Common use of Cross-Border Transfers Clause in Contracts

Cross-Border Transfers. 6.1 Customer acknowledges and agrees that Mimecast may, in the course of providing the Services, Process (or permit any Affiliate or Third-Party Subcontractor to Process) Customer’s Personal Data in one or more Third Countries, provided that such Processing takes place in accordance with the requirements of Applicable Law. In such case, Mimecast shall, comply with (or procure that any Affiliate or Third-Party Subcontractor comply with) the data importer obligations in the applicable Standard Contractual Clauses. Customer hereby grants Mimecast a mandate to enter into the Standard Contractual Clauses with a Third-Party Subcontractor or Affiliate it appoints. 6.2 If, in fulfilling its obligations under the Agreement or pursuant to other lawful instructions from Customer, Personal Data is to be transferred from the European Economic Area and/or Switzerland to any country that has not been recognized by the European Commission as providing an adequate level of protection for Personal Data, the parties agree to enter into and abide by the EU Standard Contractual Clauses, which are incorporated into this DPA as follows: (i) Customer is the Data Exporter and Mimecast is the Data Importer; (ii) Clause 7, the "Docking Clause (Optional)", shall be deemed incorporated; (iii) In Clause 9, the parties choose Option 2, 'General Written Authorisation', with a time period of 20 days; (iv) the optional wording in Clause 11 shall be deemed not incorporated; (v) In Clause 17, the Data Exporter and Data Importer agree that the EU Standard Contractual Clauses shall be governed by the laws of the Germany, and choose Option 1 to this effect; (vi) In Clause 18, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Germany; (vii) Completed Annexes I, II and III of the EU Standard Contractual Clauses are included in Schedule 1-3 herein; and (viii) Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without the Standard Contractual Clauses actually being signed by the parties, the parties agree that the execution of this DPA is deemed to constitute its execution of the Standard Contractual Clauses on behalf of the Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly. (ix) The parties agree that the Standard Contractual Clauses shall cease to apply to the Processing of Personal Data if and to the extent that the relevant transfer of Personal Data ceases to be a “restricted transfer” by the relevant Regulator. (x) The provisions in this DPA shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA. 6.3 If, in fulfilling its obligations under this DPA or pursuant to other lawful instructions from Customer, Personal Data must be transferred from the United Kingdom to any country that has not been recognized by the applicable authorities in the United Kingdom as providing an adequate level of protection for Personal Data, the parties agree that the UK Addendum shall apply to such cross-border transfers. 6.4 The parties agree to enter into other standard contractual clauses as may be applicable to the cross- border transfers of Personal Data for purposes of providing the Services. 6.5 The parties further agree that if any of the EU Standard Contractual Clauses or the UK Addendum are updated, replaced, or are no longer available for any reason, the parties will cooperate in good faith to implement updated or replacement Standard Contractual Clauses, as appropriate, or identify an alternative mechanism(s) to authorize the contemplated cross-border transfers. 6.6 Mimecast and its Affiliates have executed an Intercompany Agreement, a copy of which is available on the Trust Center (at xxxxx://xxx.xxxxxxxx.xxx/company/mimecast-trust-center/gdpr- center/mimecasts-intercompany-agreement/), to provide for the adequate safeguards for the transfer of Personal Data among its Affiliates as such transfer may be necessary in order for Mimecast to fulfil its obligations under the Agreement.

Cross-Border Transfers. 6.1 Customer acknowledges and agrees that Mimecast may, in (a) To the course extent PodRoll’s Processing of providing the Services, Process (or permit any Affiliate or Third-Party Subcontractor to Process) Customer’s Shared Personal Data includes data subjects in one or more Third Countries, provided that such Processing takes place in accordance with the requirements of Applicable Law. In such case, Mimecast shall, comply with (or procure that any Affiliate or Third-Party Subcontractor comply with) the data importer obligations in the applicable Standard Contractual Clauses. Customer hereby grants Mimecast a mandate to enter into the Standard Contractual Clauses with a Third-Party Subcontractor or Affiliate it appoints. 6.2 If, in fulfilling its obligations under the Agreement or pursuant to other lawful instructions from Customer, Personal Data is to be transferred from the European Economic Area (“EE”), Switzerland and/or Switzerland United Kingdom (“UK”), Customer and PodRoll acknowledge and agree that such Shared Personal Data may be transferred to any country third countries, including countries that has are not been recognized by the European Commission Commission, UK or Switzerland as providing an adequate level of protection for Personal Data. More specifically, Customer acknowledges and agrees that Shared Personal Data may be transferred to PodRoll in the United States, which has not received an adequacy determination. Customer hereby consents to the transfer of Customer Personal Data to PodRoll in the United States as set forth herein. (b) For Shared Personal Data of data subjects in the EEA, the parties agree to enter into and abide by the EU Standard Contractual Clauses, which Clauses are incorporated into this DPA implemented as follows: (i) Customer is the Data Exporter and Mimecast is the Data Importer; (ii) : • Clause 7, the "Docking Clause (Optional)", shall be deemed incorporated; (iii) In ; • Clause 9, the parties choose Option 2, 'General Written Authorisation', with a time period of 20 days; (iv) the 9 is not applicable; • The optional wording in Clause 11 shall be deemed not incorporated;; • Clause 17 and Clause 18, the governing law and forum shall be the Republic of Ireland; and • Appendixes 1 and 2 attached hereto serve as Annexes I and II of the Standard Contractual Clauses. (vc) In Clause 17For Shared Personal Data of data subjects in Switzerland, the Standard Contractual Clauses (as revised herein) are implemented as follows: • The Swiss Federal Data Exporter Protection and Information Commissioner shall be the sole Supervisory Authority for the transfers exclusively subject to the Swiss FADP; • The terms “General Data Importer agree that Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU Standard Contractual Clauses shall be governed by interpreted to include the laws Swiss FADP with respect to the transfers; • References to Regulation (EU) 2018/1725 are removed; • References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Germany, Standard Contractual Clauses; • In Clause 17 and choose Option 1 to this effect; (vi) In Clause 18, the Data Exporter governing law and Data Importer agree that any disputes forum shall be resolved by Switzerland; • Where the courts of transfers are exclusively subject to the Germany; (vii) Completed Annexes ISwiss FADP, II and III of all references to the EU Standard Contractual Clauses are included GDPR in Schedule 1-3 herein; and (viii) Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without to be understood to be references to the Swiss FADP; and • Where the transfers are subject to both the Swiss FADP and the GDPR, all references to the GDPR in the Standard Contractual Clauses actually being signed by are to be understood to be references to the parties, Swiss FADP insofar as the parties agree that transfers are subject to the execution of this DPA is deemed to constitute its execution of the Standard Contractual Clauses on behalf of the Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordinglySwiss FADP. (ixd) The parties agree that the Standard Contractual Clauses shall cease to apply to the Processing of For Customer Personal Data if of data subjects in the UK, the UK Transfer DPA is implemented as follows: A. Table 1: Parties • The Start Date is the effective date of the Agreement. • The Customer’s and XxxXxxx’s details and key contacts are provided in the Agreement. • The parties’ signatures on the Agreement constitute their signatures for purpose of this UK Transfer DPA. B. Table 2: Selected SCCs, Modules and Selected Clauses The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this UK Transfer DPA: • Module in operation: Module One: Transfers Controller to Controller • Clause 7 (docking clause): Yes. • Clause 9: Not applicable • Clause 11 (option): No • Combined Personal Data: No C. Table 3: Appendix Information • Annex IA: The list of parties (Customer and PodRoll) is provided in the extent that Agreement. • Annex IB: Description of Transfer: A description of the relevant transfer is provided in Appendix 1 of Personal Data ceases this DPA. • Annex II: Technical and organisational measures including technical and organisational measures to be a “restricted transfer” by ensure the relevant Regulatorsecurity of the data: PodRoll’s implemented security measures are described in Appendix 2 of this DPA. • Annex III: Not applicable D. Table 4: Ending this UK Transfer DPA when the Approved DPA Changes Either Customer or PodRoll can end this UK Transfer DPA as set out in Section 19 therein. (xe) The provisions in this DPA shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA. 6.3 If, in fulfilling its obligations under this DPA or pursuant to other lawful instructions from Customer, Personal Data must be transferred from the United Kingdom to any country that has not been recognized by the applicable authorities in the United Kingdom as providing an adequate level of protection for Personal Data, the parties agree that the UK Addendum shall apply to such cross-border transfers. 6.4 The parties agree to enter into other standard contractual clauses as may be applicable to the cross- border transfers of Personal Data for purposes of providing the Services. 6.5 The parties Parties further agree that if any of the EU Standard Contractual Clauses or the UK Addendum Transfer DPA are updated, replaced, replaced or are no longer available for any reason, the parties will cooperate in good faith to implement updated or replacement Standard Contractual ClausesClauses or UK Transfer DPA, as appropriate, or identify an alternative mechanism(s) to authorize the contemplated cross-border transfers. 6.6 Mimecast and its Affiliates have executed an Intercompany Agreement, a copy of which is available on the Trust Center (at xxxxx://xxx.xxxxxxxx.xxx/company/mimecast-trust-center/gdpr- center/mimecasts-intercompany-agreement/), to provide for the adequate safeguards for the transfer of Personal Data among its Affiliates as such transfer may be necessary in order for Mimecast to fulfil its obligations under the Agreement.

Cross-Border Transfers. 6.1 If the Processing of Customer acknowledges and agrees that Mimecast may, in the course of providing the Services, Process (or permit any Affiliate or Third-Party Subcontractor to Process) Customer’s Personal Data in one or more Third Countries, provided that such Processing takes place in accordance with the requirements involves transfers of Applicable Law. In such case, Mimecast shall, comply with (or procure that any Affiliate or Third-Party Subcontractor comply with) the data importer obligations in the applicable Standard Contractual Clauses. Customer hereby grants Mimecast a mandate to enter into the Standard Contractual Clauses with a Third-Party Subcontractor or Affiliate it appoints. 6.2 If, in fulfilling its obligations under the Agreement or pursuant to other lawful instructions from Customer, Personal Data is to be transferred from the European Economic Area and/or EEA, Switzerland or the UK to any third country that has does not been recognized by the European Commission as providing ensure an adequate level of protection for Personal Dataunder the Data Protection Legislation, then the parties agree to enter be bound by the terms of the Standard Contractual Clauses and their Module Two (Controller to Processor transfers) attached to this DPA as Schedule 2, which form part of, and are incorporated into, this DPA. Each of CampusLogic’s and the Customer’s entering into this DPA shall be treated as, respectively, CampusLogic’s and the Customer’s signature of Annex I, Section A, of the Standard Contractual Clauses as of the date this DPA becomes biding on the parties thereto. Insofar as the transfer of Personal Data is subject to, respectively, the Data Protection Legislation of Switzerland (“Swiss Data Protection Laws”) and the Data Protection Legislation of the United Kingdom (“UK Data Protection Laws”), the following provisions apply: (a) the Swiss Federal Data Protection and Information Commissioner and the Information Commissioner will be the competent supervisory authorities for, respectively, transfers of Personal Data from Switzerland and transfers of Personal Data from the United Kingdom under Clause 13 of the Standard Contractual Clauses; (b) the parties agree to abide by the EU GDPR standard in relation to all Processing of Personal Data that is governed by Swiss Data Protection Laws and by the UK Data Protection Laws standard in relation to all Processing of Personal Data that is governed by UK Data Protection Laws; (c) the term ‘Member State’ in the Standard Contractual Clauses will not be interpreted in such a way as to exclude Data Subjects in Switzerland and the UK from the possibility of suing for their rights in their place of habitual residence (Switzerland or the UK, as applicable) in accordance with Clause 18(c) of the Standard Contractual Clauses; (d) references to the ‘GDPR’ and its provisions in the Standard Contractual Clauses will be understood as references to Swiss Data Protection Laws or, which are incorporated into this DPA as follows: applicable, UK Data Protection Laws; (ie) Customer is all references to the Data Exporter and Mimecast is “European Economic Area” or the Data Importer; (ii) Clause 7, “European Union” in the "Docking Clause (Optional)", shall be deemed incorporated; (iii) In Clause 9, the parties choose Option 2, 'General Written Authorisation', with a time period of 20 days; (iv) the optional wording in Clause 11 shall be deemed not incorporated; (v) In Clause 17, the Data Exporter and Data Importer agree that the EU Standard Contractual Clauses shall be deemed to refer to, respectively, Switzerland and the UK, (f) for transfers of Personal Data governed by the laws UK Data Protection Laws, Clause 17 of the Germany, and choose Option 1 to this effect; (vi) In Clause 18, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Germany; (vii) Completed Annexes I, II and III of the EU Standard Contractual Clauses are included in Schedule 1-3 herein; and (viii) Notwithstanding the fact is replaced to provide that the Standard Contractual Clauses are incorporated herein by reference without the Standard Contractual Clauses actually being signed governed by the partieslaws of England and Wales, the parties agree that the execution and for transfers of this DPA is deemed to constitute its execution Personal Data governed by Swiss Data Protection Laws, Clause 17 of the Standard Contractual Clauses on behalf of the Data Exporter or Data Importer (as applicable), and that it is duly authorized replaced to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly. (ix) The parties agree provide that the Standard Contractual Clauses shall cease to apply to the Processing of Personal Data if and to the extent that the relevant transfer of Personal Data ceases to be a “restricted transfer” are governed by the relevant Regulator. laws of Switzerland; and (xg) The provisions in this DPA shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA. 6.3 If, in fulfilling its obligations under this DPA or pursuant to other lawful instructions from Customer, Personal Data must be transferred from the United Kingdom to any country that has not been recognized by the applicable authorities in the United Kingdom as providing an adequate level of protection for Personal Data, the parties agree that the UK Addendum shall apply to such cross-border transfers. 6.4 The parties agree to enter into other standard contractual clauses as may be applicable to the cross- border transfers of Personal Data for purposes of providing governed by UK Data Protection Laws, the Services. 6.5 The parties further agree that if any courts under Clause 18 of the EU Standard Contractual Clauses or shall be the UK Addendum are updatedcourts of England and Wales, replaced, or are no longer available and for any reasontransfers of Personal Data governed by Swiss Data Protection Laws, the parties will cooperate in good faith to implement updated or replacement courts under Clause 18 of the Standard Contractual ClausesClauses shall be the competent courts of Switzerland. In respect of data transfers governed by Swiss Data Protection Laws, as appropriate, or identify an alternative mechanism(s) the Standard Contractual Clauses also apply to authorize the contemplated cross-border transfers. 6.6 Mimecast and its Affiliates have executed an Intercompany Agreement, a copy of which is available on the Trust Center (at xxxxx://xxx.xxxxxxxx.xxx/company/mimecast-trust-center/gdpr- center/mimecasts-intercompany-agreement/), to provide for the adequate safeguards for the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data among its Affiliates as under Swiss Data Protection Laws until such transfer may be necessary in order for Mimecast laws are amended to fulfil its obligations under the Agreementno longer apply to a legal entity.

Cross-Border Transfers. 6.1 Customer acknowledges and agrees that Mimecast may, in the course of providing the Services, Process (or permit any Affiliate or Third-Party Subcontractor to Process) Customer’s If HTM Personal Data in one subject to the European Data Protection Laws is transferred outside of the European Economic Area, Switzerland or more Third Countriesany European Commission approved country, provided that such Processing takes place in accordance with the requirements of Applicable Law. In such case, Mimecast shall, comply with (or procure that any Affiliate or Third-Party Subcontractor comply with) the data importer obligations in the applicable Standard Contractual Clauses. then Customer hereby grants Mimecast a mandate agrees to enter and hereby enters into the Controller to Controller Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses (Module One)) (“C2C SCCs”) with a Third-Party Subcontractor or Affiliate it appoints. 6.2 IfHTM, and the following terms shall apply: (A) HTM will be the “data exporter” and Customer will be the “data importer”; (B) the optional Clause 7 docking clause will not apply; (C) in fulfilling its obligations under Clause 11, the Agreement or pursuant to other lawful instructions from Customeroptional language will not apply; (D) in Clause 17, Personal Data is to Option 1 will apply, and the EU SCCs will be governed by Irish law for personal data transferred from out of the European Economic Area and/or Switzerland to any country that has not been recognized by or Swiss law for personal data transferred out of Switzerland; (E) in Clause 18(b), disputes will be resolved before the courts of Ireland for personal data transferred out of the European Commission Economic Area or Switzerland for personal data transferred out of Switzerland; (F) Annex I will be deemed completed with the information set out in Schedule 1 of this DPA Addendum, with HTM as providing an adequate level the data exporter and Customer as the data importer; and (G) Annex II will be deemed completed with the information set out in Schedule 2 of protection for Personal Datathe DPA. For purposes of any transfers of personal data also subject to the Swiss FADP, the parties agree to enter into and abide by C2C SCC shall apply with the EU Standard Contractual Clauses, which are incorporated into this DPA as followsfollowing amendments: (iA) Customer is References to “Regulation (EU) 2016/679” or “that Regulation” are to be interpreted as references to the Data Exporter and Mimecast is the Data ImporterSwiss FADP; (iiB) References to “Regulation (EU) 2018/1725” are removed; (C) References to “Union”, “EU”, and “EU Member State” shall be interpreted to mean Switzerland; (D) Clause 7, 13 (a) and Part C of Annex I are not used and the "Docking Clause competent supervisory authority is the Federal Data Protection and Information Commissioner (Optionalthe “FDPIC”)", shall be deemed incorporated; (iiiE) In Clause 9, the parties choose Option 2, 'General Written Authorisation', with a time period of 20 days; (iv) the optional wording in Clause 11 shall be deemed not incorporated; (v) In Clause 17, the Data Exporter and Data Importer agree 17 is replaced to state that the EU Standard Contractual “These Clauses shall be are governed by the laws of Switzerland”; (F) Clause 18 is replaced to state: “Any dispute arising from these Clauses relating to the Germany, and choose Option 1 to this effect; (vi) In Clause 18, the Data Exporter and Data Importer agree that any disputes Swiss FADP shall be resolved by the courts of Switzerland. A data subject may bring legal proceedings against the Germany; (vii) Completed Annexes I, II and III data exporter and/or data importer before the courts in the Canton of Zug. The parties agree to submit themselves to the jurisdiction of such courts.” If HTM Personal Data subject to UK Data Protection Laws is transferred outside of the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses are included in Schedule 1-3 herein; and (viii) Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without the Standard Contractual Clauses actually being signed Clauses, issued by the partiesInformation Commissioner in force 21 March 2022 is agreed to and incorporated by reference, but, as permitted by clause 17 of such addendum, the parties agree that to change the execution of this DPA is deemed to constitute its execution format of the Standard Contractual Clauses on behalf information set out in Part 1 of the Data Exporter or Data Importer addendum such that: • For the purposes of Table 1, HTM shall be the “exporter” and Customer shall be the “importer,” with the applicable details the same as identified in the Agreement. • For the purposes of Table 2, (as applicable)A) the EU SCCs shall apply, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicableB) accordingly. (ix) The parties agree that the Standard Contractual Clauses shall cease to Module 1 will apply to the Processing of Personal Data if and personal data transferred to the extent that the relevant transfer of Personal Data ceases to be a “restricted transfer” by the relevant Regulator. third country; (xC) The provisions in this DPA shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA. 6.3 If, in fulfilling its obligations under this DPA or pursuant to other lawful instructions from Customer, Personal Data must be transferred from the United Kingdom to any country that has not been recognized by the applicable authorities in the United Kingdom as providing an adequate level of protection for Personal DataClause 7, the parties agree that the UK Addendum shall apply to such cross-border transfers. 6.4 The parties agree to enter into other standard contractual clauses as may be applicable to the cross- border transfers of Personal Data for purposes of providing the Services. 6.5 The parties further agree that if any of the EU Standard Contractual Clauses or the UK Addendum are updated, replaced, or are no longer available for any reason, the parties optional docking clause will cooperate in good faith to implement updated or replacement Standard Contractual Clauses, as appropriate, or identify an alternative mechanism(s) to authorize the contemplated cross-border transfers. 6.6 Mimecast and its Affiliates have executed an Intercompany Agreement, a copy of which is available on the Trust Center (at xxxxx://xxx.xxxxxxxx.xxx/company/mimecast-trust-center/gdpr- center/mimecasts-intercompany-agreement/), to provide for the adequate safeguards for the transfer of Personal Data among its Affiliates as such transfer may be necessary in order for Mimecast to fulfil its obligations under the Agreement.not apply;

Cross-Border Transfers. 6.1 Customer acknowledges and agrees that Mimecast may, in the course of providing the Services, Process (or permit any Affiliate or Third-Party Subcontractor to Process) Customer’s If HTM EU Personal Data in one is transferred outside of the European Economic Area, Switzerland or more Third Countriesany European Commission approved country, provided that such Processing takes place in accordance with the requirements of Applicable Law. In such case, Mimecast shall, comply with (or procure that any Affiliate or Third-Party Subcontractor comply with) the data importer obligations in the applicable Standard Contractual Clauses. then Customer hereby grants Mimecast a mandate agrees to enter and hereby enters into the Controller to Controller Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses (Module One)) (“C2C SCCs”) with a Third-Party Subcontractor or Affiliate it appoints. 6.2 IfHTM, and the following terms shall apply: (A) HTM will be the “data exporter” and Customer will be the “data importer”; (B) the optional Clause 7 docking clause will not apply; (C) in fulfilling its obligations under Clause 11, the Agreement or pursuant to other lawful instructions from Customeroptional language will not apply; (D) in Clause 17, Personal Data is to Option 1 will apply, and the EU SCCs will be governed by Irish law for personal data transferred from out of the European Economic Area and/or or Swiss law for personal data transferred out of Switzerland; (E) in Clause 18(b), disputes will be resolved before the courts of Ireland for personal data transferred out of the European Economic Area or Switzerland for personal data transferred out of Switzerland; (F) Annex I will be deemed completed with the information set out in Schedule 1 of this Addendum, with HTM as the data exporter and Customer as the data importer; and (G) Annex II will be deemed completed with the information set out in Schedule 2 of this Addendum. For purposes of any transfers of personal data also subject to any country that has FADP, (i) the term “member state” must not been recognized be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of bringing legal proceedings to enforce their rights in their place of habitual residence in accordance with Clause 18(c) and (ii) the clauses also protect the data of legal entities until the entry into force of the revised FADP. If HTM UK Personal Data is transferred outside of the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the European Commission Information Commissioner in force 21 March 2022 is agreed to and incorporated by reference, but, as providing an adequate level permitted by clause 17 of protection for Personal Datasuch addendum, the parties agree to enter into change the format of the information set out in Part 1 of the addendum such that: • For the purposes of Table 1, HTM shall be the “exporter” and abide by Customer shall be the “importer,” with the applicable details the same as identified in the Agreement. • For the purposes of Table 2, (A) the EU Standard Contractual ClausesSCCs shall apply, which are incorporated into this DPA as follows: (iB) Customer is Module 1 will apply to the Data Exporter and Mimecast is the Data Importer; personal data transferred to a third country; (iiC) in Clause 7, the "Docking Clause (Optional)", shall be deemed incorporatedoptional docking clause will not apply; (iii) In Clause 9, the parties choose Option 2, 'General Written Authorisation', with a time period of 20 days; (iv) the optional wording in Clause 11 shall be deemed not incorporated; (v) In Clause 17, the Data Exporter and Data Importer agree that the EU Standard Contractual Clauses shall be governed by the laws of the Germany, and choose Option 1 to this effect; (vi) In Clause 18, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Germany; (vii) Completed Annexes I, II and III of the EU Standard Contractual Clauses are included in Schedule 1-3 herein; and (viii) Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without the Standard Contractual Clauses actually being signed by the parties, the parties agree that the execution of this DPA is deemed to constitute its execution of the Standard Contractual Clauses on behalf of the Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly. (ix) The parties agree that the Standard Contractual Clauses shall cease to apply to the Processing of Personal Data if and to the extent that the relevant transfer of Personal Data ceases to be a “restricted transfer” by the relevant Regulator. (x) The provisions in this DPA shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA. 6.3 If, in fulfilling its obligations under this DPA or pursuant to other lawful instructions from Customer, Personal Data must be transferred from the United Kingdom to any country that has not been recognized by the applicable authorities in the United Kingdom as providing an adequate level of protection for Personal Data, the parties agree that the UK Addendum shall apply to such cross-border transfers. 6.4 The parties agree to enter into other standard contractual clauses as may be applicable to the cross- border transfers of Personal Data for purposes of providing the Services. 6.5 The parties further agree that if any of the EU Standard Contractual Clauses or the UK Addendum are updated, replaced, or are no longer available for any reason, the parties will cooperate in good faith to implement updated or replacement Standard Contractual Clauses, as appropriate, or identify an alternative mechanism(s) to authorize the contemplated cross-border transfers. 6.6 Mimecast and its Affiliates have executed an Intercompany Agreement, a copy of which is available on the Trust Center (at xxxxx://xxx.xxxxxxxx.xxx/company/mimecast-trust-center/gdpr- center/mimecasts-intercompany-agreement/), to provide for the adequate safeguards for the transfer of Personal Data among its Affiliates as such transfer may be necessary in order for Mimecast to fulfil its obligations under the Agreement.

Cross-Border Transfers. 6.1 Customer acknowledges and agrees that Mimecast may, in the course of providing the Services, Process (or permit any Affiliate or Third-Party Subcontractor to Process) Customer’s Personal Data in one or more Third Countries, provided that such Processing takes place in accordance with the requirements of Applicable Law. In such case, Mimecast shall, comply with (or procure that any Affiliate or Third-Party Subcontractor comply with) the data importer obligations in the applicable Standard Contractual Clauses. Customer hereby grants Mimecast a mandate to enter into the Standard Contractual Clauses with a Third-Party Subcontractor or Affiliate it appoints. 6.2 If, in fulfilling its obligations under the Agreement or pursuant to other lawful instructions from Customer, Personal Data is to be transferred from the European Economic Area Area, Switzerland and/or Switzerland the UK (as applicable) by Customer to Mimecast in any country that has not been recognized by the European Commission as providing an adequate level of protection for Personal DataThird Country, the parties agree to enter into and abide by the EU Standard Contractual ClausesClauses and/or UK Addendum (as applicable), which are incorporated into this DPA as follows: (i) Customer is the Data Exporter and Mimecast is the Data ImporterImporter (the foregoing shall apply with respect to Table 1 of the UK Addendum); (ii) In Clause 7, the "Docking Clause (Optional)", shall be deemed incorporatedincorporated (the foregoing shall apply with respect to Table 1 of the UK Addendum); (iii) In Clause 9, the parties choose Option 2, 'General Written Authorisation', with a time period of 20 daysdays (the foregoing shall apply with respect to Table 2 of the UK Addendum); (iv) the The optional wording in Clause 11 shall be deemed not incorporatedincorporated (the foregoing shall apply with respect to Table 2 of the UK Addendum); (v) In Clause 13, the competent Regulator shall be the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht). (vi) In Clause 17, the Data Exporter and Data Importer agree that the EU Standard Contractual Clauses shall be governed by the laws of the Germany, and choose Option 1 to this effecteffect (Part 2, Section 15(m) of the UK Addendum shall apply); (vivii) In Clause 18, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of Germany (Part 2, Section 15(n) of the GermanyUK Addendum shall apply); (viiviii) In accordance with Section 19 of the UK Addendum and Section 6.4 of this DPA, neither party may end the UK Addendum when the UK Addendum changes; (ix) Completed Annexes I, II and III of the EU Standard Contractual Clauses and Annexes 1B, II and III of Table 3 of the UK Addendum are included in Schedule Schedules 1-3 herein; and (viiix) Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without the Standard Contractual Clauses actually being signed by the parties, the parties agree that the execution of this DPA is deemed to constitute its execution of the Standard Contractual Clauses on behalf of the Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly. (ixxi) The parties agree that the Standard Contractual Clauses shall cease to apply to the Processing of Personal Data if and to the extent that the relevant transfer of Personal Data ceases to be a “restricted transfer” by the relevant Regulator”. (xxii) The provisions in this DPA shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEAEEA and/or Switzerland. 6.3 If, in fulfilling its obligations under this DPA or pursuant to other lawful instructions from Customer, Personal Data must be transferred from the United Kingdom to any country that has not been recognized by the applicable authorities in the United Kingdom as providing an adequate level of protection for Personal Data, the parties agree that the UK Addendum shall apply to such cross-border transfers. 6.4 The parties agree to enter into other standard contractual clauses as may be applicable approved under Applicable Law to the cross- cross-border transfers of Personal Data for purposes of providing the Services. 6.5 6.4 The parties further agree that if any of the EU Standard Contractual Clauses or the UK Addendum are updated, replaced, or are no longer available for any reason, the parties will cooperate in good faith to implement updated or replacement Standard Contractual Clauses, as appropriate, or identify an alternative mechanism(s) to authorize the contemplated cross-border transfers. 6.6 6.5 Mimecast and its Affiliates have executed an Intercompany Agreement, a copy of which is available on the Trust Center (at xxxxx://xxx.xxxxxxxx.xxx/company/mimecast-trust-center/gdpr- center/mimecasts-xxxxx://xxx.xxxxxxxx.xxx/company/mimecast-trust-center/gdpr-center/mimecasts- intercompany-agreement/), to provide for the adequate safeguards for the transfer of Personal Data among its Affiliates as such transfer may be necessary in order for Mimecast to fulfil its obligations under the Agreement.