Data Processing Addendum
A counsel-review draft for customers that need data processing, FERPA, student-data, and subprocessor terms for dooMO.
DPA draft
This Data Processing Addendum is not effective until reviewed, approved, dated, and incorporated into an order form, master services agreement, or Terms of Service.
Parties and scope
This Data Processing Addendum ("DPA") is between Tributary Studios LLC, a Minnesota limited liability company ("Tributary"), provider of dooMO, and the customer organization that uses dooMO ("Customer"). This DPA supplements the Terms of Service, order form, or other agreement that references it.
If there is a conflict between this DPA and the Terms, this DPA controls for processing of Customer Data, Personal Data, Student Data, and Education Records.
Definitions
- Customer Data means task descriptions, comments, photos, files, building data, member rosters, invitations, and related metadata submitted to dooMO by Customer or its authorized users.
- Personal Data means information that identifies or can reasonably be linked to an individual.
- Student Data means Personal Data relating to a student that is submitted to dooMO by or for a K-12 school or district.
- Education Records has the meaning given under the Family Educational Rights and Privacy Act and its implementing regulations.
- Security Incident means a confirmed unauthorized access to or disclosure of Customer Data in Tributary's possession or control.
Roles
For Customer Data, Customer is the controller, business, educational agency, or equivalent data owner. Tributary acts as a processor, service provider, contractor, or equivalent service provider that processes Customer Data only to provide, maintain, secure, and support dooMO.
For school-district customers, when Tributary processes personally identifiable information from Education Records, Tributary acts as a "school official" performing an institutional service for which Customer would otherwise use employees, subject to Customer's direct control over the use and maintenance of such information. [counsel confirm FERPA wording]
Processing instructions
Customer instructs Tributary to process Customer Data only as necessary to provide dooMO, prevent or address security and operational issues, provide support, comply with law, and perform other processing described in the applicable agreement and Privacy Policy.
Tributary will not sell Customer Data, use Student Data for targeted advertising, build behavioral profiles unrelated to the service, or train machine-learning models on Customer Data unless a signed addendum expressly permits it.
FERPA and student data
dooMO is designed for authorized adult staff. Students should not be invited as users. Customer is responsible for configuring access, training users, and avoiding unnecessary student personally identifiable information in task descriptions, comments, photos, and attachments.
If Customer submits incidental Student Data to dooMO, Tributary will process it only for the contracted service purpose, will not redisclose it except to authorized subprocessors or as required by law, and will assist Customer with deletion, redaction, or export requests using available admin tools and support channels.
Subprocessors
Customer authorizes Tributary to use subprocessors listed on the Subprocessors page. Tributary remains responsible for subprocessor performance under this DPA and will require subprocessors to protect Customer Data under obligations materially consistent with this DPA.
Tributary will update the Subprocessors page before adding a new material subprocessor and will provide advance notice when required by a signed order form or district agreement.
Security measures
Tributary will maintain reasonable administrative, technical, and physical safeguards for Customer Data, including TLS encryption in transit, managed-provider encryption at rest, Firebase Authentication, role- and building-scoped access controls, backend authorization checks, deny-all client storage access with signed upload/download URLs, request IDs, diagnostics, and least-privilege operational access.
Customer is responsible for user access decisions, timely removal of users who no longer need access, device security for its users, and choosing appropriate content to submit to dooMO.
Security incidents
If Tributary confirms a Security Incident affecting Customer Data, Tributary will notify Customer without undue delay and, where required by contract or law, no later than [72 hours after confirmation]. Notice will describe the nature of the incident, affected data categories, known impact, mitigation steps, and recommended customer actions to the extent known at the time.
Deletion, return, and retention
During the subscription term, Customer may access and export data through available product features. After termination, Tributary will make Customer Data available for export or support-assisted retrieval for [30 days], then delete or de-identify Customer Data according to the Privacy Policy and backup schedule, unless retention is required by law, dispute resolution, security investigation, or accounting obligations.
Assistance and requests
Customer is responsible for responding to parent, student, employee, and data-subject requests about Customer Data. Tributary will reasonably assist Customer through dooMO admin tools and support channels. Users should first route organization-content requests through their organization administrator.
Audits and documentation
Tributary will provide reasonable security and privacy documentation needed for Customer procurement reviews. Customer may not perform invasive testing, production-system access reviews, or vulnerability scans without Tributary's prior written approval.
State addenda
State-specific student-data privacy terms may be added by order form or separate rider for jurisdictions where Customer requires them. Potential first-pass riders include California SOPIPA, New York Education Law 2-d, Illinois SOPPA, Texas student-data requirements, and Utah student-data requirements. [choose target states with counsel]
Contact
Privacy and DPA requests should be sent to support@doomotasks.com.