Data Processing Addendum

This Data Processing Addendum (together with the Exhibit, Attachment and Appendices, the “Addendum” or “DPA”) forms part of the Agreement, including all attachments, exhibits, and appendices (“Agreement”) entered into between Customer, as defined in the Agreement into which this DPA has been incorporated, and Exterro, Inc. (“Exterro” or “Service Provider”). This Addendum reflects the Parties’ agreement with regard to Service Provider’s Processing of Personal Data (defined below) in connection with providing the Services described in the Agreement. In the event of a conflict, the terms and conditions of this Addendum will prevail. Capitalized terms shall have the meaning given them in the Agreement, in this DPA, and in the Data Protection Laws, as applicable.

Customer and Service Provider agree as follows:

  1. DEFINITIONS. The following terms, including any derivatives thereof, will have the meanings set forth below.  
    1. “Data Protection Laws” means any laws that apply to the Processing of data by Service Provider under the Agreement. This includes laws, regulations, guidelines, requirements, and government issued rules in the U.S. and other jurisdictions, at the international, country, state/provincial, or local levels, currently in effect and as they become effective, including without limitation EU Directive 95/46/EC, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK Data Protection Act, 2018, and any applicable data security and/or privacy laws of other jurisdictions, including but not limited to the United States.
    2. “Data Subject” means any living identified or identifiable natural person to which Personal Data relates or identifies.
    3. “Data Subject Request” means a request to access, correct, amend, transfer, rectify, restrict, limit use, opt out of sale or sharing or other processing, or delete a Data Subject’s Personal Data consistent with that person’s rights under Data Protection Laws.
    4. “De-Identified Data” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, provided that the business that possesses the information:
      1. Takes reasonable measures to ensure that the information cannot be associated with a Data Subject or household;
      2. Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this definition; and
      3. Contractually obligates any recipients of the information to comply with all of the requirements of this definition.
    5. “Personal Data” or “Personal Information” means Customer information Processed by Service Provider under the Agreement that is linked, reasonably linkable, or relates to an identified or identifiable natural person.  Both Personal Data and Personal Information are referred to in this Addendum as “Personal Data.”
    6. “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, sale, analysis, alignment or combination, restriction, erasure or destruction.
    7. “Pseudonymous Data” means Personal Data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the Personal Data is not attributed to an identified or identifiable individual.
    8. “Security Incident” means any confirmed accidental, unauthorized, unintended, or unlawful processing, access to, exfiltration, theft, disclosure, destruction, loss, alteration, compromise, and/or malicious infection of Customer Personal Data transferred, transmitted, stored, or otherwise Processed by Service Provider or any of its Subprocessors or third parties that Process Personal Data on Service Provider’s behalf.
    9. “Sell” has the meaning as set forth in the Data Protection Laws.
    10. “Sensitive Personal Information” shall have the meaning(s) provided in the Data Protection Laws.  
    11. “Service Provider” means Exterro, Inc., including its affiliates and subsidiaries.
    12. “Services” will have the same meaning provided under the Agreement.
    13. “Share” has the meaning as set forth in the Data Protection Laws.
    14. “Standard Contractual Clauses” means the agreement executed by and between Customer and Service Provider and attached hereto as Exhibit B pursuant to the European Commission’s decision ((EU) 2021/914) of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
    15. “Subprocessor” means a subcontractor engaged by Service Provider or its affiliates to Process Customer Personal Data as part of the performance of the Services.
    16. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, attached hereto as Exhibit C.

  2. PROCESSING OF PERSONAL DATA
    1. Processing of Personal Data.  Service Provider will only Process (including but not limited to Sale, Sharing, or Disclosure) Customer Personal Data for the purposes of providing the Services specified in the Agreement and only in accordance with Customer’s documented instructions, which may be specific instructions or standing instructions of general application in relation to the performance of Service Provider’s obligations under this DPA,  unless otherwise required under Data Protection Laws to which Service Provider is subject, in which case Service Provider shall notify Customer prior to such Processing unless prohibited by law.
      1. Service Provider shall be responsible for its compliance with Data Protection Laws and Customer’s instructions when Processing Personal Data. Service Provider will inform Customer immediately if, in its opinion, an instruction does not comply with Data Protection Laws.
      2. Customer instructs Service Provider to Process Personal Data to perform the Services and as described in this DPA and the Agreement.
      3. Service Provider will not Sell or Share Customer Personal Data, nor will it retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purpose of performing the Services specified in the Agreement.  Service Provider will not Process Customer Personal Data outside the direct business relationship between Customer and Service Provider, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Services specified in the Agreement or as required by law.
      4. Service Provider shall not aggregate, anonymize, or otherwise deidentify Personal Data without the prior written authorization of Customer except as needed to perform the Services.
      5. The details of the Processing of Personal Data pursuant to the Agreement are set forth in Exhibit A to this DPA.  
      6. Service Provider shall not combine Customer Personal Data received from Customer with any other information Service Provider receives from or on behalf of another person or business or which it collects from its own interactions with Data Subjects.
      7. Service Provider shall Process Personal Data under the Agreement in compliance with Data Protection Laws, including providing the same level of privacy protection required by Data Protection Laws.  Service Provider will notify Customer if Service Provider determines it or its Subprocessor(s) cannot meet its obligations under the Data Protection Laws, in which case Customer may, upon thirty (30) days’ notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Data.
    2. Data Subject Requests.  Service Provider shall inform Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws.   Service Provider will provide such assistance, including taking any appropriate technical and organizational measures, as Customer requests to help Customer fulfill its obligations under Data Protection Laws to respond to Data Subject Requests.  Notwithstanding its obligations under this Section, Service Provider is not obligated to respond to a Data Subject Request directly from a Data Subject and does not otherwise assume any liability or responsibility for responding to Data Subject Requests.
      1. Responding to Requests.  Unless expressly authorized by Customer, Service Provider shall not respond to any Data Subject Request.
      2. Requests to Delete.  Unless it is permitted to retain Personal Data under the Data Protection Laws, Service Provider will comply with Customer’s direction to delete any Personal Data Processed under the Agreement, and shall notify any Subprocessors of such direction as applicable.  Service Provider shall not be required to delete any of the Personal Data to comply with a Data Subject’s request directed by Customer if it is necessary to maintain such information in accordance with applicable law, in which case Service Provider shall promptly inform Customer of the exceptions relied upon under applicable law and Service Provider shall not use the Personal Data retained for any other purpose than provided for by that exception.
      3. Requests to Restrict Processing of Sensitive Personal Information.  Service Provider will assist Customer in complying with a Data Subject's request to limit the use and disclosure of Sensitive Personal Information and, after it has received instructions from Customer and to the extent it has actual knowledge that the Personal Data is Sensitive Personal Information, will not use the Sensitive Personal Information for any other purpose.
    3. Regulator Requests. Both Parties will assist the other in communicating and cooperating with any regulators relating to Personal Data.
      1. Service Provider shall notify Customer of all enquiries from a regulator that Service Provider receives which relate to the Processing of Personal Data under the Agreement, the provision or receipt of the Services, or either Party's obligations under the Agreement, unless prohibited from doing so at law or by the regulator.
      2. Unless a regulator requests in writing to engage directly with Service Provider, the Parties (acting reasonably and taking into account the subject matter of the request) agree that Customer shall be responsible for handling all regulator requests. Customer shall: (a) be responsible for all communications or correspondence with the regulator in relation to the Processing of Personal Data and the provision or receipt of the Services, and (b) keep Service Provider informed of such communications or correspondence to the extent permitted by law. At Customer’s expense, Service Provider shall provide such assistance as Customer may request in relation to such a regulator request.  
    4. Deletion and Return of Personal Data. Upon termination of the Agreement or Customer’s request, Service Provider will, at Customer’s option: either (a) return all Personal Data to Customer, or (b) securely destroy all Personal Data.  Upon Customer's request, Service Provider will provide a signed certification that Personal Data has been returned and, if applicable, securely destroyed, unless retention is required by law. If required to retain Personal Data by law, then Service Provider will provide written notice of such to Customer and store the data solely on encrypted backup or archive locations and continue to safeguard such data in accordance with this DPA.
    5. Disclosure.
      1. Service Provider shall not disclose Customer Personal Data to any third parties without Customer’s prior consent, except as required by law or permitted by the Agreement.
      2. Service Provider shall inform its personnel engaged in the Processing of Customer Personal Data of the confidential nature of the Customer Personal Data and ensure that they are subject to binding confidentiality obligations.
      3. If Customer Personal Data is being provided to a third party in response to a subpoena or other discovery request, to the extent permitted by applicable law, Service Provider will provide Customer with notice of the subpoena or discovery request prior to disclosing the Customer Personal Data so that Customer may, at its expense, object to the subpoena or discovery request, or seek an appropriate protective order.
    6. Access.  Subject to the terms of this DPA, Service Provider will limit access to Personal Data to only its employees, Subprocessors, and other third parties who require access as part of providing the Services.
    7. Confidentiality. Service Provider agrees to treat all Personal Data as confidential and will inform all individuals with authorized access to Personal Data of the confidential nature of such information. Service Provider will ensure that all employees are subject to binding confidentiality obligations.
    8. Data Protection Impact Assessments and Prior Consultation.  Service Provider agrees to provide all reasonable assistance to Customer in completing any data protection impact assessments and/or consultations with government authorities pursuant to Data Protection Laws.  
    9. De-identified Data. Service Provider shall be responsible for its compliance with all laws regarding data that cannot reasonably identify, be related to, describe, be capable of being associated with or be linked directly or indirectly to a Data Subject.  
      1. To the extent Service Provider Processes De-Identified Data under the Agreement, Service Provider:
        1. Will not attempt to associate De-Identified Data with an individual;
        2. Will not attempt to re-identify De-Identified Data;
        3. Will maintain and use De-Identified Data only in a de-identified fashion; and
        4. Will not use De-Identified Data to infer information about, or otherwise link to, an identified or identifiable individual or a device linked to such an individual.
    10. Pseudonymous Data.  To the extent Service Provider Processes Pseudonymous Data under the Agreement, Service Provider will not attribute or attempt to attribute Pseudonymous Data to an identified or identifiable individual.  Service Provider will ensure that any information necessary to identify the Data Subject is:
      1. Kept separately from Pseudonymous Data; and
      2. Subject to effective technical and organizational controls that prevent access to such information.

  3. AUDITS.  Customer may audit Service Provider’s compliance with its obligations under this DPA and the Data Protection Laws, and will cooperate in a data protection impact assessment (together, “Audit”) as required by Data Protection Laws, subject to the following requirements:
    1. Customer may audit Service Provider’s compliance with its obligations under this DPA and Data Protection Laws, including but not limited to ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing at least once every 12 months.
    2. Service Provider will inform Customer if, in its opinion, any of Customer’s instructions relating to the Audit violate applicable Data Protection Laws.
    3. Customer may perform such Audits not more than once per year or more frequently if required by Data Protection Laws applicable to Customer.
    4. Customer may use a third party to perform the Audit on its behalf, provided the third party is a qualified auditor and executes a confidentiality agreement acceptable to Service Provider before the Audit.
    5. Audits must be conducted off premises during regular business hours, subject to Service Provider policies, and may not unreasonably interfere with Service Provider business activities.
    6. Customer must provide Service Provider with any Audit reports or findings generated in connection with any Audit at no charge, unless prohibited by law. Customer may use the Audit reports only for the purposes of meeting its Audit requirements under Data Protection Laws and/or monitoring and confirming compliance with the requirements of this DPA.  The Audit reports shall constitute Confidential Information of the Parties under the Agreement.
    7. Nothing in this Section 3 shall require Service Provider to breach any duties of confidentiality owed to any of its customers or employees.
    8. Under the following circumstances, Customer agrees to accept the findings of an existing Audit report in lieu of requesting an Audit of the controls covered by that report: (a) the requested Audit scope is addressed in a similar Audit report performed by a qualified third-party auditor for Service Provider within twelve (12) months of Customer’s request, (b) if permitted by the Data Protection Laws, and (c) Service Provider confirms there are no known material changes in the controls audited. All Audits are at Customer’s sole cost and expense.  Any request for Audit assistance requiring the use of resources different from or in addition to those required for provision of the Services will be considered an additional Service for which reasonable additional fees may be charged. Service Provider reserves the right to require Customer’s written agreement to pay for such fees before providing such Audit assistance.
    9. Information and Audit rights of the Customer only arise under this Section 3 to the extent that the Agreement does not otherwise give the Customer information and Audit rights meeting the relevant requirements of Data Protection Law.

  4. SECURITY MEASURES.  Subject to the obligations of Customer under the Agreement:
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Service Provider and each Service Provider Affiliate shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
    2. In assessing the appropriate level of security, Service Provider shall take account in particular of the risks that are presented by Processing, including without limitation the risks of a Security Incident.
    3. Service Provider shall notify Customer without undue delay after becoming aware of a Security Incident and shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of a Security Incident.

  5. SUBPROCESSORS
    1. Customer authorizes Service Provider and each Service Provider Affiliate to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the Agreement and applicable Data Protection Laws including the Standard Contractual Clauses and UK Addendum, if applicable.
    2. Service Provider and each Service Provider Affiliate may continue to use those Subprocessors already engaged by Service Provider or any Service Provider Affiliate as of the date of this DPA, subject to Service Provider and each Service Provider Affiliate in each case as soon as practicable meeting the obligations set out in Section 5.3. Service Provider shall give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor, and Customer must inform Service Provider of any objection to such new Subprocessor within seven (7) days of such notice.
    3. Service Provider will ensure that any Subprocessor that has access to Customer Personal Data enters into a written agreement obligating the Subprocessor to comply with terms that are at least as restrictive as those required under Data Protection Laws.  
    4. Service Provider shall remain fully liable to Customer for the performance of its Subprocessors’ obligations and shall be responsible to Customer for its Subprocessors’ Processing of Personal Data.

  6. DATA TRANSFERS
    1. Cross-border Transfers.  Customer is solely responsible for ensuring that any authorized transfer of Customer Personal Data across national borders made by Service Provider at the Customer’s direction complies with all laws, including, but not limited to, any cross-border data transfer requirements or prohibitions. Service Provider will not transfer data outside the European Economic Area (“EEA”) without the consent of Customer.
    2. The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Customer to Exterro is a Restricted Transfer, then the appropriate standard contractual clauses and additional safeguards shall apply as follows:
      1. EU Transfers: in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows: (i) Module Two will apply where Customer is a Controller; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 5.2 of this DPA; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 2 will apply, and if the data exporter’s Member State does not allow for third-party beneficiary rights, then the law of Ireland shall apply; (vi) in Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing the Agreement between the parties or, if that jurisdiction is not an EU Member State, then the courts in Dublin, Ireland. In any event, Clause 17 and 18 (b) shall be consistent in that the choice of forum and jurisdiction shall fall on the country of the governing law; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and (viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA.
      2. UK Transfers: in relation to Personal Data that is protected by the UK GDPR, the EU SCCs, completed as set out above in clause 6.2.1 of this DPA, shall apply to transfers of such Personal Data, except that: (i) The EU SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between the transferring Customer and Exterro; (ii) Any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum; (iii) For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this DPA; and (iv) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”
      3. Swiss Transfers: in relation to Personal Data that is protected by the Swiss FADP (as amended or replaced), the EU SCCs, completed as set out above in clause 6.2.1 of this DPA, shall apply to transfers of such Personal Data, except that: (i) the competent supervisory authority in respect of such Personal Data shall be the Swiss Federal Data Protection and Information Commissioner; (ii) in Clause 17, the governing law shall be the laws of Switzerland; (iii) references to “Member State(s)” in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and (iv) references to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the EU SCCs shall be understood to be references to the Swiss FADP (as amended or replaced).
      4. The following terms shall apply to the EU SCCs (including as they may be amended under clauses 6.2.2 and 6.2.3 above): (i) Customer may exercise its right of audit under the EU SCCs as set out in, and subject to the requirements of, Section 3 of this DPA; and (ii) Exterro may appoint sub-processors as set out in, and subject to the requirements of, Sections 5 and 6.3 of this DPA, and Customer may exercise its right to object to sub-Processors under the EU SCCs in the manner set out in Section 5.2 of this DPA.
      5. In the event that any provision of this DPA contradicts, directly or indirectly, the EU SCCs (and the UK Addendum, as appropriate), the latter shall prevail.
    3. In respect of Restricted Transfers made to Exterro under clause 6.2, Exterro shall not participate in (nor permit any sub-processor to participate in) any further Restricted Transfers of Personal Data (whether as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in full compliance with Applicable Data Protection Laws and, if applicable, any EU SCCs and/or UK Addendum implemented between Customer and Exterro.

  7. ADDITIONAL COMPLIANCE PROVISIONS
    1. The Parties each represent and warrant to each other that they have read and understand the requirements of all applicable Data Protection Laws, and will be responsible for their own compliance with them.
      1. Service Provider shall not have any liability to Customer to the extent the basis of liability arises from failure by Customer to obtain any necessary consents to collect, use, transfer, or otherwise Process Personal Data, or failure by Customer to fully comply with the Agreement, this DPA, or applicable Data Protection Laws.
      2. Customer represents and warrants that, if required, it has provided notice that the Personal Data is being Processed consistent with the Data Protection Laws.
      3. Each Party agrees that it is responsible for its own compliance with the requirements of the GDPR and other applicable Data Protection Laws and agrees to indemnify, defend, and hold harmless the other Party from and against any claims, demands, losses, liabilities, fines, penalties, costs, and expenses arising out of or relating to its own acts and omissions that do not comply with the Data Protection Laws.  This duty to indemnify, defend, and hold harmless includes fines that may be imposed by a governing authority and any and all reasonable attorneys’ fees and court costs.
      4. The Parties agree that where Service Provider processes Personal Data, it functions as a Service Provider and a Processor under the Data Protection Laws.
      5. The disclosure of Customer Personal Data to Service Provider does not constitute a Sale or Sharing under the Data Protection Laws. Notwithstanding anything in the Agreement, the Parties acknowledge and agree that Customer’s provision of access to Personal Data is not part of and is explicitly excluded from the exchange of consideration or any other thing of value between the Parties.

  8. GENERAL
    1. Certification.  By signing this DPA, Service Provider certifies that it understands the restrictions herein and will comply with them.
    2. Liability.  Each Party’s liability under or in connection with this DPA is subject to the limitations on liability contained in the Agreement, to the extent permitted by law.
    3. No Restriction.  The obligations contained in this DPA, including the Exhibits, Attachments, and Appendices, shall not restrict Service Provider in its rights and/or obligations to: (a) comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information or legal holds, or (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.