Between Humareso, LLC and Client
Effective Date: May 29, 2026
Version: 1.0
1. Parties and Definitions
1.1 Parties
This Data Processing Agreement (the "DPA") is entered into between:
Humareso, LLC, a Florida limited liability company with its principal place of business at Vero Beach, Florida, United States ("Humareso," the "Processor"); and
Client, the entity identified in the underlying Master Services Agreement, Subscription Agreement, or Statement of Work (the "Service Agreement") with Humareso (the "Controller").
Humareso and Client are each referred to as a "Party" and collectively as the "Parties."
1.2 Definitions
For purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined in this DPA have the meanings given to them in the Service Agreement or in Applicable Data Protection Law.
"Applicable Data Protection Law" means all laws, regulations, and binding regulatory guidance applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and any other applicable U.S. state privacy laws.
"Breach" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Humareso or its Sub-Processors.
"Client Data" means all data, including Personal Data, that Client or its Authorized Users submit to, upload to, or generate within the Services, together with any output produced by the Services on behalf of Client and audit log data generated by the Services in connection with Client's use.
"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under this DPA, Client is the Controller with respect to Client Data. Humareso acts solely as a service provider, contractor, or processor (as those terms are defined under applicable privacy laws) with respect to Client Data and does not sell or share such data except as permitted by Applicable Data Protection Law and instructed by Controller.
"Personal Data" means any information relating to an identified or identifiable natural person Processed by Humareso on behalf of Client under the Service Agreement.
"Processor" means a natural or legal person which Processes Personal Data on behalf of the Controller. Under this DPA, Humareso is the Processor with respect to Client Data.
"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, retrieval, use, disclosure, transmission, and deletion.
"Sensitive Data" means Personal Data revealing or consisting of: (a) health or medical information, including information contained in leave of absence requests, accommodation requests, return-to-work documentation, and disability records; (b) compensation data, including salary, bonus, equity, and total rewards information; (c) Social Security numbers and other government-issued identifiers; (d) financial account numbers; (e) biometric identifiers; and (f) any other category of data designated as sensitive, special category, or similar under Applicable Data Protection Law.
"Services" means the Humareso platforms and services provided to Client under the Service Agreement, which may include Engage, Portal, Leave, Hub, and Humareso's HR Outsourcing ("HRO") services.
"Sub-Processor" means any third party engaged by Humareso to Process Personal Data on behalf of Client in connection with the Services.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries published by the European Commission in Decision 2021/914 of 4 June 2021, including Module Two (Controller to Processor), as supplemented by the UK Information Commissioner's Office International Data Transfer Addendum where applicable.
2. Subject Matter and Scope of Processing
2.1 Roles of the Parties
Under this DPA, Client is the Controller and Humareso is the Processor with respect to Client Data. Humareso shall Process Personal Data only for the purpose of providing, maintaining, securing, and improving the Services in accordance with the Service Agreement and the documented instructions of the Controller.
This DPA does not apply to Personal Data for which Humareso is itself the controller, including data relating to: (a) Hub subscribers who contract directly with Humareso; (b) visitors to humareso.com and other Humareso websites; (c) job applicants applying for employment with Humareso; and (d) Humareso's own personnel and business contacts. Humareso's processing of such data is governed by Humareso's Privacy Notice.
2.2 Scope by Service
The subject matter, nature, and purpose of Processing under this DPA correspond to the Services purchased by Client. The mapping of platforms to Processing activities is set forth in Annex A and is incorporated into this Section by reference.
2.3 Categories of Data Subjects
Data subjects whose Personal Data is Processed under this DPA include: (a) Client's current, former, and prospective employees; (b) Client's contractors and contingent workers, where applicable; (c) job applicants engaged by Client through the Services; (d) HR administrators, managers, and other Authorized Users of the Services; and (e) such dependents, beneficiaries, or emergency contacts whose information Client elects to record in the Services.
2.4 HIPAA
Humareso does not intend to function as a HIPAA covered entity or HIPAA business associate under ordinary use of the Services and this DPA. Health information Processed by Humareso in connection with leave administration, accommodations, and similar HR functions is not Processed in the context of healthcare treatment, payment, or operations and is not protected health information ("PHI") under HIPAA. Such health information is nonetheless treated as Sensitive Data under this DPA and is subject to the additional safeguards described in Section 10.
3. Processor Obligations
3.1 Documented Instructions
Humareso shall Process Personal Data only on documented instructions from the Controller, including the instructions set forth in this DPA and the Service Agreement. Configuration of the Services by an Authorized User of Client constitutes a documented instruction. Humareso shall promptly inform the Controller if, in Humareso's opinion, an instruction infringes Applicable Data Protection Law.
3.2 Operational Necessity Carve-Out
Notwithstanding Section 3.1, Humareso may Process Personal Data without specific Controller instruction where reasonably necessary to: (a) maintain the security, integrity, or availability of the Services; (b) detect, investigate, and remediate fraud, abuse, or unlawful use of the Services; (c) debug, troubleshoot, or resolve technical errors; (d) comply with applicable law, including responding to valid legal process; or (e) establish, exercise, or defend legal claims. Humareso shall log such Processing activities and shall report to Controller, on request and no less than annually, a summary of any material Processing performed under this carve-out.
3.3 Confidentiality of Personnel
Humareso shall ensure that all personnel authorized to Process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Confidentiality obligations shall survive termination of employment or engagement.
3.4 Security Measures
Humareso shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Breach, as described in Section 5 and detailed in Annex B. Humareso shall periodically review and update such measures to address evolving risks.
3.5 Sub-Processor Management
Client provides general written authorization for Humareso to engage Sub-Processors, subject to the conditions in this Section and in Section 7. Humareso shall: (a) maintain a current list of Sub-Processors at humareso.com/legal/sub-processors; (b) impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA; (c) provide at least thirty (30) days' advance written notice of any addition, replacement, or removal of a Sub-Processor; (d) remain liable to Client for the acts and omissions of its Sub-Processors to the same extent as if Humareso performed the relevant acts itself; and (e) require each Sub-Processor, by written agreement, to notify Humareso of any Breach affecting Client Data without undue delay and within forty-eight (48) hours of the Sub-Processor's discovery of such Breach, so that Humareso can meet its notification obligations to Controller under Section 6.
Client may object to a new or replacement Sub-Processor on reasonable data protection grounds within fourteen (14) days of receiving notice. The Parties shall work in good faith to resolve the objection. If Humareso cannot accommodate the objection, Client may terminate the affected Service without penalty by providing written notice to Humareso.
3.6 Assistance with Data Subject Requests
Taking into account the nature of the Processing, Humareso shall assist Controller by appropriate technical and organizational measures, insofar as possible, in responding to verifiable requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability, and objection under Applicable Data Protection Law. Where the Services provide self-service tools that enable Controller to respond directly, Controller shall use those tools as the primary means of response. Humareso shall provide reasonable additional assistance within the timeframes required by Applicable Data Protection Law.
3.7 Assistance with Controller's Compliance Obligations
Humareso shall assist Controller, taking into account the nature of the Processing and the information available to Humareso, in ensuring compliance with Controller's obligations relating to: (a) security of Processing; (b) Breach notification to regulators and data subjects; (c) data protection impact assessments; and (d) prior consultation with supervisory authorities, where applicable.
3.8 Return or Deletion on Termination
Upon termination or expiration of the Service Agreement, Humareso shall return or delete Personal Data in accordance with Section 9. Humareso shall provide Controller with a written certificate of deletion confirming the date and scope of deletion within thirty (30) days following completion of deletion.
3.9 Audit Rights
Humareso shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA. Controller may, no more than once per calendar year, conduct or commission a qualified independent third party to conduct an audit of Humareso's Processing of Personal Data, on at least thirty (30) days' prior written notice. Audits shall be conducted during normal business hours, in a manner that does not unreasonably interfere with Humareso's operations, and subject to reasonable confidentiality obligations.
Humareso may satisfy its audit obligations under this Section by providing Controller with a copy of its then-current SOC 2 Type II report or comparable independent attestation. Controller may request additional audit activity at Controller's expense if the SOC 2 report does not reasonably address a documented compliance concern relevant to the Services.
4. Controller Obligations
Controller represents, warrants, and agrees that it shall:
(a) establish and maintain a valid lawful basis under Applicable Data Protection Law for the Processing of Personal Data instructed under this DPA, including obtaining any consents required from data subjects;
(b) provide all notices and disclosures to data subjects required by Applicable Data Protection Law, including notices regarding the use of Humareso as a Processor;
(c) comply with all laws, regulations, and contractual obligations applicable to Controller as the controller of the Personal Data;
(d) issue instructions to Humareso that are lawful, accurate, and consistent with the Service Agreement, and refrain from instructing Humareso to Process Personal Data in any manner that would cause Humareso to violate Applicable Data Protection Law; and
(e) be responsible for the accuracy, quality, and legality of Personal Data submitted to the Services.
5. Security Measures
5.0 AI Governance. Humareso may use AI-assisted features to support drafting, summarization, and analytical assistance within the Services. Humareso shall not use Client Data to train foundation models or general-purpose AI models. AI-generated output is subject to meaningful human review prior to use in employment-related communications or determinations. Humareso shall apply data minimization principles to AI-assisted processing and shall limit transmission of Personal Data to only those structured fields reasonably necessary for the requested task. Humareso may substitute AI subprocessors or providers from time to time in accordance with Section 7 and the Sub-Processor notification provisions of this DPA.
Humareso shall implement and maintain the following technical and organizational security measures, as further detailed in Annex B:
(a) Encryption in transit: TLS 1.2 or higher for all transmissions of Personal Data across public networks;
(b) Encryption at rest: AES-256 or equivalent for Personal Data stored in databases, object storage, and backup media;
(c) Multi-factor authentication: MFA required for all administrative access to systems containing Personal Data;
(d) Role-based access controls: least-privilege access, with quarterly access reviews and prompt deprovisioning upon role change or termination;
(e) Penetration testing: independent third-party penetration testing performed at least annually, with timely remediation of findings according to severity;
(f) Incident response: documented incident response plan with defined roles, escalation procedures, communication templates, and post-incident review;
(g) Background checks: pre-employment background checks on Humareso personnel with access to Sensitive Data, to the extent permitted by applicable law;
(h) Logging and monitoring: centralized logging, anomaly detection, and retention of security event logs sufficient to support investigation; and
(i) Secure development: secure software development lifecycle practices, including code review, dependency scanning, and vulnerability management.
Where Humareso uses AI models (currently Claude, provided by Anthropic, PBC) to generate drafts of determinations, communications, or summaries on behalf of the Client, such processing constitutes Humareso-directed sub-processing. Humareso transmits only the structured data fields necessary for each task. Raw uploaded documents, unstructured health records, and file attachments are not transmitted to AI models. AI-generated output is a draft for human administrator review and does not produce automated decisions. Anthropic does not retain or use API-submitted data for model training.
6. Breach Notification
6.1 Notice to Controller
Humareso shall notify Controller without undue delay and, where feasible, within seventy-two (72) hours after confirmation of a Breach affecting Client Data. Where Humareso becomes aware of a suspected security event that may materially affect Client Data, Humareso may provide preliminary notice prior to confirmation. Where an initial notice is sent based on a suspected Breach, Humareso shall provide updated information as its investigation progresses and shall confirm or withdraw the suspected Breach notification as soon as the nature of the event is determined.
6.2 Content of Notice
To the extent known and reasonably available at the time of notice, the notification shall include:
(a) the nature of the Breach, including the date or date range, the systems affected, and the means of compromise;
(b) the categories and approximate number of data subjects affected and the categories and approximate number of records affected;
(c) the likely consequences of the Breach;
(d) the measures taken or proposed to address the Breach and to mitigate its possible adverse effects; and
(e) the name and contact details of a point of contact at Humareso for further information.
Where it is not possible to provide all information at once, Humareso shall provide the available information promptly and shall supplement the notice as further information becomes known.
6.3 Cooperation
Humareso shall cooperate with Controller in good faith to support Controller's notification obligations to regulators, data subjects, and other affected parties. Humareso shall not, except as required by law, make any public statement attributing a Breach to Controller without Controller's prior written consent.
Controller, as the data controller, is solely responsible for notifying affected data subjects and supervisory authorities in accordance with Applicable Data Protection Law. Humareso's notification to Controller under Section 6.1 does not constitute notification to data subjects or regulatory authorities and does not reduce Controller's own notification obligations. Humareso will assist Controller in drafting notifications and providing factual information necessary for Controller's compliance upon Controller's written request.
7. Sub-Processors
7.1 List of Sub-Processors
The current list of approved Sub-Processors is published at humareso.com/legal/sub-processors and is updated as Sub-Processors are added, replaced, or removed.
Approved Sub-Processors include Microsoft Corporation, whose Exchange Online service functions as Humareso's primary business email platform for all client-facing communications across every Service. Personal data referenced in email correspondence between Humareso and Client, including employee names, case references, and HR matters discussed in the course of service delivery, passes through Microsoft infrastructure. Microsoft SharePoint and OneDrive are used for document storage and collaboration in connection with HRO and other service engagements.
Approved Sub-Processors also include Anthropic, PBC, an AI model provider located in the United States. Claude, the AI model provided by Anthropic, assists human administrators across Humareso platforms with drafting, summarization, and analytical tasks in HR workflows, including leave eligibility determinations, case communications, performance summaries, and related HR functions across Engage, Leave, Portal, and other Humareso platforms where AI-assisted features are enabled. Humareso transmits only the structured data fields necessary for each specific task; data categories may include employment identifiers (name, job title, department, work state, tenure, employment status), leave case data (case type, reason, dates, hours worked, FTE, employer headcount, program eligibility), performance data (ratings, written feedback text, goal status, behavioral scores), and case or communication context, as applicable to the platform feature in use. Raw medical documents, uploaded files, and unstructured health records are not transmitted. Anthropic does not retain or use API-submitted data for model training. Anthropic's privacy policy is available at https://www.anthropic.com/privacy.
7.2 Notice of Changes
Humareso shall provide Controller with at least thirty (30) days' advance written notice of any addition, replacement, or removal of a Sub-Processor, except where an immediate change is required for security, legal, or operational continuity purposes. Notice may be given by email to the data protection contact identified by Controller, by in-product notification, or by an opt-in subscription to the Sub-Processor list.
7.3 Right to Object
Controller may object to a proposed Sub-Processor on reasonable data protection grounds by providing written notice to Humareso within fourteen (14) days following Humareso's notice. The Parties shall work in good faith to address the objection, including by Humareso evaluating reasonable alternatives. If Humareso is unable to accommodate the objection within a reasonable period, Controller may terminate the affected Service without penalty and shall be entitled to a pro rata refund of prepaid fees for the unused remainder of the then-current term.
7.4 Flow-Down Obligations
Humareso shall enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA and that permits Humareso to comply with its obligations to Controller. Each Sub-Processor agreement shall require the Sub-Processor to notify Humareso of any Breach affecting Client Data without undue delay, and in any event within forty-eight (48) hours of the Sub-Processor's discovery of the Breach.
8. International Data Transfers
8.1 Storage Location
Personal Data is stored and Processed in the United States. Humareso shall not transfer Personal Data to a jurisdiction outside the United States without Controller's prior written consent, except for transfers to Sub-Processors listed at humareso.com/legal/sub-processors and any successor or replacement Sub-Processors notified under Section 7.
8.2 EU and UK Transfers
Where Personal Data of data subjects in the European Economic Area, the United Kingdom, or Switzerland is transferred to Humareso, the Parties agree that the Standard Contractual Clauses, Module Two (Controller to Processor), are incorporated into this DPA by reference and shall govern such transfers. For transfers from the United Kingdom, the UK International Data Transfer Addendum applies. Humareso shall execute the SCCs and any required addenda upon Controller's written request.
8.3 Optional Clauses
For purposes of the SCCs: (a) the optional docking clause in Clause 7 does not apply unless the Parties agree in writing; (b) the option in Clause 9(a) is "general written authorization" with thirty (30) days' notice as set out in Section 7 of this DPA; (c) the option in Clause 11(a) regarding independent dispute resolution does not apply; (d) the governing law in Clause 17 is the law of Ireland; and (e) the supervisory authority in Annex I.C is the supervisory authority of the data exporter's place of establishment.
8.4 Conflict
In the event of a conflict between this DPA and the SCCs, the SCCs prevail with respect to transfers governed by them.
9. Data Retention and Deletion
9.1 During the Term
Humareso shall retain Personal Data only for as long as necessary to provide the Services, subject to Controller's instructions and applicable retention requirements set forth in Annex A.
9.2 Export on Termination
Within ten (10) business days following the effective date of termination or expiration of the Service Agreement, Humareso shall make Client Data available for export by Controller in CSV, JSON, or another commercially reasonable structured export format, at Controller's election. Controller is responsible for retrieving exported data within the export window made available by Humareso under the Service Agreement.
9.3 Deletion
Following the export period, Humareso shall delete or anonymize Personal Data from production systems within thirty (30) days and shall delete Personal Data from backups in accordance with Humareso's standard backup rotation, which shall not exceed one hundred eighty (180) days. Humareso shall provide Controller with a written deletion certificate within thirty (30) days following completion of production-system deletion.
9.4 Legal Holds
Notwithstanding the foregoing, Humareso may retain Personal Data to the extent and for the period required by applicable law, valid legal process, or a documented legal hold. Personal Data retained under this Section shall remain subject to the protections of this DPA for so long as Humareso retains it.
10. Sensitive Data
10.1 Designation
Health information contained in leave of absence cases, accommodation files, and related records, together with compensation data, is designated as Sensitive Data and is subject to the additional safeguards in this Section. Other categories of Sensitive Data identified in Section 1.2 are subject to the same safeguards where Processed by Humareso under the Services.
10.2 Additional Safeguards
Humareso shall:
(a) Segregated storage: maintain Sensitive Data in logically segregated storage with access controls distinct from those applied to general Client Data;
(b) Named-role access: limit access to Sensitive Data to a defined set of named roles with a documented need-to-know, and maintain a current roster of personnel assigned to those roles;
(c) No marketing transmission: not transmit Sensitive Data to any Sub-Processor used for marketing, advertising, lead generation, or analytics purposes that are not strictly necessary to provide the Services;
(d) Separate audit log: maintain a separate, tamper-evident audit log of access to and Processing of Sensitive Data, retained for no less than twenty-four (24) months and made available to Controller on request; and
(e) Training: provide role-based privacy and security training to personnel with access to Sensitive Data at least annually.
11. Liability
11.1 General
Each Party shall be liable for damages caused by its own breach of this DPA, subject to the limitations in this Section.
11.2 Cap
Humareso's aggregate liability arising out of or relating to this DPA shall be limited to the total fees paid by Controller to Humareso under the applicable Service Agreement during the twelve (12) months preceding the event giving rise to liability.
11.3 Exceptions to Cap
The limitation in Section 11.2 shall not apply to liability arising from: (a) breach of confidentiality obligations under this DPA; (b) gross negligence; (c) willful misconduct; (d) unauthorized disclosure of Client Data resulting from Humareso's gross negligence or willful misconduct; (e) violations of Applicable Data Protection Law; or (f) infringement of third-party intellectual property rights. Liability for the foregoing categories is uncapped.
11.4 Relationship to Service Agreement
Except as expressly modified by this Section 11, the limitations and exclusions of liability set forth in the Service Agreement apply to this DPA. Where the Service Agreement and this DPA conflict regarding liability, this DPA controls with respect to claims arising from the Processing of Personal Data.
12. Term
This DPA takes effect on the Effective Date and is coterminous with the Service Agreement. The provisions of this DPA shall survive termination or expiration of the Service Agreement for so long as Humareso retains Personal Data and to the extent necessary to fulfill Humareso's obligations relating to return, deletion, audit, breach notification, confidentiality, and limitations of liability.
13. Governing Law and Disputes
This DPA is governed by the laws of the State of Florida, without regard to its conflict of laws principles. Disputes arising out of or relating to this DPA shall be resolved by binding arbitration administered by JAMS in accordance with the dispute resolution provisions of the Service Agreement. Notwithstanding the foregoing, where the SCCs apply to a transfer, the choice of law and forum provisions of the SCCs govern the SCCs themselves.
14. Miscellaneous
14.1 Order of Precedence
In the event of a conflict between this DPA and the Service Agreement, this DPA controls with respect to the Processing of Personal Data. The SCCs control over this DPA with respect to transfers governed by them.
14.2 Entire Agreement
This DPA, together with its Annexes, the Service Agreement, and any documents incorporated by reference, constitutes the entire agreement between the Parties regarding the Processing of Personal Data.
14.3 Amendment
This DPA may be amended only by a writing signed by both Parties, except that Humareso may update Annex B and the list of Sub-Processors in accordance with the procedures in this DPA.
14.4 Severability
If any provision of this DPA is held unenforceable, the remaining provisions shall remain in full force and effect, and the unenforceable provision shall be modified to the minimum extent necessary to make it enforceable while preserving the Parties' intent.
14.5 Counterparts
This DPA may be executed in counterparts, including electronic counterparts, each of which shall be deemed an original and all of which together shall constitute one instrument.
15. Signatures
HUMARESO, LLC
Signature: ____________________________________
Name: ________________________________________
Title: _________________________________________
Date: _________________________________________
CLIENT
Legal Entity Name: _____________________________
Signature: ____________________________________
Name: ________________________________________
Title: _________________________________________
Date: _________________________________________
Effective Date: _____________________________
Annex A: Processing Activities
The following table describes the Processing performed by Humareso for each Service. Where Client does not subscribe to a particular Service, the corresponding row does not apply.
A.1 Engage (HRIS, Performance, Engagement)
Purpose of Processing: Provide core HRIS functionality, performance management, goal setting, feedback, recognition, and engagement surveys for Client's workforce.
Categories of Data Subjects: Client's employees, contractors, managers, HR administrators.
Categories of Personal Data: Identifiers (name, employee ID, work email, work phone), employment data (job title, department, manager, hire date, location), performance data (goals, reviews, feedback, ratings), engagement survey responses, profile photos.
Sensitive Data: Compensation data where Client elects to record it.
Retention Period: Active for the term of the Service Agreement; deleted in accordance with Section 9 following termination, subject to legal holds.
Sub-Processors: Cloud hosting, email delivery, analytics, error monitoring, and customer support tooling as listed at humareso.com/legal/sub-processors. Anthropic, PBC (AI-assisted performance summarization, drafting, and analytical tasks across Engage features).
A.2 Portal (Employee and Manager Self-Service)
Purpose of Processing: Provide employees and managers with self-service access to HR documents, requests, and case management.
Categories of Data Subjects: Client's employees, managers, HR administrators.
Categories of Personal Data: Identifiers, employment data, document content uploaded by users, case content and correspondence, ticket metadata.
Sensitive Data: Where users upload documents containing sensitive content.
Retention Period: Active for the term of the Service Agreement; deleted per Section 9 following termination, subject to legal holds.
Sub-Processors: Cloud hosting, file storage, email delivery, customer support tooling as listed at humareso.com/legal/sub-processors. Anthropic, PBC (AI-assisted drafting and case communication features where enabled).
A.3 Leave (Leave of Absence Administration)
Purpose of Processing: Administer leave of absence requests, accommodations, return-to-work coordination, and related compliance workflows.
Categories of Data Subjects: Client's employees requesting or affected by leave; HR administrators; designated managers; named dependents or family members where Client records them.
Categories of Personal Data: Identifiers, employment data, leave reason and dates, medical certifications and notes, accommodation requests, correspondence, case status.
Sensitive Data: Health and medical information; disability information; family relationship information.
Retention Period: Retained for the duration of the leave case plus the period required by applicable law (typically up to seven years for FMLA-related records); deleted per Section 9 thereafter, subject to legal holds.
Sub-Processors: Cloud hosting, secure document storage, fax transmission, email delivery, and AI-assisted intake tooling as listed at humareso.com/legal/sub-processors. Anthropic, PBC (AI-assisted determination and communication drafting).
A.4 Hub (Compliance Content and Handbook)
For Hub services provided to Client as a Controller-instructed Service (for example, Client-branded handbook hosting), the following applies. Where Hub is provided directly to a subscriber as a Humareso-controlled offering, that relationship is governed by Humareso's direct subscriber terms and not by this DPA.
Purpose of Processing: Host and distribute Client's policies, handbooks, and compliance content to Client's workforce; track acknowledgments.
Categories of Data Subjects: Client's employees and Authorized Users.
Categories of Personal Data: Identifiers, employment data, acknowledgment records, access logs.
Sensitive Data: Not ordinarily Processed.
Retention Period: Active for the term of the Service Agreement; deleted per Section 9 following termination, subject to legal holds.
Sub-Processors: Cloud hosting, content delivery, analytics, and email delivery as listed at humareso.com/legal/sub-processors.
A.5 HR Outsourcing (HRO) Services
Purpose of Processing: Provide outsourced HR services to Client, which may include employee relations, policy administration, compliance support, recruiting support, onboarding and offboarding administration, leave administration, and related advisory services.
Categories of Data Subjects: Client's current, former, and prospective employees; contractors; managers; HR administrators; complainants and witnesses in employee relations matters; named dependents or beneficiaries where applicable.
Categories of Personal Data: Identifiers, contact information, employment data, performance and disciplinary records, investigation records and correspondence, applicant data, onboarding documentation, benefits enrollment information, and other Personal Data shared by Client with Humareso to perform HRO services.
Sensitive Data: Health information arising in leave and accommodation matters; compensation data; government-issued identifiers in onboarding records; investigation content.
Retention Period: Active for the term of the HRO engagement plus the period required by applicable law and the Service Agreement; deleted per Section 9 thereafter, subject to legal holds.
Sub-Processors: Cloud hosting, secure document storage, email delivery, communications, e-signature, and case management tooling as listed at humareso.com/legal/sub-processors. Microsoft Corporation (Exchange Online, the primary business email platform for all client communications, which may include references to employee data, case details, and HR matters discussed in the course of HRO service delivery).
Annex B: Technical and Organizational Security Measures
Humareso maintains the following technical and organizational measures. Humareso may update these measures from time to time, provided that the level of protection afforded to Personal Data is not materially reduced.
B.1 Information Security Program
Humareso maintains a written information security program approved by management, reviewed at least annually, and aligned with industry-recognized frameworks including SOC 2 and applicable elements of ISO 27001 and the NIST Cybersecurity Framework.
B.2 Access Control
(a) Unique user identifiers for all personnel and Authorized Users.
(b) Role-based access control with least-privilege provisioning.
(c) Multi-factor authentication required for all administrative access and for remote access to production systems.
(d) Quarterly access reviews of administrative and privileged accounts.
(e) Prompt deprovisioning of access upon role change, termination, or extended leave.
(f) Password complexity, rotation, and lockout controls aligned with current NIST guidance.
B.3 Encryption
(a) TLS 1.2 or higher for all transmissions of Personal Data over public networks.
(b) AES-256 or equivalent for Personal Data stored in production databases, object storage, and backup media.
(c) Centralized key management with rotation and access logging.
B.4 Network and Infrastructure Security
(a) Logical segmentation between production, staging, and development environments.
(b) Firewalls, security groups, and network access control lists configured to deny by default.
(c) Web application firewall protection on internet-facing applications.
(d) Distributed denial-of-service mitigation through cloud provider services.
(e) Regular patching of operating systems, middleware, and application dependencies according to severity-based service levels.
B.5 Application Security
(a) Secure software development lifecycle including peer code review, static analysis, dependency scanning, and software composition analysis.
(b) Pre-production security testing for material releases.
(c) Independent third-party penetration testing performed at least annually, with timely remediation tracked through closure.
(d) Vulnerability management program with defined service levels for remediation by severity.
B.6 Logging and Monitoring
(a) Centralized application and infrastructure logging.
(b) Security event monitoring with alerting on anomalous activity.
(c) Tamper-evident retention of security logs sufficient to support investigation.
(d) Separate, restricted-access audit log for Sensitive Data Processing as described in Section 10.
B.7 Incident Response and Business Continuity
(a) Documented incident response plan with defined roles, escalation, and communication procedures.
(b) Annual tabletop exercise of the incident response plan.
(c) Documented business continuity and disaster recovery plans with defined recovery time and recovery point objectives.
(d) Regular backup of production data with periodic restoration testing.
B.8 Personnel Security
(a) Pre-employment background checks on personnel with access to Sensitive Data, to the extent permitted by applicable law.
(b) Confidentiality and acceptable-use agreements signed by all personnel.
(c) Security and privacy awareness training at hire and at least annually thereafter.
(d) Role-based privacy and security training for personnel with access to Sensitive Data.
B.9 Vendor and Sub-Processor Management
(a) Risk-based due diligence on Sub-Processors prior to engagement.
(b) Written contracts imposing data protection obligations no less protective than this DPA.
(c) Periodic reassessment of Sub-Processors based on risk.
B.10 Physical Security
Production systems are hosted in cloud data centers operated by reputable providers that maintain SOC 2 Type II, ISO 27001, or equivalent attestations covering physical security, environmental controls, and media handling. Humareso does not operate its own data centers. Humareso office locations enforce badge-based access and visitor controls; Humareso personnel work primarily from secured remote environments configured under Humareso's endpoint management standards.
B.11 Endpoint Security
(a) Centralized device management for personnel endpoints with access to Personal Data.
(b) Full-disk encryption on managed endpoints.
(c) Endpoint detection and response tooling.
(d) Automatic screen lock and remote wipe capability for lost or stolen devices.
B.12 Data Minimization and Retention
(a) Collection limited to Personal Data necessary to provide the Services.
(b) Retention configured in accordance with Annex A and Controller instruction.
(c) Secure deletion procedures applied at end of retention or upon termination.
B.13 Continuous Improvement
Humareso periodically reviews and updates its security measures based on changes in the threat landscape, lessons learned from incidents and exercises, results of audits and assessments, and evolving regulatory expectations.
End of Data Processing Agreement.