Data Processing Addendum

This Data Processing Addendum (this "Addendum") supplements and forms part of the terms and conditions between the Customer and the Provider (the "Agreement"). Except as modified below, the terms of the Agreement shall remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is effective as at the Effective Date of the Agreement and will remain in effect until termination of the Agreement; or the last Processing of Customer Personal Data carried out by or on behalf of the Customer under the Agreement.

1. Definitions

In this Addendum, the following words and expressions have the following meanings:

• Customer Personal Data means Personal Data Processed by the Provider as Processor on behalf of the Customer pursuant to the performance of the Agreement.
• "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Supervisory Authority" and "Processing" all have the meanings given to those terms in Data Protection Laws (and related terms such as "Process", "Processes" and "Processed" shall have corresponding meanings); and
• Data Protection Laws means all laws and regulations relating to data protection and privacy as applicable to the Parties and/or to the Processing of Personal Data under the Agreement, including without limitation, the EU General Data Protection Regulation 2016/679 ("GDPR"), the GDPR in such form as incorporated into the laws of the United Kingdom ("UK GDPR"), the Data Protection Act 2018, and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time.
• EU Standard Contractual Clauses means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to third countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time).
• Restricted Transfer means a transfer of Personal Data between either party to the Agreement in circumstances where in the absence of the obligations created by this Agreement the export of the Personal Data would be in breach of the applicable Data Protection Laws.
• Sub-Processor means another Processor engaged by the Provider for carrying out Processing activities in respect of Customer Personal Data.
• Supervisory Authority means a governmental or government chartered regulatory body having binding legal authority over a party.

2. Data Processing Details and Compliance

2.1. The Parties acknowledge that in respect of Customer Personal Data, the Provider is a Processor Processing Personal Data on behalf of the Customer, the Customer acting as either Controller or a Processor on the behalf of another Controller (in respect of the latter, the Provider shall act as its Sub-Processor). Each Party shall comply with its obligations under Data Protection Laws as relates to Customer Personal Data.

2.2. Details of Customer Personal Data Processed by Provider under this Agreement are as follows:

• a. Subject Matter, Nature and Purpose of Processing. The Provider's provision of the Services under this Agreement. In particular, providing the Customer with access to the Provider's customer service platform.
• b. Duration of Processing. Processing of Customer Personal Data by the Provider shall be for the term of this Agreement and in accordance with the Provider's retention obligations under this Agreement and Addendum, provided that Customer Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
• c. Personal Data in Scope. Names, Communication details (Email, etc.), Contact details, Job role; Login data; Profile image; Technical details (Device information, IP addresses, cookies, etc.); Customer service-related data (such as not but not limited to account information, order information, subscriptions, chat and email messages); and
• d. Category of Data Subjects. Customer's end customers; Customer personnel (employee, contractors, etc) and Customer associated parties.

3. Data Processing Instructions

3.1 The Provider shall Process Customer Personal Data only on the written instructions of the Customer (including as set out in this Agreement) unless the Provider is required to otherwise Process Customer Personal Data by applicable laws. The Provider is hereby instructed to Process Customer Personal Data for the purposes of providing the Services.

4. Provider Personnel and Sub-Processors

4.1 The Provider shall ensure that all Provider personnel authorized to Process Customer Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Data confidential.

4.2 The Customer authorizes the Provider to engage (including the disclosure of Customer Personal Data under this Agreement to such Sub-Processors) the Sub-Processors included in the Sub-Processor list provided to the Customer.

5. Transfers

5.1 The Provider shall not transfer Customer Personal Data to any party in a country not deemed adequate for the transfer of Personal Data by a relevant Supervisory Authority, including permitting access to Customer Personal Data from any party in such countries, without the prior written consent of the Customer, unless the transfer/access is in compliance with Data Protection Laws.

6. Security and Personal Data Breach Notification

6.1 The Provider shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur.

6.2 The Provider shall notify the Customer without undue delay on becoming aware of a Personal Data Breach.

7. Assistance

7.1 To the extent related to its Processing of Customer Personal Data, the Provider shall promptly provide the Customer with reasonable assistance in complying with Data Subject requests and meeting its obligations under Data Protection Laws.

8. Deletion or Return of Data

8.1 The Provider shall, at the choice of the Customer, delete or return all Customer Personal Data to the Customer once Processing is no longer required for the purposes of this Agreement.