VIVIAN HEALTH DATA PROCESSING AGREEMENT
Updated March 3, 2025
By signing an Order Form referencing the Vivian Terms and Conditions or this DPA, Customer agrees to the following Data Processing Agreement which forms a valid and binding contract between Customer and Vivian.
1. Definitions
For the purposes of this Data Processing Agreement (this “DPA”):
“CCPA” means the California Consumer Privacy Act of 2018, as amended, and any regulations promulgated thereunder.
“Customer Personal Data” means personal data, personal information, or similar information as defined or protected under Data Protection Laws, as applicable, relating to individuals listed in Section 2.2.
“business,” “business purposes,” “commercial purposes,” “collect,” “consumer,” “personal information,” “sell,” “sensitive personal information,” “service provider,” and “share” shall have the same meaning as in the CCPA and other Data Protection Laws.
“Data Protection Laws” means all federal, state, or local privacy and data protection laws in the United States in effect on or after the effective date of this DPA.
“Sensitive Data” means sensitive personal information, special categories of personal data, or information or data defined or classified as sensitive under Data Protection Laws.
Capitalized terms not otherwise defined herein shall have the meanings given to them in the Terms and Conditions.
2. Status of Parties; Details of the processing activities
2.1 The parties agree that with respect to the provision of the Services, as to processing of Customer Personal Data, Customer is the controller and Vivian is a processor as such terms are used in Data Protection Laws and Customer is a Business and Vivian is a Service Provider as such terms are defined in the CCPA.
2.2 The details of the processing activities to be carried out by Vivian on behalf of the Customer under this DPA and the categories of personal data processed are specified below:
Categories of individuals | Authorized Users; Candidates; Individuals identified in Customer Applicant Tracking System |
Categories of Personal Information | Authorized Users: First and Last name; Professional Email Address; Assigned user ID; All activities of Authorized User on the Vivian website in connection with the Services, including communications with candidates and with Vivian staff. Candidate Submission Data, as determined by Customer. ATS Data, as determined by Customer. |
Duration of Processing | Subscription Term of the Order Form executed between Customer and Vivian |
Nature of Processing | Collecting, hosting and back-up storage for purposes of: Enabling administration of Customer account by Customer; Authenticating Authorized Users; Connecting Authorized Users to Candidates; Contacting Authorized Users to provide the Services to them; Storage and sharing of Candidate Submission Data with employers and vendor management systems upon instruction of Customer; Customizing Services to Authorized Users; Providing support services to Authorized Users; Identifying Vivian Candidates in Customer ATS; Deletion of personal data upon instruction of Customer or at the end of the DPA |
3. Obligations of The Parties
3.1 Customer shall not upload to the Platform nor share with Vivian any personal information that is (i) sensitive data as defined under Data Protection Laws or (ii) Covered Data or Protected Health Information as defined in the Health Insurance Portability and Accountability Act. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data and shared such Customer Personal Data with Vivian, including providing any required notices to, and obtaining any necessary consent from any individual whose personal information is included in Customer Data. Customer shall ensure that no personal information of any individual who is not listed in Section 2 will be included in Customer Data.
3.2 Vivian shall:
(a) process Customer Personal Data only:
(i) on behalf of Customer and in accordance with its documented instructions unless otherwise required by Data Protection Laws to which Vivian is subject;
(ii) in compliance with Data Protection Laws and this DPA; and
(iii) for business purposes and operational purposes applicable to the Customer’s instructions that are permissible under the CCPA for a service provider (the “Qualified Business Purposes”) and not for Vivian’s own purposes.
(b) not (i) sell or share the Customer Personal Data, (ii) retain, use, or disclose Customer Personal Data for a commercial purpose other than the Qualified Business Purposes set forth in the Agreement or outside of the business relationship between Customer and Vivian, (iii) process Customer Personal Data outside of Vivian’s relationship with Customer or (iv) combine Customer Personal Information with personal information it receives from or on behalf of another person or entity other than to perform a qualified Business Purpose.
(c) not process or use Sensitive Personal Information unless instructed in writing by Customer.
(d) if it is legally required to process Customer Personal Data otherwise than as instructed by Customer, notify Customer before such processing occurs, unless the law requiring such processing prohibits Vivian from notifying Customer on an important ground of public interest, in which case it shall notify Customer as soon as that law permits it to do so.
(e) not assume any responsibility for determining the purposes for which and the manner in which Customer Personal Data is processed.
(f) notify Customer if its data privacy obligations with respect to Customer Data under this DPA or Data Protection Laws cannot be met and, upon such notice, allow Customer to suspend and remedy any unauthorized use of Customer Personal Data.
(g) treat all Customer Personal Data as confidential information, as such is defined in the Terms and Conditions, and not disclose such Customer Personal Data without Customer’s prior written consent except:
(i) to those of its personnel who need to know the Customer Personal Data in order to provide the Services; and
(ii) where it is required by a court to disclose Customer Personal Data, or there is a statutory obligation to do so, but only to the minimum extent necessary to comply with such court order or statutory obligation.
(h) take reasonable steps to ensure that its personnel who have access to the Customer Personal Data are both:
(i) informed of the confidential nature of the Customer Personal Data and required to keep such Customer Personal Data confidential; and
(ii) aware of and comply with Vivian’s duties and their personal duties and obligations under this DPA.
(i) promptly notify Customer about:
(i) any instruction which, in its opinion, infringes applicable law;
(ii) any complaint, communication or request received directly by Vivian or a subprocessor from a Data Subject and pertaining to the Customer Personal Data, without responding to that request unless it has been otherwise authorized to do so by Customer; and
(iii) any change in legislation applicable to Vivian which is likely to have a substantial adverse effect on Vivian’s obligations in this DPA.
(j) provide Customer with full and prompt cooperation and assistance in relation to any complaint, communication, or request received from a Customer employee or contractor, including by:
(i) providing Customer with full details of the complaint, communication or request;
(ii) where authorized by Customer, complying with a request from a Customer employee or contractor in relation to their Customer Personal Data within the relevant timeframes required by applicable law and in accordance with Customer’s instructions;
(iii) assisting Customer in complying with a request from a Customer employee or contractor in relation to their Customer Personal Data within the relevant timeframes required by applicable law;
(iv) providing Customer with any Customer Personal Data it holds in relation to a Customer employee or contractor in a commonly-used, structured, electronic, and machine-readable format;
(v) providing Customer with any information requested by Customer relating to the processing of Customer Personal Data under this DPA; and
(vi) correcting, deleting, or blocking any Customer Personal Data.
(k) provide Customer with full and prompt cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that Customer is legally required to make in respect of Customer Personal Data, and for which Vivian’s input is reasonably required.
(l) appoint, and identify to Customer, an individual to support the Customer in monitoring compliance with this DPA, and to make available to Customer upon request all information and evidence necessary to demonstrate that Vivian is complying with its obligations under this DPA.
4. Security of Customer Personal Data
(a) Vivian shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of Customer Personal Data processed by Vivian or a subprocessor (“Security Breach”), and shall provide Customer with all reasonable assistance Customer requires to comply with its own obligations to maintain such technical and organizational measures. Having regard to the state of the art and cost of their implementation, such technical and organizational measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of Customer Personal Data to be protected.
(b) Vivian staff who have access to or otherwise process Customer Personal Data shall be subject to a duty of confidentiality.
(c) Upon discovery of any Security Breach, Vivian shall:
(i) immediately take reasonable steps to mitigate the harm to Customer employees and contractors and prevent any further Security Breach;
(ii) promptly inform Customer of the Security Breach and potential impact on Authorized Users whose Personal Information may have been impacted, and in any case within deadlines as provided by Data Protection Laws; and
(iii) provide Customer with full and prompt cooperation and assistance in relation to any notifications that Customer is required to make by Data Protection Laws as a result of the Security Breach.
5. Subcontractors
Vivian may subcontract some of its processing operations under this DPA to subprocessors provided that:
(a) Vivian must notify Customer about subprocessor engagements;
(b) Customer may object to subprocessors; and
(c) subprocessors are subject to a written agreement which imposes substantially the same, and in any case no less onerous, obligations on that subprocessor as are imposed on Vivian under this DPA.
6. Audits
6.1 Vivian shall provide all information to Customer to demonstrate compliance with its obligations under this DPA and Data Protection Laws.
6.2 Upon request of Customer, at least annually, Vivian will submit its data processing facilities for an audit of its compliance with its obligations hereunder and its security measures. Inspections shall be carried out by Customer or any independent or impartial inspection agents or auditors selected by Customer and not reasonably objected to by Vivian. Alternatively, Customer may exercise its inspection rights via review of documents to be provided by Vivian upon reasonable advance request. Vivian shall be provided a copy of all audit or inspection findings of Customer.
6.3 Each party shall perform its obligations under this DPA at its own cost.
7. Termination of the Services
7.1 Customer is entitled to suspend or terminate an Order Form executed with Vivian by giving written notice to Vivian if:
(a) Vivian commits any material breach of this DPA; and
(b) Customer gives notice to Vivian to remedy the breach (or to the extent that the breach is not capable of remedy, to give compensation for the breach) and Vivian fails to do so within twenty-eight days of receipt of the notice.
7.2 The parties agree that upon termination of the Services or when the processing of the Customer Personal Data is no longer necessary for the performance of the Services, Vivian and all subprocessors shall make available to Customer all Customer Personal Data and thereafter securely destroy all Customer Personal Data and certify to Customer that it or they have done so, unless an applicable law to which Vivian or a subprocessor is subject prevents Vivian or subprocessor from returning or destroying all or part of the Customer Personal Data. In such a case, Vivian will guarantee the confidentiality of Customer Personal Data and will no longer actively process Customer Personal Data, and will guarantee the return and/or destruction of the Customer Personal Data as requested by Customer when the legal obligation to not return or destroy the information is no longer in effect.
8. Miscellaneous
8.1 In the event of inconsistencies between the provisions of this DPA and the Terms and Conditions or an Order Form executed between Vivian and Customer, the provisions of this DPA shall prevail.
8.2 Should any provision or condition of this DPA be held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. The provision or condition affected shall be construed either: (a) to be amended in such a way that ensures its validity, lawfulness, and enforceability while preserving the Parties’ intentions, or if that is not possible, (b) as if the invalid, unlawful, or unenforceable part had never been contained in this DPA.
8.3 Any amendments to this DPA shall only be effective if they are made in writing duly signed by authorized representatives of the parties hereto.