EMERGENETICS DATA PROCESSING ADDENDUM

 

THIS EMERGENETICS DATA PROCESSING ADDENDUM ("Addendum"), including its three exhibits, is made and entered into by and between The Browning Group International, Inc. dba Emergenetics International and its relevant affiliates, including, without limitation, STEP, LLC, Emergenetics Europe Limited, Emergenetics Caelan & Sage PTE Ltd, and Emergenetics Asia, Pte. Ltd. (collectively, "Emergenetics," "we," "us," "our") and you (the "Client" or "Partner", as applicable, each as defined below) (each a "Party" and collectively the "Parties"). This Addendum governs your Processing of Personal Data on the Emergenetics Platform. If you are accepting the terms of this Addendum on behalf of an entity, you represent and warrant to Emergenetics that you have the authority to bind that entity and its affiliates, where applicable, to the terms and conditions of this Addendum. This Addendum is effective as of the date on which you agree to it by accepting the Emergenetics User Agreement (the "Addendum Date").

 

RECITALS

 

WHEREAS, Emergenetics and you have executed an agreement for services (the "Services Agreement") involving the Processing of Personal Data (as defined below) of Data Subjects (as defined below) that the Parties now desire to amend as provided herein;

 

WHEREAS, in the course of providing services under the Services Agreement, you, as a Data Controller, Process certain Personal Data of Data Subjects;

 

WHEREAS, Emergenetics, as a Data Controller, requires that you and any subsequent Personal Data recipients who, in the course of your work with Emergenetics, may Process Personal Data, take all necessary measures to handle such information in compliance with the General Data Protection Regulation of the EU ("GDPR") and other Applicable Laws and regulations;

 

WHEREAS, whenever both Parties jointly determine the purposes and means of Processing, they shall act as Joint Controllers; and

 

WHEREAS, the Parties enter into this Addendum wishing to comply with the principles and standards for data protection as required by Applicable Laws, with respect to the Processing of Personal Data under the Services Agreement.

 

NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum and for other good and valuable consideration, the receipt and sufficiency of which the Parties both acknowledge, the Parties agree as follows:

 

DEFINITIONS

 

Capitalized terms used but not defined in this Addendum shall have the meanings assigned to them in the Services Agreement.

 

For purposes of this Addendum, the following capitalized terms shall have the meanings ascribed to them as set forth below wherever they appear within the provisions of this Addendum:

 

a)      "Applicable Laws" means all laws applicable to the Processing of Personal Data under this Addendum and the Services Agreement, including, as applicable, the GDPR, laws implementing or supplementing the GDPR, the domestic legislation of each Member State, other laws of the European Union or any Member State thereof, and the privacy and Personal Data Processing laws of any other country;

 

b)     "Client" means a legal entity with whom Emergenetics has executed the Services Agreement who uses the Platform for the benefit of its own employees, prospective employees, or other organizational team members, such as contractors;

 

c)     "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Addendum, Data Controller or Data Controllers also refers specifically to a Party or the Parties to this Addendum;

 

d)     "Data Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of a Data Controller;

 

e)     "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, commonly referred to as the General Data Protection Regulation;

 

f)       "Joint Controllers" means two or more Data Controllers that jointly determine the purposes and means of Processing;

 

g)      "Partner" means a third-party contractor filling a role as an Emergenetics Associate, Domain Administrator, Country Representative, or other applicable role on the Platform as a member of Emergenetics' network of licensed resellers of Emergenetics products and services;

 

h)     "Personal Data" means any information relating to an identified or identifiable natural person within the scope of this Addendum ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

 

i)       "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed;

 

j)       "Platform" means the Emergenetics web application(s), including Emergenetics+, ESP, or STEP, as applicable;

 

k)     "Processing" (and any iterations, such as "Processed," "Process," etc.) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

TERMS

 

The Parties agree as follows:

  1. Effective Date. The terms of this Addendum take effect on the Addendum Date and continue concurrently for the term of the Services Agreement.

 

  2. Scope. This Addendum serves as a framework for Personal Data Processing under the Services Agreement, as applicable, alone or jointly, as well as Personal Data sharing between the Parties as Data Controllers, and defines the principles and procedures that the Parties shall adhere to and the respective responsibilities of the Parties.

 

  3. Applicability. This Addendum will not apply to the Processing of Personal Data where such Processing is not regulated by the Applicable Laws.

 

  4. Controllership Representations and Warranties. Each Party represents, warrants, and covenants that:

 

a)     with respect to the Processing of Personal Data under the Services Agreement, it is a Data Controller within the meaning of this Addendum and the GDPR;

 

b)     all Personal Data has been and will be collected, transferred, and otherwise Processed in accordance with the Applicable Laws;

 

c)     it will only conduct transfers of Personal Data, where such transfers would be subject to mandatory requirements under the Applicable Laws (and no lawful exemption or derogation applies), in compliance with all applicable conditions, as laid down in the Applicable Laws; and

 

d)     it will, upon request of the respective other Party, provide that other Party with copies of all Applicable Laws or references to such laws (where relevant, and not including legal advice).

 

  5. Joint Controllership Representations and Warranties. Each Party, when acting as a Joint Controller together with the other Party, warrants and covenants that:

 

a)     it will determine its respective responsibilities for compliance with its obligations under the Applicable Laws;

 

b)     it will determine its respective responsibilities vis-a-vis Data Subjects, taking into account the circumstances of each specific Processing situation, and, where necessary, duly communicate such information to the respective other Data Controller in the Joint Controllership context;

 

c)     in consideration of the fact that Data Subjects may exercise their rights under the GDPR in respect of and against each of the Data Controllers irrespective of the terms of the arrangement between the Parties, each Data Controller in the Joint Controllership context will proactively, without having been requested to do so, provide all due assistance and information to the respective other Data Controller in the Joint Controllership context, including but not limited to forwarding requests lodged by Data Subjects to exercise their rights under Chapter III GDPR. Where a Data Controller has not fulfilled its obligation under this provision, it shall be fully liable with regard to the response, or lack thereof, to the respective request by the Data Subject to exercise his rights; and

 

d)     where a conflict of competence occurs with regard to a specific set of Processing operations in the Joint Controllership context, each Data Controller shall act in good faith to communicate and resolve said conflict with the other respective Data Controller in an amicable manner, by taking into account and respecting, firstly, the interests and rights of the respective Data Subject(s), and, secondly, the mutual interest of both Parties, so as to avoid joint and several liability, where the Parties fail to respect the rights of a Data Subject(s) because of an unresolved conflict of competence.

 

  6. Records of Processing Activities. Each Party agrees to maintain a record of Processing activities of Personal Data that it is responsible for, in accordance with Article 30 GDPR.

 

  7. Processing of Personal Data. Within the context of this Addendum, the Parties are Joint Controllers of the Personal Data of the Data Subjects. Clients and Partners each jointly control the Personal Data Processed via the Emergenetics Platform with Emergenetics. Processing of Personal Data by each of the Data Controllers within the scope of this Addendum is subject to the following:

 

a)     Processing is limited to those services and tasks outlined in the Services Agreement for services and any subsequent orders, statements of work, or work orders executed between the Parties.

 

b)     Each Data Controller shall ensure that the Processing of the Personal Data for the purposes set out in the Services Agreement is performed only on lawful grounds, as provided by Article 6 GDPR and as further limited by Article 9 GDPR, or the equivalent provisions of any Applicable Laws, as the case may be.

 

c)     The respective Data Controllers must ensure that persons they authorize to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

  8. Security of Processing. Each Party agrees to implement and maintain appropriate technical and organizational security measures to ensure that the level of security of Personal Data Processed by them is appropriate to the risk, taking into account the nature of Processing and the information available to each Party, and to be able to demonstrate that Processing is performed in accordance with Applicable Laws, and as required by Article 24 and Articles 32 to 36 GDPR.

 

  9. Data Subject Requests. Data Subject requests to exercise their rights under Applicable Law require Data Controllers to respond in an appropriate and timely way. In order to facilitate that requirement, the Parties agree to the following:

 

a)     Each Party will be responsible for responding to requests for the exercise of a Data Subject's rights under Chapter III GDPR or the equivalent provisions of other Applicable Laws, with regard to the Personal Data Processed by that Party.


b)     Each Party will designate an appropriate point of contact for Data Subject requests within its respective organization. Each Party will maintain a record of Data Subjects' requests to exercise their rights, the decisions made, the timeline of the request and response, and any information that was exchanged.

 

c)     In situations where the Parties are operating as Joint Controllers, the Parties will provide notice to each other of all such Data Subject requests they receive. Before deleting Personal Data or restricting Processing in response to a Data Subject request, each Party will obtain the approval of the other Party, which shall not be unreasonably withheld by that other Party, so as to avoid the possibility of one Party's actions causing the other Party to be in breach of this Addendum or Applicable Laws.

 

d)     The Parties agree to provide prompt and reasonable assistance to each other, if required, to enable them to comply with Data Subject requests. Each Party will ensure that its relevant privacy notices, where applicable, are published in accordance with the requirements of the GDPR and other Applicable Laws and that no conflicts exist among the Parties' privacy notices that would create confusion or mislead Data Subjects. In particular, each Party will ensure that its relevant privacy notices, where applicable, contain accurate contact information to which Data Subjects can submit requests to the respective Party to exercise their rights under the GDPR and other Applicable Laws, as the case may be.

 

  10. Personal Data Breach Notifications. In the event of a Personal Data Breach, Data Controllers have certain obligations under Applicable Laws, including notifying appropriate authorities within set timelines. The Parties agree to the following actions and requirements.

 

a)     Each Party shall provide timely notification of a Personal Data Breach to the competent supervisory authority or the affected Data Subject(s), as required by Articles 33 and 34 GDPR, or the equivalent provisions of other Applicable Laws, as the case may be. The Parties will also notify one another of a Personal Data Breach in a timely manner, if appropriate and if the other Party or its users may be affected.

 

b)     Each Party shall cooperate with the other respective Party and take all reasonable commercial steps to assist each other in the investigation, mitigation, and remediation of each such Personal Data Breach.

 

  11. Data Processors.

 

a)     Each Party shall only engage a Data Processor to Process the Personal Data on its behalf if that Data Processor provides sufficient guarantees, by way of a written contract or other legal act under European Union or Member State law, that it will implement the same data protection obligations as this Addendum and the requirements of the GDPR or relevant provisions of any Applicable Laws.

 

b)     Where that Data Processor fails to fulfill its data protection obligations, the respective Party shall remain fully liable to Data Subjects for the performance of that Data Processor's obligations.

 

 

 

  12. International Data Transfers.

 

a)     International transfers of Personal Data within the scope of this Addendum shall be conducted in accordance with the applicable terms and requirements of Exhibit B.

 

b)     Where the Standard Contractual Clauses are the applicable data transfer mechanism according to the terms and requirements set out in Exhibit B, the applicable Standard Contractual Clauses will be the clauses applicable to the role of the Parties as described in Sections 4 and 5.

 

c)     Emergenetics may update Exhibits A and C from time to time to reflect changes or additions necessary to conclude the Standard Contractual Clauses. Without limiting the generality of the foregoing, if the execution of a new version of the Standard Contractual Clauses adopted by the European Commission is later required in order for the Parties to rely on such instrument as a lawful mechanism for Restricted Transfers, the Parties are deemed to have agreed to the new version of the Standard Contractual Clauses by signing this Addendum, and, if necessary, Emergenetics shall be entitled to update Exhibits A and C accordingly.

 

d)     Emergenetics may update Exhibit C from time to time to provide for additional safeguards to Personal Data subject to Restricted Transfers. If Emergenetics updates Exhibit C, it will provide the updated Exhibit C to the Client. If the Client does not object to the updated Exhibit C within fourteen (14) days of receipt, the Client will be deemed to have consented to the updated Exhibit C.

 

  13. Liability. Without prejudice to any form of direct liability of a Party or a Data Processor in relation to Data Subjects, each Party shall be liable to the other respective non-defaulting Party for any damages the defaulting Party has caused to the non-defaulting Party by any breach of its obligations, as set out in this Addendum.

 

  14. Disputes. In the event of a dispute or claim brought by a Data Subject or an EEA or UK data protection authority concerning the Processing of Personal Data against either or both of the Parties, the Parties will promptly inform each other about any such disputes or claims and will cooperate with a view to settling them amicably and in a timely fashion.

 

  15. No Further Amendment. Except as expressly provided in this Addendum, the Parties intend no amendment or modification of the Services Agreement or any other document signed or otherwise entered into by the Parties.

 

  16. Primary Agreement. The terms of the Services Agreement, together with any addendum or supplemental agreement executed prior to this Addendum, are preserved and remain in full force and effect. To the extent that any terms of this Addendum conflict with any terms contained within the Services Agreement, the terms of this Addendum shall control with respect to the subject matter described herein.

 

  17. Contact Points for Data Protection Enquiries:

Emergenetics' Data Protection Officer ("DPO")
Steven Douglas

privacy@emergenetics.com
2 Inverness Dr East, Suite 189,

Centennial, CO 80112, USA

 

The Client shall provide the details of its contact point for data protection enquiries in the form located at: https://plus.emergenetics.com and https://esp.emergenetics.com (available upon login).

The Client warrants that it will promptly update, when necessary, all such information, and keep all such information complete and up to date.

The European Union Representative of Emergenetics pursuant to Article 27 GDPR is:

VeraSafe Czech Republic s.r.o.

Klimentská 46

Prague 1, 11002

Czech Republic

VeraSafe Ireland Ltd

Unit 3D North Point House, 

North Point Business Park, 

New Mallow Road, Cork T23AT2P, Ireland

 

Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/


 

 

Exhibit A

Details of Processing

  1. Subject Matter

The subject matter of the Processing of Personal Data pertains to the provision of the Emergenetics services under the Services Agreement.

 

  2. Duration

The duration of the Processing of Personal Data is generally determined by the Services Agreement and is further subject to the terms of Section 1 of this Addendum.

 

  3. Nature and Purpose

The nature and purpose of the Processing of Personal Data pertains to the provision of the Emergenetics services under the Services Agreement.

  4. Data Subjects

The Personal Data transferred concern the following categories of Data Subjects:

The Personal Data transferred typically concern the individuals being evaluated or assessed via the Emergenetics Platform.

 

  5. Categories of Personal Data

The Personal Data transferred typically concern the following categories of data:

Personal Data typically include biographical data, contact data, professional data, and learning/management and personality styles preferences.

 

  6. Special categories of Personal Data (if appropriate)

No special categories of Personal Data are Processed.

 

  7. Processing Operations

The Processing activities to which the Personal Data will be subject:

Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction for the purpose of providing the Emergenetics services in accordance with the terms of the Services Agreement.

 

  8. Further Processing

The Parties shall not carry out further Processing on Personal Data.

 

 

  9. Frequency of the Transfer

The frequency of the transfer of Personal Data is outlined in the Services Agreement between the Parties.

 

  10. Maximum Retention of Personal Data

The retention period of Personal Data is outlined in this Addendum and the Services Agreement between the Parties.


 

Exhibit B

 

Jurisdiction Specific Terms

1.     European Economic Area

 

1.1.  Definitions.

a)     "2021 EU Standard Contractual Clauses" means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

b)     "European Economic Area" ("EEA") means the EU Member States, and Iceland, Liechtenstein, and Norway.

c)     "Restricted Transfer of EEA Personal Data" (as used in this Section) means any transfer of Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to a Third Country (as defined below) or an international organization (including data storage on foreign servers).

d)     "Standard Contractual Clauses" (as used in the Addendum) includes the 2021 EU Standard Contractual Clauses.

e)     "Third Country" means a country outside of the EEA.

1.2.  Restricted Transfers of EEA Personal Data.

a)     With regard to any Restricted Transfer of EEA Personal Data from one Party to the other, within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

                  (i) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection.

(ii) Emergenetics' certification to any successor to the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an "appropriate safeguard" pursuant to the GDPR), provided that the Services are covered by the certification.

(iii) The 2021 EU Standard Contractual Clauses (insofar as their use constitutes an "appropriate safeguard" under Article 46 of the GDPR).

(iv) Any other lawful data transfer mechanism, as laid down in the GDPR, as the case may be.

b)     This Addendum hereby incorporates by reference the 2021 EU Standard Contractual Clauses (which may be updated from time to time if required by law or at the choice of Emergenetics to reflect the latest version adopted by the European Commission), provided that the content of the annexes of the 2021 EU Standard Contractual Clauses is set forth in Exhibit A to this Addendum. The Parties are deemed to have accepted, executed, and signed the 2021 EU Standard Contractual Clauses where necessary in their entirety (including the annexes thereto). For the purpose of the 2021 EU Standard Contractual Clauses and this Section 1:

                  (i) When Emergenetics is the "data importer" the Client shall be the "data exporter" and when Emergenetics is the "data exporter" the Client shall be the "data importer".

                  (ii) The Parties agree to apply module one of the 2021 EU Standard Contractual Clauses.

                  (iii) The Parties elect not to include Clause 7 of the 2021 EU Standard Contractual Clauses.

                  (iv) With respect to Clause 11, the Parties agree not to provide the right to lodge a complaint with an independent dispute resolution body.

                  (v) With respect to Clause 13 and Annex I.C, the competent supervisory authority is the Data Protection Commission (Ireland).

                  (vi) With respect to Clause 17 of the 2021 EU Standard Contractual Clauses, the Parties select, under Option 1, the law of the Republic of Ireland.

                  (vii) With respect to Clause 18 of the 2021 EU Standard Contractual Clauses, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.

                  (viii) The additional safeguards identified in Exhibit C supplement the 2021 EU Standard Contractual Clauses.

                  (ix) In cases where the 2021 EU Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the 2021 EU Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail.

 

 

2.     Switzerland

 

2.1.  Definitions

a)     "2004 EU Standard Contractual Clauses" (as used in the Addendum and this Section) means the contractual clauses adopted by Decision of the European Commission C(2004)5721 for the purpose of adducing adequate protection of Personal Data transferred from a Data Controller to a Data Controller established in a Third Country, where the legislation in such third country has not been deemed to provide an adequate level of data protection.

b)     "Applicable Laws" (as used in the Addendum) includes the Federal Act on Data Protection of 19 June 1992 ("FADP") and the Ordinance to the Federal Act on Data Protection ("OFADP"), as may be amended from time to time.

c)     "Data Controller" (as used in the Addendum) includes "Controller of the Data File" as defined under the FADP.

d)     "Personal Data" (as used in the Addendum) includes "Personal Data" as defined under the FADP.

e)     "Processing" (as used in the Addendum) includes "Processing" as defined under the FADP.

f)      "Restricted Transfer of Swiss Personal Data" (as used in this Section) means any transfer of Personal Data (including data storage in foreign servers) subject to the FADP to a Third Country or an international organization.

g)     "Standard Contractual Clauses" (as used in the Addendum) includes the 2004 EU Standard Contractual Clauses.

h)     "Supervisory Authority" (as used in the Addendum) includes the Federal Data Protection and Information Commissioner.

i)       "Third Country" means a country outside of the Swiss Confederation.

2.2.  Restricted Transfer of Swiss Personal Data.

a)     With regard to any Restricted Transfer of Swiss Personal Data from one Party to the other within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

 

(i)     The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Personal Data within the meaning of the FADP.

 

(ii)   Emergenetics' certification to any successor to the Swiss-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an "appropriate safeguard" pursuant to the FADP and the OFADP, as the case may be), provided that the Services are covered by the self-certification.

 

(iii)  The 2021 EU Standard Contractual Clauses (insofar as their use constitutes an "appropriate safeguard" under Article 6.2 (a) of the FADP).

 

(iv)  Any other lawful transfer mechanism, as laid down in the Applicable Laws, as the case may be.

 

b)     This Addendum hereby incorporates by reference the 2004 EU Standard Contractual Clauses (updated from time to time if required by law or at the choice of Emergenetics to reflect the latest version adopted by the European Commission). The Parties are deemed to have accepted, executed, and signed the 2004 EU Standard Contractual Clauses where necessary in their entirety. Each Party acting as a data importer elects Clause II(h)(iii) as its choice pursuant to Clause II(h) of the 2004 EU Standard Contractual Clauses.

 

c)     In cases where the 2004 EU Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the 2004 EU Standard Contractual Clauses, the terms of the 2004 EU Standard Contractual Clauses shall prevail.

 

d)     Where the 2004 EU Standard Contractual Clauses apply, the Client shall inform the Federal Data Protection and Information Commissioner about the use of the Standard Contractual Clauses.

3.     United Kingdom

 

3.1.  Definitions.

 

a)     "2004 EU Standard Contractual Clauses" (as used in the Addendum and this Section) means the contractual clauses adopted by Decision of the European Commission C(2004)5721 for the purpose of adducing adequate protection of Personal Data transferred from a Data Controller to a Data Controller established in a Third Country, where the legislation in such third country has not been deemed to provide an adequate level of data protection.

b)     "Applicable Laws" (as used in the Addendum) includes the Data Protection Act 2018 and, when in full force and effect, the UK GDPR (as defined below).

c)     "Standard Contractual Clauses" (as used in the Addendum) includes the 2004 EU Standard Contractual Clauses.

d)     "Third Country" (as used in this Section) means a country outside of the UK.

e)     "UK GDPR" (as used in this Section) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 "on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)" as amended, adopted, and forming part of the law of England, Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

f)      "UK Restricted Transfer" (as used in this Section) includes any transfer of Personal Data (including data storage in foreign servers) subject to the UK GDPR to a Third Country or an international organization.

3.2.  UK Restricted Transfers:

a)     With regard to any UK Restricted Transfer from one Party to the other within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

                  (i) A valid adequacy decision pursuant to the requirements under the UK GDPR and the Data Protection Act 2018 that provides that the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred, ensures an adequate level of data protection.

                  (ii) Emergenetics' certification to any successor to the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an "appropriate safeguard" pursuant to the UK GDPR and the Data Protection Act 2018, as the case may be), provided that the Services are covered by the self-certification.

                  (iii) The 2004 EU Standard Contractual Clauses (insofar as their use constitutes an "appropriate safeguard" under the UK GDPR and the Data Protection Act 2018).

                  (iv) Any other lawful basis, as laid down in the UK GDPR and the Data Protection Act 2018, as the case may be.

b)     This Addendum hereby incorporates by reference the 2004 EU Standard Contractual Clauses (updated from time to time if required by law or at the choice of Emergenetics to reflect the latest version adopted by the European Commission). The Parties are deemed to have accepted, executed, and signed the EU 2004 Controller Standard Contractual Clauses where necessary in their entirety. Each Party acting as a data importer elects Clause II(h)(iii) as its choice pursuant to Clause II(h) of the EU 2004 Controller Standard Contractual Clauses.

In cases where the 2004 EU Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the 2004 EU Standard Contractual Clauses, the terms of the 2004 EU Standard Contractual Clauses shall prevail.

Exhibit C

Supplemental Clauses to the Standard Contractual Clauses

  2. By this Exhibit C (this "Exhibit"), the Parties provide additional safeguards and additional redress to the Data Subjects to whom Personal Data transferred pursuant to the Standard Contractual Clauses relates. This Exhibit supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted Transfer.

  3. Applicability of this Exhibit. This Exhibit only applies with respect to Restricted Transfers when the Parties have concluded the Standard Contractual Clauses pursuant to the Addendum.

  4. Definitions. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:

a)     "Data Importer" and "Data Exporter" shall have the same meaning assigned to them in the Standard Contractual Clauses concluded by the Parties.

b)     "EO 12333" means U.S. Executive Order 12333.

c)     "FISA" means the U.S. Foreign Intelligence Surveillance Act.

d)     "Schrems II Judgment" means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.

  5. Applicability of Surveillance Laws to Data Importer and its Contracted Processors

a)     The Data Importer represents and warrants that, as of the date of this Addendum, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II Judgment.

b)     Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:

    i.     No court has found Data Importer to be an entity eligible to receive process issued under FISA Section 702, namely (i) an "electronic communication service provider" within the meaning of 50 U.S.C. § 1881(b)(4); or (ii) a member of any of the categories of entities described within that definition.

    ii.     If Data Importer were to be found eligible for FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II Judgment.

c)     EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information, and Data Importer shall take no action pursuant to EO 12333.

d)     Data Importer commits to provide, upon request, information about the laws and regulations in the destination countries of the transferred data applicable to Data Importer and the Data Processors directly contracted by Data Importer that would permit access by public authorities to the transferred Personal Data, in particular in the areas of intelligence, law enforcement, and administrative and regulatory supervision applicable to the transferred data. In the absence of laws governing the public authorities' access to data, Data Importer shall provide Data Exporter with information and statistics based on the experience of the Data Importer or on reports from various sources (such as partners, open sources, national case law, and decisions from oversight bodies) on access by public authorities to Personal Data in situations similar to the data transfer at hand. Data Importer may choose the means by which it provides the information referred to in this Section 5(d).

e)     Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the Standard Contractual Clauses and this Exhibit, and promptly inform Data Exporter of any such changes and developments. When possible, Data Importer shall inform Data Exporter of any such changes and developments ahead of their implementation.

  6. Obligation on the Data Importer Related to Orders for Compelled Disclosure of Personal Data. In the event Data Importer receives an order from any third party for compelled disclosure of any Personal Data that has been transferred under the Standard Contractual Clauses, Data Importer shall:

a)     Promptly notify the Data Exporter, unless prohibited by law, or, if prohibited from notifying the Data Exporter, use all lawful efforts to obtain the right to waive the prohibition in order to communicate information relating to the order to the Data Exporter as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the order with the safeguards contained in the Standard Contractual Clauses and the resulting conflict of obligations for Data Importer, and documenting this communication.

b)     Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable EEA Member State law or any other Applicable Laws. For the purpose of this Exhibit, lawful efforts do not include actions that would result in civil or criminal penalties, such as contempt of court under the laws of the relevant jurisdiction.

c)     Seek interim measures with a view to suspending the effects of the order until the competent court has decided on the merits.

d)     Not disclose the requested Personal Data until required to do so under the applicable procedural rules.

e)     Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.

  7. Redirection of the Request to the Data Exporter. Unless prohibited under the law applicable to the requesting third party, Data Importer shall use every reasonable effort to redirect the third party requesting the disclosure of any Personal Data subject to the Standard Contractual Clauses that has been transferred to Data Importer to instead request the data directly from Data Exporter.

  8. Information on Requests of Access to Personal Data by Public Authorities. Data Importer commits to provide Data Exporter with sufficiently detailed information on all requests of access to Personal Data by public authorities which the Data Importer has received over a specified period of time (if any), in particular in the areas of intelligence, law enforcement, and administrative and regulatory supervision applicable to the transferred Personal Data, comprising information about the requests received, the data requested, the requesting body, the legal basis for disclosure, and to what extent the Data Importer has disclosed the requested Personal Data.

  9. Backdoors

a)     Data Importer certifies that:

    i.     It has not purposefully created back doors or similar programming that could be used to access Personal Data subject to the Standard Contractual Clauses;

    ii.     It has not purposefully created or changed its business processes in a manner that facilitates access to Personal Data; and

    iii.     National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Personal Data or systems.

b)     Data Exporter will be entitled to terminate the contract on short notice in those cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these, or fails to promptly inform Data Exporter once their existence comes to its knowledge.

  10. Information About Legal Prohibitions. Data Importer will provide the Data Exporter information about the legal prohibitions on Data Importer to provide information under Sections 6 through 8 of this Exhibit. Data Importer may choose the means to provide this information.

  11. Other Measures to Prevent Authorities from Accessing Personal Data. Notwithstanding the application of the security measures set forth in the Addendum, Data Importer shall implement the following technical, organizational, administrative, and physical measures designed to protect the transferred Personal Data from unauthorized disclosure or access:

a)     Encryption of the transferred Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;

b)     Encryption at rest within the Data Importer's software applications using a minimum of AES-256;

c)     Active monitoring and logging of network and database activity for potential security events, including intrusion;

d)     Regular scanning and monitoring of Data Importer's software applications and IT systems for vulnerabilities and for any unauthorized software;

e)     Restriction of physical and logical access to IT systems that Process transferred Personal Data to those officially authorized persons with an identified need for such access;

f)      Firewall protection of external points of connectivity in Data Importer's network architecture;

g)     Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Data Importer; and

h)     Internal policies establishing that:

    i.     Where Data Importer is prohibited by law from notifying Data Exporter of an order from a public authority for transferred Personal Data, the Data Importer shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent supervisory authorities;

    ii.     Data Importer must require an official, signed document issued pursuant to the Applicable Laws of the requesting third party before it will consider a request for access to transferred Personal Data;

    iii.     Data Importer's compliance team shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid; and

    iv.     If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request.

  12. Inability to Comply with this Exhibit.

a)     Data Importer shall promptly inform Data Exporter of its inability to comply with the Standard Contractual Clauses and this Exhibit.

b)     If Data Importer determines that it is no longer able to comply with its contractual commitments under this Exhibit, Data Exporter can swiftly suspend the transfer of data and/or terminate the Services Agreement.

c)     If Data Importer determines that it is no longer able to comply with the Standard Contractual Clauses or this Exhibit, Data Importer shall return or delete the Personal Data received in reliance on the Standard Contractual Clauses. If returning or deleting the Personal Data received is not possible, Data Importer must securely encrypt the data without necessarily waiting for Data Exporter's instructions.

d)     Data Importer shall provide the Data Exporter with sufficient indications to exercise its duty to suspend or end the transfer and/or terminate the contract.

  13. Termination. This Exhibit shall automatically terminate if the European Commission, a competent Member State supervisory authority, or an EEA or competent Member State court approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (and, if such mechanism applies only to some of the data transfers, this Addendum will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Addendum.