Legal and Privacy

Privacy Policy

Last Revision: April 2021

Centro, LLC and its affiliates (“Centro“, “we” or “us“) is committed to protecting the privacy of the users of its website at the address https://www.centro.rocks or any other website managed and controlled by Centro(the “Site“) and its online products, including the Centro and Grok™ service (each a “Service” and collectively the “Services“).A User may be either an entity which executed an agreement with Centro or with Centro’s resellers or distributors who provide Centro’s Services (“Customer“) or Customer’s users of the Services (“EndUser(s)“) or visitors of the Site (collectively “Users” or “you“).This Policy explains the types of information we may collect from you or that you may provide when you visit the Site or use the Services and our practices for collecting, using, maintaining, protecting, and disclosing that information, as well as your rights in determining what we do with the information that we collect and hold about you. GENERAL (THIS SECTION APPLIES FOR ALL SERVICES)
Please refer to the specific Section(s) about the Site or Services you use or plan to use for a complete review of the relevant practices. 
A.    CONSENT AND PRINCIPALS OF PROCESSING DATA
Centro processes data fairly, lawfully, in a transparent manner and in accordance with individuals’ rights(as applicable). The use of information collected through our Services shall be limited to the purpose of providing the service for which our Client has engaged Centro or, if collected through the website or other marketing means, to Centro’s legitimate interests, where we have considered these are not overridden by your rights.Centro may process data of an End User on behalf of the Controller when the Controller obtains consent from an End User or when there is another basis for doing so under applicable law. For purposes of this Privacy Policy, a Controller may mean a Customer or anyone acting a Customer’s behalf or, Centro (only in connection with information provided to it through the website or for marketing purposes). (the “Controller”), Customers who cause Centro to process Personal Information of an End User are obligated to hold all appropriate consents (if applicable) and may only utilize the Services pursuant to applicable law. We may transfer Personal Information between Controlling entities (Salesforce, Slack, and/or Gmail) that help us provide our Services. Transfers to subsequent third parties are covered by the service agreements with our Customers (the Controller). Furthermore, Centro supports End Users’ rights under certain laws, to retrieve any information retained on our servers which relates to such End User. Centro acknowledges that you may have the right to access your Personal Information. We have processes in place to accommodate an End User’s rights to delete data, amend erroneous data, access data and receive PersonalData or Sensitive Data in a machine readable commonly used format, all subject to reasonable technical restrains and abilities. For more information, please see the Section “Modification or Deletion of Data” under the applicable Site or Service Section. Centro will never discriminate against any person based on his/hers exercising of their rights hereunder.Personal Information or Personal Data is information by which an individual may be personally identified, including name, address, e-mail address, telephone number or any other information that is defined as Personal Information, Personal Data, or Personally IdentifiableInformation under an applicable law (hereinafter referred to as “Personal Information”)Users are not obligated to provide us with any information by law. However, we require certain information in order to operate properly. Under some jurisdictions (such as under certain applicable E.U. legal frameworks or California Laws), a User has a right to withdraw its consent at any time and in some cases (subject to applicable laws) to request cessation of any collection of Personal Information. In such a case, the withdrawal will not affect the lawfulness of processing based on consent before its withdrawal but certain services may not function without certain information provided.Please note that consent for the gathering and processing of data for one Service does not automatically mean that a User consents to the processing of data in connection with other Services.Controller should always make sure that the User’s consent is relevant, clear, valid, and to the extent reasonably possible, not “bundled” with any other written agreement (especially if required under applicable laws), unambiguous and if required under applicable law, affirmative and active (meaning not by virtue of any inaction).Centro aims to process only adequate, accurate and relevant data limited to the needs and purposes for which it is gathered.It also aims to store data for the time period necessary to fulfill the purpose for which the data is gathered. Centro only collects data in connection with a specific legitimate purpose and only processes data in accordance with this Privacy Policy. 
B.    MINORS
We do not knowingly collect or solicit information or data from children under the age of 18 or knowingly allow children under the age of 18 to register for the Centro Service. If you are under 18, do not register or attempt to register for any of the Centro Service or send any information about yourself to us. If we learn that we have collected or have been sent Personal Information or Personal Data from a child under the age of 18, we reserve the right to delete that Personal Information or Personal Data as soon as reasonably practicable. If you believe that we might have collected or been sent information from a child under the age of 18, please contact legal@Centro.rocks as soon as possible. 
C.    INFORMATION SECURITY
We take great care in implementing, enforcing and maintaining the security of our Services, Site and Users’ information. Centro implements, enforces and maintains security policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of Personal Information or Personal Data and to monitor compliance of such policies on an ongoing basis. The information is hosted on the AmazonCloud in the United States which provides advanced security features and is compliant with the ISO 27001 standard. All information is stored with logical separation from information of other Customers. However, we do not guarantee that unauthorized access will never occur.We use a combination of processes, technology and physical security controls to help protect Personal Information andPersonal Data from unauthorized access, use, or disclosure. When PersonalInformation or Personal Data is transferred over the Internet, we encrypt it using Transfer Layer Security (TLS) encryption technology or similar technology. Each server is protected by a firewall, exposing it only to the minimum ports necessary. However, no security controls are 100% effective, and we cannot completely ensure or warrant the security of your PersonalInformation.Unless otherwise agreed with the Customer and subject to applicable law, Centro shall act in accordance with its policies to promptly notify Customer in the event that any Personal Information or PersonalData processed by Centro on behalf of a Customer is lost, stolen, or where there has been any unauthorized access to it.Centro may share and use your personal information with third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the Centro Service. Where practical, we seek to obtain confidentiality agreements that are consistent with this Privacy Policy and that limit others’ use or disclosure of your Personal Information and PersonalInformation.                             
D.    CHANGES TO THE PRIVACY POLICY
The terms of this Privacy Policy will govern the use of the Site and Service and any information collected in connection therewith, however, Centro may amend or update this Privacy Policy from time to time. The most current version of this Privacy Policy will always be posted at https://www.Centro.rocks/privacy. We will endeavor to provide notice of material changes to this policy on the homepage of the Site and/or via an e-mail. Such material changes will take effect thirty (30) days after such notice was provided on ourSite or sent by email. Otherwise, all other changes to this Privacy Policy are effective as of the stated “Last Revised” date and your continued use of the Site and/or Services will constitute your written acceptance of, and agreement to be bound by, the changes to the Privacy Policy. 
E.    EU-US PRIVACY SHIELD AND SWISS-U.S.PRIVACY SHIELD
Centro, LLC. participate in and have certified their compliance with the E.U.-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.  Centro,LLC. remains committed to subjecting all personal data received from EuropeanUnion (E.U.) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, and to view our certification, visit the U.S. Department of Commerce’sPrivacy Shield List. https://www.privacyshield.gov/list. Centro LLC. is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Centro, Inc. remains compliant with the Privacy Shield Principles for all onward transfers of personal data from the E.U. and Switzerland, including the onward transfer liability provisions.With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Centro may be subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.  In certain situations, Centro may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.You can direct any questions or complaints about the use or disclosure of your E.U. Personal Data to legal@Centro.rocks. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your E.U. Personal Data within 45 days of receiving your complaint.If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. 
F.    QUESTIONS, CONTACT INFORMATION AND COMPLAINTS
If you have any questions (or comments)concerning this Privacy Policy, you are welcome to send us an email or otherwise contact us at the following address and we will make an effort to reply within a reasonable timeframe.E.U. citizens have the right to lodge a complaint with a supervisory authority (Data Protection Authority in your jurisdiction) in case of a breach of any E.U. data protection and privacy regulations.If the supervisory authority fails to deal with a complaint or inform you within the time frame set under applicable law, you have the right to an effective judicial remedy. Please do not hesitate to contact us:
legal@Centro.rocks 

Centro, LLC.
1495 Canyon Blvd
LL 26
Boulder, CO 80302
USA 

Data Privacy Agreement (DPA)

Last Revision: April 2021

THIS DATA PROCESSING AGREEMENT (“DPA”) BETWEEN THE CENTRO LEGAL ENTITY SIGNING AN ORDER FORM ANDITS AFFILIATES (COLLECTIVELY, “CENTRO”, “COMPANY”, “WE”, “US” or “PROCESSOR”) AND THE INDIVIDUAL OR LEGAL ENTITY LICENSING THE SERVICES UNDER AN APPLICABLE ORDER FORM AND/OR CENTRO’S MASTER SAAS AGREEMENT (“THE PRINCIPAL AGREEMENT”) (“CUSTOMER”, “YOU” OR “CONTROLLER (CONTROLLER VIA PLATFORMS SALESFORCE AND/OR SLACK”) AND TOGETHER WITH CENTRO, THE “PARTIES” GOVERNS CUSTOMER’S ACCESS AND USE OF THE SERVICES.BY ACCEPTING THIS DPA WHILE EXECUTING AN ORDER FORM AND/OR PRINCIPAL AGREEMENT THAT REFERENCES THIS DPA, CUSTOMER AGREES TOTHE TERMS OF THIS DPA. IF YOU ARE ENTERING INTO THIS DPA ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “CUSTOMER” “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS DPA AND SHALL NOT BE PERMITTED TO USE THE SERVICES.BY ACCEPTING THE TERMS OF THIS DPA YOU REPRESENT AND WARRANT THAT ANY AND ALL INFORMATION PROVIDED TO US THROUGH THE SERVICE IS TRUE, ACCURATE AND COMPLETE. THE PROVISION OF FALSE OR FRAUDULENT INFORMATION IS STRICTLY PROHIBITED.
Background and undertakings:
1.     Controller and CENTRO have entered into thePrincipal Agreement under which CENTRO agreed to provide the Service pursuant to the Principal Agreement to the Controller and/or its Affiliates. In rendering the Service, CENTRO may from time to time be provided with, or have access to, information of the Controller which may qualify as Personal Data (as defined below).2.     Subject to the terms of this DPA, CENTRO shall process Controller‘s data as a processor for the provision of the Service under the Principal Agreement and as further described in Annex 1.3.     The Parties agree that the terms and conditions set out below, are an addendum to the Principal Agreement. Now therefore, and in order to enable the Parties to comply with the Applicable Data ProtectionLegislation, the Parties have entered into this DPA as follows:
1.     Definitions
In this DPA the following terms have the following meanings, terms not otherwise defined herein shall have the same meaning as in the Principal Agreement:“Affiliate/s” means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Principal Agreement, where “control” means the ownership of a majority share of the voting stock, equity, or voting interests of such entity.“
Applicable Data Protection Legislation” means all applicable laws and regulations, subject to the processing of Controller Data under this DPA, including without limitation (as applicable), (i) the GeneralData Protection Regulation (EU) 2016/679 (the “GDPR”); and (ii) the California Consumer Privacy Act of 2018,California Civil Code § 1798.100 et seq. (the “CCPA”);“Controller Data”means any Personal Data processed by Processor on behalf of Controller, pursuant to or in connection with the Principal Agreement;“
Data Processing Agreement or DPA” means this DPA and all appendices attached hereto (as amended from time to time in accordance herewith);“ Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or as otherwise referred to as “personal information”, “personally identifiable information” or similar term defined in the Applicable Data Protection Legislation; “PersonalData Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Data processed, transmitted, stored or otherwise processed;“
Privacy Shield” means EU–US and/or Swiss-US Privacy ShieldFramework, as administered by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016 and detailed at https://www.privacyshield.gov/;“Sub-processor/s” means a Processor engaged by CENTRO to carry out Processing in respect of Controller Data on behalf of the Controller.The terms recognized by the GDPR, such as “Controller”, “Data Subject”, “Process”, “Processor” “Processing”, “Supervisory Authority” shall have the meanings set out therein even if such terms are not capitalized in this DPA.
1.              Processing of Controller Data
       
1.1  Each Party shall comply with theApplicable Data Protection Legislation at all times.        
1.2  The Processor shall solely process the Controller Data to the extent necessary to provide the Service to theController.        
1.3  The Processor agrees to only processController Data, in accordance with Controller’s documented instructions under this DPA, the Principal Agreement, the Order Form and in accordance with the Applicable Data Protection Legislation.        
1.4  Notwithstanding the above, Controller hereby agrees and consents that Processor may Process Controller Data for the purpose of the ongoing operation of the Service, and the improvement and development, security and controls thereof.        
1.5  Controller warrants and represents that it is, and will, at all relevant times remain duly and effectively authorized to give instructions. Controller shall have sole responsibility for the accuracy, quality and legality of Controller Data and how Controller acquired Controller Data. This DPA, the instructions, the Principal Agreement and the Order Form are Controller’s complete and final instructions to Processor for theProcessing of Controller Data. Any additional or alternate instructions must be agreed upon separately in writing between authorized representatives of bothParties.        
1.6  The Processor shall immediately notify Controller if the Processor cannot fulfill its obligations under thisDPA or if the Processor is of the view that an instruction regarding the processing of Controller Data given by Controller would be in breach of ApplicableData Protection Legislation, unless the Processor is prohibited from notifyingController under applicable Data Protection Legislation.         1.7  The Processor shall immediately notify Controller in writing if the Supervisory Authority requests access toController Data which the Processor processes on behalf of Controller.         1.8  The Parties acknowledge and agree that CENTRO may qualify a “Service Provider” as defined in the CCPA. In such case, Customer discloses Personal Information to CENTRO solely for a valid business purpose and for CENTRO to perform the Service. CENTRO and itsAffiliates shall not: (i) sell or otherwise transfer Controller Data; or (ii)retain, use, or disclose the Controller Data for a commercial purpose other than providing the Service under this DPA, the Principal Agreement and CENTRO’sPrivacy Policy (as referred to below).  
2.              Security Measures        
2.1  The Processor shall implement appropriate technical and organizational measures to protect and safeguard theController Data that is processed against Personal Data Breaches.        
2.2  The measures shall at least reach a level of security equivalent of what is prescribed by Applicable DataProtection Legislation, relevant Supervisory Authorities’ applicable regulations and guidelines regarding security of Controller Data and what is otherwise appropriate to the risk of the processing of Controller Data againstPersonal Data Breaches.        
2.3  Processor will maintain its security controls and audits pursuant to industry best practices. Processor regularly monitors compliance with these safeguards. Processor will not materially decrease the overall security of the Service during the term of the Principal Agreement.
3.              Personnel; Confidentiality        
3.1  Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Controller Data (“Personnel”), ensuring in each case that access is strictly limited toPersonnel who need to know/access the relevant Controller Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with theApplicable Data Protection Laws in the context of such Personnel’s duties to the Processor.      
3.2  The Processor will impose appropriate contractual obligations upon its Personnel Processing Controller Data, including relevant obligations regarding confidentiality, data protection and data security. Personnel engaged are informed of the confidential nature ofController Data and have received appropriate training with respect to their responsibilities.        
3.3  The Processor has appointed a Data Protection Officer where such appointment is required by Applicable Data Protection legislation. The appointed person can be reached at legal@centro.rocks. 
4.              Sub-processors        
4.1  Controller authorizes Processor to appoint Sub-processors in accordance with this Section 4 for the purpose of providing the Services under the Principal Agreement.        4.2  Processor may continue to use those Sub-processors already engaged by Processor for the performance of certainProcessing activities related to the Service, as detailed in 
Annex 2 – Pre-approved Sub-Processors attached hereto.        
4.3  Processor shall give Controller prior adequate notice of the appointment of any new Sub-processor, including relevant details of the processing activities to be performed by such Sub-processor. If, within seven (7) days of receipt of such notice, Controller notifies Processor in writing of any reasonable objection to the appointment, Processor shall postpone the appointment until reasonable steps have been taken to addressController’s objection. Where such steps are not sufficient to relieveController’s objection, to the extent that it relates to the Service which require the use of such Sub-processor, Controller may, by written notice to Processor, terminate the applicable Order Form and/or Principal Agreement.        
4.4  Where a Sub-processor fails to fulfill its data protection obligations, the Processor will attempt to be liable to Controller for the performance of the Sub-processor’s obligations.        
4.5  With respect to each Sub-processor(i) Processor shall before the Sub-processor first Processes Controller Data, carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Controller Data required by the PrincipalAgreement and this DPA; and (ii) ensure that the arrangement between theProcessor and the Sub-processor is governed by a written contract that substantially meets the same obligations under this DPA. 
5.              Affiliates 
5.1  Some of Processor’s obligations may be performed by Processor’s Affiliates.Controller acknowledges that Processor’sAffiliates may Process Controller Data on Processor’s behalf to perform the Service under the Principal Agreement.       5.2  Processor will be liable for the acts and omissions of its Affiliates to the same extent Processor would be liable if performing the Service under the Principal Agreement.        
5.3  Controller hereby consents toProcessor’s use of Processor’s Affiliates in the performance of the Service in accordance with the terms of this Section 5. 
6.              Personal Data Breach        
6.1  In the event of a Personal Data Breach, the Processor shall notify Controller of a Personal Data Breach without undue delay and at the latest within 48 hours after becoming aware of thePersonal Data Breach.        
6.2  The Processor shall promptly after becoming aware of a Personal Data Breach: a.  Commence an investigation of the Personal Data Breach in order to determine the scope, nature and the likely consequences of thePersonal Data Breach; b.  Take appropriate remedial measures in order to mitigate the possible adverse effects of the Personal Data Breach and minimize damage resulting therefrom.        
6.3  Processor shall promptly provideController with such details relating to the Personal Data Breach as Controller reasonably requires complying with its obligations under the Applicable DataProtection Legislation. 
6.4  The obligations in this Section 6shall not apply to incidents that are caused by Controller or Controller’s EndUsers (as defined in the Principal Agreement). 
7.              Rights of Data Subjects        
7.1  Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from aData Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, or to object to processing, each a “Data Subject Request”. Processor will not respond to any such requests unless authorized to do so byController (unless required to do so under Applicable Data ProtectionLegislation or under the instructions of a competent authority).        
7.2  The Processor shall provide commercial reasonable assistance to Controller by taking appropriate technical and organizational measures for the fulfillment of Controller’s obligation to respond to requests for exercising the Data Subjects’ rights as laid down by Applicable Data Protection Legislation. Unless prohibited under the Applicable Data Protection Laws, Controller will reimburse Processor with any costs and expenses related to Processor’s provision of such assistance. 
8.              Audits        
8.1  Processor shall make available toController, upon prior written request, all relevant information necessary to reasonably demonstrate compliance with its obligations detailed in this DPA.        
8.2  Processor shall allow for and contribute to audits, including inspections on its premises not more than once in each calendar year (except following a Personal Data Breach) and during regular business hours. The audit may be conducted by Controller or a third-party auditor mandated by Controller, provided that such third-party auditor shall be subject to sufficient confidentiality obligations. Controller shall give Processor reasonable notice prior to exercising its audit rights.        
8.3  Each Party shall bear its own costs in relation to such audit. However, where Controller has mandated a third-party auditor to carry out the audit on its behalf, Controller shall bear the costs for such third-party auditor. 
9.      Data Impact Assessments; Consultations

The Processor shall, upon Controller’s request, provide necessary information in order to allow Controller to fulfill its obligations to, where applicable, carry out data protection impact assessments (“DPIAs”) and prior consultations with the relevant SupervisoryAuthority under Applicable Data Protection Legislation in relation to the processing of Controller Data covered by this DPA. 
10.  Documentation
Processor shall maintain complete, accurate and up-to-date documentation of its processing activities and measures taken hereunder, as required under the Applicable Data Protection Legislation, which Processor shall make available to Controller upon Controller’s written request. 
11.  Transfers
In order to provide the Service, Processor and its Sub-processors may only transfer Controller Data concerning residents of the EEA to a Sub-processor or an Affiliate outside the EEA in accordance with a data transfer mechanism permitted by the Applicable Data Protection Legislation as further detailed below:         11.1  Processor and its Affiliates hereby affirm that they certified their compliance to the EU-US and Swiss-US Privacy Shield Framework (the “Privacy Shield”) as of the effective date of this DPA and shall remain committed to comply with the Privacy Shield principles with respect to transfer of Personal Data concerning residents of the EEA to a Sub-processor or anAffiliate in the United States, until Processor withdraws from the PrivacyShield. 11.2  Notwithstanding the above, theProcessor and Controller shall execute the EU Commission’sStandard Contractual Clauses in the event that Controller Data is transferred to: (i) countries outside the EEA, and (ii)  that are not recognized by the EU Commission as providing adequate protection pursuant to Article 45 of the GDPR. If the foregoing applies to Controller Data, and notwithstanding the absence of a signature on the Standard Contractual Clauses, Parties agree that the Standard Contractual Clauses are binding on CENTRO and its Affiliates as the“Data Importer”, and Customer and the Customer’s affiliates as the “Data Exporter”, by way of entering into an Order Form which references thePrincipal Agreement and this DPA. If you wish to receive a signed copy of theStandard Contractual Clauses, please reach out to legal@centro.rocks. 
12.  Deletion; Return

Processor shall promptly, and in any event within 90 days of termination of the Principal Agreement or upon Controller’s request, delete or return all copies of Controller Data, except where such copies are required to be retained in accordance with the Applicable DataProtection Legislation and provided that Processor shall ensure the confidentiality of all such Controller Data. Upon prior written request ofController, Processor shall provide written documentation that is has complied with its obligation herein. Formalized deletion requests must be emailed to legal@centro.rocks
13.          General Terms        
13.1  The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.        
13.2  Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable parthad never been contained therein.        
13.3  Amendments and additions to this DPA shall be in writing and duly signed by the Parties to be valid. 

ANNEX 1 – DETAILS OF PROCESSING (Please email legal@centro.rocks for diagrams and full agreement) This Annex 1 includes details of the Processing of Controller Data as required by Article 28(3) GDPR.
1.      Subject matter and duration of the Processing of Controller Data
The subject matter and duration of theProcessing of the Controller Data are set out in the Principal Agreement andthis Annex.
2.      The nature and purpose of the Processing of Controller Data
CENTRO has developed, and owns digital integrations between other platforms, and software tools for interacting effectively between platforms. These platforms include (EMAIL LEGAL@CENTRO.ROCKS FOR LIST OF SUB PROCESSORs). The tools include synchronizing Slack channels and thread to Salesforce, sending and receiving email and text messages from Slack, and summarizing Slack channels using (EMAIL FOR SUBPROCESSOR) Service (“Service- as further defined in the PrincipalAgreement). The Controller Data is collected by Processor when an End User (as defined in the Principal Agreement) uses the Service. The Controller Data is processed for the purpose of providing the Service, the ongoing operation thereof, and/or for security purposes.
3.      The types of Controller Data to be Processed 
3.1 End-Users’ SlackMessages, Salesforce Records and Metadata, Email Messages and SMS Text Messages(these align to the module purchased in the Order. These data are treated a spass through to the Data Controller systems (Salesforce, Slack, or Gmail). Centro does not store these data on any servers or in any way.
3.2 Email addresses and API tokens of authorized Controller personnel inherent for the provision of the Service, for the purpose of creating Outputs (as defined in the Principal Agreement) and of those End Users which contact Processor in connection with the provision oftechnical support for the Service.
4.      The categories of Data Subject to whom the Controller Data relatesData subjects are the End-Users of the Service and authorized Controller Personnel.
5.      The obligations and rights of Controller
The obligations and rights of Controller are set out in this DPA, the Principal Agreement and this Annex.
6.      RetentionPeriods
Processor will retain Controller Data it processes here under only for as long as required to provide the Service pursuant to the Principal Agreement.Unless otherwise agreed in writing by theParties, after a request from the Controller to delete any Controller Data or upon termination or expiration of the Principal Agreement, an automated process will begin that permanently deletes the data in accordance with the timelines set forth in the tables below. Once initiated, this process cannot be reversed, and data will be permanently deleted. 
Type Timeline for  Deletion (after deletion process begins) for Cancellation, Termination or  Migration
Backups: 30  days
Logs: 60  days 
 Annex 2 –Pre-approved Sub-processorsSub-processorHosting LocationServices (EMAIL LEGAL@CENTRO.ROCKS for list of sub-processors)

MSA

Please email info@centro.rocks for a copy of our Master Services Agreement.