Data Processing Addendum

If you would like to discuss the terms of this DPA, please reach out to your Calm Account Executive. Please do not download and redline from this webpage version.

Data Processing Addendum

Effective April 2024

This Data Processing Addendum (“DPA”) is incorporated into any written agreement currently in effect between Customer and Calm that references this DPA (the “Agreement”). This DPA applies where Calm Processes Customer Personal Data as a processor/service provider on behalf of Customer (the controller), in connection with providing the Services. Capitalized terms not otherwise defined in this DPA have the meanings ascribed to such terms in the Agreement.

1. Data Processing And Protection

1.1 Limitations on Use. Calm will Process Customer Personal Data only: (a) in a manner consistent with documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country, which will include Processing (i) as authorized or permitted under the Agreement, including as specified in Attachment 2 to this DPA, and (ii) consistent with other reasonable instructions of Customer, provided that Processing pursuant to such other instructions may be subject to additional fees; and (b) as required by Data Protection Law, provided that Calm will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law. Without limiting the foregoing, Calm will not: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the Parties or (ii) for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than providing the Services, (y) sell or share (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Calm receives from individuals or other customers except as permitted by Data Protection Law, provided that Calm may associate Customer Personal Data with the relevant Users.

1.2 Compliance. Each Party will comply with its obligations under Data Protection Law. Calm shall notify Customer within five (5) business days of determining that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Calm has Processed Customer Personal Data without authorization, Calm will take reasonable and appropriate steps to stop and remediate such Processing.

1.3 Security. Calm will implement measures to protect Customer Personal Data that meet or exceed applicable requirements under Data Protection Law, including, as applicable, requirements under Article 32 of the GDPR. These measures include technical and organizational measures described in Attachment 3, such as the use of firewalls, access control protocols, business continuity measures, penetration tests, and patch management protocols.

1.4 Disposal. Calm will destroy or anonymize all Customer Personal Data, in the manner and on the schedule as required by Data Protection Law, and in accordance with Calm’s then-current data deletion practices.

2. Assistance

2.1 Data Subject’s Rights Assistance. Taking into account the nature of the Processing, Calm will reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising any individual’s privacy or data protection rights provided under Data Protection Law, including rights laid down in Chapter III of the GDPR. Customer will inform Calm of any Data Subject request that Calm must comply with and provide the information necessary for Calm to comply with the request.

2.2 Security and Assistance. Taking into account the nature of Processing and the information available to Calm, Calm will reasonably assist Customer in ensuring compliance with its security obligations under Article 32 of the GDPR.

2.3 Customer Data Breach Notice and Assistance. Calm will notify Customer of any Customer Data Breach without undue delay after becoming aware of such Customer Data Breach. Taking into account the nature of Processing and the information available to Calm, Calm will assist Customer in ensuring compliance with Customer’s notification obligations under Data Protection Law in connection with any Customer Data Breach, including in ensuring compliance with Customer’s obligations pursuant to Articles 33 and 34 of the GDPR. Calm’s notification of or response to a Customer Data Breach will not constitute an acknowledgment of fault or liability with respect to the Customer Data Breach.

2.4 Data Protection Impact Assessment Assistance. Taking into account the nature of Processing and the information available to Calm, Calm will assist Customer in ensuring compliance with the obligations under Articles 35 and 36 of the GDPR.

3. Audits

3.1 Calm’s Audit Reports. To help Customer assess Calm’s compliance with the terms of this DPA, upon Customer’s request, and subject to the confidentiality provisions of the Agreement, Calm will make available to Customer copies of, or extracts from, Calm’s audit reports related to security (e.g., SOC 2 Type II for Calm Business and HITRUST for Calm Health).

3.2 Customer’s Audit Rights. Calm will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to verify Calm’s compliance with this DPA if such an audit is required by Data Protection Laws and Calm’s compliance cannot be demonstrated by means that are less burdensome on Calm (including under Section 4.1). In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by Calm, including that such audit must occur during Calm’s normal business hours; (b) comply with reasonable and applicable on-site policies and procedures provided by Calm; and (c) not unreasonably interfere with Calm’s business activities. Customer will provide written communication of any audit findings to Calm, and the results of the audit will be the Confidential Information of Calm. Customer will provide no less than thirty (30) days’ advance notice of its request for any such audit, and will cooperate in good faith with Calm to schedule any such audit on a mutually agreed-upon date and time (such agreement not to be unreasonably withheld by either Party). Customer may not make more than one such request in a calendar year, unless such request is required by a competent supervisory authority. Customer will be responsible for all costs associated with any such audits.

4. Subprocessors

Customer authorizes Calm to use subcontractors set forth at https://business.calm.com/calm-subprocessor-list/ to Process Customer Personal Data in connection with the provision of Services to Customer (“Subprocessor”). Calm will notify Customer of any intended changes concerning the addition or replacement of its Subprocessors by updating the list at https://business.calm.com/calm-subprocessor-list/. If Customer provides written notice of its objection within ten (10) days of such update and Calm determines it cannot accommodate such objection, Calm may terminate the Agreement upon notice to Customer without liability. Calm will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Calm will remain liable for any acts or omissions of its Subprocessors as it would for its own acts and omissions.

5. Data Transfers

5.1 Overview. The transfer of EEA, UK, and Swiss residents’ Customer Personal Data to a country not subject to an adequacy decision (a “Data Transfer”) will be subject to the SCCs, which are incorporated and deemed executed by this reference. If an alternative transfer mechanism for legitimizing Data Transfers (an “Alternative Mechanism”) becomes available during the term of this DPA, and Calm notifies Customer that Data Transfers can be conducted in compliance with Data Protection Law pursuant to the Alternative Mechanism, the Parties will rely on the Alternative Mechanism to legitimize Data Transfers instead of the provisions that follow.

5.2 SCCs. The Parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs (which are deemed executed as of the effective date of this DPA) with Customer as the “data exporter” and Calm as the “data importer.”

5.3 Transfers Subject to Swiss Data Protection Law. If any Customer Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”) is subject to a Data Transfer, the Parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to the FADP.

5.4 Transfers Subject to the UK GDPR. Any Customer Personal Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated by this reference. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.

6. Miscellaneous

The terms of this DPA will control to the extent there is any conflict between the subject matter of this DPA and the Agreement. Without limiting the foregoing, the limitation of liability clauses, governing law clause and dispute resolution clauses of the Agreement will apply to any disputes arising out of this DPA.


Attachment 1

Definitions

For purposes of this DPA, the following terms will have the meaning ascribed below:

“Customer Personal Data” means any Personal Data provided by Customer to Calm under the Agreement. “Personal Data” means any information relating to a natural person that is subject to protection under the Data Protection Law and includes information that is referred to as “personal information,” “personal data,” and similar terms as may be defined in the Data Protection Law.

“Customer Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

“Data Protection Law” means any and all privacy, security and data protection laws and regulations that apply to the Customer Personal Data Processed by Calm under the Agreement, including, as applicable, the GDPR, Member State laws implementing the GDPR, the UK GDPR, the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data or on sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The Parties make the following choices for implementing the SCCs:

  • In Clause 7, the optional docking clause will apply.
  • The audits contemplated by Section 8.9 shall be conducted according to Section 4 of this DPA.
  • In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in Section 5 of this DPA.
  • In Clause 11 the optional language will not apply to the SCCs or the UK IDTA.
  • In Clause 15.1(a), Calm will notify Customer if it receives a government access request and Customer shall be solely responsible for notifying affected Data Subjects.
  • In Clause 17, the SCCs shall be governed by the laws of Ireland.
  • In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.
  • The information needed to complete Annex I of the SCCs is included in Attachment 2 to this DPA.
  • The information needed to complete Annex II of the SCCs is included in Attachment 3 to this DPA.
  • The information needed to complete Annex III of the SCCs is included at https://business.calm.com/calm-subprocessor-list/.

“Services” means the services provided by Calm to Customer of verifying eligibility of individuals to receive the Calm services at a discount, as further described under the Agreement.

“UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. The information needed to complete the Tables to the UK IDTA is provided in the Attachments to this DPA.

Attachment 2

Scope of Processing

Subject-Matter and Duration of Processing

Calm Processes Customer Personal Data in connection with the subject matter specified under the Agreement and until the Agreement terminates or expires, unless otherwise agreed upon by the Parties in writing.

Nature and Purpose of Processing (i.e., Processing operations)

Customer has agreed to pay for certain individuals to receive full or discounted access to certain Services described in the Agreement. Customer may from time to time provide Customer Personal Data, including limited personal data regarding eligible individuals, so that individuals to whom Customer wants to provide access to such Services can register for a Calm account. To provide Customer Personal Data to Calm, Customer may from time to time (i) provide an eligibility file to Calm containing names, email addresses, and other related information of such individuals; (ii) work with Calm to establish a Single Sign-On (SSO) or Application Programming Interface (API) connection between Customer’s website and Calm’s services; or (iii) use such other methods as agreed upon between the Parties. Calm will use the Customer Personal Data it receives to: determine if the registering individual is eligible; communicate with the individual regarding the Services; provide Customer and user support, including help with eligibility issues; and, subject to Customer’s choices in the Admin Console and feature availability, communicate with individuals on Customer’s behalf to promote the availability of the Services.

Types of Personal Data

The personal data subject to this DPA includes the unique identifier(s) (email address, employee ID, or other nonsensitive identifier as determined by Customer) provided by Customer to Calm, as well as any additional data Customer appends for segmented data reporting purposes. For the avoidance of doubt, Calm is the controller of any personal data Calm collects from any individual User, and such data may include name and email address that overlaps with information contained within the eligibility data provided by Customer.

Categories of Data Subjects

Individuals that Customer wishes to provide the discounted Services, as determined by Customer.

Special Categories of Data (if appropriate)

None.

Data exporter (if applicable)

Customer is a company that wishes to help promote use of Calm’s services by certain individuals.

Data importer (if applicable)

Calm is an operator of consumer-facing web and mobile applications that provide music, stories, meditations and other content.

Frequency of Transfers

Calm will import Customer Personal Data on a continuous basis.

Period of Data Retention

Calm will retain the Customer Personal Data until the termination of the Agreement, unless otherwise agreed to by the Parties.

Attachment 3

Security of Customer Personal Data

Calm employs the following technical and organizational measures to protect Customer Personal Data:

1. Calm Data Governance. Calm maintains appropriate policies and procedures to safeguard Customer Personal Data. It regularly commissions independent audits of its compliance with such policies as part of its third-party certifications (e.g., SOC 2 Type II for Calm Business and HITRUST for Calm Health) and will make summaries of its audit reports available to Customer pursuant to Section 4 (Audits) of the DPA.

2. Calm Systems. Calm has implemented reasonable measures designed to help prevent and detect unauthorized access to the Calm systems used to process Customer Personal Data, including:

  1. implementation and maintenance of a number of policies and training to inform workforce members about their obligations to access Customer Personal Data and supporting systems only to the extent necessary to perform their job duties (e.g., need-to-know and the principle of least access), handle sensitive information, or report an incident, as well as the consequences for violation of such obligations;
  2. requiring individual account credentials such as user IDs that, once assigned, are not reassigned to another person;
  3. procedures limiting the release of Customer Personal Data only to workforce members;
  4. implementation and maintenance of a role-based access policy and related protective measures;
  5. utilization of credentials (passwords) for Calm systems with enforced complexity requirements of at least eight characters or the system maximum permitted number and required modification of such credentials at first use and thereafter at least every one hundred and twenty (120) days;
  6. automatic disabling of individual account credentials when several erroneous passwords are entered and maintenance of a log file of events, including monitoring of brute force attacks;
  7. automatic deactivation of workforce member authentication credentials in case of non-use for a defined period of time, except for those authorized solely for technical management and subject to alternate monitoring and reviews;
  8. revocation of access rights upon termination of workforce member;
  9. identification of the machine and/or workforce member accessing Calm systems;
  10. dedication of individual machines and/or workforce member to specific functions, where appropriate;
  11. controlling and monitoring the use of administrative privileges;
  12. limitations and controls on Calm network ports, protocols, and services;
  13. implementation and maintenance of anti-virus scanning, intrusion detection systems, and other malware defenses on and for Calm networks and systems;
  14. end-point monitoring and centralized log collection, analysis, and anomaly detection; and
  15. risk-based implementation of industry standard encryption technologies.

3. Cloud Security.

  1. Calm Business. For Calm Business, as of the Effective Date of this DPA, Calm leverages Amazon Web Services (“AWS”) as its primary cloud-hosting partner, a recognized industry-leading cloud hosting platform that is SOC, HIPAA, NIST, and ISO compliant, among other such certifications. The service selections and configuration choices with respect to AWS also reflect Calm’s conscientious security approach. For example, Calm may utilize, as appropriate:
    1. Snyk for code-level vulnerabilities and Intruder.io for public endpoint vulnerability scanning;
    2. AWS Shield for DDoS mitigation;
    3. AWS WAF for application firewall;
    4. AWS GuardDuty for IDS;
    5. AWS CloudTrail to monitor network and API activity for anomalies in Calm’s cloud environments;
    6. AWS SSE & KMS for encryption at rest;
    7. AWS ACM for SSL certificate management;
    8. AWS ALBs for TLS termination and cipher policy enforcement;
    9. Snyk for AWS ECR container static analysis;
    10. AWS Config for policy enforcement and monitoring;
    11. AWS Security Hub for further monitoring and alerting of common security issues; and
    12. PerimeterX for bot detection. Calm may update its cloud hosting partner for Calm Business by updating the list of Subprocessors at https://business.calm.com/calm-subprocessor-list/.
  2. Calm Health. For Calm Health, as of the Effective Date of this DPA, Calm leverages Google Cloud Platform (“GCP”) as its primary cloud-hosting partner, a recognized industry-leading cloud hosting platform that is SOC, HIPAA, NIST, and ISO compliant, among other such certifications. Calm’s service selections and configuration choices with respect to GCP also reflect Calm’s conscientious security approach. For example, Calm may utilize, as appropriate:
    1. GCP Web Security Scanning for vulnerability scanning;
    2. GCP Cloud Armor for DDoS mitigation;
    3. GCP Cloud Armor WAF for application firewall;
    4. Sumo Logic for SIEM;
    5. GCP and DataDog Monitoring to monitor network and API activity for anomalies in our cloud environments;
    6. GCP for encryption at rest;
    7. GCP Certificate Manager for SSL certificate management;
    8. GCP SSL policies for TLS termination and cipher policy enforcement;
    9. Snyk or GCP Container Analysis for static container analysis;
    10. GCP Organization Policy Service and Resource Manager for policy enforcement and monitoring;
    11. GCP Security Command Center for further monitoring and alerting of common security issues; and
    12. PerimeterX for bot detection. Calm may update its cloud hosting partner for Calm Health by updating the list of Subprocessors at https://business.calm.com/calm-subprocessor-list/.

4. Calm Asset Management. Calm has implemented reasonable measures designed to help ensure reasonable control and configuration of Calm-owned hardware and software assets, including:

  1. conducting and maintaining an inventory of Calm hardware assets;
  2. conducting and maintaining an inventory of Calm software assets;
  3. assessing risk-appropriate configurations to Calm hardware and software on mobile devices, laptops, workstations, and servers;
  4. changing default passwords prior to deploying any new Calm hardware asset; and
  5. maintaining a reasonable vulnerability scanning and management program.

5. Calm Application Software Security. Calm has implemented reasonable measures designed to help address privacy and security considerations in the development of its code for the Calm platform, including:

  1. separating production and non-production systems;
  2. implementing standardized coding practices and code reviews appropriate to the programming language and development environment;
  3. ensuring development workforce members receive training regarding secure coding practices, vulnerabilities such as the OWASP Top Ten, and HIPAA and PHI training; and
  4. conducting or engaging a reputable third party to conduct periodic, risk-based penetration tests of any external or internal websites, applications, and systems used to Process Customer Personal Data.

6. Physical Security. Calm maintains reasonable measures designed to help prevent and detect unauthorized access to the data processing facilities where Customer Personal Data is stored or processed by Calm or its vendors for data center or cloud services, including:

  1. establishing security areas, with 24 hour security service provided by the property owner;
  2. protecting and restricting access paths;
  3. securing data processing equipment; and
  4. maintaining appropriate processes applicable to the use of physical access cards or keys.

7. Personnel. Calm has implemented reasonable technical and organizational measures to help ensure its workforce members are subject to a contractual or statutory obligation of confidentiality and are regularly trained regarding privacy and security.

The post Data Processing Addendum appeared first on Calm Business.