Mitratech
Trakstar Terms & Conditions

Last updated on September 25, 2025

Subscription Agreement

Last Updated as of the 10th day of January, 2025

This Subscription Agreement (together with all Order Forms and Addenda attached hereto, the “Agreement”) of Mitratech Trakstar, Inc., a subsidiary of Mitratech Holdings, Inc., and its affiliates (“Trakstar”) governs all access to and use of the human resources computer program, software modules and interactive computer services for human resources and management solutions and all applicable documentation of Trakstar and its affiliates, together with all related interfaces, functionality, web-services, supplements, add-on components, corrections, bug fixes, modifications, enhancements, updates, new versions or releases that Trakstar subsequently may make available (collectively, the “System”), and constitutes a legally binding agreement between the entity for whom the System will be accessed and/or used (the “Client”), including without limitation all of Client’s personnel who access or use the System, and Trakstar.

THIS AGREEMENT CONTAINS VERY IMPORTANT INFORMATION REGARDING CLIENT’S RIGHTS AND OBLIGATIONS, AS WELL AS CONDITIONS, LIMITATIONS AND EXCLUSIONS THAT MIGHT APPLY TO CLIENT. PLEASE READ THIS AGREEMENT CAREFULLY BEFORE ACCESSING OR USING THE SYSTEM OR ANY PORTION THEREOF. BY CLICKING ON “I AGREE” OR BY ACCESSING OR USING THE SYSTEM OR ANY PORTION THEREOF, YOU, ON BEHALF OF THE CLIENT, ACKNOWLEDGE AND CONFIRM THAT: (A) YOU HAVE FULL AUTHORITY FROM THE CLIENT TO BIND THE CLIENT TO ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT; (B) YOU HAVE READ AND UNDERSTAND ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT; (C) CLIENT AGREES TO BE BOUND BY ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT; AND (D) CLIENT ACKNOWLEDGES THAT THIS AGREEMENT IS THE LEGAL EQUIVALENT OF A SIGNED, WRITTEN CONTRACT BETWEEN Trakstar AND CLIENT. IF YOU OR THE CLIENT WHOM YOU ARE REPRESENTING ARE NOT WILLING TO BE BOUND BY ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION THE PRECEDING ACKNOWLEDGEMENT AND AGREEMENT, THEN YOU MUST NOT SELECT THE ‘I AGREE’ BUTTON ASSOCIATED WITH THIS AGREEMENT AND YOU MUST NOT ACCESS OR USE THE SYSTEM OR ANY PORTION THEREOF; Trakstar DOES NOT AND WILL NOT GRANT YOU OR THE CLIENT ANY RIGHT OR LICENSE TO ACCESS OR USE THE SYSTEM OR ANY PORTION THEREOF.

THIS AGREEMENT REQUIRES THE USE OF ARBITRATION TO RESOLVE DISPUTES, RATHER THAN JURY TRIALS.

This Agreement applies to Client’s subscription to the System. This Agreement is subject to change by Trakstar at any time, in Trakstar’s sole discretion, upon Trakstar’s posting a notice on this website (the “Site”) or sending Client a notice via e-mail to notify Client that this Agreement has been revised, and Client hereby consents to receiving such notice in such manner. Any changes to this Agreement will be in effect as of the “Last Updated” date referenced above (the “Last Updated Date”). Client’s continued use of the System after the Last Updated Date will constitute Client’s acceptance of and agreement to such changes. All Order Forms (as defined below) between Trakstar and Client shall be governed by this Agreement.

1. Access to and Use of the System.

1.1. Order Forms. The parties must set forth those services within the System to which Client is receiving or will receive a subscription (the “Services”), together with the term of such subscription, associated fees and other terms, in a mutually approved (which approval may be evidenced in a written agreement, through a click-through agreement or through DocuSign or other reliable electronic means, regardless of whether approval occurs prior to, in conjunction with or following the Effective Date hereof), written order forms (each an “Order Form”). Hereafter, “System” shall be deemed to mean only those parts of the System necessary for Client to receive the Services to which Client has a subscription pursuant to an effective Order Form. The Services shall provide the business functionality set forth in Trakstar’s documentation, as amended by Trakstar from time to time as Trakstar modifies the System (the “Specifications”).

1.2. Access. Subject to the terms and conditions of this Agreement, including the timely payment of all fees due hereunder, Trakstar hereby: (a) agrees to make available to the personnel that Client authorizes to access and use the System (each a “User” and collectively the “Users”) non-exclusive access to the System via the Internet in accordance with the standard access protocol of Trakstar; (b) authorizes Client, on a non-exclusive, non-transferable basis, to have Users access and use the System, which will at all times reside on servers owned or controlled by Trakstar; and (c) authorizes Client, on a non-exclusive, non-transferable basis, to have Users make a reasonable number of copies of Trakstar’s standard documentation that Trakstar provides to Client from time to time (“Documentation”), in whole or in part, as required for Client to produce internal support, training or communication materials regarding usage of the System.

1.3. Limited Scope. Trakstar is providing a limited term subscription to access and use the System during the term set forth on Client’s Order Form. Client acknowledges that access to, and use of, the System is limited to the scope of the express provisions set forth in Section 1.1 and Section 1.2 above and that there are no implied licenses; all rights not expressly granted under this Agreement are reserved by Trakstar.

1.4. Restrictions. Client agrees that it will not, and will not allow its directors, officers, employees, business partners, contractors or agents to:

a. Reverse assemble, reverse engineer, decompile or otherwise attempt to derive source code from the System or any component thereof;

b. Copy, reproduce, modify, sell, lease, sub-license, market or commercially exploit in any way the System or any component thereof (including the further distribution of blank forms or templates) other than as expressly agreed to in this Agreement;

c. Use, or permit the use of, the System except for Client’s internal purposes. Client agrees that it shall not provide access to or perform services for third parties using the System including, but not limited to, any service bureau, time-sharing, lease, distribution or re-sale, rental, application service provider arrangement, or any other arrangement;

d. Disclose, resell or grant access to an access code to the System or any component thereof to any third party not affiliated with Trakstar.

1.5. Updates. Trakstar may, at its sole discretion, make available error corrections, bug fixes, modifications or minor enhancements to the System (each an “Update” and collectively “Updates”) that Trakstar generally makes available to its clients that subscribe to the same Services.

1.6. Upgrades. Trakstar may develop new modules that provide new functionality or services (each an “Upgrade”) that are not part of the Services to which Client is subscribing. Client may, at Client’s discretion, purchase a subscription to an Upgrade pursuant to the terms of a new Order Form.

1.7. Certain Parts of the System.

a. Client acknowledges and agrees that certain parts of the System may be used only to transmit and store resumes (or CVs), files associated with the process of hiring a candidate (hereinafter referred to as “Candidate”), job descriptions and comments with respect to the foregoing. In such parts of the System, Client may not (i) use the Service to upload advertisements or materials other than materials regarding the candidate search process, job descriptions and comments, or (ii) transmit unsolicited information, materials or data (including, without limitation, “spam” messages).

b. Client further acknowledges and agrees that Client may not: (i) transmit any code of a destructive nature or that attempts to automatically gather information from the screen (screen scraping); or (ii) use automated systems (“bots”) to upload multiple streams of data, such as for multiple Candidates, at once. If Trakstar reasonably deems Client’s bandwidth usage to be excessive (as determined solely by Trakstar), in order to protect the responsiveness of services for all clients, Trakstar reserves the right, upon notice to Client, to reduce or disable Client’s use of this part of the System until Client can reduce its bandwidth consumption.

1.8. Right to Modify the System.

a. Trakstar provides a platform that can be configured to meet the needs of its clients without customizing the software directly as part of a one-off build for a given client. However, if Client desires specific development work, then Client will suggest the same to Trakstar and, upon Trakstar and Client executing a written order for the specific development work (“Specific Work”) for the fees set forth in such order, Trakstar will use commercially reasonable efforts to develop such Specific Work and make available the Specific Work to Client as part of the Services.

b. Trakstar reserves the right, in its sole discretion and without incurring any liability to Client, to change, enhance and otherwise modify the specifications for, and formulations and methods of provision of, the System and the Services, provided that such alterations will not materially reduce the functionality of the same. Trakstar further reserves the right, in its sole discretion, to create new products and/or services based upon or incorporating the System, the Services or elements thereof.

1.9. Third Party Products and Services.

a. Client may make certain parts of the System interoperate with third-party products or services, including by way of illustration but not limitation human capital management software, virtual meeting software or document management software (collectively, “Third Party Products”). Any access to or use by Client of such Third Party Products in connection with the Services, and any exchange of data between Client and any third party provider of such Third Party Product (each a “Third Party Provider”), is solely between Client and the applicable Third Party Provider. Trakstar does not warrant or support Third Party Products, whether or not they are designated by Trakstar as “certified” or otherwise, except as expressly specified in an Order Form.

b. If Client uses a Third Party Product in connection with a Service, then (i) Client shall ensure that it has sufficient rights in the Third Party Product and its own Client Data to allow such use by the Third Party Provider and (ii) Client hereby grants to Trakstar permission to allow the applicable Third Party Provider to access the Client Data as required for the interoperation of that Third Party Product with the Services. Trakstar is not responsible for any disclosure, distribution, modification or deletion of Client Data resulting from such access by a Third Party Provider or Third Party Product.

c. Certain features of the System may interoperate with Third Party Products. If Client desires to use such features of the System, then (i) Client will obtain authorization from the Third Party Provider to have the System interface with and access the Third Party Products, and (ii) Client hereby grants Trakstar permission to have the System interface with and access the account(s), data, materials, and other information of Client on the Third Party Product (collectively, “Client’s Third Party Product Materials”) to allow such Third Party Product to interoperate with the Services. Trakstar is not responsible for the operation of any Third Party Product or the availability or operation of the Services to the extent such availability and operation is dependent upon a Third Party Product. If the Third Party Provider ceases to make the Third Party Product available for interoperation with the corresponding Service features on reasonable terms, Trakstar may cease providing those Service features without entitling Client to any refund, credit, or other compensation.

d. Client will (i) be responsible for complying (including, without limitation, ensuring that all Users comply) with this Agreement and Trakstar’s policies available at: https://www.trakstar.com/acceptable-use-policy/, each of which is incorporated into and made a part of this Agreement by reference, (ii) be responsible for ensuring that Client Data and Client’s Third Party Product Materials are at all times accurate and appropriate, are not acquired or provided to Trakstar in violation of any applicable law, policy, contractual restrictions, or other third party rights, and do not infringe or misappropriate any intellectual property or other rights of any party, (iii) use all commercially reasonable efforts to prevent unauthorized access to or use of Services, and notify Trakstar promptly of any such unauthorized access or use, and (iv) use the Services only in accordance with the Documentation and applicable laws and government regulations.

e. Parts of the System may contain links to third party websites and vendors. Any such links to other websites and/or vendors do not represent Trakstar’s endorsement, sponsorship, or approval of such websites (or any content found thereon) or vendors. Client acknowledges that Trakstar does not control such other websites and vendors. Client understands and agrees that Trakstar does not make any representation or warranty whatsoever about any third party website or vendor, or endorse the products or services offered on or by any such website or vendor. Trakstar hereby disclaims: (i) all responsibility and liability for content on third party websites; and (ii) any representations or warranties as to the security of any information (including, without limitation, credit card and other personal information) Client might provide to a third party, and Client hereby irrevocably waives any claim against Trakstar and its directors, officers, employees, agents and members with respect to such websites (including the content thereon) and vendors.

2. Term and Termination.

2.1. Agreement Term. The initial term of this Agreement shall commence upon the date on which Client has both (a) clicked “Accept” to this Agreement and (b) entered into an Order Form with Trakstar (the “Effective Date”) and, unless earlier terminated in accordance with this Agreement, continue until there is no Order Form in effect.

2.2. Order Form Term. The term of each Order Form shall begin on the ‘begin date’ of the applicable Order Form (the “Order Form Begin Date”) and shall continue for the duration specified on the relevant Order Form (the “Order Form Initial Term”), at which time, subject to any fee changes made by Trakstar pursuant to this Agreement, the Order Form Term shall automatically renew for subsequent renewal terms each of that number of years equal to the number of years of the Order Form Initial Term (each an “Order Form Renewal Term” and, together with the Order Form Initial Term, “Order Form Term”), unless and until either Party provides written notice of intent not to renew at least sixty (60) days prior to the end of the then-current Order Form Term.

2.3. Termination. Upon a material breach of this Agreement, the non-breaching Party may send written notice to the breaching Party informing the breaching Party of the nature of the breach and providing thirty (30) days to cure a non-monetary breach and ten (10) days to cure a monetary breach (the “cure period”). If the breaching Party does not cure the material breach within the cure period, the non-breaching Party may immediately terminate this Agreement.

2.4. Effects of Termination.

a. Upon expiration or termination of an Order Form for any reason, (i) any amounts owed to Trakstar under the Order Form before such expiration or termination will be immediately due and payable, and Client will promptly pay any and all such amounts (and with respect to any amounts not paid due to a reasonable dispute, such amounts will be paid at the time of, and to the extent required by, resolution of the dispute, together with Late Payment Fees (as defined below), if any) and (ii) all rights to access or use the Services specified in the Order Form, and the associated System, will immediately terminate.

b. Upon expiration or termination of the Agreement for any reason, (i) any amounts owed to Trakstar under all Order Forms before such expiration or termination will be immediately due and payable, and Client will promptly pay any and all such amounts (and with respect to any amounts not paid due to a reasonable dispute, such amounts will be paid at the time of, and to the extent required by, resolution of the dispute, together with Late Payment Fees (as defined below), if any), (ii) all access to or use of the Services specified under all Order Forms, and the associated System, will immediately terminate and Client and all Users will immediately cease accessing or using the without limitation any Confidential Information) of the other Party in its possession or control and (iv) Client may access and download the Client Data (as defined below) from the System and, to the extent that Client requests the same within five (5) days of the expiration or termination date, Trakstar will, at Client’s expense, assist Client in downloading the Client Data in its then-current state but in a format reasonably acceptable to Client. Trakstar will perform off-boarding activities in accordance with Trakstar’s standard procedures, a copy of which is available upon request.

c. Further, upon expiration or termination of the Agreement for any reason, Client acknowledges and agrees that, unless the parties have otherwise previously agreed in writing or Trakstar is otherwise required by law to do so, Trakstar is not obligated to retain any Client Data for longer than thirty (30) days after the date of expiration or termination and Client authorizes Trakstar to permanently delete all Client Data that remains in Trakstar’s possession or control at the end of such 30 day period. Client shall be solely responsible for downloading all Client Data and complying with all data retention laws applicable to Client.

d. The following Sections will survive the termination or expiration of this Agreement: 2.4; 3.2; 3.3; 8; 9.1; 9.2; 9.3; 9.4; 9.5; 10; 11.2; 11.3; 11.4; 12; 14; and 15.

3. Fees; Payment and Taxes

3.1. Subscription Fees.

a. Client will pay Trakstar the “per seat” subscription fee set forth on the Order Form (the “Subscription Fee”), on an annual basis in advance upon receipt of invoice. Client must provide full legal name, full company name, a valid e-mail address, correct billing information and any other information requested, including any changes in this information throughout the term of the contract, in order to complete the payment process. Client acknowledges and agrees that if Client adds additional seats at any time(s) during the term, then Trakstar may invoice Client for such additional seats at the then-current Subscription Fee. All Subscription Fees are non-refundable with the exception of circumstances in which Client terminates this Agreement for Trakstar’s material, uncured breach in accordance with Section 2.3 above, in which case Client shall receive a pro-rated refund of the prepaid Subscription Fee for the remainder of the Contract Year (as defined below).

b. Client acknowledges and agrees that Subscription Fees, which are the fees paid for each “seat,” are fixed for each Contract Year during the term (provided that Client understands that it will be required to pay for additional seats that it adds at any point(s) during the term), where “Contract Year” means each 12-month period during the term of the applicable Order Form, with the first Contract Year commencing on the effective date of such Order Form and each subsequent Contract Year commencing on the annual anniversary of such effective date. Trakstar may change the Subscription Fees for the next Contract Year upon providing at least seventy-five (75) days’ notice to Client. Trakstar may provide such notice by e-mail, posting to the Site or posting on the System itself, and Client hereby consents to receiving such notice in such manner.

3.2. Late Fees.

a. Client will pay all invoiced amounts to the extent not subject to reasonable dispute within thirty (30) days of the date of invoice unless otherwise expressly set forth in the applicable Order Form. Client will pay all invoiced amounts for subsequent years as set forth in the applicable Order Form within thirty (30) days of the date of invoice unless otherwise expressly set forth in the applicable Order Form. Client will pay all withheld invoiced amounts that had been subject to reasonable dispute to the extent and at the time required by resolution of the dispute.

b. Until paid in full, all amounts that are not subject to good faith dispute that are not paid within thirty (30) days of the date of invoice may, at Trakstar’s discretion, bear an interest charge at the lesser rate of twelve percent (12%) on an annualized basis or the maximum amount permitted under applicable law (the “Late Payment Fee”). With respect to amounts that were subject to good faith dispute, Client will promptly pay such amounts to the extent required by and at the time of the dispute resolution, together with the applicable Late Payment Fee, if any.

3.3. Taxes. All Subscription Fees are exclusive of, and Client will be responsible for, all taxes (including without limitation sales, value-added and similar taxes), duties and the like, other than taxes based upon or calculated by Trakstar’s net income.

4. Service Level Commitment

4.1. Availability; Service Level Exceptions. Trakstar shall use diligent, commercially reasonable efforts with the objective of making the System available to Client at least 99.5% of the time, subject to the following exceptions (“Service Level Exceptions”), for which Trakstar will not be liable:

a. periodic maintenance procedures, enhancements, repairs or corrections with respect to the System or server(s), as deemed necessary by Trakstar (which includes, but is not limited to, infrequent product updates and improvements);

b. periods during which Trakstar has suspended Client’s access to the System as a result of Client’s material breach of this Agreement, which includes without limitation failure to make timely payment of amounts that are due and are not subject to reasonable dispute, provided that Trakstar notifies Client of such material breach and Client does not cure such breach within ten (10) days of receipt of notice;

c. acts or omissions of Client or its Users that cause the service level shortcoming or failure, which by way of illustration but not limitation include Client’s misuse of the System, scheduled or unscheduled outages of the User’s internet browser, known and persistent slow response time on a User’s internal network, or problems with the User’s computer hardware, telecommunications system or electricity; or

d. causes beyond the reasonable control of Trakstar or that are not reasonably foreseeable by Trakstar, including interruption or failure of telecommunication or digital transmission links, delays or failures due to Client’s Internet Service Provider (ISP), hostile network attacks, network congestion or other Force Majeure Event (as defined in Section 13 below).

4.2. Client Obligation. Client agrees that it shall notify Trakstar immediately if Client suspects the System is unavailable due to a fault of Trakstar. In such notice, Client shall provide reasonable information as requested by Trakstar for proper diagnosis and repair.

4.3. Outages. For purposes of this Agreement, an “Outage” occurs when the System is unavailable to Client in Client’s hosted production environment for a reason other than a Service Level Exception and such unavailability causes the System not to meet the 99.5% availability objective (with any Service Level Exception time not counted toward the unavailable time). If an Outage occurs in three (3) consecutive months, then Client may terminate this Agreement upon providing written notice to Trakstar, provided that Client must exercise this right to terminate within thirty (30) days of the latest consecutive Outage or the Agreement will be considered in good standing.

5.Support

5.1.First-Line Support. Client shall provide first-line support to its Users. Client shall appoint an “Internal Administrator” and notify Trakstar in writing regarding the Internal Administrator’s name and contact information. The Internal Administrator shall be responsible for: input of all Client-related information and data, User ID information, and organizational structure (including without limitation accurate job titles and/or roles, which will be used in connection with role-based access to the System); and training of Client’s Users. All User questions regarding the functioning of the System shall be directed first to Client’s Internal Administrator.

5.2.Second-Line Support. Provided that Client is current in its payment of Subscription Fees under this Agreement, Trakstar shall provide its standard technical support and maintenance to Client, solely through Client’s Internal Administrator, during Trakstar’s normal business hours (9:00 AM-8:00 PM Eastern Time M-F). Trakstar may provide such support via telephone, e-mail and other Internet based technology directly to Client’s Internal Administrator. Second-line support means direct technical support of the System, including, but not limited to: (a) direct response to the Internal Administrator’s inquiries concerning performance, functionality or operation of the System; (b) a direct response to reported problems for performance deficiencies with the System; (c) a diagnosis of problems for performance deficiencies of the System; and (d) a resolution of the problems for performance deficiencies of the System. Trakstar shall also provide standard error correction and maintenance modifications to the System.

5.3.Additional Support. Notwithstanding the above, if Trakstar makes a reasonable business determination that the technical support requested by Client pursuant to Section 5.2 will entail detailed, specialized maintenance or support services different in kind or amount from those provided to other clients that subscribe to similar Services, then Trakstar shall notify Client that the requested support is considered an additional service which shall be subject to additional fees, to be negotiated.

5.4.Response Commitments. During our Business Hours (9:00 AM-8:00 PM Eastern Time M-F):

Severity Level | Description | Communication Schedule
Critical | The Services are non-operational, or Users cannot access the System. | Post hourly
High | The Services are operational with functional limitations or restrictions but there is minimal business impact. | Post every 4 hours
Standard | The Services are operational with functional limitations or restrictions that are not critical to the overall System operation, and the issue has a moderate impact on the functionality of the Services. | Post as required

6.System Maintenance

Trakstar shall employ industry standard practices, using technical and organizational security measures customarily adhered to within the industry, to ensure the security, confidentiality and integrity of all Client data and other information or materials transmitted to or stored on the System by or on behalf of Client or any User (“Client Data”). Trakstar shall make backups of the Client Data in the System on a daily incremental basis during the week on a rolling, 7-day basis, and a full backup each weekend.

7.Certain Client Obligations

7.1.Client is responsible for all activity occurring under its account and will comply with all applicable local, state, national and foreign laws, treaties, and regulations in connection with its access or use of the System, including those related to data privacy, data security, international communications and the transmission of technical or personal data. Client will be solely responsible for ensuring that its Users receive sufficient training to enable proper access or use of the System. Client will be solely responsible for, and will bear the cost of, providing all equipment, facilities and connectivity, including without limitation any Internet access or telecommunications services, necessary to use and access the System.

7.2.A Client’s Users will access the System through Single Sign On (SSO) or non-SSO. If Client is to access the System through SSO, then Client will be responsible for administering the User credentials. If Client is to access the System through non-SSO, then as part of the registration and account creation process, each of Client’s Users will need a unique user name (“User Name”) and password (“Password”). User may not select a User Name that is identical to that used by another person or use a User Name that, in the sole opinion of Trakstar, is offensive or inappropriate. Client shall be solely responsible for its Users’ maintaining the confidentiality of Passwords. Client is solely responsible for all usage or activity on Client’s account, including but not limited to use of Client’s account, Client’s User Names, and Password by any third party. Any fraudulent, abusive, or otherwise illegal activity may be grounds for termination of Client’s account, in Trakstar’s sole discretion, and Trakstar may refer Client to appropriate law enforcement agencies.

8.Confidential Information; Personal Information

8.1.Confidential Information.

a.For purposes of this Agreement, “Confidential Information” means (i) with respect to each party, all nonpublic, business-specific information disclosed or otherwise made available under this Agreement (but in all cases excludes Personal Information, which is addressed in Section 8.2 below) that relates to the provision or receipt, respectively, of the Services or either party’s suppliers, affiliates, investors, customers, products and/or services, pricing, research and development, technology, intellectual property, financial data, or operations and that is clearly identified as confidential at the time of disclosure or that, in light of the nature of the information itself or the circumstances surrounding its disclosure, ought in good faith to be deemed confidential, and (ii) with respect to Trakstar, the System and the Documentation.

b.Obligations. Client agrees to disclose to Trakstar only that Confidential Information of Client that is reasonably necessary to enable Trakstar to provide the Services, and Trakstar agrees to disclose to Client only that Confidential Information of Trakstar that is reasonably necessary to enable Client to receive the Services. The party receiving Confidential Information (the “Receiving Party”) from the other party (the “Disclosing Party”) will not use any Confidential Information of the Disclosing Party for any purpose other than the provision and receipt of Services under this Agreement, respectively, in accordance with all terms and conditions of this Agreement. Further, the Receiving Party will disclose the Confidential Information of the Disclosing Party only to the employees or contractors of the Receiving Party who have a need to know such Confidential Information for purposes of this Agreement and who are under a duty of confidentiality no less restrictive than the Receiving Party’s duty hereunder. The Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access or disclosure in the same manner as the Receiving Party protects its own confidential or proprietary information of a similar nature and with no less than reasonable care. Client also agrees not to: (i) disclose to third parties (whether in writing or orally) any benchmark test data related to the System; and (ii) use Trakstar’s Confidential Information to create, or have a third party create, any computer software or documentation that is substantially similar to the System software.

c.Termination of Obligations. The Receiving Party’s obligations under this Section 8.1 with respect to any Confidential Information of the Disclosing Party will terminate if and when the Receiving Party can document that such information: (i) was already lawfully known to the Receiving Party at the time of disclosure by the Disclosing Party; (ii) is disclosed to the Receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (iii) is, or through no fault of the Receiving Party has become, generally available to the public; or (iv) is independently developed by the Receiving Party without access to, or use of, the Disclosing Party’s Confidential Information. In addition, the Receiving Party will be allowed to disclose Confidential Information of the Disclosing Party to the extent that such disclosure is: (1) approved in writing by the Disclosing Party; (2) necessary for the Receiving Party to enforce its rights under this Agreement in connection with a legal proceeding; or (3) required by law or by the order of a court or similar judicial or administrative body, provided that the Receiving Party notifies the Disclosing Party of such required disclosure promptly and in writing and cooperates with the Disclosing Party, at the Disclosing Party’s reasonable request and expense, in any lawful action to contest or limit the scope of such required disclosure.

d.Return of Confidential Information. The Receiving Party will return to the Disclosing Party or destroy all Confidential Information of the Disclosing Party in the Receiving Party’s possession or control and permanently erase all electronic copies of such Confidential Information promptly upon the written request of the Disclosing Party.

8.2.Personal Information. Client Data might include information that can be used to identify, locate, or contact an individual, alone or when combined with other personal or identifying information (“Personal Information”). Each party’s rights and obligations with respect to Personal Information are set forth in Addendum A attached hereto.

9.Client Data; Client-Third Party System

9.1.Client at all times has and will have sole responsibility:

a.with respect to Client Data, for the accuracy, quality, integrity, legality, reliability and appropriateness of all Client Data, and Client hereby represents, warrants and covenants to Trakstar that (i) Client has all necessary rights in all Client Data and other Confidential Information (including without limitation all intellectual property rights and trade secrets rights), and has obtained all necessary consents, made all necessary disclosures and otherwise complied with all applicable laws and regulations, including without limitation all privacy and data security laws and regulations, to transmit, input, load and use such Client Data and/or other Confidential Information that it enters into the System and to allow Trakstar to provide the Services, as are required by applicable laws, rules or regulations and (ii) Client will be responsible for all appropriate safeguards for the privacy and security of such Client Data and other Confidential Information while the same is within Client’s custody or control, including without limitation the administrative, physical and technical safeguards regarding the same while such Client Data and other Confidential Information is within Client’s custody or control.

b.with respect to any third party system, application, software or online service that Client requests Trakstar to access or use (each a “Client-Third Party System” and, collectively, the “Client-Third Party Systems”), for the quality, integrity, legality, reliability and appropriateness of all Client-Third Party Systems, and Client hereby represents, warrants and covenants to Trakstar that Client has all necessary rights in all Client-Third Party Systems (including without limitation all license and contract rights), and has obtained all necessary authorization from the relevant third parties, to have Trakstar access and use the Client-Third Party Systems pursuant to Client’s written instructions to allow Trakstar to access and use such Client-Third Party Systems in connection with the Services.

9.2.Where Client, by virtue of itself and/or the Client Data that is submitted to the System, is subject to the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the terms of Trakstar’s data processing addendum attached as Addendum A (the “DPA”), together with the Standard Contractual Clauses and Appendices thereto, form a part of and are hereby incorporated into this Agreement by this reference and apply to the extent Client Data includes Personal Information. For the sake of clarity, when interpreting the DPA, Client will be the data controller, and Trakstar will act as a data processor. In the event Personal Information is transferred from the European Economic Area (EEA), the United Kingdom and/or Switzerland, the Standard Contractual Clauses or another adequate means of protection will apply, as further set forth in the DPA. For the purposes of the Standard Contractual Clauses, Client and its applicable affiliates are each the data exporter, and Client’s acceptance of this Agreement will be treated as Client’s or its applicable affiliate’s execution of the Standard Contractual Clauses and Appendices.

9.3.Where Client, by virtue of itself and/or the Client Data that is submitted to the System, is subject to other Data Regulations, Client shall at all times comply with the Data Regulations. For purposes of this Agreement, “Data Regulation” means any applicable data protection, privacy or similar law or regulation that applies to data processed in connection with this Agreement, including FTC Guidance, self-regulatory principles set forth by the Digital Advertising Alliance, the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., and other U.S. state and federal legislation relating to data privacy and security, in each instance with respect to each of the foregoing as such laws and regulations are amended and revised from time to time.

9.4.Client acknowledges that use of the Services involves transmission of Client Data and other communications over the internet and other networks, and that such transmissions could potentially be accessed by unauthorized parties. Client must promptly notify Trakstar of any suspected security breach at [email protected]. Client is fully responsible, and Trakstar has no liability, for any viruses, worms, Trojan horses, or other disabling code, malware component, or code or program harmful to a network or system (collectively, “Malware”) contained in or originating from Client Data, provided that such Malware was not introduced to the Client Data through Trakstar or did not originate from Trakstar.

9.5.Client hereby authorizes Trakstar to receive, maintain, modify, distribute and display Client Data during the term of this Agreement, solely to enable Trakstar to provide the Services to Client and as otherwise authorized under this Agreement. Client further authorizes Trakstar to collect anonymized Service information, such as usage or traffic patterns, and aggregate it with such data from other clients to generate statistical information to analyze and improve the Services and to develop, display and distribute Trakstar’s Insights benchmark and similar reports, provided that Trakstar takes reasonable measures to ensure this information cannot be associated with Client, Client’s Users, or any identifiable natural person and provided further that Trakstar may only use such anonymized and aggregate Service information in deidentified form and may not attempt to reidentify the information. Except as permitted in this Agreement, Trakstar will not edit, delete, or disclose the contents of Client Data unless authorized by Client or unless Trakstar is required to do so by law or in the good faith belief that such action is necessary to: (i) conform with applicable laws or comply with legal process served on Trakstar; (ii) protect and defend the rights or property of Trakstar; (iii) enforce this Agreement; or (iv) perform Trakstar’s obligations described in this Agreement, the Specifications or in conformance with Client’s instructions.

9.6.Client will be solely responsible where Client, a person or entity acting on behalf of Client or a User deletes, corrects, destroys, damages, loses or fails to store any Client Data.

10.Intellectual Property

10.1.Trakstar Property. Client acknowledges that, as between Trakstar and Client, Trakstar is and will remain sole and exclusive owner of all right, title and interest in and to the System and Documentation, and all components and portions thereof, and all other materials, information, processes and technology used by Trakstar or made available to Client in connection with the Services, and any and all improvements, enhancements, updates, upgrades and modifications to any of the preceding (whether or not made in conjunction with this Agreement) and all Specific Works, and all patent, trade secret, copyright, trademark and other proprietary rights worldwide embodied in each of the preceding.

10.2.Client Property. As between Client and Trakstar, Client is and will remain the sole and exclusive owner of all right, title and interest in and to Client’s Confidential Information and the Client Data.

10.3.Protection of Proprietary Rights. Client shall not remove or obscure any proprietary, copyright, patent, trademark, design right, trade secret, or any other proprietary rights legends from the System or Documentation.

11.Limited Warranty; Disclaimer

11.1.Warranty. Trakstar represents and warrants that the System and the Services provided under this Agreement will substantially conform to the Specifications and the Documentation made available by Trakstar.

11.2.Disclaimer. Except as expressly provided in Section 11.1 above, Trakstar and its licensors expressly disclaim any and all representations, warranties and conditions of any kind or nature, express or implied, whether written or oral, including without limitation, representations, warranties and conditions of satisfactory quality, performance, merchantability, merchantable quality, durability, fitness for a particular purpose, title, non-infringement and those arising by statute or otherwise in law or from a course of dealing or use of trade. Trakstar and its licensors do not represent or warrant that: (a) the Services will meet the Client’s business requirements; (b) the Services will be error-free or uninterrupted or that the results obtained from its use will be accurate or reliable; or (c) all deficiencies in the System or any Services can be found or corrected. Some states do not allow limitations relating to implied warranties, so the above limitations may not apply to Client.

11.3.Acknowledgement. Where applicable, Client acknowledges that Trakstar has no control over, and no duty to take any action regarding: which of the Client’s Client Data the Client accesses via the System; what effects the Client Data may have on Client or any User; how Client may interpret or use the Client Data; or what actions Client may take as a result of having been exposed to the Client Data. Client releases Trakstar from any and all liability for Client having acquired or not acquired, used or not used, relied upon or not relied upon, acted upon or not acted upon Client Data obtained or obtainable through the System. Trakstar makes no representations or warranties concerning the content of any Client Data contained in or accessed through the System, and Trakstar will not be responsible or liable for the accuracy, completeness, copyright compliance or legality of Client Data contained in or accessed through the System.

11.4.Exclusive Remedy. Except for the exclusive remedy as provided above for service level commitments, and except for the exclusive remedy provided by Trakstar for infringement, for any breach of warranty or the failure of Trakstar to provide the services as required herein (a “deficiency”), the Client’s sole and exclusive remedy and Trakstar’s entire obligation hereunder shall be, at Trakstar’s option, for Trakstar to cure the deficiency or for Trakstar to refund an amount equal to the amount Client paid for the deficiency reduced by any benefit received by Client for the deficiency.

12.Limitations of Liability; Indemnification

12.1.Limitations.

a.TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, FOR ANY BREACH OR DEFAULT BY TRAKSTAR OF ANY OF THE PROVISIONS OF THIS AGREEMENT OTHER THAN ANY BREACH OR DEFAULT OF ADDENDUM A, UNDER NO CIRCUMSTANCE WILL TRAKSTAR AND ITS LICENSORS’ ENTIRE LIABILITY, IF ANY, EXCEED ONE TIMES (1X) THE SUBSCRIPTION FEE ACTUALLY PAID BY CLIENT TO TRAKSTAR FOR THE CONTRACT YEAR IN WHICH THE CAUSE OF ACTION FIRST AROSE. TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, FOR ANY BREACH OR DEFAULT BY TRAKSTAR OF ADDENDUM A, UNDER NO CIRCUMSTANCE WILL TRAKSTAR AND ITS LICENSORS’ ENTIRE LIABILITY, IF ANY, EXCEED ONE TIMES (1X) THE SUBSCRIPTION FEE ACTUALLY PAID BY CLIENT TO TRAKSTAR FOR THE CONTRACT YEAR IN WHICH THE CAUSE OF ACTION FIRST AROSE.

b.TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, IN NO EVENT WILL TRAKSTAR AND ITS LICENSORS BE LIABLE FOR SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL LOSS OR DAMAGE, LOST BUSINESS REVENUE, LOSS OF PROFITS, LOSS OF DATA, LOSS OF COVER, DAMAGES FOR DELAY, PUNITIVE OR EXEMPLARY DAMAGES, FAILURE TO REALIZE EXPECTED PROFITS OR SAVINGS OR ANY CLAIM AGAINST CLIENT BY ANY OTHER PERSON, REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER IN AN ACTION BASED ON CONTRACT, WARRANTY, STRICT LIABILITY, TORT (INCLUDING BUT NOT LIMITED TO NEGLIGENCE) OR OTHERWISE, EVEN IF TRAKSTAR AND ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH LOSSES OR DAMAGES AND EVEN IF THE REMEDY SET FORTH HEREIN SHALL BE DEEMED TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.

c.EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY TRAKSTAR TO CLIENT AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT. THE LIMITATIONS IN THIS SECTION 12 WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY IN THIS AGREEMENT.

12.2.Disclaimer. To the fullest extent allowed by law, Trakstar disclaims any liability or responsibility for the reliability, availability, or operability of the Services provided through the System. By using the System, Client acknowledges that Trakstar is not responsible or liable for any harm resulting from: (a) use of the System; (b) the temporary or permanent inability to access or retrieve any content from the System; and (c) downloading information contained on the System, including, without limitation, harm caused by viruses, worms, trojan horses, or any similar contamination or destructive program. The limitations specified in this Section will survive termination or expiration of this Agreement.

12.3.One Year Limit. No Party may bring an action, regardless of form, arising out of or related to this Agreement (other than to recover fees or expenses due to Trakstar) more than one year after the cause of action has arisen or the date of discovery of such cause, whichever is later.

12.4.Indemnification by Client. Subject to the provisions contained herein, Client agrees to defend, indemnify and hold Trakstar and its officers, directors, employees, agents, affiliates, licensors, distributors, and resellers harmless against any loss, damage, expense, or cost, including reasonable attorneys’ fees (including allocated costs for in-house legal services) (“Liabilities”) arising out of any claim, demand, proceeding, or lawsuit by a third party relating to Client’s acts or omissions related to Client’s representations, warranties and covenants set forth in Section 9.1.

12.5.Indemnification by Trakstar. In the event of a third party claim against Client asserting that Client’s use of the System infringes upon or violates any U.S. patent, copyright, trade secret, or other proprietary right, as Client’s exclusive remedy, Trakstar will defend, at Trakstar’s expense, and will indemnify Client and hold Client harmless against any loss, cost, expense (including attorneys’ fees), or liability arising out of such claim, whether or not such claim is successful. In the event an injunction or order should be obtained against use of the System by reason of the allegations, or if in Trakstar’s opinion the System is likely to become the subject of such a claim of infringement, Trakstar will, at its option and its expense, and as Client’s exclusive remedy: (a) procure for the Client the right to continue using the System; (b) replace or modify the same so that it becomes non-infringing (such modification or replacement shall be functionally equivalent in all material respects to the original); or (c) if neither (a) nor (b) is practicable, refund any prepaid subscription fees, on a pro-rated basis, for Services not rendered and terminate this Agreement. Notwithstanding the foregoing, Trakstar will not indemnify Client to the extent that the claim arises because Client altered the System or used it outside the scope of use identified in Trakstar’s user documentation. In addition, Trakstar will not indemnify Client to the extent that an infringement claim is based upon (i) any information, design, specification, instruction, software, data, or material not furnished by Trakstar; (ii) any system from a third party portal or other external source that is accessible to Client within or from the System (e.g., a third-party Web page accessed via a hyperlink); or (iii) the combination of any system with any products or services not provided by Trakstar. This Section provides Client’s exclusive remedy for any infringement claims or damages.

13.Force Majeure

Notwithstanding anything in this Agreement to the contrary, each party will be excused from performance hereunder (excluding payment obligations) for any period and to the extent that it is prevented from performing pursuant hereto, in whole or in part, as a result of delays caused by a Force Majeure Event. For purposes of this Agreement, “Force Majeure Event” means an act of God, war (whether or not actually declared), armed conflict or the serious threat of the same, hostility, blockade, military embargo, sabotage, insurrection, rebellion, act of a public enemy, riot or other act of civil disobedience, governmental act, judicial action, explosion, act of terrorism or threat thereof (including cyberterrorism), natural disaster (including without limitation asteroid strikes or volcanic activity), violent storm (including without limitation hurricanes, tornadoes or blizzards), atmospheric disturbance (including without limitation geomagnetic storm, solar flare or sun outage with respect to electricity grids, transformers and satellite transmissions), destruction by lightning, fire, earthquake, tsunami, flood, plague, epidemic, pandemic, quarantine, civil commotion, strike or lockout or labor dispute (excluding for the avoidance of doubt strikes of Trakstar’s staff), satellite malfunction, prolonged internet outage, communications line failure or power failure.

14.Waiver of Jury Trials and Binding Arbitration

14.1.CLIENT AND TRAKSTAR ARE AGREEING TO GIVE UP ANY RIGHTS TO LITIGATE CLAIMS IN A COURT OR BEFORE A JURY. OTHER RIGHTS THAT CLIENT WOULD HAVE IF CLIENT WENT TO COURT MAY ALSO BE UNAVAILABLE OR MAY BE LIMITED IN ARBITRATION. ANY CLAIM, DISPUTE OR CONTROVERSY (WHETHER IN CONTRACT, TORT OR OTHERWISE, WHETHER PRE-EXISTING, PRESENT OR FUTURE, AND INCLUDING STATUTORY, CONSUMER PROTECTION, COMMON LAW, INTENTIONAL TORT, INJUNCTIVE AND EQUITABLE CLAIMS) BETWEEN CLIENT AND TRAKSTAR ARISING FROM OR RELATING IN ANY WAY TO CLIENT’S SUBSCRIPTION TO, ACCESS TO, OR USE OF THE SYSTEM WILL BE RESOLVED EXCLUSIVELY AND FINALLY BY BINDING ARBITRATION.

14.2.The arbitration will be administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules and Mediation Procedures (“Commercial Rules”). The arbitrator will have exclusive authority to resolve any dispute relating to arbitrability and/or enforceability of this arbitration provision, including any unconscionability challenge or any other challenge that the arbitration provision or the agreement is void, voidable or otherwise invalid. The arbitrator will be empowered to grant whatever relief would be available in court under law or in equity. Any award of the arbitrator(s) will be final and binding on each of the parties, and may be entered as a judgment in any court of competent jurisdiction.

14.3.If any provision of this arbitration agreement is found unenforceable, the unenforceable provision will be severed, and the remaining arbitration terms will be enforced.

15.Miscellaneous

15.1.Assignment. Neither party may assign this Agreement without the other party’s prior written consent (not to be unreasonably delayed, conditioned or withheld), and any purported attempt to do so is null and void, provided, however, that either party may, without requiring the consent of the other party, assign this Agreement and all of its rights under this Agreement to an Affiliate or an assignee in the event of a merger, sale of assets of the business to which this Agreement is related, or consolidation. Any purported assignment or delegation in violation of this Section 15.1 is null and void. No assignment or delegation relieves the assigning party of any of its obligations under this Agreement.

15.2.Choice of Law. All matters arising out of or relating to this Agreement are governed by and construed in accordance with the internal laws of the State of Delaware without giving effect to any choice or conflict of law provision or rule (whether of the State of Delaware or any other jurisdiction) that would cause the application of the laws of any jurisdiction other than those of the State of Delaware.

15.3. Entire Agreement. This Agreement and all Exhibits hereto and Trakstar’s Acceptable Use Policy, a current copy of which can be accessed here, as well as agreements and other documents referred to in this Agreement constitute the entire agreement between the Parties with regard to the subject matter hereof and thereof. This Agreement supersedes all previous agreements between or among the Parties. There are no agreements, representations, or warranties between or among the Parties other than those set forth in this Agreement or the documents and agreements referred to in this Agreement.

15.4. Export Compliance. The Services, the System, and other Trakstar technology might be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any government denied-party list. Client further represents that it is not located, and will not access or use, or permit any User to access or use, any part of the System or Services in any U.S.-embargoed country or region (including but not limited to Cuba, Iran, North Korea, Sudan, Syria or Crimea), or access or use any part of the System or Services in violation of any applicable U.S., local or foreign export laws or regulations.

15.5. Feedback. Client may, but is not required to, provide feedback to Trakstar from time to time at its discretion, which feedback will not be treated as Client’s Confidential Information. To the extent Client does provide feedback to Trakstar, Client shall, and hereby does, grant Trakstar a perpetual, irrevocable, non-exclusive, worldwide, transferable, assignable, sub-licensable, royalty-free, fully paid-up license to use and exploit the feedback for any purpose.

15.6. Independent Contractor Relationship. The relationship between the Parties to this Agreement is that of independent contractors. Neither Party is an agent, representative or employee of the other Party. Neither Party will have any right, power or authority to enter into any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind, the other Party. This Agreement will not be interpreted or construed to create an association, agency, joint venture or partnership between the Parties or to impose any liability attributable to such a relationship upon either Party.

15.7. Notice. Any notice, approval, request, authorization, direction or other communication under this Agreement will be given in writing and will be deemed to have been delivered and given for all purposes (a) on the delivery date if delivered by confirmed facsimile; (b) on the delivery date if delivered personally to the Party to whom the same is directed; (c) one business day after deposit with a commercial overnight carrier, with written verification of receipt; or (d) five business days after the mailing date, if sent by U.S. mail, return receipt requested, postage and charges prepaid, or any other means of rapid mail delivery for which a receipt is available. The contact information below the Parties’ signatures may be used by the Parties hereto.

15.8. Severability. If any term or provision of this Agreement is determined to be illegal, unenforceable, or invalid in whole or in part for any reason, such illegal, unenforceable, or invalid provisions or part thereof shall be stricken from this Agreement, and such provision shall not affect the legality, enforceability, or validity of the remainder of this Agreement. If any provision or part thereof of this Agreement is stricken in accordance with the provisions of this Section, then this stricken provision shall be replaced, to the extent possible, with a legal, enforceable, and valid provision that is as similar in tenor to the stricken provision as is legally possible.

15.9. Third-Party Beneficiaries. This Agreement does not and is not intended to confer any rights or remedies upon any person or entity other than Client and Trakstar.

15.10. Waivers. The failure by Trakstar to enforce any right or provision of this Agreement will not constitute a waiver of future enforcement of that right or provision. The waiver of any right or provision will be effective only if in writing and signed by a duly authorized representative of Trakstar.

ADDENDUM A

PERSONAL INFORMATION

1. Data Processing Addendum

1.1. A copy of the Trakstar Data Processing Addendum can be found at https://www.trakstar.com/data-processing-addendum and will be executed with Clients to whom the UK and EU General Data Protection Regulation applies.

2. CCPA

2.1. Definitions. The following definitions and rules of interpretation apply in this Agreement: (i) “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 999.300 to 999.337), and any related regulations or guidance provided by the California Attorney General, and terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Addendum; (ii) “Contracted Business Purposes” means the services described in this Agreement for which Trakstar receives or accesses personal information; and (iii) “Authorized Persons” means the persons or categories of persons that Client authorizes to provide Trakstar with personal information processing instructions, which includes Employees, Contractors, Applicants, Hiring Managers, Trainees, and Trainers.

2.2. Trakstar’s CCPA Obligations.

a. Trakstar will only collect, use, retain or disclose personal information for the Contracted Business Purposes for which Client provides or permits personal information access from Authorized Persons.

b. Trakstar will not collect, use, retain, disclose, sell or otherwise make personal information available for Trakstar’s own commercial purposes or in a way that does not comply with the CCPA. If a law requires Trakstar to disclose personal information for a purpose unrelated to the Contracted Business Purpose, Trakstar must first inform Client of the legal requirement and give Client an opportunity to object or challenge the requirement, unless the law prohibits such notice.

c. Trakstar will limit personal information collection, use, retention and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

d. Trakstar must promptly comply with any Client request or instruction from Authorized Persons requiring Trakstar to provide, amend, transfer or delete the personal information, or to stop, mitigate or remedy any unauthorized processing.

e. If the Contracted Business Purposes require the collection of personal information from individuals on Client’s behalf, Trakstar will always provide a CCPA-compliant notice at collection that Client specifically pre-approves in writing. Trakstar will not modify or alter the notice in any way without Client’s prior written consent.

f. Where the CCPA permits, Trakstar may aggregate, deidentify or anonymize personal information so it no longer meets the personal information definition, and may use such aggregated, deidentified or anonymized data for its own research and development purposes as well as for other commercial purposes, such as trendspotting or benchmarking. Trakstar will not attempt to or actually re-identify any previously aggregated, deidentified or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.

2.3. Assistance with Client’s CCPA Obligations.

a. Trakstar will reasonably cooperate and assist Client with meeting Client’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of Trakstar’s processing and the information available to Trakstar.

b. Trakstar must notify Client immediately if it receives any complaint, notice or communication that directly or indirectly relates to either party’s compliance with the CCPA. Specifically, Trakstar must notify Client within [ten (10)] working days if it receives a verifiable consumer request under the CCPA.

2.4. Subcontracting.

a. Trakstar may use subcontractors to provide portions of the Contracted Business Services. Trakstar cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.

b. For each subcontractor used, Trakstar will give Client an up-to-date list disclosing:

(1) The subcontractor’s name, address and contact information.

(2) The type of services provided by the subcontractor.

(3) The personal information categories disclosed to the subcontractor in the preceding 12 months.

c. Trakstar remains fully liable to Client for the subcontractor’s performance of its agreement obligations.

d. In the event that Trakstar audits a subcontractor’s compliance with its personal information obligations, Trakstar will provide Client with the audit results.

2.5. CCPA Warranties.

a. Each party will comply with all applicable requirements of the CCPA when collecting, using, retaining or disclosing personal information.

b. Trakstar warrants that it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under this Agreement. Trakstar must, promptly after becoming aware of the same, notify Client of any changes to the CCPA’s requirements that might adversely affect its performance under the Agreement.

CCPA Supplemental Privacy Policy

Last updated as of the 22nd day of June, 2022

This supplemental privacy policy for California residents supplements the information contained in the Privacy Policy of Applied Training Systems, Inc. and its subsidiaries, collectively doing business as “Trakstar” (collectively, “Trakstar,” “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this notice.

Information We Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Category | Examples | Collected
A. Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES
C. Protected classification characteristics under California or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES
D. Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO
E. Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO
F. Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES
G. Geolocation Data | Physical location or movements. | NO
H. Sensory Data | Audio, electronic, visual, thermal, olfactory, or similar information. | NO
I. Professional or employment-related information | Current or past job history or performance evaluations. | YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO
K. Inferences drawn from other personal information | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO

Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly, through background checks conducted during the hiring process.
  • Directly and indirectly from activity on our website and products. For example, from submissions through our websites or through usage details collected automatically.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including services, billing, and collections.
  • To fulfill or meet the reason for which the information is provided. For example, if your employer provides us with your personal information for services related to products we offer, we will use that information to fulfill such services under the applicable customer agreement.
  • To provide you with information, products or services that you request from us.
  • To provide you with alerts and other notices concerning our products or services, or events or news, that may be of interest to you.
  • To improve our website and present its contents to you.
  • For testing, research, analysis and product development.
  • As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

Category A: Identifiers.

Category B: California Customer Records personal information categories.

Category I: Professional or employment-related information.

We disclose your personal information for a business purpose to the following categories of third parties:

  • Our affiliates.
  • Service providers.
  • Third parties to whom you or your employer authorizes us to disclose your personal information in connection with products or services we provide to you.

In the preceding twelve (12) months, we have not sold any personal information.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the “right to know”). Once we receive your request and confirm your identity, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Right to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the “right to delete”). Once we receive your request and confirm your identity, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  1. Provide services under agreements with our customers where a lawful use of your information has been established.
  2. Complete services for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our services with you.
  3. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  4. Debug products to identify and repair errors that impair existing intended functionality.
  5. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  6. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  7. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  8. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  9. Comply with a legal obligation.
  10. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

Exercising Your Rights to Know or Delete

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • Emailing [email protected]
  • Calling us at 1 (877) 489-5651

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. You may also make a request to know or delete on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a request to know or delete does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact [email protected]. We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights

We do not sell the personal information of consumers.

If you are age 16 or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years old. Consumers who opt in to personal information sales may opt out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by emailing [email protected].

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. However, you may change your mind and opt back into personal information sales at any time by contacting us at [email protected].

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our Privacy Notice

We reserve the right to amend this supplemental privacy policy at our discretion and at any time. When we make changes to this privacy policy, we will post the updated notice on the Website and update the policy’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, our Privacy Policy, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone:
1 (877) 489-5651
Website:
https://www.trakstar.com
Email:
[email protected]
Postal Address:
Applied Training Systems, Inc.
Attn: DPO
113 Cherry St.
PMB 57615
Seattle, WA 98104

If you need to access this supplemental privacy policy in an alternative format due to having a disability, please contact [email protected] or call 1 (877) 489-5651.

California Consumer Privacy Act (CCPA) Notice to Applicants

This privacy notice for California residents who are applicants to Trakstar positions supplements the information contained in the Privacy Policy of Applied Training Systems, Inc. and its subsidiaries (collectively, “we,” “us,” or “our”) and applies solely to applicants for Trakstar including visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this notice.

Information We Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Category | Examples | Collected
A. Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES
C. Protected classification characteristics under California or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES
D. Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO
E. Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO
F. Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES
G. Geolocation Data | Physical location or movements. | NO
H. Sensory Data | Audio, electronic, visual, thermal, olfactory, or similar information. | NO
I. Professional or employment-related information | Current or past job history or performance evaluations. | YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO
K. Inferences drawn from other personal information | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO

Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly, through background checks conducted during the hiring process.
  • Directly and indirectly from activity on our website and products. For example, from submissions through our websites or through usage details collected automatically.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • Recruiting and hiring, for example from your application and through the interview process.
  • To conduct background checks on new employees.
  • To comply with mandatory government reporting obligations.
  • To manage employee records through our HCM systems.
  • To improve our website and present its contents to you.
  • As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

Trakstar’s policy is to protect your privacy. We do not disclose, sell, or share your Personal Information to third parties unless explicitly authorized under the employer / employee relationship. Such disclosures are detailed below:

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

Category A: Identifiers.

Category B: California Customer Records personal information categories.

Category C: Protected classification characteristics under California or federal law.

Category I: Professional or employment-related information.

We disclose your personal information for a business purpose to the following categories of third parties:

  • HCM and HR Service providers.
  • Service providers for background checks.
  • Government agencies with mandatory reporting requirements.

In the preceding twelve (12) months, we have not sold any personal information.

Your Rights and Choices

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  1. Comply with federal, state, and local laws
  2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
  3. Cooperate with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state or local law.
  4. Otherwise exercise or defend legal claims.
  5. Manage the employer-employee relationship under employment agreements with you where a lawful use of your information has been established.
  6. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  7. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  8. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • Emailing [email protected]
  • Calling us at 1 (877) 489-5651

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to establish an employment relationship with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights.

Changes to Our Privacy Notice

We reserve the right to amend this privacy notice and privacy policy at our discretion and at any time. When we make changes to this privacy notice, we will notify you by email or through a notice on our website.

Contact Information

If you have any questions or comments about this notice, our Privacy Policy, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone: 1 (877) 489-5651

Website: trakstar.com

Email: [email protected]

Postal Address: Applied Training Systems, Inc.

Attn: Chris McClave, DPO

113 Cherry St.
PMB 57615
Seattle, WA 98104

UK & EU Privacy Rights

Last Updated as of the 23rd day of June, 2022

This privacy notice should be read in conjunction with our Privacy Policy.

How we use your personal data and your rights

When you visit or register with Trakstar online or use any Trakstar online product, service or mobile application, your personal data is controlled by Applied Training Systems, Inc. (doing business as “Trakstar”).

Your personal data is primarily used to provide you with the Trakstar products and services you request. It may also be used to comply with legal obligations we are subject to or to fulfill our legitimate interests, such as to personalize your experience, develop and improve our services or to detect illegal activities. With your prior consent, it may also be used to send you offers and promotions.

You have a number of rights including the right to request access to, change, or remove your personal data, or to change your marketing preferences (including withdrawing your consent at any time) — please see our Privacy Policy to learn more about managing your marketing preferences or deleting your account.

Our Data Protection Officer can be contacted by emailing: [email protected]

If you are in the EU, you may reach us through our support team at [email protected].

You have a right to lodge a complaint with your local Data Protection Supervisory Authority or with the UK Information Commissioner’s Office: https://ico.org.uk/for-the-public.

For more information about Trakstar’s data collection and use practices, please read Trakstar’s Privacy Policy.

Data Processing Addendum

THIS DATA PROCESSING ADDENDUM (the “Addendum”) forms part of the Master Services Agreement (the “Agreement”) by and between Applied Training Systems, Inc., a Delaware corporation (the “Data Processor”) and the undersigned party to this Addendum (the “Customer,” and collectively with the Data Processor, the “Parties”).

Recitals

A. The Customer acts as a Data Controller, as defined in GDPR (as defined below);

B. The Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor; and

C. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to the GDPR and other Data Protection Laws, and that incorporates by reference all provisions of the Standard Contract Clauses (as defined below), attached hereto as Exhibit A and incorporated herein by this reference, which are not otherwise stated herein.

NOW, THEREFORE, in consideration of the promises and agreements set forth herein, the Parties, each intending to be legally bound hereby, do promise and agree as follows:

1. Definitions. Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning:

“Addendum” means this Data Processing Addendum and all Schedules attached hereto.

“Affiliate” means, with respect to a party, an entity that (directly or indirectly) controls, is controlled by or is under common control with, such party, where control refers to the power to direct or cause the direction of the management policies of another entity, whether through ownership of voting securities, by contract or otherwise.

“Customer Personal Data” means any Personal Data processed by a contracted Data Processor on behalf of Customer pursuant to or in connection with the Agreement.

“EEA” means the European Economic Area.

“GDPR”, also known as the General Data Protection Regulation, means the laws and regulations of the European Union and the EEA as applicable to the transfer and processing of Personal Data under the Agreement, including (where applicable) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

“Data Transfer” means a transfer of Customer Personal Data from the Customer or Customer’s authorized users to the Data Processor, including any onward transfer of Customer Personal Data from a Data Processor to a subcontracted Data Processor.

“Data Protection Laws” means the GDPR and, to the extent applicable, the data protection or privacy laws, regulations or legal requirements of the United Kingdom and the United States.

“Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Services” means the services provided to the Customer by the Data Processor as described in the Agreement.

“Standard Contractual Clauses” means the standard contractual clauses, as updated from time to time, that apply to the transfer of Personal Data from Customer to Data Processors, as amended by incorporating the description of the Personal Data to be transferred set out in Schedule 1 to this Addendum and the technical and organizational measures to be implemented as set out in Schedule 2 to this Addendum.

“Sub-Processor” means any processor engaged by the Data Processor or by any other sub-processor of the Data Processor who agrees to receive from the Data Processor, or from any other sub-processor of the Data Processor, Customer Personal Data exclusively intended for processing activities to be carried out on behalf of the Data Processor after the transfer in accordance with its instructions, the terms of this Addendum and Standard Contractual Clauses and the terms of the written subcontract.

The terms, “Commission,” “Controller,” “Data Subject,” “Member State,” “Personal Data Breach,” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Standard Contract Clauses

a. Standard Contract Clauses Incorporated by Reference. Customer (as “data exporter”) and Data Processor (as “data importer”) hereby enter into the Standard Contractual Clauses, which are incorporated in full by reference, and incorporate any amendments to the Standard Contract Clauses implemented by the Commission, to the extent such amendments relate to a restricted transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (a) by the Commission to or of the equivalent contractual clauses approved by the Commission under the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (b) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law. The governing law in the Standard Contractual Clauses shall be the law of the data exporter. In the event of inconsistencies between the provisions of the Standard Contractual Clauses and this Addendum, the Agreement or other agreements between the Parties as regards the Services, the Standard Contractual Clauses shall take precedence.

b. Repeal of Standard Contract Clauses. In the event that the Standard Contractual Clauses are replaced or repealed by the Commission or under GDPR, the Parties shall work together to negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with GDPR.

3. Processing of Customer Personal Data

a. Data Processor Responsibilities. Data Processor shall:

i. comply with all applicable Data Protection Laws, as applicable, in the Processing of Customer Personal Data;

ii. not Process Customer Personal Data other than on the relevant Customer’s documented instructions, including as set forth in the Agreement;

iii. upon request from Customer, make available to Customer the current list of Sub-Processors with their country of location, and types of Personal Data Processed by such Sub-Processor; and

iv. otherwise comply with the Standard Contract Clauses as applicable to the Processing of Customer Personal Data as stated in this Addendum and Agreement.

b. Customer Responsibilities. The Customer shall:

i. comply, at all times, with the applicable Data Protection Laws with respect to the processing of Personal Data in connection with its obligations under the Agreement;

ii. instruct throughout the duration of the Services the Data Processor to process the Customer Personal Data transferred only on the Customer’s behalf and in accordance with the applicable Data Protection Law and the Standard Contract Clauses;

iii. ensure that the legally binding consents to the collection, access, use, maintenance, and/or disclosure of the Personal Data in accordance with the applicable Data Protection Laws and Customer policies and procedures have been obtained from each individual and entity to whom the Personal Data relates;

iv. promptly inform Data Processor of any policies it implements with respect to the Processing and protection of Personal Data with express instructions as to how these policies should be implemented by Data Processor;

v. promptly inform Data Processor of any request for erasure with respect to Data Subject’s Personal Data with detailed instructions as to how Data Processor should address the request; and

vi. provide to Data Processor and also promptly update, when necessary, the following information: (a) identity and contact information of the Data Protection Officer or other contact of the Customer; (b) identity and contact information of the EU representative of the Customer; (c) types of Personal Data to be Processed; and (d) categories of Data Subjects to whom the Personal Data relates.

c. Consent to Processing. The Customer authorizes and instructs Data Processor to process Customer Personal Data in accordance with this Addendum and Agreement. Customer hereby acknowledges that such Customer Personal Data shall be Processed in the United States, and shall be maintained on servers located in the United States.

d. Consent to Sub-Processing. Customer hereby authorizes Data Processor to continue to use those Sub-Processors already engaged by Data Processor as at the date of this Addendum. Data Processor shall notify Customer of the appointment of any new Sub-Processor. Customer may reject (on reasonable grounds) the proposed appointment. The Parties shall work together to address the objections raised by any Customer. If no agreement can be reached by the Parties, then Data Processor and Customer shall work together in good faith to terminate the contract. Data Processor shall ensure that the arrangement between Data Processor and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of the GDPR and applicable Data Protection Laws.

4. Data Processor Personnel. Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Data Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the Data Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security.

a. Security Systems. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Customer Personal Data implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the: (a) applicable Data Protection Laws; (b) harm that might result from unlawful or unauthorized processing or accidental loss, damage, alteration, disclosure or destruction of the Personal Data; and (c) nature of the Personal Data.

b. GDPR Requirements. Data Processor shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in the GDPR, and particularly those related to possible Personal Data Breaches. Specifically, Data Processor shall:

i. have in place and comply with a security policy which: (a) defines security needs based on regular impact assessments; (b) allocates responsibility for implementing the policy to a specific individual or members of a team, including having a Data Protection Officer (“DPO”);

ii. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;

iii. ensure its storage of Personal Data conforms with the industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled; and

iv. have secure methods in place for the transit of Personal Data within the customer support portal (for instance, by using encryption).

6. Data Subject Rights

a. Data Subject Requests. Data Processor shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (each a “Data Subject Request”). Taking into account the nature of the Processing, Data Processor shall assist Customer by appropriate technical and organizational measures, to the extent possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under GDPR or applicable Data Protection Laws. Except to the extent required by applicable law, Data Processor shall not respond to any such Data Subject Request without Customer’s prior written consent except to confirm that the request relates to Customer. Further, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Data Processor shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Data Processor is legally permitted to do so and provided that such Data Subject Request is required under GDPR or applicable Data Protection Laws. Any costs arising from such provision of assistance shall be the responsibility of Customer, to the extent legally permitted.

b. Government Requests. The Personal Data processed pursuant to the Agreement may be subject to disclosure upon a valid request and as legally required by any law enforcement agency, whether located in the United States or EEA. Data Processor shall immediately notify Customer of any third-party request to release Customer Personal Data. Data Processor will cooperate with Customer to keep such Customer Personal Data confidential. At any time, Customer is entitled to suspend the transfer of data and/or terminate the Agreement citing its concern of the applicability of this Section.

7. Personal Data Breach

a. Notification of Breach. Data Processor shall, in accordance with the GDPR and applicable Data Protection Laws, notify Customer without undue delay upon Data Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Data Processor’s notification of or response to a Personal Data Breach under this Section 0 will not be construed as an acknowledgement by Data Processor of any fault or liability with respect to the Personal Data Breach. Notification(s) of Personal Data Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Data Processor selects, including via e-mail. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Data Processor’s support systems at all times.

b. Data Processor Mitigation. Data Processor will use reasonable efforts to identify the cause of such Personal Data Breach and shall promptly and without undue delay: (a) investigate the Personal Data Breach and provide Customer with information about the Personal Data Breach, including if applicable, such information as a Data Processor must provide to a Data Controller under the GDPR to the extent such information is reasonably available; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach to the extent the remediation is within Data Processor’s reasonable control. The obligations herein shall not apply to any breach that is caused by Customer or Customer’s authorized users.

c. Cooperation. Data Processor shall co-operate with the Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Deletion or Return of Customer Personal Data; audit rights.

a. Deletion or Return of Personal Data. Upon termination of the Services after the end of the provision of the Services, Data Processor shall, at the choice of the Customer, delete all Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or return to the Customer all Personal Data processed on its behalf and delete existing copies. Notwithstanding the foregoing, Data Processor may retain Customer Personal Data to the extent required by Data Protection Laws, and any other applicable laws of the United States (collectively, “Applicable Laws”), and only to the extent and for such period as required by such Applicable Laws, and Data Processor shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose. The Parties agree that the certification of deletion of Personal Data that is described in the Standard Contractual Clauses shall be provided by the data importer to the data exporter only upon data exporter’s request.

b. Audit. Data Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the contracted Data Processors. Information and audit rights of the Customers only arise under section to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Laws.

9. Limitation of Liability. Each Party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability section of the Agreement.

10. Insurance. In addition to any requirements set forth in the Agreement, Customer shall procure and, throughout the term of the Agreement, maintain cyber liability insurance to cover any Personal Data Breach affecting Customer Personal Data, or other losses suffered by Data Processor or any member of the same group as Data Processor resulting from any action or inaction on Customer’s part in an amount of no less than €1,000,000 per occurrence. The policy that provides liability coverage shall name Applied Training Systems, Inc. as an additional insured.

11. Miscellaneous

a. Notices. All notices and communications given under this Addendum must be sent in accordance with the Agreement.

b. Amendments. No alteration, amendment, or modification of this Addendum will be valid unless in writing and signed by an authorized representative of both Parties.

c. Governing Law and Jurisdiction. With respect to the Standard Contract Clauses, Processing, privacy, and security of Customer Personal Data, the governing law shall be the law of the Customer. For all other claims or disputes arising out of this Addendum or Agreement, the governing law and venue shall be in accordance with the terms of the Agreement.

d. Severability. Should any provision of this Addendum be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.

e. Ambiguity. Any ambiguity in the terms of this Addendum will be resolved to permit Data Processor to comply with Applicable Laws.

f. Entire Agreement and Conflict. This Addendum is the entire and complete agreement between the Parties with respect to the privacy and security of Personal Data and supersedes any other agreements, representations, or understandings whether oral or written. All clauses of the Agreement that are not explicitly amended or supplemented by the clauses of this Addendum, and as long as this does not contradict compulsory requirements of GDPR and applicable Data Protection Laws under this Addendum, remain in full force and effect and shall apply, including, but not limited to: Governing Law and Dispute Resolution, Jurisdiction, Limitation of Liability (to the maximum extent permitted by the GDPR).


EXHIBIT A TO DATA PROCESSING ADDENDUM

STANDARD CONTRACTUAL CLAUSES
(CONTROLLER) TO APPLIED TRAINING SYSTEMS, INC. (PROCESSOR)

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of Transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 — Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II — OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

8.1
Instructions
(a)
The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b)
The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2
Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3
Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4
Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5
Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6
Security of processing
(a)
The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b)
The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c)
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d)
The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7
Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8
Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)
the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii)
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii)
the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv)
the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9
Documentation and compliance
(a)
The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b)
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c)
The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d)
The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e)
The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)
GENERAL WRITTEN AUTHORIZATION. The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b)
Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c)
The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d)
The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e)
The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a)
The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b)
In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c)
Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)
lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii)
refer the dispute to the competent courts within the meaning of Clause 18.
(d)
The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e)
The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f)
The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a)
Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b)
The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c)
Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d)
The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e)
Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f)
The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g)
The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a)
The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
(b)
The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III — LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a)
The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b)
The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)
the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii)
the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii)
any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c)
The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d)
The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e)
The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f)
Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1
Notifications
(a)
The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)
receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii)
becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b)
If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c)
Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d)
The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e)
Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2
Review of legality and data minimization
(a)
The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b)
The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c)
The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV — FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)
The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b)
In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c)
The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)
the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii)
the data importer is in substantial or persistent breach of these Clauses; or
(iii)
the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)
Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e)
Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Insert governing jurisdiction.

Clause 18

Choice of forum and jurisdiction

(a)
Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b)
The Parties agree that those shall be the courts of Insert governing jurisdiction.
(c)
A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d)
The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX
ANNEX I

This Section includes important information and the Subscription Agreement Form all interested parties must complete in order to successfully enter this Agreement.

Download Trakstar Data Processing Addendum PDF

What You Should Do With This Document

  1. Click the button above to download a PDF.
  2. Your information is required on page 7 in order to enter into this Agreement with Trakstar.
  3. Provide your company name in the Controller field on page 8.
  4. Provide your Governing Jurisdiction in the fields on page 18.
  5. Review the information and fill the necessary fields on page 19.
  6. Identify the competent supervisory authority/ies on page 21.
  7. After providing the required information, send the completed PDF to your Trakstar Account Manager or [email protected]

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The technical and organizational measures must be described in specific detail and not in generic terms. In particular, clearly indicate which measures apply to each transfer or set of transfers.

1.1. Compliance

1.1.1. Trakstar SOC Reports. Trakstar is audited for compliance with the SOC 2 standard on an annual basis. This comprehensive audit, conducted by a licensed CPA firm, provides a full accounting of the Trakstar organization and of the product tools, methods and processes for security, availability, integrity, confidentiality, and privacy. Our SOC 2 report is available to customers upon request.

1.1.2. Trakstar GDPR Compliance. Trakstar is compliant with the EU’s General Data Protection Regulation. During 2021, Trakstar (under the parent umbrella organization of Applied Training Systems Inc., and with our former brands Trakstar, Reviewsnap, Recruiterbox, and Mindflash) was certified for the EU-U.S. Privacy Shield Framework. With the Schrems II judgement of July 2020 and subsequent rulings in 2021, Trakstar adapted its compliance to include the Standard Contractual Clauses within our Data Processing Addendum (DPA). We execute DPAs for customers located in the EU and for other companies with EU-based employees covered by the GDPR.

1.1.3. AWS SOC Reports. The Trakstar products and platforms are hosted on the Amazon Web Services platform. All AWS compliance and audit reports are available to AWS customers under an NDA. AWS holds multiple certifications including SOC 2, ISO 27001:2013, GDPR, and more. To review the AWS SOC 2 reports, please refer to the AWS Artifact service.

1.2. Organizational

1.2.1. Privacy. The Trakstar team prioritizes customer data privacy and security. We employ a proactive approach to limit access to customer data by Trakstar staff. Our policies, training, and monitoring processes are regularly reviewed and enforced to protect customer data. For more information, see our Privacy Policy, which may be updated from time to time by Trakstar.

1.2.2. Security and Data Policies. Each year, and as warranted, the security team at Trakstar reviews and updates our IT security policies and training program. These policies are distributed to all employees and compliance is mandatory. For data security and handling, employees are required to undergo training which covers the types of data and the safeguards that must be taken to protect that data. These security and training programs cover key topics such as change management, asset usage, computer security, password and credential management, loss and theft, usage monitoring, and infrastructure protection. It is the responsibility of all Trakstar employees to protect the integrity and security of customer data.

1.2.3. Security Training. All new Trakstar employees are required to undergo security and awareness training, and to retake that course on an annual basis. Training covers common mistakes and threats, as well as industry-specific concerns for SaaS companies. Team members are tested, and their knowledge is verified, through a rigorous program of quizzes as well as responses to real-world threat examples.

1.2.4. Background Checks, Code of Conduct and Oversight. Employees undergo background checks prior to employment. The process includes verification of criminal records, reference and education checks. For certain personnel, more extensive screening requirements are in place. All employees must also agree to an employee handbook which includes a code of conduct and policies governing use of company equipment, adherence to IT and Security policies, and other policies. Applied Training Systems (i.e. Trakstar and the Trakstar brands including Trakstar Hire, Trakstar Learn, Trakstar Perform and Reviewsnap) is overseen by a board of directors that governs the operations and management of the business.

1.3. Infrastructure and Endpoint Security

1.3.1. Cloud Security. All Trakstar products and services are deployed on Amazon Web Services (AWS). The Trakstar engineering team has implemented multiple controls and monitoring/compliance tools to ensure proper security procedures are being adhered to, covering risks such as insecure Security Groups, IAM account credential and encryption key rotation, use of MFA for authentication, secure VPN connection for access to network infrastructure, and more. The engineering team has deployed multiple monitoring tools to identify changes and raise alerts, with redundant notifications to team members. Trakstar engineering uses segmented accounts and isolated access credentials to restrict scope and follows a least-privilege pattern for operational activity.

1.3.2. Encryption. Communications between customers (and their users) and the Trakstar platform are conducted over the Internet on a connection secured by TLS 1.2 at minimum. Plain HTTP connections are not permitted. All data in transit is encrypted with this standard or better. Data at rest is encrypted and isolated using strong encryption algorithms. Additionally, all data stored on employee laptops is fully encrypted, and is backed up redundantly in encrypted form using backup solutions.

1.3.3. Passwords. Any user with access to production systems is required to use complex, long passwords and secure password management tools, with regular rotation. The same policy applies to local laptops and SSO-integrated software. Laptops are locked when unattended, and automatic screensavers with password protection are also in place. Phishing drills and policies ensure staff are honoring the policies and are trained to respond appropriately to security threats.

1.3.4. Network Security. All AWS production accounts utilize firewalls and application threat detection to identify and block threats to the infrastructure or applications. Direct connectivity is prohibited for internal systems. For external facing systems, connectivity is blocked unless explicitly authorized. Networks are separated using VPCs and security groups to isolate systems. For office environments as well as remote staff, all networks are untrusted and treated as a public connection; laptops and all other devices that connect are configured accordingly.

1.3.5. Intrusion Detection and Prevention. The Trakstar engineering team has deployed a suite of tools designed to identify and proactively stop intrusions, scans, and malicious payloads from penetrating our security perimeter. This covers production systems, application security, email, device threats, and rogue user behaviors such as privilege escalation. In addition to these measures, audit trails and logging systems are leveraged to identify and alert on anomalous behaviors. Changes in infrastructure configuration are monitored, alerted on, and investigated.

1.3.6. Antivirus. Across the Trakstar portfolio, antivirus and malware protections have been deployed and are monitored to mitigate common threats and vulnerabilities. These systems update frequently with new malware signatures and continuously scan for malicious activity. Implementation on employee laptops is secured and managed remotely by the Trakstar security team.

1.3.7. Identity and Access Management. Following the principle of least privilege, the Trakstar engineering team restricts access to systems to the minimum necessary. This includes accounts with privileged access such as system root or admin accounts. In addition, the team reviews privileges and accounts on a monthly basis, with alerts that detect unusual activity.

1.3.8. Authentication. Two-factor authentication (2FA) is used across the Trakstar organization. The requirements for 2FA are enforced and reviewed periodically. Acceptable methods include physical tokens such as YubiKeys or app-generated passcodes. Staff are also required to use a managed SSO solution for access to devices and systems that support an enterprise SSO integration.

1.4. Physical Security

1.4.1. Offices. Trakstar employees are typically remote, with the exception of a Denver office. Employees are trained on procedures such as VPN access to secure systems, a protocol for handling laptops, and reporting any lost or stolen devices. No mission-critical systems or sensitive data are maintained within a physical office environment. Employee laptops are fully secured and remotely managed. Access can be revoked and data can be remotely destroyed.

1.5. Security Operations

1.5.1. Vulnerability Management. Several processes and tools are in place to identify, prioritize, and remediate vulnerabilities. Trakstar engineering reviews vulnerabilities discovered by automated scanning and other methods to determine their threat level and classification. Vulnerability detection begins at the source code, with scanners equipped to identify threats such as the OWASP Top 10 vulnerabilities.

1.5.2. Patching. A monthly patch cycle is enforced that brings tools, operating systems, and other software current with releases that resolve vulnerabilities. For high severity issues, patching is conducted on demand to remediate any potential threats.

1.5.3. Vulnerability Disclosure Policy. Trakstar publishes a vulnerability disclosure policy, which may be updated from time to time by Trakstar, covering our response to externally identified vulnerabilities. Trakstar does not compensate ethical hackers for their contributions, though they are appreciated. The policy covers expectations, reporting policy, scope, and disclosure methods.

1.5.4. Penetration Testing.

1.5.5. Change Management. A change control policy and procedure is used to properly review the impact of any change to code or infrastructure prior to deployment. Procedures exist to ensure multiple staff have reviewed the change and approval has been given by engineering management. All changes are documented and tied to specific change control tickets for audit purposes.

1.5.6. Software Development Process. The engineering group leverages several checkpoints during the software development process to ensure the security and integrity of the Trakstar products. These include pull requests with code reviews, infrastructure as code, isolation of configuration and security parameters to secured storage (parameterized), and a fully automated test suite to ensure that quality controls and standards are met. Development is supported by a full ticketing and agile development process to document requirements, the QA process, and deployments.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to Customer and, for transfers from a processor to a sub-processor, to ATSI.


ANNEX III
LIST OF SUB-PROCESSORS

Sub-Processor

Customer has authorized the use of the following sub-processor(s). Data Processor may amend this list and will provide notice to Customer within 10 days of any changes, and Customer shall have 10 days following receipt of such notice to object to the changes. Include the identity and contact details of the Sub-Processor(s), and, where applicable, the Sub-Processor(s) Data Protection Officer:

Name: Chris McClave, CTP

Address: Applied Training Systems, Inc., 113 Cherry St., PMB 57615, Seattle, WA 98104-2205

Contact person’s name, position and contact details:

Chris McClave, CTO, [email protected]

Description of the processing (including a clear delimitation of responsibilities in case several subprocessors are authorized): (see below in chart)

| Subprocessor | Applicability | Product | Processing Activity | Corporate URL |
|---|---|---|---|---|
| Amazon Web Services | All Customers | All | Hosting infrastructure, database services, encryption, networking | https://aws.amazon.com/compliance/ |
| Atlassian | All Customers | All | Engineering and customer support tickets | https://www.atlassian.com/ |
| Backblaze | All Customers | All | Automated backups for corporate devices | https://www.backblaze.com/ |
| BambooHR | Opt-In Integration | Hire | HRIS Provider | https://www.bamboohr.com/ |
| Box | Opt-In Integration | Learn | Content storage and sourcing for LMS courses | https://www.box.com/ |
| Checkr | Opt-In Integration | Hire | Background checks for applicants | https://www.checkr.com/ |
| CloudAMQP by 84Codes | All Customers | Hire | Software message queues | https://www.cloudamqp.com/ |
| Datadog | All Customers | Learn, Hire | System and Application Logging | https://www.datadoghq.com/ |
| Salesforce Interaction Studio | All Customers | Learn | Customer application interactions and behaviors | https://www.salesforce.com/products/marketing-cloud/customer-interaction/ |
| Glassdoor | Opt-In Integration | Hire | Job posting board | https://www.glassdoor.com/ |
| Google | All Customers | All | Workspace back office tools, email, calendar, office productivity | https://workspace.google.com/ |
| Google Analytics | All Customers | All | Website analytics for usage and behavior tracking | https://analytics.google.com/analytics/web/ |
| Help Scout | All Customers | All | Help documentation and ticketing | https://www.helpscout.com/ |
| Honeybadger | All Customers | Perform | Platform exception and error handling and logging | https://www.honeybadger.io/ |
| HubSpot | All Customers | All | Customer leads and contact details, customer records | https://www.hubspot.com/ |
| Indeed | All Customers | Hire | Job posting board | https://www.indeed.com/ |
| Intercom | All Customers | All | Sales interactions with customers | https://www.intercom.com/ |
| MailChimp | All Customers | All | Customer contacts and email addresses for notification emails | https://www.mailchimp.com/ |
| MailGun | All Customers | Hire | Customer contacts and email addresses for notification emails | https://www.mailgun.com/ |
| Mongo DB Atlas | All Customers | Hire | Document indexing and data storage | https://www.mongodb.com/ |
| Namely | Opt-In Integration | Hire | HRIS Provider | https://www.namely.com/ |
| New Relic | All Customers | All | Software observability and application monitoring platform | https://www.newrelic.com/ |
| PandaDoc | Opt-In Integration | Hire | Document templates and management | https://www.pandadoc.com/ |
| SolarWinds Loggly | All Customers | Hire | Software and infrastructure logging platform | https://www.solarwinds.com/loggly |
| SolarWinds Papertrail | All Customers | Perform | Software and infrastructure logging platform | https://www.papertrail.com |
| Pendo | All Customers | Perform, Hire | Customer application interactions and behaviors | https://www.pendo.io/ |
| VMWare Pivotal Tracker | All Customers | Perform | Engineering and customer support tickets | https://www.pivotaltracker.com/ |
| Sage Intacct | All Customers | All | Financial management platform | https://www.sageintacct.com/ |
| Salesforce Marketing Cloud | All Customers | All | Customer contacts, leads, notes, engagements, etc. | https://www.salesforce.com/ |
| Salesforce Slack | Opt-In Integration | Hire | Candidate application notifications | https://www.slack.com/ |
| Snowflake | All Customers | All | Data Warehouse | https://www.snowflake.com/ |
| Splunk Cloud | All Customers | All | Aggregated logging application | https://www.splunk.com/ |
| Stripe | All Customers | Hire | Credit card processing and payments, subscription management | https://www.stripe.com |
| Twilio SendGrid | All Customers | All | Customer contacts and email addresses for notification emails | https://www.sendgrid.com |
| Workato | All Customers | All | Communication between HRIS systems and Trakstar | https://www.workato.com/ |
| Zapier | Opt-In Integration | Learn | Communication between HRIS systems and Trakstar | https://www.zapier.com/ |
| Zencoder by Brightcove | All Customers | Learn | Video encoding and compression | https://www.brightcove.com/en/products/zencoder/ |
| Ziggeo | All Customers | Hire | Candidate videos and responses | https://ziggeo.com/ |
| Zoom | Opt-In Integration | Hire | Integration for scheduling interviews and meetings over Zoom | https://www.zoom.us/ |
| Zuora | All Customers | Learn | New account provision and subscription management | https://www.zuora.com/ |

Acceptable Use Policy

Last Updated as of the 24th day of June, 2022

By accessing and using the Trakstar website at www.trakstar.com, or any of the Services including but not limited to perform.trakstar.com, learn.trakstar.com, or hire.trakstar.com, and outlined in a Trakstar Subscription Agreement (together with all Order Forms and Addenda attached hereto, the “Agreement”), of Applied Training Systems, Inc., doing business as Trakstar, and its affiliates (collectively “Trakstar”), You accept and agree to comply with this acceptable use policy (this “AUP”). Capitalized terms not defined in this AUP have the same meaning as in Trakstar’s Subscription Agreement located at https://www.trakstar.com/terms/.

Trakstar does not actively monitor Your use of the Services under normal circumstances, nor does Trakstar exercise editorial control or review the content of any Web site, electronic mail transmission, newsgroup or other material created or accessible over or through the Site or Services (including, without limitation, any User Material). However, Trakstar may remove, block, filter or restrict by any means any Content (including User Material) that Trakstar believes, in Trakstar’s sole discretion, may be illegal, infringing, libelous, fraudulent, obscene, abusive or harassing, invasive of privacy, inaccurate, misleading, destructive or otherwise offensive or objectionable, may subject Trakstar to liability, or may violate the terms of this AUP and, in the event of such actions by Trakstar, You hereby agree and acknowledge that Trakstar shall have no liability to You or any other person or entity. To ensure that Trakstar provides a high quality experience for You and for other users of the Services, you agree that Trakstar may access your account and records on a case-by-case basis to investigate complaints or allegations of abuse, infringement of third party rights, or other unauthorized uses of the Services. Trakstar reserves the right to suspend Service, and subsequently suspend any User Materials from the Services which violates this AUP, at any time and without notice.

You agree (a) to comply with all applicable local, state, federal, national, foreign and international laws, statutes, regulations, ordinances and rules (including, without limitation, (i) any intellectual property laws or laws pertaining to the proprietary rights of others, (ii) the U.S. Foreign Corrupt Practices Act, (iii) the U.S. Export Administration Act or any other applicable export control laws or laws relating to the export of data or software to or from the United States or any other jurisdiction, or (iv) the U.S. International Traffic in Arms Regulations or any other applicable laws, statutes or regulations relating to national security, national defense or traffic in arms), in each case during your use of the Site or Services, and (b) that you are solely responsible and, to the maximum extent permissible by applicable law, shall bear all risk and liability, for the accuracy, completeness, reliability and/or usefulness of (I) any User Material, and (II) all communications sent by You or any other person or entity using Your account.

Prohibited uses of the Services include, but are not limited to the following:

(A) violating or attempting to violate any security features of the Services, or using or attempting to use the Services or their application programming interfaces (APIs) to violate any security features or terms of service of a third-party site, including without limitation by:

(i) accessing Content not intended for you, or logging onto a server or account that you are not expressly authorized to access;

(ii) attempting to probe, scan, or test the vulnerability of the Services, or any associated system or network, or to breach security or authentication measures without proper authorization;

(iii) reverse looking-up, tracing or seeking to trace any information on any other user of or visitor to Trakstar’s properties or the Services, or any other customer of Trakstar, including any account not owned by You, to its source, or exploit www.trakstar.com or Services or information made available or offered by or through the www.trakstar.com site or Services, in any manner in which the purpose is to reveal or misuse any information, including but not limited to personal identification, other than your own information, as provided by the Service;

(iv) interfering or attempting to interfere with Service to any user, host, or network, including, without limitation, submitting to the Trakstar Site or Services a virus, Trojan horse, or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment, overloading the www.trakstar.com Site or Services, or “flooding,” “spamming,” “mail bombing,” “crashing”, or attempting any form of denial of service attack against the www.trakstar.com site or Services;

(v) using the www.trakstar.com site or Services to send unsolicited or unauthorized advertising, promotional materials, “junk mail,” “spam,” “chain letters,” or any other form of solicitation, to post fraudulent job listings for purposes of collecting candidate information or to violate the terms of service for any job board with whom Trakstar offers an integration;

(vi) forging any TCP/IP packet header or any part of the header information in any e-mail or in any posting using the Services;

(vii) attempting to modify, reverse-engineer, decompile, disassemble, or otherwise reduce or attempt to reduce to a human-perceivable form any of the source code used by Trakstar in providing the www.trakstar.com site or Services; provided that the foregoing shall not apply to the extent prohibited by applicable law.

(B) uploading, downloading, submitting, displaying, performing, transmitting, or otherwise distributing or making available any Content or User Materials that:

(i) is unlawful, threatening, abusive, harassing, tortious, obscene, defamatory, libelous, invasive of another’s privacy, hateful or racially, ethnically or otherwise objectionable;

(ii) advocates or encourages conduct that could constitute a criminal offense, give rise to civil liability, or otherwise violate any applicable local, state, national, or foreign law or regulation;

(iii) degrades others on the basis of gender, race, class, ethnicity, national origin, religion, sexual preference, disability or other classification;

(iv) advertises or otherwise solicits funds or is a solicitation for goods or services;

(v) infringes any patent, trademark, trade secret, copyright or other intellectual property or proprietary right of any party or to which You do not have a right to make available under any law or under contractual or fiduciary relationships (such as inside information, proprietary and confidential information learned or disclosed as part of employment relationships or under non-disclosure agreements); or

(vi) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment;

(C) harming, or attempting to harm, minors in any way;

(D) impersonating any person or entity or falsely stating or otherwise misrepresenting your affiliation with a person or entity, or forging, making or otherwise using false or misrepresenting message headers, whether in whole or in part, to mask the originator of the message;

(E) using the www.trakstar.com site or Services to defraud, blackmail, stalk or otherwise harass another person or to access, use, collect or store, or attempt to access, use, collect or store, personal data about third parties without their knowledge or consent;

(F) reselling, leasing, time-sharing, or otherwise letting other persons access or use the Services or accessing the Services other than in connection with authorized third parties accessing User Materials or Content as training materials.

Any restriction or monitoring of a minor’s access to the Trakstar site or Services is your sole responsibility. Trakstar will cooperate fully with any law enforcement officials or agencies in the investigation of any violation of this AUP or of any applicable laws. Any violation of this AUP or of any applicable laws may subject You to civil and/or criminal liability. You hereby agree and acknowledge that the burden of proving that Your use of the Services, or use of any Content or User Materials uploaded, downloaded, displayed, performed, transmitted, or otherwise distributed by You does not violate this AUP, any applicable laws or any third party rights rests solely with You.

Vulnerability Disclosure Policy

Introduction

Our team works vigilantly to protect our customers and their information assets impacted by our software. We recognize the important role that security researchers and our user community play in keeping Applied Training Systems Inc. (“ATSI”) and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.

To encourage responsible disclosure, we commit that if we conclude that a disclosure respects and meets all the guidelines outlined below we will not bring a private action or refer a matter for public inquiry.

We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure.

Guidelines for responsible disclosure

We request that you:

  • Share the real or potential security issue with us before making it public to peers, on message boards, mailing lists, and other forums.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Provide full details of the security issue, and be open to describing how you found it so we may reproduce the conditions.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
  • Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
  • Do not submit a high volume of low-quality reports.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and ATSI will not recommend or pursue legal action related to your research.

Scope

At this time, the following services and applications are in-scope:

  • Web application, services, and infrastructure on any of the following domains and subdomains:
    • *.trakstar.com
    • *.reviewsnap.com
    • *.mindflash.com
    • *.recruiterbox.com
    • *.appliedtraining.com
  • Anything with significant impact across our entire security posture or infrastructure

Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in our third-party applications/services fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.

Out of Scope

We accept only manual or semi-manual tests. All findings coming from automated tools or scripts will be considered as out of scope. Furthermore, all issues without clearly identified security impact, missing security headers, or descriptive error messages will be considered out of scope.

These items also are considered to be out of scope:

  • Attacks designed or likely to degrade, deny, or adversely impact services or user experience (e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying, Spam…).
  • Attacks designed or likely to destroy, corrupt, make unreadable (or attempts therein) data or information that does not belong to you.
  • Attacks designed or likely to validate stolen credentials, credential reuse, account takeover (ATO), hijacking, or other credential-based techniques.
  • Intentionally accessing data or information that does not belong to you beyond the minimum viable access necessary to demonstrate the vulnerability.
  • Performing physical, social engineering, or electronic attacks against our personnel, offices, wireless networks, or property.
  • Security issues in third-party applications, services, or dependencies that integrate with ATSI products or infrastructure that do not have a demonstrable proof of concept for the vulnerability (e.g., libraries, SAAS services).
  • Security issues or vulnerabilities created or introduced by the reporter (e.g., modifying a library we rely on to include a vulnerability).
  • Attacks performed on any systems not explicitly mentioned as authorized and in-scope.
  • Reports of missing “best practices” or other guidelines which do not indicate a security issue.
  • Attacks related to email servers, email protocols, email security (e.g., SPF, DMARC, DKIM), or email spam.
  • Missing cookie flags on non-sensitive cookies.
  • Reports of insecure SSL/TLS ciphers (unless accompanied with working proof of concept).
  • Reports of how you can learn whether a given client can authenticate to an ATSI product or service.
  • Reports of mappings between code names and client names.
  • Reports of simple IP or port scanning.
  • Missing HTTP headers (e.g. lack of HSTS).
  • Software or infrastructure bannering, fingerprinting, or reconnaissance with no proven vulnerability.
  • Clickjacking or self-XSS reports.
  • Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure.
  • Domain-based phishing, typosquatting, punycodes, bitflips, or other techniques.
  • Violating any laws or breaching any agreements (or any reports of the same).

Reporting a vulnerability

We accept vulnerability reports via:

  • This form (Google sign-in required)
  • Email to [email protected]

Be sure to include an email address where we can reach you in case we need more information. We take security issues seriously and will respond swiftly to fix verifiable security issues. Some parts of our product are complex and take time to update. When properly notified of legitimate issues, we will do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible.

We do not support PGP-encrypted emails at this time. For particularly sensitive information, please submit through our HTTPS web form.

What we would like to see from you

In order to help us triage and prioritize submissions, we recommend that your reports:

  • Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
  • Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 7 business days, we will acknowledge that your report has been received.
  • We will perform an initial assessment on the potential findings to determine accuracy, need for escalation and product team to work with. In this phase, you may:
    • Receive requests for additional information, or
    • Receive notification that the vulnerability is not accepted into the program because it does not meet the criteria of the program or provide sufficient detail. (You may respond to any notifications of non-acceptance by contacting [email protected])
  • We will develop a resolution and take appropriate action depending on the criticality scoring of the vulnerability.
  • We will provide the researcher with public recognition if requested and if the report results in a publicly released fix or communication.

Where necessary or if we are unable to resolve communication issues or other problems, ATSI may bring in a neutral third party (such as CERT/CC, DHS-ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

Note: Any information shared with ATSI may be used by ATSI in any manner determined appropriate by ATSI. Submitting any information will not create any rights for the submitter, nor will it create any obligations for ATSI.

Bug Bounty

ATSI does NOT offer compensation for vulnerabilities that are disclosed. We will, from time to time, say thank you for new and interesting reports in our thanks section of this page. Please note however that providing a report does not guarantee a credit.

Cigna Machine-Readable Files Policy

cigna.com/legal/compliance/machine-readable-files

The above link leads to the machine-readable files that are made available in response to the federal Transparency in Coverage Rule and includes negotiated service rates and out-of-network allowed amounts between health plans and healthcare providers. The machine-readable files are formatted to allow researchers, regulators, and application developers to more easily access and analyze data.

Empower. Automate. Elevate. Mitratech
©2026 Mitratech, Inc. All rights reserved.