Mutual Partnership Data Processing Agreement
Gusto, Inc. ("Gusto") and partner ("Partner") (each a "Party" and collectively the "Parties") have entered into a Partnership Agreement for the purpose of sharing customer lead information and related data in exchange for certain consideration as specified in the Partnership Agreement. This Mutual Partnership Data Processing Agreement ("MPDPA") forms part of and is subject to the terms and conditions of the Partnership Agreement. The Partnership Agreement and this MPDPA are collectively referred to as the "Agreement."
1. Subject Matter and Duration
a) Subject Matter. This MPDPA reflects the Parties' commitment to abide by Data Protection Laws concerning the Processing of Shared Personal Data in connection with the Parties' partnership data sharing relationship. All capitalized terms that are not expressly defined in this MPDPA will have the meanings given to them in the Partnership Agreement. If and to the extent language in this MPDPA conflicts with the Partnership Agreement, this MPDPA shall control.
b) Duration and Survival. This MPDPA becomes legally binding when the Parties execute a Partnership Agreement containing the following reference: "The Parties agree to comply with the Mutual Partnership Data Processing Agreement located at https://gusto.com/legal/terms/mpdpa ("MPDPA"), which is hereby incorporated by reference." By including such URL reference in their Partnership Agreement, both Parties acknowledge they have reviewed this MPDPA and agree to be bound by all terms herein with the same legal effect as bilateral execution.
c) Partnership Agreement Integration.
i) Relationship to Partnership Agreement. This MPDPA supplements and does not replace the Partnership Agreement. Commercial terms, revenue sharing, and general business obligations remain governed by the Partnership Agreement.
ii) Precedence. For matters specifically related to personal data processing, this MPDPA takes precedence over conflicting provisions in the Partnership Agreement.
iii) Definitions. Terms defined in the Partnership Agreement apply to this MPDPA unless specifically redefined herein.
2. Definitions
a) "Shared Personal Data" means Personal Data shared between the Parties pursuant to this partnership arrangement, including customer identifiers, names, entity types, email addresses, usage metrics, and financial data as specified in Section 3.
b) "Data Protection Laws" means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Shared Personal Data are subject, including but not limited to the EU General Data Protection Regulation 2016/679 ("GDPR"), the California Consumer Privacy Act of 2018 ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Connecticut's Act Concerning Data Privacy and Online Monitoring, and the Utah Consumer Privacy Act.
c) "Personal Data" has the meaning assigned to the terms "personal data" or "personal information" under applicable Data Protection Laws, and will, at a minimum, mean any information relating to an identified or identifiable natural person.
d) "Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
e) "Security Incident(s)" or "Security Breach(es)" means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Shared Personal Data, including ransomware, denial of service attacks and other similar security events.
3. Data Sharing Specifications
a) Categories of Shared Personal Data. The Parties will share the following categories of Personal Data:
- Lead Data Sharing: The Parties will share the following category of Personal Data pursuant to the Partnership Agreement:
- Company Data (as more specifically described at: https://docs.gusto.com/app-integrations/reference/post-v1-provision)
- Expanded Data Sharing via API Integration: To the extent that, pursuant to the Partnership Agreement, Partner builds an API integration that enables the processing of Personal Data beyond the sharing of customer lead information, the Parties will share the following categories of Personal Data (as more specifically described at: https://docs.gusto.com/app-integrations/reference/get-v1-token-info):
- Benefits Data
- Company Bank Account Data
- Company Data
- Employee Bank Account Data
- Employee Data
- Payment Data
- Run Payroll Data
- Tax Data
- Team Data
These categories correspond to "Customer Data" as defined in the Partnership Agreement when such data contains personal information.
b) Purpose and Lawful Basis. Each Party processes Shared Personal Data as an independent controller for: (i) partnership program health monitoring and marketing purposes; (ii) accounting and revenue share reconciliation; and (iii) operational partnership management. The lawful basis for processing includes legitimate business interests, contractual necessity, and consent.
4. Mutual Processing Obligations
a) Documented Instructions. Each Party shall Process Shared Personal Data solely for the purposes specified in the Partnership Agreement, in accordance with this MPDPA and Data Protection Laws. Each Party will promptly inform the other in writing if it: (i) reasonably believes there is a conflict between the other Party's data sharing practices and applicable law; (ii) seeks to Process Shared Personal Data inconsistently with this MPDPA; or (iii) determines it can no longer meet its obligations under this MPDPA.
b) Confidentiality. Any person authorized to Process Shared Personal Data must contractually agree to maintain confidentiality or be under an appropriate statutory obligation of confidentiality.
c) Data Subject Rights. Each Party agrees to provide reasonable assistance to the other related to requests from individuals exercising their rights in Shared Personal Data under Data Protection Laws. If a request is sent directly to one Party regarding data originally provided by the other Party, the receiving Party shall promptly notify the originating Party within five (5) days and coordinate the response. The originating Party shall provide necessary information within fifteen (15) days of notification to enable timely response to data subject requests within applicable legal deadlines.
d) Prohibited Uses. Each Party shall not:
- Sell or share Shared Personal Data as defined by the CCPA or other Data Protection Laws
- Attempt to identify any person using de-identified or aggregate information
- Use Shared Personal Data for purposes beyond those specified in the Partnership Agreement
5. Information Security Program
a) Security Measures. Each Party shall implement and maintain reasonable administrative, technical, and physical safeguards that protect Shared Personal Data, including:
- Encryption of Shared Personal Data in transit and at rest
- Ensuring ongoing confidentiality, integrity, and availability of Processing systems
- Regular testing and evaluation of security effectiveness
- Access controls limiting data access to authorized personnel only
b) Minimum Security Standards. Each Party agrees to maintain security measures substantially equivalent to those specified in Exhibit A, and the comprehensive industry standard controls required under Section 6.E of the Partnership Agreement (including but not limited to applicable administrative, technical (e.g., NIST, ISO 27001, SOC 2) and physical safeguards), as measured by industry-standard security frameworks such as SOC 2 Type II or ISO 27001.
c) Subprocessors. Each Party may engage subprocessors to process Shared Personal Data on its behalf, provided that:
(i) such subprocessors are subject to written agreements imposing data protection obligations substantially equivalent to those set forth in this MPDPA; and
(ii) each Party remains fully liable for the acts and omissions of its subprocessors relating to Shared Personal Data to the same extent as if such acts or omissions were its own.
6. Security Incidents
a) Incident Response. Each Party will maintain policies and procedures to detect, respond to, and address Security Incidents, including procedures to identify, respond to, mitigate, document, and restore availability of Shared Personal Data.
b) Notification. Each Party agrees to provide written notice without undue delay (but no longer than five (5) business days) to the other Party's Designated POC upon becoming aware of a Security Incident. Such notice will include all available details required under Data Protection Laws, with updated information provided as it becomes available.
c) Cooperation. Each Party shall cooperate in investigating, remediating, and responding to Security Incidents affecting Shared Personal Data, including coordinating breach notifications to regulatory authorities and affected individuals as required by law.
7. Cross-Border Transfers
a) International Transfers. Each Party authorizes the other to transfer Shared Personal Data across international borders, provided such transfers comply with Data Protection Laws.
b) Transfer Mechanisms. For transfers of Shared Personal Data originating in the European Economic Area, Switzerland, and/or United Kingdom to countries without adequacy decisions, the Parties agree that the European Commission's Standard Contractual Clauses as most recently adopted, or other transfer mechanisms approved under applicable Data Protection Laws will apply.
8. Data Retention and Deletion
a) Retention Period. Each Party will retain Shared Personal Data only as long as necessary for the purposes specified in the Partnership Agreement, or as required by applicable law, whichever is longer.
b) Data Deletion. Upon termination of the Agreement, each Party will:
- Within 30 calendar days, securely destroy all copies of Shared Personal Data received from the other Party, except for any data that has become that Party's own Customer Data pursuant to the Partnership Agreement because the relevant data subject has become a customer of that Party
- Dispose of data using methods that prevent recovery in accordance with industry best practices
- Provide a Certificate of Deletion upon request within 30 days, which shall confirm: (A) the date of deletion; (B) the method used for deletion; (C) that no copies remain in any system, backup, or archive; and (D) the identity of the person certifying the deletion.
9. Audit Rights
a) Mutual Audit Rights. Each Party may audit the other Party's compliance with this MPDPA, subject to: (i) at least thirty (30) days' advance written notice; (ii) conduct during regular business hours; (iii) minimal disruption to operations; (iv) appropriate confidentiality procedures; (v) limitation to once per calendar year unless required by regulatory authorities; and (vi) each Party bearing its own audit costs unless material non-compliance is discovered. For purposes of this section, "material non-compliance" means violations that create substantial risk of regulatory penalties or data subject harm.
10. Liability and Indemnification
a) Mutual Indemnification. Each Party shall indemnify, defend, and hold harmless the other Party from claims arising out of: (i) Security Incidents caused by the indemnifying Party, consistent with any indemnification obligations in the Partnership Agreement; (ii) the indemnifying Party's material breach of this MPDPA; or (iii) the indemnifying Party's material violation of Data Protection Laws in connection with Shared Personal Data, subject to the liability limitations set forth in the Partnership Agreement.
b) Liability Limitations. Each Party's total liability arising out of or relating to this MPDPA, whether in contract, tort, or otherwise, shall be subject to the liability limitations, caps, and exclusions set forth in the Partnership Agreement, including any applicable exclusions for Security Incidents set forth therein.
c) Carve-outs. Notwithstanding the liability limitations in subsections (a) and (b), such limitations shall not apply to:
i) Willful misconduct or criminal acts;
ii) Security Incidents caused by material failures to maintain the security requirements in Section 5; or
iii) Material violations of the prohibited uses in Section 4(d).
11. Contact Information
a) Designated Points of Contact:
- Gusto: Legal Privacy, 525 20th St. San Francisco, CA 94107, [email protected]
- Partner: As specified in the Partnership Agreement or updated in writing
b) MPDPA Updates: Material changes to this MPDPA will be posted at https://gusto.com/legal/terms/mpdpa with 30 days' advance notice to all Partners via email. Partners may either: (i) accept updates by continuing data sharing after the notice period, or (ii) request bilateral negotiation of the changes within the 30-day notice period. If no response is received within 30 days, continued data sharing constitutes acceptance of updates.
c) Update Disagreements: If a Partner objects to material MPDPA updates and the Parties cannot reach agreement within 60 days of the initial notice, either Party may terminate the data sharing relationship under this MPDPA with 30 days' written notice, without penalty or breach of the underlying Partnership Agreement.
d) Version Information: Current Version 1.1 - Effective Date: October 1, 2025
EXHIBIT A - SECURITY REQUIREMENTS
Based on industry-standard security practices, each party agrees to maintain security measures substantially equivalent to the following requirements:
a) Encryption: Commercially reasonable encryption for data in transit and whole disk encryption for data at rest, with established key management procedures.
b) Storage: Physically and logically secure environments with hardened, continuously monitored platforms.
c) Access Controls: Role-based access restrictions with regular access reviews and privileged user monitoring.
d) Vulnerability Management: Regular vulnerability assessments and timely application of security patches using risk-based prioritization.
e) Audit Logging: Comprehensive logging of access activities with daily review and intrusion detection capabilities.
f) Risk Assessments: Annual formal risk assessments and independent third-party security reviews.
g) Physical Security: Appropriate physical controls for facilities processing Shared Personal Data.
h) Disaster Recovery: Documented disaster recovery plans with annual testing affecting shared data systems.