Common use of Appointment and Data Processing Clause in Contracts

Appointment and Data Processing. 2.1 Subject to the terms of the Agreement, the Company is the sole Data Controller of the Company Personal Data or has been instructed by and obtained the authorization of the relevant Controller(s) to enter into this DPA in the name and on behalf of such Controller(s). The Company is responsible for obtaining all the necessary authorizations and approvals to enter, use, provide, store and process Company Personal Data to enable Docebo to provide the Services. 2.2 The Company, as the Data Controller, hereby appoints Docebo as the Data Processor in respect of all processing operations required to be carried out by Docebo on Company Personal Data in order to provide the Services in accordance with the terms of the Agreement. 2.3 Docebo shall collect, retain, use, disclose, and otherwise Process the Company Personal Data only in accordance with the Company’s documented lawful instructions as set forth in the Agreement and this DPA, as necessary to comply with applicable Data Protection Laws, or as otherwise agreed in writing. The Parties agree that the Agreement sets out Company’s complete and final instructions to Docebo in relation to the processing of Company Personal Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. 2.4 Docebo shall process collected data only for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by LMS Platform users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Company where such instructions are consistent with the terms of the Agreement 2.5 If, at any time while the Agreement and this DPA are in force, the Company requires compliance by Docebo with any additional instructions regarding the Processing of Company Personal Data, any such additional instructions shall be subject to agreement by Docebo (and payment of any costs Docebo may incur in implementing such additional instructions) provided that if, for any reason, Docebo refuses to comply with any such additional instructions, then the Company may terminate the Agreement (and the DPA); provided that the Company shall not have any right to terminate the Agreement (and the DPA) where Docebo timely informs the Company, upon reasonable belief, that the Company’s instructions infringe Data Protection Laws, or other relevant law. 2.6 Docebo acknowledges that it has no right, title or interest in the Company’s Proprietary Information (including all intellectual property or proprietary information) and may not sell, rent or lease

Appointment and Data Processing. 2.1 Subject to the terms of the Agreement, the Company Customer is the sole Data Controller of the Company Customer Personal Data or has been instructed by and obtained the authorization of the relevant Data Controller(s) to enter into this DPA in the name and on behalf of such Data Controller(s). The Company Customer is responsible for obtaining all of the necessary authorizations and approvals to enter, use, provide, store store, and process Company Process Customer Personal Data to enable Docebo the Company to provide the Services. 2.2 . The CompanyCustomer, as the Data Controller, hereby appoints Docebo the Company as the Data Processor in respect of all processing Processing operations required to be carried out by Docebo the Company on Company Customer Personal Data in order to provide the Services in accordance with the terms of the Agreement. 2.3 Docebo 2.2 The Company shall collect, retain, use, disclose, and otherwise Process the Company Customer Personal Data only in accordance with the CompanyCustomer’s documented lawful instructions as set forth in the Agreement and in this DPA, as necessary to comply with applicable Data Protection Lawslaw, or as otherwise agreed in writing. The Parties agree that the Agreement sets out Companythe Customer’s complete and final instructions to Docebo the Company in relation to the processing Processing of Company Customer Personal Data, and processing Processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. 2.3 The Customer will not provide (or cause to be provided) any Sensitive Data to the Company for Processing under the Agreement, and the Company will have no liability whatsoever for Sensitive Data, whether in connection with a Data Breach or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data. 2.4 Docebo shall process collected data only The Customer represents and warrants that (a) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its Processing of Customer Personal Data and any Processing instructions it issues to the Company; and (b) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for the following purposes: (i) Company to Process Customer Personal Data for the purposes described in the Agreement. The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired the Customer Personal Data. 2.5 The Customer will ensure that the Company’s Processing of Customer Personal Data in accordance with the Agreement; (ii) Processing initiated by LMS Platform users Customer’s instructions will not cause the Company to violate any applicable law, regulation, or rule, including, without limitation, all Data Protection Laws. The Company shall immediately notify the Customer, where in their use its opinion an instruction of the Services; Customer infringes any Data Protection Laws and (iii) Processing request the Customer to comply with other documented reasonable instructions provided by Company where such instructions are consistent with withdraw, amend, or confirm the terms relevant instruction. Pending the decision on the withdrawal, amendment, or confirmation of the Agreement 2.5 If, at any time while the Agreement and this DPA are in forcerelevant instruction, the Company requires compliance by Docebo with any additional instructions regarding shall be entitled to suspend the implementation of the relevant instruction. 2.6 The subject matter, nature, purpose, and duration of the Processing of Company Customer Personal Data, any such additional instructions shall be subject as well as the types of Personal Data collected and categories of Data Subjects, are described in Annex B to agreement by Docebo (and payment of any costs Docebo may incur in implementing such additional instructions) provided that if, for any reason, Docebo refuses to comply with any such additional instructions, then the Company may terminate the Agreement (and the this DPA); provided that the . 2.7 The Company shall not have maintain complete, accurate, and up to date written records of all Processing activities carried out on behalf of the Customer containing information as required under any right to terminate the Agreement (and the DPA) where Docebo timely informs the Company, upon reasonable belief, that the Company’s instructions infringe applicable Data Protection Laws, or other relevant law. 2.6 Docebo 2.8 The Company acknowledges that it has no right, title title, or interest in the Company’s Proprietary Information (including all intellectual property or proprietary information) Customer Personal Data and may not sell, rent rent, or leaselease the Customer Personal Data to anyone.

Appointment and Data Processing. 2.1 Subject to the terms of the Agreement, the Company Customer is the sole Data Controller of the Company Personal Customer Data or has been instructed by and obtained the authorization of the relevant Data Controller(s) to enter into this DPA in the name and on behalf of such Data Controller(s). The Company Customer is responsible for obtaining all of the necessary authorizations and approvals to enter, use, provide, store store, and process Company Personal Process Customer Data to enable Docebo the Company to provide the Services. 2.2 . The CompanyCustomer, as the Data Controller, hereby appoints Docebo the Company as the Data Processor in respect of all processing Processing operations required to be carried out by Docebo the Company on Company Personal Customer Data in order to provide the Services in accordance with the terms of the Agreement. 2.3 Docebo 2.2 The Company shall collect, retain, use, disclose, and otherwise Process the Company Personal Customer Data only in accordance with the CompanyCustomer’s documented lawful instructions as set forth in the Agreement and in this DPA, as necessary to comply with applicable Data Protection Lawslaw, or as otherwise agreed in writing. The Parties agree that the Agreement sets out Companythe Customer’s complete and final instructions to Docebo the Company in relation to the processing Processing of Company Personal Customer Data, and processing Processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. 2.3 The Customer will not provide (or cause to be provided) any Sensitive Data to the Company for Processing under the Agreement, and the Company will have no liability whatsoever for Sensitive Data, whether in connection with a Data Breach or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data. 2.4 Docebo shall process collected data only The Customer represents and warrants that (a) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its Processing of Customer Data and any Processing instructions it issues to the Company; and (b) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for the following purposes: (i) Company to Process Customer Data for the purposes described in the Agreement. The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired the Customer Data. 2.5 The Customer will ensure that the Company’s Processing of Customer Data in accordance with the Agreement; (ii) Processing initiated by LMS Platform users Customer’s instructions will not cause the Company to violate any applicable law, regulation, or rule, including, without limitation, all Data Protection Laws. The Company shall immediately notify the Customer, where in their use its opinion an instruction of the Services; Customer infringes any Data Protection Laws and (iii) Processing request the Customer to comply with other documented reasonable instructions provided by Company where such instructions are consistent with withdraw, amend, or confirm the terms relevant instruction. Pending the decision on the withdrawal, amendment, or confirmation of the Agreement 2.5 If, at any time while the Agreement and this DPA are in forcerelevant instruction, the Company requires compliance by Docebo with any additional instructions regarding shall be entitled to suspend the implementation of the relevant instruction. 2.6 The subject matter, nature, purpose, and duration of the Processing of Company Personal Customer Data, any such additional instructions shall be subject as well as the types of Personal Data collected and categories of Data Subjects, are described in Annex B to agreement by Docebo (and payment of any costs Docebo may incur in implementing such additional instructions) provided that if, for any reason, Docebo refuses to comply with any such additional instructions, then the Company may terminate the Agreement (and the this DPA); provided that the . 2.7 The Company shall not have maintain complete, accurate, and up to date written records of all Processing activities carried out on behalf of the Customer containing information as required under any right to terminate the Agreement (and the DPA) where Docebo timely informs the Company, upon reasonable belief, that the Company’s instructions infringe applicable Data Protection Laws, or other relevant law. 2.6 Docebo 2.8 The Company acknowledges that it has no right, title title, or interest in the Company’s Proprietary Information (including all intellectual property or proprietary information) Customer Data and may not sell, rent rent, or leaselease the Customer Data to anyone.