Common use of PURPOSE OF THE SUPPLEMENT Clause in Contracts

PURPOSE OF THE SUPPLEMENT. This supplement (“Supplement”) is made under and forms an integral part of the DPA by and between the Parties. The terms and conditions of the DPA shall be applied to this Supplement and shall not be amended by this Supplement more than specified below. The Processor undertakes to process Personal Data on behalf of the Controller and in accordance with the terms and conditions of the DPA. The Parties agree the following: Controller As in Data Processing Agreement, page 1, section (a) Processor As in Data Processing Agreement, page 1, section (b) Processor's data protection officer or other person responsible for data protection See list of Data Protection Officers at xxxxxxxxx.xxx/xxxxx-xx/xxxx-xxxxxxxxxx/ Subject-matter of the processing of personal data The Personal data is processed for: • hosting services as stated and described in the main agreement Nature and Purposes of the processing The Personal Data is processed for the following purposes: • to be able to fulfill the obligations in the main agreement Duration of processing Personal Data shall be processed until the main agreement is terminated. Deletion of data in the services (e.g., web-based services offered by the Processor) should be executed by (a) the Controller, or (b) by the Processor up on request from the Controller Approved Sub-processors The following categories of Sub-processors may process the Personal Data: • AddSecure Group subsidiary companies: this covers the processing of Personal Data in order to manage and develop the Service • Service providers: this covers the processing of Personal Data in order to provide the Service Transfers of Personal Data Personal Data may be transferred to countries outside the EU/EEA Personal Data may not be transferred to countries outside the EU/EEA Instrument used for transfer of Personal Data EU Commission's Standard Contractual Clauses Binding Corporate Rules EU Commission decisions on the adequacy of the protection of personal data in third countries An exception of the Transfer of Personal Data applies if and when the Service is temporarily used outside EU/EEA. In such situations the derogations for specific situations (Article 49 GDPR) applies such as: a) the data subject has explicitly consented to the proposed transfer, b) the transfer is necessary for the performance of a contract between the data subject and the controller, or c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject. Geographic location of Personal Data The Personal Data will be processed (remotely accessed or hosted) in following countries or locations: European Union (EU) or European Economic Area (EEA) territory United States (enter Data Importer): Other territory (please specify and enter Data Importer): Data Security The Processor shall conduct the following additional Data Security measures: Pseudonymize the Personal Data Encrypt the Personal Data Additional data security requirements are agreed on in a separate Appendix to the Agreement or this Supplement. No additional Data Security measures requested Categories of Data Subjects The categories of Data Subjects (individuals) whose Personal Data is processed consist of the following: Employees (only valid if the Controller has uploaded such personal data to the Service) Customers (only valid if the Controller has uploaded such personal data to the Service) Other (please specify):

PURPOSE OF THE SUPPLEMENT. This supplement (“Supplement”) is made under and forms an integral part of the DPA by and between the Parties. The terms and conditions of the DPA shall be applied to this Supplement and shall not be amended by this Supplement more than specified below. The Processor undertakes to process Personal Data on behalf of the Controller and in accordance with the terms and conditions of the DPA. The Parties agree the following: Controller As in Data Processing Agreement, page 1, section (a) Processor As in Data Processing Agreement, page 1, section (b) Processor's data protection officer or other person responsible for data protection See list of Data Protection Officers at xxxxxxxxx.xxx/xxxxx-xx/xxxx-xxxxxxxxxx/ Subject-matter of the processing of personal data The Personal data is processed for: •  hosting services as stated and described in the main agreement Nature and Purposes of the processing The Personal Data is processed for the following purposes: •  to be able to fulfill the obligations in the main agreement Duration of processing Personal Data shall be processed until the main agreement is terminated. Deletion of data in the services (e.g., web-based services offered by the Processor) should be executed by (a) the Controller, or (b) by the Processor up on request from the Controller Approved Sub-processors The following categories of Sub-processors may process the Personal Data: •  AddSecure Group subsidiary companies: this covers the processing of Personal Data in order to manage and develop the Service •  Service providers: this covers the processing of Personal Data in order to provide the Service Transfers of Personal Data Personal Data may be transferred to countries outside the EU/EEA Personal Data may not be transferred to countries outside the EU/EEA Instrument used for transfer of Personal Data EU Commission's Standard Contractual Clauses Binding Corporate Rules EU Commission decisions on the adequacy of the protection of personal data in third countries An exception of the Transfer of Personal Data applies if and when the Service is temporarily used outside EU/EEA. In such situations the derogations for specific situations (Article 49 GDPR) applies such as: a) the data subject has explicitly consented to the proposed transfer, b) the transfer is necessary for the performance of a contract between the data subject and the controller, or c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject. Geographic location of Personal Data The Personal Data will be processed (remotely accessed or hosted) in following countries or locations: European Union (EU) or European Economic Area (EEA) territory United States (enter Data Importer): Other territory (please specify and enter Data Importer): Data Security The Processor shall conduct the following additional Data Security measures: Pseudonymize the Personal Data Encrypt the Personal Data Additional data security requirements are agreed on in a separate Appendix to the Agreement or this Supplement. No additional Data Security measures requested Categories of Data Subjects The categories of Data Subjects (individuals) whose Personal Data is processed consist of the following: Employees (only valid if the Controller Processor has uploaded such personal data to the Service) Customers (only valid if the Controller Processor has uploaded such personal data to the Service) Other (please specify):

PURPOSE OF THE SUPPLEMENT. This supplement (“Supplement”) is made under and forms an integral part of the DPA by and between the Parties. The terms and conditions of the DPA shall be applied to this Supplement and shall not be amended by this Supplement more than specified below. The Processor undertakes to process Personal Data on behalf of the Controller and in accordance with the terms and conditions of the DPA. The Parties agree the following: Controller As in Data Processing Agreement, page 1, section (a) Processor As in Data Processing Agreement, page 1, section (b) Processor's data protection officer or other person responsible for data protection See list of Data Protection Officers at xxxxxxxxx.xxx/xxxxx-xx/xxxx-xxxxxxxxxx/ Subject-matter of the processing of personal data The Personal data is processed for: •  hosting services as stated and described in the main agreement Nature and Purposes of the processing The Personal Data is processed for the following purposes: •  to be able to fulfill the obligations in the main agreement Duration of processing Personal Data shall be processed until the main agreement is terminated. Deletion of data in the services (e.g., web-based services offered by the Processor) should be executed by (a) the Controller, or (b) by the Processor up on request from the Controller Approved Sub-processors The following categories of Sub-processors may process the Personal Data: •  AddSecure Group subsidiary companies: this covers the processing of Personal Data in order to manage and develop the Service •  Service providers: this covers the processing of Personal Data in order to provide the Service Transfers of Personal Data Personal Data may be transferred to countries outside the EU/EEA Personal Data may not be transferred to countries outside the EU/EEA Instrument used for transfer of Personal Data EU Commission's Standard Contractual Clauses Binding Corporate Rules EU Commission decisions on the adequacy of the protection of personal data in third countries An exception of the Transfer of Personal Data applies if and when the Service is temporarily used outside EU/EEA. In such situations the derogations for specific situations (Article 49 GDPR) applies such as: a) the data subject has explicitly consented to the proposed transfer, b) the transfer is necessary for the performance of a contract between the data subject and the controller, or c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject. Geographic location of Personal Data The Personal Data will be processed (remotely accessed or hosted) in following countries or locations: European Union (EU) or European Economic Area (EEA) territory United States (enter Data Importer):  Microsoft  Twilio (only applies for Services offered by AddSecure Smart Rescue)  Connexas (only applies for Services offered by AddSecure Smart Transport) Other territory (please specify and enter Data Importer): Data Security The Processor shall conduct the following additional Data Security measures: Pseudonymize the Personal Data Encrypt the Personal Data Additional data security requirements are agreed on in a separate Appendix to the Agreement or this Supplement. No additional Data Security measures requested Categories of Data Subjects The categories of Data Subjects (individuals) whose Personal Data is processed consist of the following: Employees (only valid if the Controller Processor has uploaded such personal data to the Service) Customers (only valid if the Controller Processor has uploaded such personal data to the Service) Other (please specify):

PURPOSE OF THE SUPPLEMENT. This supplement (“Supplement”) is made under and forms an integral part of the DPA by and between the Parties. The terms and conditions of the DPA shall be applied to this Supplement and shall not be amended by this Supplement more than specified below. The Processor undertakes to process Personal Data on behalf of the Controller and in accordance with the terms and conditions of the DPA. The Parties agree the following: Controller As in Data Processing Agreement, page 1, section (a) Processor As in Data Processing Agreement, page 1, section (b) Processor's data protection officer or other person responsible for data protection See list of Data Protection Officers at xxxxxxxxx.xxx/xxxxx-xx/xxxx-xxxxxxxxxx/ Subject-matter of the processing of personal data The Personal data is processed for: •  hosting services as stated and described in the main agreement Nature and Purposes of the processing The Personal Data is processed for the following purposes: •  to be able to fulfill the obligations in the main agreement Duration of processing Personal Data shall be processed until the main agreement is terminated. Deletion of data in the services (e.g., web-based services offered by the Processor) should be executed by (a) the Controller, or (b) by the Processor up on request from the Controller Approved Sub-processors The following categories of Sub-processors may process the Personal Data: •  AddSecure Group subsidiary companies: this covers the processing of Personal Data in order to manage and develop the Service •  Service providers: this covers the processing of Personal Data in order to provide the Service Transfers of Personal Data Personal Data may be transferred to countries outside the EU/EEA Personal Data may not n ot be transferred to countries outside the EU/EEA Instrument used for transfer of Personal Data EU Commission's Standard Contractual Clauses Binding Corporate Rules EU Commission decisions on the adequacy of the protection of personal data in third countries An exception of the Transfer of Personal Data applies if and when the Service is temporarily used outside EU/EEA. In such situations the derogations for specific situations (Article 49 GDPR) applies such as: a) the data subject has explicitly consented to the proposed transfer, b) the transfer is necessary for the performance of a contract between the data subject and the controller, or c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject. Geographic location of Personal Data The Personal Data will be processed (remotely accessed or hosted) in following countries or locations: European Union (EU) or European Economic Area (EEA) territory United States (enter Data Importer): Other territory (please specify and enter Data Importer): Data Security The Processor shall conduct the following additional Data Security measures: Pseudonymize the Personal Data Encrypt the Personal Data Additional data security requirements are agreed on in a separate Appendix to the Agreement or this Supplement. No additional Data Security measures requested Categories of Data Subjects The categories of Data Subjects (individuals) whose Personal Data is processed consist of the following: Employees (only valid if the Controller Processor has uploaded such personal data to the Service) Customers (only valid if the Controller Processor has uploaded such personal data to the Service) Other (please specify):