SHOEBOX INC. DATA PROCESSING ADDENDUM

Effective Date: January 25, 2019

THIS ADDENDUM is made between:

SHOEBOX INC., incorporated under the laws of Canada whose registered office is at 301-80 Aberdeen St., Ottawa, ON Canada K1S 5R5 (“SHOEBOX”); and

The SHOEBOX customer subscribing for SHOEBOX services pursuant to SHOEBOX’s Terms of Service (“Customer”) who requires a Data Processing Addendum,

together the “parties”.

WHEREAS:

(A) SHOEBOX and the Customer have entered or desire to enter into Terms of Service for the provision by SHOEBOX to the Customer of iPad-based hearing testing services, including related data management, processing and analysis services (the “Terms”); and

(B) SHOEBOX and the Customer have agreed to enter into this Addendum to the Terms in relation to data processing.

IT IS NOW AGREED AS FOLLOWS:

APPENDIX: Description of Information Processing

The data processing activities carried out by SHOEBOX under this Addendum are as follows:

Description of Service: Hearing testing services using an iPad-based audiometer and web portal, including related data management, processing and analysis services
Subject-matter of Processing: SHOEBOX processes certain Customer Personal Information on behalf of its Customers in relation to hearing testing services. The content of the Customer Personal Information may include contact information for the Customer, demographics of the Customer’s patients and their hearing test results data.
Duration of Processing: For the duration of the Service to which this Addendum relates.
Nature and purpose of Processing: To enable SHOEBOX to provide the Customer with certain Services in relation to hearing testing.
Types of Personal Information: Customer Personal Information relating to Customers and provisioned end users of the Services which is uploaded by such Customers or provisioned end users and/or otherwise collected by or on behalf of the Customer or provisioned end user as a result of use of the Services. Patient Personal Information may be collected by the Customer and provisioned end users of the Service. Patient Personal Information collected may include, without limitation, audiograms, personal contact information, demographic information, location information, profile data, unique IDs, passwords, usage activity, transaction history, and online behaviour and interest data. SHOEBOX also collects information about visitors to its web properties.
Type of Sensitive Personal Information (Personal Information revealing race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric information, health information or information concerning a person’s sex life or sexuality): Hearing test result data, medical condition/diagnosis
Categories of Information Subjects: SHOEBOX’s Customers, their provisioned end users of its Services, patients, as well as visitors to SHOEBOX’s web properties.