AMENDMENT TO ADD THE MODEL CLAUSES DATA PROCESSING ADDENDUM Signature Page

New Attachment. The Model Clauses Data Processing Addendum (Reseller) attached hereto is added as new attachment to the Agreement.

Scope of Model Clauses Data Processing Addendum (Reseller). The Parties agree that the Model Clauses Data Processing Addendum (Reseller) applies only to the Processing of Personal Data by Salesforce in the course of providing the Resold Services. The Model Clauses Data Processing Addendum (Reseller) applies only to Personal Data that is transferred from the European Economic Area (EEA) to outside the EEA, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive), and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to Binding Corporate Rules for Processors.

Effect of Amendment. Subject to the above modifications, the Agreement remains in full force and effect.

Entire Agreement. The terms and conditions herein contained constitute the entire agreement between the Parties with respect to the subject matter of this Amendment and supersede any previous and contemporaneous agreements and understandings, whether oral or written, between the Parties hereto with respect to the subject matter hereof.

Counterparts. This Amendment may be executed in one or more counterparts, including facsimiles or scanned copies sent via email or otherwise, each of which will be deemed to be a duplicate original, but all of which, taken together, will be deemed to constitute a single instrument.

salesforce.com, inc., The Landmark, One Market, Suite 300, San Francisco, California 94105 USA, a company incorporated under the laws of the state of Delaware, USA (“Salesforce” or “Sub-Processor”);

(i) Salesforce.org, a nonprofit public benefit corporation having its principal place of business at 50 Fremont Street, Suite 300, San Francisco, California 94105, and (ii) solely for the purpose of meeting applicable requirements of Data Protection Laws, Salesforce.org EMEA Limited, (each the “Reseller” and each the “Processor” for purposes of this DPA)

Salesforce is a provider of enterprise cloud computing solutions and provides technology services to organizations (including the Pass-Through Customers).

Pursuant to EU Commission Decision 2010/87/EU, Reseller and the Pass-Through Customers may have entered into a data transfer agreement based on the Standard Contractual Clauses (“Data Transfer Agreement”) under which the Pass-Through Customers, as Controller, has agreed to transfer, and Reseller, as Processor, has agreed to receive, the Pass-Through Customers Personal Data intended for processing on the Pass-Through Customers’s behalf in accordance with the Data Transfer Agreement.

In accordance with Clause 11 of the Data Transfer Agreement and to safeguard the applicable Pass-Through Customers’s Personal Data (as defined below), the Parties have agreed to enter into this DPA.

For clarity, this DPA only applies to Pass-Through Customers Personal Data submitted to Salesforce’s systems by or for Pass-Through Customers as Customer Data (as defined in the Agreement) while such Customer Data is resident on Salesforce’s systems. The Pass-Through Customers Personal Data transferred will be processed under this DPA by Salesforce, Salesforce’s Affiliates (as defined in Clause 8 of this DPA) and non-Salesforce Affiliate sub-processors for the duration of the Agreement.

The headings used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA. All references in this DPA to “Clauses” or “Schedules” shall, unless otherwise provided, refer to Clauses hereof or Schedules to this DPA, respectively.

Capitalized terms not defined in this DPA shall have the meanings given to them in the Agreement.

The details of the processing are specified in Schedule 1, which forms an integral part of this DPA.

Application. This Model Clauses Data Processing Addendum (Reseller) applies only to the Processing of Personal Data by Salesforce in the course of providing the Resold Services. The Model Clauses Data Processing Addendum (Reseller) applies only to Personal Data that is transferred from the European Economic Area (EEA) to outside the EEA, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive), and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to Binding Corporate Rules for Processors.

The Sub-Processor agrees and warrants that it will:

process the Pass-Through Customers Personal Data only on behalf of the Pass-Through Customers and in compliance with Reseller’s (and/or Pass-Through Customers’s) instructions, including but not limited to the Agreement and this DPA; if it cannot provide such compliance for whatever reasons, it agrees to promptly inform Reseller of its inability to comply, in which case Reseller is entitled to suspend the processing of the Pass-Through Customers Personal Data permitted pursuant to the Agreement and/or terminate the DPA;

process Pass-Through Customers Personal Data on behalf of and in accordance with Reseller and/or Pass-Through Customers’s, as the case may be, instructions as set forth in the Agreement and this DPA. Reseller and Pass-Through Customers instruct Sub-Processor to Process Pass-Through Customers Personal Data for the following purposes: (a) processing in accordance with the Agreement and applicable Service Order(s); and (b) processing initiated by the Pass-Through Customers’s Users (as defined in the Agreement). For clarity, as set forth in the Agreement, the Sub-Processor shall not disclose Pass-Through Customers Personal Data except as expressly permitted in writing by the Pass-Through Customers (or Reseller on Pass-Through Customers’s behalf) or where required by law, in which case to the extent permitted by law, the Sub-Processor shall provide the Reseller and/or Pass-Through Customers with prior notice of any such compelled disclosure;

it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from Reseller (and/or Pass-Through Customers) and its obligations under this DPA; in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this DPA, it will promptly notify the change to Reseller as soon as it is aware, in which case Reseller is entitled to suspend the processing of the Pass-Through Customers Personal Data permitted pursuant to the Agreement and/or terminate the DPA;

it has implemented the Technical and Organizational Security Measures specified in Schedule 2 before processing the Pass-Through Customers Personal Data;

it will promptly notify Reseller about:

any legally binding request for disclosure of the Pass-Through Customers Personal Data by a law enforcement authority or administrative or court order unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

any accidental or unauthorized access to, or use of disclosure of the Pass-Through Customers Personal Data; and

any request received directly from the Data Subjects, without responding to that request, unless it has been otherwise authorized to do so;

it will deal promptly and properly with all inquiries from Reseller relating to its processing of the Pass-Through Customers Personal Data and to abide by the advice of the Supervisory

Audit Report. Sub-Processor uses external auditors to verify the adequacy of its Technical and Organizational Security Measures, including the physical security of the data centers from which Sub-Processor provides the Resold Services. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent, third-party security inspection professional(s) in possession of professional qualifications and bound by a duty of confidentiality to Salesforce, at Sub-Processor’s selection and expense; (d) will result in the generation of an audit report (“Audit Report”) (e.g. in a Service Organization Controls 2 (SOC-2) report or its equivalent); and (e) may be performed for other purposes in addition to satisfying this Clause 4.2.1 (e.g. as part of Sub-Processor’s regular internal security procedures or to satisfy other contractual obligations).

On-Site Audit Right. In addition, subject to the restrictions in Clause 4.2.3 below, Sub-Processor shall allow Reseller to audit Sub-Processor, or an Salesforce Affiliate engaged in the Processing of Personal Data, for compliance with the Technical and Organizational Security Measures set forth in Schedule 2 of this DPA in the following limited circumstances:

Following any notice from Sub-Processor to Reseller of an actual or reasonably suspected unauthorized disclosure of Pass-Through Customers Personal Data submitted to the Resold Services, Reseller shall have the right to conduct, with reasonable prior written notice, either itself or through a third-party independent contractor selected by Reseller at Reseller’s expense, an on-site audit of Sub-Processor’s or the applicable Salesforce Affiliate’s systems, policies and procedures relevant to the security and integrity of Pass-Through Customers Personal Data submitted to the Resold Services; and

Reseller may conduct, either itself or through a third-party independent contractor selected by Reseller at Reseller’s expense, an on-site audit of Sub-Processor’s or the applicable Salesforce Affiliate’s systems, policies and procedures relevant to the security and integrity of Pass-Through Customers Personal Data submitted to the Resold Services, provided that such audit may be conducted only one time per year, with at least three week’s advance written request.

On-Site Audit Restrictions. The audit rights set forth in Clause 4.2.2 above are subject to the following restrictions:

Reseller must promptly provide Sub-Processor with information regarding any non-compliance discovered during the course of an audit.

Audits shall be conducted during reasonable times and shall be of reasonable duration and shall not unreasonably interfere with Sub-Processor’s day-to-day operations. In the event that Reseller conducts an audit through a third-party independent contractor, such independent contractor shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Sub-Processor’s proprietary information. Additionally, such independent contractor must not be a competitor of Sub-Processor.

If an audit requires the equivalent of more than one business day of time expended by Sub-Processor or a Sub-Processor Affiliate employee, Reseller agrees to reimburse Sub-Processor for any additional time expended at Sub-Processor’s then current professional services rates. Reseller may share a summary of the results of its audit or inspection with a Pass-Through Customers, provided that prior to sharing such summary, the Pass-Through Customers has entered into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Sub-Processor’s proprietary information.

The Sub-Processor agrees that it shall maintain the Pass-Through Customers Personal Data in confidence. In particular, the Sub-Processor agrees that, except with the prior written consent of Reseller and/or the Pass-Through Customers, it shall not make any use of any Customer Personal Data otherwise than in connection with the provision of the Resold Services and, subject to Clause 4.1(ii), shall not disclose any Customer Personal Data to any third-party.

The Sub-Processor agrees and acknowledges that Reseller may make available a copy of this DPA to the Pass-Through Customers or the Supervisory Authority for informational purposes; however Reseller shall remove any commercial information contained in this DPA. For the avoidance of doubt, this DPA is Confidential Information (as defined in the Agreement).

The Sub-Processor further agrees and acknowledges that Reseller may make available to the Data Subject for informational purposes, on request, a copy of this DPA; however Reseller shall remove any commercial information contained in this DPA, with the exception of Schedule 2, which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Customer. For the avoidance of doubt, this DPA is Confidential Information (as defined in the Agreement).

The Parties agree that the Supervisory Authority has the right to conduct an audit of the Sub-Processor, which has the same scope and is subject to the same conditions as would apply to an audit of the Pass-Through Customers under the data protection laws applicable to the Pass-Through Customers.

The Sub-Processor shall promptly inform Reseller about the existence of legislation applicable to it preventing the conduct of an audit of the Sub-Processor pursuant to Clause 6.1, in which case

The Data Subject can enforce against the Sub-Processor this Clause 7.1, Clause 7.2 and 7.3, Clause 4.1 (i)-(vi), Clause 5.3, Clause 6.1 Clause 8, Clause 9.2 and 9.3, Clause 10, Clause 12.2 and Clause 13 as a third party beneficiary.

If a Data Subject, who has suffered damage as a result of any breach by the Sub-Processor of any of its obligations under this DPA, is not able to bring a claim against the Pass-Through Customers or Reseller arising out of such breach because both the Pass-Through Customers and Reseller have factually disappeared or ceased to exist in law or have become insolvent, the Sub-Processor agrees that the Data Subject may issue a claim against the Sub-Processor with regard to its own processing operations under this DPA as if it were the Pass-Through Customers or Reseller (unless any successor entity has assumed the entire legal obligations of the Pass-Through Customers or Reseller by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity). The liability of the Sub-Processor to the Data Subject as described in this Clause 7.2 shall be limited to its own processing operations under this DPA.

The Parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.

Pursuant to Clause 5(h) of the Data Transfer Agreement, Reseller acknowledges and expressly agrees that Sub-Processor is entitled to retain its Affiliates (“Salesforce Affiliates”) as further sub-processors for Sub-Processor and that Sub-Processor or Salesforce Affiliates respectively may engage third-party service providers as sub-processors that may provide customer support, including processing of Pass-Through Customers Personal Data, in connection with the Resold Services.

Sub-processors. Salesforce shall make available to Reseller a current list of sub-processors for the Resold Services with the identities of those Sub-processors (“Sub-processor List”). Salesforce shall provide Reseller with a mechanism to subscribe to updates to the Sub-processor List and shall provide such updates before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Resold Services.

Objection Right for new Sub-processors.  If Reseller has a reasonable basis to object to Salesforce’s use of a new Sub-processor, Reseller shall notify Salesforce promptly in writing within 10 business days after receipt of Salesforce’s notice.

All sub-processors will be subject to data protection obligations at least equivalent to those contained in this DPA under a written agreement, and such sub-processors shall be obliged to comply with applicable Data Protection Laws and Regulations. Where the sub-processor fails to fulfil its data protection obligations under such written agreement Salesforce shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.

Sub-Processor shall audit third-party sub-processors that are not Salesforce Affiliates at least once per year to ensure they have appropriate physical, technical, organizational, and administrative controls in place. Upon Reseller’s reasonable request at reasonable intervals, Salesforce shall provide Reseller with an executive summary of the most recent audits of such third-party sub-processors. Salesforce Affiliates that are sub-processors are audited at least once per year pursuant to salesforce.com, inc.’s ISO 27001 certification.

Upon Reseller’s request, Salesforce agrees to promptly make available to Reseller a copy of an applicable sub-processor data processing agreement executed in relation to this DPA, provided that Salesforce may remove any commercial information contained in such agreement. Reseller may make available a summary of the agreement, or the agreement if required, to the Pass-Through Customers provided that such summary, or the agreement if required, is treated as Confidential Information, including that the Pass-Through Customers has entered into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Salesforce’s Confidential Information.

This DPA shall continue in full force and effect until the Agreement has been terminated or expires, it being understood, however, that the Sub-Processor's provision of data-processing services for the Pass-Through Customers pursuant to its obligations under the Agreement shall be terminated upon instruction of Reseller or upon termination of the processing of Pass-Through Customers Personal Data by Reseller for the Pass-Through Customers pursuant to the Data Transfer Agreement.

Upon request by Pass-Through Customers made within 30 days following termination of the provision of data-processing services for the Pass-Through Customers, the Sub-Processor will return all Pass-Through Customers Personal Data to Pass-Through Customers, unless prohibited from returning or destroying all or part of the Pass-Through Customers Personal Data by applicable law, including, but not limited to, a litigation hold, or unless otherwise required by an agreement between Pass-Through Customers and Sub-Processor. In that case the Sub-Processor warrants that it will guarantee the confidentiality of the Pass-Through Customers Personal Data and will not actively process the Pass-Through Customers Personal Data anymore except as required by applicable law or permitted by the applicable agreement between Pass-Through Customers and Sub-Processor.

The Pass-Through Customers Personal Data is destroyed through an automated technical process. This process is audited according to Clause 4.2.

Subject to Clause 12.2 below, this DPA shall be governed by, and construed in accordance with the laws of California. The state and federal Courts of the City and County of San Francisco, California shall have the non-exclusive jurisdiction to hear and determine any suit, action or proceedings relating to or arising in connection with this DPA.

The provisions of this DPA relating to data protection aspects of processing of Pass-Through Customers Personal Data shall exclusively be governed by the law of the Member State in which the Pass-Through Customers is established.

The Sub-Processor agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under this DPA, the Sub-Processor will accept the decision of the Data Subject:

to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority; or

to refer the dispute to the courts in the Member State in which the Pass-Through Customers is established.

The Parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

prospects, customers, business partners and vendors of Pass-Through Customers (who are natural persons)

employees or contact persons of Pass-Through Customers's prospects, customers, business partners and vendors

employees, agents, advisors and freelancers of Pass-Through Customers (who are natural persons)

users of Pass-Through Customers authorized by Pass-Through Customers to use the Resold Services

Access control to premises and facilities to prevent unauthorized persons from gaining access to data processing systems for processing or using Personal Data, Salesforce’s production data centers have an access system that controls access to the data center. This system permits only authorized personnel to have access to secure areas. The facility is secured by around-the-clock guards, biometric access screening, and escort-controlled access.

Access control to systems to prevent data processing systems from being used without authorization.

Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.

User passwords are stored using a one-way hashing algorithm (SHA-256) and are never transmitted unencrypted.

Access to the Resold Services require a valid User ID and password combination, which are encrypted via SSL while in transmission. Following a successful authentication, a random session ID is generated and stored in the User’s browser to preserve and track session state.

Controls to ensure generated initial passwords must be reset on first use.

Controls to revoke access after several consecutive failed login attempts.

Controls on the number of invalid login requests before locking out a User.

Controls to force a User password to expire after a period of use.

Controls to terminate a User session after a period of inactivity.

Password history controls to limit password reuse.

Password length controls

Password complexity requirement (requires letters and numbers).

Verification question before resetting password.

The ability to accept logins to the Resold Services from only certain IP address ranges.

The ability to restrict logins to the Resold Services to specific time periods (Developer Edition, Enterprise Edition, and Unlimited Edition only).

Ability to delegate user authentication or federate authentication via SAML.

Access control to data to ensure that persons authorized to use a data processing system have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered, or removed without authorization during use and after recording.

Reseller and/or Pass-Through Customers may implement a granular sharing model and User permission profiles to limit data accessible to different Users.

Reseller and/or Pass-Through Customers, as applicable, may create custom fields that are encrypted at rest and are only visible to Users that have been granted the “View Encrypted Data” permission by Reseller or Pass-Through Customers’s, as applicable, designated system administrators.

Disclosure control to ensure that Personal Data cannot be read, copied, altered, or removed without authorization during electronic transfer or transfer or transport or while being recorded onto data storage media, and that it is possible to check and establish to which parties Personal Data are to be transferred by means of data transmission facilities.

Salesforce uses industry accepted encryption products to protect Customer Data and communications during transmissions between Reseller and/or Pass-Through Customers’s network and the Reseller Services, including minimum 128-bit VeriSign SSL Certification and minimum 2048-bit RSA public keys.

Input control to ensure that it is possible to after-the-fact check and establish whether Personal Data has been entered into, altered, or removed from data processing systems, and if so, by whom.

User access log entries will be maintained, containing date, time, User ID, URL executed or entity ID operated on, operation performed (viewed, edited, etc.) and source IP address. Note that source IP address might not be available if NAT (Network Access Translation) or PAT (Port Address Translation) is used by Reseller and/or Pass-Through Customers or its ISP.

If there is a suspicion of inappropriate access, Salesforce can provide Reseller log entry records to assist in forensic analysis. This service will be provided to Reseller on a time and materials basis.

Certain administrative changes to the Resold Services (such as password changes and adding custom fields) are tracked in an area known as the “Setup Audit Log” and are available for viewing by Pass-Through Customers’s designated system administrator(s). Pass-Through Customers may download and store this data locally.

Successful and failed login attempts for Pass-Through Customers’s instance(s) of the Services are tracked in an area known as the “Login History” and are available for viewing by Pass-Through Customers’s designated system administrator(s). Pass-Through Customers may download and store this data locally.

Pass-Through Customers may implement functionality known as “Set History Tracking” to track the history of specific objects or fields within the Customer’s instance(s) of the Resold Services. All entries include the date, time, nature of the change, and the User who made the change.

Job control to ensure that personal data processed on behalf of others are processed strictly in compliance with the Data Controller’s instructions.

As set forth in the DPA, Salesforce shall process Personal Data in accordance with the instructions of Reseller and/or Pass-Through Customers, including to provide the Resold Services as set forth in the Agreement and as instructed by Users in their use of the Resold Services.

Availability control to ensure that Personal Data are protected against accidental destruction or loss.

Disaster recovery. Salesforce can utilize disaster recovery facilities that are geographically remote from primary data centers, along with required hardware, software, and Internet connectivity, in the event Salesforce production facilities at the primary data center were to be rendered unavailable. Salesforce has disaster recovery plans in place and tests them at least once per year. Salesforce will discuss results of these tests with Reseller on request.

Reliability and Backup. All networking components, SSL accelerators, load balancers, Web servers, and application servers are configured in a redundant configuration. All Customer Data is stored on a primary database server that is clustered with a backup database server for redundancy. All Customer Data is stored on carrier-class disk storage RAID disks and multiple data paths. All Customer Data, up to the last committed transaction, is automatically backed up on a regular basis. Any backup tapes are verified for integrity stored in an offsite facility in a secure, fire-resistant location.

Viruses. The Resold Services will not introduce any viruses to Reseller’s systems; however, the Resold Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into the Resold Services by Reseller and/or Pass-Through Customers. Any such uploaded attachments will not be executed in the Resold Services and therefore will not damage or compromise the Resold Services.

Segregation control to ensure that data collected for different purposes can be processed separately.

Strong logical separation of Customer Data, which is achieved via Reseller and/or Pass-Through Customers-specific “Organization IDs” that permit only Users to view related Customer Data.

Pass-Through Customers may implement a granular sharing model and User permission profiles to limit data accessible to different Users.