Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement ("Agreement") between Ventus, Inc. ("Ventus" or "Processor") and Customer ("Controller") and governs the processing of Personal Data by Ventus on behalf of Customer in connection with the Ventus Assets.

1. Definitions

1. "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the GDPR, CCPA, and HIPAA where applicable.
2. "Controller" means the natural or legal person which determines the purposes and means of the processing of Personal Data.
3. "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
4. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
5. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Ventus on behalf of Customer in connection with the Ventus Assets.
6. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
7. "Processing" means any operation performed on Personal Data, whether or not by automated means.
8. "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller.
9. "Sub-processor" means any Processor engaged by Ventus to process Personal Data on behalf of Customer.

2. Scope and Roles

This DPA applies to the processing of Customer Personal Data by Ventus in connection with the provision of the Ventus Assets. Customer is the Controller and Ventus is the Processor with respect to Customer Personal Data.

3. Processing of Personal Data

3.1 Instructions

Ventus will process Personal Data only in accordance with Customer's documented instructions. The Agreement, including this DPA, constitutes Customer's complete instructions to Ventus for the processing of Personal Data.

3.2 Purpose Limitation

Ventus will process Personal Data only for the purposes of providing the Ventus Assets as described in the Agreement and as further instructed by Customer.

3.3 Compliance

Each party will comply with its respective obligations under Applicable Data Protection Law with respect to the processing of Personal Data under this DPA.

4. Data Security

4.1 Security Measures

Ventus will implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, use, alteration, or disclosure. These measures include:

• Encryption of Personal Data at rest and in transit (AES-256 and TLS 1.3)
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Employee security awareness training
• Incident response and disaster recovery procedures
• Physical security of data processing facilities

4.2 Confidentiality

Ventus will ensure that personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Sub-processors

5.1 Authorization

Customer authorizes Ventus to engage Sub-processors to process Personal Data on Customer's behalf. Ventus will maintain a list of Sub-processors and will provide notice to Customer before engaging any new Sub-processor.

5.2 Sub-processor Obligations

Ventus will ensure that Sub-processors are bound by data protection obligations no less protective than those set forth in this DPA.

5.3 Current Sub-processors

6. Data Subject Rights

Ventus will assist Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

7. Personal Data Breach

7.1 Notification

Ventus will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data.

7.2 Breach Response

Ventus will provide Customer with sufficient information to enable Customer to meet its obligations under Applicable Data Protection Law with respect to the Personal Data Breach.

8. Data Transfers

Ventus may transfer Personal Data to countries outside the European Economic Area or other jurisdictions with data transfer restrictions, provided that appropriate safeguards are in place, such as Standard Contractual Clauses or other approved transfer mechanisms.

9. Audits

Upon Customer's request and subject to reasonable confidentiality obligations, Ventus will make available to Customer information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Customer or an auditor mandated by Customer.

10. Data Retention and Deletion

Upon termination of the Agreement or upon Customer's request, Ventus will delete or return all Personal Data to Customer, unless Ventus is required by law to retain the Personal Data.

11. HIPAA Compliance

Where Customer is a Covered Entity or Business Associate under HIPAA, the parties will execute a Business Associate Agreement that governs Ventus's handling of Protected Health Information (PHI) in compliance with HIPAA requirements.

12. Certifications and Compliance

Ventus maintains the following certifications and compliance standards:

• SOC 2 Type II: Annual audits of security, availability, and confidentiality controls
• HIPAA: Compliance with Health Insurance Portability and Accountability Act requirements
• GDPR: Compliance with European data protection requirements
• CCPA: Compliance with California Consumer Privacy Act requirements

13. Term and Termination

This DPA will remain in effect for as long as Ventus processes Personal Data on behalf of Customer. The obligations under this DPA will survive termination to the extent necessary to fulfill the purposes for which the Personal Data was collected.