Data Processing Agreement
Effective June 27, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Clox Labs LLC ("Clox", the "Processor") and the business customer that uses Clox (the "Customer", the "Controller"). It governs Clox's processing of personal data on the Customer's behalf and reflects obligations under privacy laws including the California Consumer Privacy Act (CCPA/CPRA). It takes effect when the Customer accepts the Terms of Service.
1. Roles of the parties
The Customer is the controller (the "business" under the CCPA) and determines the purposes and means of processing. Clox is the processor (the "service provider" under the CCPA) and processes personal data only to provide the Service to the Customer.
This DPA governs only the personal data that Clox processes on the Customer's behalf, which is the Customer's workforce and administrative data. For account, billing, and marketing data, Clox acts as an independent controller, and that processing is governed by the Privacy Policy rather than this DPA.
2. Scope and purpose of processing
Clox processes personal data solely on the Customer's documented instructions, which consist of the Terms of Service and the Customer's use of the Service, to deliver time tracking, scheduling, reporting, and payroll-data export.
The nature of the processing includes the collection, storage, organization, retrieval, analysis, export, and deletion of personal data as needed to provide the Service. The processing continues for the term of the Terms of Service, that is, for as long as Clox processes personal data on the Customer's behalf.
If Clox believes that an instruction from the Customer appears to violate applicable data-protection law, Clox will inform the Customer without undue delay.
Clox will not sell or share personal data, will not retain, use, or disclose it for any purpose other than providing the Service, and will not combine it with data from other sources except as needed to operate the Service.
As a service provider under the CCPA, Clox certifies that it understands the restrictions in this Section and the CCPA and will comply with them. Personal data is disclosed to Clox only for the limited and specified business purpose of providing the Service, and Clox will not sell or share that personal data.
3. Categories of data and data subjects
Data subjects are the Customer's workers and administrators. The categories of personal data processed include:
- Identifiers, such as name and email address.
- Employment data, such as role, pay rate, and overtime settings.
- Time records, such as clock-in/out times, breaks, schedules, and time-off.
- Device location and the reading's accuracy, captured at clock-in where the Customer has enabled worksite verification (see Section 8).
- Clock-in selfie photos, captured where the Customer has enabled photo verification. These are stored as images for the Customer to review and are not run through facial recognition. Clox does not create biometric templates from them.
- Device and usage metadata and audit logs, such as device and account identifiers, request metadata, and records of actions taken in the Service.
4. Confidentiality
Clox limits access to personal data to personnel who need it to provide the Service, and ensures that those personnel are bound by appropriate confidentiality obligations. Those obligations survive the end of the relevant person's engagement with Clox.
5. Security measures
Clox maintains technical and organizational measures appropriate to the risk, including the following:
- Encryption of data in transit using TLS, and encryption of data at rest.
- An encrypted on-device cache for offline punches captured by the mobile app.
- Hashed passwords and PINs, which are never stored in plain text.
- Role-based access controls and logical tenant isolation, so each organization's data is kept separate.
- Audit logging of significant actions taken in the Service.
6. Subprocessors
The Customer authorizes Clox to engage subprocessors to provide the Service. The current list of subprocessors is maintained at getclox.com/subprocessors, which is the source of truth and is kept up to date. Clox imposes data-protection obligations on each subprocessor that are substantially equivalent to those in this DPA, and Clox remains responsible for the performance of its subprocessors.
Clox will give the Customer at least 30 days' notice before adding or replacing a subprocessor, by updating the subprocessors page and by an email or in-product notice. The Customer may object in writing on reasonable data-protection grounds within that period. The parties will work in good faith to resolve the objection. If it cannot be resolved, the Customer may terminate the portion of the Service that requires the objected-to subprocessor.
7. Data subject and consumer requests
Clox will assist the Customer, taking into account the nature of the processing, in responding to requests from data subjects to access, correct, delete, or restrict their personal data. If a worker contacts Clox directly about data the Customer entered, Clox will refer the request to the Customer.
8. Location data
Where the Customer enables worksite verification, Clox checks an employee's device location at the moment of clock-in, solely to confirm presence at an assigned worksite. Clox does not track location continuously or in the background, and does not check location after clock-out. For punches subject to worksite verification, Clox stores the clock-in coordinates and the reading's accuracy with the time record so the Customer can verify the punch; where worksite verification is not used, clock-in location is not retained. The Customer is responsible for providing any notice to, and obtaining any consent from, its workers that applicable law requires.
9. Personal data breach
Clox will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's data. The notice will, to the extent reasonably available, describe:
- The nature of the breach.
- The categories and approximate number of data subjects affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and to mitigate its effects.
10. Return and deletion
During the term, the Customer can export its data from the Service at any time. After termination, the Customer has a 30-day window in which to export its data. After that window, Clox deletes the data in accordance with the retention terms in the Privacy Policy, except where law requires retention. Clox will provide written confirmation of deletion on the Customer's request.
11. Audits
Clox will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. Where available, Clox may satisfy this obligation by providing relevant third-party audit reports or certifications.
Where that information is not sufficient, the Customer may conduct an audit no more than once per year, on reasonable prior notice, during business hours, subject to confidentiality obligations, and at the Customer's expense.
12. International processing and transfers
Personal data is processed and stored in the United States.
Where the Customer or its data subjects are in the European Economic Area, the United Kingdom, or Switzerland, the parties incorporate the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum into this DPA to cover transfers of personal data, with Clox acting as the importer and the Customer as the exporter. Where a subprocessor is certified under the EU-US Data Privacy Framework, that framework may also serve as a transfer mechanism for personal data shared with it.
13. Liability and precedence
This DPA forms part of and is governed by the Terms of Service. The liability limitations and exclusions in the Terms of Service apply to this DPA. If there is a conflict between this DPA and the Terms of Service about the processing of personal data, this DPA controls to the extent of that conflict. This DPA is governed by the laws of the State of Wyoming.
14. Term and contact
This DPA remains in effect for as long as Clox processes personal data on the Customer's behalf under the Terms of Service.
Clox is operated by Clox Labs LLC, a Wyoming limited liability company. Questions are best sent to support@getclox.com; for formal legal or data-protection notices, Clox Labs LLC can also be reached by phone at (307) 910-2824.