InVista Terms and Conditions

InVista License Agreement


Effective Date: May 10, 2023

1) RECITALS

InVista has developed talent assessment solutions (“Role Specific Solutions” or "Solutions") and has the right to license the Role Specific Solutions to others; Customer desires to access InVista's Role Specific Solutions via InVista's online digital platform, Connect2Vista. In consideration of the mutual covenants and promises expressed herein and other good and valuable considerations, it is agreed as follows:

2) LICENSE

InVista hereby grants Customer, subject to the terms of this Agreement, a license to access certain Specific Solutions on the Connect2Vista platform.

3) TERM and TERMINATION

The term for Customer's access to the InVista Solutions shall begin on the Effective Date and shall continue so long as InVista receives the applicable fees for use of the Solutions. Fees charged during the Term shall be at InVista's then-current rates, unless otherwise mutually agreed to in writing.

Either party may terminate this Agreement, effective 30 days after the terminating party gives the other party written notice of termination. In addition, Customer will pay InVista any outstanding fees owed to InVista within 60 days of termination. Failure to cease all use of the Solutions and Connect2Vista platform after termination shall constitute copyright infringement.

4) PROPRIETARY RIGHTS

InVista is the owner of all right, title and interest in the Role Specific Solutions and the Connect2Vista platform. Customer shall acquire no right or interest in the Solutions or the Connect2Vista platform, by virtue of this Agreement or by virtue of use of the Solutions and/or platform, except the right to use the Solutions and the platform in accordance with the provisions of this Agreement. All uses of the Solutions and the Connect2Vista platform by Customer shall inure to the benefit of InVista.

5) INDEMNITY

Customer agrees to indemnify InVista and hold InVista harmless against any claim or demand or against any recovery in any suit (including taxes of any kind, reasonable attorney's fees, litigation costs, and other related expenses) that may be:

  • brought by or against InVista, arising or alleged to have arisen out of the use of the Solutions or Connect2Vista platform by Customer;
  • sustained or incurred by InVista, arising or alleged to have arisen in any way from the breach of any of Customer's obligations hereunder; or
  • incurred by InVista in any litigation to enforce this Agreement, including litigation against Customer.

6) ASSIGNMENT

Customer shall not assign this Agreement or any license, power, privilege, right, or immunity, or delegate any duty, responsibility, or obligation hereunder, without the prior written consent of InVista. Any assignment by InVista of its rights shall be made subject to this Agreement.

7) GOVERNING LAW

This Agreement shall be construed according to the laws of the State of Florida of the United States of America. Venue for any legal action relative to this Agreement shall be in the appropriate state court in Hillsborough County, Florida, or in the United States District Court for the Middle District of Florida, Tampa division. Customer agrees that, in any action relating to this Agreement, the Circuit Court in Hillsborough County, Florida or the United States District Court for the Middle District of Florida, Tampa Division, has personal jurisdiction over Customer, and that Customer waives any argument it may otherwise have against the exercise of those courts' personal jurisdiction over Customer.

8) SEVERABILITY

If any provision of this Agreement shall, to any extent, be invalid and unenforceable such provision shall be deemed not to be part of this Agreement, and the parties agree to remain bound by all remaining provisions.

9) EQUITABLE RELIEF

Customer acknowledges that irreparable damage would result from unauthorized use of the Solutions and/or Connect2Vista platform and further agrees that InVista would have no adequate remedy at law to redress such a breach. Therefore, Customer agrees that, in the event of such a breach, specific performance and/or injunctive relief, without the necessity of a bond, shall be awarded by a Court of competent jurisdiction.

10) ENTIRE AGREEMENT OF THE PARTIES

This instrument embodies the whole Agreement of the parties. There are no promises, terms, conditions, or obligations for the Role Specific Solutions licensed hereunder other than those contained herein; and this Agreement shall supersede all previous communications, representations, or agreements, either written or verbal, between the parties hereto, with the exception of any prior agreements that have not previously been terminated by written consent of both parties or by one party if the terms of the agreement allow. This Agreement may be changed only by an agreement in writing signed by both parties.

11) NOTICES AND MODIFICATIONS

Any notice required or permitted to be given under this Agreement shall be sufficient if in writing and if sent by certified or registered mail postage prepaid to the addresses first herein above written or to such addresses as either party may from time to time amend in writing. No letter, telegram, or communication passing between the parties hereto covering any matter during this contract, or periods thereafter, shall be deemed a part of this Agreement unless it is distinctly stated in such letter, telegram, or communication that it is to constitute a part of this Agreement and is to be attached as a right to this Agreement and is signed by both parties hereto.

12) SUCCESSORS AND ASSIGNS

Subject to the limitations on assignments as provided in Section 6, this Agreement shall be binding on the successors and assigns of the parties hereto.

DATA PROCESSING ADDENDUM

1. SCOPE

1.1 The following Data Processing Addendum (“DPA”) applies to all transfers of Personal Information (defined below) by and between Psychological Assessment Resources, Inc., PARiConnect, PAR InVista, and/or the Self-Directed Search (collectively, “PAR,” “we,” “us,” or “our”) and any entities that provide the Personal Information of their patients, clients, students, or customers to PAR for PAR's provision of services (these entities are herein referred to as “Customer”). This DPA is effectively incorporated into the agreement (“Agreement”) entered into between PAR and Customer (each a “Party” and collectively the “Parties”). This DPA is effective as of the date of the Agreement. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control.

1.2 PAR acknowledges that Customer and/or the data it discloses to PAR may be subject to consumer privacy laws and regulations, as well as common law restrictions and/or obligations (the “Consumer Privacy Laws”). Consumer Privacy Laws may include, but it is not limited to, laws, and associated regulations or guidance, such as pursuant to the Health Insurance Portability and Accountability Act, General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), U.K. General Data Protection Regulation, California Consumer Privacy Act (the “CCPA”) and California Privacy Rights Act (“CPRA”), as codified in California Civil Code sections 1798.100, et seq. (collectively, “CCPA/CPRA”), and other similar foreign or domestic, federal, state, or local privacy statutes, regulations, rules, or guidance, laws currently in effect or that may come into effect during the term of the Agreement, all as applicable and as may be amended from time to time.

2. DEFINITIONS

2.1 Based on Customer's relationship with PAR, PAR is considered a “service provider,” “contractor,” or “processor” (collectively, “Processor”) under the Consumer Privacy Laws. As a Processor, PAR may process and/or receive “personal information” or “personal data,” as such terms are defined in applicable Consumer Privacy Laws, from, or on behalf of, Customer (such personal information or personal data is herein referred to as “Personal Information”).

2.2 The term “security incident” means (i) any act or omission that compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by PAR that relate to the protection of the security, confidentiality, or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of PAR or a breach or alleged breach of this DPA. Without limiting the foregoing, a compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information.

2.3 The term “Model Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

2.4 The term “U.K. Addendum” means the template U.K. Information Commissioner's Office Addendum to the Model Clauses for international data transfers, issued under Section 119A of the U.K. Data Protection Act 2018, and including both tables and mandatory clauses.

3. PAR COMMITMENTS

3.1 PAR will comply with Customer's instructions regarding the processing of Personal Information, including but not limited to instructions regarding amending, transferring, or deleting Personal Information.

3.2 PAR shall not “sell” or “share” Personal Information it collects pursuant to the Agreement, as those terms are defined by applicable Consumer Privacy Laws.

3.3 Customer is providing PAR access to Personal Information for the limited and specific purposes provided in the Agreement, as described in section 5 herein, and/or as otherwise expressly permitted by Consumer Privacy Laws. PAR shall not retain, use, or disclose Personal Information for any purpose(s) other than those specified in section 5 herein or otherwise permitted by the Consumer Privacy Laws. Such purposes are incorporated by reference herein.

3.4 PAR shall not retain, use, or disclose Personal Information that it collects pursuant to the Agreement for any “commercial purpose,” as defined by applicable Consumer Privacy Laws, other than the business purposes specified in section 5 herein, including in the servicing of any entity other than Customer.

3.5 PAR shall not retain, use, or disclose Personal Information it collects pursuant to the Agreement outside of the direct business relationship between PAR and Customer.

3.6 PAR shall not combine or update Personal Information with any other information, except to perform a business purpose defined in Consumer Privacy Laws, such as regulations adopted pursuant to Cal. Civ. Code § 1798.185(a)(10), except as provided by Consumer Privacy Laws.

3.7 PAR shall comply with all applicable laws and obligations regarding the use and protection of Personal Information, including all Consumer Privacy Laws, as applicable. PAR certifies that it understands these restrictions, including pursuant to the CCPA/CPRA, and shall comply with them.

3.8 PAR shall provide the same level of privacy protection as required by Customer, and shall assist the Customer in meeting the Customer's obligations in relation to the Personal Information. These privacy protections and obligations include, but are not limited to:

 

  1. collecting and processing Personal Information solely to the extent the processing is necessary, reasonable, and proportionate to the specific purpose(s) listed in section 5 herein or otherwise permitted by Consumer Privacy Laws.
  2. cooperating with Customer in responding to and complying with consumer requests made pursuant to Consumer Privacy Laws. PAR shall without undue delay notify Customer, and provide Customer with copies, of all communications from, or requests made by (i) consumers in relation to their rights under any Consumer Privacy Laws; and (ii) any state or government regulators related to Personal Information.
  3. implementing reasonable security procedures and practices to protect the Personal Information from unauthorized or illegal processing, access, copying, storage, reproduction, display, loss, destruction, damage, use, modification, or disclosure in accordance with California Civil Code section 1798.81.5 and other Consumer Privacy Laws' similar requirements, including but not limited to technical and organizational measures appropriate to the nature of the Personal Information and risk to the same. PAR shall be responsible for implementing and maintaining such measures on systems PAR uses for processing Personal Information.
  4. providing notification of any security incident related to any system, platform, or process that PAR, its employees, agents, subprocessors, or representatives use to process Personal Information. PAR shall report any such security incident to Customer without undue delay. PAR shall follow Customer's instructions regarding security incidents to enable Customer to perform a thorough investigation into the incident, formulate a response, and take further steps in respect to the incident.

3.9 PAR shall ensure that each person processing Personal Information is subject to a duty of confidentiality with respect to such Personal Information. The termination or expiration of this DPA shall not discharge PAR from its confidentiality obligations pursuant to the Agreement and this paragraph. PAR shall process Personal Information until the date of expiration or termination of the Agreement, unless instructed otherwise by Customer, or until such data is returned, de-identified, or destroyed on instruction of Customer.

3.10 If PAR engages any other person or entity to assist it in processing Personal Information for purposes of providing the services enumerated in the Agreement, PAR shall:

  1. notify Customer of that proposed engagement in advance;
  2. provide Customer at least five (5) business days to object to such engagement; and
  3. ensure that the engagement complies with all Consumer Privacy Laws and is pursuant to a written contract binding such party to observe all material requirements regarding Personal Information and Customer's rights in relation to the same, as laid out herein. PAR remains responsible for any acts or omissions committed by itself, its representatives, agents, employees, officers, subcontractors, or any person or entity to which it or they provide access to Personal Information.

3.11 To the extent PAR processes or receives any deidentified personal information, as defined by applicable Consumer Privacy Laws, from, or on behalf of, Customer (“Deidentified Information”), PAR shall comply with all Consumer Privacy Laws concerning the Deidentified Information, including maintaining the information as deidentified personal information. PAR shall take reasonable measures to ensure the Deidentified Information cannot be associated with a consumer or household, publicly commit to maintain and use the Deidentified Information in deidentified form, not attempt to reidentify the information unless solely for the purpose of determining whether the data is deidentified, and contractually obligate any recipient of the Deidentified Information to comply with this DPA and all Consumer Privacy Laws regarding the processing of such Deidentified Information.

3.12 Unless PAR is otherwise required by law, or if Customer sooner requests PAR return Personal Information to Customer instead, PAR will delete and destroy Personal Information and all copies of the same once the Personal Information is no longer needed to complete the transaction or services requested.

3.13 Upon the reasonable request of Customer, PAR shall make available to Customer all information in its possession, custody, or control that is necessary to demonstrate PAR's compliance with all Consumer Privacy Laws and the requirements of this DPA or to enable Customer to conduct and document any required data protection assessments.

3.14 PAR shall notify Customer if PAR determines it can no longer meet its Consumer Privacy Laws obligations.

3.15 To the extent PAR processes any Personal Information from the European Economic Area (“EEA”) or United Kingdom (“U.K.”), Customer as “data exporter” and PAR as “data importer” hereby enter into the Model Clauses and U.K. Addendum. If required by law or by any agency or regulatory body with jurisdiction, the Parties agree to re-execute the Model Clauses and U.K. Addendum (including Annexes hereto) as a document separate from this DPA. For purposes of the Model Clauses and U.K. Addendum, the Parties hereby agree that:

  1. Module Two of the Model Clauses and the U.K. Addendum are incorporated by reference into this DPA.
  2. Signatures applied to the Agreement will be taken as equally signing and effectuating the Model Clauses and U.K. Addendum where applicable to the underlying Personal Information processed by PAR.
  3. Clause 7 and the optional provision in clause 11 of the Model Clauses are excluded.
  4. With respect to clause 9 of the Model Clauses, the Parties select Option 2. The applicable time period for changes to the sub-processor list shall be at least five (5) business days' written notice prior to the engagement of the sub-processor. The list of sub-processors already authorized by Customer can be found at Annex III.
  5. With respect to clause 17 of the Model Clauses, the Parties select Option 1 and the governing law is that of Ireland for Model Clause purposes and England and Wales for U.K. Addendum purposes.
  6. With respect to clause 18 of the Model Clauses, the courts of Ireland shall resolve any disputes arising from the Model Clauses; the courts of England and Wales may resolve disputes arising from the U.K. Addendum.
  7. If there is any conflict between the DPA and the Model Clauses and U.K. Addendum, the Model Clauses shall prevail to the extent applicable to the processing at issue.
  8. The Parties agree to the U.K. Addendum Tables provided at Annex IV.

4. ADDITIONAL RIGHTS AND OBLIGATIONS

4.1 PAR grants Customer the right to take, and PAR shall allow and contribute to, appropriate and reasonable steps to monitor PAR and ensure PAR's use of Personal Information is consistent with all applicable privacy rights and obligations, whether statutory, regulatory, based in common law, contractual, or otherwise. These steps may include, but are not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other policy review or technical and operational testing at least once every 12 months. As an alternative to a Customer-requested review, assessment, audit, or testing, PAR may arrange for a qualified and independent assessor, using an appropriate and accepted control standard or framework and assessment procedure, to conduct such review, scan, assessment, audit, or other policy review and testing of PAR's policies and technical and organizational measures to satisfy its obligations under this DPA. PAR shall provide a report of all such reviews, scans, assessments, audits, or tests to Customer upon request.

4.2 PAR grants Customer the right, upon notice, to take reasonable and appropriate steps to stop, mitigate, and remediate any and all unauthorized use of Personal Information.

4.3 Customer is responsible for providing any required privacy notice to data subjects and securing any required consent for PAR's processing of Personal Information in accordance with Customer's instructions.

4.4 Customer agrees that PAR may aggregate data and use such data for analytical purposes. In those instances, PAR will ensure that the data is effectively anonymized prior to such use and that no individual is reasonably identifiable from the data once anonymized and aggregated.

4.5 PAR shall enable Customer to comply with any consumer privacy request made pursuant to Consumer Privacy Laws.

4.6 The parties will work and communicate with each other in good faith to comply with Consumer Privacy Laws.

  1. From time to time, the parties may amend this DPA to clarify the understanding of the relationship of the parties and to clarify the obligations of each party with respect to current or future privacy laws. Such modifications are effective upon signature by all parties.
  2. Upon the request of a Party (“Requesting Party”), either voluntarily or upon reasonable request, the other Party (“Receiving Party”) shall promptly provide to the Requesting Party relevant and accurate information to facilitate updates to the Requesting Party's privacy policy or other notice obligation under applicable Consumer Privacy Laws.

4.7 Indemnification.

  1. Separate and apart from any indemnification provided for in the Agreement, each party to this Agreement (an “Indemnifying Party”) will defend, indemnify and hold the other Party, its parent, subsidiaries and affiliates, and its current and former officers, directors, employees, contractors, agents and representatives (collectively, the “Indemnified Party”) harmless from and against any and all liabilities, losses, damages and costs, including reasonable attorneys' fees (collectively, “Losses”), resulting from a third party claim connected with (a) any breach by an Indemnifying Party of any commitment contained herein, (b) the failure by an Indemnifying Party or any of its agents, employees or subcontractors to perform its duties or obligations hereunder, or (c) the negligent, wilful, wrongful, or illegal acts or omissions of an Indemnifying Party or any of its agents, employees or subcontractors.
  2. It will be an ongoing condition of the foregoing indemnity that the Indemnified Party give the Indemnifying Party prompt written notice of any actual or threatened claim, and provide the Indemnifying Party with all reasonably accessible information regarding such claims in the Indemnified Party's possession. The Indemnified Party will promptly notify the Indemnifying Party of any claim, demand, suit or proceeding for which the Indemnifying Party has agreed to indemnify and hold the Indemnified Party harmless, and the Indemnifying Party, upon written request by the Indemnified Party, will promptly defend and continue the defense of such claim, demand, suit or proceeding at the Indemnifying Party's expense. If the Indemnifying Party fails to undertake and continue such defense, the Indemnified Party will have the right (but not the obligation) to make and continue such defense as it considers appropriate, and the expenses and costs thereof, including but not limited to attorneys' fees, out-of-pocket expenses and the costs of an appeal and bond thereof, together with the amounts of any judgment rendered against the Indemnified Party, will be paid by the Indemnifying Party. The Indemnifying Party shall not enter into any settlement of an indemnified claim for which the Indemnified Party does not receive a general release without the prior written approval of the Indemnified Party. Nothing herein will prevent the Indemnified Party from defending, if it so desires in its own discretion, any such claim, demand, suit or proceeding at its own expense through its own counsel, notwithstanding that the defense thereof may have been undertaken by the Indemnifying Party.

4.8 Limitation of Liability.

EXCEPT WITH RESPECT TO EACH PARTY'S OBLIGATIONS AS TO CONFIDENTIALITY AND INDEMNIFICATION, OR LOSSES ARISING FROM A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT:

  1. UNDER NO CIRCUMSTANCES SHALL EITHER PARTY TO THIS AGREEMENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, OR PUNITIVE DAMAGES WHETHER ARISING OUT OF BREACH OF AGREEMENT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE; AND
  2. IN NO EVENT SHALL EITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF AGREEMENT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED THE AMOUNT OF THE TOTAL FEES ACTUALLY PAID TO CONTRACTOR PURSUANT TO THIS AGREEMENT.
5. DESCRIPTION OF PROCESSING
  1. Nature and Purpose of Processing. PAR processes Personal Information provided by individuals about themselves to provide psychological and career assessments used by individuals and/or their psychologists, career advisors, or similar professionals to evaluate, diagnose, or otherwise provide guidance or advice to the particular individual.
  2. Type of Data Involved in Processing. This Agreement may involve the processing of the following types of Personal Information: name, demographic data, assessment responses, contact information, and medical information.

6. DISPUTES

Any disputes arising from or in connection with this DPA shall be brought as set forth in the Agreement.

 

MODEL CLAUSES ANNEX I

A. List of Parties

Data Exporter

Data Exporter is: Customer.

Address: See Agreement.

Contact person's name, position, and contact details:

See Agreement.

Activities relevant to the data transferred under these Clauses:

Data Exporter is a professional seeking PAR's assistance evaluating an individual for purposes of Data Exporter advising the data subject.

Data Exporter is the Controller.

 

Data Importer

Data Importer is: PAR.

Address: 16204 N Florida Ave, Lutz, FL 33549.

Contact person's name, position, and contact details:

Travis White, PhD, President and Chief Operating Officer

twhite@parinc.com

1.800.331.8378

Activities relevant to the data transferred under these Clauses:

Data Importer processes the data provided to assist Data Exporter in providing professional services to the data subject.

Data Importer is the Processor.

B. Description of Transfer
  1. Categories of data subjects whose personal data is transferred: consumers.
  2. Categories of personal data transferred: see Section 5.
  3. Restrictions and safeguards: see full DPA.
  4. Frequency of transfer: ongoing.
  5. Nature and purpose of processing: see Section 5.
  6. Data retention period: Length of Agreement.
  7. Transfers to sub-processors: [If applicable, input subject matter, nature, and duration of processing.]
C. Competent Supervisory Authority

The competent supervisory authority for purposes of the Model Clauses is the Irish Supervisory Authority. The competent supervisory authority for purposes of the U.K. Addendum is the U.K. Information Commissioner's Office.

 

MODEL CLAUSES ANNEX II

Description of the technical and organizational measures implemented by the data importer(s)

PARiConnect IT Controls

PAR employs and applies a variety of information technology tools, strategies, devices, and methodologies to protect both PAR Customer data and patient/client data and item responses that are captured and stored on PARiConnect. Below is information pertaining to these various IT controls.

Hosting and Storage Controls
  • Servers utilized by PARiConnect are located at a professionally managed data hosting facility located in the central southeast region of the U.S. This is the primary facility for PARiConnect servers and is connected via a dedicated circuit to a backup facility at PAR in Florida, U.S.
  • The hosting facility data centers have been evaluated against ISO 27001 and have undergone a SAS 70 Type II or SSAE 16 review.
  • A third party has performed penetration testing using established guidelines/methodology.
  • All sites housing PARiConnect applications and data have secure firewalls and current antivirus software installed.
  • A third party has performed an external vulnerability scan.
  • Sensitive application data is encrypted in transit using at least HTTPS TLS 1.2.
  • Sensitive application data is encrypted at rest using the encryption algorithm AES-256.
  • Database tables/fields are protected using FIPS-140-compliant encryption for all tables/fields containing sensitive data.
Application Controls
  • Applications log security-relevant events. Each log entry must contain, at minimum, the following: user or process ID of the user or process causing the event, failure of the attempt to access security file, date/time of the event, type of event, success or failure of the event, and seriousness of event violation.
  • Application logs are retained for at least 30 days.
  • The application process runs only with least privileges necessary for proper operation (for example, root or administrator privileges are used only for specifically required operations, whereas in normal mode the application runs as a user without administrative privileges).
  • A disaster recovery and backup/restore plan are in place. If applicable, data are destroyed using a NIST 800-88 compliant method.
  • PAR has a Secure Software Development Life Cycle (SSDLC) in place that includes peer code review and developer security training, and a code promotion/release management strategy is in place.
  • PAR does NOT store assessment scores and/or results—only item responses are stored, and such item responses are stored separately from the patient/client personal data and separately from the assessment items. This data, along with many other elements including personal data and demographics, are encrypted.
General Security Controls
  • PARiConnect has a team designated with overall responsibility for the application, its controls, design, security, etc.
  • PAR regularly monitors vulnerabilities in underlying products (e.g., Microsoft, Linux, databases) and patches all critical vulnerabilities within 30 days, unless overridden by Senior Leadership which is documented as an exception (example: patching would break application until the patch vendor or internal staff resolve the issues causing the failure).
  • PAR and its hosting vendor maintain and monitor security appliances such as intrusion protection systems (IPS) to detect abnormal system, malware, and user behavior.
  • No vendor has access to PARiConnect data and/or applications.
  • All PAR employees are subject to pre-employment background checks.
  • All PAR employees must complete annual security awareness training with testing. A record of each employee's compliance status is retained.
  • Passwords are accessible only to select IT employees and require oversight by the Chief Technology Officer.
  • Payment information related to purchases by PAR Customers is NOT maintained or stored on PARiConnect.
Disaster Recovery/Business Continuity Strategy (DR/BC)
  • PAR employs an active/passive strategy with respect to DR/BC. The primary PARiConnect production servers act as the active installation, with real-time replication occurring to a fail-over (passive) server structure that remains ready and available to take over processing. Fail-over for Customer-facing systems is generally accomplished in approximately two minutes or less.
  • PAR effectively creates backups in real time. Additionally, further backups are retained at a secure third-party location, as well as on-site for at least 30 days to facilitate any unlikely, but potential, need to restore data from a prior date(s).
  • PAR retains electronic logs regarding the digital backup process, as well as logs regarding off-site storage.


 

MODEL CLAUSES ANNEX III

Approved list of sub-processors

Infrastructure Sub-Processors

| Sub-Processor | Location | Purpose/Services | Website |
|---|---|---|---|
| Flexential | United States | Data center services | https://www.flexential.com/ |
| Microsoft Azure | United States | Cloud Hosting | https://azure.microsoft.com/ |

General Sub-Processors

| Sub-Processor | Location | Purpose/Services | Website |
|---|---|---|---|
| Microsoft | United States | Business administration, delivery, support, and related services | https://www.microsoft.com/ |
| Microsoft D365 | United States | Cloud based accounting and customer support services | https://dynamics.microsoft.com |
| SK Global | United States | Payment Processing | https://www.sksoft.com/ |
| Pay Fabric | United States | Payment Gateway | https://www.payfabric.com/ |
| EVO | United States | Payment Processor | https://www.nodus.com/ |
| Avalara | United States | Tax solutions | https://www.avalara.com/ |
| Pacejet | United States | Shipping Software solutions | https://www.pacejet.com/ |
| CIO Tech | United States | IT Support services | https://www.ciotech.us/ |
| Quisitive | United States | IT Support services | https://www.quisitive.com/ |
| Click Dimensions | United States | Marketing Email services | https://www.clickdimensions.com/ |
| Google Analytics | United States | Analytics | https://analytics.google.com/ |
| Altaro | United States | Cloud based backup solutions | https://www.altaro.com/ |



MODEL CLAUSES ANNEX IV

Table 1: Parties

Start date: Date of the Agreement

| The Parties | Exporter (Customer) | Importer (PAR) |
|---|---|---|
| Parties' details | Full legal name: See Agreement; Trading name (if different): N/A; Main address (if a company registered address): See Agreement; Official registration number (if any) (company number or similar identifier): See Agreement (if applicable) | Full legal name: See Agreement; Trading name (if different): N/A; Main address (if a company registered address): See Agreement; Official registration number (if any) (company number or similar identifier): See Agreement (if applicable) |
| Key Contact | Full Name (optional): See Agreement; Job Title: See Agreement; Contact details including email: See Agreement | Full Name (optional): See Agreement; Job Title: See Agreement; Contact details including email: See Agreement |

 

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date:         

Reference (if any):                                

Other identifier (if any):                                

Or

the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | X | No | No | General Authorisation | 5 business days | No |
| 3 | | | | | | |
| 4 | | | | | | |

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Annex I

Annex 1B: Description of Transfer: See Annex I

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data

Annex III: List of Sub processors (Modules 2 and 3 only)

 

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

Importer

Exporter

neither Party