Domos Data Processing Agreement

Last Modified: June 25, 2025

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Subscription Agreement between Domos and Customer (“Agreement”) to reflect the Parties’ agreement with respect to the Processing of Customer Personal Data. All capitalized terms used but not otherwise defined in this DPA will have the meanings set forth in the Agreement.

1. Definitions

“Customer Personal Data” means any Personal Data contained in Customer Property.

“Data Protection Laws” means any and all laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, each as amended, replaced or superseded from time to time. 

“Data Subject” means the identified or identifiable person to whom Personal Data relates. 

“Personal Data” means (a) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (b) any information defined as “personal data,” “personal information,” or other similar terms under applicable Data Protection Laws.

“Personal Data Breach” means the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Personal Data.

“Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means any person or entity which Processes Customer Personal Data, including as applicable any “service provider” or “contractor” as those terms are defined by applicable Data Protection Laws. 

“Regulator” means any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Data Protection Laws.

“Sub-processor” means any Processor appointed by or on behalf of Domos who may Process Customer Personal Data.

2. Processing of Personal Data

(a) Scope and Roles of the Parties. This DPA applies where and only to the extent Domos Processes Customer Personal Data that is governed by Data Protection Laws. In relation to Customer Personal Data, the Parties acknowledge and agree that Domos will be considered the Processor.

(b) Customer’s Processing of Personal Data. Customer shall, in its use of the Subscription Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.

(c) Domos’ Processing of Personal Data. The Parties agree that Customer Personal Data is being made available to Domos for the limited and specified purpose of providing the Subscription Services as contemplated by the Agreement. Domos will Process Customer Personal Data on behalf of Customer only in accordance with Customer’s documented instructions for the following purposes: (i) to fulfill Domos’ obligations under the Agreement; (ii) in accordance with the terms of the Agreement and this DPA; and (iii) to comply with other documented reasonable instructions provided by Customer. Nothing contained in this DPA will restrict Domos’ ability to Process Customer Personal Data where required to do so by applicable laws to which Domos is subject. 

(d) Details of Processing. The details of the Processing are as follows:

(i) Purpose: The purpose of Processing under this DPA is the provision of the Subscription Services pursuant to the Agreement.

(ii) Nature of Processing: Domos will perform Processing as needed for the purpose set out above, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this DPA.

(iii) Duration of Processing: Domos will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing. 

(iv) Categories of Personal Data: The types of Personal Data are determined and controlled by Customer in its sole discretion.

(e) Compliance. Domos will (i) comply with the obligations applicable to it as a Processor under applicable Data Protection Laws; (ii) provide the same level of privacy protection as required by applicable Data Protection Laws; and (iii) will notify Customer if Domos determines it can no longer meet its obligations as a Processor under applicable Data Protection Laws. 

(f) Restrictions. Without limiting Domos’ obligations under Section 2(c) of this DPA, Domos will not: (i) retain, use, or disclose Customer Personal Data for any purpose other than to perform its obligations under the Agreement, which for the avoidance of doubt prohibits Domos from retaining, using, or disclosing Customer Personal Data outside of the direct business relationship with Customer; (ii) “sell” or “share” (as those terms are defined by applicable Data Protection Laws) Customer Personal Data; or (iii) combine Customer Personal Data with Personal Data Domos receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(a)(10).

3. Confidentiality

Domos will take reasonable steps to ensure that any personnel who is authorized to Process Customer Personal Data is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to such Customer Personal Data.

4. Security

Domos will implement and maintain reasonable and appropriate technical and organizational safeguards to protect Customer Personal Data from Personal Data Breaches. 

5. Personal Data Breach

If Domos becomes aware of a Personal Data Breach, Domos will notify Customer without undue delay. Domos will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request and expense, Domos will provide reasonable assistance as necessary to enable Customer to notify relevant Regulators and/or affected Data Subjects, if required under Data Protection Laws.

6. Deletion or Return of Personal Data

Upon termination or expiration of the Agreement for any reason, Domos will, at the choice of Customer, delete or return all Customer Personal Data to Customer, unless otherwise required by law.

7. Data Subject Rights

Upon Customer’s written request, Domos will provide reasonable assistance to Customer to respond to any  requests from Data Subjects to exercise their rights under Data Protection Laws (“Data Subject Requests”). If a Data Subject Request or other communication regarding the Processing of Customer Personal Data is made directly to Domos, Domos will promptly inform Customer and will advise the Data Subject to submit their request directly to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Customer Personal Data.

8. Sub-processors 

Customer acknowledges and agrees that Domos may engage third-party Sub-processors to provide the Services and Process Customer Personal Data. With respect to each Sub-processor, Domos will enter into a written agreement containing, in substance, data protection obligations no less protective than those in this DPA with respect to the protection of  Customer Personal Data to the extent applicable to the nature of the services provided by such Sub-processor.

9. Compliance and Audits

(a) Demonstration of Compliance. Upon the reasonable request of Customer, Domos will make available to Customer all information in its possession that is reasonably necessary to demonstrate Domos’ compliance with this DPA. If Customer in its reasonable opinion determines that the information provided is not sufficient to confirm Domos’ compliance with its obligations under this DPA, Domos will allow for, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor to fulfill Customer's obligations under Data Protection Laws no more than once annually. Any such assessment will occur only after Customer has provided Domos with sixty (60) days prior written notice (unless otherwise agreed to between Domos and Customer in writing) and will be conducted pursuant to a mutually agreed upon date, time, and format. Such assessment will be subject to the following: (i) assessments must not unreasonably interfere with Domos’ business or operations, and the scope of such assessment will be subject to Domos’ reasonable pre-approval; (ii) individuals responsible for conducting such assessment will be subject to a contract of confidentiality with Domos; (iii) each Party will bear its own costs related to an assessment; and (iv) any information disclosed pursuant to this Section 9(a) will be deemed Domos’ Confidential Information.

(b) Customer’s Rights. Where required by applicable Data Protection Laws, Customer will have the right to take reasonable and appropriate steps to help ensure that Domos uses Customer Personal Data in a manner consistent with Customer’s obligations under applicable Data Protection Laws. Upon notice, Customer will have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.