This Data Processing Addendum, including its Annexes and Appendices (the "DPA"), forms part of the agreement between the applicable customer identified in the Agreement ("Customer") and SiteSync (FreedomSeeker OÜ), an Estonian private limited company with its registered office at Kotkapoja tn 2a-10, 10615 Tallinn, Estonia, registration number 17097142, VAT ID EE102833191 ("SiteSync"). This DPA supplements the SiteSync Terms of Service, any applicable Order Form, and any other agreement governing Customer's use of the Services (collectively, the "Agreement"). This DPA is incorporated into the Agreement and becomes effective when Customer accepts the Agreement or otherwise accesses or uses the Services subject to the Agreement.

• 1.1 This DPA applies to the extent SiteSync processes Customer Personal Data on behalf of Customer as a processor, service provider, or contractor in connection with the Services.
• 1.2 This DPA does not apply to processing for which SiteSync acts as a controller, including processing for SiteSync's own business purposes as described in the Privacy Policy, except to the extent expressly required by applicable law.
• 1.3 The DPA is intended to satisfy the requirements of Article 28 GDPR and comparable processor/service provider requirements under applicable UK data protection law and applicable U.S. state privacy laws.
• 1.4 If an executed enterprise agreement, negotiated order form, or separately executed data processing addendum expressly supersedes this DPA, that executed agreement will control solely to the extent of the conflict.

• 2.1 "Applicable Data Protection Law" means, to the extent applicable to the processing of Customer Personal Data under the Agreement, the GDPR, UK GDPR, the UK Data Protection Act 2018, and applicable U.S. state privacy laws imposing processor, service provider, contractor, or similar obligations, in each case as amended from time to time.
• 2.2 "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.
• 2.3 "Customer Personal Data" means Personal Data contained in Customer Data that SiteSync processes on behalf of Customer in connection with the Services.
• 2.4 "EU SCCs" means the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914.
• 2.5 "Security Incident" means a breach of SiteSync's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in SiteSync's possession, custody, or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.
• 2.6 "Services" has the meaning given in the Agreement.
• 2.7 "Subprocessor" means a third party engaged by SiteSync to process Customer Personal Data on SiteSync's behalf in connection with the Services.
• 2.8 "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, as updated or replaced from time to time.
• 2.9 "Sensitive Data" means any category of data requiring heightened protection under the Agreement or Applicable Data Protection Law, including the categories identified as sensitive data in the Agreement.
• 2.10 Capitalized terms not defined in this DPA have the meanings given in the Agreement.

• 3.1 This DPA applies only to Customer Personal Data that SiteSync processes on behalf of Customer in connection with the provision of the Services.
• 3.2 The subject matter, duration, nature, and purpose of the processing, as well as the types of Customer Personal Data and categories of Data Subjects, are described in Annex 1.
• 3.3 This DPA applies whether Customer acts as a Controller or, where permitted by Applicable Data Protection Law, as a Processor acting on behalf of another Controller.

• 4.1 The parties acknowledge that, with respect to Customer Personal Data processed under this DPA, Customer is the Controller or Processor, as applicable, and SiteSync is the Processor, service provider, contractor, or similar service recipient role recognized under Applicable Data Protection Law.
• 4.2 If Customer is a Processor, Customer represents and warrants on an ongoing basis that Customer's instructions and actions with respect to Customer Personal Data, including Customer's appointment of SiteSync as a further Processor and Customer's authorization of SiteSync's engagement of Subprocessors and international transfers under this DPA, have been authorized by the relevant Controller.

• 5.1 SiteSync will process Customer Personal Data only: (a) to provide the Services in accordance with the Agreement; (b) on Customer's documented instructions as set out in the Agreement, this DPA, and Customer's configuration and use of the Services; (c) as necessary to comply with applicable law; and (d) as otherwise agreed in writing by the parties.
• 5.2 Customer instructs SiteSync to process Customer Personal Data as reasonably necessary to: (a) host, operate, secure, monitor, maintain, support, troubleshoot, and improve the Services for Customer; (b) provide account administration, authentication, permissions, collaboration, synchronization, import/export, API, reporting, and related functionality; (c) provide AI Features requested or enabled by Customer in accordance with the Agreement and the AI Product Terms; (d) communicate with Customer regarding service-related matters; and (e) prevent fraud, abuse, misuse, or security threats affecting the Services.
• 5.3 SiteSync will promptly inform Customer if, in SiteSync's opinion, a documented instruction infringes Applicable Data Protection Law, unless SiteSync is prohibited from doing so by law.

• 6.1 SiteSync will ensure that persons authorized to process Customer Personal Data are subject to appropriate obligations of confidentiality, whether by contract, policy, or law.
• 6.2 SiteSync will ensure that access to Customer Personal Data is limited to personnel who need such access to provide, secure, support, or maintain the Services, or otherwise to fulfill SiteSync's obligations under the Agreement and this DPA.

• 7.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to natural persons, SiteSync will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
• 7.2 The technical and organizational measures implemented by SiteSync as of the effective date of this DPA are described in Annex 2.
• 7.3 SiteSync may update or modify its technical and organizational measures from time to time, provided that such updates or modifications do not materially decrease the overall security of the Services.
• 7.4 Customer acknowledges that no security measure can guarantee absolute security and that Customer is responsible for its own secure use of the Services, including appropriate role assignment, user-access controls, and review of Customer Data uploaded to the Services.

• 8.1 Customer grants SiteSync general written authorization to engage Subprocessors in accordance with this Section.
• 8.2 SiteSync will maintain an up-to-date list of Subprocessors through its Trust Center at: https://trust.sitesync.ai/subprocessors. Where made available by SiteSync, Customer may also subscribe through the Trust Center to receive notifications of Subprocessor changes.
• 8.3 SiteSync will remain responsible for the performance of each Subprocessor's data protection obligations to the extent required by Applicable Data Protection Law.
• 8.4 SiteSync will impose data protection obligations on each Subprocessor that are substantially no less protective of Customer Personal Data than the obligations imposed on SiteSync under this DPA, to the extent applicable to the services provided by that Subprocessor.
• 8.5 SiteSync may add or replace Subprocessors from time to time. SiteSync will provide at least thirty (30) days' advance notice before a new Subprocessor begins processing Customer Personal Data. Such notice may be provided through updates to the Trust Center, service communications, or both.
• 8.6 If Customer reasonably objects to a new Subprocessor on documented data protection grounds, Customer will notify SiteSync promptly and in any event within ten (10) days after the relevant notice or posting. The parties will work in good faith to address the objection and to resolve the objection within thirty (30) days of receipt.
• 8.7 If SiteSync is unable, using commercially reasonable efforts, to address Customer's reasonable objection within that thirty (30)-day period, then SiteSync may, at its option: (a) offer a commercially reasonable alternative; (b) suspend the affected processing or affected feature; or (c) permit Customer to terminate the affected Services in accordance with the Agreement.
• 8.8 For clarity, customer-enabled integrations or third-party services that Customer chooses to enable are not Subprocessors under this DPA unless SiteSync engages the relevant third party on SiteSync's own behalf to provide the Services.

• 9.1 Customer authorizes SiteSync and its Subprocessors to process Customer Personal Data in the European Union, the United Kingdom, the United States, and other jurisdictions where SiteSync or its Subprocessors maintain processing facilities, subject to this Section.
• 9.2 Where SiteSync processes Customer Personal Data subject to GDPR or UK GDPR and such processing involves a restricted transfer to a country not recognized as providing an adequate level of protection, SiteSync will ensure that a valid transfer mechanism under Applicable Data Protection Law applies.
• 9.3 To the extent Customer Personal Data is transferred from the EEA to SiteSync or to an onward recipient in a country that is not subject to an adequacy decision, the EU SCCs are incorporated by reference into this DPA as follows: (a) Module Two applies where Customer is a Controller and SiteSync is a Processor; (b) Module Three applies where Customer is a Processor and SiteSync is a sub-Processor; (c) Clause 7 (Docking Clause) is included; (d) in Clause 9, Option 2 applies, and the time period for prior notice of Subprocessor changes is as set out in Section 8; (e) in Clause 11, the optional language does not apply; (f) in Clause 17, the governing law is the law of Estonia; (g) in Clause 18(b), the courts are the competent courts of Estonia; (h) Annex I, Annex II, and Annex III of the EU SCCs are completed using Annex 1, Annex 2, and Annex 4 to this DPA, respectively.
• 9.4 To the extent Customer Personal Data is transferred from the United Kingdom to SiteSync or to an onward recipient in a country lacking adequacy regulations, the UK Addendum is incorporated into this DPA and applies to the EU SCCs as completed under Section 9.3: (a) the parties are those identified in Annex 1; (b) the selected SCCs are the EU SCCs as incorporated by this DPA; (c) the appendices are the Annexes to this DPA; and (d) the party that may end the UK Addendum as permitted by its terms is either party.
• 9.5 If SiteSync adopts or offers another lawful transfer mechanism recognized under Applicable Data Protection Law, Customer agrees to cooperate reasonably, including by executing supplemental documents, where reasonably necessary to give effect to that mechanism.
• 9.6 To the extent there is any direct conflict between the transfer terms in this Section or Annex 3 and the rest of this DPA or the Agreement, the applicable transfer terms will control with respect to the transferred Customer Personal Data.

• 10.1 Taking into account the nature of the processing, SiteSync will provide Customer with reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.
• 10.2 If SiteSync receives a request from a Data Subject relating to Customer Personal Data, SiteSync will, to the extent legally permitted: (a) notify Customer of the request; and (b) not respond directly to that request except as required by applicable law or as instructed by Customer.
• 10.3 Customer is responsible for responding to Data Subject requests concerning Customer Personal Data, except to the extent Applicable Data Protection Law requires SiteSync to respond directly.
• 10.4 SiteSync may charge Customer reasonable costs for assistance under this Section to the extent such assistance is not included in the Services and is unusually burdensome or exceeds standard support obligations, where permitted by law and the Agreement.

• 11.1 SiteSync will notify Customer without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a Security Incident affecting Customer Personal Data.
• 11.2 Such notification will, to the extent reasonably available at the time: (a) describe the nature of the Security Incident; (b) describe the categories of affected Customer Personal Data; (c) describe the likely consequences of the Security Incident; and (d) describe measures taken or proposed to address and mitigate the Security Incident.
• 11.3 SiteSync will take reasonable steps to investigate, mitigate, and remediate a Security Incident and will provide reasonable cooperation to Customer in connection with Customer's compliance obligations under Applicable Data Protection Law.
• 11.4 SiteSync's notification of or response to a Security Incident is not an acknowledgment of fault or liability.

• 12.1 Taking into account the nature of the processing and the information available to SiteSync, SiteSync will provide Customer with reasonable assistance in connection with: (a) data protection impact assessments; and (b) consultations with supervisory authorities or regulators, where Customer is required to carry out such assessments or consultations under Applicable Data Protection Law.
• 12.2 SiteSync may charge reasonable costs for assistance under this Section to the extent such assistance is not included in the Services and is unusually burdensome or exceeds standard support obligations, where permitted by law and the Agreement.

• 13.1 Upon termination or expiry of the Agreement, and upon Customer's written request, SiteSync will make Customer Personal Data available for return or export in a commercially reasonable manner where technically feasible.
• 13.2 After the applicable return/export period and subject to Section 13.3, SiteSync will delete Customer Personal Data in accordance with its standard deletion processes, unless applicable law requires continued retention.
• 13.3 Notwithstanding the foregoing: (a) backup copies may remain in SiteSync's backup systems for up to six (6) months before deletion or overwrite in the ordinary course; (b) SiteSync may retain Customer Personal Data to the extent required by applicable law, valid legal process, tax/accounting obligations, fraud prevention, dispute resolution, or legitimate security purposes; and (c) any retained Customer Personal Data will remain protected under this DPA for so long as it is retained.
• 13.4 Unless otherwise agreed in writing, Customer may request return/export of Customer Personal Data within thirty (30) days following termination or expiry of the Agreement, after which SiteSync may proceed with deletion under its standard processes, subject to Section 13.3.

• 14.1 SiteSync will make available to Customer, upon written request and subject to reasonable confidentiality restrictions, information reasonably necessary to demonstrate SiteSync's compliance with this DPA, which may include relevant security documentation, customer-facing security materials, responses to reasonable written security questionnaires, and any available third-party audit reports or summaries.
• 14.2 If the information made available under Section 14.1 is not sufficient for Customer to demonstrate compliance with Applicable Data Protection Law, Customer may request an additional audit of SiteSync's relevant processing activities, subject to the following conditions: (a) the audit must be limited to matters directly relevant to Customer's compliance obligations under this DPA; (b) Customer must provide reasonable prior written notice; (c) the audit must occur during normal business hours and in a manner that minimizes disruption to SiteSync; (d) the audit must not require access to other customers' data, internal source code, or information that would compromise SiteSync's security or confidentiality obligations; (e) the audit may be performed no more than once annually unless a Security Incident or regulatory requirement justifies additional review; and (f) the parties will agree in advance on the scope, timing, duration, and reasonable confidentiality protections for the audit.
• 14.3 SiteSync may satisfy audit obligations through remote review, interviews, document review, or other reasonable alternative means where appropriate.
• 14.4 Customer will bear its own audit costs and reimburse SiteSync for reasonable costs incurred in supporting audits under this Section, except where Applicable Data Protection Law requires otherwise or where the audit reveals a material breach of this DPA by SiteSync.

• 15.1 To the extent applicable U.S. state privacy laws apply to Customer Personal Data processed under this DPA, SiteSync will act as Customer's service provider, contractor, processor, or comparable service recipient role, as applicable.
• 15.2 SiteSync will not: (a) sell Customer Personal Data; (b) share Customer Personal Data for cross-context behavioral advertising; or (c) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than the business purposes and services specified in the Agreement and this DPA, except as permitted by applicable law.
• 15.3 SiteSync may process Customer Personal Data for the limited purposes permitted under applicable U.S. state privacy laws for service providers, contractors, and processors, including to provide the Services, ensure security and integrity, detect and prevent fraud or illegal activity, debug and repair errors, maintain and improve the Services, and comply with applicable law, provided such processing is permitted by such laws.
• 15.4 SiteSync will comply with applicable restrictions on combining Customer Personal Data with personal data received from other sources, except to the extent permitted by applicable U.S. state privacy laws.
• 15.5 Customer may take reasonable and appropriate steps to help ensure that SiteSync uses Customer Personal Data in a manner consistent with Customer's obligations under applicable U.S. state privacy laws, including through the audit and information rights set out in Section 14.

• 16.1 The liability of each party under this DPA is subject to the exclusions, limitations, and liability caps set out in the Agreement.
• 16.2 Nothing in this DPA limits either party's liability to Data Subjects under the third-party beneficiary provisions of the EU SCCs or UK Addendum to the extent such limitation is prohibited by Applicable Data Protection Law.
• 16.3 In the event of any conflict between this DPA and the Agreement, this DPA will control with respect to the subject matter of this DPA. In the event of any conflict between the EU SCCs or UK Addendum and this DPA or the Agreement, the EU SCCs or UK Addendum, as applicable, will control with respect to the transferred Customer Personal Data.

• 17.1 This DPA takes effect when it is incorporated into the Agreement and remains in effect for so long as SiteSync processes Customer Personal Data on behalf of Customer under the Agreement.
• 17.2 This DPA automatically terminates when SiteSync has ceased all processing of Customer Personal Data on behalf of Customer, subject to Section 13.3.

• 18.1 Privacy and data protection notices under this DPA may be sent to: [email protected]
• 18.2 SiteSync may provide Subprocessor notices, security notices, and other operational notices under this DPA through the contact points or notice mechanisms used for service-related notices under the Agreement, through the Trust Center, or both.

• A. List of Parties. Data Importer / Processor / Service Provider / Contractor: SiteSync (FreedomSeeker OÜ), Kotkapoja tn 2a-10, 10615 Tallinn, Estonia, Registration number: 17097142, Privacy contact: [email protected]. Data Exporter / Controller or Processor / Business: The Customer party to the Agreement.
• B. Subject Matter. SiteSync's provision of the Services to Customer under the Agreement, including workspace management, project and task management, scheduling, workforce management, equipment and asset management, document handling, communications, integrations, reporting, support, security, and AI-enabled service functionality.
• C. Duration of Processing. For the term of the Agreement and any post-termination period during which SiteSync retains Customer Personal Data in accordance with the DPA, including limited retention in backups, logs, or where legally required.
• D. Nature and Purpose of Processing. SiteSync may collect, access, host, store, organize, structure, adapt, retrieve, consult, use, transmit, synchronize, disclose by transmission, combine, analyze, support, secure, delete, and otherwise process Customer Personal Data as necessary to: provide the Services requested by Customer; administer Customer accounts and workspaces; authenticate users and manage permissions; provide collaboration, communications, notifications, and workflow functionality; provide import/export, reporting, API, integration, and synchronization functionality; provide customer support and technical support; monitor, secure, maintain, troubleshoot, and improve the Services for Customer; prevent fraud, abuse, misuse, and security threats; and where enabled by Customer, provide AI Features, including contextual processing of Customer Data, AI Inputs, AI Outputs, and related materials to generate customer-requested functionality, subject to the Agreement and AI Product Terms.
• E. Categories of Customer Personal Data. Customer Personal Data may include, as determined by Customer's use of the Services: names and identifiers; business contact details, including work email address, telephone number, company, department, and title; account and access data, including role, account profile information, authentication-related metadata, and security/authentication artifacts (such as MFA device metadata, encrypted MFA secrets, recovery-code hashes, and session/security-event metadata); network and device-related identifiers, including IP address, user-agent, and related request metadata to the extent processed on behalf of Customer; project, scheduling, task, resource, and operational data; workforce and personnel data, including employee or contractor names, sex, birthdate, work contact details, job roles, certifications, schedules, company dates, compensation details (including hourly rates), and similar work-related records; leave/absence management records, including sick-leave and return-to-work planning records, where submitted by Customer; equipment, asset, compliance, and site-related records; documents, spreadsheets, attachments, file contents, and imported records; communications content, support content, comments, messages, prompts, requests, and instructions; integration and synchronization data from connected third-party systems; AI Inputs and AI Outputs where AI Features are used; usage, telemetry, and log data to the extent such data constitutes Personal Data and is processed on behalf of Customer.
• F. Sensitive Data. SiteSync does not request or require Sensitive Data for the ordinary provision of the Services. Because some free-text fields, documents, attachments, integrations, workforce records, leave/absence records, and AI Inputs may allow users to submit a wide range of content (which may include sensitive or special-category data, such as health-related information), Customer remains responsible for controlling what data it uploads and for limiting uploads of Sensitive Data except where strictly necessary, lawful, and appropriate, and subject to appropriate safeguards and human review. The Services are not intended to serve as a primary system of record for highly sensitive or high-risk regulated data.
• G. Categories of Data Subjects. Data Subjects may include: Customer's employees, personnel, workers, field staff, temporary workers, and contractors; Customer's authorized users, administrators, owners, planners, and other workspace users; Customer's business contacts, representatives, and counterparties; individuals whose data is included by Customer in project, workforce, scheduling, compliance, equipment, site, or document records; and other individuals about whom Customer or its users submit Personal Data through the Services.
• H. Competent Supervisory Authority. For purposes of the EU SCCs, the competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs.

As of the effective date of this DPA, SiteSync maintains technical and organizational measures that include, as appropriate to the Services and risks presented:

• 1. Access controls and organizational segregation: organization-scoped and role-based permissions; user-role and admin-permission controls within customer environments; internal access restriction to authorized personnel with a need to know.
• 2. Authentication and account security: password hashing; multi-factor authentication functionality and organization-level enforcement options; secure session management and authentication controls.
• 3. Encryption and transmission security: encryption in transit using industry-standard transport security; secure handling of credentials and authentication artifacts; secure cookie settings and related session protections where applicable.
• 4. Network, application, and platform security: rate limiting and abuse prevention controls; security headers and related web-application protections; CORS and related service-configuration controls; measures designed to reduce duplicate or unauthorized actions.
• 5. Logging, monitoring, and auditability: security logging, infrastructure monitoring, and observability controls; audit logging for relevant business events; controls supporting audit-log integrity; logging practices designed to reduce inappropriate exposure of personal data in logs.
• 6. Operational security: vulnerability management and patching processes; change management processes; incident response procedures; backup and recovery procedures; vendor management processes.
• 7. Personnel and confidentiality: confidentiality obligations for authorized personnel; workforce access limited by role and business need.
• 8. Testing, maintenance, and improvement: Monitoring, troubleshooting, and maintenance activities reasonably necessary to keep the Services secure and operational. These measures may be updated from time to time, provided that SiteSync does not materially decrease the overall security of the Services.

• 1. EEA Restricted Transfers. Where Customer Personal Data subject to GDPR is transferred from the EEA to SiteSync in a country that is not subject to an adequacy decision, the EU SCCs are incorporated as stated in Section 9 of this DPA. EU SCC Completion Summary: Module Two (Controller to Processor): applies where Customer is a Controller. Module Three (Processor to Processor): applies where Customer is a Processor. Clause 7: included. Clause 9: Option 2. Clause 11: optional language omitted. Clause 17: Estonia. Clause 18(b): courts of Estonia. Annex I.A: parties as set out in Annex 1. Annex I.B: transfer description as set out in Annex 1. Annex II: technical and organizational measures as set out in Annex 2. Annex III: Subprocessors as set out in Annex 4.
• 2. UK Restricted Transfers. Where Customer Personal Data subject to UK GDPR is transferred from the United Kingdom to SiteSync in a country lacking adequacy regulations, the UK Addendum is incorporated as stated in Section 9 of this DPA and attaches to the EU SCCs described above. UK Addendum Completion Summary: Table 1: Parties are those described in Annex 1. Table 2: the approved EU SCCs are the EU SCCs incorporated by this DPA. Table 3: Appendix Information is Annex 1, Annex 2, and Annex 4 to this DPA. Table 4: either party may end the UK Addendum as permitted by its terms.
• 3. Alternative Transfer Mechanisms. If SiteSync adopts another lawful transfer mechanism recognized under Applicable Data Protection Law, the parties will cooperate reasonably to implement that mechanism where necessary.

Customer authorizes SiteSync to use Subprocessors in accordance with Section 8 of this DPA. The current list of Subprocessors is maintained at: https://trust.sitesync.ai/subprocessors. That Trust Center page, as updated from time to time in accordance with Section 8 of this DPA, constitutes SiteSync's Subprocessor list for purposes of this DPA.

Als u vragen heeft over onze Gegevensverwerkingsovereenkomst of onze gegevensverwerkingspraktijken, kunt u contact met ons opnemen via: