Data Processing Addendum

This Data Processing Addendum (“DPA”) sets forth the data processing commitments of Cority and Client and forms part of the Hosted Software and Services Agreement or the software as a service agreement (the “Agreement”) between Cority Software Inc. or its Affiliate identified in an order form or statement of work and the Client identified on the order form or statement of work. By entering into an order form or an Agreement that references and incorporates these Terms and Conditions, Client accepts the terms and conditions set forth herein.

Unless otherwise defined herein, capitalized terms have the meaning given to them in the Agreement.

  1. DEFINITIONS
    • 1.1. The terms “controller”, “data protection impact assessment” “processor”, and “processing” shall have the meanings given to them in applicable European Data Protection Laws; and the terms “business”, “business purpose”, “commercial purpose”, “consumer”, “personal information”, “service provider”, “sell”, and “share” shall have the meanings given to them in applicable US Privacy Laws.
    • 1.2. “Affiliates” means any entity (now existing or hereafter formed or acquired), which directly, through one or more intermediaries, controls, is controlled by or is under common control with, another entity. Ownership of fifty percent (50%) or more of the voting stock, membership interests, or other equity of an entity shall be deemed to be control over such entity.
    • 1.3. “Data Protection Laws” means the European Data Protection Laws, US Data Privacy Laws, and any other applicable data privacy or data protection laws.
    • 1.4. “Data Security Standards” means the data security standards and procedures set out in this DPA.
    • 1.5. “EEA” means the countries that are parties to the agreement on the European Economic Area, and Switzerland.
    • 1.6. “European Data Protection Laws” means: (i) EU General Data Protection Regulation (“GDPR”); (ii) any applicable national implementations of the GDPR; (iii) the Swiss Federal Data Protection Act (“Swiss DPA“); and (iv) in respect of the United Kingdom (“UK”), the UK GDPR (“UK GDPR“); in each case as may be amended, superseded or replaced.
    • 1.7. “GDPR” means the EU General Data Protection Regulation 2016/679.
    • 1.8. “Personal Data” means any “personal data”, “personal information”, or “personally identifiable information” as defined under Applicable Data Protection Laws, which includes, without limitation, information concerning an identified or identifiable natural person.
    • 1.9. “Personal Data Breach” means any confirmed security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data processed under this DPA.
    • 1.10. “Regulated Transfers” mean: (i) where the GDPR applies, a transfer of Client Personal Data from the EEA to a country outside of the EEA which does not benefit from an adequacy decision by the European Commission (an “EEA Regulated Transfer“); (ii) where the UK GDPR applies, a transfer of Client Personal Data from the UK to any other country which does not benefit from adequacy regulations under the UK GDPR (a “UK Regulated Transfer“); and (iii) where the Swiss DPA applies, a transfer of Client Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner (a “Swiss Regulated Transfer”).
    • 1.11. “Services” means the Software and services provided by Cority pursuant to the Agreement.
    • 1.12. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses as adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021, as amended, superseded, or replaced from time to time.
    • 1.13. “Sub-processor” means any processor engaged by Cority or its Affiliates to assist in fulfilling its obligations with respect to providing the hosted software and services under the Agreement or this DPA. Sub-processors may include third parties or Cority’s Affiliates.
    • 1.14. “Supervisory Authority” means a regulatory or other governmental body or authority with jurisdiction or oversight over Data Protection Laws.
    • 1.15. “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018.
    • 1.16. “US Data Privacy Laws” means, as applicable: the California Consumer Privacy Act of 2018 as amended (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Connecticut Data Privacy Act (“CTDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”), as of January 1, 2026, the Indiana Consumer Data Protection Act (“INCDPA”), as of January 1, 2026, the Iowa Consumer Data Protection Act (“ICDPA”), the Montana Consumer Data Privacy Act (“MCDPA”), the Tennessee Information Protection Act (“TIPA”), the Texas Data Privacy and Security Act (“TDPSA”), and any other US state privacy or data protection laws that have been enacted at the time of the parties execution of this DPA.
  2. CONTEXT
    • 2.1. Context. This DPA governs the processing of any personal data by Cority, as a processor or service provider, for Client when providing Services under the Agreement.
  3. PROCESSING OF CLIENT PERSONAL DATA
    • 3.1. Processing. Cority is acting as a Processor or a sub-processor for Client. Client is acting as the Controller for its own Personal Data and if applicable, processor for the Personal Data of its Affiliates or of other Controllers that have appointed Client as a processor and, in such case, Client has authorization to engage Cority as sub-processor. Client will serve as a single point of contact for Cority on behalf of its Affiliates and any other Controllers. Cority will be discharged of any obligation to inform or notify another Controller when Cority has informed or notified Client.
    • 3.2. Instructions. Cority shall process Client Personal Data as required to provide the Services and in accordance with Client’s documented lawful instructions. The Agreement and applicable order form(s) (including this DPA) outline Client’s written instructions to Cority regarding the processing of Client Personal Data (“Written Instructions”). Additional instructions outside the scope of the Written Instructions (if any) require prior written agreement between Cority and Client, including agreement on any additional fees payable by Client to Cority for carrying out such instructions. To the extent that Cority believes an instruction is contrary to any Data Protection Laws, Cority shall inform Client, and Cority may suspend the performance of the instruction until Client has modified or confirmed its lawfulness to Cority’s reasonable satisfaction. Notwithstanding the foregoing, Cority is not obligated to evaluate whether an instruction issued by Client complies with Data Protection Laws and Client acknowledges that Client Personal Data may be processed on an automated basis in accordance with Client’s use of the Services, which Cority does not monitor.
    • 3.3. Details of Processing. A list of categories of Data Subjects, types of Client Personal Data, and Processing activities is set out in Appendix 1 – Personal Data Processing. The duration of the Processing corresponds to the Term, unless otherwise stated in Appendix 1 – Personal Data Processing. Cority’s provision of the Services is the purpose and subject matter of the Processing.
    • 3.4. Client Obligations. Client is responsible for its lawful use of the Services and for the lawfulness of its own processing of Personal Data under or in connection with the Services. Accordingly, Client shall:
      • (a) provide all notices and obtain all consents, permissions and rights necessary under Data Protection Laws for Cority to lawfully process Client Personal Data under the Agreement and this DPA;
      • (b) comply with all Data Protection Laws applicable to the collection, provision and contemplated processing of Client Personal Data to and by Cority and/or its Sub-processors; and
      • (c) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws).
    • 3.5. Cority Compliance with Data Protection Laws. In carrying out its activities under this Agreement, Cority will observe and comply with all applicable Data Protection Laws supported by Cority’s operations and applicable to Cority’s activities in connection with this Agreement. For the sake of clarity, Cority supports compliance with European Data Protection Laws, US Data Privacy Laws, Canadian data privacy laws, and Australia data privacy laws.
    • 3.6. Review of Client Data. Cority is not required to assess the contents or accuracy of Client Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Client is responsible for determining whether its use of the Services will meet Client’s requirements and legal obligations under Data Protection Laws.
    • 3.7. Third-Party Requests and Confidentiality. Unless prohibited by applicable law or a legally binding request of law enforcement, Cority shall promptly notify Client of any request by a government or supervisory authority for access to Client Personal Data.
  4. DATA PROTECTION
    • 4.1. Data Security Standards. Cority shall use, process, retain, and disclose Client Personal Data only as necessary to provide the Services and in compliance with the Data Security Standards. Client acknowledges and agrees that Cority may modify the Data Security Standards from time to time in Cority’s sole discretion provided that any modified Data Security Standards must be, except to the extent required to comply with applicable law, no less protective of the Client Personal Data than the Data Security Standards in place as of the Effective Date.
    • 4.2. Client Personal Data. Cority shall implement appropriate technical and organizational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, as set out in Appendix 2 – Technical and Organizational Measures (“Technical and Organizational Measures”). Cority shall treat all of Client Personal Data as confidential by not using, maintaining, or disclosing Client Personal Data except for purposes of providing the Services pursuant to the Agreement or as otherwise required by applicable law.
  5. DATA SUBJECT RIGHTS AND REQUESTS
    • 5.1. Data Subject Requests. Cority shall inform Client of requests from Data Subjects exercising their Data Subject rights (including access, rectification, deletion, and blocking of data) addressed directly to Cority. Client is responsible for handling requests from Data Subjects and using the functionality that forms part of the Services to give effect to such requests. To the extent that Client cannot handle Data Subject requests using self-service functionality provided as part of the Services, Cority shall reasonably assist Client in handling Data Subject requests in accordance with section 12.
    • 5.2. Data Subject Claims. If a Data Subject brings a claim directly against Cority in relation to their Data Subject rights, Client shall reimburse Cority for any cost, charge, damages, expenses, or loss arising from the claim to the extent that Cority has notified Client about the claim and given Client the opportunity to cooperate with Cority in the defense and settlement of the claim. Subject to the terms of the Agreement, Client may claim from Cority direct damages resulting from Data Subject claims for a violation of their Data Subject rights caused by Cority’s breach of its obligations under this DPA.
    • 5.3. Legal Disclosure Requests. If Cority receives a demand to disclose or provide access to Client Personal Data from a third-party or government authority including, without limitation, a government agency or public authority (“Legal Demand”), then Cority will attempt to redirect the Legal Demand to Client. If Cority cannot redirect the Legal Demand, Cority will promptly notify Client and provide a copy of the Legal Demand to allow Client to seek a protective order or other appropriate remedy, to the extent permitted by law. Cority will only disclose or provide access to Client Personal Data as required by law.
  6. SUB-PROCESSORS
    • 6.1. List of Authorized Sub-processors. Client authorizes Cority to engage other Processors to Process Client Personal Data (“Sub-processors”), including Cority’s Affiliates. A list of the third-party Sub-processors is set out on Cority’s website at: https://www.cority.com/legal-center/, which may be updated from time to time.
    • 6.2. New Sub-Processors. Cority shall notify Client in advance of any addition of Sub-processors via email. Within 30 days after Cority’s notification, Client can object to the addition of a Sub-processor. Client’s objection must be in writing and include Client’s specific reasons for its objection and options to mitigate. If Client does not object, the Sub-processor may be engaged to Process Client Personal Data. To the extent required under Data Protection Laws, Cority shall impose substantially similar but no less protective data protection obligations as set out in this DPA, as required under Data Protection Laws, on any Sub-processor prior to the Sub-processor initiating any Processing of Client Personal Data, as deemed appropriate by Cority considering factors such as the nature, scope, context, purposes. If Client legitimately objects to the addition of a Sub-processor and Cority cannot reasonably accommodate Client’s objection, Cority shall notify Client and Client may terminate the order form within 14 days of Cority’s notification to the Client; otherwise, the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.
    • 6.3. Subprocessor Obligations. Cority shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Client Personal Data to the extent required by Data Protection Laws and this DPA; and (ii) remain liable for the acts and omissions of its Sub-processors to the same extent that Cority would be liable if performing the services of each Sub-processor under the terms of this DPA.
  7. RETURN OR DELETION OF CLIENT DATA
    • 7.1. During the term of the Agreement, Client retains full control over the Client Personal Data input into the Software and has the right to delete any such Client Personal Data. Furthermore, Client may download its data at any time through the Services.
    • 7.2. Upon termination or expiration of the Agreement, Cority shall:
      • (a) return Client data in accordance with a statement of work, which outlines the fees and format of return, executed by Client and Cority; or
      • (b) delete all Client Personal Data stored in Client’s production environment in accordance with the Agreement, except any Personal Data that Cority is required to retain under applicable law. Any data stored in electronic backups shall be put beyond use and deleted in accordance with Cority’s backup retention policy.
  1. TRANSFERS OF PERSONAL DATA
    • 8.1. Regions. Cority will host Client data in the region identified on the order form (“Hosting Region”). Client is solely responsible for the regions from which it accesses the Services, and for any transfer or sharing of Client Personal Data by Client and if applicable, its Affiliates. Once Client has selected a Hosting Region, Cority will not process Client Personal Data from outside the Hosting Region except as required to provide the Services in accordance with the Agreement, which may include transfers of Client Personal Data to the regions where Sub-processors maintain data processing operations, or as necessary to comply with the law or binding order of a governmental entity.
    • 8.2. EU Transfers. If any transfer of Client Personal Data from Client to Cority constitutes an EEA Regulated Transfer, Cority agrees to abide by and process Client Personal Data in compliance with the Standard Contractual Clauses, which shall be deemed incorporated into this DPA as follows:
      • (a) Applicable Modules. Where Client is a controller of the Client Personal Data, Module Two (controller to processor transfers) shall apply, or where Client is a processor of the Client Personal Data, Module Three (processor to processor transfers) shall apply;
      • (b) Docking Clause. Regarding Clause 7, the optional docking clause will apply;
      • (c) Sub-Processing. Regarding Clause 9, Option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-processor changes shall be as set out in this DPA;
      • (d) Redress. Regarding Clause 11, the optional language will not apply;
      • (e) Governing Law. Regarding Clause 17, Option 2 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland;
      • (f) Choice of Forum and Jurisdiction. Regarding Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; and Annex I and II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annexes I and II attached hereto; and
      • (g) Appendix. Annex I Standard Contractual Clauses will be deemed populated with the information set forth in Appendix 2 and Annex II of the Standard Contractual Clauses will be deemed populated with the information set forth in Appendix 2.
    • 8.3. UK Transfers. If any transfer of Client Personal Data from Client to Cority constitutes a UK Regulated Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2 above, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 through 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II attached hereto, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
    • 8.4. Swiss Transfers. If any transfer of Client Personal Data from Client to Cority constitutes a Swiss Regulated Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2 above, but with the following modifications:
      • (a) any references in the Standard Contractual Clauses to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein;
      • (b) any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be;
      • (c) any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and
      • (d) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
  1. US PRIVACY LAWS
    • 9.1. For any processing of Client Personal Data subject to US Privacy Laws, the parties agree that:
      • (a) Client is a business; and
      • (b) Client appoints Cority as its service provider (or processor) to process Client Personal Data for the specific business purpose described in and otherwise permitted by the Agreement and US Privacy Laws (the “Permitted Purposes“).
    • 9.2. To the extent required under applicable US Privacy Laws, Client and Cority agree that:
      • (a) Cority shall not sell or share Client Personal Data;
      • (b) Client is not sharing or selling Client Personal Data to Cority;
      • (c) Cority shall comply with its applicable obligations under US Privacy Laws, shall provide the level of privacy protection required by US Privacy Laws, and shall notify Client if it decides it can no longer meet its obligations under US Privacy Laws with respect to its processing Client Personal Data under the Agreement;
      • (d) Cority shall not retain, use, or disclose Client Personal Data outside of the direct business relationship between Client and Cority, or for any purpose other than for the Permitted Purposes, including retaining, using, or disclosing Client Personal Data for a commercial purpose other than the Permitted Purposes;
      • (e) Client has the right to take reasonable and appropriate steps to ensure Cority processes Client Personal Data in a manner consistent with Client’s obligations under US Privacy Laws, and in compliance with the Agreement in accordance with the audit parameters set forth in Section 3.4 (Audits) of this DPA, and shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Data;
      • (f) Cority engages other service providers to assist in the processing of Client Personal Data for the Permitted Purposes under the Agreement on behalf of Client, as detailed in Section 4.2 (Authorized Sub-processors) of this DPA pursuant to a written contract(s) binding such additional service providers to observe the applicable requirements of US Privacy Laws; and
      • (g) Cority shall not combine the Client Personal Data that Cority receives from or on behalf of Client, with Personal Data that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, except as permitted under US Privacy Laws.
  1. SECURITY INCIDENTS
    • 10.1. Incidents. Cority shall investigate unauthorized access and unauthorized use of Client Personal Data in connection with or through the Services, including Personal Data Breaches (“Security Incidents”). Client may notify Cority of a suspected incident or Security Incident.
    • 10.2. Notifications. Cority shall notify Client without undue delay upon confirmation (and in any event within 48 hours of becoming aware) of a Security Incident that is known or reasonably suspected by Cority to affect Client Personal Data and shall provide Client with reasonably requested information about each Security Incident and the status of any remediation and restoration activities. Cority’s notification of or response to a Security Incident will not be construed as an acknowledgement by Cority of any fault or liability with respect to the Security Incident. Client will be responsible for (a) determining if there is any resulting notification or other obligation to data protection authorities and/or Data Subjects and (b) taking necessary action to comply with those obligations. Cority will provide Client with reasonable assistance.
  2. AUDIT
    • 11.1 Requests. Cority will permit audits conducted by Client or a third-party auditor engaged by Client solely on Client’s behalf to determine whether Cority is processing Client Personal Data in accordance with the Agreement, as follows:
      • (a) Upon Client’s written request, Cority will provide Client or its mandated auditor with the most recent certifications and/or summary audit report(s) that Cority has obtained to regularly test, assess, and evaluate the effectiveness of Cority’s Technical and Organizational Measures.
      • (b) Cority will reasonably cooperate with Client by providing available additional information concerning the Technical and Organizational Measures as reasonably required by Client to help Client better understand them.
      • (c) If further information is needed by Client (acting reasonably) to comply with its own or other Controllers’ audit obligations or a competent Supervisory Authority’s request, Client shall inform Cority in writing to enable Cority to provide such information or to grant access to it. For the avoidance of doubt, Cority will be under no obligation to disclose confidential or commercially sensitive information as part of an audit.
    • 11.2. Formal Audit. In the event that the audit request isn’t satisfied by
    • 11.3. Confidentiality. All audits will be subject to the auditing party’s execution of a confidentiality agreement acceptable to Cority and will be conducted at Client’s expense.
  3. ASSISTANCE
    • 12.1. Assistance. Cority will assist Client in the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Client’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach, and any required Data Protection Impact Assessments, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the Processing and the information available to Cority.
    • 12.2. Requests. Client shall make a written request for any assistance referred to in these Data Security Requirements. Cority may charge Client no more than a reasonable charge to provide assistance and any charges to be set forth in a SOW. If Client does not agree to the SOW, the parties will reasonably cooperate to find a feasible solution.
  4. LIMITATION OF LIABILITY
    • 13.1. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability set forth in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement.

 

 

APPENDIX 1 – Personal Data Processing

A. LIST OF PARTIES

Data exporter(s):

  1. Name:Client

Address: As stated in the order form

Contact person’s name, position and contact details: The primary contact by Client

Activities relevant to the data transferred under these Clauses: Client’s use of the Services

Signature and date: Same as the effective date of the order form

Role (controller/processor): Controller or Processor, as applicable.

 

Data importer(s):

  1. Name: Cority

Address: As stated in the order form

Contact person’s name, position and contact details: Kamran Chaudhry, General Counsel, Kamran.Chaudhry@cority.com with a copy to legal@cority.com and cpo@cority.com

Activities relevant to the data transferred under these Clauses: The performance and provision of Services

Signature and date: Same as the effective date of the order form

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The applicable categories of data subjects are determined and controlled by Client and may include, without limitation:

  • Client employees and independent contractors

Categories of personal data transferred

The applicable categories of personal data are determined and controlled by Client and may include, without limitation:

  • First/Last Name
  • Contact information
  • User Identification Number
  • Employment details
  • Demographic characteristics
  • Health information
  • Safety (injury/illness)
  • Any other personal data input into the Services by Client

Sensitive data transferred (if applicable)

The applicable types of Sensitive Personal Data are determined and controlled by Client, and may include, without limitation:

  • Demographic Characteristics
  • Health information

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature and purpose of the processing

The nature and purpose of the processing will be to provide the services set out under the Agreement relating to Cority’s occupational health, safety, industrial hygiene, environmental, quality, sustainability or ergonomics software solution.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Term of the Agreement and until deletion of all backups containing Client data.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Same as above.

 

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the Republic of Ireland shall act as competent supervisory authority.

 

 

Appendix 2 – Technical and Organizational Measures

  1. Corporate Information Security Policy
    • 1.1. Cority ISP (Information Security Policy) documents are developed based on ISO framework.
  2. Information Risk Management
    • 2.1. Third-party risk assessments are conducted before authorizing any third-party services and/or software.
    • 2.2. Organizational level risk assessment and reviews are conducted on annual basis for the evaluation on potential risks to the organization including hosting services.
    • 2.3. Centralized risk management system for risk tracking and monitoring.
  3. Organization of Information Security
    • 3.1. CSMC (Corporate Security Management Committee) is established to proactively, develop, maintain, improve, and promote the Information Security Management System and IT security needs to meet business requirements.
  4. Policy Maintenance Policy
    • 4.1. Centralized policy documents management system for policy documents version control and approval.
  5. Human Resources Security
    • 5.1. Criminal and background checks are conducted before onboarding new employees.
    • 5.2. Employee contracts and Rules of Behavior documents are required for signature and/or acknowledgment before authorizing access for new employees.
    • 5.3. Employee onboarding procedure and employee termination procedure are defined and updated on regular basis.
    • 5.4. Information security awareness and data privacy trainings are conducted for new employees.
    • 5.5. Information security awareness and data privacy refreshment trainings are conducted for all existing employees on an annual basis.
  6. Asset Management
    • 6.1. Centralized information asset management system to track and monitor information assets, including physical and digital (software) assets. Regular reviews are conducted to ensure the information assets are up to date.
  7. Access Control
    • 7.1. Centralized user identity management system to enforce password policy, and user authorization & authentication policy.
    • 7.2. Separate sets of regular user credentials and privileged user credentials.
    • 7.3. Strong authentication such as MFA is enforced on privileged user credentials and enforced on regular user credentials for remote access such as VPN.
    • 7.4. Privileged user credentials and activities are reviewed on regular basis for auditing.
  8. Cryptography
    • 8.1. Client data encryption at rest is enforced with AES256.
    • 8.2. Client data encryption in transit is enforced with TLS1.2 (or higher).
    • 8.3. File encryption at rest is supported with PGP and/or WinZip (AES256).
    • 8.4. File encryption in transit is supported with SFTP.
    • 8.5. Remote VPN tunnels encryption are enforced with AES256.
    • 8.6. User endpoint disk encryption is enforced with AES256.
  9. Physical and Environmental Security Policy
    • 9.1. Physical and environmental controls are inherited from cloud hosting service providers.
  10. Operations and Network Security
    • 10.1. Centralized SIEM system to capture activities and audit events.
    • 10.2. Vulnerability monitoring system to continuously scan and monitor the potential vulnerabilities within the SaaS application hosting environment.
    • 10.3. Segregated internal and external networks, client hosting and corporate networks. Network access rules are enforced to limit only necessary network traffic in/out of the SaaS application hosting environment.
    • 10.4. Network boundary protection such WAF (Web Application Firewall).
    • 10.5. Security hardening procedure defined and enforced to secure server endpoints.
    • 10.6. Anti-virus protection systems are deployed on server and user endpoints for protection against both signature-based and behavior-based attacks.
    • 10.7. Data encryption (see Cryptography).
    • 10.8. Data backup (see Information Security Aspects of Business Continuity Management).
    • 10.9. Internal and external monitoring system for monitoring on internal components and external SaaS application instances.
  11. Communications Security
    • 11.1. Email system is hosted on Microsoft Office 365 (O365). TLS encryption is enabled by default in O365.
    • 11.2. Access to SaaS applications is enforced with HTTPS/443.
    • 11.3. Strong authentication such as MFA is enforced for remote connection to internal networks through VPN tunnel.
  12. System Acquisition, Development and Maintenance
    • 12.1. Centralized source code repository is established for securing source code with version control.
    • 12.2. Software engineering principal is established as guideline for secure engineering best practices.
    • 12.3. Role-based training for software development team on topics such as OWASP Top 10 are conducted on an annual basis.
    • 12.4. CMP (Change Management Procedure) is established to govern the lifecycle management on configuration changes and application deployment activities. Changes must be approved and validated before implementation in client live production sites.
    • 12.5. Static code analysis system to continuously scan for vulnerabilities within source code.
    • 12.6. Dynamic web application system to continuously scan for vulnerabilities within the SaaS application.
    • 12.7. Application penetration tests are conducted by certified third-party penetration testers.
  13. Supplier Relationship
    • 13.1. Third-party risk assessments are conducted before authorizing any third-party services and/or software.
  14. Information Security Incident Management
    • 14.1. IRP (Incident Response Plan) document is established to define the scope and lifecycle process on responding to security incidents.
    • 14.2. CSIRT (Computer Security Incident Response Team) is established and is responsible for incident response activities.
    • 14.3. Third-party security retainer for handling data breach incident and conduct forensic investigation.
  15. Information Security Aspects of Business Continuity Management
    • 15.1. Client data backup process is established for securing data backup at both onsite and offsite locations.
    • 15.2. Client data backup is encrypted at rest and in transit.
    • 15.3. Members of the CSIRT is responsible for BCP/DRP activities and are trained for BCP/DRP activities on regular basis.
    • 15.4. DRP is tested and evaluated through functional testing.
  16. Compliance
    • 16.1. Cority is ISO27001/27017/27018 certified.
  17. Cloud Security
    • 17.1. Cority is 27017/27018 certified.
  18. Security Roles and Responsibilities
    • 18.1. Security R&R (Roles and Responsibilities) are documented in the ISP (Information Security Policy) documents.
Sean Baldry

Sean Baldry

Sr. Director of Product Marketing

As Cority’s Sr. Director of Product Marketing, Sean leads Cority’s product marketing strategy and tactical delivery, helping customers understand the value that they can realize from a digital EHS transformation with Cority. With over 20 years of experience working in front-line and corporate EHS roles, Sean intuitively understands the key challenges and pain points faced by EHS professionals, and leverages this deep expertise to educate Cority’s team on how best to support the customer journey. Sean works with Product Management, Sales, Marketing and Professional Services functions to better understand customer impressions of Cority’s products and services, and advocates for product investment that support current needs while addressing future demands. Prior to joining Cority, Sean worked across manufacturing, automotive, mining and construction sectors, most recently serving as Head of Health & Safety for Holcim’s Eastern Canada division.
 
Sean is a graduate of the University of Guelph and Ryerson University, and holds a Canadian Registered Safety Professional (CRSP) designation.
Timothy Ku

Timothy Ku

VP of Customer Support

Tim is a seasoned professional with over 20 years of extensive experience in Support and Service Management. Currently serving as Cority’s VP of Customer Support, he is known for his ability to lead and scale global support teams across diverse locations. Tim’s approach is deeply rooted in customer-centricity, leveraging his expertise to ensure the Voice of the Customer is heard throughout the organization.

With a strong focus on process optimization and data-driven decision-making, Tim consistently delivers results that enhance customer satisfaction and loyalty. He understands that success isn’t just about hitting targets but also about building a positive rapport with customers and key stakeholders. His leadership style inspires trust and collaboration, empowering teams to innovate and be creative. Prior to his role at Cority, Tim held leadership positions at TELUS Communications, Esri Canada, and most recently VP of Client Services at Doxim Inc. Tim holds a Bachelor of Business Commerce degree from Toronto Metropolitan University.

Matt Nelson

Matt Nelson

VP, Strategic Alliances

Matt is a highly accomplished executive leader with a passion for learning and executing innovative growth strategies. With over 25 years of proven expertise in the enterprise Risk Management, Compliance and Environmental, Health, Safety (EHS) and ESG/Sustainability arena. Matt is responsible for driving the global expansion of our Strategic Alliance initiatives. Matt is recognized for an unbroken track record of success building, developing, and scaling high-performing collaborative global teams and multi-channel partnering ecosystems who consistently exceed revenue, profit, and management goals. Matt is a process driven, fact-based problem solver who enjoys creating long-term value for his clients, partners, and team. Matt’s experience in team building and associate development has driven significant new and organic international market expansion, M&A pursuits, change management, new product/market launches and has managed global teams as large as 145 team members. Over the past 10 years, Matt, his teams, and channel partners are responsible for negotiating, selling, and delivering more than $1.5 billion in SaaS/Cloud software and consulting services. When Matt is not working, he enjoys spending as much time as possible traveling with his wife and six children.

 
Scott Miner

Scott Miner

Sr. Director, Platform & Design

As Sr. Director, Platform & Design, Scott spearheads the successful delivery of platform capabilities across CorityOne clouds. Additionally, he oversees our UX/UI team, prioritizing user-centered design, and the creation of best-in-class experiences. With over 20 years of product design leadership, Scott has successfully delivered mission-critical finance and business applications to global Fortune 100 companies.

Before joining Cority, he served as the Head of Experience for Telus Agriculture and Consumer Goods. Prior to that role, Scott held the position of VP, Technology – Enterprise Data, Product, and Delivery at TKXS. This business became a pivotal acquisition, forming Telus’ Ag/Consumer business unit. In the early stages of his career, he co-founded ettain group, a prominent US digital agency, guiding it through rapid growth and positioning it for future acquisition by Experis/Manpower.

Scott’s deep experience in driving design at scale and leading high-performing teams will play a pivotal role in supporting Cority through its next stage of growth. He holds a bachelor’s degree in design from the Rochester Institute of Technology in Rochester, NY.

Laura Vassilowitch

Laura Vassilowitch

Senior Director, Product Operations

Laura Vassilowitch is the Senior Director, Product Operations at Cority. Laura works with Product Management, Product Marketing, Engineering, UIUX, and other cross functional areas to provide streamlined processes that support superior performance and output. Laura’s decade-plus history in Product Management includes leadership of Product Organizations at Start-Ups and Fortune 500 companies within the Higher Education, Federal & State Governments, and Healthcare Markets. Most recently, Laura was the Director of Technical Product Management at Gordian, a Fortive Operating Company (FTV). In this role, she was responsible for the execution and delivery of software solutions across Gordian’s SaaS product portfolio.

Jamie Devlin

Jamie Devlin

VP of Sales

Jamie is a senior leader with 25 years of international business consulting and technology experience across multiple industries and geographies, with deep expertise in strategy development, sustainability, business change, process optimization, digital transformation, and advanced technologies, including industrial Artificial Intelligence (AI).

As Vice President of Sustainability Sales, Jamie is responsible for driving Cority’s acquisition of new business and developing strategic partnerships, focused on the value Cority’s clients realize in the context of an ever-changing sustainability reporting landscape. Jamie also works closely with the colleagues across Cority’s Sustainability Cloud to ensure Cority’s trusted software and expert advisory services continue to lead the market.

Stephen Tkaczyka

Stephen Tkaczyk

VP of Finance

As VP Finance, Stephen Tkaczyk oversees the finance and accounting functions. Stephen has 15 years of financial experience, with areas of expertise in financial reporting, performance management and analysis. Prior to joining Cority, Stephen spent the initial part of his career working in the KPMG audit practice and then subsequently in progressively senior finance roles at both private and public companies. Such companies crossing various industries include, Alliance Atlantis Communications, Shred-it International and Kognitiv Corporation all of which saw significant growth and M&A activity. He is a CPA, CA and holds a Bachelor of Commerce degree from the University of Toronto.

Ted Kail

Ted Kail

Chief Product Officer

Ted Kail is the Chief Product Officer at Cority and oversees the Product Management, Solution Marketing & Enablement functions that serve Cority’s customers throughout the globe. For the past 15 years Ted has led Product organizations at Start-Ups & Fortune 500 companies within the Higher Education, Federal & State Governments, and Healthcare Markets. Most recently Ted was the Chief Product Officer at Gordian, which is a Fortive Operating Company (FTV). In this role, he was responsible for determining the strategic direction of all products across Gordian’s product portfolio that included both SaaS and data product offerings.

Ted holds a Bachelor of Science in business as well as an Executive MBA from Northeastern University.

Daphne Reed

Daphne Reed

Senior Director, Security

Daphne Reed is the Senior Director Of Security at Cority Inc. With 20 years of experience in the technology field, Daphne has worked with organizations such as Infrastructure Ontario (Crown Agency), Loyalty One (Air Miles), and most recently worked with the tech start-up Vidyard for 8 years from its infancy to its current size in the enterprise market. Beginning with late mainframe technology in the 90s, she has witnessed the transformation and migration journey through to today’s Cloud systems, and the compliance and regulatory demands that have come with it. Daphne’s focus on process efficiency brings faster and smarter connections between otherwise disparate enterprise teams, always to foster and facilitate the human connection first.

Tjeerd Hendel-Blackford

Tjeerd Hendel-Blackford

VP of Sales

Tjeerd is an experienced Sales Leader covering the EMEA and APAC regions. He and his team work to build long-term strategic partnerships with new and existing customers to help them reach and exceed their EHS and ESG/Sustainability goals. Tjeerd has over two decades of experience in environment, health & safety, and quality (EHSQ). Having worked as both an EHS practitioner and a consultant he has helped dozens of companies to address their HSEQ challenges through the application of management best practice in combination with market-leading information and technology solutions.

Justin Dennis

Justin Dennis

VP of M&A Integrations

With over 20 years of experience in enterprise software solutions, Justin Dennis serves as the VP, M&A Integrations at Cority where he provides program governance on the complex integration of people, processes, and technologies of acquired companies. In 2020, Justin created the highly successful Cority Center of Excellence (CoE), which manages multiple strategic initiatives and digital transformations that support increasing company valuation. He is a visionary leader with a proven track record to enable an organizational culture of continuous competency improvement through cross-functional collaboration. Prior to joining Cority in 2017, Justin served as the VP, Information Technology and principal at RegAction. During his tenure he managed the company P&L, led product development, cloud strategy, IT security, platform integrations, and corporate expansion efforts. Justin’s deep domain expertise and passion for technology operations were cultivated during his time at BMC Software. He holds a BBA degree in both Management Information Systems and Marketing with a minor in Latin American Studies at University of Houston, C.T. Bauer College of Business.

Carrie Young​

Carrie Young

VP of Strategic Solutions

Carrie has spent her 25+ year career around EHSQ software solutions; first as a customer using software in the chemical industry, next as an implementation partner guiding customers through their software journey, and most recently within the software provider community developing market leading solutions. In each of these roles, she has led high performance teams and implemented strong organizational change techniques as the foundation for success. She brings a 360° view to her role as the VP of Strategic Solutions, helping customers identify and execute solutions that drive powerful change.

Carrie holds a Bachelors of Science degree in Chemical Engineering from the University of Kansas specializing in Environmental Studies, is trained as a Six Sigma Black Belt, and is a certified Project Management Professional from the Project Management Institute.

She formerly was the Vice President of Operational Excellence for a technology company, Waitr Holdings, the Vice President of Professional Services at Sphera, the Director of Professional Services at Rolls-Royce, as well as a process engineer at Vulcan Chemicals and an Environmental Consultant at Trinity Consulting.

DeAnn Poe

DeAnn Poe

VP of Marketing

DeAnn Poe is the VP of Marketing, overseeing the Growth Marketing, Brand and MarComm, and Business Development functions at Cority. She is a versatile marketer with over 20 years of experience serving in Marketing Leadership, Demand Gen and MarComm functions at software companies across a variety of verticals. With a proven track record for building efficient, data-driven marketing teams, she is passionate about proving marketing’s impact on the bottom line and empowering her teams to drive sustainable revenue for the organization. DeAnn holds a bachelor’s degree in Business Administration from California State University, San Marcos.

Anthony Palladino

Anthony Palladino

Multi-faceted Finance and Operations Executive possessing more than 15 years of management experience. I have achieved measurable success in P&L management, budgeting, human resource administration, treasury models and facility management. Significant experience in SaaS supply chain solutions, sourcing services and IT delivery. International finance experience managing operations in Europe and Asia.

Currently, Chief Financial Officer at Elemica, a leading cloud based software company headquartered in Wayne, PA that enables the world’s largest manufacturing companies to effectively manage their demand and supply chains.

Jesse Miller

Jesse Miller

VP of Sales

Jesse Miller is the leader of Customer Sales for Cority, working closely with our customer success and product management teams to support the adoption and use of our solutions. Jesse is an avid scuba diver and underwater photographer, which drives his passion to help our customers create a healthy and more sustainable future. Throughout his career he has held progressively senior leadership positions helping software companies scale by investing in the people and processes that lead to success. As a leader with Dexter and Chaney, Viewpoint, and Rhumbix, Jesse helped construction companies through a digital transformation of their business to create efficiency, and reduce risk. He was an integral part of the team at Viewpoint that grew the company from $25M to $200M in annual revenue, which resulted in an acquisition by Trimble Inc (TRMB). During Jesse’s 15 year sales career, he has helped software companies with numerous M&A activity, scaling, and organizational change. Jesse holds a Masters degree in Communication and Organizational Leadership from Gonzaga University, with minors in Applied Finance and Marketing.

Brad Totten

Brad Totten

VP of Sales

As Senior Sales Director, Brad is responsible for leading and developing a team of sales professionals focused on one thing: providing the best possible commercial experience to Cority’s prospective customers. A 25 year veteran of Enterprise Sales, Brad prides himself on leaving no stone unturned when it comes to our clients understanding of the entire sales process from the first point of contact to the launch of a successful program and beyond. Brad is passionate about the environment and helping organizations maintain safe and healthy workplaces and sustain the communities in which they operate. Outside of work, you can find Brad on the golf course or running along the Toronto Beaches and spending time outdoors with his wife and two children.

Rob Michayluk

Rob Michayluk

Sr Director, Cloud and Security

With over 25 years experience across multiple IT disciplines in a variety of industry verticals, Rob Michayluk serves as the VP, Cloud at Cority. In this role, he is responsible for Cloud Infrastructure, DevOps and the IT services that support the Cority Enterprise. Rob has held several senior leadership roles including Director, Technology at LoyaltyOne (AirMiles) and Managing Director, Digital Engineering at Bond Brand Loyalty building and operating the technology that enables the Scene+ loyalty program.

Ran Ding

Ran focuses on growth equity investments across a wide range of sectors including technology, business services, and consumer. Ran sits on the board of Avetta and Infutor, and he is actively involved with Norwest’s investments in ACL, Avetta, Cority, Infutor, Kendra Scott (recapitalized by Berkshire Partners), and The Rainmaker Group. Ran was previously involved with Norwest’s investments in 1010data (acquired by Advance), Rainmaker – Multifamily (acquired by RealPage), and The Retail Equation (acquired by Appriss).

Ran holds a bachelor of science degree in electrical and computer engineering from Cornell University. Ran is also a CFA charterholder.

Nicolaas Vlok

Nicolaas Vlok

Nicolaas Vlok is an Operating Partner at Thoma Bravo. He brings more than 20 years of experience leading high-growth, publicly traded, and PE-backed software and data businesses, by driving market expansion, revenue growth, product innovation, and operational excellence. As a transformational leader, he executed multiple growth strategies that transformed companies into clear market leaders, which included integrating multiple acquisitions accelerating growth. He holds board positions at ABC Fitness, Centrify, Cority, MailGun, and MeridianLink, all industry leading software companies. He is a former board member of Vision Solutions and Idaptive.

Nicolaas is also the President and CEO of MeridianLink, and the former President and CEO of Vision Solutions, which was a Thoma Bravo portfolio company, and subsequently sold to Clearlake Capital. Prior to Vision Solutions, he was the Co-Founder and CEO of IDION Technology Holdings, a publicly traded company on the JSE in South Africa.

Nicolaas was born and raised in South Africa, and studied Computer Engineering at the University of Pretoria. In 2000, he moved to the US to lead IDION’s growth in North America. He is married to the love of his life, and together they are raising their three sons in Southern California.

PRIOR EXPERIENCE
Vision Solutions, President and CEO
IDION Technology Holdings, Co-Founder and CEO
TST, Co-Founder and CEO

Matt LoSardo

Matt LoSardo is a Vice President at Thoma Bravo. Based in San Francisco, he joined the firm in 2016. Previously Matt worked in private equity at Harvest Partners and investment banking at Morgan Stanley. He holds a BS degree in Economics from Duke University.

Hudson Smith

Hudson Smith

Hudson Smith has been a Partner at Thoma Bravo since 2016. Based in San Francisco, he is responsible for finding and executing new deals and monitoring and growing the portfolio as an active board member for the firm’s Discover funds, which focus on investing in mid-sized and smaller software and technology companies. Prior to joining Thoma Bravo, he served as Managing Director of HGGC, where he led software and technology investments. Previously, he worked at Bain & Company in Dallas and Sidney and Lincoln International in Chicago. Hudson earned an MBA from the Kellogg School of Management at Northwestern University and a BS degree in Business Administration, magna cum laude, from Washington and Lee University.

Marlene da Costa

VP, Human Resources

Marlene da Costa is the VP, Human Resources, where she heads the People & Culture Function for Cority across Canada, US, UK, France, Germany and Australia. In her current role, Marlene and her team manage the Talent Acquisition, Talent Management, HR Business Partnering, Organizational Development, Leadership & Development, Compensation and Employee Engagement programs. Marlene brings a decade of international Human Resources experience especially in talent acquisition, talent management and employee engagement to the role. Prior to Cority, Marlene headed the HR function for a software company in the financial services space in downtown Toronto. Marlene holds two Masters in Industrial/Organizational Psychology from Middle Tennessee State University and Mumbai University. Marlene is also a Certified Human Resources Leader, certified through the Human Resources Professionals Association of Canada.

Lee Estepp

Lee Estepp

VP of Engineering

Lee Estepp is the Director of Engineering where he oversees the product development and integration of the technology vision at Cority. He joined in 2018 to head up engineering, operations, and support for Cority IQS. Lee continues to lead Cority’s Quality initiatives while also directing development for the Environmental, Chemical, and Ergonomics solutions. Prior to joining Cority, he served as Senior Director in PTC’s PLM division and has more than 20 years of global enterprise software experience. Lee holds Bachelor of Arts degrees in Physics and Computer Science at Bethel University in St. Paul, Minnesota.

 

Brian Chan

Brian Chan

VP of Engineering

Brian Chan is Cority’s Director, Software Engineering. Brian manages the core development operations, and he began his career at Cority in 2002 on the Helpdesk. Throughout the years, Brian has held progressive roles in the software engineering department including, Software Developer, Software Architect, Manager, Software Engineering. Brian is a graduate of the University of Toronto with a Bachelor of Science in Computer Science.

Simona Barcau

Simona Barcau

Vice President, Customer Success

Simona brings over 18 years of customer-focused experience, having had diverse leadership roles in Customer Success, Professional Services, Product Management, and Software Development that uniquely position her to understand the SaaS customer life cycle. Prior to Cority, Simona was SVP Customer Success at Varicent, after having served as the Offering Management Leader at IBM for the Varicent portfolio.

 

Amanda Smith

Amanda Smith

Executive Vice President, Product Strategy

Amanda Smith is Cority’s Executive Vice President, Product Strategy, where she brings over 15 years of experience in cloud-based software and human/computer interaction to oversee the creation, marketing, and support of targeted industry solutions. In her role, she focuses on helping to solve EHS&Q problems and providing valuable technology solutions to Cority customers. Amanda has a degree in Industrial & Operations Engineering from University of Michigan.

Adrian Williams

Adrian Williams

VP, Professional Services

Adrian Williams is the VP, Professional Services at Cority. He graduated in Computing from Staffordshire University before commencing his career implementing enterprise manufacturing execution systems globally. Having an extensive corporate IT background including time with Anglo American and Michelin, he has a passion for high quality service delivery. Adrian leads the Professional Services team’s functional consulting resources and actively involves himself in project governance duties. One of his key roles at Cority has been to gather post implementation lessons learned feedback to share with the wider business to ensure continuous improvement.

Atish Ghosh - CTO at Cority

Atish Ghosh

Chief Technology Officer

Ghosh brings over 20 years of experience in product engineering expertise in B2B cloud-based software, products, and services to Cority. Ghosh joins from Neustar, a leading global information services provider serving more than 8000 clients worldwide, including 60 of the Fortune 100, where he was Senior Vice President of Product Engineering and led the engineering and development organization for Neustar’s broad set of Marketing, Risk, Security, and Communications solutions. Prior to Neustar, Ghosh was Senior Vice President of Global Research and Development for Ellucian, where he led the research and development organization of over 800 employees responsible for the design, development, and release of Ellucian’s broad product portfolio that served over 2,500 higher education institutions globally. Previously, he held a number of senior leadership roles at Blue Yonder, a leading supply chain software provider. Ghosh holds a BS, MS, and Ph.D. in Electrical Engineering with minors in Computer Science and Mathematics from Clemson University.

Pablo Neiman

Pablo Neiman

Chief Customer Officer

As Chief Customer Officer, Pablo oversees the successful delivery of Cority’s solution to our client’s around the globe. Pablo brings a decade of experience delivering enterprise solutions to top-tier clients throughout North America, Europe and APAC. Prior to joining Cority in January 2018, Pablo was the VP of Strategic Planning at NexJ Systems. Pablo has also held various Professional Services roles and always maintained an excellent track record of delivering solutions and establishing strong relationships with clients. Pablo’s experience driving operational efficiencies and leading high performing teams will help Cority through its next stage of growth. Pablo has also held research and teaching positions at the University of Toronto in the Faculty of Mechanical and Industrial Engineering, the Advanced Microsystems and Nano Lab, at Queen’s University, and the Royal Military College. Pablo holds a B.Sc. in Electrical Engineering from Queen’s University, and both an M.A.Sc. and MBA from the University of Toronto.

Mark Wallace

Mark Wallace

CEO

Mark is CEO of Cority Software Inc., a Toronto-based, award-winning, global SaaS company. Under Mark’s leadership, Cority’s revenue has grown consistently at a compounded rate of 25%. The company has grown in employees from 29 when Mark started in 2003 to close to 400 employees today. It enjoys an industry-leading profit margin. In 2016, Cority raised capital with Norwest Venture Partners, Georgian Partners, and BMO; in 2019 Cority raised capital from software specialist Private Equity firm Thoma Bravo and with Norwest again stepping up as an investor. Mark was a finalist for the EY Entrepreneur of the Year Award in 2017 and 2018. Previously, Mark was Vice President, General Counsel & Corporate Secretary and a member of the executive management team of AT&T Canada Corp. Mark is a graduate of St. Francis Xavier University, where he recently completed 10 years on the Board of Governors, including four as Chair of the Board. He received his J.D. from the University of Victoria and is a member of the Law Society of Upper Canada. Mark is active in mentoring young entrepreneurs and has served on several other not for profit boards.