Common use of Reviews and Audits of Compliance Clause in Contracts

Reviews and Audits of Compliance.

2.2.1 Customer may audit Virsae’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Customer’s supervisory authority. Virsae will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit.

2.2.2 If a third party is to conduct the audit, Virsae may object to the auditor if the auditor is, in Virsae’s reasonable opinion, not independent, a competitor of Virsae, or otherwise manifestly unsuitable. Such objection by Virsae will require Customer to appoint another auditor or conduct the audit itself.

2.2.3 To request an audit, Customer must submit a detailed proposed audit plan to Virsae at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Virsae will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Virsae security, privacy, employment or other relevant policies). Virsae will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.2 shall require Virsae to breach any duties of confidentiality.

2.2.4 If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Virsae has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report lieu of requesting an audit of such controls or measures.

2.2.5 The audit must be conducted during regular business hours, subject to the agreed final audit plan and Virsae’s safety, security or other relevant policies, and may not unreasonably interfere with Virsae business activities.

2.2.6 Customer will promptly notify Virsae of any non-compliance discovered during the course of an audit and provide Virsae any audit reports generated in connection with any audit under this Section 2.2, unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum.

2.2.7 Any audits are at Customer’s expense. Customer shall reimburse Virsae for any time expended by Virsae or its Third Party Subprocessors in connection with any audits or inspections under this Section 2.2 at Virsae’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Virsae to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

Appears in 3 contracts

Samples: Data Protection Addendum, Data Protection Addendum, Data Protection Addendum

Reviews and Audits of Compliance. 2.2.1 Customer may audit VirsaeProvider’s compliance with its obligations under this Addendum DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Customer’s any supervisory authorityauthority with competent jurisdiction. Virsae Provider will contribute to such audits by providing Customer or Customer’s such supervisory authority with the information and assistance reasonably necessary to conduct the audit. 2.2.2 . If a third party is to conduct the audit, Virsae Provider may object to the auditor if the auditor is, in VirsaeProvider’s reasonable opinion, not independent, a competitor of VirsaeProvider, or otherwise manifestly unsuitable. Such objection by Virsae Provider will require Customer to appoint another auditor or conduct the audit itself. 2.2.3 . To request an audit, Customer must submit a detailed proposed audit plan to Virsae Provider at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Virsae Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Virsae Provider security, privacy, employment or other relevant policies). Virsae Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.2 2(b) shall require Virsae Provider to breach any duties of confidentiality. 2.2.4 . 
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Virsae Provider has confirmed there are have been no known material changes in the controls auditedaudited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. 2.2.5 . The audit must be conducted during regular business hours, subject to the agreed final audit plan and VirsaeProvider’s safety, security or other relevant policies, and may not unreasonably interfere with Virsae Provider business activities. 2.2.6 . Customer will promptly notify Virsae Provider of any non-compliance discovered during the course of an audit and provide Virsae Provider any audit reports generated in connection with any audit under this Section 2.22(b), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. 2.2.7 DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Virsae Provider for any time expended by Virsae or its Third Party Subprocessors Provider and any third parties in connection with any audits or inspections under this Section 2.2 2(b) at VirsaeProvider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Virsae to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

Appears in 2 contracts

Samples: Data Processing Agreement, Data Processing Agreement

Reviews and Audits of Compliance. 2.2.1 Customer Client may audit VirsaeCultivate’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by CustomerClient’s supervisory authority. Virsae Cultivate will contribute to such audits by providing Customer Client or CustomerClient’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. 2.2.2 If a third party is to conduct the audit, Virsae Cultivate may object to the auditor if the auditor is, in VirsaeCultivate’s reasonable opinion, not independent, a competitor of VirsaeCultivate, or otherwise manifestly unsuitable. Such objection by Virsae Cultivate will require Customer Client to appoint another auditor or conduct the audit itself. 2.2.3 To request an audit, Customer Client must submit a detailed proposed audit plan to Virsae Cultivate at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Virsae Cultivate will review the proposed audit plan and provide Customer Client with any concerns or questions (for example, any request for information that could compromise Virsae Cultivate security, privacy, employment or other relevant policies). Virsae Cultivate will work cooperatively with Customer Client to agree on a final audit plan. Nothing in this Section 2.2 shall require Virsae Cultivate to breach any duties of confidentiality. 
2.2.4 If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Virsae has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report lieu of requesting an audit of such controls or measures. 2.2.5 The audit must be conducted during regular business hours, subject to the agreed final audit plan and Virsae’s safety, security or other relevant policies, and may not unreasonably interfere with Virsae business activities. 2.2.6 Customer will promptly notify Virsae of any non-compliance discovered during the course of an audit and provide Virsae any audit reports generated in connection with any audit under this Section 2.2, unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. 2.2.7 Any audits are at Customer’s expense. Customer shall reimburse Virsae for any time expended by Virsae or its Third Party Subprocessors in connection with any audits or inspections under this Section 2.2 at Virsae’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Virsae to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

Appears in 1 contract

Samples: Data Protection Addendum

Reviews and Audits of Compliance. 2.2.1 Customer may audit VirsaeProvider’s compliance with its obligations under this Addendum DPA up to once per year and on such other occasions as may be required by European Applicable Data Protection Laws, including where mandated by Customer’s supervisory authoritySupervisory Authority. Virsae Provider will contribute to such audits by providing Customer or Customer’s supervisory authority Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. 2.2.2 If a third party is to conduct the audit, Virsae may object to the auditor if the auditor is, in Virsae’s reasonable opinion, not independent, a competitor of Virsae, or otherwise manifestly unsuitable. Such objection by Virsae will require Customer to appoint another auditor or conduct the audit itself. 2.2.3 To request an audit, Customer must submit a detailed proposed audit plan to Virsae Provider at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Virsae Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Virsae Provider security, privacy, employment or other relevant policies). Virsae Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.2 7 shall require Virsae Provider to breach any duties of confidentiality. 2.2.4 . 
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Virsae Provider has confirmed there are have been no known material changes in the controls auditedaudited since the date of such report, where permitted by law, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. 2.2.5 . The audit must be conducted during regular business hours, subject to the agreed final audit plan and VirsaeProvider’s safety, security or other relevant policies, and may not unreasonably interfere with Virsae Provider business activities. 2.2.6 . Customer will promptly notify Virsae Provider of any non-compliance discovered during the course of an audit and provide Virsae Provider any audit reports generated in connection with any audit under this Section 2.27, unless prohibited by European Applicable Data Protection Laws or otherwise instructed by a supervisory authoritySupervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. 2.2.7 DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Virsae for any time expended by Virsae or its Third Party Subprocessors in connection with any audits or inspections under this Section 2.2 at Virsae’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Virsae to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

Appears in 1 contract

Samples: Data Processing Addendum

Reviews and Audits of Compliance. 2.2.1 5.4.1 Customer may audit Virsae’s Blinkfire Analytics’ compliance with its obligations under this Addendum up to once per year and on such other occasions as may be year. In addition, to the extent required by European Data Protection LawsLegislation, including where mandated by Customer’s supervisory authority, Customer or Customer’s supervisory authority may perform more frequent audits (including inspections). Virsae Blinkfire Analytics will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services. 2.2.2 5.4.2 If a third party is to conduct the audit, Virsae Blinkfire Analytics may object to the auditor if the auditor is, in Virsae’s Blinkfire Analytics’ reasonable opinion, not suitably qualified or independent, a competitor of VirsaeBlinkfire Analytics, or otherwise manifestly unsuitable. Such objection by Virsae Blinkfire Analytics will require Customer to appoint another auditor or conduct the audit itself. 2.2.3 5.4.3 To request an audit, Customer must submit a detailed proposed audit plan to Virsae xxxxxxx@xxxxxxxxx.xxx addressed to the Chief Operating Officer at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereofdate. The proposed audit plan must describe the proposed scope, duration, duration and start date of the audit. 
Virsae Blinkfire Analytics will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Virsae Blinkfire Analytics security, privacy, employment or other relevant policies). Virsae Blinkfire Analytics will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.2 5.4 shall require Virsae Blinkfire Analytics to breach any duties of confidentiality. 2.2.4 5.4.4 If the controls or measures to be assessed in the requested audit are scope is addressed in an SOC 2 SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor (“Audit Reports”) within twelve (12) months of Customer’s audit request and Virsae has confirmed Blinkfire Analytics confirms there are no known material changes in the controls audited, Customer agrees to accept such report those findings in lieu of requesting an audit of such the controls or measurescovered by the report. 2.2.5 5.4.5 The audit must be conducted during regular business hourshours at the applicable facility, subject to the agreed final audit plan and Virsae’s safety, security Blinkfire Analytics’ health and safety or other relevant policies, and may not unreasonably interfere with Virsae Blinkfire Analytics business activities. 2.2.6 5.4.6 Customer will promptly notify Virsae Blinkfire Analytics of any non-compliance discovered during the course of an audit and provide Virsae Blinkfire Analytics any audit reports generated in connection with any audit under this Section 2.25.4, unless prohibited by European Data Protection Laws Legislation or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. The audit reports are Confidential Information of the parties under the terms of the Agreement. 
2.2.7 5.4.7 Any audits are at Customer’s expense. Customer shall reimburse Virsae Blinkfire Analytics for any time expended by Virsae Blinkfire Analytics or its Third Party Subprocessors in connection with any audits or inspections under this Section 2.2 5.4 at Virsae’s Blinkfire Analytics’ then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. 5.4.8 The parties agree that this Section 5.4 shall satisfy Blinkfire Analytics’ obligations under the audit requirements of the Model Contractual Clauses applied to Data Importer under Clause 5(f) and to any Sub-processors under Clause 11 and Clause 12(2). Nothing in this Addendum shall To maintain such regularity and consistency, changes or additions to these audit obligations must be construed made pursuant to require Virsae to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customersModel Contract Clauses.

Appears in 1 contract

Samples: Data Protection Addendum

Reviews and Audits of Compliance. 2.2.1 i. Customer may audit VirsaeTx3’s compliance with its obligations under this Addendum DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Customer’s supervisory authority. Virsae Tx3 will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. 2.2.2 ii. If a third party is to conduct the audit, Virsae Tx3 may object to the auditor if the auditor is, in VirsaeTx3’s reasonable opinion, not independent, a competitor of VirsaeTx3, or otherwise manifestly unsuitable. Such objection by Virsae Tx3 will require Customer to appoint another auditor or conduct the audit itself. 2.2.3 To xxx. Xx request an audit, Customer must submit a detailed proposed audit plan to Virsae Tx3 at least two weeks thirty (30) days in advance of the proposed audit date and any third party auditor must sign a customary non-non- disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Virsae Tx3 will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Virsae Tx3 security, privacy, employment or other relevant policies). Virsae Tx3 will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.2 2 shall require Virsae Tx3 to breach any duties of confidentiality. 
2.2.4 If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Virsae has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report lieu of requesting an audit of such controls or measures. 2.2.5 iv. The audit must be conducted during Tx3’s regular business hours, subject to the agreed final audit plan and VirsaeTx3’s safety, security or other relevant policies, and may not unreasonably interfere with Virsae Tx3 business activities. 2.2.6 v. Customer will promptly notify Virsae Tx3 of any non-compliance discovered during the course of an audit and provide Virsae Tx3 any audit reports generated in connection with any audit under this Section 2.22, unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this AddendumDPA. 2.2.7 vi. Any audits are at Customer’s expense. Customer shall reimburse Virsae Tx3 for any time expended by Virsae Tx3 or its Third Party Subprocessors in connection with any audits or inspections under this Section 2.2 2 at VirsaeTx3’s then-current professional services Professional Services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum DPA shall be construed to require Virsae Tx3 to furnish more information about its Third Third-Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

Appears in 1 contract

Samples: Data Processing Agreement

Reviews and Audits of Compliance. 2.2.1 Customer may audit VirsaeProvider’s compliance with its obligations under this Addendum DPA up to once per year and on such other occasions as may be required by European Applicable Data Protection Laws, including where mandated by Customer’s supervisory authority. Virsae Provider will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. 2.2.2 . If a third party is to conduct the audit, Virsae Provider may object to the auditor if the auditor is, in VirsaeProvider’s reasonable opinion, not independent, a competitor of VirsaeProvider, or otherwise manifestly unsuitable. Such objection by Virsae Provider will require Customer to appoint another auditor or conduct the audit itself. 2.2.3 . To request an audit, Customer must submit a detailed proposed audit plan to Virsae Provider at least two weeks thirty (30) days in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Virsae Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Virsae Provider security, privacy, employment or other relevant policies). Virsae Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.2 7 shall require Virsae Provider to breach any duties of confidentiality. 2.2.4 . 
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Virsae Provider has confirmed there are have been no known material changes in the controls auditedaudited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. 2.2.5 . The audit must be conducted during regular business hours, subject to the agreed final audit plan and VirsaeProvider’s safety, security or other relevant policies, and may not unreasonably interfere with Virsae Provider business activities. 2.2.6 . Customer will promptly notify Virsae Provider of any non-compliance discovered during the course of an audit and provide Virsae Provider any audit reports generated in connection with any audit under this Section 2.27, unless prohibited by European Applicable Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. 2.2.7 DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Virsae Provider for any time expended by Virsae or its Third Party Subprocessors Provider and any third parties in connection with any audits or inspections under this Section 2.2 7 at VirsaeProvider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Virsae to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

Appears in 1 contract

Samples: Terms of Service

Reviews and Audits of Compliance. 2.2.1 i. Customer may audit VirsaeAssistiv’s compliance with its obligations under this Addendum up to DPA not more than once per year year, and on such other occasions as may be required by European Data Protection Laws, including where if mandated by Customer’s supervisory authority. Virsae will contribute to such audits by providing Customer or , at Customer’s supervisory authority sole cost, on no less than 15 days advanced written notice. Such audit must be conducted at Assistiv’s principal place of business, during regular business hours, subject to the agreed Final Audit Plan (defined below) and Assistiv’s safety, security or other relevant policies, and may not unreasonably interfere with the information and assistance reasonably necessary to conduct the auditXxxxxxxx’s business activities. 2.2.2 If a third party is to conduct the audit, Virsae may object to the auditor if the auditor is, in Virsae’s reasonable opinion, not independent, a competitor of Virsae, or otherwise manifestly unsuitableii. Such objection by Virsae will require Customer to appoint another auditor or conduct the audit itself. 2.2.3 To request an audit, Customer must submit a detailed proposed audit plan to Virsae Assistiv at least two weeks in advance of the proposed audit date and any third third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Virsae Assistiv will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Virsae Assistiv security, privacy, employment or other relevant policies). 
Virsae Assistiv will work cooperatively with Customer to agree on a final audit plan. “Final Audit Plan.” Nothing in this Section 2.2 4(c) shall require Virsae Assistiv to breach any duties of confidentiality. 2.2.4 iii. Assistiv will contribute to each audit by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party is to conduct the audit, Assistiv may object to the auditor within twelve (12) months if the auditor is, in Assistiv’s reasonable opinion, not independent, a competitor of Customer’s Assistiv, or otherwise manifestly unsuitable. Such objection by Assistiv will require the Customer to appoint another auditor or conduct the audit request and Virsae has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report lieu of requesting an audit of such controls or measuresitself. 2.2.5 The audit must be conducted during regular business hours, subject to the agreed final audit plan and Virsae’s safety, security or other relevant policies, and may not unreasonably interfere with Virsae business activities. 2.2.6 iv. Customer will promptly notify Virsae Assistiv of any non-compliance discovered during the course of an audit and provide Virsae Assistiv any audit reports generated in connection with any audit under this Section 2.24(c), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this AddendumDPA. 2.2.7 Any audits are at Customer’s expense. v. 
Customer shall reimburse Virsae Assistiv for any time expended by Virsae or its Third Party Subprocessors Assistiv and any third parties in connection with any audits or inspections under this Section 2.2 4(c) at VirsaeAssistiv’s then-current professional services rates, which shall be made available to Customer upon request. For clarity, Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Virsae to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

Appears in 1 contract

Samples: Data Processing Agreement

Reviews and Audits of Compliance. Client may audit Cultivate’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Client’s supervisory authority. Cultivate will contribute to such audits by providing Client or Client’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Cultivate may object to the auditor if the auditor is, in Cultivate’s reasonable opinion, not independent, a competitor of Cultivate, or otherwise manifestly unsuitable. Such objection by Cultivate will require Client to appoint another auditor or conduct the audit itself. To request an audit, Client must submit a detailed proposed audit plan to Cultivate at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Cultivate will review the proposed audit plan and provide Client with any concerns or questions (for example, any request for information that could compromise Cultivate security, privacy, employment or other relevant policies). Cultivate will work cooperatively with Client to agree on a final audit plan. Nothing in this Section 2.2 shall require Cultivate to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Client’s audit request and Cultivate has confirmed there are no known material changes in the controls audited, Client agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Cultivate’s safety, security or other relevant policies, and may not unreasonably interfere with Cultivate business activities. Client will promptly notify Cultivate of any non-compliance discovered during the course of an audit and provide Cultivate any audit reports generated in connection with any audit under this Section 2.2, unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. Any audits are at Client’s expense. Client shall reimburse Cultivate for any time expended by Cultivate or its Third Party Subprocessors in connection with any audits or inspections under this Section 2.2 at Cultivate’s then-current professional services rates, which shall be made available to Client upon request. Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit. Nothing in this Addendum shall be construed to require Cultivate to furnish more information about its Third Party Subprocessors in connection with such audits than such Third Party Subprocessors make generally available to their customers.

Impact Assessments and Consultations. Cultivate will (taking into account the nature of the processing and the information available to Cultivate) reasonably assist Client in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of Cultivate’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement, including this Addendum.

Data Transfers. For purposes of the Standard Contractual Clauses, (a) Client will act as the data exporter and (b) Cultivate will act as the data importer; for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the processing operations shall be as set out in Section 1.1 to this Annex 1 (Subject Matter and Details of Processing); for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures; upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand; the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 2.2 of this Annex 1 (Reviews and Audits of Compliance); Client’s authorizations in Section 5 of this Annex 1 (Subprocessors) will constitute Client’s prior written consent to the subcontracting by Cultivate of the processing of Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses; and certification of deletion of Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Client’s request. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the lawful transfer of Personal Data outside the EEA (e.g., US-E.U. Privacy Shield, binding corporate rules) applies to the transfer.

Subprocessors

Appears in 1 contract

Samples: Data Protection Addendum
