Data Processing. The Data Processor agrees to Process the Personal Data to which this Addendum applies in accordance with the terms and conditions set out in this Addendum, and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum and the Service Agreement are Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the Data Processor for the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separately. Instructions orally given shall be promptly confirmed in writing by the Data Controller. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to the Data Processor prohibit such information on important grounds of public interest. Where the Data Processor believes that compliance with any Instructions by the Data Controller would result in a violation of Data Protection Laws and Regulations, the Data Processor shall notify the Data Controller thereof in writing without delay;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take appropriate technical and organizational measures to adequately protect Personal Data Processed on behalf of the Data Controller against misuse and loss in accordance with the requirements of Data Protection Laws and Regulations. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 to this Addendum. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller’s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security of the Services during the subscription term;
3.4. that persons entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.5. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the obligations referred to in clause 3.3, or except as may be required by any law or regulation applicable to the Data Processor, its Representatives or Subprocessors;
3.6. that it will notify the Data Controller in writing and without undue delay about:
Appears in 8 contracts
Samples: Data Processing Agreement, Data Processing Agreement, Data Processing Addendum
Data Processing. The Data Processor agrees to Process the Personal Data to which this Addendum applies in accordance with the terms and conditions set out in this Addendum, and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum and the Service Agreement are the Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the Data Processor for the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separately. Instructions orally given shall be promptly confirmed in writing by the Data Controller. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to the Data Processor prohibit such information on important grounds of public interest. Where the Data Processor believes that compliance with any Instructions by the Data Controller would result in a violation of Data Protection Laws and Regulations, the Data Processor shall notify the Data Controller thereof in writing without delay;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take appropriate technical and organizational measures to adequately protect Personal Data Processed on behalf of the Data Controller against misuse and loss in accordance with the requirements of Data Protection Laws and Regulations. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 to this Addendum. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller’s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security of the Services during the subscription term;
3.4. that persons entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.5. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the obligations referred to in clause 3.3, or except as may be required by any law or regulation applicable to the Data Processor, its Representatives or Subprocessors;
3.6. that it will notify the Data Controller in writing and without undue delay about:
Appears in 3 contracts
Samples: Data Processing Addendum, Data Processing Agreement, Data Processing Addendum
Data Processing. For the purposes of the Data Protection Legislation, the PCN Controller is the Controller and hereby appoints the PCN Processor as its Processor, on the basis that the only Processing that the PCN Processor is authorised to do is the Processing described in Annex 1. The PCN Processor shall notify the PCN Controller immediately if it considers that any of the PCN Controller's instructions does not comply with the Data Protection Legislation and/or with Law. If the PCN Processor agrees acts on the PCN Controller’s instructions without giving any such notification, the PCN Processor shall be deemed to Process have evaluated such instructions and concluded that they comply with the Data Protection Legislation and with Law. If the Processing to be carried on by the PCN Processor is to any extent subject to Article 35 and/or Article 36 of GDPR, the PCN Processor shall provide reasonable assistance to the PCN Controller in the preparation of the Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the PCN Controller, include: a systematic description of the envisaged Processing operations and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing operations; an assessment of the risks that the Processing shall pose to the rights and freedoms of Data Subjects; and the measures proposed or envisaged to address such risks, including appropriate technical and organisational measures to ensure the protection of the Processor Shared Personal Data. The PCN Processor shall, in relation to any Processor Shared Personal Data to which this Addendum applies Processed by it: Process that Processor Shared Personal Data only in accordance with Annex 1 and in accordance with the terms and conditions set out in this Addendum, and in particular the Data Processor agrees:
3.1. not PCN Controller’s written instructions (including with respect to Process the transfers of Personal Data for any purpose other than to a Third Country or International Organisation), unless the specific purpose of performing PCN Processor is required to do otherwise by Law (and if so required by Law the Services set forth in this Addendum. The Data PCN Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum and the Service Agreement are Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the Data Processor for the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separately. Instructions orally given shall be promptly confirmed in writing by the Data Controller. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the PCN Controller before Processing the Processor Shared Personal Data Controller of its inability unless prohibited by Law); keep the Processor Shared Personal Data confidential and not disclose it to comply, unless laws applicable to any third party without the Data Processor prohibit such information on important grounds of public interest. Where the Data Processor believes that compliance with any Instructions by the Data Controller would result in a violation of Data Protection Laws and Regulations, the Data Processor shall notify the Data Controller thereof in writing without delay;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements prior written consent of the protection of Personal Data. The Data Processor shall PCN Controller; take appropriate technical and organizational organisational measures to adequately protect ensure a level of security appropriate to the risks that are presented by such Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Processor Shared Personal Data Processed on behalf Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Controller against misuse Subjects, including as appropriate: the pseudonymisation and loss encryption of the Processor Shared Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability and access to the Processor Shared Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; ensure that: the Processor Personnel do not Process any Processor Shared Personal Data except in accordance with this Agreement (and in particular Annex 1); it takes all reasonable steps to ensure the requirements reliability and integrity of Data Protection Laws and Regulations. An overview of any Processor Personnel who have access to the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 to this Addendum. 
The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller‘s Shared Personal Data against misuse and loss as long as such changes will not materially decrease the overall security ensure that they: are aware of the Services during the subscription term;
3.4. that persons entrusted and comply with the Processing of PCN Processor’s duties under this Clause 3; are subject to appropriate confidentiality undertakings that are enforceable by the Data Controller’s Personal Data have committed themselves to confidentiality or PCN Processor and/or are under an appropriate statutory obligation of confidentiality;
3.5. not to divulge ; are informed of the confidential nature of the Processor Shared Personal Data whether directly and do not publish, disclose or indirectly divulge any of the Processor Shared Personal Data to any personthird party unless directed in writing to do so by the PCN Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, firm care, protection and handling of Personal Data; not transfer the Processor Shared Personal Data outside of the EU (for so long as the United Kingdom remains a member of the EU) or company outside of the United Kingdom (if the United Kingdom ceases to be a member of the EU), or otherwise without to any International Organisation unless the express prior written consent of the Data PCN Controller except has been obtained and the following conditions are fulfilled: the PCN Processor has, prior to those such transfer, established, or procured the establishment of, appropriate safeguards in relation to the transfer of the Processor Shared Personal Data; each Data Subject whose Personal Data is transferred has enforceable rights and effective legal remedies which are enforceable against the PCN Processor’s partners, officersand the PCN Processor has ensured prior to any such transfer that such rights and remedies are available; and the PCN Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection for all Processor Shared Personal Data that is transferred (or procures that such protection is provided); and the PCN Processor complies with all reasonable instructions notified to it in advance of such transfer by the PCN Controller with respect to such transfer. 
Subject to Clause 3.6, directorsthe PCN Processor shall notify the PCN Controller immediately if it: receives any Data Subject Access Request (or purported Data Subject Access Request); receives any request to rectify, employeesblock or erase any Processor Shared Personal Data; receives any other request, accountants, attorneys, independent contractors, temporary employees, affiliates, agents complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from any Supervisory Authority or any other representatives that may regulatory authority in connection with Processor Shared Personal Data; receives a request from time any third party for disclosure of Processor Shared Personal Data where compliance with such request is required by Law; or becomes aware of any Personal Data Breach (and such notification shall be made not later than twenty-four (24) hours following the PCN Processor becoming aware of each Personal Data Breach). The PCN Processor’s obligation to time be employednotify the PCN Controller under Clause 3.5 shall include an obligation to provide information in accordance with Clause 3.7, retained byand an obligation to provide further information to the PCN Controller in phases, working foras further details become available. The PCN Processor shall assist and co-operate with the PCN Controller in relation to the PCN Controller’s compliance with its obligations under Data Protection Legislation (including each complaint, communication or acting on behalf ofrequest made under Clause 3.5 as well as any other complaint, communication or request relating to any Processor Shared Personal Data), and shall do so within the timescales reasonably required by the PCN Controller. 
In particular the PCN Processor shall promptly provide the PCN Controller with: full details and copies of each complaint, communication or request received by the PCN Processor (or received by the PCN Controller and relating to any Processor Shared Personal Data); such assistance as is reasonably requested by the PCN Controller to enable the PCN Controller to comply with each Data Subject Access Request within the relevant timescales specified in or under the Data Protection Legislation; copies of any Processor with a bona fide need to have access to such Shared Personal Data (collectivelyspecified by the PCN Controller, “Representatives”) and Subprocessors who are engaged in details of the Processing of the such Processor Shared Personal Data and are by or on behalf of the PCN Processor; assistance as requested by the PCN Controller in relation to any Personal Data Breach; assistance to ensure that Processing of Processor Shared Personal Data by or on behalf of the Processor complies with any exercise by any relevant Data Subject of any of his or her rights under Data Protection Legislation, including to ensure that the Processor Shared Personal Data relating to such Data Subject is (for example) deleted and/or rectified and/or made subject to restrictions in accordance with such exercise of such rights; and assistance as requested by the obligations referred PCN Controller with respect to in clause 3.3any request from a Supervisory Authority, or except any consultation by the PCN Controller with a Supervisory Authority. 
The PCN Processor shall maintain complete and accurate records and information of the Processing it carries out in connection with this Agreement, which shall contain as may be required by any law or regulation applicable a minimum: its details, the PCN Controller’s details and the details of the PCN Processor’s data protection officer (if applicable) or, if the PCN Processor is not subject to a mandatory requirement under Data Protection Legislation to appoint such an officer, the details of the person who has overall responsibility for the PCN Processor’s compliance with the Data Protection Legislation; the categories of Processing of the Processor Shared Personal Data that are carried out by or on behalf of the PCN Processor; the details of any transfers to any Third Countries, its Representatives or Subprocessors;
3.6. that it will notify where applicable, and the Data Controller safeguards in writing and without undue delay about:place for each such transfer; and
Appears in 1 contract
Samples: Data Processing Agreement
Data Processing. The Data Processor agrees to Process the Personal Data to which this Agreement applies by reason of clause 2 in accordance with the terms and conditions set out in this Agreement, the applicable Privacy Laws and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum Agreement, and all applicable data protection laws, including without limitation the CCPA and the Service Agreement are CPRA, and solely for the purposes (connected with provision of the Services by the Data Processor) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any manner except with the express prior written consent of the Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the . Data Processor shall not Process Personal Data for its own “commercial purposes,” as that term is defined in the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separatelyCCPA and the CPRA. Instructions orally given shall be promptly confirmed in writing by the Data Controllerwriting. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to in which case the Data Processor prohibit such information on important grounds Controller is entitled to suspend the transfer of public interestData and/or terminate this Agreement. Where the Data Processor believes that compliance with any Instructions instructions by the Data Controller would result in a violation of Data Protection Laws and Regulationsany applicable law on data protection, the Data Processor shall notify the Data Controller thereof in writing without delaywithin a reasonable period of time;
3.2. that it has no reason to believe that any applicable law prevents it from fulfilling the Instructions received from the Data Controller and its obligations under this Agreement and that in the event of a change of any applicable law which is likely to have a substantial adverse effect on the obligations provided under this Agreement, it will promptly notify the Data Controller of the change as soon as it is aware of such change, in which case the Data Controller is entitled to suspend the transfer of Personal Data and/or terminate this Agreement;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take ensure appropriate technical and organizational measures are implemented and maintained to adequately protect the Data Controller’s Personal Data Processed on behalf of the Data Controller against misuse unauthorized or unlawful processing and loss in accordance with the requirements of Data Protection Laws and Regulationsagainst accidental loss, destruction, damage, theft, alteration or disclosure. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 (Description of Technical and Organizational Measures) to this AddendumAgreement. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller’s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security of the Services during the subscription term;
3.4. to ensure that persons each of its employees, agents and Subprocessors are made aware of its obligations under this Agreement with regard to the security and protection of the Personal Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this Agreement;
3.5. to ensure that any personnel entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation to maintain data secrecy shall survive the termination of the respective employment relationship;
3.53.6. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise otherwise, including without limitation in a manner that would constitute a “sale”, Selling, or Sharing of Personal Data under the CCPA and CPRA, without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, its employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the binding obligations referred to in clause 3.3, 3.4 or 3.5 or except as may be required by any law or regulation applicable to the Data Processor, its Representatives or Subprocessorsregulation;
3.6. that it will notify the Data Controller in writing and without undue delay about:
Appears in 1 contract
Samples: Data Processing Agreement
Data Processing. The Data Processor agrees to Process the Personal Data to which this Addendum applies by reason of clause 2 in accordance with the terms and conditions set out in this Addendum, and in particular the Data Processor agrees:
3.1. Not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose.
3.2. To Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum and the Service Agreement are Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the Data Processor for the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separately. Instructions orally given shall be promptly confirmed in writing by the Data Controller. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to the Data Processor prohibit such information on important grounds of public interest. Where the Data Processor believes that compliance with any Instructions by the Data Controller would result in a violation of Data Protection Laws and Regulations, the Data Processor shall notify the Data Controller thereof in writing without delay;
3.3. That within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take appropriate technical and organizational measures to adequately protect Personal Data Processed on behalf of the Data Controller against misuse and loss in accordance with the requirements of Data Protection Laws and Regulations. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 to this Addendum. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller’s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security of the Services during the subscription term.
3.4. That persons entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.5. Not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the obligations referred to in clause 3.3, or except as may be required by any law or regulation applicable to the Data Processor, its Representatives or Subprocessors;
3.6. That it will notify the Data Controller in writing and without undue delay about:
Appears in 1 contract
Samples: Data Processing Addendum
Data Processing. The Data Processor agrees to Process the Personal Data to which this Agreement applies by reason of clause 2 in accordance with the terms and conditions set out in this Agreement, and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum Agreement, and all applicable data protection laws, including without limi- tation the Service Agreement are Data Controller’s complete CCPA, and final documented Instructions at solely for the time of execution purposes (connected with provision of the Service Agreement to Services by the Data Processor) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any manner except with the express prior written consent of the Data Con- troller. Data Processor shall not Process Personal Data for its own “commer- cial purposes,” as that term is defined in the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separatelyCCPA. Instructions orally given shall be promptly confirmed in writing by the Data Controllerwriting. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to in which case the Data Processor prohibit such information on important grounds Controller is en- titled to suspend the transfer of public interestData and/or terminate this Agreement. Where the Data Processor believes that compliance with any Instructions instructions by the Data Controller would result in a violation of Data Protection Laws and Regulationsany applicable law on data protection, the Data Processor shall notify the Data Controller thereof in writing without delaywithin a reasonable period of time;
3.2. that it has no reason to believe that any applicable law prevents it from ful- filling the Instructions received from the Data Controller and its obligations under this Agreement and that in the event of a change of any applicable law which is likely to have a substantial adverse effect on the obligations provided under this Agreement, it will promptly notify the Data Controller of the change as soon as it is aware of such change, in which case the Data Controller is entitled to suspend the transfer of Personal Data and/or termi- nate this Agreement;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take appropriate technical and organizational measures to adequately protect Personal Data Processed on behalf of the Data Controller against misuse and loss in accordance with the requirements of Data Protection Laws and Regulations. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 to this Addendum. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller‘s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security loss. An overview of the Services during the subscription termtechnical and organizational measures has been attached as Schedule 2 (Description of Technical and Organizational Measures) to this Agreement. The Data Processor regularly monitors compliance with these measures;
3.4. to ensure that persons each of its employees, agents and Subprocessors are made aware of its obligations under this Agreement with regard to the security and protection of the Personal Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this Agreement;
3.5. to ensure that any personnel entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation to maintain data secrecy shall survive the termination of the respective employment relationship;
3.6. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise, including without limitation in a manner that would constitute a “sale” of Personal Data under the CCPA, without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, its employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the binding obligations referred to in clause 3.3, 3.4 or 3.5 or except as may be required by any law or regulation;
3.7. that it will promptly notify the Data Controller about:
3.7.1. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
3.7.2. any substantial disruption of the Services or serious interruptions of the operations, any infringements by the Data Processor or its employees, of applicable data protection laws or of this Agreement, or any material irregularity in relation to the Processing of the Personal Data belonging to the Data Controller;
3.7.3. any Personal Data Breach of which it becomes aware. Such notification shall include, taking into account the nature of the Processing and the information available to the Data Processor, any information relevant to assist the Data Controller with its Representatives or Subprocessorsown notification obligations under applicable law:
3.7.4. any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so in writing by the Data Controller;
3.8. in the event of the exercise by Data Subjects of any of their rights under applicable law in relation to the Personal Data (including rights to access, rectification, erasure, blocking, objection, restriction, data portability, and the right not to be subject to a decision based solely on automated Processing, including profiling), to inform the Data Controller as soon as possible, and the Data Processor further agrees to assist the Data Controller with all Data Subject requests which may be received from any Data Subject in relation to any Personal Data;
3.9. taking into account the nature of the Processing, to assist the Data Controller by appropriate technical and organisational measures, insofar this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down by applicable law;
3.10. to deal promptly and properly with all inquiries from the Data Controller relating to its Processing of the Personal Data, including making available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement or information necessary for the Data Controller to apply with applicable laws;
3.11. that it any Processing services carried out by a Subprocessor will notify be carried out in accordance with clause 6;
3.12. that the Data Processor has appointed a data protection officer to the extent this is required by applicable law. The Data Processor will provide the contact details of the appointed person; and
3.13. to assist the Data Controller in writing ensuring compliance with applicable law, including the obligation to carry out data protection impact assessments and without undue delay about:prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to the Data Processor.
Samples: Data Processing Agreement
Data Processing. The 3.1. Instructions for Data Processor agrees to Processing. dbt Labs will only Process the Subscriber Personal Data to which this Addendum applies as a Processor or Service Provider, as applicable, in accordance with the terms Agreement and conditions pursuant to the processing details set out in this AddendumSchedule 1, to the extent necessary to provide the Service to the Subscriber, and in particular the Subscriber's written instructions provided to dbt Labs (the "Permitted Purpose"), unless Processing is otherwise required or permitted by the Data Processor agrees:
3.1Protection Laws to which dbt Labs is subject, in which case dbt Labs shall, to the extent required or permitted by such Data Protection Laws, inform the Subscriber of that legal requirement before Processing that Subscriber Personal Data. dbt Labs shall not to Sell, Share, retain, use, disclose or Process Subscriber Personal Data, or combine the Subscriber Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell received from or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the business with personal information dbt Labs received elsewhere, unless specific statutory or regulatory exceptions apply (i) for any purposes other than the Permitted Purpose, or (ii) outside of the direct business relationship between dbt Labs and Subscriber. Should dbt Labs no longer be able to comply with this subsection, dbt Labs will cease processing Subscriber Personal Data Controller and at all times notify Subscriber, and Subscriber may take reasonable and appropriate steps to (a) determine dbt Labs’s compliance herewith, subject to Section 5.3 hereof; and/or (b) may terminate the Agreement, to be effective upon payment in compliance with full of Fees, and request in writing for dbt Labs to delete without undue delay Subscriber Personal Data after receiving notice that dbt Labs can no longer meet its CPRA obligations.
3.2. The Agreement and this DPA shall be the Data Controller’s Instructions based on this Addendum. This Addendum and the Service Agreement are Data Controller’s Subscriber's complete and final documented Instructions at the time of execution of the Service Agreement instructions to dbt Labs in relation to the Data Processor for the Processing processing of Subscriber Personal Data. Any additional or alternate Instructions must be agreed upon separately. Instructions orally given shall be promptly confirmed in writing by In the Data Controller. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to the Data Processor prohibit such information on important grounds of public interest. Where the Data Processor event dbt Labs reasonably believes that compliance with the Subscriber’s written instructions violate applicable law, dbt Labs will inform the Subscriber in writing, and not be required to fulfill any Instructions by the Data Controller would result in a violation of Data Protection Laws and Regulations, the Data Processor shall notify the Data Controller thereof in writing without delay;such instructions.
3.3. that within Processing outside the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take appropriate technical and organizational measures to adequately protect Personal Data Processed on behalf of the Data Controller against misuse and loss in accordance with the requirements of Data Protection Laws and Regulations. An overview of the technical and organizational measures agreed at the time of execution scope of this Addendum DPA will require a prior written agreement between the Parties has been attached as Schedule 2 to this Addendum. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical Subscriber and organizational measures implemented to adequately protect the Data Controller‘s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security of the Services during the subscription term;
3.4. that persons entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.5. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the obligations referred to in clause 3.3, or except as may be required by any law or regulation applicable to the Data Processor, its Representatives or Subprocessors;
3.6. that it will notify the Data Controller in writing and without undue delay about:dbt Labs.
Samples: Data Processing Addendum
Data Processing. The Parties acknowledge that the provision of the Braintree Payment Services and any sharing of Customer Data shall require the Processing of Personal Data and each Party shall be responsible for complying with its respective obligations under the applicable Data Protection Requirements. Braintree and its affiliated companies may use, reproduce, electronically distribute, and display Customer Data (a) for the purposes of providing and improving the Braintree Payment Services; (b) as data controller in the meaning of Luxembourg data protection law for the purposes of complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with local laws. The Parties acknowledge where Personal Data is made available to Braintree for the purpose of providing the Braintree Payment Services, Braintree shall act as a Data Processor agrees to Process the Personal Data to which Merchant. In this Addendum applies respect, Braintree shall (a) keep the data confidential, (b) process such data only in accordance with the terms and conditions set out in this Addenduminstructions of the Merchant, and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum and the Service Agreement are Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the Data Processor for the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separately. Instructions orally given shall be promptly confirmed in writing by the Data Controller. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to the Data Processor prohibit such information on important grounds of public interest. Where the Data Processor believes that compliance with any Instructions by the Data Controller would result in a violation of Data Protection Laws and Regulations, the Data Processor shall notify the Data Controller thereof in writing without delay;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take (c) implement appropriate technical and organizational measures to adequately protect the Personal Data Processed on behalf against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. US, provided that Braintree ensures that the organizations hosting that Persona Data Controller against misuse and loss in accordance with have been certified as fulfilling the requirements of the U.S. EU Safe Harbour Framework with respect to any processing of any such Personal Data. In respect of the provisions of the Braintree Payment Services, and in all instances in which the Merchant is a Data Controller, the Merchant warrants and undertakes to Braintree that it has satisfied the appropriate Data Protection Laws and Regulations. An overview Requirements regarding the disclosure of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 to this Addendum. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller‘s such Personal Data against misuse to Braintree for the purposes of providing the Braintree Payment Services including any complying with any appropriate notice or consent requirements. Braintree will Process Customer Data for internal usage, including but not limited to, data analytics and loss as metrics so long as such changes will not materially decrease the overall security of the Services during the subscription term;
3.4. that persons entrusted Customer Data has been anonymized and aggregated with the Processing of the Data Controller’s other customer data, i.e. no longer qualify as Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.5. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the obligations referred to in clause 3.3, or except as may be required by any law or regulation applicable to the Data Processor, its Representatives or Subprocessors;
3.6. that it will notify the Data Controller in writing and without undue delay about:Data.
Samples: Payment Services Agreement
Data Processing. The Data Processor agrees to Process the Personal Data to which this Addendum Agreement applies by reason of clause 2 in accordance with the terms and conditions set out in this AddendumAgreement, and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum Agreement, and all applicable data protection laws and solely for the Service Agreement are purposes (connected with provision of the Services by the Data Processor) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any manner except with the express prior written consent of the Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the Data Processor for the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separately. Instructions orally given shall be promptly confirmed in writing by the Data Controllerwriting. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to in which case the Data Processor prohibit such information on important grounds Controller is entitled to suspend the transfer of public interestData and/or terminate this Agreement. Where the Data Processor believes that compliance with any Instructions instructions by the Data Controller would result in a violation of Data Protection Laws and Regulationsany applicable law on data protection, the Data Processor shall notify the Data Controller thereof in writing without delaywithin a reasonable period of time;
3.2. that it has no reason to believe that any applicable law prevents it from fulfilling the Instructions received from the Data Controller and its obligations under this Agreement and that in the event of a change of any applicable law which is likely to have a substantial adverse effect on the obligations provided under this Agreement, it will promptly notify the Data Controller of the change as soon as it is aware of such change, in which case the Data Controller is entitled to suspend the transfer of Personal Data and/or terminate this Agreement;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take appropriate technical and organizational measures to adequately protect Personal Data Processed on behalf of the Data Controller against misuse and loss in accordance with the requirements of Data Protection Laws and Regulations. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 to this Addendum. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller‘s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security loss. An overview of the Services during the subscription termtechnical and organizational measures has been attached as Schedule 2 (Description of Technical and Organizational Measures) to this Agreement. The Data Processor regularly monitors compliance with these measures;
3.4. to ensure that persons each of its employees, agents and Subprocessors are made aware of its obligations under this Agreement with regard to the security and protection of the Personal Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this Agreement;
3.5. to ensure that any personnel entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation to maintain data secrecy shall survive the termination of the respective employment relationship;
3.6. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, its employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the binding obligations referred to in clause 3.3, 3.4 or 3.5 or except as may be required by any law or regulation;
3.7. that it will promptly notify the Data Controller about:
3.7.1. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
3.7.2. any substantial disruption of the Services or serious interruptions of the operations, any infringements by the Data Processor or its employees, of applicable data protection laws or of this Agreement, or any material irregularity in relation to the Processing of the Personal Data belonging to the Data Controller;
3.7.3. any Personal Data Breach of which it becomes aware. Such notification shall include, taking into account the nature of the Processing and the information available to the Data Processor, any information relevant to assist the Data Controller with its Representatives or Subprocessorsown notification obligations under applicable law:
3.7.4. any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so in writing by the Data Controller;
3.8. in the event of the exercise by Data Subjects of any of their rights under applicable law in relation to the Personal Data (including rights to access, rectification, erasure, blocking, objection, restriction, data portability, and the right not to be subject to a decision based solely on automated Processing, including profiling), to inform the Data Controller as soon as possible, and the Data Processor further agrees to assist the Data Controller with all Data Subject requests which may be received from any Data Subject in relation to any Personal Data;
3.9. taking into account the nature of the Processing, to assist the Data Controller by appropriate technical and organisational measures, insofar this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down by applicable law;
3.10. to deal promptly and properly with all inquiries from the Data Controller relating to its Processing of the Personal Data, including making available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement or information necessary for the Data Controller to apply with applicable laws;
3.11. that it any Processing services carried out by a Subprocessor will notify be carried out in accordance with clause 6;
3.12. that the Data Processor has appointed a data protection officer to the extent this is required by applicable law. The Data Processor will provide the contact details of the appointed person; and
3.13. to assist the Data Controller in writing ensuring compliance with applicable law, including the obligation to carry out data protection impact assessments and without undue delay about:prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to the Data Processor.
Samples: Data Processing Agreement
Data Processing. The Data Processor agrees to Process the Personal Data to which this Addendum Agreement applies by reason of clause 2 in accordance with the terms and conditions set out in this AddendumAgreement, the applicable Privacy Laws and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Addendum. This Addendum Agreement, and all applicable data protection laws, including without limitation the CCPA and the Service Agreement are CPRA, and solely for the purposes (connected with provision of the Services by the Data Processor) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any manner except with the express prior written consent of the Data Controller’s complete and final documented Instructions at the time of execution of the Service Agreement to the . Data Processor shall not Process Personal Data for its own “commercial purposes,” as that term is defined in the Processing of Personal Data. Any additional or alternate Instructions must be agreed upon separatelyCCPA and the CPRA. Instructions orally given shall be promptly confirmed in writing by the Data Controllerwriting. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, unless laws applicable to in which case the Data Processor prohibit such information on important grounds Controller is entitled to suspend the transfer of public interestData and/or terminate this Agreement. Where the Data Processor believes that compliance with any Instructions instructions by the Data Controller would result in a violation of Data Protection Laws and Regulationsany applicable law on data protection, the Data Processor shall notify the Data Controller thereof in writing without delaywithin a reasonable period of time;
3.2. that it has no reason to believe that any applicable law prevents it from fulfilling the Instructions received from the Data Controller and its obligations under this Agreement and that in the event of a change of any applicable law which is likely to have a substantial adverse effect on the obligations provided under this Agreement, it will promptly notify the Data Controller of the change as soon as it is aware of such change, in which case the Data Controller is entitled to suspend the transfer of Personal Data and/or terminate this Agreement;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall take ensure appropriate technical and organizational measures are implemented and maintained to adequately protect the Data Controller‘s Personal Data Processed on behalf of the Data Controller against misuse unauthorized or unlawful processing and loss in accordance with the requirements of Data Protection Laws and Regulationsagainst accidental loss, destruction, damage, theft, alteration or disclosure. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 (Description of Technical and Organizational Measures) to this AddendumAgreement. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller‘s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security of the Services during the subscription term;
3.4. to ensure that persons each of its employees, agents and Subprocessors are made aware of its obligations under this Agreement with regard to the security and protection of the Personal Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this Agreement;
3.5. to ensure that any personnel entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation to maintain data secrecy shall survive the termination of the respective employment relationship;
3.6. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise, including without limitation in a manner that would constitute a “sale”, Selling, or Sharing of Personal Data under the CCPA and CPRA, without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, its employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the binding obligations referred to in clause 3.3, 3.4 or 3.5 or except as may be required by any law or regulation;
3.7. that it will promptly notify the Data Controller about:
3.7.1. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
3.7.2. any substantial disruption of the Services or serious interruptions of the operations, any infringements by the Data Processor or its employees, of applicable data protection laws or of this Agreement, or any material irregularity in relation to the Processing of the Personal Data belonging to the Data Controller;
3.7.3. any Personal Data Breach of which it becomes aware. Such notification shall include, taking into account the nature of the Processing and the information available to the Data Processor, any information relevant to assist the Data Controller with its own notification obligations under applicable law:
3.7.4. any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so in writing by the Data Controller;
3.8. in the event of the exercise by Data Subjects of any of their rights under applicable law in relation to the Personal Data (including rights to access, rectification, erasure, blocking, objection, restriction, data portability, and the right not to be subject to a decision based solely on automated Processing, including profiling), to inform the Data Controller as soon as possible; the Data Processor agrees to assist the Data Controller with all Data Subject requests related to personal data where the identity of the Data Subject has been verified by the Data Controller; the Data Processor shall fulfill the obligations of the Data Subject requests at the direction of the Data Controller, or enable the Data Controller to fulfill the obligation;
3.9. taking into account the nature of the Processing, to assist the Data Controller by appropriate technical and organizational measures, insofar this is possible, for the fulfillment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down by applicable law;
3.10. to deal promptly and properly with all inquiries from the Data Controller relating to its Processing of the Personal Data, including making available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement or information necessary for the Data Controller to comply with applicable laws and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
3.11. that any Processing services carried out by a Subprocessor will be carried out in accordance with clause 6;
3.12. that the Data Processor has appointed a data protection officer to the extent this is required by applicable law. The Data Processor will provide the contact details of the appointed person;
3.13. to assist the Data Controller in ensuring compliance with applicable law, including the obligation to carry out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to the Data Processor;
3.14. the Data Processor will not combine the Personal Data which the Data Processor receives from or on behalf of the Data Controller, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer, provided that the Data Controller may combine Personal Data to perform any Business Purpose in accordance with applicable data privacy laws.
Data Processing. The Data Processor agrees to Process the Personal Data to which this Agreement applies by reason of clause 2 in accordance with the terms and conditions set out in this Agreement, the applicable Privacy Laws and in particular the Data Processor agrees:
3.1. not to Process the Personal Data for any purpose other than the specific purpose of performing the Services set forth in this Addendum. The Data Processor also agrees it will not sell or rent the Personal Data for any purpose;
3.2. to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller’s Instructions based on this Agreement, and all applicable data protection laws, including without limitation the CCPA and the CPRA, and solely for the purposes (connected with provision of the Services by the Data Processor) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any manner except with the express prior written consent of the Data Controller. The Data Processor shall not Process Personal Data for its own “commercial purposes,” as that term is defined in the CCPA and the CPRA. Instructions orally given shall be promptly confirmed in writing. If the Data Processor cannot provide such compliance for whatever reasons, it agrees to promptly notify the Data Controller of its inability to comply, in which case the Data Controller is entitled to suspend the transfer of Data and/or terminate this Agreement. Where the Data Processor believes that compliance with any instructions by the Data Controller would result in a violation of any applicable law on data protection, the Data Processor shall notify the Data Controller thereof in writing within a reasonable period of time;
3.2. that it has no reason to believe that any applicable law prevents it from fulfilling the Instructions received from the Data Controller and its obligations under this Agreement and that in the event of a change of any applicable law which is likely to have a substantial adverse effect on the obligations provided under this Agreement, it will promptly notify the Data Controller of the change as soon as it is aware of such change, in which case the Data Controller is entitled to suspend the transfer of Personal Data and/or terminate this Agreement;
3.3. that within the Data Processor’s area of responsibility, the Data Processor shall structure its internal corporate organization to ensure compliance with the specific requirements of the protection of Personal Data. The Data Processor shall ensure appropriate technical and organizational measures are implemented and maintained to adequately protect the Data Controller’s Personal Data Processed on behalf of the Data Controller against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. An overview of the technical and organizational measures agreed at the time of execution of this Addendum between the Parties has been attached as Schedule 2 (Description of Technical and Organizational Measures) to this Agreement. The Data Processor regularly monitors compliance with these measures. The Data Processor may change the technical and organizational measures implemented to adequately protect the Data Controller’s Personal Data against misuse and loss as long as such changes will not materially decrease the overall security of the Services during the subscription term;
3.4. to ensure that each of its employees, agents and Subprocessors are made aware of its obligations under this Agreement with regard to the security and protection of the Personal Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this Agreement;
3.5. to ensure that any personnel entrusted with the Processing of the Data Controller’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation to maintain data secrecy shall survive the termination of the respective employment relationship;
3.6. not to divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise, including without limitation in a manner that would constitute a “sale”, Selling, or Sharing of Personal Data under the CCPA and CPRA, without the express prior written consent of the Data Controller except to those of the Data Processor’s partners, officers, directors, its employees, accountants, attorneys, independent contractors, temporary employees, affiliates, agents or any other representatives that may from time to time be employed, retained by, working for, or acting on behalf of, the Data Processor with a bona fide need to have access to such Personal Data (collectively, “Representatives”) and Subprocessors who are engaged in the Processing of the Personal Data and are subject to the binding obligations referred to in clause 3.3, 3.4 or 3.5 or except as may be required by any law or regulation;
3.7. that it will promptly notify the Data Controller about:
3.7.1. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
3.7.2. any substantial disruption of the Services or serious interruptions of the operations, any infringements by the Data Processor or its employees, of applicable data protection laws or of this Agreement, or any material irregularity in relation to the Processing of the Personal Data belonging to the Data Controller;
3.7.3. any Personal Data Breach of which it becomes aware. Such notification shall include, taking into account the nature of the Processing and the information available to the Data Processor, any information relevant to assist the Data Controller with its own notification obligations under applicable law:
3.7.4. any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so in writing by the Data Controller;
3.8. in the event of the exercise by Data Subjects of any of their rights under applicable law in relation to the Personal Data (including rights to access, rectification, erasure, blocking, objection, restriction, data portability, and the right not to be subject to a decision based solely on automated Processing, including profiling), to inform the Data Controller as soon as possible; the Data Processor agrees to assist the Data Controller with all Data Subject requests related to personal data where the identity of the Data Subject has been verified by the Data Controller; the Data Processor shall fulfill the obligations of the Data Subject requests at the direction of the Data Controller, or enable the Data Controller to fulfill the obligation;
3.9. taking into account the nature of the Processing, to assist the Data Controller by appropriate technical and organizational measures, insofar this is possible, for the fulfillment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down by applicable law;
3.10. to deal promptly and properly with all inquiries from the Data Controller relating to its Processing of the Personal Data, including making available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement or information necessary for the Data Controller to comply with applicable laws and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
3.11. that any Processing services carried out by a Subprocessor will be carried out in accordance with clause 6;
3.12. that the Data Processor has appointed a data protection officer to the extent this is required by applicable law. The Data Processor will provide the contact details of the appointed person;
3.13. to assist the Data Controller in ensuring compliance with applicable law, including the obligation to carry out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to the Data Processor;
3.14. the Data Processor will not combine the Personal Data which the Data Processor receives from or on behalf of the Data Controller, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer, provided that the Data Controller may combine Personal Data to perform any Business Purpose in accordance with applicable data privacy laws.