Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the agreement between Aspire Technologies, Inc. ("Aspire", "Processor") and the customer, reseller, or partner entity ("Customer", acting as a Controller or Processor, as applicable) that uses Aspire products or services, including but not limited to QuoteWerks-hosted or database-hosted offerings ("Services").

This DPA applies only where Aspire processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Capitalized terms not otherwise defined in this DPA have the meanings given in the applicable data protection laws.

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including, as applicable:

1. the EU General Data Protection Regulation ("EU GDPR");
2. the UK General Data Protection Regulation ("UK GDPR");
3. the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); and
4. any other similar U.S. state, federal, or international privacy or data protection laws applicable to the processing of Personal Data under the Services.

"Customer Data" has the meaning set forth in Aspire's Terms of Use, available at https://www.quotewerks.com/termsofuse.asp .

2. Roles of the Parties

• Customer is the Controller, or a Processor acting on behalf of a Controller.
• Aspire acts as a Processor only where it hosts, accesses, or otherwise processes Customer Data as part of the Services.
• Aspire does not determine the purposes or means of processing Customer Data.

Deployment Scope Clarification

This DPA applies only to Personal Data processed by Aspire in connection with Aspire-hosted, cloud-based, or managed services. Where Customer deploys Aspire software in a self-hosted or on-premises environment and Aspire does not host, access, or otherwise process Personal Data, Aspire does not act as a processor with respect to such data, and this DPA does not apply to that processing.

In hybrid deployments, this DPA applies solely to the portions of the Services for which Aspire processes Personal Data.

3. Scope and Purpose of Processing

Aspire processes Customer Data solely to provide, maintain, support, and secure the Services in accordance with Customer's documented instructions and the normal operation of the Services.

Categories of Data Subjects

• Customer employees
• Customer users
• Customer clients, prospects, or contacts

Categories of Personal Data

• Names
• Business contact details
• Account identifiers and credentials
• Usage, configuration, and diagnostic data
• Any data entered by Customer into the Services

Aspire does not intentionally process special categories of personal data.

4. Processor Obligations

Aspire shall:

1. Process Personal Data in accordance with Customer's documented instructions, except to the extent such processing is required to provide the Services, comply with Applicable Data Protection Laws, or is otherwise governed by the Terms of Use, this DPA, or Aspire's published policies and statements. Customer acknowledges that use of the Services constitutes documented instructions for processing consistent with the normal operation of the Services.
2. Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
3. Implement appropriate technical and organizational measures to protect Personal Data, as described in Aspire's Security Statement: https://www.quotewerks.com/securitystatement.asp
4. Not access, use, or disclose Customer Data except as necessary to provide the Services, comply with Applicable Data Protection Laws, or as otherwise permitted under the Terms of Use or this DPA.
5. Not sell or share Customer Data as those terms are defined under applicable U.S. state privacy laws, including the CCPA/CPRA.
6. Aspire's processing of Personal Data is further described in its Privacy Policy, available at https://www.quotewerks.com/privacypolicy.asp , which is incorporated by reference solely for descriptive purposes and does not expand Aspire's obligations under this DPA.

5. Sub-processors

Customer authorizes Aspire to engage Sub-processors for hosting, infrastructure, security, and operational support.

Current Sub-processors include, but are not limited to, major cloud infrastructure providers such as Microsoft Azure and Amazon Web Services, as disclosed on Aspire's GDPR information page: https://www.quotewerks.com/gdpr.asp

Sub-processors engaged by Aspire are subject to data protection obligations that are substantially equivalent to those set forth in this DPA, and Aspire remains responsible for the processing of Customer Data by such Sub-processors in accordance with Applicable Data Protection Laws.

6. International Data Transfers

Customer acknowledges that Aspire-hosted Services may be hosted or supported from locations outside the UK or EEA, including the United States.

Where required under Applicable Data Protection Laws, Aspire relies on lawful transfer mechanisms, including Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum (UK IDTA).

7. Assistance with Data Subject Rights

Taking into account the nature of processing, Aspire shall provide reasonable assistance to Customer in fulfilling Data Subject rights requests as required under Applicable Data Protection Laws.

Aspire may charge reasonable fees for assistance provided in connection with Data Subject requests to the extent permitted under Applicable Data Protection Laws.

8. Personal Data Breach Notification

Aspire shall notify Customer within a reasonable timeframe after becoming aware of a Personal Data breach affecting Customer Data. Notification may be supplemented as additional information becomes available.

Notification shall not be required where the incident is unlikely to result in a risk to the rights and freedoms of natural persons under Applicable Data Protection Laws.

9. Deletion or Return of Data

Upon termination or expiration of the Services, Aspire shall delete or return Customer Data in accordance with Customer instructions and Aspire's Privacy Policy.

10. Audits and Compliance

Aspire shall make available information reasonably necessary to demonstrate compliance with this DPA, primarily through documentation or third-party reports.

Requests must be limited in scope, not unreasonably interfere with operations, and may be subject to reasonable fees for time and resources expended beyond providing existing materials.

11. Government Access Requests

If Aspire receives a legally binding request from a governmental authority for access to Customer Data, Aspire shall, to the extent legally permitted, notify Customer of the request and provide reasonable assistance to allow Customer to seek a protective order or other appropriate remedy.

Aspire shall disclose only the minimum amount of Customer Data required to comply with such request.

12. Protected Health Information (PHI)

The Services are not designed to process, store, or transmit Protected Health Information (PHI) as defined under HIPAA. Customer shall not use the Services to process PHI unless a separate, written Business Associate Agreement (BAA) has been executed by Aspire.

13. Liability and Governing Terms

This DPA forms part of, and is subject to, the liability limitations, governing law, and dispute resolution provisions set forth in Aspire's Terms of Use: https://www.quotewerks.com/termsofuse.asp

Except as expressly stated in this DPA with respect to data protection obligations, the Terms of Use shall govern in the event of any conflict.

14. Term and Updates

This DPA remains in effect for the duration of Aspire's processing of Customer Data.

Aspire may update this DPA, including its descriptions of Services, Sub-processors, or processing practices, from time to time to reflect changes in Applicable Data Protection Laws, operational requirements, or the Services. Updated versions will be made available publicly and will apply prospectively.