Data Processing Addendum (DPA)
Last updated: May 29, 2026
This Data Processing Addendum (this "DPA") is incorporated into and forms an integral part of the Terms of Service, together with any applicable Service Order Forms (the "Agreement") between Rocket Science Corporation (UK) Ltd, located at 4th Floor Elgin House, 106-107 St Mary's Street, Cardiff, United Kingdom, CF10 1DX (company number: 14437277) ("Provider") and you ("Customer" or "you"), each a "party" and collectively the "parties".
Acceptance of the Terms of Service includes acceptance of this DPA. Capitalized but undefined terms used in this DPA shall have the meanings assigned to those terms in the Agreement.
To the extent you are using the services named herein and absent any other offline agreement, you shall be deemed to have accepted this DPA and applicable Standard Contractual Clauses upon acceptance or execution of the Terms of Service or applicable Service Order Form.
1. Scope of Addendum
1.1. Applicable Data Protection Law.
The parties agree that this DPA is designed to set forth the parties' obligations resulting from Applicable Data Protection Law. As such, the parties acknowledge and agree that this DPA shall only apply to the extent, as applicable, that (a) EU Data Protection Law applies to the processing of personal data of data subjects located in or from Customer located (or where Customer is a processor, where the relevant controller is located) in the EEA, or Switzerland, (b) UK Data Protection Law applies to the processing of personal data of data subjects located in or from Customer located (or where Customer is a processor, where the relevant controller is located) in the UK, (c) the LGPD applies to the processing of personal data of data subjects located in Brazil and to any processing activity that is for the purpose of providing goods or services in Brazil, (d) the PIPEDA applies to the processing of personal data of data subjects located in Canada; (e) the Private Sector Act applies to the processing of personal data of data subjects located in Québec; (f) the Personal Data Protection Act, Act No. 25.326 of 2000 applies to the processing of personal data within the territory of Argentina, (g) the CCPA as amended applies to the processing of personal data of data subjects located in the State of California, United States of America, (h) the CPA applies to the processing of personal data of data subjects located in the State of Colorado, United States of America, (i) the VCDPA applies to the processing of personal data of data subjects located in the State of Virginia, United States of America, (j) the CTDPA applies to the processing of personal data of data subjects located in the State of Connecticut, United States of America, (k) the UCPA applies to the processing of personal data of data subjects located in the State of Utah, United States of America, (l) the FDBR applies to the processing of personal data of data subjects located in the State of Florida, United States of America, (m) the OCPA applies to the processing of personal data of data subjects located in the State of Oregon, United States of America, (n) the TDPSA applies to the processing of personal data of data subjects located in the State of Texas, United States of America, (o) the MTCDPA applies to the processing of personal data of data subjects located in the State of Montana, United States of America; (p) the DPDPA applies to the processing of personal data of data subjects located in the State of Delaware, United States of America; (q) the ICDPA applies to the processing of personal data of data subjects located in the State of Iowa, United States of America; (r) the NDPA applies to the processing of personal data of data subjects located in the State of Nebraska, United States of America; (s) the NHDPA applies to the processing of personal data of data subjects located in the State of New Hampshire, United States of America; (t) the NJDPA applies to the processing of personal data of data subjects located in the State of New Jersey, United States of America; and (u) the TIPA applies to the processing of personal data of data subjects located in the State of Tennessee, United States of America.
1.2 Other-Applicable Data Protection Law.
Notwithstanding the foregoing, where applicable, certain Additional Terms for Other-Applicable Data Protection Law shall supplement this DPA, as set forth in Section 8.
2. Definitions
2.1 "controller", "processor", "data subject", "personal data", "personal data breach", "processing" (and "process"), and "special category" shall have the meanings given in EU Data Protection Law; provided, however, that:
2.1.1 To the extent that the CCPA is applicable, the definition of "personal data" includes "Personal Information"; the definition of "data subject" includes "Consumer"; the definition of "controller" includes "Business"; and the definition of "processor" includes "Service Provider", all as defined under the CCPA, and
2.1.2 To the extent that Non-EU Data Protection Law is applicable, definitions shall have the meanings given under applicable law.
2.2 "Additional Terms for Other-Applicable Data Protection Law" means the additional terms referred to in Section 8, which reflect the parties' agreement on the terms governing the processing of certain data in connection with certain other data protection regulations.
2.3 "Affiliates" means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
2.4 "Applicable Data Protection Law" means (i) EU Data Protection Law; and (ii) Non-EU Data Protection Law.
2.5 "Approved Addendum" means the template addendum issued by the United Kingdom Information Commissioner's Office and laid before the United Kingdom Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of such addendum.
2.6 "Argentina Data Protection Law" means Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') and Decree No. 1558/2001 Regulating Law No. 25.326 ('the Decree'), amended by Decree No. 1160/10.
2.7 "Argentinian Model Clauses" mean the model contract for the international transfer of "personal data" (as defined under Argentina Data Protection Law) to other countries that do not provide an adequate level of protection for personal data related to Data Subjects residing in Argentina, as set out in Disposition 60-E/2016.
2.8 "DPA 2018" means the UK Data Protection Act, 2018.
2.9 "End User" means customers of Customer and end users of Customer's services and applications.
2.10 "EU Data Protection Law" means (i) the GDPR; (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to (i) or (ii) including the UK GDPR and the DPA 2018.
2.11 "FADP" means the Swiss Federal Act on Data Protection of 25 September 2022.
2.12 "GDPR" means the EU General Data Protection Regulation 2016/679.
2.13 "Non-EU Data Protection Law" means the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"); Québec's Act Respecting the Protection of Personal Information in the Private Sector ("Private Sector Act"), the Brazilian General Data Protection Law ("LGPD"); Argentina Data Protection Law; and U.S. Data Protection Law.
2.14 "SCCs" means with respect to data transfers from the European Union to third countries that are not deemed adequate jurisdictions by the European Commission the Controller-Controller standard contractual clauses (the "C2C SCCs") and/or Controller-Processor standard contractual clauses (the "C2P SCCs") (as applicable) approved by the European Commission, as may be updated from time to time (the "EU SCCs") or, with respect to data transfers from the United Kingdom, the C2C SCCs and/or the C2P SCCs as further amended by the Mandatory Clauses of the Approved Addendum, as may be updated by the United Kingdom Information Commissioner's Office from time to time (the "UK SCCs"), for so long as this DPA is effective, subject to the following: (i) only the provisions pertaining to Module One are deemed applicable under the C2C SCCs standard contractual clauses; (ii) only the provisions pertaining to Module Two are deemed applicable under the C2P SCCs; (iii) except with respect to the UK SCCs, the governing law shall be that of the country of the Data Protection Authority with jurisdiction over the data exporter and any dispute arising in connection with the EU SCCs shall be subject to the exclusive jurisdiction of the courts of such country; (iv) the applicable annex to the applicable standard contractual clauses is amended as set forth in Appendix A below.
2.15 "Security, Privacy and Architecture Documentation" means the Security, Privacy and Architecture Documentation applicable to the Services purchased by Customer, as described in summaries that Provider generally makes available to its Customers as updated from time to time, or otherwise made reasonably available by Provider.
2.16 "Services" means the Controller Services and/or Processor Services (as outlined in Section 3) used by Customer in connection with the applicable Service Order Form.
2.17 "Sub-Processor" means any entity that Provider engages to process Customer's personal data on behalf of Provider, which entities may include Provider's Affiliates.
2.18 "UK GDPR" means the EU General Data Protection Regulation 2016/679, as incorporated into UK Data Protection Law.
2.19 "U.S. Data Protection Law" means the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"); the Virginia Consumer Data Protection Act ("VCDPA"); the Colorado Privacy Act ("CPA"), the Connecticut Data Protection Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"); the Florida Digital Bill of Rights ("FDBR"); the Oregon Consumer Privacy Act ("OCPA"); Texas Data Privacy and Security Act ("TDPSA"); Montana Consumer Data Privacy Act ("MTCDPA"); Delaware Personal Data Privacy Act ("DPDPA"); Iowa Consumer Data Protection Act ("ICDPA"); Nebraska Data Privacy Act ("NDPA"); New Hampshire Data Privacy Act ("NHDPA"); New Jersey Data Protection Act ("NJDPA"); and Tennessee Information Protection Act ("TIPA").
2.20 "Country of Concern" means any foreign government identified as such under Executive Order 14117 and 28 CFR Part 202 (the "Data Security Program"), as may be amended from time to time. As of the effective date of this DPA, the designated Countries of Concern are: China (including the Special Administrative Regions of Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
2.21 "Covered Person" means any foreign person meeting the criteria set forth in 28 CFR § 202.211, including: (a) an entity that is 50% or more owned, directly or indirectly, by one or more Countries of Concern, or that is organized or chartered under the laws of, or has its principal place of business in, a Country of Concern; (b) a foreign person who is an employee or contractor of a Country of Concern or of an entity described in (a); (c) a foreign person primarily resident in a Country of Concern; or (d) any person designated as a covered person by the U.S. Attorney General pursuant to the Data Security Program.
2.22 "U.S. Sensitive Personal Data" means a collection or set of sensitive personal data, as defined under 28 CFR Part 202, relating to U.S. persons that meets or exceeds the applicable bulk thresholds set forth in 28 CFR § 202.205, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. Categories of sensitive personal data include covered personal identifiers, precise geolocation data, biometric identifiers, human genomic and other 'omic data, personal health data, and personal financial data.
2.23 "Government-Related Data" means, as defined under 28 CFR Part 202: (a) precise geolocation data for any location within the geofenced areas on the Government-Related Location Data List maintained by the U.S. Department of Justice, regardless of volume; or (b) sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. federal government, including the military.
3. Controller Services and Processor Services
3.1 Controller Services.
3.1.1 Unless otherwise noted in 3.2, "Controller Services" shall refer to all Services governed by the applicable Agreement.
3.1.2 The term "Controller Services" shall encompass personal data relating to account information processed via both the Controller and Processor Services.
3.2 Processor Services.
3.2.1 "Processor Services" as used herein shall refer to data uploaded through infrastructure hosting and orchestration services provided by Provider, or as otherwise specified in Provider's Documentation or Service Order Forms, as applicable.
3.3 When personal data is transferred via a Processor Service in conjunction with, and transmitting data to a Controller Service, or where personal data processed in connection with a Processor Service is expressly provided by you to Provider as an independent controller, Provider shall act as both a Controller and a Processor as outlined below.
3.3.1 Provider as a Processor
For provision of the Processor Service for all purposes outlined in this DPA.
3.3.2 Provider as a Controller
For all purposes outlined in Provider's Privacy Policy, including but not limited to:
Monitor, prevent, and detect fraudulent transactions and other fraudulent activity on Provider services;
Implement, maintain, and perform internal processes that enable Provider to provide its products and services, including relationship management, billing, and invoicing;
Analyze, develop, and improve Provider's products and services.
4. General Terms and Conditions
4.1 Control/Application of the DPA. In the event of any conflict or discrepancy between the SCCs, the Additional Terms for Other-Applicable Data Protection Law, the Agreement, and the terms and conditions of this DPA, the following order of precedence shall apply: (a) the SCCs (where applicable), (b) this DPA, (c) the Additional Terms for Other-Applicable Data Protection Law, (d) the Agreement. This DPA applies only to Customer and Provider and does not confer any rights to any third party hereunder. This DPA does not replace any additional rights related to privacy or data security set forth in the Agreement.
4.2 Treatment of Data Rights and Restrictions in Other Agreements. Customer agrees that this DPA does not enlarge any rights provided for in the Agreement, and Customer continues to be limited to the data use rights and restrictions provided for therein.
4.3 Limitations of Liability. This DPA in no way alters the limitations of liability or other legal terms set out in the Agreement.
4.4 Special Category Data. Special Category Data or information considered sensitive under Applicable Data Protection Law shall not be processed pursuant to this DPA and the Customer warrants and represents that the Customer shall not be sharing, disclosing or otherwise transferring such data to Provider.
4.5 Compliance with Law/Public Notices. Each party shall maintain a publicly-accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Data Protection Law. Customer shall list Provider as a third party that is collecting data within its application in its publicly available privacy policy, including by providing a link to Provider's privacy policy. Customer shall have all required rights, licences, and permissions to allow the processing of personal data by Provider under the Agreement and to make personal data available to Provider in accordance with the requirements of this DPA. Customer shall provide all notices and obtain all consents, as required by and in compliance with Applicable Data Protection Laws with respect to the collection of data by Provider and/or transfer of any data to Provider by Customer, in connection with the Agreement, in accordance with the requirements of this DPA.
4.5.1 Without limiting the generality of the foregoing, when a Consumer exercises an opt out of sale of personal data, opt out of cross-contextual advertising, or opt out of targeted advertising, Customer shall pass to Provider an indication of that Consumer's opt out. Provider agrees to comply with such opt out signals received by Provider.
4.6 Term and Termination. This DPA shall become effective as of the date Customer has accepted both: (i) a valid Agreement; and (ii) solely to the extent this DPA is not already incorporated into such Agreement, this DPA. Subject to Section 4.8, this DPA shall terminate simultaneously and automatically upon the termination of the Agreement. Provider may terminate this DPA (in whole or in part) at any time upon notice to Customer if Provider offers alternative means to Customer that complies with Applicable Data Protection Laws. Customer may terminate this DPA at Customer's discretion upon Provider's receipt of Customer's written notice of termination.
4.7 Governing Law. To the extent required by Applicable Data Protection Law, this DPA shall be governed by the laws of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction set forth in the Agreement.
4.8 Survival. This DPA shall survive termination or expiry of the Agreement to permit Provider to comply with its legal obligations. Upon termination or expiry of the Parties' relationship, Provider may continue to process the personal data provided that such processing complies with the requirements of this Section 4.8 and otherwise with Applicable Data Protection Law.
5. Controller-Controller Terms
The Controller-Controller Terms set forth in this Section 5 shall apply only in connection with Customer's use of the Controller Services and Provider's processing of personal data in connection therewith.
5.1 Relationship of the Parties. Subject to Section 3 and Section 4.2, the parties acknowledge and agree in connection with the processing of personal data for Controller Services, each party (a) is an independent controller of the personal data under Applicable Data Protection Law; (b) shall individually determine the purposes and means of its processing of personal data; and (c) shall comply with the obligations applicable to it under Applicable Data Protection Law with respect to the personal data. Provider shall notify Customer after Provider makes a determination that it can no longer meet its obligations under Applicable Data Protection Law.
5.2 Purpose of Processing. Customer shall have all required rights, licences, and permissions to allow the Processing of Personal Data by Provider under the Agreement and to make Personal Data available to Provider in accordance with the requirements of this DPA. Customer shall provide all notices and obtain all consents, as required by and in compliance with Applicable Data Protection Law, prior to disclosing and/or allowing Provider to access any data, with respect to the collection of data by Provider and/or transfer of any data to Provider by Customer, in connection with the Agreement, in accordance with the requirements of this DPA and supporting documentation. To the extent required by applicable law, if such consent is not obtained or is withdrawn by the end user, Customer must not disclose any Personal Data to Provider in relation to that end user. Customer shall permit the disclosure of the personal data described in the Agreement or otherwise herein for the applicable Controller Services to Provider to process as a controller of the personal data for the purposes described in Provider's Privacy Policy (the "Permitted Purpose"). Specifically, and notwithstanding anything to the contrary in any prior data processing addendum, Provider shall use the personal data to provide infrastructure hosting and orchestration services to its customers, assist its customers with maintaining their own services, improving its services, and analysing the performance of its services. Notwithstanding the foregoing, data obtained by Provider independent of Customer using Provider software or services that is the same or similar to the personal data described herein shall not be restricted by this Addendum or any terms or conditions for such services. 
For the avoidance of doubt, Provider may use all personal data collected on an aggregated or de-identified basis as set out in its Privacy Policy, provided that such use does not reveal an individual or an individual's device directly or indirectly. As required under the CCPA, (i) Customer is making personal data available to Provider for the limited purposes set forth in this Section 5.2. and Provider shall only use such personal data for these limited and specified purposes; and (ii) Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal data Customer makes available to Provider.
5.3 Security.
Each party shall implement appropriate technical and organizational measures to protect the personal data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the personal data (a "Security Incident"). In the event that a party suffers a confirmed Security Incident, it shall notify the other party without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. Nothing herein prohibits either party from moving forward to notify regulatory authorities as may be required by law prior to notification of the other party so long as the notifying party provides notification to the other party without undue delay.
5.4 Transfers of Personal Data.
General Obligations for Transfer of Data. Either party may transfer personal data to third countries if such transfer complies with the provisions for the transfer of such data set forth in Applicable Data Protection Law. To the extent 5.4.3 applies below, Customer represents that they are able to act as an exporting controller of data whether by their organisation being within the European Union or Switzerland or by being subject to categorisation under Clause 13(a) of the SCCs as an organisation capable of acting as an exporter from the European Union.
Transfers of EEA Personal Data to Customer. To the extent that Provider transfers personal data subject to EU Data Protection Law to Customer and Customer is established in a country outside of the EEA or the UK (as applicable) that is not subject to an adequacy decision/determination, then Customer shall be deemed to have entered into the required SCCs as the data importer with Provider as the data exporter, and such transfers shall be subject to those SCCs.
Transfers of EEA Personal Data to Provider. To the extent that Customer transfers personal data subject to EU Data Protection Law to Provider, then Customer shall be deemed to have entered into the required SCCs as the data exporter with Provider as the data importer, and such transfers shall be subject to those SCCs.
Transfers of Brazilian Personal Data. To the extent that a party transfers personal data subject to the LGPD to the other party, then the transferring party shall be deemed to have entered into the required SCCs as the data exporter with the receiving party as the data importer, and such transfers shall be subject to those SCCs.
Transfers of Swiss Personal Data. To the extent that a party transfers personal data subject to the FADP, the 2021 EU Standard Contractual Clauses with a “Swiss finish” shall form part of this DPA and take precedence over the rest of this DPA for such transfer to the extent of any conflict.
Transfers of Personal Data from Argentina to outside of Argentina. To the extent that provision of the Services involves the transfer of personal data from Argentina to outside of Argentina (either directly or via onward transfer) to a jurisdiction that does not have adequate legislation in the terms of article 12 of Law No. 25,326 and its regulatory Decree No. 1558/01, then the parties shall be deemed to have entered into the required Argentinian Model Clauses, and such transfers shall be subject to those Model Clauses. The roles of the parties and the description of transfers, for the purposes of Annex A to the Argentinian Model Clauses, is set out in Appendix A.
6. Controller-Processor Terms
The Controller-Processor Terms set forth in this Section 6 shall apply only in connection with Customer's use of the Processor Services and Provider's processing of personal data in connection therewith.
6.1 Processing of Customer Personal Data
6.1.1 Relationship of the Parties. The parties acknowledge and agree that with regard to the processing of personal data for Processor Services: (a) Customer is a controller or processor, as applicable, of the personal data under Applicable Data Protection Law; (b) Provider is a processor of the personal data under Applicable Data Protection Law or, where Customer is a processor, Provider is a sub-processor of the personal data under Applicable Data Protection Law; and (c) each party shall comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of personal data. If Customer is a processor, Customer represents and warrants to Provider that Customer's instructions and actions with respect to personal data, including its appointment of Provider as another processor, have been authorised by the relevant controller and that such controller is organised in the European Union and/or Switzerland and capable of acting as a data exporter or is acting upon the instruction of a controller that is or is otherwise categorised as a qualified exporter under Clause 13(a) of the SCCs.
6.1.2 Customer's Instructions. For the purposes of this DPA and, if applicable, the SCCs, Customer instructs Provider to process personal data for the following purposes: (i) to store and use data as described more fully in the Agreement and any applicable descriptions of the Processor Services, (ii) to analyse data to maintain and improve the service, and (iii) to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms and conditions of the Agreement, this DPA, and Applicable Data Protection Law. This DPA and the Agreement constitute Customer's complete and final instructions to Provider for the Processing of Customer personal data. Any additional instructions that are inconsistent with the terms of the Agreement or this DPA must be agreed upon separately in a writing signed by authorised representatives of both parties.
6.1.3 Provider's Processing of Personal Data. In connection with Customer's use of the Processor Services, Provider shall only process personal data on behalf of and in accordance with Customer's instructions and otherwise in accordance with the requirements of Applicable Data Protection Law. Provider shall not retain, use, or disclose personal data collected pursuant to the Agreement outside the direct relationship between the Provider and Customer, unless expressly permitted by Applicable Data Protection Law. Provider shall not sell personal data or disclose personal data for the purposes of cross-contextual or targeted advertising. Customer's instructions for the Processing of personal data by Provider shall comply with all Applicable Data Protection Law. Provider shall notify Customer after Provider makes a determination that it can no longer meet its obligations under U.S. Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of the personal data and the means by which Customer acquired such personal data. Customer agrees that Provider may and instructs Provider to transfer data to sub-processors in third countries under adequate protections equal to those found herein, including any SCCs.
6.1.4 Security of Processing. Provider shall secure Customer's personal data by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required under Applicable Data Protection Law. Such measures include those set forth in the Security, Privacy and Architecture Documentation. Provider shall not materially decrease the overall security of the Services during the term of the Agreement.
6.1.5 Personal Data Breach Notification. Provider shall notify you without undue delay after it becomes aware of a personal data breach. To the extent such personal data breach is caused by a violation of the requirements of this DPA by Provider, Provider shall make reasonable efforts to identify and remediate the cause of such personal data breach. Any notification of a personal data breach provided hereunder shall not be construed as an acknowledgement by Provider of any fault or liability in connection with the personal data breach. Further, Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any personal data breach.
6.2 Compliance Assistance. To the extent required by Applicable Data Protection Law, Provider agrees to provide you with reasonable assistance in ensuring compliance with your obligations pursuant to Applicable Data Protection Law, including (i) assisting in your compliance with automated decision-making technology requirements; (ii) Articles 32 to 36 of the GDPR (and UK GDPR) and Articles 5, 6, 10, 38 and 46 of the LGPD or equivalent provisions under the FADP, taking into account the nature of Provider's processing and the information available to Provider; and (iii) Upon request from you, providing commercially reasonable assistance to you by appropriate technical and organisational measures, insofar as this is possible, in relation to handling of a Data Subject's request for exercising Data Subject's rights set forth in Applicable Data Protection Law, including Chapter III of the GDPR (and UK GDPR) and Article 18 of the LGPD or equivalent provisions under the FADP, taking into account the nature of Provider's processing of personal data and solely to the extent you are unable to fulfil such requests through the Services. You shall be responsible for any costs arising from Provider's provision of such assistance.
6.3 Data Subject Requests. If Provider receives a request from a data subject in relation to personal data, Provider shall direct the data subject to submit his or her data subject request to Customer, and Customer shall be responsible for responding to such request. To the extent required by Applicable Data Protection Law, Provider shall assist Customer in fulfilling such requests with respect to the personal data Provider maintains on behalf of Customer.
6.4 Government Requests. Provider shall notify Customer about any legally binding request for disclosure of the personal data by a law enforcement or other public authority unless otherwise prohibited.
6.5 Deletion of Customer Personal Data. Provider shall delete all Customer personal data and copies thereof upon the request of Customer either: a) following either the discontinuation of the applicable Service, or termination or expiration of the Agreement, or b) upon the request of Customer following either the discontinuation of the applicable Service or termination or expiration of the Agreement. Deletion of Customer Personal Data shall not apply if otherwise required by Applicable Data Protection Law and/or Customer's instructions. Provider shall only delete Customer personal data associated with the Processor Services to the extent that Customer is the sole originating source of such Customer personal data. The parties agree that the certification of the deletion of Customer personal data shall be provided by Provider to Customer upon Customer's request at such times and in such manner as the Customer prescribes.
6.6 Audits. Subject to Applicable Data Protection Law requirements, prohibitions, and permissions, you have the right to take reasonable and appropriate steps to (i) ensure that Provider uses the personal data that it collects pursuant to the Agreement in a manner consistent with your obligations under Applicable Data Protection Laws; and (ii) stop and remediate Provider’s unauthorized use of personal data. Provider shall make available to you all information necessary to demonstrate compliance with its obligations under Applicable Data Protection Law, as required by Applicable Data Protection Law. Upon your written request at reasonable intervals, Provider shall provide a copy of Provider's then most recent summaries of third-party audits or certifications or other documentation, as applicable, that Provider generally makes available to its Customers at the time of such request. The parties agree that the audit rights described in Article 28 of the GDPR, UK GDPR, and/or equivalent provisions under the FADP and, where applicable, as stipulated in the SCCs, shall be satisfied by Provider's provision of such summaries and/or reports. Provider shall provide assistance to Customer for Customer’s completion of Customer’s cybersecurity audits and risk assessments, as required under U.S. Data Protection Law.
6.7 Provider Personnel
6.7.1 Confidentiality. Provider shall ensure that its personnel engaged in the processing of personal data are informed of the confidential nature of personal data, have received appropriate training on their responsibilities, and have either executed written confidentiality agreements no less protective than the confidentiality provisions set forth in the Agreement or are under an appropriate statutory obligation of confidentiality. Provider shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
6.7.2 Limitation of Access. Provider shall ensure that Provider's access to personal data is limited to those personnel who require such access to perform under the Agreement.
6.7.3 Data Protection Officer. Provider has appointed a data protection officer where such appointment is required by Applicable Data Protection Law. The appointed person may be reached at dpo@rocketscience.gg.
6.8 Sub-Processors
6.8.1 General Authorization. To the extent required by Applicable Data Protection Law, you generally authorize Provider to subcontract processing of personal data under this DPA to Sub-processors (and permit each Sub-processor appointed in accordance with this Section 6.8 to appoint Sub-processors). Provider may continue to use those Sub-processors already engaged by Provider as at the date of this DPA as specified here, provided that Provider: (a) provides Customer with information about the Sub-processor(s) as may be reasonably requested by Customer from time to time; (b) flows down its obligations under this DPA to such Sub-processor, such that the processing requirements of such Sub-Processor with respect to Customer's personal data are no less onerous than the processing requirements of Provider as set forth in this DPA; and (c) shall be fully liable to Customer for the performance of the Sub-Processor's obligations under this DPA if such Sub-Processor fails to fulfil its data protection obligations. You agree that Provider has general written authorization to appoint sub-processors under the SCCs.
6.8.2 New Sub-Processors. Provider shall inform you of any intended changes concerning the addition or replacement of Sub-processors and provide you with five (5) business days to make reasonable objections to any new Sub-processors. In the event you reasonably object to a new Sub-processor, you may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services that cannot be provided by Provider without the use of the objected-to Sub-processor by providing Provider with written notice provided that all amounts due under the Agreement shall be duly paid to Provider.
6.8.3 Sub-Processor Agreement. The parties agree that if copies of Provider's agreements with a Sub-Processor must be sent by Provider to Customer pursuant to Applicable Data Protection Law, such copies may have all commercial information and provisions unrelated to this DPA redacted by Provider beforehand; and, that such copies shall be provided by Provider only upon reasonable request by Customer.
6.9 Transfers of Personal Data
6.9.1 General Obligations for Transfer of Data. Either party may transfer personal data to third countries if such transfer complies with the provisions for the transfer of such data set forth in Applicable Data Protection Law.
6.9.2 Customer agrees that Provider may and instructs Provider to transfer data to sub-processors in third countries under adequate protections equal to those found herein, including any SCCs. Provider may enter agreements as necessary to fulfil the requirements laid down herein.
6.9.3 Transfers of EEA Personal Data to Provider. To the extent that Customer transfers personal data subject to EU Data Protection Law to Provider, then Customer shall be deemed to have entered into the required SCCs as the data exporter with Provider as the data importer, and such transfers shall be subject to those SCCs.
6.9.4 Transfers of Brazilian Personal Data to Provider. To the extent that Customer transfers personal data subject to the LGPD to Provider, then Customer shall be deemed to have entered into the required SCCs as the data exporter with Provider as the data importer, and such transfers shall be subject to those SCCs.
6.9.5 Transfers of Swiss Personal Data. To the extent that a party transfers personal data subject to the FADP, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA for such transfer to the extent of any conflict.
6.9.6 Transfers of Personal Data from Argentina to outside of Argentina. To the extent that the provision of the Services involves the transfer of Personal Data from Argentina to outside of Argentina (either directly or via onward transfer) to a jurisdiction that does not have adequate legislation in the terms of article 12 of Law No. 25,326 and its regulatory Decree No. 1558/01, then Customer shall be deemed to have entered into the required Argentinian Model Clauses as the data exporter with Provider as the data importer, and such transfers shall be subject to those Model Clauses. The description of transfers, for the purposes of Annex A to the Argentinian Model Clauses, is set out in Appendix A.
7. Changes to this DPA
7.1 Provider may update the terms of this Addendum, including the designation of Controller Services and Processor Services in Section 3, from time to time, including, but not limited to: (a) as set forth in the applicable Agreement; (b) as required to comply with Applicable Data Protection Law, applicable regulation, court order, or regulatory guidance; or (c) to add new Additional Terms for Other-Applicable Data Protection Law. If such update shall have a material adverse impact on Customer, as reasonably determined by Provider, then Provider shall use reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with Applicable Data Protection Law) before the change shall take effect, or to obtain the consent of the Customer if required under applicable law. If Customer objects to any such change, Customer may terminate this DPA by giving written notice to Provider within 30 days of being informed by Provider of the change.
8. Additional Terms for Other-Applicable Data Protection Laws
8.1 The parties acknowledge that data protection laws in addition to Applicable Data Protection Law may apply to the parties' processing of personal data.
8.2 Japan. This Section of this DPA applies to all transfers and provisions of Personal Information or Personal Data from Customer to Provider as contemplated by the Agreement if the Personal Information or Personal Data is regulated under the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015 and thereafter) ('APPI'), including where applicable, rules, guidance and codes of practices issued by the regulatory bodies of Japan hereinafter, "Japanese Data Protection Laws." Terms not otherwise defined in Section 2 shall have the meaning ascribed to it by the Japanese Data Protection Laws.
8.2.1 Controller Services. To the extent Controller Services listed under Section 3.1 are subject to Japanese Data Protection Laws, Provider, as a Business Operator Handling Personal Information, is responsible for the handling of Personal Information or Personal Data in its possession. Customer is responsible for providing any consents and notices required to permit (a) Customer's use and receipt of the Controller Services and (b) Provider's accessing, storing, and processing of data provided by Customer (including Personal Information or Personal Data, if applicable) under the DPA. Additionally, Customer agrees to obtain the consent of each principal to the Provision of Personal Data to a Third Party including those in a Foreign Country as contemplated under this DPA by providing necessary information for the principal to give consent thereto, if and to the extent required under the Japanese Data Protection Laws.
8.2.1.1 Purpose of Use. The Customer shall permit Provider to utilise the Personal Information or Personal Data within the scope of the Permitted Purpose as stated under Section 5.2 Purpose of Processing.
8.2.1.2 Compliance. Provider and the Customer shall warrant that the necessary proceedings under the Japanese Data Protection Laws have been implemented, including, without limitation, (i) the recording of any transfer of Personal Data or Personally Referable Information to a Third Party or receipt of Personal Data from a Third Party and (ii) disclosing, correcting, adding or deleting the contents of, ceasing utilisation of, erasing, or ceasing the third-party provision of Retained Personal Data or other relevant information upon the request from the data subjects, when meeting the requirements under the Japanese Data Protection Laws.
8.2.1.3 Safety Measures. Provider and the Customer shall comply with Japanese Data Protection Laws and take necessary measures for the management of Personal Information or Personal Data.
8.2.1.4 In the case that the Customer provides Personal Information or Anonymously Processed Information, or Pseudonymously Processed Information or Personally Referable Information under Japanese Data Protection Laws to Provider in effecting the Permitted Purpose, the Customer shall specify to that effect in advance. In the case that the Customer provides Anonymously Processed Information or Pseudonymously Processed Information to Provider in effecting the Permitted Purpose, the Customer shall warrant that the proceedings under the Japanese Data Protection Laws have been implemented with respect to the Anonymously Processed Information or Pseudonymously Processed Information in order to qualify as such.
8.2.1.4.1 Provider shall, if the data have been provided in accordance with Section 8.2.1.4, comply with Japanese Data Protection Laws and take any measures required thereof for the management of the applicable data.
8.2.1.4.2 If the Personally Referable Information is to become Personal Data to Provider, Customer shall confirm that Provider has obtained consent from the data subjects or obtain such consent from the data subjects on Provider's behalf when it provides the Personally Referable Information to Provider.
8.2.1.5 Provider shall at all times implement appropriate technical, physical, personnel and organisational measures designed to safeguard Personal Information or Personal Data as required by Japanese Data Protection Laws.
8.2.2 Processor Services. To the extent that Processor Services listed under Section 3.2 is subject to Japanese Data Protection Laws the definition of "processor" includes an entity entrusted by the Business Operator Handling Personal Information with the handling of Personal Information or Personal Data in whole or in part within the scope necessary for the achievement of the purpose of utilisation (also a "trustee"), as described under Japanese Data Protection Laws. Customer may exercise necessary and appropriate supervision over the trustees including subcontractors to ensure the proper security management of the Personal Information or Personal Data.
8.2.2.1 Customer is responsible for providing any consents and notices required to permit (a) Customer's use and receipt of the Processor's Services and (b) Provider's accessing, storing, and processing of data provided by Customer (including Personal Information or Personal Data, if applicable) under the DPA. Additionally, Customer agrees to obtain the consent of each principal to the Provision of Personal Data to a Third Party including those in a Foreign Country as contemplated under this DPA by providing necessary information for the principal to give consent thereto, if and to the extent required under the Japanese Data Protection Laws.
8.2.2.2 To the extent required by Japanese Data Protection Laws, Sections 8.2.1.1 to 8.2.1.5 are incorporated by reference as if fully stated forth herein.
8.3 South Korea. This Section of this DPA applies to all transfers and provisions of Personal Information from Customer to Provider as contemplated by the Agreement if the personal information is within the scope of the Personal Information from Customer and Provider from South Korea as contemplated by the Agreement. Terms not otherwise defined in Section 2 shall have the meaning ascribed to it by the Personal Information Protection Act, the Enforcement Decree and the Enforcement Rule thereof, the Standards on Measures to Ensure Personal Information Security (Personal Information Protection Commission Notification No. 2020-2), the Standard Guidelines on Protection of Personal Information (Personal Information Protection Commission Notification No. 2020-1), including where applicable rules, guidance and codes of practices issued by the regulatory bodies of South Korea. Hereinafter referred to as "Korean Data Protection Laws."
8.3.1 To the extent Controller Services listed under Section 3.1 is subject to Korean Data Protection Laws the Customer is solely responsible for obtaining any consents and giving any notices required to permit (a) Customer's use and receipt of the Services and (b) Provider's accessing, storing, and processing of data provided by Customer (including Personal Information, if applicable) under the Agreement and this DPA. Additionally, Customer agrees to obtain the consent of each Data Subject for such third party provision and/or international data transfer as contemplated under this DPA if and to the extent required under the Korean Data Protection Laws.
8.3.1.1 The Customer shall permit Provider to utilize the Personal Information within the scope of the Permitted Purpose as stated under Section 5.2 Purpose of Processing.
8.3.1.2 Provider and the Customer shall warrant that the proceedings under the Korean Data Protection Laws have been implemented.
8.3.1.3 Provider and the Customer shall comply with Korean Data Protection Laws and take necessary measures for the management of Personal Information.
8.3.1.4 In the case that the Customer provides data containing personal information, Anonymised, or Pseudonymized Information under the Korean Data Protection Laws to Provider in effecting the Permitted Purpose, the Customer shall specify to that effect in advance. In the case that the Customer provides Anonymised or Pseudonymised Information to Provider in effecting the Permitted Purpose, the Customer shall warrant that the proceedings under the Korean Data Protection Laws have been implemented with respect to Anonymised or Pseudonymised Information.
8.3.1.4.1 Provider shall, if the data have been provided in accordance with Section 8.3.1.4, comply with Korean Data Protection Laws and take any measures required for the management of the data.
8.3.1.5 Provider shall at all times implement appropriate technical and organizational measures designed to safeguard Personal Information as required by Korean Data Protection Laws.
8.3.2 To the extent that Processor Services listed under Section 3.2 is subject to Korean Data Protection Laws the Customer hereby entrusts Provider as a Service Provider and Provider hereby agrees to provide the processing of personal information related to the services listed under Section 3.2.
8.3.2.1 Service Provider shall perform personal information processing for the Processor Services listed under Section 3.2 in accordance with the terms and conditions of this DPA.
8.3.2.2 Unless otherwise approved by the Customer in advance, Service Provider may not transfer or re-entrust all or a part of its rights and obligations hereunder to a third party. If Service Provider enters into an entrustment agreement with a third party in connection with this DPA, Service Provider shall inform and consult with the Customer prior to the execution of entrustment agreement.
8.3.2.3 Service Provider shall take managerial and technical measures necessary for securing safety of the personal information pursuant to Articles 23(2), 24(3) and 29 of the Personal Information Protection Act, Articles 21 and 30 of the Enforcement Decree thereof and the Standards on Measures to Ensure Personal Information Security (Personal Information Protection Commission Notification No. 2020-2).
8.3.2.4 Service Provider shall not use the personal information beyond the scope of the tasks entrusted hereunder or disclose or divulge the personal information to any third party during the term of this DPA as well as after the termination of this DPA. Upon the termination or expiration of this DPA, Service Provider shall destroy or promptly return to the Customer the personal information in its possession regarding the tasks entrusted hereunder pursuant to Article 16 of the Enforcement Decree of the Personal Information Protection Act and the Standards on Measures to Ensure Personal Information Security (Personal Information Protection Commission Notification No. 2020-2). If Service Provider destroys the personal information in accordance with the above, Service Provider shall give notice thereof to the Customer without undue delay.
8.3.2.5 The Customer may supervise Service Provider in connection with the following matters, and Service Provider shall reasonably comply with such supervision:
Status of personal information processing
Status of those who can access personal information and their access logs
Compliance with provisions prohibiting use or third-party transfer of personal information outside the scope of intended purpose or re-entrustment
Enforcement of necessary measures for securing safety, such as encryption, etc.
Other necessary matters for the protection of personal information
8.3.2.6 The Customer may reasonably request documentation to inspect the status of the matters set forth in Section 8.3.2.5 above and require the Service Provider to make necessary corrections thereto. Service Provider shall make commercially reasonable efforts to comply with such requests and make such corrections unless it has a justifiable reason.
8.3.2.7 The Customer reserves the right to conduct training for Service Provider once a year in order to prevent loss, theft, leakage, alteration or damage of personal information, and Service Provider agrees to attend such training by the Customer.
8.3.2.8 The details of the training under Section 8.3.2.7 above, including the time and method, shall be implemented upon consultation between the Customer and Service Provider as necessary.
8.3.2.9 Either party shall indemnify the other party, data subject or any third party for any damages due to the breach of this Section 8.3 by itself or its officer, employee or trustee, or any damages due to termination of this DPA for causes attributable to itself or its officer, employee or trustee.
8.3.2.10 With respect to Section 8.3.2.9 above, if the other party compensates for all or a part of the damage incurred by the data subject or other third party, the other party has the right to claim reimbursement from the offending party.
8.4 Singapore. This Section of this DPA applies to all transfers and disclosures of Personal Data from Customer to Provider as contemplated by the Agreement if the personal data is within the scope of Singapore's Personal Data Protection Act 2012 (No. 26 of 2012), including where applicable, rules, guidance and codes of practices issued by the regulatory bodies of Singapore hereinafter, "Singapore Data Protection Laws". Terms not otherwise defined in Section 8.4 shall have the meaning ascribed to it by the Singapore Data Protection Laws.
8.4.1 To the extent Controller Services listed under Section 3.1 are subject to Singapore Data Protection Laws, Customer is responsible for any consents and notices required to permit (a) Customer's use and receipt of the Controller Services and (b) Provider's accessing, storing, and processing of data provided by Customer (including Personal Data, if applicable) under the Agreement and this DPA. Additionally, Customer agrees to obtain the consent of each Data Subject to an International Data Transfer as contemplated under this DPA if and to the extent required under the Singapore Data Protection Laws. Personal Information may be transferred, as necessary, world-wide to provide the Controller Services under the Agreement.
8.4.1.1 Purpose. Provider shall comply with all its obligations under the PDPA at its own cost. Provider shall only process, use, or disclose Customer Personal Data: Strictly within the scope of the Permitted Purpose as stated under Section 5.2 Purpose of Processing of fulfilling its obligations and providing the services required under the Agreement; With the Customer's prior written consent; or When required by law or an order of court, but shall notify the Customer as soon as practicable before complying with such law or order of court at its own costs.
8.4.1.2 Accuracy and Correction of Personal Data. Where the Customer provides Customer Personal Data to Provider, the Customer shall make reasonable effort to ensure that the Customer Personal Data is accurate and complete before providing the same to Provider. Provider shall put in place adequate measures to ensure that the Customer Personal Data in its possession or control remains or is otherwise accurate and complete. In any case, Provider shall take steps to correct any errors in the Customer Personal Data, as soon as practicable upon the Customer's written request.
8.4.1.3 Protection. Provider shall protect Customer Personal Data in Provider's control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent unauthorized or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of Customer Personal Data, or other similar risks.
8.4.1.4 Retention limitation. Provider shall not retain Customer Personal Data (or any documents or records containing Customer Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of this Agreement and this DPA.
8.4.1.5 Policies on personal data protection. Provider shall ensure that its employees, agents and subcontractors who may receive or have access to any of Customer Personal Data are aware of the obligations specified under this clause and agree to abide by the same.
8.4.1.6 Access. Provider shall provide the Customer with access to the Customer Personal Data that Provider has in its possession or control, as soon as practicable upon Customer's written request.
8.4.1.7 In the case that the Customer provides Personal Information or Anonymously Processed Information under Singapore Data Protection Laws to Provider in effecting the Purpose, the Customer shall specify to that effect in advance. In the case that the Customer provides Anonymously Processed Information to Provider in effecting the Purpose, the Customer shall warrant that the proceedings under the Singapore Data Protection Laws have been implemented with respect to the Anonymously Processed Information.
8.4.1.7.1 Provider shall, if the data have been provided in accordance with Section 8.4.1.7, comply with Singapore Data Protection Laws and take any measures required for the management of the data.
8.4.2 To the extent that Processor Services listed under Section 3.2 is subject to Singapore Data Protection Laws the definition of "processor" includes a "data intermediary" as described under Singapore Data Protection Laws. Customer may exercise necessary and appropriate supervision over the data intermediary to ensure proper security management of the personal data.
8.4.2.1 Customer is responsible for any consents and notices required to permit (a) Customer's use and receipt of the Processor's Services and (b) Provider's accessing, storing, and processing of data provided by Customer (including Personal Information, if applicable) under the Agreement and this DPA. Additionally, Customer agrees to obtain the consent of each Data Subject to an International Transfer as contemplated under this DPA if and to the extent required under the Singapore Data Protection Laws. Personal Information may be transferred, as necessary, world-wide to provide the Processor Services under the Agreement and this DPA.
8.4.2.1.1 Sections 8.4.1.2 to 8.4.1.6 are incorporated by reference as if fully set forth herein.
8.5 United States — Executive Order 14117 (Data Security Program). Provider shall, to the extent applicable and necessary, implement and maintain administrative, technical, and physical safeguards designed to prevent unauthorized access to U.S. Sensitive Personal Data and Government-Related Data by any Country of Concern or Covered Person.
APPENDIX A
Appendix A - Module One - ANNEX I - Controller-Controller Services
Appendix A - Module Two - ANNEX I to Controller-Processor SCCs
Appendix A - Module Four - ANNEX I to Processor-Controller SCCs