DATA PROCESSOR’S OBLIGATIONS.

4.1 The Parties agree that the subject-matter and duration of Processing performed by the Data Processor under this Processing Agreement and the Purchase Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A.

4.2 As part of the Data Processor providing the Services to the Data Controller under the Purchase Agreement, Data Processor shall comply with the obligations imposed upon it under GDPR Articles 28 - 32 and agrees and declares as follows:

(a) The Data Processor shall process Personal Data in accordance with the instructions set forth in this Processing Agreement;

(b) the Data Processor shall ensure that all staff and management of the Data Processor are fully aware of their responsibilities to protect Personal Data in accordance with this Processing Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with GDPR Article 28(3)(b);

(c) the Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with GDPR Article 32 against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (Data Security Breach), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, including data security consistent with the Humly’s Data Security Standards;

(d) the Data Processor shall notify the Data Controller in accordance with GDPR Article 33(2), without undue delay but in any event within 48 hours, in the event of a confirmed Data Security Breach affecting the Data Controller’s Services Data and to cooperate with the Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, the Data Processor shall cooperate with the Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under GDPR;

(e) the Data Processor shall comply with the requirements of Clause 5 when engaging a Sub-Processor;

(f) taking into account the nature of the Processing, the Data Processor shall assist the Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under GDPR (a “Data Subject Request”). In the event the Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller. However, in the event the Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to the Data Controller, the Data Processor, shall, on the Data Controller’s written request and the Data Controller’s instruction to the Data Processor, and at the Data Processor’s reasonable expense (scoped prior to the Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under GDPR;

(g) upon request, the Data Processor shall provide the Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to the Data Processor, to help the Data Controller to conduct any data protection impact assessment or Supervisory Authority consultation it is required to conduct under GDPR;

(h) upon termination of the Data Controller’s access to and use of the Services, the Data Processor shall comply with the requirements of Clause 9;

(i) the Data Processor shall comply with the requirements of Clause 6 to make available to the Data Controller information that demonstrates the Data Processor’s compliance with this Processing Agreement; and

(j) the Data Processor shall appoint a security officer who will act as a point of contact for the Data Controller, and coordinate and control compliance with this Processing Agreement.

4.3 The Data Processor shall immediately inform the Data Controller if, in its opinion, the Data Controller’s processing instructions infringe any law or regulation. In such event, the Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
DATA PROCESSOR’S OBLIGATIONS.

3.1 Data Processor shall only Process Customer Personal Data on behalf of Data Controller and in accordance with, and for the purposes set out in the documented instructions received from Data Controller from time to time. If Data Processor cannot provide such compliance for whatever reason (including if the instruction violates Applicable Data Protection Laws), it agrees to inform Data Controller of its inability to comply as soon as reasonably practicable.

3.2 Data Processor shall ensure that its personnel who are authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Data Processor shall hold in force for the term of this Agreement specific technical and organizational security measures required by the GDPR.

3.4 Data Processor shall notify Data Controller promptly upon receipt by Data Processor of a request from an individual seeking to exercise any of their rights under Applicable Data Protection Laws.

Taking into account the nature of the processing, Data Processor shall, at Data Controller’s expense, assist Data Controller (including by appropriate technical and organizational measures), for the fulfilment of Data Controller’s obligation to respond to requests by Data Subjects to exercise their rights under Chapter III of the GDPR (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing). Data Processor shall carry out a request from Data Controller to amend, correct, block, transfer or delete any of the Customer Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a data controller.

3.5 Taking into account the nature of the Processing under the Master Services Agreement and the information available to Data Processor, Data Processor shall, insofar as possible and at Data Controller’s expense, assist Data Controller in carrying out its obligations under Articles 32 to 36 of the GDPR and any other Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. Data Processor shall promptly notify Data Controller about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data or any accidental or unauthorized access or any other event affecting the integrity, availability or confidentiality of Customer Personal Data.

3.6 Upon termination of the Processing of Personal Data by Data Processor and at the choice of Data Controller, Data Processor shall either (i) delete all Customer Personal Data; or (ii) return all Customer Personal Data to the Data Controller and delete existing copies unless applicable law requires storage of the Customer Personal Data.

3.7 Data Processor shall upon written request from Data Controller from time to time provide Data Controller with all information necessary to demonstrate compliance with the obligations laid down in this Agreement. Data Processor shall permit Data Controller or a third party authorized by it and which is not a competitor of Data Processor, to carry out audits and inspections of the processing of Customer Personal Data by the Data Processor on reasonable notice in normal business hours. Data Processor may require a third party auditor to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. Unless such audit or inspection has been necessitated by a material breach by Data Processor of the terms of this Agreement, such audits and inspections shall be carried out at Data Controller’s expense.

3.8 Data Controller acknowledges and agrees that Data Processor may, or may appoint an affiliate or third party subcontractor to, Process the Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of Applicable Data Protection Laws. Data Controller hereby consents to Data Processor’s access to Customer Personal Data from the United States to the extent necessary for Data Processor to provide the Services.

3.9 Where Data Processor processes, accesses, and/or stores Customer Personal Data in any Third Country, the Data Processor shall comply with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of this Agreement. The processing details set out at paragraphs a) to d) of the first page of this Agreement shall apply for the purposes of Appendix 1 of the Model Clauses and the terms of the Security Policy apply for the purposes of Appendix 2 of the Model Clauses. Data Controller hereby grants Data Processor a mandate to execute the Model Clauses, for and on behalf of Data Controller, with any relevant subcontractor (including affiliates) it appoints.

3.10 Data Controller acknowledges and agrees that Data Processor relies solely on Data Controller for direction as to the extent to which Data Processor is entitled to access, use and process Customer Personal Data. Consequently, Data Processor is not liable for any claim brought by Data Controller or a data subject arising from any action or omission by Data Processor to the extent that such action or omission resulted from Data Controller’s instructions.
DATA PROCESSOR’S OBLIGATIONS.

3.1 Data Processor shall only Process Personal Data on behalf of Data Controller and in accordance with, and for the purposes set out in, the documented instructions received from Data Controller from time to time. If Data Processor cannot provide such compliance for whatever reason (including if the instruction violates Applicable Data Protection Laws), it agrees to inform Data Controller of its inability to comply as soon as reasonably practicable at the email address provided by Data Controller to Data Processor unless such law prohibits such information on important grounds of public interest.

3.2 Data Processor shall ensure that its personnel who are authorized to Process or Sell Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Data Processor shall hold in force for the term of this Addendum specific technical and organizational security measures required by Applicable Data Protection Laws which are further detailed at xxxxx://xxx.xxxxxxxxx.xxx/privacy/information-security-policy (the “Security Policy”).

3.4 Data Processor shall notify Data Controller promptly upon receipt by Data Processor of a request from a Data Subject seeking to exercise any of their rights under Applicable Data Protection Laws.

Taking into account the nature of the processing, Data Processor shall, at Data Controller’s expense, assist Data Controller (including by appropriate technical and organizational measures), for the fulfillment of Data Controller’s obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing) and any other Applicable Data Protection Laws. Data Processor shall carry out a request from Data Controller to amend or correct any of the Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities under Applicable Data Protection Laws. Further, Data Processor shall carry out a request from Data Controller to block, transfer or delete any of the Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a Data Controller.

3.5 Taking into account the nature of the Processing under the Terms of Service and the information available to Data Processor, Data Processor shall, insofar as possible and at Data Controller’s expense, assist Data Controller in carrying out its obligations under Applicable Data Protection Laws, including Articles 32 to 36 of the GDPR, with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. Data Processor shall promptly notify Data Controller about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data or any accidental or unauthorized access or any other event affecting the integrity, availability or confidentiality of Personal Data, as required by Applicable Data Protection Laws.

3.6 Upon termination of the Processing of Personal Data by Data Processor and at the choice and expense of Data Controller, Data Processor shall either (i) delete all Personal Data; or (ii) return all Personal Data to the Data Controller and delete existing copies unless otherwise permitted or required by Applicable Data Protection Laws. To the extent any Personal Data is “deidentified” or in the “aggregate” as those terms are defined under Applicable Data Protection Laws, Data Processor may use such information for any commercial purpose in accordance with Applicable Data Protection Laws, including but not limited to developing analytics, and may retain, use and disclose such information for such purpose, without restriction.

3.7 Data Controller may collect voluntary disclosures from the Data Processor or request the Data Processor to provide an expert opinion that proves compliance with their obligations under this Addendum or Applicable Data Protection Laws. If Data Controller has a good faith and reasonable belief that the voluntary disclosures or the expert opinion are not reasonably sufficient to prove Data Processor’s compliance with Applicable Data Protection Laws, Data Processor shall, subject to reasonable advance notice, permit the Data Controller or a third-party authorized by the Data Controller and which is not a competitor of Data Processor to carry out the audits and inspections of the processing of Personal Data by the Data Processor during normal business hours. Data Processor may require a third-party auditor to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. The auditing party shall bear its own costs in relation to such audit. The obligations set forth in this Section 3.7 shall only apply to Data Processor to the extent required by Applicable Data Protection Laws.

3.8 Data Controller acknowledges and agrees that Data Processor may, or may appoint an Affiliate or third-party subcontractor to, Process the Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of Applicable Data Protection Laws. Data Controller hereby consents to Data Processor’s access to Data Subject Personal Data from the United States to the extent necessary for Data Processor to provide the Services.

3.9 The Data Controller acknowledges and agrees that the Data Processor may process the Data Subject Personal Data in the United States in accordance with the data importer’s obligations set out in the Applicable Data Protection Laws, the Terms of Service and this Addendum.

3.10 Data Controller acknowledges and agrees that Data Processor relies solely on Data Controller for direction as to the extent to which Data Processor is entitled to access, use, Process and Sell Personal Data. Consequently, Data Processor is not liable for any claim brought by Data Controller or a Data Subject arising from any action or omission by Data Processor to the extent that such action or omission resulted from Data Controller’s instructions.
DATA PROCESSOR’S OBLIGATIONS.

3.1 Data Processor shall only Process Personal Data on behalf of the Data Controller and in accordance with, and for the purposes set out in the documented instructions received from the Data Controller from time to time and the terms of this Agreement; if it cannot comply with such instructions and/or the terms of the Agreement for whatever reason (including if the instruction violates the Applicable Data Protection Laws), it agrees to inform the Data Controller promptly of its inability to comply, in which case the Data Controller is entitled to suspend the Processing. In no circumstances shall the Data Processor be entitled to Process the Personal Data for its own purposes.

3.2 Data Processor warrants that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Controller and its obligations under this Agreement and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Agreement, it will promptly notify the change to the Data Controller as soon as it is aware, in which case the Data Controller is entitled to suspend the transfer and Processing of Personal Data.

3.3 The Data Processor shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of this Agreement.

3.4 Data Processor shall ensure that its personnel authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.5 Before Processing Data Controller’s Personal Data, Data Processor shall implement, and ensure that its authorised personnel comply with, appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as well as ensuring that those measures continue to provide an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing as set out in Schedule 3, or otherwise agreed and documented between the Data Controller and Data Processor from time to time, and shall continue to comply with them during the term of this Agreement. Such measures shall include, as appropriate to the risk:

(i) the pseudonymisation and encryption of the Personal Data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

3.6 Data Processor shall provide data protection and security training to those persons authorised to access the Personal Data and keep a copy of the documentation that evidences the same.

3.7 Data Processor shall promptly notify and assist the Data Controller about any legally binding request for disclosure of Data Controller’s Personal Data by a regulatory body, government agency, or law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. The Data Processor shall review the legality of any such request for disclosure and shall challenge the request if it considers there are reasonable grounds to do so; it shall provide the minimum amount of information permissible when responding to such a request. The Data Processor will provide relevant information about disclosure requests to the Data Controller, including in relation to its legality review and any challenges to the request.

3.8 In the event that Data Processor directly receives a request from a Data Subject for access to that Data Subject’s Personal Data, or for the rectification or erasure of such Personal Data, or any other request or query from a Data Subject relating to its own Personal Data (including Data Subjects’ exercising rights under Applicable Data Protection Laws, such as rights of objection, restriction of processing, data portability or the right not to be subject to automated decision making) (a “Data Subject Request”), Data Processor will:

(i) notify the Data Controller immediately of the Data Subject Request (without responding to that Data Subject Request, unless it has been otherwise authorised by the Data Controller to do so);

(ii) provide details of the Data Subject Request (and any other relevant information the Data Controller may reasonably request) to the Data Controller within [3] business days of receipt of the Data Subject Request; and

(iii) provide such assistance to the Data Controller as that Data Controller may require for the purposes of responding to the Data Subject Request and to enable that Data Controller to comply with all obligations which arise as a result thereof.

3.9 Data Processor shall deal promptly and properly with all inquiries from Data Controller relating to its Processing of that Data Controller’s Personal Data and abide by any specific advice that the Regulator addresses to Data Processor with regard to the Processing of such Personal Data.

3.10 Data Processor shall upon written request from Data Controller from time to time provide that Data Controller with all information necessary to demonstrate Data Processor or Data Controller's compliance with Applicable Data Protection Laws, including of the measures Data Processor has taken to comply with its obligations under this Agreement, and will at its own cost implement any further steps that are necessary to ensure compliance.

3.11 Data Processor shall keep appropriate documentation of the Processing it carries out under this Agreement and shall also inform Data Controller if it becomes aware of any Applicable Data Protection Laws that prevent it from fulfilling its obligations under
(j) the Data Processor shall appoint a security officer who will act as a point of contact for the Data Controller, and coordinate and control compliance with this Processing Agreement.
4.3 The 3.12 Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.
3.13 [Data Processor shall permit Data Controller at any time upon [seven (7)] days’ notice, to be given in writing, to have access to the appropriate part of Data Processor’s premises, systems, equipment, and other materials and data Processing facilities to enable the Data Controller (or its designated representative) to inspect or audit the same for the purposes of monitoring compliance with Data Processor’s obligations under this Agreement. Such inspection shall:
(i) be carried out by Data Controller or an inspection body composed of independent members and in possession of the required professional qualifications and bound by a duty of confidentiality, selected by the Data Controller’s processing instructions infringe any law or regulation. In such event, where applicable, in agreement with the Regulator; and
(ii) not relieve Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulationof its obligations under this Agreement.]
Appears in 1 contract
Samples: Data Processing Agreement
3.1 The Data Processor shall only process Personal Data under the Master Subscription Agreement for the limited and specific purpose of performing the services provided for in the Master Subscription Agreement, and at all times in compliance with Applicable Data Protection Laws, and shall provide the same level of privacy protection as is required by Applicable Data Protection Laws. The Data Processor shall notify the Data Controller without undue delay if the Data Processor makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws. To the extent required by Applicable Data Protection Laws, the Data Controller shall have the right to take reasonable and appropriate steps to help ensure that the Data Processor uses the Personal Data in a manner consistent with the Data Controller’s obligations under Applicable Data Protection Laws and stop and remediate any unauthorized use of the Personal Data.
3.2 The Data Processor shall only retain, use, disclose, and otherwise Process Personal Data on behalf of the Data Controller(s) and in accordance with, and for the business purposes set out in, the documented instructions received from the Data Controller(s) unless required to Process such Personal Data by applicable law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller(s) of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.3 To the extent required by Applicable Data Protection Laws, the Data Processor is prohibited from selling the Personal Data; sharing the Personal Data for cross-context behavioral advertising purposes; retaining, using, or disclosing the Personal Data outside of the direct business relationship between Data Processor and Data Controller; and combining the Personal Data received from Data Controller with any Personal Data that may be collected from Data Processor’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources.
3.4 The Data Processor shall ensure that its personnel authorised to Process the Personal Data have committed themselves to confidentiality.
3.5 The Data Processor shall implement reasonable technical and organisational measures to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure, taking into account the nature of the Personal Data, the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing as set out in Schedule 3, or otherwise agreed and documented between the Data Controller and Data Processor from time to time.
3.6 The Data Processor shall without undue delay notify the relevant Data Controller(s) about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data belonging to the Data Controller(s) or any accidental or unauthorised access or any other event affecting the integrity, availability or confidentiality of the Personal Data belonging to the Data Controller(s) (with further information about the breach provided in phases as more details become available).
3.7 The Data Processor shall upon written request from any Data Controller from time to time provide that Data Controller with such information as is reasonably necessary to demonstrate compliance with the obligations laid down in this Agreement.
3.8 Upon reasonable request of the Data Controller, the Data Processor shall make available to Data Controller all information in its possession necessary to demonstrate the Data Processor’s compliance with its obligations under Applicable Data Protection Laws. The Data Processor shall allow and cooperate with assessments by the Data Controller or the designated auditor, at the Data Controller’s expense, of the Data Processor’s compliance with its obligations under this Agreement and Applicable Data Protection Laws. The Data Controller shall be permitted to conduct such an assessment no more than once every twelve months, upon thirty days’ advance written notice to the Data Processor, and only after the parties come to agreement on the scope of the audit. As an alternative to an audit performed by or at the direction of the Data Controller, the Data Processor may arrange for a qualified and independent auditor to conduct, at the Data Processor’s expense, an assessment of the Data Processor’s policies and technical and organizational measures in support of its obligations under Applicable Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and will provide the Data Controller with a report of such assessment upon reasonable request. Notwithstanding the foregoing, in no event shall the Data Processor be required to give the Data Controller access to information, facilities, or systems to the extent doing so would cause the Data Processor to be in violation of confidentiality obligations owed to other customers or its legal obligations.
Appears in 1 contract
Samples: Data Processing Agreement
3.1 The Data Processor may sub-contract its duties or obligations arising under this data processing agreement in accordance with the terms of this agreement. Details regarding any changes to sub-contracting relationships (if any) will be supplied to the Data Controller as appropriate.
3.2 The Data Processor shall:
3.2.1 only process the Personal Data in accordance with the terms of this agreement or any further documented instructions from the Data Controller and solely in relation to the performance thereof. The Schedule sets out the type of Personal Data to be processed and the nature and purpose of the processing. If in the reasonable opinion of the Data Processor any such term or instruction infringes the General Data Protection Regulations (“GDPR”) the Data Processor shall inform the Data Controller of such infringement and may suspend its processing without being in breach of the Contract;
3.2.2 ensure that all persons employed to process the Personal Data have been required to commit themselves in writing via an employment agreement or some other contractual document to confidentiality;
3.2.3 assess and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the Data Subject represented by the processing, including as appropriate:
a) the pseudonymisation and/or encryption of Personal Data;
b) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.2.4 The Data Processor shall, taking into account the nature of the processing, assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, to enable the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR;
3.2.5 The Data Processor shall assist the Data Controller in the compliance of its obligations pursuant to Articles 32-36 of the GDPR;
3.2.6 The Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of the Services, and delete existing copies unless copies of the Personal Data need to be retained for compliance with the Data Processor’s statutory obligations.
3.2.7 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and, if requested, contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
3.2.8 Where the Data Processor engages a sub-processor to carry out specific processing activities on behalf of the Data Controller, the Data Processor must enter into a contract with the sub-processor on terms mirroring those contained in this data processing agreement insofar as they relate to data processing. The Data Processor shall remain fully liable to the Data Controller for the performance of the sub-processor’s obligations.
3.2.9 The Data Processor must keep electronic records of its processing activities performed on behalf of the Data Controller, including:
a) the details of the Data Controller/Data Processor and any representatives, sub-processors and data protection officers;
b) the categories of processing activities performed;
c) information regarding cross-border data transfers, if any; and
d) a description of the technical and organisational security measures implemented in respect of the processed data.
3.2.10 The Data Processor must notify any Data Breach to the Data Controller (at the Data Protection Officer details in the Schedule below) as soon as possible after it becomes aware of the same. Such notice can be given verbally but must be followed up in writing within 24 hours with the following details: the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
3.2.11 Regarding transfers of Personal Data to a third country or an international organisation, such shall only be undertaken on the instruction of the Data Controller save where the Data Processor is required to do so by law; in which case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Appears in 1 contract
Samples: Master Services Agreement