Data Protection Addendum

Last Updated: November 24, 2025

This Data Protection Addendum (“DPA”) forms part of and is incorporated by reference into the Agreement (defined below) between the Conduit entity that is a party to the Agreement (“Service Provider”) and the customer entity that is a party to the Agreement (“Customer”), each a “Party”, and collectively the “Parties.” Service Provider and Customer have agreed to the terms of this DPA. The terms of this DPA shall take effect as of the effective date of the Agreement.

NOW THEREFORE, in consideration of the mutual obligations and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:

1. Definitions. For purposes of this DPA:

a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this DPA, where “control” refers to direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

b. “Agreement” means the applicable subscription or services agreements between Service Provider and Customer pursuant to which Customer has purchased, subscribed to, or signed up to receive services from Service Provider, and any statements of work, exhibits, schedules, work orders, addenda or amendments thereto, as well as the applicable online Service Provider Terms of Use and any other agreement that incorporates this DPA by reference.

c. “Data Protection Laws” means all applicable laws and regulations in the United States and Canada relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and together with its regulations (“CCPA”), the Colorado Privacy Act and related regulations (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and other federal and state United States laws; and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec’s Act to Modernise Legislative Provisions As Regards the Protection of Personal Information (“Law 25”), and other federal and provincial Canadian laws, in each case to the extent applicable to Processing of Personal Data carried out pursuant to this DPA.

d. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to “consumer” as defined in Data Protection Laws.

e. “Personal Data” means “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by applicable Data Protection Laws, that Service Provider Processes in relation to the Agreement, for which unauthorized disclosure would trigger data breach notification obligations under applicable Data Protection Laws.

f. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

g. “Security Breach” means unauthorized or unlawful acquisition, destruction, loss, alteration, disclosure of, or access to, Personal Data that compromises the security, confidentiality, or integrity of such Personal Data or that otherwise gives rise to a notification obligation to individuals or regulators under applicable Data Protection Laws. For the avoidance of doubt, Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

h. “Services” means the services that Service Provider performs on behalf of Customer pursuant to the Agreement.

i. “Subprocessor” means any third party that Service Provider engages to Process Personal Data.

j. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”

2. Roles of the Parties; Scope and Purposes of Processing.

a. This DPA applies to all Personal Data that Service Provider Processes to provide Services to Customer pursuant to the Agreement.

b. To the extent that Customer is the Controller of Personal Data, Service Provider is its Processor. To the extent that Customer is a Processor of Personal Data, Service Provider is its Subprocessor.

c. Service Provider will Process Personal Data solely (i) in compliance with Data Protection Laws; (ii) on Customer’s behalf; and (iii) to provide the Services to Customer under the Agreement for the business purposes set forth in the Agreement and as set forth in this DPA, unless required otherwise to comply with Data Protection Laws (in which case, Service Provider shall provide prior notice to Customer of such legal requirement, unless such law prohibits this disclosure).

d. Customer retains the right to take reasonable and appropriate steps to (i) ensure that Service Provider Processes Personal Data in a manner consistent with Data Protection Laws, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data.

e. Customer is responsible for providing any notices, obtaining any consents or authorizations, and otherwise satisfying its own compliance obligations with respect to the Processing of Personal Data under this DPA. Customer will not instruct Service Provider to Process Personal Data in violation of Data Protection Laws or any third party’s legal, contractual, or other rights.

3. Personal Data Processing Requirements. Service Provider will:

a. Not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Service Provider, or for any purpose (including any commercial purpose) not set forth in this DPA or the Agreement.

b. Not “sell” or “share” any Personal Data, or use Personal Data for purposes of “targeted advertising,” as such terms are defined in Data Protection Laws.

c. Comply with any applicable restrictions under the CCPA on combining Personal Data with personal data that Service Provider receives from, or on behalf of, another person or persons, or that Service Provider collects from any interaction between it and any individual.

d. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

e. Provide Customer with reasonable assistance by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising Data Subjects’ rights as set forth in Data Protection Laws, taking into account the nature of the Processing.

f. Promptly notify Customer if Service Provider determines that it can no longer meet its obligations under Data Protection Laws or if it believes that Customer’s instructions violate Data Protection Laws, and Service Provider is not deemed to be in breach of this DPA if it declines to Process Personal Data in a way that Service Provider reasonably and in good faith believes would cause Service Provider to violate Data Protection Laws.

4. Data Security. Service Provider will implement reasonable and appropriate administrative, technical, physical, and organizational measures to protect Personal Data. Service Provider will provide the level of protection for Personal Data as is required under Data Protection Laws.

5. Security Breach. Service Provider will notify Customer of a Security Breach without undue delay, and in no event later than seventy-two (72) hours. Service Provider will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations. Customer acknowledges that Service Provider’s notification of a Security Breach is not an acknowledgement by Service Provider of its fault or liability.

6. Subprocessors.

a. Customer acknowledges and agrees that Service Provider may use Subprocessors to Process Personal Data on Service Provider’s behalf in accordance with this DPA and Data Protection Laws, including with regard to any applicable laws governing international data transfers and required safeguards thereto. Customer specifically authorizes Service Provider’s use of those Subprocessors already engaged by Service Provider as of the effective date of this Agreement. Service Provider shall make a current list of Subprocessors available to Customer upon written request. Service Provider will enter into a written agreement with each Subprocessor requiring it to comply with obligations at least as restrictive as those in this DPA.

b. Service Provider will provide Customer with reasonable notice (email or other electronic notice acceptable) of any new Subprocessor added to the list. Customer has fifteen (15) calendar days from the date of such notice to make an objection on reasonable grounds relating to the protection of the Personal Data, in which case Service Provider shall have the right to cure the objection through one of the following options (to be selected at Service Provider’s sole discretion): (i) Service Provider will cancel its plans to use the Subprocessor with regard to Personal Data or will offer an alternative to provide the Services without such Subprocessor; (ii) Service Provider will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Subprocessor with regard to Personal Data; or (iii) Service Provider may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Subprocessor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Services considering the reduced scope of the Services.

c. Objections to a Subprocessor shall be submitted to Service Provider by following the directions set forth in the notice. If none of the above options are reasonably available and the objection has not been resolved to the reasonable mutual satisfaction of the Parties within thirty (30) days after Service Provider’s receipt of Customer’s objection, Customer shall have the right to terminate the relevant Processing.  Service Provider may replace a Subprocessor if the reason for the change is beyond Service Provider’s reasonable control. In such instance, Service Provider shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to Section 6(b) above.

d. Customer acknowledges and agrees that, as part of providing the Services, Service Provider and its Subprocessors may Process Personal Data in jurisdictions other than Customer's jurisdiction. To the extent required by Data Protection Laws, Service Provider will provide Customer with advance written notice of any material changes to the legal basis or mechanisms used for international transfers of Personal Data. If required by Data Protection Laws, Customer may object to such changes within thirty (30) days of notice. Any change to Subprocessor locations shall be managed as part of a Subprocessor change, and Customer's sole right and remedy to object to any such transfer shall be to object to the new Subprocessor pursuant to the process set forth above.

7. Audits. Service Provider will make available to Customer all information necessary to demonstrate compliance with this DPA, and may satisfy this obligation by undergoing, and providing to Customer a report reflecting, an annual audit of Service Provider’s policies and technical and organizational measures by a qualified, independent auditor using an appropriate and accepted control standard or framework, such as a SOC-2, Type 2 Report. If Customer has a reasonable objection that the information provided is not sufficient to demonstrate Service Provider’s compliance with this DPA, Service Provider will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. The Parties agree that such audits and inspections will be conducted with at least fourteen (14) days’ prior written notice to Service Provider and not more than once in any 12 month period, unless required by a data protection authority or in connection with a Security Breach within Service Provider’s system or that of a Subprocessor that involves Personal Data. In no case will Customer have any right to access by any means whatsoever the information or personal data of a third party or that is otherwise subject to a confidentiality obligation owed to a third party; information or systems that would, in Service Provider’s discretion, compromise Service Provider’s security; or any trade secrets or proprietary business information.

8. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws, Service Provider will, at Customer’s written request, return to Customer and/or securely destroy all Personal Data.

9. Deidentified Information. Customer acknowledges and agrees that Service Provider may, as permitted by Data Protection Laws, and without limiting any data rights provisions set forth in each Agreement, collect, use and process aggregated, de-identified, and other non-identifiable data derived from the Services to improve its operations, enhance the features, functions, and performance of the Services, for benchmarking, reporting across Service Provider’s customer base, to develop industry reports, to develop general statements regarding the performance and capabilities of Service Provider’s products and services across Service Provider’s customer base, and to create new products and services offerings, provided such data is not Personal Data.  

10. Miscellaneous.

a. Notwithstanding anything to the contrary in any Agreement or this DPA, the liability of each Party under this DPA is subject to the exclusions and limitations of liability set out in the applicable Agreement.

b. Any claims against Service Provider under this DPA may only be brought by the Customer entity that is a party to the applicable Agreement against the Service Provider entity that is a party to the applicable Agreement.

c. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Agreement, and subject to the dispute resolution provisions, if any, set forth in the applicable Agreement, in each case unless required otherwise by Data Protection Laws.

11. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Service Provider or its Subprocessors Process Personal Data.