Synthetic Users Data Processing Addendum
This Data Processing Addendum (this "Addendum") supplements and forms part of the terms and conditions between the Customer and the Provider (the "Agreement"). Except as modified below, the terms of the Agreement shall remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is effective as of the Effective Date of the Agreement and will remain in effect until termination of the Agreement or the last Processing of Customer Personal Data carried out by or on behalf of the Customer under the Agreement.
1. Definitions
In this Addendum, the following words and expressions have the following meanings:
"Customer Personal Data" means Personal Data Processed by the Provider as Processor on behalf of the Customer pursuant to the performance of the Agreement.
"Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Supervisory Authority," and "Processing" all have the meanings given to those terms in Data Protection Laws (and related terms such as "Process," "Processes," and "Processed" shall have corresponding meanings); and
"Data Protection Laws" means all laws and regulations relating to data protection and privacy as applicable to the Parties and/or to the Processing of Personal Data under this Agreement, including without limitation: (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the United Kingdom General Data Protection Regulation as defined by the UK Data Protection Act 2018 ("UK GDPR"); (iii) the Swiss Federal Act on Data Protection ("FADP"); (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); (v) applicable federal and state laws and regulations of the United States; and (vi) any other applicable data protection and privacy laws, in each case as amended, supplemented, or replaced from time to time.
"Standard Contractual Clauses" or "SCCs" means: (i) with respect to transfers of Personal Data from the EEA, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); and (ii) with respect to transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office ("UK Addendum").
"Sub-Processor" means another Processor engaged by the Provider for carrying out Processing activities in respect of Customer Personal Data.
2. Data Processing Details and Compliance
2.1 The Parties acknowledge that in respect of Customer Personal Data, the Provider is a Processor Processing Personal Data on behalf of the Customer as Controller. Each Party shall comply with its obligations under Data Protection Laws as they relate to Customer Personal Data.
2.2 Details of Customer Personal Data Processed by Provider under this Agreement are as follows:
a. Subject Matter, Nature, and Purpose of Processing. The Provider's provision of the Services under this Agreement. In particular, providing the Customer with access to the Provider's customer service platform.
b. Duration of Processing. Processing of Customer Personal Data by the Provider shall be for the term of this Agreement and in accordance with the Provider's retention obligations under this Agreement and Addendum, provided that Customer Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed.
c. Personal Data in Scope. Names, Communication details (Email, etc.), Contact details, Job role; Login data; Profile image; Technical details (Device information, IP addresses, cookies, etc.); Customer service-related data (such as but not limited to account information, order information, subscriptions, chat and email messages); and
d. Category of Data Subjects. Customer's end customers; Customer personnel (employees, contractors, etc.), and Customer associated parties.
3. Data Processing Instructions
3.1 The Provider shall Process Customer Personal Data only on the written instructions of the Customer (including as set out in this Agreement) unless the Provider is required to otherwise Process Customer Personal Data by applicable laws of the United States or the State of Delaware. The Provider is hereby instructed to Process Customer Personal Data for the purposes of providing the Services. In the event the Provider is required by applicable laws to Process Customer Personal Data other than in accordance with the Customer's instructions, prior to any such Processing and to the extent permitted by applicable laws, the Provider shall notify the Customer in writing of that legal requirement prior to Processing Customer Personal Data.
3.2 The Provider shall promptly inform the Customer if the Provider becomes aware of a written instruction given by the Customer under this Clause 3 that, in the Provider's reasonable opinion, infringes Data Protection Laws.
4. Provider Personnel and Sub-Processors
4.1 The Provider shall ensure that all Provider personnel authorized to Process Customer Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Data confidential.
4.2 The Customer authorizes the Provider to engage (including the disclosure of Customer Personal Data under this Agreement to such Sub-Processors):
a. the Sub-Processors included in the Sub-Processor list provided to the Customer and set out in our Sub Processor List at subprocessors-data-flow ("Sub-Processor List"); and
b. the Sub-Processors engaged in accordance with Clause 4.3 of this Addendum.
4.3 Where the Provider intends to engage any additional Sub-Processor not already approved on the Sub-Processor List, prior to engaging the Sub-Processor, the Provider shall notify the Customer of the proposed engagement of the Sub-Processor (and provide such information regarding the proposed Sub-Processor as the Customer may reasonably require) giving the Customer the opportunity to object. If the Customer does not make a reasonable objection to the proposed engagement within 14 days of the Provider providing notice to the Customer under this Clause, the Customer is deemed to have authorized the engagement of such Sub-Processor. The Provider shall keep the Sub-Processor List updated.
4.4 Where the Customer raises a reasonable objection to the proposed engagement of a Sub-Processor in accordance with Clause 4.3 of this Addendum, the Provider may, at its option:
a. use its reasonable endeavors to remedy the situation giving rise to the reasonable objection; or
b. propose an alternative Sub-Processor to conduct the relevant Processing in accordance with Clause 4.3 of this Addendum,
provided that, in the event that the Provider is unable to remedy the situation in accordance with Clause 4.4(a) of this Addendum and no alternative Sub-Processor is proposed in accordance with Clause 4.4(b) of this Addendum, then the Provider shall be entitled to terminate the Agreement without penalty or liability effective immediately on written notice to the Customer, and the Customer shall pay the Provider any fees due for the Services performed prior to termination.
4.5 The Provider shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Data, the Sub-Processor has entered into a binding written agreement with the Provider that imposes obligations substantially equivalent to the obligations imposed on the Provider as a Processor under this Agreement. The Provider shall remain fully liable to the Customer for the performance of the Sub-Processor's data protection obligations concerning Customer Personal Data in the event the Sub-Processor fails to fulfill those obligations.
5. International Transfers
5.1 The Provider shall not transfer Customer Personal Data to any country or territory outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland that has not been deemed adequate for the protection of Personal Data by the European Commission, the UK Secretary of State, or the Swiss Federal Data Protection and Information Commissioner (as applicable), unless appropriate safeguards are in place as required under Article 46 of the GDPR (or equivalent provisions under UK GDPR or FADP).
5.2 Where Customer Personal Data originating from the EEA is transferred to a country not covered by an adequacy decision, the Parties agree that the EU SCCs shall apply to such transfer, incorporated by reference into this Addendum as follows:
a. Module Two (Controller to Processor) shall apply where the Customer is a Controller and the Provider is a Processor;
b. Module Three (Processor to Processor) shall apply where the Customer is a Processor and the Provider is a Sub-Processor;
c. For Clause 7 of the EU SCCs, the optional docking clause shall apply;
d. For Clause 9(a) of the EU SCCs, Option 2 (general written authorization) shall apply, and the time period for prior notice of Sub-Processor changes shall be as set out in Clause 4.3 of this Addendum;
e. For Clause 11 of the EU SCCs, the optional language shall not apply;
f. For Clause 17 of the EU SCCs, Option 1 shall apply, and the EU SCCs shall be governed by the law of the EU Member State in which the Customer (as data exporter) is established, or where the Customer is not established in an EU Member State, the laws of Ireland;
g. For Clause 18(b) of the EU SCCs, disputes shall be resolved before the courts of the jurisdiction specified in Clause 5.2(f) above;
h. Annex I of the EU SCCs shall be deemed completed with the information set out in Clause 2.2 of this Addendum;
i. Annex II of the EU SCCs shall be deemed completed with the technical and organizational security measures described in Clause 6.1 of this Addendum and the Provider's Security Policy Document; and
j. Annex III of the EU SCCs shall be deemed completed with the Sub-Processors listed in the Sub-Processor List.
5.3 Where Customer Personal Data originating from the United Kingdom is transferred to a country not covered by an adequacy decision under UK GDPR, the UK Addendum shall apply to such transfer. The EU SCCs as specified in Clause 5.2 shall apply as amended by the UK Addendum, and the mandatory information required under Table 1 to Table 4 of the UK Addendum shall be deemed completed with the information set out in this Addendum.
5.4 Where Customer Personal Data originating from Switzerland is transferred to a country not covered by an adequacy decision under FADP, the EU SCCs as specified in Clause 5.2 shall apply with the following modifications: (i) references to "Regulation (EU) 2016/679" shall be interpreted as references to the FADP; (ii) references to specific GDPR articles shall be interpreted as references to the equivalent provisions under the FADP; and (iii) the competent supervisory authority under Clause 13 of the EU SCCs shall be the Swiss Federal Data Protection and Information Commissioner.
5.5 In the event that any provision of the SCCs (as incorporated by this Clause 5) conflicts with any other provision of this Addendum, the SCCs shall prevail to the extent of such conflict.
5.6 The Provider shall ensure that any onward transfer of Customer Personal Data by a Sub-Processor to a third country or international organization is subject to appropriate safeguards in accordance with Article 46 of the GDPR (or equivalent provisions under UK GDPR or FADP), including by requiring the Sub-Processor to enter into the SCCs or equivalent transfer mechanism with the onward recipient.
6. Security and Personal Data Breach Notification
6.1 The Provider shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks that may occur as a result of Processing Customer Personal Data, and in particular, the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
6.2 The Provider shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach and provide the Customer with details of the Personal Data Breach as required under Data Protection Laws. To the extent available, these details shall include:
a. the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;
b. the name and contact details of the data protection officer or other contact point of the Provider, where more information can be obtained;
c. a description of the likely consequences of the Personal Data Breach; and
d. a description of the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach.
7. Assistance
7.1 To the extent related to its Processing of Customer Personal Data (taking into account the nature of Processing and the information available to the Provider), the Provider shall promptly provide the Customer with reasonable assistance:
a. using appropriate technical and organizational measures, in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject rights under Data Protection Laws;
b. to enable the Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where the Customer is required to do so under Data Protection Laws, in connection with data protection impact assessments; and
c. in complying with its obligation to implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data.
8. Deletion or Return of Data
8.1 The Provider shall, at the choice of the Customer, delete or return all Customer Personal Data to the Customer once Processing by the Provider of any Customer Personal Data is no longer required for the purposes of this Agreement and delete all existing copies unless required by applicable laws to store Customer Personal Data.
9. Information Requests and Audits
9.1 The Provider shall, on request from the Customer, make available to the Customer all information necessary to demonstrate the Provider's compliance with its obligations under this Agreement. The Provider shall allow for audits (including inspections) conducted by the Customer or the Customer's designated auditor on reasonable prior written notice, for the purpose of demonstrating the Provider's compliance with its obligations under this Agreement. For the avoidance of doubt, such audits shall be limited to once per calendar year. Any additional audit under this Clause 9.1 (in excess of the once per calendar year limitation) shall be at the cost of the Customer, and the Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 9.1.
9.2 The Provider's obligations under Clause 9.1 of this Addendum are subject to the Customer:
a. giving the Provider reasonable prior notice of such information requests, audits, and/or inspections being required by the Customer;
b. ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections, and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and
c. ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to the Provider's business and the business of other customers of the Provider.
Last updated: March 2025