DATA PROCESSING ADDENDUM

Updated: August 10, 2025

1. Definitions

The terms "controller", "processor", and "supervisory authority" as used in this DPA will have the meanings ascribed to them in the applicable Data Protection Laws.

All other non-defined but capitalized terms shall have the meaning set forth in the Agreement or the applicable Data Protection Laws.

2. Processing of Company Personal Data

2.1 Vendor Responsibilities

Vendor shall:

2.2 Purpose of Processing

The subject matter and duration of Processing, nature and purpose of Processing, specific types of Company Personal Data that Vendor will Process, and categories of Data Subjects whose Company Personal Data will be Processed are set forth in Schedule 1 (Details of Processing of Company Personal Data). For purposes of this DPA, the parties agree that Company is a controller of Company Personal Data and Vendor is a processor of such data.

2.3 U.S. Data Protection Laws

For purposes of U.S. Data Protection Laws (including the CCPA), "controller" includes "business"; "processor" includes "service provider"; "Data Subject" includes "consumer"; and "Personal Data" includes "personal information." Vendor is a service provider and Company is a business.

2.4 Company Instructions

Company instructs Vendor to Process Company Personal Data: (a) in accordance with the Agreement and any applicable Supplement; (b) as otherwise necessary to provide the products and/or services to the Company; (c) as necessary to comply with applicable law or regulation; and (d) to comply with other reasonable written instructions provided by Company where such instructions are consistent with the terms of the Agreement. Company will ensure that its instructions for the Processing of Company Personal Data shall comply with the Data Protection Laws. As between the parties, Company shall have sole responsibility for the accuracy, quality, and legality of Company Personal Data and the means by which Company obtained the Company Personal Data.

2.5 Vendor's Compliance with Company Instructions

Vendor shall only Process Company Personal Data in accordance with Company's instructions and shall treat Company Personal Data as confidential information. If Vendor believes or becomes aware that any of Company's instructions conflict with any Data Protection Laws, Vendor shall inform Company within a reasonable timeframe. Vendor may Process Company Personal Data other than on the written instructions of Company if it is required under applicable law to which Vendor is subject. In this situation, Vendor shall inform Company of such requirement before Vendor Processes the Company Personal Data unless prohibited by applicable law.

2.6 CCPA Processing

To the extent Vendor's Processing of Personal Data is subject to the CCPA, Vendor certifies that it shall not: (a) retain, use, or disclose Company Personal Data other than as provided for in the Agreement, as needed to provide the products and/or services, to detect security incidents, to protect against fraudulent or illegal activity, to retain sub-processors in accordance with this DPA, or as otherwise permitted by the CCPA; or (b) sell or share Company Personal Data.

3. Sub-processors

3.1 Appointment of Sub-processors

Company acknowledges that Vendor may engage third-party sub-processors in connection with the provision of services and hereby provides general written authorization for Vendor's current sub-processors. Vendor will be responsible for the acts and omissions of its sub-processors. Vendor will impose contractual obligations on its sub-processors that are at least equivalent to those obligations imposed on Vendor under this DPA. Vendor shall make a list of sub-processors available to Company upon request, update Company when a new sub-processor is engaged, and honor objections to specific sub-processors where made. Company may object to any sub-processor by communicating such objection to Vendor within thirty (30) days of an update, and the parties will work in good faith to resolve the objection.

3.2 Sub-processor AI Use

Vendor shall not subcontract or engage third-party providers to perform AI-based processing activities involving Company Personal Data without prior written authorization from Company. Any authorized sub-processors must adhere strictly to the requirements of this Addendum.

3.3 Sub-processor Security

Where Vendor subcontracts its obligations, it shall do so only by way of a written agreement with the sub-processor which imposes contractual obligations that are at least equivalent to those obligations imposed on Vendor under this DPA. The parties agree that copies of the agreements with authorized sub-processors that must be provided pursuant to applicable Standard Contractual Clauses will be provided only upon written request by Company.

3.4 Liability

Where the sub-processor fails to fulfill its data protection obligations under such written agreement, Vendor shall remain fully liable to Company for the performance of the sub-processor's obligations under such agreement.

4. Security and Privacy Impact Assessments

4.1 Vendor Security

Vendor will implement, maintain and monitor a comprehensive written information security policy that contains appropriate administrative, technical and organizational safeguards to ensure the security and confidentiality of Company Personal Data and to prevent unauthorized or unlawful Processing of Company Personal Data and any loss, destruction of or damage to Company Personal Data ("Information Security Program"). The safeguards will be appropriate to the nature of the Company Personal Data Vendor Processes and will meet or exceed prevailing industry standards. Vendor will maintain the ability to restore the availability and access to Company Personal Data in a timely manner in the event of a physical or technical incident.

4.2 Security Testing

Vendor will regularly test, assess, and evaluate the effectiveness of the Information Security Program for ensuring the secure Processing of Company Personal Data. Vendor will provide Company upon request with the results of all tests and any other audit, review or examination relating to its Information Security Program and take appropriate steps to protect against identified risks. Vendor will comply with its Information Security Program and represents and warrants that its Information Security Program is and will be in compliance with all applicable law. Vendor will deliver separate certifications of such compliance upon Company's reasonable request.

4.3 Vendor Personnel

Vendor shall ensure that its personnel engaged in the Processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, have received appropriate training on their responsibilities, and are subject to obligations of confidentiality, with such obligations surviving the termination of that individual's engagement with Vendor.

4.4 Vendor Assistance

Vendor will take reasonable measures to cooperate and assist Company in conducting any required impact assessment and related consultations with any supervisory authority if Company is required to do so under Data Protection Laws.

5. Data Subject Rights

5.1 Assistance with Company Obligations

To the extent Company, in its use or receipt of the products and/or services, does not have the ability to correct, amend, restrict, block or delete Company Personal Data as required by Data Protection Laws, Vendor shall promptly comply with reasonable requests by Company to facilitate such actions to the extent Vendor is able to do so.

5.2 Notification Obligations

Vendor shall promptly notify Company if it receives a request from a Data Subject for access to, correction, amendment, deletion of, or objection to the Processing of Company Personal Data relating to such individual. Vendor shall not respond to any such Data Subject request relating to Company Personal Data without Company's prior written consent except to confirm that the request relates to Company. Furthermore, Vendor shall, to the extent legally permitted, promptly notify Company if it receives a request for disclosure of or correspondence, notice or other communication relating to Company Personal Data from law enforcement, a competent authority, or a relevant data protection authority. Vendor shall provide Company with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request.

6. Personal Data Breach

6.1 Notification Obligations

In the event Vendor has actual or constructive notice of any actual or potential Security Breach, Vendor will take any necessary action to stop the active breach or similar recurring breaches and immediately (and in any event within forty-eight (48) hours):

Such notification shall at a minimum:

• describe the nature of the Security Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
• communicate the name and contact details of Vendor's data protection officer or other relevant contact from whom more information may be obtained;
• describe the likely consequences of the Security Breach; and
• describe the measures taken or proposed to be taken to address the Security Breach.

6.2 Breach Notification Control

In the event of a Security Breach, Company has the right to control the breach notification process, unless applicable law dictates otherwise.

6.3 Breach Costs

In the event of a Security Breach, Vendor will be liable for any costs and expenses incurred by Company in connection with the Security Breach, including:

• (i) the cost of preparing and delivering notices to affected individuals;
• (ii) the cost of providing credit monitoring services or other credits or benefits extended to affected Data Subjects;
• (iii) reasonable attorneys' fees associated with investigation, remediation and response;
• (iv) liability to third parties that Company incurs in connection with the Security Breach (such as amounts paid or for which Company is liable to third parties in tort or arising out of contracts); and
• (v) labor and subcontractor costs, including employee time spent and additional costs incurred in connection with call center support.

7. Deletion or Return of Company Personal Data

7.1 Data Deletion

Subject to section 7.3, Vendor shall promptly and in any event within thirty (30) days of the date of cessation of any services involving the Processing of Company Personal Data (the "Cessation Date"), securely Delete all copies of any and all Company Personal Data from Vendor's data stores and ensure the Deletion of any and all Company Personal Data from the data stores of any sub-processors Vendor has utilized. For clarification, "Delete" means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed.

7.2 Data Return

Company may in its absolute discretion by written notice to Vendor within ten (10) business days of the Cessation Date require Vendor to provide a complete copy of any and all Company Personal Data from Vendor's data stores, to be provided to Company by secure file transfer in such format as is reasonably requested by Company. Such a request may include procurement of a complete copy of Company Personal Data from Vendor sub-processors.

7.3 Records

Vendor may retain Company Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Vendor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

7.4 Certification

Vendor shall provide written certification to Company that it has fully complied with this Section 7 within thirty (30) days of the Cessation Date.

8. Audit Rights

8.1 Audit Rights

Taking into account the nature of the Processing and the information available to Vendor, Vendor will provide adequate reasonable cooperation and assistance to Company regarding Vendor's compliance obligations described in Articles 32-36 of the GDPR. Vendor shall make available to Company on reasonable request all information necessary to demonstrate compliance with this DPA and Data Protection Laws, and shall allow for and contribute to audits, including inspections, by Company or an auditor agreed to by the parties in relation to the Processing of the Company Personal Data. This provision serves to meet audit requirements pursuant to Article 28, Section 3(h) of the GDPR or any equivalent provision of applicable Data Protection Law.

8.2 Compliance Assistance

Vendor will:

• (i) cooperate with any such audit;
• (ii) grant Company and its representatives full and complete access, during normal business hours, to Vendor's facilities, networks and systems and to all books, records, procedures and information that relate to Vendor's procedures regarding Company Personal Data and Vendor's performance under this DPA;
• (iii) address, at Vendor's cost, any shortcomings identified in the audit by implementing industry best practices; and
• (iv) certify in writing to Company that it has corrected all such shortcomings within thirty (30) days of receiving notice of the audit results.

Company will bear the costs of such an audit, unless the audit reveals material vulnerabilities, in which case Vendor will cover the costs of the audit.

9. Data Transfers

9.1 Compliance with Laws

Vendor will not transfer, or cause to be transferred, any Company Personal Data from one jurisdiction to another unless in accordance with all applicable Data Protection Laws and will not cause Company to be in breach of any Data Protection Law.

9.2 EU Standard Contractual Clauses

To the extent, and only to the extent, Vendor Processes Company Personal Data from the European Economic Area and SCCs are required, Module Two of the EU SCCs shall apply and are hereby incorporated with the following specifics:

• For purposes of the EU SCCs, Company is the "data exporter" and Vendor is the "data importer";
• Clause 7, the optional docking clause will apply;
• Clause 9, Option 2 will apply and the period for prior notice will be thirty (30) days;
• Clause 11, the optional language will not apply;
• Clause 13, the supervisory authority with responsibility for ensuring compliance shall be the supervisory authority of Ireland;
• Clause 17, Option 1 will apply and the EU SCCs will be governed by Irish law;
• Clause 18(b), disputes shall be resolved by the courts of Ireland;
• Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and
• Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 of this DPA.

9.3 UK Addendum to the EU Standard Contractual Clauses

To the extent, and only to the extent, Vendor Processes Company Personal Data from the United Kingdom and SCCs are required, the UK Addendum to the EU SCCs will apply and is hereby incorporated.

• The EU SCCs shall be deemed amended as specified by Part 2 of the UK Amendment;
• Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Schedules 1 and 2 of this DPA (as applicable); and
• Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "Importer" and "Exporter."

9.4 Swiss FADP

To the extent, and only to the extent, Vendor Processes Company Personal Data from Switzerland, the following additional requirements shall apply to the extent the data transfers are exclusively subject to the FADP or are subject to both the FADP and the EU GDPR:

• (a) the term "member state" must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs;
• (b) insofar as the data transfers underlying the SCCs are exclusively subject to the FADP, references to the EU GDPR are to be understood as references to the FADP;
• (c) insofar as the data transfers underlying the SCCs are subject to both the FADP and the EU GDPR, the references to the EU GDPR are to be understood as references to the FADP insofar as the data transfers are subject to the FADP;
• (d) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland" for transfers from Switzerland;
• (e) Clause 17, the EU SCCs shall be governed by the laws of Switzerland; and
• (f) Clause 18(b), disputes shall be resolved before the applicable courts of Switzerland.

9.5 CCPA and CPRA

To the extent the Processing of Personal Data is subject to CCPA and CPRA:

• Company is a "business" and Vendor is a "service provider," each as defined under the CCPA and CPRA;
• Vendor shall not: (i) retain, use, disclose or otherwise Process Personal Data other than as provided for in the Agreement or as needed to perform the Services or as otherwise required or permitted by applicable law; (ii) "sell" or "share" Personal Data, as defined under the CCPA and CPRA; and (iii) Process Personal Data in any manner outside of the direct business relationship between Company and Vendor;
• Company shall only disclose Personal Data in connection with the Agreement for the limited and specified purposes of receiving the products and/or services; and
• Each party certifies that it understands the requirements under the CCPA and CPRA.

9.6 Sub-processors

To the extent, and only to the extent, Standard Contractual Clauses or Model Contractual Clauses are required under the applicable Data Protection Law, Vendor shall ensure the required clauses apply to its sub-processors.

9.7 Other Standard Contractual Clauses or Model Contractual Clauses

To the extent, and only to the extent, there is a transfer of Company Personal Data other than those discussed above that requires country-specific SCCs or Model Contractual Clauses under the applicable Data Protection Laws, the parties agree that the appropriate required country-specific SCCs or Model Contractual Clauses are hereby automatically incorporated by reference and form an integral part of this DPA.

9.8 Additional Safeguards

Vendor represents and warrants that:

• As of the date of this DPA, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. §1881a ("FISA Section 702");
• No court has found Vendor to be the type of entity eligible to receive process issued under FISA Section 702: (i) an "electronic communication service provider" within the meaning of 50 U.S.C §1881(b)(4) or (ii) a member of any of the categories of entities described within that definition;
• Vendor is not the type of provider that is eligible to be subject to upstream collection ("bulk" collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems ("Schrems II");
• Vendor will never comply with any request under FISA Section 702 for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific "targeted selector" (an identifier that is unique to the targeted endpoint of communications subject to the surveillance);
• Vendor will use all reasonably available legal mechanisms to challenge any demands for data access through the national security process it receives as well as any non-disclosure provisions attached thereto;
• Vendor will take no action pursuant to U.S. Executive Order 12333; and
• Vendor will promptly notify Company if Vendor can no longer comply with the applicable SCCs or the clauses in this Section and such notice will entitle Company to terminate the Agreement (or, at Company's option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder without prejudice to Company's other rights and remedies with respect to a breach of the Agreement.

9.9 Transfer Precedence

In the event that services are covered by more than one transfer mechanism, the transfer of Company's Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (i) Vendor's Data Privacy Framework certification (if applicable); (ii) Vendor's Binding Corporate Rules (if applicable); (iii) Standard Contractual Clauses or Model Contractual Clauses (where required by applicable Data Protection Law).

10. Liability and Indemnification

10.1 Indemnification

Vendor will indemnify, defend, and hold harmless Company and its parent, subsidiaries, affiliates, agents and suppliers, and their respective officers, directors, shareholders and personnel, from and against any claims, suits, hearings, actions, damages, liabilities, fines, penalties, costs, losses, judgments or expenses (including reasonable attorneys' fees) arising out of or relating to Vendor's failure to comply with this DPA.

10.2 Liability

If Vendor can no longer meet its obligations under this DPA, it will immediately notify Company. Vendor will take reasonable and appropriate steps to stop and remediate, and will cooperate with Company's reasonable requests regarding, any unauthorized Processing of Company Personal Data by Vendor. A breach of any provision of this DPA may result in irreparable harm to Company, for which monetary damages may not provide a sufficient remedy, and therefore, Company may seek both monetary damages and equitable relief. Monetary damages for breach of the obligations in this DPA are not subject to any limitation of liability provision in the Agreement. In the event Vendor breaches any of its obligations under this DPA, Company will have the right to terminate the Agreement, or suspend Vendor's continued Processing of any Company Personal Data, without penalty immediately upon notice to Vendor.

11. Term and Termination

11.1 Term of DPA

This DPA will take effect on the date on which it is fully executed and, notwithstanding expiry of the term of any purchased subscription, remain in effect until, and automatically expire upon, deletion of all Company Personal Data as described in this DPA.

12. General Terms

12.1 Governing Law and Jurisdiction

This DPA will be reviewed as appropriate under the circumstances.

Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:

• the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination; and
• this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws specified in the Agreement.