Singuli Data Privacy Addendum
This Data Privacy Addendum ("DPA") is incorporated into and forms part of (and if applicable, amends the current version of) the Agreement (as defined below) between Singuli, Inc. ("Singuli"), and the company receiving the Service (as defined in the Agreement) from Singuli ("Client"), each a “Party” and collectively the “Parties.” This DPA applies to and takes precedence over the agreement between the Parties and any associated contractual document between the Parties, including the Service Agreement, Terms of Service, order form, statement of work or data protection addendum thereunder (collectively, the “Agreement”), to the extent of any conflict.
Client and Singuli agree as follows:
Definitions. For purposes of this DPA:
“Data Privacy Laws” means all applicable laws and regulations in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 ("CCPA"), privacy laws passed by other U.S. states (together with the CCPA, “U.S. State Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), the United Kingdom Data Protection Act of 2018 ("UK Privacy Act"), and the Swiss Federal Act on Data Protection ("FADP"). For the avoidance of doubt, if Singuli’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and includes “consumer” as defined in Data Privacy Laws.
“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in relation to the Agreement. For clarity, Personal Data does not include the Parties’ business contact information (specifically, business addresses, phone numbers, and email addresses, including a Party’s contact persons’ names used solely to facilitate the Parties’ communications for administration of the Agreement).
“Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Subprocessor” means any third party or Singuli affiliate that Singuli engages to Process Personal Data.
“UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf and completed as set forth herein.
The terms “Business”, “Controller”, “Processor”, and “Service Provider” are defined as in applicable Data Privacy Laws.
Roles of the Parties; Scope and Purposes of Processing.
This DPA applies to Personal Data, if any, that Singuli Processes pursuant to the Agreement.
The Parties agree that where Client is a Controller or Business, Singuli is its Processor or Service Provider. Where Client is a Processor or Service Provider, Singuli acts as Client’s Processor (i.e., its Subprocessor) or Service Provider.
Singuli will Process Personal Data solely: (i) to fulfill its obligations to Client under the Agreement, including this DPA; (ii) on Client’s behalf; and (iii) in compliance with Data Privacy Laws. Except as explicitly authorized under Data Privacy Laws, Singuli will:
- not retain, use, or disclose the Personal Data outside of the direct business relationship between Client and Singuli;
- not “sell” or “share” any Personal Data, as such terms are defined in applicable U.S. State Privacy Laws, to any third party;
- not attempt to (1) re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data, or (2) link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data, without Client’s express written permission;
- comply with any applicable restrictions under Data Privacy Laws on combining the Personal Data with personal data that Singuli receives from, or on behalf of, another person or persons, or that Singuli collects from any interaction between it and any individual; and
- not otherwise engage in any Processing of the Personal Data that is prohibited or not permitted by Processors or Service Providers under Data Privacy Laws.
Client retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
Personal Data Processing Requirements. Singuli will:
- Provide the same level of protection for the Personal Data as is required under Data Privacy Laws applicable to Client.
- Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Assist Client in the fulfilment of Client’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data).
- Promptly notify Client of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Singuli’s Processing of Personal Data on Client’s behalf, unless prohibited by Data Privacy Laws. If Singuli receives a third party, Data Subject, or governmental request, except where prohibited by Data Privacy Laws, Singuli will await written instructions from Client on how, if at all, to assist in responding to the request. Singuli will provide Client with reasonable cooperation and assistance in relation to any such request.
- Provide reasonable assistance to and cooperation with Client for Client’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Privacy Laws.
- Provide reasonable assistance to and cooperation with Client for Client’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Singuli under Data Privacy Laws to consult with a regulatory authority in relation to Singuli’s Processing or proposed Processing of Personal Data.
- Promptly notify Client if Singuli determines that (i) it can no longer meet its obligations under this DPA or Data Privacy Laws; or (ii) it has breached this DPA, and shall cooperate to remediate such breach; or (iii) in Singuli’s opinion, an instruction from Client infringes Data Privacy Laws.
Data Security. Singuli will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit B hereto.
Security Breach. Singuli will notify Client promptly, and in any event within forty-eight (48) hours, of any Security Breach. Singuli will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws and will assist Client in Client’s compliance with its Security Breach-related obligations, including without limitation by:
- At Singuli’s own expense, taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
- Providing Client with the following information, to the extent known:
- The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
- The likely consequences of the Security Breach; and
- Measures taken or proposed to be taken by Singuli to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Subprocessors.
- Client acknowledges and agrees that Singuli may use Subprocessors to Process Personal Data in accordance with the provisions in this DPA and Data Privacy Laws. Where Singuli sub-contracts any of its rights or obligations concerning Personal Data to a Subprocessor, Singuli will: (i) take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Privacy Laws; and (ii) require that each Subprocessor complies with obligations that are no less restrictive than those imposed on Singuli under this DPA.
- To the extent Singuli Processes Personal Data subject to applicable Data Privacy Laws in the European Economic Area, Switzerland, or the United Kingdom, Singuli has provided a current list of Singuli’s Subprocessors in Exhibit C hereto. Singuli will maintain an up-to-date list of its Subprocessors, and it will provide Client with notice of any new Subprocessor added to the list prior to transferring Personal Data to such new Subprocessor. In order to receive such notice, Client is required to register with Singuli by sending an email to dpa-notifications@singuli.co. In the event Client objects to a new Subprocessor within twenty (20) days after receipt of such notice at the email address registered with Singuli, the Parties will cooperate in good faith to resolve the objection Client has identified with such Subprocessor’s access to Personal Data. If Singuli and Client reach an impasse as to how to mitigate material risks that Client has identified with such Subprocessor’s access to Personal Data, Client may terminate the Agreement by notifying Singuli within sixty (60) days after Singuli’s notice of its engagement of such Subprocessor.
Data Transfers.
- Singuli will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Privacy Laws. Where Singuli engages in an onward transfer of Personal Data, Singuli shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
- To the extent legally required, by entering into this DPA, Client and Singuli are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(c) and (d) below) will be deemed completed as follows:
- Module 2 of the EU SCCs applies to transfers of Personal Data from Client (as a Controller) to Singuli (as a Processor) and Module 3 of the EU SCCs applies to transfers of Personal Data from Client (as a Processor) to Singuli (as a Subprocessor);
- Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;
- Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the Parties select Option 2 (General written authorization). The list of Subprocessors shall be provided to Client and updated in accordance with Section 6 of this DPA;
- Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
- Under Clause 17 of Modules 2 and 3 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland;
- Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Exhibit A hereto;
- Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;
- Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with Exhibit B hereto; and
- Annex III of Modules 2 and 3 (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.
- To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within UK SCCs are deemed completed as follows:
- Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement;
- Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(b) of this DPA;
- Table 3: Annexes I and II are set forth in Exhibit A and Exhibit B hereto, respectively. Annex III is inapplicable.
- Table 4: Client may end this DPA as set out in Section 19 of the UK SCCs.
- By entering into this DPA, the Parties are deemed to be signing the UK SCCs.
- For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (iii) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iv) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Audits. Subject to the conditions set forth herein, Singuli will make available to Client all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client.
- If the requested audit scope is addressed in an audit report issued by a third-party auditor within the prior twelve (12) months, and Singuli provides such report to Client confirming there are no known material changes in the controls audited, Client agrees to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same controls covered by the report.
- In the event an audit report is not provided, any audit, whether by Client or a third party, shall (i) be conducted only on an agreed date during normal business hours (9:00 a.m. – 5:00 p.m. local time); (ii) be limited to no more than one business day; and (iii) be conducted subject to Client’s payment of Singuli’s then-current audit fee.
- If a third party will conduct the audit, the third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). Singuli will not unreasonably withhold its consent to a third-party auditor requested by Client. Any third-party auditor must execute a written confidentiality agreement acceptable by Singuli.
- Client must promptly provide Singuli with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than Client’s Personal Data), are confidential information of Singuli.
- Nothing herein shall require Singuli to disclose or make available (i) any data of any other customer or client of Singuli; (ii) Singuli’s internal accounting or financial information; (iii) any trade secret of Singuli; (iv) any information that, in Singuli’s reasonable opinion, could (1) compromise the security of Singuli systems or premises; or (2) cause Singuli to breach its obligations under applicable law or its security and/or privacy obligations to any third party; or (v) any information sought for any reason other than the good-faith fulfillment of Client’s obligations under the EU SCCs, UK SCCs, or Data Privacy Laws.
- Client agrees that any audit conducted in accordance with this Section 8 satisfies Singuli’s audit obligations under Data Privacy Laws.
Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Singuli will, at the choice of Client, return to Client and/or securely destroy all Personal Data upon (a) written request of Client or (b) termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, Singuli will inform Client if it is not able to return or delete the Personal Data. For the avoidance of doubt, Singuli may retain Personal Data that is included in routine backups, and the provisions of this DPA will apply to such Personal Data for as long as Singuli retains it.
Indemnification and Limitation of Liability. To the extent permitted by Data Privacy Laws, the Parties will indemnify each other and their liability will be limited as provided in the Agreement.
Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Singuli or its Subprocessors Process the Personal Data.
Exhibit A
ANNEX I TO THE EU SCCS
A. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s):
Name : Client, as identified in the Agreement.
Address : As provided in the Agreement.
Contact person’s name, position, and contact details : As provided in the Agreement.
Activities relevant to the data transferred under these Clauses : The data exporter receives the data importer’s Service pursuant to their underlying Agreement.
Signature and date : The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
Role: Controller or Processor
Data importer(s):
Name : Singuli, as identified in the Agreement.
Address : As provided in the Agreement.
Contact person’s name, position, and contact details : As provided in the Agreement.
Activities relevant to the data transferred under these Clauses : The data importer provides the Service to the data exporter pursuant to their underlying Agreement.
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
Role: Processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Categories of data subjects whose personal data is transferred:
If any Personal Data is transferred, the Personal Data will concern customers of Client.
Categories of personal data transferred:
If any Personal Data is transferred, the Personal Data will concern transaction information of customers of Client.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
If transferred, shall be continuous for the duration of the Agreement.
Nature of the processing:
If applicable, data importer’s Processing activities shall be limited to those discussed in the Agreement and the DPA.
Purpose(s) of the data transfer and further processing:
If transferred, the objective of the transfer and further Processing of personal data by Singuli is to provide the Service to the Client.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
If any personal data will be processed, that personal data will be retained for the period of time necessary to provide the Service to Client under the Agreement, the DPA, and/or in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing:
If Singuli processes personal data, same as above to the extent such information is provided to Subprocessors for purposes of providing the Service.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
To the extent legally permitted, the competent supervisory authority is the Irish Data Protection Commission.
Exhibit B
SINGULI DATA SECURITY MEASURES
If Singuli Processes Personal Data, Singuli will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
Singuli’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Data ("Data Personnel"). Singuli’s security requirements cover the following areas:
- Information Security Policies and Standards. Singuli will maintain written information security policies, standards, and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. These policies, standards, and procedures shall be designed and implemented to:
- Prevent unauthorized persons from gaining physical access to Personal Data Processing systems (e.g. physical access controls);
- Designate one or more employees, or competent subcontractors, to coordinate the Information Security Program;
- Prevent Personal Data Processing systems from being used without authorization (e.g. logical access control);
- Ensure that Data Personnel gain access only to such Personal Data as they are entitled to access (e.g. in accordance with their access rights) and that Personal Data cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
- Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Personal Data by means of data transmission facilities can be established and verified (e.g. data transfer controls);
- Ensure that all systems that Process Personal Data are the subject of a vulnerability management program that includes regular internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities;
- Ensure that Personal Data is encrypted while in transit between Client and Singuli and its Sub-Processors; and
- Ensure that Personal Data is encrypted at rest at Singuli and its Subprocessors.
- Physical Security. Singuli will maintain commercially reasonable security systems at all Singuli sites at which an information system that uses or stores Personal Data is located ("Processing Locations") that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
- Organizational Security. Singuli will maintain information security policies and procedures addressing:
- Data Disposal. Procedures for when media are to be disposed of or reused have been implemented to prevent any subsequent retrieval of any Personal Data stored on media before they are withdrawn from Singuli’s inventory or control.
- Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Personal Data stored on media.
- Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
- Incident Response. All Security Breaches are managed in accordance with appropriate incident response and remediation procedures.
- Network Security. Singuli maintains commercially reasonable information security policies and procedures addressing network security.
- Access Control (Governance).
- Singuli governs access to information systems that Process Personal Data.
- Only authorized Singuli staff can grant, modify, or revoke access to an information system that Processes Personal Data.
- Singuli implements commercially reasonable physical and technical safeguards to create and protect passwords.
- Virus and Malware Controls. Singuli protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
- Personnel.
- Singuli has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and Security Breach reporting.
- Data Personnel strictly follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
- Singuli shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Personal Data.
- Business Continuity. Singuli implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective. Singuli shall also adjust its Information Security Program in light of new laws and circumstances, including as Singuli’s business and Processing change.
Exhibit C
SINGULI SUBPROCESSORS
| Entity Name | Subprocessing Activities | Location(s) of Processing |
|---|---|---|
| Amazon Web Services, Inc. | Data Hosting and Storage | USA |