Data Processing Addendum

Updated: January 2025

THIS ADDENDUM is made as of the Effective Date of the main Agreement (“Effective Date”).

BETWEEN:

(1) The company listed on the applicable governing agreement in which this addendum is incorporated by reference, together with its affiliates, each of which will be treated as a party to this data processing addendum (“Company”); and

(2) ADMARKETPLACE INC., a Company with its place of business at 90 Park Avenue, 11th Floor, New York, NY 10016 (“Service Provider”),

together the “Parties” and each a “Party”, as supplemental to the Agreement of the Parties (referred to as “the Agreement”). This Addendum shall be an integral part of the Agreement.

1.  DEFINITIONS

For the Purposes of this Addendum:

  1. "Personal Data", "special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meanings given to them in the Regulation (or where the same or similar terms are used under another applicable Data Protection Law, the meanings given to such terms under such Data Protection Law).
  2. "European Personal Data" means personal data of natural persons subject to the Regulation.
  3. "U.S. Personal Information" means any information that relates to, is capable of being associated with, or could be linked, directly or indirectly, with a particular United States resident or household.
  4. “DPF” means the EU-US Data Privacy Framework and/or the UK Extension to the EU-US Data Privacy Framework and/or the Swiss Extension to the EU-US Data Privacy Framework, as applicable or relevant (locus of Personal Data prior to transfer).
  5. “Data Protection Laws” means any and all privacy, security and data protection laws and regulations that apply to the Personal Data Company has access to under the Agreement, including without limitation (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national laws made under or pursuant to (i) or (ii); (iv) the Federal Data Protection Act of 19 June 1992 (Switzerland); (v) the United Kingdom Data Protection Act 2018; (vi) the United Kingdom (“UK”) version of the GDPR which is part of United Kingdom law by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (vii) U.S. State privacy laws (collectively “State Privacy Laws”) including without limitation California Consumer Privacy Act, Cal. Civ. Code §1798.100, et seq. as amended by the California Privacy Rights Act (“CCPA”); the Colorado Privacy Act, C.R.S. §6-1-1301, et seq. and the Connecticut Data Privacy Act CTDPA § 1, et seq.
  6. "Regulation" or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation).
  7. "SOC2" means the Service Organization Control 2 certification, a framework designed by the internationally recognized forum for global standards, AICPA, to ensure service providers manage data securely to protect the privacy and interests of qualified data types.
  8. “Subprocessor” means any entity engaged with the Service Provider to process Personal Data in connection with the services.

2.  ROLE OF THE PARTIES

The Parties agree that Company is the controller and Service Provider is the processor of all Personal Data processed by Service Provider on Company's behalf under the Agreement ("Company Personal Data") and that Company is the business and Service Provider is the service provider or processor (as applicable) of all U.S. Personal Information processed by Service Provider on Company’s behalf under the Agreement (collectively, "Company Data"). The details of the processing activities to be carried out by Service Provider on behalf of Company are specified in Schedule 1.

3.  OBLIGATIONS OF SERVICE PROVIDER

Service Provider warrants and undertakes that:

  1. it will have in place and maintain throughout the term appropriate technical and organizational security measures to protect Company Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing, which technical and organizational security measures will be commensurate with the nature of Company Data to be protected and with regard to the state of the art and cost of implementation, the nature, scope, context and purposes of the Processing; more specifically, the Service Provider will maintain its industry-recognized SOC2 certification as part of its commitment to high standards of data security;
  2. it will have in place procedures so that any third-party it authorises, to the extent permitted by this Addendum,  to  have  access  to  Company  Data,  including  its  sub-contractors, will respect and maintain the confidentiality and security of Company Data;
  3. it  will  process  the  Company  Data  only  on  behalf  of  Company  and  in  compliance  with  its documented instructions and this Addendum and within the scope and for the specific purpose of performing  the  works  under  the  Agreement  unless  otherwise  required  by,  with  respect  to European Personal Data, European Union or European Member State law, or, with regard to U.S. Personal  Information,  for  the  purpose  of  detecting  security  incidents  or  protecting  against fraudulent or illegal activity or required by U.S. law to which Service Provider is subject in which case  it  shall  notify  Company  as  soon  as  that  law  permits  it  to  do  so,  and Service Provider warrants that it has the legal authority to give the warranties and fulfil the undertakings set out hereunder;
  4. it will identify to Company a contact point within its organisation authorised to respond to Security Breach(es)  (as  defined  below),  and  enquiries  concerning  processing  of  Company  Data.  The contact point for Service Provider will be:

    Name: George Pappachen
    Designation: Data Protection Officer
    Email address: privacy@admarketplace.com
  1. it will keep a record of all processing activities carried out on behalf of Company;
  2. it  will  cooperate  in  good  faith  with  Company,  the  data  subject  and  the  supervisory  authority concerning all enquiries regarding the processing of Company Data within a reasonable time;
  3. it  has  no  reason  to  believe  that  the  legislation  applicable  to  it  prevents  it  from  fulfilling  the instructions  received  from  Company  and  its  obligations  under the Agreement and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties  and  obligations  provided  by  this  Addendum,  it  will  promptly  notify  the  change  to Company as soon as it is aware, in which case Company is entitled to suspend the transfer of data and/or terminate the Agreement;
  4. it will without undue delay notify Company if it becomes aware of:
    • any legally binding request for disclosure of Company Data by a law enforcement authority unless  otherwise  prohibited,  such  as  a  prohibition  under  criminal  law  to  preserve  the confidentiality of a law enforcement investigation;
    • any  actual  or suspected security breach, accidental or unauthorised access or unlawful processing, misappropriation, loss of, damage to or destruction of or other compromise of the security, confidentiality, or integrity of Company Data processed by Service Provider or a sub-contractor ("Security Breach"); or
    • any  complaint,  communication  or  request  received  directly  by  Service  Provider  or  a sub-contractor from a data subject without responding to that request, unless it has been otherwise  authorised  to  do  so,  in  which  case,  it  shall  provide  Company  with  full co-operation and assistance in relation to any such complaint or request;
  5. upon discovery of any Security Breach, it shall:
    • immediately take action to prevent any further Security Breach;
    • provide Company with full and prompt cooperation and assistance in relation to any notifications that Company is required to make as a result of the Security Breach; and
    • notify the Company of any Security Breach without undue delay and in no event later than seventy two (72) hours;
  6. it  shall  ensure  all  employees  (and,  to  the  extent  permitted  under  this  Addendum,  agents  or sub-contractors): (i) are informed of the confidential nature of Company Data and are obliged to keep such Company Data confidential; (ii) have undertaken training relating to handling personal data and U.S. Personal Information; and (iii) are aware both of Service Provider's duties and their personal  duties  and obligations under this Addendum. Service Provider shall take reasonable steps  to  ensure  the  reliability  of  any  of  Service  Provider's  employees  who  have  access  to Company Data;
  7. it shall not disclose Company Data whether directly or indirectly to any data subject, person, firm, or other Company entities without the written consent of Company except to those of its employees who are engaged in the processing of the data and are subject to the binding obligations referred to in clause 3(j) above, except when legally required under Data Protection Laws; and
  8. it will provide Company with full and prompt cooperation and assistance in relation to any complaint, communication or request received from a data subject and in relation to any data protection impact assessment or regulatory consultation that Company is legally required to make in respect of Company Data.

4.  INTERNATIONAL DATA TRANSFERS

The Parties agree that in providing the Services under the Agreement, Personal Data may be transferred from ‘European Territories’ (for reference purposes only, this term is to include the UK and/or Switzerland, as or if applicable) to the United States or other territory(ies) whose level of protection for Personal Data differs from that of the European Territories. Where such a transfer occurs in furtherance of the purposes under the Agreement, such transfer (where Company is Data Exporter and Service Provider is Data Importer) shall be subject to the DPF or the appropriate Standard Contractual Clauses, as below.

  1. In regard to transfers of Personal Data from the European Territories to the United States, the DPF will be applicable and serve as the transfer mechanism if the data importer herein is certified under the DPF. In such case, the DPF certified data importer will be listed in the DPF registry (https://www.dataprivacyframework.gov/) as a certified registrant that is active and compliant with the DPF. In this case, the obligations, rights, responsibilities, liabilities, protocols (including the dispute resolution process and approved forums), and any other rules of the DPF shall apply and supersede any other competing or conflicting mechanism, framework, or rules. The Service Provider represents that it holds a valid DPF certification and will maintain such certification for the duration of this Agreement, including re-certification as required to remain active and compliant.
  2. In  relation  to  Company  Personal  Data  that  is  protected by the EU GDPR, the EU SCCs will apply completed as follows:
    • Module Two will apply;
    • in Clause 7, the optional docking clause will apply;
    • in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in this DPA;
    • in Clause 11, the optional language will not apply;
    • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Luxembourg;
    • in Clause 18(b), disputes shall be resolved before the courts of Luxembourg;
    • Annex I A (List of Parties) shall be deemed completed with the information of the Parties to this DPA and as specified in Schedule 2 to this DPA; and
    • Annex I B (Description of Transfer) shall be deemed completed with the information set out in Schedule 2 to this DPA; and
    • Annex I C: The competent supervisory authority shall be the National Commission for Data Protection of the Grand-Duchy of Luxembourg; and
    • Annex II shall be deemed completed with the information set out in Schedule 3 to this DPA;
  3. in relation to Company Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
    • Where Company and Service Provider are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information  Commissioner’s  Office  under  s.119A(1) of the Data Protection Act 2018, then:
    • The EU SCCs, completed as set out above shall also apply to transfers of Company Personal Data, subject to sub-clause (B) below; and
    • The UK Addendum shall be deemed executed between Company and Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Processor Personal Data;
    • If  sub-clause  (i)  does  not  apply,  then  Company  and  Processor shall cooperate in good faith to implement appropriate safeguards for transfers of the relevant Company Personal Data as required or permitted by the UK GDPR without undue delay;
  4. in relation to Company Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Clause 5(a) amended as follows:
    • references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
    • references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA,
    • references  to  ‘EU’,  ‘Union’  and  ‘Member  State’  will  be  deemed  replaced  with ‘Switzerland’,
    • references  to  the  ‘competent  supervisory  authority’  and  ‘competent  courts’  are replaced  with  the  ‘Swiss  Federal  Data  Protection  Information  Commissioner’  and ‘applicable courts of Switzerland’ (as applicable),
    • in Clause 17, the EU SCCs will be governed by the laws of Switzerland, and
    • in  Clause  18(b),  disputes  shall  be  resolved  before  the  competent  courts  of Switzerland;
  5. in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

5.  AUDIT RIGHTS

Company shall have the right to review the Service Provider's SOC2 report to verify ongoing compliance with established standards. Access to the SOC 2 report shall be conditioned upon the Company’s agreement to maintain the confidentiality of the report in accordance with the confidentiality obligations set forth in an existing agreement with Service Provider or, if no such obligations exist, under the terms of a mutually executed non-disclosure agreement. The Company may use the SOC 2 report solely for the purpose of assessing the Service Provider’s compliance and may not disclose it to any third party without prior written consent from the Service Provider. Company is entitled, on giving at least thirty (30) days' notice to Service Provider, to inspect or appoint representatives to inspect relevant documents relating to the processing of Company Data by Service Provider to examine that Service Provider is complying with its obligations under this Addendum. The requirement for notice shall not apply if Company reasonably believes that Service Provider is in breach of any of its obligations under this Addendum. Both Parties shall bear their respective costs for such audit(s). Company may conduct audits no more than once annually, and only during normal business hours, with reasonable prior notice as outlined in this Section 3, and in a manner that minimizes disruption to Service Provider’s operations.

6.  LIABILITY

The Parties acknowledge that any limitation of liability clause in the Agreement shall apply to liabilities arising out of or related to a breach of the terms of this Addendum or any failure to comply with the obligations  under  this  Addendum  by  Service  Provider  or  its  employees,  except  to  the  extent such liability cannot be limited under applicable law.

7.  SUBCONTRACTING

Service Provider shall not subcontract any of its processing operations performed specifically on behalf of Company under the Agreement without the written consent of Company. Where Service Provider subcontracts its obligations under this Addendum, with the consent of Company, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations on the sub-contractor as are imposed on Service Provider under this Addendum. Where the sub-contractor fails to fulfil its data protection obligations under such written agreement, Service Provider shall remain fully liable to Company for the performance of the sub-contractor’s obligations under such agreement and upon request it shall promptly send a copy of any agreement it concludes with a sub-contractor under this clause 7 relating specifically to Company Personal Data to Company.

8.  SUBPROCESSORS

  1. Appointment  of  Subprocessors. Controller acknowledges and agrees that Service Provider may engage third-party Sub-processors in connection with the provision of the Services. As a condition to permitting  a  third-party  Subprocessor  to  process Personal Data, Service Provider will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor.
  2. List of Current Subprocessors. A current list of Subprocessors for the Services, including the identities of those Subprocessors and their country of location, is accessible via https://www.admarketplace.com/admarketplace-subprocessors.
  3. Objection Right for New Subprocessors. Controller hereby consents to these Subprocessors, their locations and processing activities as it pertains to Personal Data. Controller may reasonably object to Service Provider’s use of a new Subprocessor by notifying Service Provider promptly in writing within thirty (30) days after the notice of the change of Subprocessors is sent. Such notice shall explain the reasonable grounds for the objection. In the event Controller objects to a new Sub-processor, Service Provider  will  use  commercially  reasonable  efforts  to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller’s configuration or use of the Services  to  avoid  Processing  of  Personal  Data  by  the  objected-to  new  Subprocessor  without unreasonably burdening Controller. If Service Provider is unable to make available such change within a  reasonable  period  of  time,  which  shall  not  exceed  thirty  (30)  days,  either  party  may terminate without penalty the applicable IOs with respect only to those services which cannot be provided by Service Provider without the use of the objected-to new Sub-processor by providing written notice to Service Provider.

9.  INDEMNITY

Service Provider agrees to indemnify and keep indemnified and defend at its own expense Company against  all  costs,  claims,  damages  or  expenses  incurred  by  Company  or  for  which Company may become liable due to any failure by Service Provider or its employees or agents to comply with any of its  obligations  under  this  Addendum.  Service  Provider’s  indemnification  obligations  under  this Addendum shall apply only to the extent of its proven gross negligence or willful misconduct and shall not exceed the liability cap set forth in the Agreement.

10.  ALLOCATION OF COSTS

Each Party shall perform its obligations under this Addendum at its own cost.

11.  TERMINATION

  1. In  the event that Service Provider is in breach of its obligations under this Addendum, or the Agreement, then Company may temporarily suspend the transfer of Company Data to Service Provider until the breach is repaired.
  2. In the event that:
    • the  transfer  of  Company  Data  to  Service Provider has been temporarily suspended by Company for longer than one month pursuant to clause 9(a);
    • compliance by Service Provider with this Addendum would put it in breach of its legal or regulatory obligations in the country where Service Provider exists;
    • Service Provider is in substantial or persistent breach of any warranties or undertakings given by it under this Addendum; or
    • a  petition  is  presented  for  the  administration  or  winding  up  of  Service  Provider, which petition is not dismissed within the applicable period for such dismissal under applicable laws;  a  winding  up  order  is  made;  a  receiver  is  appointed  over  any  of  its  assets;  a Company  voluntary  arrangement  is  commenced  by  it;  or  any  equivalent  event  in  any jurisdiction occurs;
      then Company, without prejudice to any other rights which it may have against Service Provider, shall be entitled to terminate the Agreement and this Addendum.
  3. In the event that the Agreement terminates for any reason, this Addendum shall be immediately terminated and Service Provider shall cease processing Company Data.

12.  OBLIGATION AFTER TERMINATION OF PERSONAL DATA PROCESSING SERVICES

The  Parties  agree  that  on  the  termination  of  the  provision  of  data-processing  services,  Company, Service Provider and its sub-contractors shall, at the choice of Company, return all Company Data and the copies thereof, unless anonymized, to Company or shall securely destroy all Company Data and certify  to  Company  that  it  has  done  so,  unless,  for  European  Personal  Data,  European  Union  or Member State legislation, or, for U.S. Personal Information, U.S. law imposed upon Service Provider and its sub-contractors prevents them from returning or destroying all or part of Company Data. In that case, Service Provider warrants that it will guarantee the confidentiality of Company Data and will not actively process Company Data transferred anymore.

SCHEDULE 1

DETAILS OF THE PROCESSING

The subject-matter of the processing:

In the provision of the Services as instructed by the Data Controller, Service Provider employs data collection technologies on digital properties in order to deliver ads that are relevant to users and that are intended for user engagement, e.g., clicks on ads to lead to conversions or purchases.

The duration of the processing:

Continuous and until conclusion of engagement

The nature and purpose of the processing:

Service  Provider  employs  data  collection  technologies  (such  as  advertising  tags  and  pixels)  on  digital properties (such as internet sites, mobile websites, mobile applications, and streaming platforms) that are designed to enable the collection and processing of pseudonymous data that may be Personal Data such as unique IDs associated with devices, IP addresses, general geographic data, and non-personal metadata that is associated with such pseudonymous data. Service Provider may use anonymized and aggregated data derived from Company Data for internal purposes, including improving services, provided such use complies with applicable Data Protection Laws and does not identify any individual or Company.

The types of personal data:

Service  Provider  processes  Personal  Data  that  is  pseudonymous  Personal  Data  about data  subjects (advertising  IDs,  IP  address,  general  geographic  information)  and  any  other  information  provided  by Company  to  Service  Provider  to  measure  and  report  on  data  subjects’  interactions  with  digital advertisements provided via the Services.

The categories of data subjects:

Visitors to websites, applications, and media platforms

SCHEDULE 2

DETAILS OF THE TRANSFER

Data exporter

Name: The Data Exporter is Company.

Address: As specified in the DPA above.

Contact person’s name, position, and contact details: same as contact details provided in the Agreement.

Activities  relevant  to  the  data  transferred  under  these  Clauses:  The  Service  Provider provides  support services to Company in relation to the Services under the Agreement, in the course of which it processes certain personal data as a processor.

Role: Controller

Data importer

Name: The Data Importer is Service Provider.  

Address: As specified in the DPA above.

Contact person’s name, position, and contact details: same as contact details provided in the Agreement.

Activities  relevant  to  the  data  transferred  under  these  Clauses:  The  Service  Provider provides  support services to Company in relation to the Services under the Agreement, in the course of which it processes certain personal data as a processor.

Role: Processor

APPENDIX

Technical and organisational security measures

Measures for certification/assurance of processes and products: The Service Provider will ensure continued compliance with widely adopted security standards, such as SOC2 certification it has obtained. This certification demonstrates adherence to high standards of data security and operational effectiveness.

Description of the technical and organisational security measures implemented by the data importer:

  1. Program. Company will implement and maintain a comprehensive written information security program (“Information Security Program”), which contains appropriate administrative, technical and organizational safeguards that ensures the security, integrity, availability, resilience and confidentiality of Personal Data.
  2. Access Controls. Company will: (a) abide by the “principle of least privilege,” pursuant to which Company will permit access to Personal Data by its personnel solely on a need-to-know basis; (b) promptly terminate its personnel’s access to Personal Data when such access is no longer required for performance under the Agreement; (c) log the details of any access to Personal Data.
  3. Account Management. Company will use reasonable measures to manage the creation, use, and deletion of all account credentials used to access Personal Data, including by implementing: (a) a segregated account with unique credentials for each user; (b) strict management of administrative accounts; (c) password best practices, including the use of strong passwords and secure password storage; and (d) periodic audits of accounts and credentials.
  4. Vulnerability Management. Company will: (a) use automated vulnerability scanning tools to scan systems that store Personal Data; (b) log vulnerability scan reports; (c) conduct periodic reviews of vulnerability scan reports over time; (d) use patch management and software update tools for the Company Systems; (e) prioritize and remediate vulnerabilities by severity; and (f) use compensating controls if no patch or remediation is immediately available.
  5. Encryption. Company will encrypt Personal Data, using industry standard encryption tools, that Company transmits or sends wirelessly or across public networks; Company will safeguard the security and confidentiality of all encryption keys associated with encrypted information.
  6. Pseudonymization. Company will, where possible and consistent with the Services, use industry standard and reasonable pseudonymization techniques to protect Personal Data.
  7. Physical Safeguards. Company will maintain physical access controls that secure Personal Data, including an access control system that enables Company to monitor and control physical access to Company facility, that includes 24x7 physical security monitoring systems and the use of trained and experienced security guards.
  8. Administrative Safeguards. Prior to providing access to Personal Data to any of its personnel, Company will: (a) ensure the reliability of such personnel, including by performing background screening (to the extent permitted by Data Protection Law); and (b) provide appropriate security training to such personnel to ensure such personnel can comply with the obligations under this Appendix. Company will periodically provide additional training to its personnel as may be appropriate to help ensure that Company’s Information Security Program meets or exceeds prevailing industry standards.