Marketing 360 Data Processing Agreement

This Marketing 360 Data Processing Agreement ("DPA"), including the Standard Contractual Clauses adopted by the European Commission as applicable, reflects the parties' agreement with respect to the terms governing the Processing of Personal Data under your Marketing 360 Service Agreement and the Marketing 360 Terms of Service (the "Agreement"). This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement. Upon incorporation, the DPA will form a part of the Agreement.

The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.

1. Definitions and Interpretation

1.1 Definitions

"Authorized Persons" means the persons or categories of persons that the Client authorizes to give Processor personal data processing instructions.

"Business Purpose" means the services described in the Agreement.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended or replaced from time to time.

"Personal Data" (also referred to as "Personal Information") means any information relating to an identified or identifiable natural person that Processor processes for the Client, or that the relevant Privacy and Data Protection Requirements otherwise define as protected personal data.

"Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

"Privacy and Data Protection Requirements" means all applicable laws and regulations relating to the processing, protection, or privacy of Personal Data, including without limitation the GDPR, the UK GDPR (as defined in the UK Data Protection Act 2018), the Swiss Federal Act on Data Protection, applicable EU Member State implementing legislation, U.S. state privacy laws (including the CCPA/CPRA and Colorado CPA), and guidance issued by competent supervisory authorities, as amended, repealed, consolidated, or replaced from time to time.

"Security Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2: Controller to Processor), a completed copy of which comprises Appendix B.

"Sub-Processor" means any Processor engaged by Madwire to process Personal Data on behalf of the Controller.

"Supervisory Authority" means an independent public authority established pursuant to Article 51 GDPR, or equivalent authority under applicable Privacy and Data Protection Requirements.

"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under S119A(1) of the Data Protection Act 2018, as updated from time to time.

1.2

This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.

1.3

The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA.

2. Personal Data Types and Processing Purposes

2.1 Categories of Data Subjects

Client's contacts and other end users including Client's employees, contractors, collaborators, customers, leads, suppliers, and subcontractors.

2.2 Types of Personal Data

Contact information (the extent of which is determined by Client in its sole discretion), navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Subscription Service.

2.3 Subject-Matter and Nature of Processing

The subject-matter of Processing by Processor is the provision of services to the Controller that involves the Processing of Personal Data as specified in the Agreement. Controller retains control of Personal Data and remains responsible for its compliance obligations under applicable Privacy and Data Protection Requirements, including providing required notices and obtaining required consents, and for the processing instructions it gives to Processor.

2.4 Purpose of Processing

Personal Data will be Processed for purposes of providing the services set out in the Agreement and any applicable Order. Controller represents and warrants that it has identified and relies upon a valid lawful basis under Article 6 GDPR (and, where applicable, Article 9 GDPR for special categories) for each Processing activity, and shall document such bases in its own records of processing activities as required by Article 30 GDPR.

2.5 Duration of Processing

Personal Data will be Processed for the duration of the Agreement, subject to Section 5 of this DPA.

3. Controller Obligations

Client is the data Controller for purposes of Privacy and Data Protection Requirements. Controller shall be solely responsible for complying with applicable requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to Processor. For the avoidance of doubt, Controller's instructions for Processing shall comply with the GDPR and all other applicable Privacy and Data Protection Requirements.

This DPA constitutes Client's complete instruction to Madwire in relation to Personal Data; additional instructions outside the scope of this DPA require prior written consent between the parties.

Client will ensure that it has all necessary consents, notices, and lawful bases in place to enable lawful transfer of Personal Data to Processor for the duration and purposes of this Agreement.

Controller shall promptly inform Processor about any errors or irregularities related to statutory provisions on the Processing of Personal Data.

Data Protection Impact Assessments. Where required under Article 35 GDPR, Controller is responsible for conducting Data Protection Impact Assessments (DPIAs). Processor shall provide reasonable cooperation and information to Controller in connection with any DPIA upon Controller's reasonable written request, at Controller's cost.

4. Processor's Obligations

The parties acknowledge and agree that Client is the Controller of Personal Data and Marketing 360 is the Processor.

4.1 Limitation

Processor will only Process Personal Data to the extent, and in such manner, as is necessary for the Business Purposes in accordance with Controller's documented instructions. Processor will not Process Personal Data for any other purpose or in a way that does not comply with this DPA or applicable Privacy and Data Protection Requirements. Processor must promptly notify Controller if, in Processor's reasonable opinion, a Controller instruction would violate applicable Privacy and Data Protection Requirements.

Data Minimization and Purpose Limitation. Processor shall ensure that Personal Data collected and processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) GDPR), and shall not process Personal Data for purposes incompatible with those specified by Controller (Article 5(1)(b) GDPR).

4.2 Security

Processor will maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:

  • pseudonymisation and encryption of Personal Data;

  • the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • the ability to restore availability and access to Personal Data in a timely manner following a physical or technical incident;

  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

4.3 Personnel

Processor shall ensure that all personnel who have access to and/or process Personal Data are subject to binding confidentiality obligations and have received appropriate data protection training. Access to Personal Data shall be limited to those personnel for whom access is necessary for the performance of the Agreement.

4.4 Assistance

Processor shall provide reasonable assistance to Controller, at Controller's cost, in responding to any request from a Data Subject and in ensuring compliance with Controller's obligations under applicable Privacy and Data Protection Requirements with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.

4.5 Personal Data Breaches

Processor will notify Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of a Security Breach, to enable Controller to meet its obligations under Article 33 GDPR (72-hour notification to supervisory authority) and Article 34 GDPR (notification to Data Subjects where required). Such notification shall include, to the extent available:

  • a description of the nature of the Security Breach, including categories and approximate number of Data Subjects and Personal Data records affected;

  • the name and contact details of the data protection officer or other relevant contact point;

  • a description of the likely consequences of the Security Breach;

  • a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

Processor shall cooperate with Controller and take such steps as are reasonably directed by Controller to assist in investigating, mitigating, and remediating any Security Breach.

4.6 Data Subject Rights

Processor shall, to the extent legally permitted, promptly (and in any event within 5 business days) notify Controller if it receives a request from a Data Subject exercising their rights under applicable Privacy and Data Protection Requirements (including rights of access, rectification, erasure, restriction, portability, and objection). Processor shall not respond to any such request without Controller's prior written authorisation, except to inform the Data Subject that the request has been referred to Controller.

At Controller's written direction, Processor shall delete or return Personal Data and copies thereof to Controller upon termination of the Agreement, unless retention is required by applicable law.

4.7 Records of Processing Activities

Processor shall maintain complete and accurate records of all categories of Processing activities carried out on behalf of Controller, as required under Article 30(2) GDPR, and shall make such records available to Controller or any supervisory authority upon request.

4.8 Sub-Processors

Processor shall be entitled to engage Sub-Processors only with Controller's prior written consent. Controller hereby provides general written consent to the engagement of Sub-Processors listed in Appendix C, and consents to Processor's affiliated companies acting as Sub-Processors for the Business Purposes. This constitutes prior written consent for purposes of the SCCs.

If Processor intends to appoint a new or replacement Sub-Processor not listed in Appendix C, Processor will provide Controller with at least 30 days' prior written notice (email to Controller's address on record is sufficient). Controller may object within that 30-day period on reasonable grounds relating to data protection. If the parties cannot resolve the objection, either party may terminate the Agreement, and Controller shall receive a refund of prepaid but unused fees for the period following termination.

Where Processor engages Sub-Processors, Processor will enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA, including the SCCs where required. Processor remains fully liable to Controller for any failure by a Sub-Processor to fulfil its data protection obligations.

Processor shall keep an up-to-date list of Sub-Processors, available to Controller upon request, and shall grant Controller the right to audit Sub-Processors' data protection compliance through Processor, including by obtaining copies of relevant Sub-Processor agreements (with commercial terms redacted).

4.9 International Data Transfers

Controller acknowledges that, in connection with the performance of the services, Personal Data will be transferred to Madwire, LLC in the United States. All transfers of Personal Data from the European Economic Area (EEA) to the United States shall be conducted pursuant to the 2021 Standard Contractual Clauses (Module 2: Controller to Processor) set out in Appendix B.

UK Transfers. For transfers of Personal Data from the United Kingdom, the parties shall comply with the UK Addendum to the SCCs, incorporated as Appendix B-UK, which shall take precedence over the SCCs to the extent of any conflict.

Swiss Transfers. For transfers of Personal Data from Switzerland, the parties agree that the SCCs shall apply with such modifications as are necessary to comply with the Swiss Federal Act on Data Protection (FADP), including substituting references to EU Member State law with references to Swiss law and references to supervisory authority with the Swiss Federal Data Protection and Information Commissioner (FDPIC).

4.10 Deletion or Return of Personal Data

Following termination or expiry of the Agreement, and unless otherwise required by applicable law, Processor will (at Controller's election) either securely delete or return all Personal Data (including copies thereof) processed pursuant to this DPA within 30 days of termination. Processor shall provide written certification of deletion upon Controller's request. Where Processor is required by law to retain Personal Data, Processor will notify Controller, limit Processing to what is strictly required by such law, and ensure Personal Data is blocked from any further Processing.

4.11 Data Protection Officer

Madwire, LLC has appointed a Data Protection Officer. The appointed person may be reached at: privacy@madwire.com.

4.12 Audits

Controller may, upon reasonable written notice (not less than 30 days except in the event of a confirmed Security Breach), audit Processor's technical and organisational measures no more than once per calendar year, or at any time following a confirmed Security Breach. Audits shall be conducted during regular business hours and in a manner that minimises disruption to Processor's operations. Processor may satisfy the audit right by providing an up-to-date third-party certification or audit report (e.g., SOC 2 Type II, ISO 27001) unless Controller reasonably demonstrates that such report is insufficient.

5. Term and Termination

5.1

This DPA will remain in full force and effect so long as the Agreement remains in effect or Processor retains any Personal Data related to the Agreement.

5.2

Any provision of this DPA that expressly or by implication should come into or continue in force following termination shall remain in full force and effect.

6. Limitation of Liability

Each party's and all of its affiliates' aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the "Limitation of Liability" section of the Agreement. Nothing in this DPA shall limit either party's liability to Data Subjects under the SCCs, nor any liability that cannot be limited under applicable law, including liability for gross negligence or willful misconduct.

Signatures

Client

By: _________________________

Name: _________________________

Title: _________________________

Date: _________________________

Madwire, LLC d/b/a Marketing 360

By: _________________________

Name: Brian Kelly

Title: General Counsel

Date: _________________________

APPENDIX A – Personal Data Processing Details

Business Purposes: Marketing 360 will process Personal Data to perform the Service pursuant to the Agreement and as further instructed by Client.

Duration of Processing: For the duration of the Agreement, subject to Section 4.10.

Data Subject Types: Client may submit Personal Data to the Services relating to the following categories of data subjects: prospects, customers, business partners and vendors of Client (who are natural persons); employees or contact persons of Client's prospects, customers, business partners and vendors; employees, agents, advisors, and freelancers of Client (who are natural persons); and Client's authorised users of the Services.

Personal Data Categories: Client may submit Personal Data to the Services including, but not limited to: first and last name; title; position; employer; contact information (company, email, phone, physical address); identifier data including IP address; professional life data; personal life data; connection data; and localisation data.

Special Categories of Personal Data: The parties do not anticipate the transfer of special categories of personal data as defined in Article 9 GDPR. If special categories are to be transferred, the parties shall execute a written amendment to this DPA prior to such transfer.

Processing Operations: Provision of the Marketing 360 platform services pursuant to the Agreement.

Transfer Mechanism: Standard Contractual Clauses (EU Commission Implementing Decision 2021/914, Module 2). UK Addendum where applicable.

APPENDIX B – Standard Contractual Clauses

The parties agree to be bound by Module 2 (Transfer controller to processor) of the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are incorporated herein by reference and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914

Module 2 Selections and Specifications:

Clause 7 (Docking clause): The docking clause shall apply.

Clause 9 (Use of sub-processors): Option 2 – General written authorisation applies. The time period for prior notice of sub-processor changes is 30 days.

Clause 11 (Redress): The optional language regarding independent dispute resolution shall not apply.

Clause 13 (Supervision): The supervisory authority shall be the authority of the EU Member State in which the data exporter (Client) is established, or, where Client is not established in the EU, the Irish Data Protection Commission shall act as competent supervisory authority.

Clause 17 (Governing law): The SCCs shall be governed by the law of Ireland.

Clause 18 (Choice of forum and jurisdiction): Disputes shall be resolved before the courts of Ireland.

Annex I.A (List of parties): As set forth in the signature block of this DPA.

Annex I.B (Description of transfer): As set forth in Appendix A of this DPA.

Annex I.C (Competent supervisory authority): Irish Data Protection Commission (or the authority of the Member State in which the Controller is established, if applicable).

Annex II (Technical and organisational measures): Processor's technical and organisational security measures include: encryption in transit (TLS 1.2+) and at rest; access controls and role-based permissions; regular vulnerability assessments; incident response procedures; employee security training; and a SOC 2 compliance program. Full details are available upon request.

APPENDIX B-UK – UK International Data Transfer Addendum

For transfers of Personal Data from the United Kingdom, the parties agree to be bound by the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office (Version B1.0, in force 21 March 2022), incorporated herein by reference and available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf

Table 1 – Parties: As set out in the signature block of this DPA.

Table 2 – Selected SCCs, Modules and Selected Clauses: The EU SCCs, Module 2, as set out in Appendix B, with the selections specified therein.

Table 3 – Appendix Information: Annex I.A, Annex I.B, Annex I.C, and Annex II as specified in Appendix B.

Table 4 – Ending the Addendum when the Approved Addendum Changes: Either party may end the UK Addendum as set out in Section 19 of the UK Addendum.

APPENDIX C – List of Approved Sub-Processors

Amazon Web Services, Inc. provides cloud infrastructure hosting services and is located in the United States.

Google LLC provides analytics, cloud services, and advertising infrastructure and is located in the United States.

Meta Platforms, Inc. provides social media advertising integrations and is located in the United States.

Twilio, Inc. provides SMS and voice communications services and is located in the United States.

Campaign Monitor Pty Ltd provides email delivery services and is located in Australia and the United States.

Bandwidth Inc. provides voice and messaging services and is located in the United States.

Zapier Inc. provides workflow automation integrations and is located in the United States.

Confluent, Inc. provides data streaming infrastructure and is located in the United States.

Mixpanel, Inc. provides product analytics services and is located in the United States.

This list will be updated by Processor with 30 days' prior notice to Controller before any new Sub-Processor is added. The current list is maintained here or is available upon written request to privacy@madwire.com.
