Data Processing Addendum

Updated: January 2025

THIS ADDENDUM is made as of the Effective Date of the main Agreement (“Effective Date”).

BETWEEN:

(1) The company listed on the applicable governing agreement in which this addendum is incorporated by reference, together with its affiliates, each of which will be treated as a party to this data processing addendum (“Company”); and

(2) ADMARKETPLACE INC., a Company with its place of business at 90 Park Avenue, 11th Floor, New York, NY 10016 (“Service Provider”), together the “Parties” and each a “Party”, as supplemental to the Agreement of the Parties (referred to as “the Agreement”). This Addendum shall be an integral part of the Agreement.

1. DEFINITIONS

For the Purposes of this Addendum:

  1. "Personal Data", "special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meanings given to them in the Regulation (or where the same or similar terms are used under another applicable Data Protection Law, the meanings given to such terms under such Data Protection Law).
  2. "European Personal Data" means personal data of natural persons subject to the Regulation.
  3. "U.S. Personal Information" means any information that relates to, is capable of being associated with, or could be linked, directly or indirectly, with a particular United States resident or household.
  4. “DPF” means the EU-US Data Privacy Framework and/or the UK Extension to the EU-US Data Privacy Framework and/or the Swiss Extension to the EU-US Data Privacy Framework, as applicable or relevant (locus of Personal Data prior to transfer).
  5. “Data Protection Laws” means any and all privacy, security and data protection laws and regulations that apply to the Personal Data Company has access to under the Agreement, including without limitation (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national laws made under or pursuant to (i) or (ii); (iv) the Federal Data Protection Act of 19 June 1992 (Switzerland); (v) the United Kingdom Data Protection Act 2018; (vi) the United Kingdom (“UK”) version of the GDPR which is part of United Kingdom law by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (vii) U.S. State privacy laws (collectively “State Privacy Laws”) including without limitation California Consumer Privacy Act, Cal. Civ. Code §1798.100, et seq. as amended by the California Privacy Rights Act (“CCPA”); the Colorado Privacy Act, C.R.S. §6-1-1301, et seq. and the Connecticut Data Privacy Act CTDPA § 1, et seq.
  6. "Regulation" or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation).
  7. "SOC2" means the Service Organization Control 2 certification, a framework designed by the internationally recognized forum for global standards, AICPA, to ensure service providers manage data securely to protect the privacy and interests of qualified data types.
  8. “Subprocessor” means any entity engaged with the Service Provider to process Personal Data in connection with the services.

2. ROLE OF THE PARTIES

The Parties agree that Company is the controller and Service Provider is the processor of all Personal Data processed by Service Provider on Company's behalf under the Agreement ("Company Personal Data") and that Company is the business and Service Provider is the service provider or processor (as applicable) of all U.S. Personal Information processed by Service Provider on Company’s behalf under the Agreement (collectively, "Company Data"). The details of the processing activities to be carried out by Service Provider on behalf of Company are specified in Schedule 1.

3. OBLIGATIONS OF SERVICE PROVIDER

Service Provider warrants and undertakes that:

  1. it will have in place and maintain throughout the term appropriate technical and organizational security measures to protect Company Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing, which technical and organizational security measures will be commensurate with the nature of Company Data to be protected and with regard to the state of the art and cost of implementation, the nature, scope, context and purposes of the Processing. More specifically, the Service Provider will maintain its industry-recognized SOC2 certification as part of its commitment to high standards of data security;
  2. it will have in place procedures so that any third-party it authorises, to the extent permitted by this Addendum, to have access to Company Data, including its sub-contractors, will respect and maintain the confidentiality and security of Company Data;
  3. it will process the Company Data only on behalf of Company and in compliance with its documented instructions and this Addendum and within the scope and for the specific purpose of performing the works under the Agreement unless otherwise required by, with respect to European Personal Data, European Union or European Member State law, or, with regard to U.S. Personal Information, for the purpose of detecting security incidents or protecting against fraudulent or illegal activity or required by U.S. law to which Service Provider is subject in which case it shall notify Company as soon as that law permits it to do so, and Service Provider warrants that it has the legal authority to give the warranties and fulfill the undertakings set out hereunder;
  4. it will identify to Company a contact point within its organisation authorised to respond to Security Breach(es) (as defined below), and enquiries concerning processing of Company Data. The contact point for Service Provider will be:

    Name:                 George Pappachen
    Designation:      Data Protection Officer
    Email address:  privacy@admarketplace.com
  5. it will keep a record of all processing activities carried out on behalf of Company;
  6. it will cooperate in good faith with Company, the data subject and the supervisory authority concerning all enquiries regarding the processing of Company Data within a reasonable time;
  7. it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from Company and its obligations under the Agreement and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum, it will promptly notify the change to Company as soon as it is aware, in which case Company is entitled to suspend the transfer of data and/or terminate the Agreement;
  8. it will without undue delay notify Company if it becomes aware of:
    • any legally binding request for disclosure of Company Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    • any actual or suspected security breach, accidental or unauthorised access or unlawful processing, misappropriation, loss of, damage to or destruction of or other compromise of the security, confidentiality, or integrity of Company Data processed by Service Provider or a sub-contractor ("Security Breach"); or
    • any complaint, communication or request received directly by Service Provider or a sub-contractor from a data subject without responding to that request, unless it has been otherwise authorised to do so, in which case, it shall provide Company with full co-operation and assistance in relation to any such complaint or request;
  9. upon discovery of any Security Breach, it shall:
    • immediately take action to prevent any further Security Breach; and
    • provide Company with full and prompt cooperation and assistance in relation to any notifications that Company is required to make as a result of the Security Breach;
    • notify the Company of any Security Breach without undue delay and in no event later than seventy-two (72) hours.
  10. it shall ensure all employees (and, to the extent permitted under this Addendum, agents or sub-contractors): (i) are informed of the confidential nature of Company Data and are obliged to keep such Company Data confidential; (ii) have undertaken training relating to handling personal data and U.S. Personal Information; and (iii) are aware both of Service Provider's duties and their personal duties and obligations under this Addendum. Service Provider shall take reasonable steps to ensure the reliability of any of Service Provider's employees who have access to Company Data;
  11. it shall not disclose Company Data whether directly or indirectly to any data subject, person, firm, or other Company entities without the written consent of Company except to those of its employees who are engaged in the processing of the data and are subject to the binding obligations referred to in clause 3(j) above, except when legally required under Data Protection Laws; and
  12. it will provide Company with full and prompt cooperation and assistance in relation to any complaint, communication or request received from a data subject and in relation to any data protection impact assessment or regulatory consultation that Company is legally required to make in respect of Company Data.

4. INTERNATIONAL DATA TRANSFERS

The Parties agree that in providing the Services under the Agreement, Personal Data may be transferred from ‘European Territories’ (for reference purposes only, this term is to include the UK and/or Switzerland, as or if applicable) to the United States or other territory(ies) whose level of protection for Personal Data differs from that of the European Territories. Where such a transfer occurs in furtherance of the purposes under the Agreement, such transfer (where Company is Data Exporter and Service Provider is Data Importer) shall be subject to the DPF or the appropriate Standard Contractual Clauses, as below.

  1. In regard to transfers of Personal Data from the European Territories to the United States, the DPF will be applicable and serve as the transfer mechanism if the data importer herein is certified under the DPF. In such case, the DPF certified data importer will be listed in the DPF registry (https://www.dataprivacyframework.gov/) as a certified registrant that is active and compliant with the DPF. In this case, the obligations, rights, responsibilities, liabilities, protocols (including the dispute resolution process and approved forums), and any other rules of the DPF shall apply and supersede any other competing or conflicting mechanism, framework, or rules. The Service Provider represents that it holds a valid DPF certification and will maintain such certification for the duration of this Agreement, including re-certification as required to remain active and compliant.
  2. In relation to Company Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
    • Module Two will apply;
    • in Clause 7, the optional docking clause will apply;
    • in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in this DPA;
    • in Clause 11, the optional language will not apply;
    • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Luxembourg;
    • in Clause 18(b), disputes shall be resolved before the courts of Luxembourg;
    • Annex I A (List of Parties) shall be deemed completed with the information of the Parties to this DPA and as specified in Schedule 2 to this DPA; and
    • Annex I B (Description of Transfer) shall be deemed completed with the information set out in Schedule 2 to this DPA; and
    • Annex I C: The competent supervisory authority shall be the National Commission for Data Protection of the Grand-Duchy of Luxembourg; and
    • Annex II shall be deemed completed with the information set out in Schedule 3 to this DPA;
  3. in relation to Company Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
    • (i) Where Company and Service Provider are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
      • (A) The EU SCCs, completed as set out above shall also apply to transfers of Company Personal Data, subject to sub-clause (B) below; and
      • (B) The UK Addendum shall be deemed executed between Company and Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Processor Personal Data
    • (ii) If sub-clause (i) does not apply, then Company and Processor shall cooperate in good faith to implement appropriate safeguards for transfers of the relevant Company Personal Data as required or permitted by the UK GDPR without undue delay;
  4. in relation to Company Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Clause 5(a) amended as follows:
    • references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
    • references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA,
    • references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’,
    • references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable),
    • in Clause 17, the EU SCCs will be governed by the laws of Switzerland, and
    • in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland;
  5. in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

5. AUDIT RIGHTS

Company shall have the right to review the Service Provider's SOC2 report to verify ongoing compliance with established standards. Access to the SOC 2 report shall be conditioned upon the Company’s agreement to maintain the confidentiality of the report in accordance with the confidentiality obligations set forth in an existing agreement with Service Provider or, if no such obligations exist, under the terms of a mutually executed non-disclosure agreement. The Company may use the SOC 2 report solely for the purpose of assessing the Service Provider’s compliance and may not disclose it to any third party without prior written consent from the Service Provider. Company is entitled, on giving at least thirty (30) days' notice to Service Provider to inspect or appoint representatives to inspect relevant documents relating to the processing of Company Data by Service Provider to examine that Service Provider is complying with its obligations under this Addendum. The requirement for notice shall not apply if Company reasonably believes that Service Provider is in breach of any of its obligations under this Addendum. Both Parties shall bear their respective costs for such audit(s). Company may conduct audits no more than once annually, and only during normal business hours, with reasonable prior notice as outlined in this Section 3, and in a manner that minimizes disruption to Service Provider’s operations.

6. LIABILITY

The Parties acknowledge that any limitation of liability clause in the Agreement shall apply to liabilities arising out of or related to a breach of the terms of this Addendum or any failure to comply with the obligations under this Addendum by Service Provider or its employees, except to the extent such liability cannot be limited under applicable law.

7. SUBCONTRACTING

Service Provider shall not subcontract any of its processing operations performed specifically on behalf of Company under the Agreement without the written consent of Company. Where Service Provider subcontracts its obligations under this Addendum, with the consent of Company, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations on the sub-contractor as are imposed on Service Provider under this Addendum. Where the sub-contractor fails to fulfil its data protection obligations under such written agreement Service Provider shall remain fully liable to Company for the performance of the sub-contractor’s obligations under such agreement and upon request it shall promptly send a copy of any agreement it concludes with a sub-contractor under this clause 7 relating specifically to Company Personal Data to Company.

8. SUBPROCESSORS

  1. Appointment of Subprocessors. Controller acknowledges and agrees that Service Provider may engage third-party Sub-processors in connection with the provision of the Services. As a condition to permitting a third-party Subprocessor to process Personal Data, Service Provider will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor.
  2. List of Current Subprocessors. A current list of Subprocessors for the Services, including the identities of those Subprocessors and their country of location, is accessible via https://www.admarketplace.com/admarketplace-subprocessors.
  3. Objection Right for New Subprocessors. Controller hereby consents to these Subprocessors, their locations and processing activities as it pertains to Personal Data. Controller may reasonably object to Service Provider’s use of a new Subprocessor by notifying Service Provider promptly in writing within thirty (30) days after the notice of the change of Subprocessors is sent. Such notice shall explain the reasonable grounds for the objection. In the event Controller objects to a new Sub-processor, Service Provider will use commercially reasonable efforts to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Controller. If Service Provider is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the applicable IOs with respect only to those services which cannot be provided by Service Provider without the use of the objected-to new Sub-processor by providing written notice to Service Provider.

9. INDEMNITY

Service Provider agrees to indemnify and keep indemnified and defend at its own expense Company against all costs, claims, damages or expenses incurred by Company or for which Company may become liable due to any failure by Service Provider or its employees or agents to comply with any of its obligations under this Addendum. Service Provider’s indemnification obligations under this Addendum shall apply only to the extent of its proven gross negligence or willful misconduct and shall not exceed the liability cap set forth in the Agreement.

10. ALLOCATION OF COSTS

Each Party shall perform its obligations under this Addendum at its own cost.

11. TERMINATION

  1. In the event that Service Provider is in breach of its obligations under this Addendum, or the Agreement, then Company may temporarily suspend the transfer of Company Data to Service Provider until the breach is repaired.
  2. In the event that:
    • the transfer of Company Data to Service Provider has been temporarily suspended by Company for longer than one month pursuant to clause 9(a);
    • compliance by Service Provider with this Addendum would put it in breach of its legal or regulatory obligations in the country where Service Provider exists;
    • Service Provider is in substantial or persistent breach of any warranties or undertakings given by it under this Addendum; or
    • a petition is presented for the administration or winding up of Service Provider, which petition is not dismissed within the applicable period for such dismissal under applicable laws; a winding up order is made; a receiver is appointed over any of its assets; a Company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs;
      then Company, without prejudice to any other rights which it may have against Service Provider, shall be entitled to terminate the Agreement and this Addendum.
  3. In the event that the Agreement terminates for any reason, this Addendum shall be immediately terminated and Service Provider shall cease processing Company Data.

12. OBLIGATION AFTER TERMINATION OF PERSONAL DATA PROCESSING SERVICES

The Parties agree that on the termination of the provision of data-processing services, Company, Service Provider and its sub-contractors shall, at the choice of Company, return all Company Data and the copies thereof, unless anonymized, to Company or shall securely destroy all Company Data and certify to Company that it has done so, unless, for European Personal Data, European Union or Member State legislation, or, for U.S. Personal Information, U.S. law imposed upon Service Provider and its sub-contractors prevents them from returning or destroying all or part of Company Data. In that case, Service Provider warrants that it will guarantee the confidentiality of Company Data and will not actively process Company Data transferred anymore.

SCHEDULE 1

DETAILS OF THE PROCESSING

The subject-matter of the processing:

In the provision of the Services as instructed by the Data Controller, Service Provider employs data collection technologies on digital properties in order to deliver ads that are relevant to users and that are intended for user engagement, e.g., clicks on ads to lead to conversions or purchases.

The duration of the processing:

Continuous and until conclusion of engagement

The nature and purpose of the processing:

Service Provider employs data collection technologies (such as advertising tags and pixels) on digital properties (such as internet sites, mobile websites, mobile applications, and streaming platforms) that are designed to enable the collection and processing of pseudonymous data that may be Personal Data such as unique IDs associated with devices, IP addresses, general geographic data, and non-personal metadata that is associated with such pseudonymous data. Service Provider may use anonymized and aggregated data derived from Company Data for internal purposes, including improving services, provided such use complies with applicable Data Protection Laws and does not identify any individual or Company.

The types of personal data:

Service Provider processes Personal Data that is pseudonymous Personal Data about data subjects (advertising IDs, IP address, general geographic information) and any other information provided by the Company to Service Provider to measure and report on data subjects’ interactions with digital advertisements provided via the Services.

The categories of data subjects:

Visitors to websites, applications, and media platforms

SCHEDULE 2

DETAILS OF THE TRANSFER

Data exporter

Name: The Data Exporter is Company.

Address: As specified in the DPA above.

Contact person’s name, position, and contact details: same as contact details provided in the Agreement.

Activities relevant to the data transferred under these Clauses: The Service Provider provides support services to Company in relation to the Services under the Agreement, in the course of which it processes certain personal data as a processor.

Role: Controller

Data importer

Name: The Data Importer is Service Provider.  

Address: As specified in the DPA above.

Contact person’s name, position, and contact details: same as contact details provided in the Agreement.

Activities relevant to the data transferred under these Clauses: The Service Provider provides support services to Company in relation to the Services under the Agreement, in the course of which it processes certain personal data as a processor.

Role: Processor

APPENDIX

Technical and organisational security measures

Measures for certification/assurance of processes and products: The Service Provider will ensure continued compliance with widely adopted security standards, such as SOC2 certification it has obtained. This certification demonstrates adherence to high standards of data security and operational effectiveness.

Description of the technical and organisational security measures implemented by the data importer:

  1. Program. Company will implement and maintain a comprehensive written information security program (“Information Security Program”), which contains appropriate administrative, technical and organizational safeguards that ensures the security, integrity, availability, resilience and confidentiality of Personal Data.
  2. Access Controls. Company will: (a) abide by the “principle of least privilege,” pursuant to which Company will permit access to Personal Data by its personnel solely on a need-to-know basis; (b) promptly terminate its personnel’s access to Personal Data when such access is no longer required for performance under the Agreement; (c) log the details of any access to Personal Data.
  3. Account Management. Company will use reasonable measures to manage the creation, use, and deletion of all account credentials used to access Personal Data, including by implementing: (a) a segregated account with unique credentials for each user; (b) strict management of administrative accounts; (c) password best practices, including the use of strong passwords and secure password storage; and (d) periodic audits of accounts and credentials.
  4. Vulnerability Management. Company will: (a) use automated vulnerability scanning tools to scan systems that store Personal Data; (b) log vulnerability scan reports; (c) conduct periodic reviews of vulnerability scan reports over time; (d) use patch management and software update tools for the Company Systems; (e) prioritize and remediate vulnerabilities by severity; and (f) use compensating controls if no patch or remediation is immediately available.
  5. Encryption. Company will encrypt Personal Data, using industry standard encryption tools, that Company transmits or sends wirelessly or across public networks; Company will safeguard the security and confidentiality of all encryption keys associated with encrypted information.
  6. Pseudonymization. Company will, where possible and consistent with the Services, use industry standard and reasonable pseudonymization techniques to protect Personal Data.
  7. Physical Safeguards. Company will maintain physical access controls that secure Personal Data, including an access control system that enables Company to monitor and control physical access to Company facility, that includes 24x7 physical security monitoring systems and the use of trained and experienced security guards.
  8. Administrative Safeguards. Prior to providing access to Personal Data to any of its personnel, Company will: (a) ensure the reliability of such personnel, including by performing background screening (to the extent permitted by Data Protection Law); and (b) provide appropriate security training to such personnel to ensure such personnel can comply with the obligations under this Appendix. Company will periodically provide additional training to its personnel as may be appropriate to help ensure that Company’s Information Security Program meets or exceeds prevailing industry standards.