processing and the information available, Bekind Labs will assist the Customer in meeting any data breach notification obligations required under applicable data protection laws. For any inquiries related to Security Incidents, please contact: trackerboot@bekindlabs.com.

Notification of a Security Incident by Bekind Labs does not constitute an admission of fault or liability.

4. Sub-processing

4.1 General Authorization

By entering into this DPA, Customer grants Bekind Labs a general authorization to engage Sub-processors for the processing of Customer Personal Data.

Bekind Labs will:

  1. enter into a written agreement with each Sub-processor that imposes data protection obligations equivalent to those required under this DPA and applicable data protection laws; and
  2. remain responsible for the actions of any Sub-processor it engages, to the extent such Sub-processor fails to meet its data protection obligations related to the relevant Processing.

4.2 Notice of New Sub-processors

Bekind Labs maintains a current list of its Sub-processors here, which includes a mechanism for Customers to subscribe to receive updates.

Bekind Labs will notify subscribed Customers at least thirty (30) days in advance of authorizing any new Sub-processor to process Customer Personal Data (the “Sub-processor Notice Period”).

4.3 Objection to New Sub-processors

If the Customer objects to the use of a new Sub-processor during the Sub-processor Notice Period, the Customer may, as its sole and exclusive remedy, terminate the affected Order related to the Tracker Boot service by providing written notice in accordance with Section 12.2 (Termination for Convenience) of the Agreement.

5. Assistance and Cooperation Obligations

5.1 Data Subject Rights

Taking into account the nature of the Processing, Bekind Labs will provide reasonable and timely assistance to the Customer to support responses to data subjects exercising their rights under Applicable Data Protection Laws. These rights may include:

  • Access to specific Customer Personal Data processed by Bekind Labs;
  • Rectification or deletion of inaccurate or outdated Customer Personal Data;
  • Restriction or suspension of processing for certain data sets;
  • Objection to specific types of processing;
  • Portability of Customer Personal Data in a structured, commonly used, and machine-readable format.

If a data subject exercises the right to object to specific types of processing that are essential to the delivery of the Service, Bekind Labs may notify the Customer that continued provision of the Service may no longer be feasible. Assistance under this clause is limited to Customer Personal Data processed by Bekind Labs on behalf of the Customer and will be provided to the extent the Customer is responsible for responding to the request.

5.2 Cooperation Obligations

Upon the Customer’s reasonable request, and where the Customer is unable to fulfill its obligations using available documentation alone, Bekind Labs will provide reasonable assistance with:

  • conducting data protection impact assessments (DPIAs), and
  • engaging in consultations with relevant supervisory authorities,

in accordance with Applicable Data Protection Law.

5.3 Third-Party and Government Requests

Unless prohibited by law, Bekind Labs will notify the Customer without undue delay upon receiving any valid and binding legal request (such as a subpoena, court order, or warrant) from law enforcement or government authorities requiring the disclosure of Customer Personal Data.

Bekind Labs may disclose Customer Personal Data if legally required to do so, or in response to such lawful requests. Where permitted, Bekind Labs will notify the Customer in advance of any such disclosure. In responding to government access requests, Bekind Labs will follow internal guidelines consistent with applicable law and industry best practices.

If Bekind Labs receives any inquiry or request from a third party, such as a regulatory authority or data subject, regarding the Processing of Customer Personal Data, it will promptly redirect such requests to the Customer, unless legally obligated to respond directly.

6. Deletion and Return of Customer Personal Data

6.1 During the Subscription Term

During the Subscription Term, the Customer and its authorized Users may access, retrieve, or delete Customer Personal Data at any time using the available features within the Tracker Boot product.

6.2 After Termination

Upon expiration or termination of the Agreement, Bekind Labs will delete all Customer Personal Data in accordance with the Tracker Boot Documentation.

Unless otherwise agreed in writing, Bekind Labs will retain Customer Personal Data for a period of thirty (30) days following termination to support data portability. During this period, Customer Personal Data will no longer be accessible through the Service.

After this 30-day period, Bekind Labs may permanently delete Customer Personal Data unless:

  1. retention is required to comply with applicable laws, or
  2. retention is permitted under Bekind Labs’ standard backup or record retention policies.

Any retained Customer Personal Data will remain subject to the confidentiality and data protection obligations outlined in this DPA and will not be processed further except as required by law.

7. Audit

7.1 Audit Requests

Bekind Labs does not currently undergo formal third-party security audits. However, upon Customer’s written request, and provided the Customer has signed an appropriate non-disclosure agreement, Bekind Labs will provide relevant information about its security and data protection practices to demonstrate compliance with this DPA and applicable data protection laws.

If the Customer reasonably determines that further assurance is needed, Bekind Labs will make a good-faith effort to respond to reasonable questions in writing, subject to confidentiality obligations. This right may be exercised no more than once in any twelve (12) month period.

7.2 On-site Audits

On-site audits or inspections of Bekind Labs’ facilities may only be requested:

  1. where explicitly required by applicable data protection law or a competent regulatory authority, and
  2. where such compliance cannot reasonably be demonstrated by other means.

Any such audit must:

  • be subject to mutual agreement,
  • occur during Bekind Labs’ regular business hours,
  • be requested with at least sixty (60) days’ prior written notice,
  • be limited to information relevant to the Customer’s use of Tracker Boot, and
  • be subject to reasonable confidentiality controls.

8. International Provisions

To the extent that Bekind Labs processes Personal Data subject to data protection laws in any of the jurisdictions listed in Schedule 2 (Region-Specific Terms), the region-specific terms will apply in addition to this DPA. This includes any terms related to the international transfer of Personal Data, whether directly or via onward transfer.

9. Definitions

“Applicable Data Protection Law” refers to all applicable laws and regulations governing the processing of Personal Data under this Agreement, including but not limited to:

  • (a) Australia: The Australian Privacy Act.
  • (b) Brazil: The Brazilian Lei Geral de Proteção de Dados (LGPD).
  • (c) Canada: The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
  • (d) Europe: (i) The General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR); (ii) The ePrivacy Directive (Directive 2002/58/EC), as amended or replaced.
  • (e) Japan: The Act on the Protection of Personal Information (APPI).
  • (f) Singapore: The Personal Data Protection Act (PDPA).
  • (g) South Korea: The Personal Information Protection Act (PIPA) and its Enforcement Decrees.
  • (h) Switzerland: The Swiss Federal Act on Data Protection (FADP) and its implementing regulations.
  • (i) United Kingdom: The UK Data Protection Act 2018 and the UK GDPR.
  • (j) United States: Applicable state privacy laws including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar U.S. State Privacy Laws.

“Customer Personal Data” means any Personal Data that is submitted by or on behalf of the Customer through the Tracker Boot Service and that Bekind Labs Processes on behalf of the Customer in its role as a Processor under the terms of this DPA. This includes project content (such as user stories and attachments), user profile information (such as names, email addresses, and avatars), and any other Personal Data described in Schedule 1.

“Tracker Boot Account Data” means Personal Data relating to a Customer’s relationship with Bekind Labs, such as account registration details, billing contact information, and support-related data submitted by Users, including emails, names, or payment contact details.

“Tracker Boot Usage Data” means data collected regarding how the Tracker Boot Service is accessed and used by Users, including device information, system logs, user actions, timestamps, file sizes, and other diagnostic or analytics data. Usage Data does not include Customer Personal Data.

“Personal Data” refers to any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law. This includes, but is not limited to, names, contact information, account identifiers, and online activity data.

“Authorized Users” means individuals who are authorized by the Customer to access and use the Tracker Boot Service, such as employees, contractors, or other permitted users acting on behalf of the Customer.

“Processing” (or “Process”) means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, storage, access, use, disclosure, deletion, or destruction.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data, whether alone or jointly with others.

“Processor” refers to the entity that processes Personal Data on behalf of the Controller.

“Security Incident” means any confirmed or reasonably suspected unauthorized access to or disclosure of Customer Personal Data, or any accidental or unlawful destruction, loss, alteration, or compromise of such data, in connection with Processing performed by Bekind Labs or its Sub-processors.

“Sub-processor” means any third party, including affiliates of Bekind Labs, who is authorized under this DPA to Process Customer Personal Data on behalf of Bekind Labs.

“Deidentified Data” means data that cannot reasonably be used to infer information about or otherwise be linked to an identifiable individual.

“Data Privacy Framework” refers to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, each operated by the U.S. Department of Commerce.

“EU SCCs” means the Standard Contractual Clauses issued by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), as amended or replaced, for the transfer of Personal Data to third countries under the GDPR.

“UK Addendum” refers to the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (ICO), version B1.0, in force as of 21 March 2022, as amended or replaced.

“Service Provider” has the meaning given under the California Consumer Privacy Act (CCPA), as amended by the CPRA.

Schedule 1: Description of Processing

1. Categories of Data Subjects

The data subjects whose Personal Data is Processed include:

  • Customers (Organizations or individuals who subscribe to Tracker Boot)
  • Authorized Users (Project Members invited to access and use the Service)

2. Categories of Personal Data Processed

a. Tracker Boot Account Data. Personal data provided by the Customer or its Users during account registration, profile setup, or project invitations. It includes:

User Identification

  • Full name
  • Email address (UserID)
  • Username
  • Avatar URL
  • Organization name

Authentication & Access

  • OAuth2 provider details (e.g., Google)
  • Authentication tokens (e.g., session tokens, OAuth2 access/refresh tokens)
  • API key(s)
  • Login credentials (e.g., passwords)

Usage & Technical Metadata

  • IP address and browser/device information

Administrative Information

  • Billing and payment contact details

b. Tracker Boot Usage Data. Data generated through the use of the Tracker Boot Service, collected for analytics, diagnostics, and service optimization. It includes:

  • Feature interaction logs
  • Event timestamps
  • Number of collaborators and projects
  • Number of projects a user is part of
  • Project size and storage usage
  • System performance and diagnostics metadata
  • API usage metrics

c. Customer Personal Data. Personal data uploaded or submitted by the Customer or its Users as part of project content. Bekind Labs does not control or monitor this content, and the nature of data is determined solely by the Customer. It includes:

  • Full name
  • Email address
  • User ID
  • Organization / Company / Department name
  • Profile picture
  • User stories, tasks, and project tickets
  • Comments, tags, and labels
  • File attachments and images
  • Custom field entries and free-text data
  • Any personal data embedded in project content

3. Sensitive Data Processed

Bekind Labs does not intentionally collect Sensitive Data (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation). However, Customers or their Users may upload such content at their own discretion. Customers are solely responsible for ensuring lawful Processing of any Sensitive Data submitted to Tracker Boot.

4. Frequency of Processing / Transfer

Processing occurs on a continuous and on-demand basis, as initiated by Users interacting with the Service.

5. Nature of the Processing

Bekind Labs Processes Personal Data to deliver, maintain, and improve the Tracker Boot Service and its features. Processing activities include:

  • Collection
  • Recording
  • Structuring
  • Storage
  • Retrieval
  • Consultation
  • Transmission
  • Deletion

6. Purpose(s) of the Processing

  • Customer Personal Data: Processed by Bekind Labs as a Processor, according to Customer’s instructions, for the purpose of operating the Tracker Boot service and enabling project collaboration and management features.
  • Tracker Boot Account Data & Usage Data: Processed by Bekind Labs as a Controller for legitimate business purposes, including service improvement, performance monitoring, usage analytics, customer support, and legal compliance.

7. Duration of Processing

  • Customer Personal Data: Retained during the term of the Agreement and deleted according to Section 6 of this DPA upon termination, unless otherwise required by law or covered under standard backup retention policies.
  • Tracker Boot Account Data & Usage Data: Retained as long as necessary to fulfill the purposes stated in Section 1.1 and comply with applicable laws and internal business needs.

8. Transfers to Sub-processors

Bekind Labs may transfer Customer Personal Data to authorized Sub-processors to facilitate hosting, analytics, monitoring, and support services, in accordance with Section 4 (Sub-processing). A current list of Sub-processors is maintained here and subject to change with notice.

Schedule 2: Region-Specific Terms

1. Europe, United Kingdom, and Switzerland

1.1 Customer Instructions. In addition to Section 2.1 (Customer Instructions) of this DPA, Bekind Labs will only Process Customer Personal Data on documented instructions from the Customer, including with regard to international transfers, unless otherwise required to do so under applicable laws. Where required by law, Bekind Labs will inform the Customer of such legal obligations unless prohibited by that law.

1.2 European Transfers. For transfers of Personal Data protected by EU Data Protection Laws to countries outside the EEA not recognized as providing adequate protection:

The EU Standard Contractual Clauses (SCCs) are incorporated into this DPA by reference.

The SCCs apply as follows:

  • Controller to Controller (Module One): applies to Tracker Boot Account Data and Usage Data.
  • Controller to Processor (Module Two): applies to Customer Personal Data where Bekind Labs acts as Processor.
  • Processor to Processor (Module Three): applies where the Customer is acting as a Processor and engages Bekind Labs as another Processor.

Each party is deemed to have executed the SCCs in full as of the effective date of the Agreement.

The following SCC options apply:

  • Clause 7 (docking clause): not included.
  • Clause 9: Option 2 (prior notice of new Sub-processors), using the notice period stated in Section 4 of this DPA.
  • Clause 11: not included.
  • Clause 17: governed by Irish law.
  • Clause 18(b): disputes resolved in the courts of Ireland.

Annex details:

  • Annex I(A) and I(B): see the Agreement and Schedule 1 of this DPA.
  • Annex I(C): supervisory authority determined under applicable EU Data Protection Law.
  • Annex II: available here (Security Measures).
  • Annex III: see Section 4 (Sub-processing).

Note: This section applies only where EU data protection law governs the transfer of Customer Personal Data.

1.3 Swiss Transfers. For transfers subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply as above, with the following adjustments:

  • References to EU laws are interpreted as references to the FADP.
  • Clause 13: The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the supervisory authority.
  • Clause 17: governed by Swiss law.
  • Clause 18(b): disputes resolved in Swiss courts.
  • “Member State” includes Switzerland.

Note: This section applies only where Swiss data protection law governs the transfer of Customer Personal Data.

1.4 United Kingdom Transfers. For transfers subject to the UK GDPR:

The UK Addendum to the EU SCCs applies, with the following:

  • Table 1: Parties’ details found in the Agreement and Order Forms.
  • Table 2: EU SCCs and modules listed in Section 1.2 above.
  • Table 3: see Schedule 1 and Section 4 of this DPA.
  • Table 4: both parties may terminate the UK Addendum.

Note: This section applies only where UK data protection law governs the transfer of Customer Personal Data.

1.5 Data Privacy Framework (if applicable). If Bekind Labs becomes certified under the Data Privacy Framework, we will provide the same level of protection required by its Principles. If we determine we can no longer meet those obligations, we will notify the Customer and take reasonable steps to remediate any non-compliance.

2. United States of America

Where Bekind Labs Processes Personal Data subject to U.S. State Privacy Laws (e.g., CCPA/CPRA):

2.1 Bekind Labs will:

  • Not retain, use, or disclose Personal Data for any commercial purpose other than to provide the Service or as otherwise permitted by law.
  • Not sell or share Personal Data as defined under U.S. State Privacy Laws.
  • Not combine such data with other data except as permitted by law.

2.2 Bekind Labs will notify the Customer if it can no longer meet its obligations under U.S. privacy laws, allowing the Customer to take appropriate action.

2.3 For any Deidentified Data, Bekind Labs will:

  • Maintain it in de-identified form and not attempt to re-identify it.
  • Contractually bind any recipients (e.g., Sub-processors) to uphold the same standards.

3. South Korea

3.1. Customer confirms that it has obtained all necessary consents and rights under applicable Korean data protection laws for Bekind Labs to Process Account Data and Usage Data in accordance with the Agreement.

3.2. With respect to Deidentified Data, Bekind Labs will:

  • Maintain such data in a de-identified form and not attempt to re-identify it.
  • Ensure that any recipient of such data (including contractors and Sub-processors) is contractually obligated to uphold the same de-identification standards.

4. Japan

4.1. Customer acknowledges that Bekind Labs will Process Customer Personal Data solely for the purpose of delivering the Tracker Boot service and in accordance with Customer’s instructions, as outlined in this DPA and the Agreement.

4.2. If Bekind Labs transfers Personal Data to a third party or to a location outside of Japan, it will take necessary steps under the Act on the Protection of Personal Information (APPI), including confirming that the recipient maintains an adequate level of protection or obtaining the prior consent of the data subject where required.

4.3. Bekind Labs will retain Customer Personal Data only as long as necessary to fulfill the intended processing purposes. Once the data is no longer needed, Bekind Labs will delete or anonymize it without delay in accordance with APPI.

5. India

5.1. Bekind Labs acknowledges that Customer Personal Data may be accessed or processed from India. In doing so, Bekind Labs shall:

  • Comply with applicable Indian data protection laws, including the Digital Personal Data Protection Act, 2023 (DPDP Act), where applicable.
  • Ensure that any personnel or Sub-processors in India handling Customer Personal Data are subject to confidentiality obligations and appropriate security measures.
  • Process such data only for the purpose of delivering the Service as instructed by the Customer under this DPA and the Agreement.

5.2. If Customer Personal Data is to be transferred outside India (e.g., to the United States or other regions), Bekind Labs shall implement appropriate safeguards, such as Standard Contractual Clauses or equivalent mechanisms, to ensure adequate protection.