Common use of Place of jurisdiction Clause in Contracts

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Client Udine , date 05.05.2021 Gunzenhausen, date 27/02/2021 Client 05/02/2021 Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client Supplier is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 16/12/2019 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Oslo , date 21/2/2020 Gunzenhausen, date 27/02/2021 21/02/2020 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 12/09/2021 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties IBBS Members I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes 8 / 11 • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Cham , date 19.10.2022 Gunzenhausen, date 27/02/2021 19/10/2022 Xxxxxx XX Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees • Third parties included in reports 7 / 12 I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 16/05/2023 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Client , date Gunzenhausen, date 27/02/2021 Client 16.03.18 Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Saint-Petersburg , date 12.05.2019 Client Gunzenhausen, date 27/02/2021 Client 16.03.18 Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes 8 / 11 • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Visitor logs • Talkwalker service personal data • Talkwalker employees personal data Affected People Those affected as a result of this additional agreement include: • The Client's Users having published information on social media or on the internet • Talkwalker customers and interested parties users • Talkwalker employees • Website visitors 7 / 11 I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Nürnberg and Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 26/10/2020 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 10/04/2024 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx Falkenstein and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx Falkenstein and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 21/02/2024 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx Falkenstein and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx Falkenstein and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 27/02/2021 03/04/2024 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Xxxxxxxxxxx Falkenstein and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Xxxxxxxxxxx Falkenstein and Helsinki • Drives that were in operation on canceled servers will be swiped multiple times wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.