Data Processing Addendum – What’s Changed

1. Changes posted May 1, 2026

Summary of updates:

• Renamed “Client Data” to “Client Content” and refined the definitions of Client Account Data and Security Breach (which now covers any incident affecting Client Content in PowerPlan’s possession or control).
• Added explicit limits on PowerPlan’s use of Personal Data: no selling, sharing, combining with outside data, or using it outside our direct relationship with Client.
• Extended subprocessor change notice from 14 to 30 days and replaced the old objection language with a formal process — if Client objects for a valid data-protection reason and no alternative can be provided within 90 days, Client may terminate the affected Services.
• Audits must be performed by a qualified independent auditor agreed by both parties, and recent third-party audit reports within 24 months (up from 12) may satisfy Client’s audit right.
• Added commitment that PowerPlan will reasonably assist Client with data protection impact assessments (DPIAs) and related regulatory consultations.

2. Changes posted April 1, 2025

Summary of updates:

• Corrected scrivener’s errors throughout.