Data Processing Addendum

Last Modified: November 25th, 2025

Exhibit A

DATA PROCESSING ADDENDUM

1. INITIAL PROVISIONS

1.1. Agreement. This Data Processing Addendum, including its annexes and the Standard Contractual Clauses (the "DPA"), is made by and between HEYREACH INC OÜ. (the "Provider"), and Customer, pursuant to the Master SaaS Subscription Agreement, the Terms of Service or other written or electronic agreement between the parties (as applicable) (the "Agreement").

1.2. Data Processing Agreement. By entering into the Agreement with the Provider, You, the Customer, acknowledge that you have read and understood this DPA and agree to be bound by it.

2. DEFINITIONS

Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement.

"Account Data" means Personal Data that relates to Customer’s relationship with Provider, including to access Customer’s account and billing information, identity verification, maintain or improve performance of the Services, provide support, investigate and prevent system abuse, or fulfill legal obligations.

"Applicable Data Protection Legislation" refers to laws and regulations applicable to Provider's processing of personal data under the Agreement, including but not limited to (a) the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2019 ("UK GDPR") and the Data Protection Act 2018 (together, "UK Data Protection Laws"), (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"), (d) CCPA & CPRA, and (e) Australian Privacy Principles and the Australian Privacy Act (1988), in each case, as may be amended, superseded or replaced.

"CCPA" or "CCPA and CPRA" means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder, in each case, as may be amended from time to time. This includes but it is not limited to the California Privacy Rights Act of 2020.

"Controller" or "controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. It shall have the same meaning ascribed to “controller” under the GDPR and other equivalent terms under Applicable Data Protection Legislation (e.g., ”Business” as defined under the CCPA), as applicable.

“Customer Personal Data” means Personal Data that Provider processes as a Processor on behalf of Customer.

"Europe" means for the purposes of this DPA the European Economic Area ("EEA"), the United Kingdom ("UK") and Switzerland, or another country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data, as determined by the European Commission in the case that EU Data Protection Law applies respectively as determined by the ICO in the case that UK Data Protection Law applies.

"GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

"Personal Data" or "personal data" or "personal information" means any information, including personal information, relating to an identified or identifiable natural person (“data subject”) or as defined in and subject to Applicable Data Protection Legislation.

"Processor" or "processor" means the entity which processes Personal Data on behalf of the Controller. It shall have the meaning ascribed to “processor” under the GDPR and other equivalent terms under other Applicable Data Protection Legislation (e.g., “Service Provider” as defined under the CCPA), as applicable.

"Processing" or "processing" (and "Process" or "process") means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

"Restricted Transfer" means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

"Security Breach" means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by Provider. A Security Incident shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

"Standard Contractual Clauses" or "SCCs" means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c), or (d) where the UK GDPR means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such Addendum may be revised under Section 18 therein ("UK SCCs") and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs") (in each case, as updated, amended or superseded from time to time).

"Sub-processor" or "sub-processor" means (a) Provider, when Provider is processing Customer Personal Data and where Customer is itself a processor of such Customer Personal Data, or (b) any third-party Processor engaged by Provider or its affiliates to assist in fulfilling Provider's obligations under the Agreement and which processes Customer Personal Data. Sub-processors may include third parties or Provider affiliates but shall exclude Provider employees, contractors or consultants.

"Third Party Request" means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.

"UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such Addendum may be revised under Section 18 therein. This is found in Schedule D below.

3. APPLICABILITY AND SCOPE

3.1. Applicability. This DPA will apply only to the extent that Provider processes, on behalf of Customer, Personal Data to which Applicable Data Protection Legislation applies.

3.2. Scope. The subject matter of the data processing is the provision of the Services, and the processing will be carried out for the duration of the Agreement. Schedule A (Details of Processing) sets out the nature and purpose of the processing, the types of Personal Data Provider processes and the categories of data subjects whose Personal Data is processed.

3.3. Provider as a Processor. The parties acknowledge and agree that regarding the processing of Customer Personal Data, Customer may act either as a controller or processor and Provider is a processor. Provider will process Customer Personal Data in accordance with Customer’s instructions as set forth in Section 3 (Customer Instructions).

3.4. Provider as a Controller of Account Data. The parties acknowledge that, regarding the processing of Account Data, Customer is a controller and Provider is an independent controller, not a joint controller with Customer. Provider will process Account Data as a controller (a) in order to manage the relationship with Customer; (b) carry out Provider's core business operations; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) identity verification; (e) to comply with Provider’s legal or regulatory obligations; and (f) as otherwise permitted under Applicable Data Protection Legislation and in accordance with this DPA, the Agreement, and the Privacy Policy.

4. PROVIDER AS A PROCESSOR

4.1. Customer Instructions. Customer appoints Provider as a processor to process Customer Personal Data on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services to Customer (which may include investigating security incidents, and detecting and preventing exploits or abuse); (b) as necessary to comply with applicable law, including Applicable Data Protection Legislation; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).

4.2. Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Legislation. Customer acknowledges that Provider is neither responsible for determining which laws are applicable to Customer’s business nor whether Provider's Services meet or will meet the requirements of such laws. Customer will ensure that Provider's processing of Customer Personal Data, when done in accordance with Customer’s instructions, will not cause Provider to violate any applicable law, including Applicable Data Protection Legislation. Provider will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate applicable law, including Applicable Data Protection Legislation.

4.3. Additional Instructions. Additional instructions outside the scope of the Agreement or this DPA will be mutually agreed to between the parties in writing.

4.4. Purpose Limitation. Provider will process Customer Personal Data in order to provide the Services in accordance with the Agreement. Schedule A (Details of Processing) of this DPA further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of Personal Data and categories of data subjects.

4.5. Responding to Third Party Requests. In the event any Third Party Request is made directly to Provider in connection with Provider’s processing of Customer Personal Data, Provider will promptly inform Customer and provide details of the same, to the extent legally permitted. Provider will not respond to any Third Party Request, without prior notice to Customer and an opportunity to object, except as legally required to do so or to confirm that such Third Party Request relates to Customer.

5. COMPLIANCE

Customer shall be responsible for ensuring that: a) all such notices have been given, and all such authorizations have been obtained, as required under Applicable Data Protection Legislation, for Provider (and its affiliates and Sub-processors) to process Customer Personal Data as contemplated by the Agreement and this DPA; b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Legislation; and c) it has, and will continue to have, the right to transfer, or provide access to, Customer Personal Data to Provider for processing in accordance with the terms of the Agreement and this DPA.

6. SUBPROCESSORS

6.1. Authorization for Sub-processing. Customer agrees that (a) Provider may engage Sub-processors as listed at its website (the "Sub-processor Page") which may be updated from time to time and Provider affiliates; and (b) such affiliates and Sub-processors respectively may engage third party processors to process Customer Personal Data on Provider's behalf. Customer provides a general authorization for Provider to engage onward sub-processors that is conditioned on the following requirements: (x) Provider will restrict the onward sub-processor’s access to Customer Personal Data only to what is strictly necessary to provide the Services, and Provider will prohibit the sub-processor from processing the Customer Personal Data for any other purpose; (y) Provider agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Legislation; and (z) Provider will remain liable and accountable for any breach of this DPA that is caused by an act or omission of its sub-processors.

6.2. Current Sub-processors. Customer understands that effective operation of the Services may require the transfer of Customer Personal Data to Provider affiliate or to Provider’s Sub-processors, see Schedule C. Customer hereby authorizes the transfer of Customer Personal Data to locations outside Europe (Provider's primary processing facilities are in the United States of America), including to Provider affiliates and Sub-processors, subject to continued compliance with this DPA throughout the duration of the Agreement. Customer hereby provides general authorization to Provider engaging additional third-party Sub-processors to process Customer Personal Data within the Services for the Permitted Purposes.

6.3. Notification of Sub-processor Additions. Provider may, by giving reasonable notice to the Customer, add to the Sub-processor Page. Provider will notify Customer if it intends to add or replace Sub-processors from the Sub-Processor Page at least 10 days prior to any such changes. Customer will receive this notification in Provider’s Platform. If Customer objects to the appointment of an additional Sub-processor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of the Customer Personal Data, then Provider will work in good faith with Customer to find an alternative solution. In the event that the parties are unable to find such a solution, Customer may terminate the Agreement at no additional cost.

7. IMPACT ASSESSMENTS AND CONSULTATIONS

Provider shall, to the extent required by Applicable Data Protection Legislation, provide Customer with reasonable assistance (at Customer's cost and expense) with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under such legislation.

8. SECURITY

8.1. Security Measures. Provider has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures designed to protect Customer Personal Data against Security Breaches. These measures shall at a minimum comply with applicable law and include the measures identified in Schedule B (Technical and Organizational Security Measures). Customer acknowledges that the security measures are subject to technical progress and development and that Provider may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

8.2. Staff. Provider will ensure that any person authorized to process Customer Personal Data (including its staff, agents, and subcontractors) shall be subject to a duty of confidentiality.

8.3. Security Breach. Upon becoming aware of a Security Breach involving Customer Personal Data processed by Provider on behalf of Customer under this DPA, Provider shall notify Customer without undue delay and shall provide such information as Customer may reasonably require, including to enable Customer to fulfil its data breach reporting obligations under Applicable Data Protection Legislation. Provider’s notification of or response to a Security Breach shall not be construed as an acknowledgement by Provider of any fault or liability with respect to the Security Breach.

8.4. Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up Customer Personal Data.

9. RETURN OR DELETION OF CUSTOMER'S PERSONAL DATA

Upon termination or expiry of this Agreement, Provider will (at Customer's election) delete or return to Customer all Customer Personal Data (including copies) in its possession or control as soon as reasonably practicable and within a maximum period of 30 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Provider is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data Provider will securely isolate and protect from any further processing, except to the extent required by applicable law.

10. AUDITS

10.1. Acknowledgment. The parties acknowledge that when Provider is acting as a processor on behalf of Customer, Customer must be able to assess Provider’s compliance with its obligations under Applicable Data Protection Legislation and this DPA.

10.2. Previous Audits. Upon written request and at no additional cost to Customer, Provider shall provide Customer, or its appropriately qualified third-party representative (collectively, the "Auditor"), access to reasonably requested documentation evidencing Provider's compliance with its obligations under this DPA in the form of the relevant audits or certifications.

10.3. Customer Audit. While it is the parties’ intention ordinarily to rely on the provision of the documentation to demonstrate Provider’s compliance with this DPA and the provisions of Article 28 of the GDPR, Provider shall permit Customer or its Auditor to carry out an audit, at Customer’s cost and expense, (including, without limitation, the costs and expenses of Provider), of Provider’s processing of Customer Personal Data under the Agreement upon Customer’s written request for an audit, subject to the terms of this Section. Following Provider’s receipt of such request, Provider and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of any such audit. Any such audit shall be subject to Provider’s security and confidentiality terms and guidelines, may only be performed a maximum of once annually and will be restricted to only data relevant to Customer. Where the Auditor is a third-party, Provider may object in writing to such Auditor, if in Provider's reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Provider. Any such objection by Provider will require Customer to either appoint another Auditor or conduct the audit itself. Any expenses incurred by an Auditor in connection with any review of reports or an audit shall be borne exclusively by the Auditor. For clarity, the exercise of audit rights under the SCCs shall be as described in this Section 10.3.

11. TRANSFERS

11.1. Location of Processing. Customer acknowledges that Provider and its Sub-processors may transfer and process personal data to and in the United States of America and other locations in which Provider, its affiliates or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor Page. Provider shall ensure that such transfers are made in compliance with Applicable Data Protection Legislation and this DPA.

11.2. Transfer Mechanism. The parties agree that when the transfer of personal data from Customer (as “data exporter”) to Provider (as “data importer”) is a Restricted Transfer, Applicable Data Protection Legislation requires that appropriate safeguards are put in place. For the purposes of such Restricted Transfers from Customer to Provider, the parties rely on Provider’s certification under the EU-U.S Data Privacy Framework, the Swiss-US Data Privacy Framework and the UK-US Data Privacy Framework (together, the “DPF”) operated by the U.S. Department of Commerce. To the extent that the DPF is invalidated or ceases to be an appropriate safeguard under Article 46 GDPR for transfers to the United States, then, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:

a) In relation to transfers of Customer Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:

i. Module Two or Module Three will apply (as applicable);

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 6.3 of this DPA;

iv. in Clause 11, the optional language will not apply;

v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of the EU Member State in which the data exporter is established and if no such law by Irish law;

vi. in Clause 18(b), disputes shall be resolved before the courts of the EU Member State in which the data exporter is established and otherwise Ireland;

vii. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this DPA;

viii. and Subject to section 8.1 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule B to this DPA,

b) In relation to transfers of Account Data protected by the GDPR and processed in accordance with Section 3.4 of this DPA, the EU SCCs shall apply, completed as follows:

i. Module One will apply;

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 11, the optional language will not apply;

iv. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

v. in Clause 18(b), disputes shall be resolved before the courts of Ireland;

vi. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this DPA;

vii. and Subject to section 8.1 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule B to this DPA;

c) In relation to transfers of Account Data protected by the GDPR and processed in accordance with Section 3.4 of this DPA, the EU SCCs shall apply, completed as follows:

i. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Privacy Laws or the Swiss DPA (as applicable);

ii. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK Privacy Laws or the Swiss DPA (as applicable);

iii. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);

iv. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);

v. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);

vi. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);

vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable);

viii. and with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland;

d) To the extent that and for so long as the EU SCCs as implemented in accordance with sub-paragraph a)-c) above cannot be used to lawfully transfer Customer Personal Data and Account Data in accordance with the UK GDPR to Provider, the UK SCCs shall be incorporated into and form an integral part of this DPA and shall apply to transfers governed by the UK GDPR. For the purposes of the UK SCCs, the relevant annexes, appendices or tables shall be deemed populated with the information set out in Schedules A and B of this DPA. In relation to data that is protected by the UK GDPR, the EU SCCs will apply as follows:

i. apply as completed in accordance with paragraph 7(a) above; and

ii. be deemed amended as specified by Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of this DPA.

In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Schedule A and Schedule B of this DPA and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".

11.3. SCC Conflict. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.

11.4. Alternative Transfer Mechanism. To the extent that Provider adopts an alternative data export mechanism (including any new version of or successor to the DPF or Standard Contractual Clauses adopted pursuant to Applicable Data Protection Legislation) ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall upon notice to Customer and an opportunity to object, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Legislation applicable to Europe and extends to territories to which Customer Personal Data and Account Data is transferred).

12. COOPERATION AND DATA SUBJECT RIGHTS

12.1. Data Subject Rights. Provider provides Customer with a number of self-service features via the Services, including the ability to delete, obtain a copy of, or restrict use of Customer Personal Data. Customer may use such self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to Third Party Requests from data subjects via the Services at no additional cost. Upon Customer’s request, Provider shall, taking into account the nature of the processing, provide reasonable assistance to Customer where possible and at Customer’s cost and expense, to enable Customer to respond to requests from a data subject seeking to exercise their rights under Applicable Data Protection Legislation. In the event that such request is made directly to Provider, if Provider can, through reasonable means, identify the Customer as the controller of the Customer personal data of a data subject, Provider shall promptly inform Customer of the same. As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data.

12.2. Cooperation. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Legislation or (b) any Third Party Request relating to the processing of Account Data or Customer Personal Data conducted by the other party, such party will promptly inform the other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Legislation.

13. NO SALE OR SHARING

To the extent that the processing of Customer Personal Data is subject to U.S. data protection laws, Provider is prohibited from: (a) selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration; (b) sharing Customer Personal Data with any third party for cross-behavioral advertising; (c) retaining, using, or disclosing Customer Personal Data for any purpose other than for the business purposes specified in this DPA or as otherwise permitted by U.S. data protection laws; (d) retaining, using or disclosing Customer Personal Data outside of the direct business relationship between the parties, and; (e) except as otherwise permitted by U.S. data protection laws, combining Customer Personal Data with personal data that Provider receives from or on behalf of another person or persons, or collects from its own interaction with the data subject. Provider will notify Customer promptly if it makes the determination that it can no longer meet its obligations under applicable U.S. data protection laws.

14. MISCELLANEOUS

14.1. If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail. The order of precedence will be: (a) this DPA; (b) the Agreement; and (c) the Privacy Policy. To the extent there is any conflict between the Standard Contractual Clauses, and any other terms in this DPA, the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.

14.2. The parties agree that this DPA shall replace and supersede any prior data processing addendum that Provider and Customer may have previously entered into in connection with the Services.

14.3. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

14.4. In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.

14.5. In the event (and to the extent only) of a conflict (whether actual or perceived) among Applicable Data Protection Legislation, the parties (or relevant party as the case may be) shall comply with the more onerous requirement or standard which shall, in the event of a dispute in that regard, be solely determined by Provider.

14.6. Notwithstanding anything else to the contrary in the Agreement, Provider reserves the right to make any modification to this DPA as may be required to comply with Applicable Data Protection Legislation.

14.7. Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Provider's access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

14.8. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the DPF and SCCs).

Schedule A

Description of the Processing Activities / Transfer

Schedule A(1) List of Parties:

Data Exporter

Name: Customer, as identified in the Order Form

Address: As identified in the Order Form

Contact details: As identified in the Order Form

Activities relevant to the transfer: See Schedule A(2) below

Role: Controller

Data Importer

Name: Provider, as identified in the Agreement

Address: As identified in the Agreement

Contact details: As identified in the Agreement

Activities relevant to the transfer: See Schedule A(2) below

Role: Processor

Schedule A(2) Description of Transfer

Description

Categories of data subjects:

● Permitted users – any of Customer's employees or other personnel, suppliers and other third parties authorized under the Agreement to use the Services.

● Third parties – employees, contractors, business partners, customers or other individuals having Personal Data stored, transmitted to, made available to, accessed or otherwise processed by Provider.

Categories of personal data:

● Permitted users – contact data

● Third Parties – contact data

Sensitive data:

The Provider does not require any special categories of data to provide the Services and does not intentionally collect or process such data in connection with the provision of the Services.

Frequency of the transfer:

Continuous

Nature and subject matter of processing:

The Personal Data may be subject to the following processing activities:

● storage (hosting) and other processing necessary to provide, maintain and improve the Services provided to Customer under the Agreement,

● technical support provided to the Customer on a case by case basis,

● disclosures in accordance with the Agreement and the DPA, as compelled by law, and

● collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Duration of the processing:

Processing Term.

Purpose(s) of the data transfer and further processing:

(i) Processing to provide, maintain, support, and improve the Services provided to the Customer in accordance with the Agreement;

(ii) Processing initiated by the Permitted users in their use of the Services; and

(iii) Processing to comply with other documented reasonable instructions provided by the Customer (e.g., via email) where such instructions are consistent with the Agreement (including this DPA).

Retention period (or, if not possible to determine, the criteria used to determine that period): Processing Term

Schedule A(3): Competent supervisory authority

With respect to EU Data the competent supervisory authority is The Office of the Information Commissioner of Ireland (the "Supervisory Authority").

Schedule B

Technical and Organizational Measures

The technical and organisational measures implemented by the Provider (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context, and purposes of the processing, and the risks for the rights and freedoms of natural persons, are outlined in AWS Security Measures. Provider’s Platform is built in AWS and Provider complies with best practices. More information on security can be found in AWS: Risk and Compliance.

Schedule C

Approved Sub-processors

Amazon Web Services, Inc., 410 Terry Ave North, Seattle, WA 98109-5210, US

Hosting Services for the Provider's Platform

FullEnrich Corp, 166 Geary St STE 1500 Suite #436, San Francisco, CA 94108, US

Data Enrichment Services for the Provider’s Platform

Schedule D

UK Addendum to the EU Commission Standard Contractual Clauses

1. Date of this Addendum: This Addendum is effective from the same date as the DPA.

2. Background: The Information Commissioner considers this Addendum to provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organization in reliance on Articles 46 of the UK GDPR and, with respect to data transfers from controllers to processors and/or processors to processors.

3. Interpretation of this Schedule 4. Where this Addendum uses terms that are defined in the Annex those terms shall have the same meaning as in the Annex. In addition, the following terms have the following meanings:

This Addendum: This Addendum to the Clauses.

The Annex: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

UK GDPR: The United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

UK: The United Kingdom of Great Britain and Northern Ireland.

1. This Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.

2. This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

3. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

4. Hierarchy: In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

5. Incorporation of the Clauses: This Addendum incorporates the Clauses which are deemed to be amended to the extent necessary so they operate:

a. for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and

b. to provide appropriate safeguards for the transfers in accordance with Articles 46 of the UK GDPR Laws.

6. The amendments required by Section 7 above, include (without limitation):

a. References to the “Clauses” means this Addendum as it incorporates the Clauses.

b. Clause 6 Description of the transfer(s) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer”.

c. References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.

d. References to Regulation (EU) 2018/1725 are removed.

e. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”.

f. Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner.

g. Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”.

h. Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

i. The footnotes to the Clauses do not form part of the Addendum.

7. Amendments to this Addendum

a. The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.

b. The Parties may amend this Addendum provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Clauses and making changes to them in accordance with Section 7 above.

8. Executing this Addendum

a. The Parties may enter into the Addendum (incorporating the Clauses) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the Clauses. This includes (but is not limited to):

i. By attaching this Addendum as Schedule 4 to the Provider DPA.

ii. By adding this Addendum to the Clauses and including the following above the signatures in Annex 1A:

“By signing we agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses dated:” and add the date (where all transfers are under the Addendum)

“By signing we also agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses dated” and add the date (where there are transfers both under the Clauses and under the Addendum) (or words to the same effect) and executing the Clauses; or

iii. By amending the Clauses in accordance with this Addendum and executing those amended Clauses.