Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between Takt, Inc. (“Takt,” “Processor,” “Service Provider,” “we,” “our,” or “us”) and the customer entity (“Customer” or “Controller”) governing Customer’s use of Takt’s services (the “Agreement”).

This DPA applies where Takt processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

For purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person processed by Takt on behalf of Customer.

“Processing” means any operation performed on Personal Data, including collection, use, storage, disclosure, or deletion.

“Applicable Data Protection Laws” means all applicable privacy and data protection laws, including, where applicable, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).

“Subprocessor” means any third party engaged by Takt to process Personal Data on behalf of Customer.

2. Roles of the Parties

The parties acknowledge that:

• Customer is the Controller (or Business under CCPA/CPRA)

• Takt is the Processor (or Service Provider under CCPA/CPRA)

Takt will process Personal Data only on behalf of Customer and in accordance with Customer’s documented instructions as set forth in the Agreement and this DPA.

3. Scope and Purpose of Processing

Takt processes Personal Data solely for the purpose of providing, operating, and supporting the Services.

Nature of Processing

Processing includes ingestion, storage, analysis, and retrieval of workforce and operational data.

Categories of Data Subjects

• Customer employees

• Customer contractors

• Customer representatives and users

Categories of Personal Data

• Employee identifiers (e.g., name, employee ID, manager)

• Workforce performance and productivity data

• Operational activity data from warehouse systems

• Optional compensation-related data (e.g., hourly wages)

Takt does not intentionally collect sensitive personal data such as biometric data unless explicitly provided by Customer.

4. Customer Obligations

Customer represents and warrants that:

• It has all necessary rights and legal bases to provide Personal Data to Takt

• It will comply with all Applicable Data Protection Laws

• It will provide required notices to data subjects

Customer is responsible for the accuracy, quality, and legality of Personal Data provided to Takt.

5. Processor Obligations

Takt agrees to:

• Process Personal Data only in accordance with Customer’s instructions

• Not sell Personal Data or share it for cross-context behavioral advertising

• Not retain, use, or disclose Personal Data for any purpose other than providing the Services, except as required by law

• Notify Customer if it believes an instruction violates applicable law

6. Confidentiality

Takt will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

7. Security Measures

Takt will implement appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of data in transit and at rest

• Access controls and authentication (including multi-factor authentication)

• Monitoring and logging of system activity

• Vulnerability management and security testing

Takt will regularly review and update its security measures in line with industry standards.

8. Subprocessors

Customer authorizes Takt to engage Subprocessors to process Personal Data.

Takt will:

• Maintain an up-to-date list of Subprocessors at https://trust.takt.io

• Ensure Subprocessors are bound by data protection obligations no less protective than those in this DPA

• Remain responsible for the performance of Subprocessors

9. International Data Transfers

Takt may transfer Personal Data to countries outside of the Customer’s jurisdiction, including the United States.

Where required by Applicable Data Protection Laws, Takt will implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs)

• Other lawful transfer mechanisms

10. Data Subject Rights

Taking into account the nature of processing, Takt will assist Customer in responding to requests from data subjects to exercise their rights under Applicable Data Protection Laws, including requests for access, correction, deletion, or restriction.

If Takt receives a request directly from a data subject, Takt will direct the request to Customer unless otherwise legally required.

11. Data Retention and Deletion

Takt will retain Personal Data for the duration of the Agreement and for up to one (1) year following termination, unless otherwise required by law.

Upon termination of the Agreement or upon Customer’s written request, Takt will delete or return Personal Data, except where retention is required by law.

Backup data may be retained for up to 90 days before deletion.

12. Security Incidents

Takt will notify Customer without undue delay upon becoming aware of a confirmed Security Incident involving Personal Data.

Such notification will include, to the extent available:

• The nature of the incident

• The categories and approximate number of affected data subjects

• The likely consequences of the incident

• Measures taken or proposed to address the incident

Takt will cooperate with Customer in investigating and mitigating the incident.

13. Audits

Upon reasonable request, Takt will make available information necessary to demonstrate compliance with this DPA.

Where appropriate, this may include providing relevant audit reports or certifications (such as SOC 2 reports), in lieu of on-site audits.

14. Return or Deletion of Data

Upon termination of the Agreement, Customer may request deletion or return of Personal Data.

Takt will comply with such requests within a reasonable timeframe, subject to legal obligations and standard backup retention practices.

15. CCPA / CPRA Provisions

To the extent applicable:

• Takt acts as a “Service Provider” under CCPA/CPRA

• Takt will not sell or share Personal Data

• Takt will not retain, use, or disclose Personal Data for any purpose other than performing the Services

• Takt will comply with applicable obligations under CCPA/CPRA

16. Limitation of Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.

17. Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to data protection matters.

18. Governing Law

This DPA is governed by the governing law specified in the Agreement.