This Data Protection Addendum (“DPA”) forms part of the Master Subscription Agreement between Aryaka and Customer (as applicable, the “Agreement”) under which Aryaka provides the Services to Customer. Capitalized terms used but not defined in this DPA shall have the meaning as set forth in the Agreement.
- 1. DEFINITIONS
- 1.1 “Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
- 1.2 “Data Protection Laws” means all laws applicable to the respective Party’s Processing of Personal Data.
- 1.3 “Data Subject” means any individual about whom Personal Data may be Processed under this DPA.
- 1.4 “Personal Data” means information that relates to an identified or identifiable natural person that is provided by the Customer to the Services.
- 1.5 “Process” or “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
- 1.6 “Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- 2. Relationship between the Parties. Customer and Aryaka have entered into an Agreement for Services. The Parties acknowledge that Customer is a Controller for purposes of the Agreement and Aryaka is a Processor. The Parties will Process Personal Data in accordance with the Agreement and applicable Data Protection Laws.
- 3. Customer Obligations. Customer will provide only Personal Data that is adequate, relevant, and reasonably necessary for Aryaka to perform the Services. Customer represents and warrants that its collection of Personal Data and disclosure to Aryaka complies with all applicable Data Protection Laws.
- 4. Instructions. Aryaka will Process the Personal Data only (i) in accordance with the Customer’s instructions as documented in the Agreement and further described in Annex IB; and (ii) as needed to comply with applicable law, provided that Aryaka shall not be required to act on any Customer instruction that could (in the reasonable opinion of Aryaka) cause Aryaka to breach applicable law. Aryaka will inform Customer if it believes that any Customer instructions regarding Personal Data Processing would violate applicable Data Protection Law.
- 5. Security. Aryaka will take reasonable steps to implement appropriate technical and organizational measures designed to protect Personal Data against anticipated threats or hazards to its security, confidentiality, or integrity. Aryaka will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 6. Data Breach. Aryaka will notify Customer without undue delay whenever Aryaka learns that there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed (each, a “Data Breach”), unless prohibited by applicable law or otherwise instructed by law enforcement or a supervisory authority. Taking into account the nature of Processing and the information available to Aryaka, Aryaka will take reasonable steps to assist the Customer at Customer’s reasonable request in complying with the Customer’s notification obligations regarding data breaches as required by applicable law. Aryaka reserves the right to charge a reasonable fee to Customer for any requested assistance.
- 7. Return or Disposal. Within 30 days of termination of the Agreement, Customer may request that Aryaka destroy or return all Personal Data to Customer, unless applicable law requires storage of the Personal Data by Aryaka.
- 8. Audits; Inquiries. Upon Customer’s reasonable request (to be exercised no more than once a year, unless required more frequently by a supervisory authority) Aryaka will promptly make available to Customer all information in its possession necessary to demonstrate Aryaka’s compliance with its obligations under this DPA and will allow for and contribute to reasonable audits. All information provided will be Aryaka’s Confidential Information and may not be disclosed without Aryaka’s prior written consent, except as required by applicable law.
- 9. Subcontracting. Customer authorizes Aryaka to transfer Personal Data to sub-processors for purposes of providing the Services to Customer. Aryaka will maintain a list of the sub-processors. A current list of sub-processors is included in Annex III. Aryaka will provide Customer 14 days’ prior notice when adding a sub-processor to this list and the opportunity to object to such addition. If Aryaka does not receive an objection within 14 days of the notice, the sub-processor is deemed to be accepted by Customer. Aryaka will enter into an agreement with such sub-processor that includes data protection terms similar to this DPA.
- 10. Aryaka Assistance. At Customer’s reasonable request and taking into account the nature of the Processing, Aryaka will take reasonable steps to assist Customer with Customer’s obligation to respond to Data Subjects’ requests to exercise their rights under applicable law by taking appropriate technical and organizational measures. Taking into account the nature of the Processing and the information available to Aryaka, Aryaka also will assist Customer at Customer’s reasonable request in meeting its compliance obligations regarding carrying out data protection impact assessments and related consultations of supervisory authorities. Aryaka reserves the right to charge a reasonable fee to Customer for such requested assistance.
- 11. California Consumer Privacy Act (CCPA) Provisions.
- 11.1 Legal Compliance. Aryaka will provide the same level of privacy protection for Personal Data of California residents as required of Customer under the CCPA. Aryaka will notify Customer in writing if Aryaka determines that it can no longer meet its obligations under the CCPA. Customer has the right, upon providing notice to Aryaka, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including where Aryaka has notified Customer that it can no longer meet its CCPA obligations.
- 11.2 Restriction on Processing. In no event may Aryaka: (a) disclose Personal Data of California residents to a third party for monetary or other valuable consideration or disclose Personal Data to a third party for cross-context behavioral advertising; (b) disclose Personal Data of California residents to any third party for the commercial benefit of Aryaka or any third party; (c) retain, use, or disclose Personal Data of California residents outside of Aryaka’s direct business relationship with Customer or for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by applicable laws; or (d) combine Personal Data of California residents with personal information that Aryaka receives from, or on behalf of, other persons, or collects from its own interaction with the Data Subject, except as permitted under applicable laws. Aryaka certifies that it understands and will comply with the foregoing restrictions.
- 12. Data Transfers
- 12.1 Restricted Transfers of Personal Data Subject to GDPR. The EU Standard Contractual Clauses (Module 2 Controller to Processor) ((EU) 2021/914) available at [www.aryaka.com/SCC2021-Controller-to-Processor/] (“EU SCCs”), and incorporated herein by reference, together with the attached Annexes I and II will apply to any transfer of Personal Data that is subject to the EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”). Notwithstanding the foregoing, the EU SCCs will not apply to the extent the transfer is covered by (i) a decision adopted by a competent authority with jurisdiction over Customer declaring that a jurisdiction meets an adequate level of protection of Personal Data (an “Adequacy Decision”).
- 12.1.1 In Clause 9, the parties agree that Option 2 will apply in accordance with Section [9] (Subcontracting).
- 12.1.2 The optional language in Clause 11 is excluded.
- 12.1.3 In Clause 17, the EU SCCs will be governed by the laws of the Netherlands.
- 12.1.4 In Clause 18, any dispute arising from the EU SCCs will be resolved by the courts of the Netherlands.
- 12.1.5 In Annex IC, the data protection authority where Customer is located is the competent supervisory authority.
- 12.2 Restricted Transfers from Switzerland. The EU SCCs, as modified in this section, will apply to any transfer of Personal Data that is subject to the Swiss Federal Act on Data Protection (FADP) and is not otherwise subject to an Adequacy Decision:
- 12.2.1 The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
- 12.2.2 References in the EU SCCs to the GDPR are to be understood as references to the FADP.
- 12.2.3 In Clause 17, the EU SCCs will be governed by the laws of Switzerland.
- 12.2.4 In Annex IC, the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.
- 12.3 Restricted Transfers from the United Kingdom. Where the transfer of Personal Data is subject to the laws of the United Kingdom (including the UK General Data Protection Regulation) and is not otherwise subject to an Adequacy Decision, the parties agree:
- 12.3.1 The provisions of the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”), including Part 2 ‘Mandatory Clauses’, are herein incorporated by reference and shall apply in full;
- 12.3.2 In Table 1 of the UK Addendum, the names of the parties, their roles and their details shall be set out in the attached Annex 1;
- 12.3.3 In Tables 2 and 3 of the UK Addendum, Module 2 of the EU SCCs incorporated into this DPA by reference, including the information set out in the attached Annexes, shall apply; and
- 12.3.4 In Table 4 of the UK Addendum, either party may end the UK Addendum.
- 13. CONFLICTS; ENFORCEABILITY. If any provision of this DPA is held to be invalid or unenforceable by any court of competent jurisdiction, such holding will not invalidate or render unenforceable any other provision of this DPA or any other contract between Customer and Aryaka. This DPA supplements the Agreement. This DPA will control in the event of any inconsistency between the Agreement and this DPA. Any other provisions of or obligations under the Agreement that are otherwise unaffected by this DPA will remain in full force and effect. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, do not or would not satisfy either party’s obligations under the laws applicable to each party, the parties will negotiate in good faith upon an appropriate amendment to this DPA.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: See Order Form between Customer and Aryaka.
Address: See Order Form between Customer and Aryaka.
Contact person’s name, position and contact details: See Order Form between Customer and Aryaka.
Activities relevant to the data transferred under these Clauses: See Agreement between Customer and Aryaka.
Signature and date: ————-
Role (controller/processor): Controller
Data importer(s):
Name: Aryaka Networks, Inc.
Address: 3945 Freedom Circle, Tower 1, Suite 1100, Santa Clara, CA 94 USA
Contact person’s name, position, and contact details: Edward Frye, Chief Information Security Officer, [email protected].
Activities relevant to the data transferred under these Clauses: See Agreement between the Parties.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
- Individuals encompassing the Customer’s staff, temporary workers, advisors, and all those affiliated with the Customer’s workforce or who utilize the system and services offered.
- The Customer’s clients, suppliers, partners, vendors, and any third parties from whom the Customer may possess Personal Data.
Categories of personal data transferred:
- Information pertaining to users of the Customer, including their contact details, or any information voluntarily shared with Aryaka through the Services or alternative channels.
- Metadata essential for delivering services tailored to the Customer’s specific environment. This metadata encompasses attributes such as file details, file type, hash values, command line arguments, network access data (comprising IP addresses and protocols), and network-related information (including internal network IP addresses, public IP addresses, and website URL data).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
None in general. However, solely with respect to “Secure Web Gateway” and Firewall services, any sensitive data that may be visible or exposed in Customer’s traffic flowing through the Services is incidental and dependent on the Customer’s use of those services.
The frequency of the transfer: Continuous
Nature of the processing:
Aryaka Security at the Service Edge (SASE) services represent a modernized enterprise network perimeter, realized through a closely integrated combination of network and security software. This system links branch offices, mobile users, as well as physical and cloud-based data centers, ensuring a secure and reliable connection for both the Wide Area Network (WAN) and internet access.
Purpose(s) of the data transfer and further processing:
Provision of the Services to the Customer in accordance with the Agreement and the Order concluded between the parties.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal data will be retained for the period required to perform the Services under the Agreement unless a longer period is required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: See description above.
ANNEX II – SECURITY MEASURES
Aryaka maintains various policies, standards and processes designed to secure Personal Data. Following is a description of some of the core technical and organisational security measures implemented by Aryaka.
Physical Access Controls
Aryaka implements and maintains measures designed to prevent unauthorized persons from gaining physical access to Aryaka locations.
Technical Access Controls
Aryaka implements and maintains measures designed to prevent unauthorized persons from gaining access to Aryaka’s data processing systems, including:
- Hybrid Distributed Denial-of-Service (DDoS) protection integrating detection and mitigation (on-premises or in the cloud) with cloud-based volumetric DDoS attack prevention, and 24×7 Emergency Response Team (ERT) support; and
- Network edge security providing advanced perimeter security solutions that are built into Customer’s Software Defined – Wide Area Network (SD-WAN) appliance.
Data Access Controls
Aryaka implements and maintains measures designed to restrict access to its data processing system to individuals who need such access within the scope and to the extent covered by their respective access permission (authorization).
Job Controls
Aryaka implements and maintains measures designed to ensure that Personal Data being Processed in the performance of the Services for the Customer is Processed solely in accordance with the Agreement.
Availability Controls
Aryaka implements and maintains measures designed to protect Personal Data against disclosure, accidental or unauthorized destruction or loss.
ANNEX III – LIST OF SUB-PROCESSORS
Salesforce:
Use: Customer Relationship Management
Location where instance is resident: United States
Accessed by Aryaka Personnel from: United States, India, Germany, United Kingdom, Canada, Australia, Japan, The Netherlands, South Korea, and Switzerland
NetSuite:
Use: Accounting
Location where instance is resident: United States
Accessed by Aryaka Personnel from: United States and India
Zuora:
Use: Billing
Location where instance is resident: United States
Accessed by Aryaka Personnel from: United States and India
Marketo:
Use: Marketing and Messaging
Location where instance is resident: United States
Accessed by Aryaka Personnel from: United States, United Kingdom, and India