This Data Processing Exhibit, including its Exhibits, (“Exhibit”) supplements and is subject to the terms of the agreement between Seekr Technology Inc; (“Seekr”) and Customer governing Seekr’s provision of the Offerings to Customer (the “Agreement”), including the limitations of liability set forth in the Agreement, which shall apply in aggregate for all claims under the Agreement and this Exhibit. Each reference to the Exhibit herein means this Exhibit including its exhibits. If and to the extent language in this Exhibit conflicts with the Agreement, this Exhibit shall control.

1. Subject Matter and Duration.
   1. Subject Matter. This Exhibit reflects the parties’ commitment to abide by Data Protection Laws when Processing Customer Personal Data pursuant to the Agreement. In providing the Seekr Offerings to the Customer pursuant to the terms of the Agreement, Seekr may Process Personal Data on behalf of Customer and the parties agree to comply with the terms of this Exhibit with respect to any such Personal Data.
   2. Duration and Survival. This Exhibit will become legally binding upon the date that the parties sign this Exhibit. This Exhibit will terminate automatically upon termination of the Agreement, or as earlier terminated pursuant to the terms of the Exhibit.
2. Definitions. For the purposes of this Exhibit, the following terms and those defined within the body of this Exhibit apply. Any capitalized term not defined herein shall have the meaning given to it in the Agreement.
   1. “Customer Personal Data” means Personal Data Processed by Seekr on behalf of Customer under the Agreement.
   2. “Data Protection Laws” means all data privacy, data protection, and cybersecurity laws, rules and regulations of the United States and the European Union to which the Customer Personal Data are subject, including but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (“CPRA”), and the EU General Data Protection Regulation 2016/679 (“GDPR”) that are applicable to the Processing of Personal Data under the Agreement.
   3. “Data Subject” means an identified or identifiable natural person.
   4. “Seekr Offering” means the Seekr Offering identified in an Order, including any updates, enhancements, or improvements thereto.
   5. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
   6. “Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
   7. “Restricted Transfer” means a transfer of personal data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission.
   8. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Seekr.
   9. “Standard Contractual Clauses” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
   10. “Sub-processor(s)” means Seekr’s authorized vendors and third-party service providers that Process Customer Personal Data.
3. Data Use and Processing.
   1. Roles and Responsibilities. Seekr will comply with all Data Protection Laws applicable to it and the provision of the Seekr Offerings. When Processing Customer Personal Data in the provision of the Seekr Offerings to the Customer, the Customer will act as a “Business,” or “Controller” and Seekr will act as a “Service Provider,” or “Processor” (as such terms are defined by Data Protection Laws). Customer shall ensure that it has lawfully collected and that it may lawfully provide Customer Personal Data to Seekr for the purposes contemplated by the Agreement.
   2. Documented Instructions. Seekr shall Process Customer Personal Data only to provide the Seekr Offerings in accordance with the Agreement, this Exhibit, any applicable ordering document between the parties, and any instructions agreed upon by the parties. The parties agree that this Agreement and Customer’s use of the features and functionality within the Seekr Offering are Customer’s complete and final instructions to Seekr in relation to Processing of Customer Personal Data. Processing outside the scope of this Agreement (if any) will require prior written agreement between Customer and Seekr regarding additional instructions for Processing. Seekr shall immediately inform the Customer if, in Seekr’s opinion, their instructions infringe Data Protection Laws.
   3. Authorization to Use Sub-processors. To the extent necessary to fulfill Seekr’s contractual obligations under the Agreement, Customer hereby authorizes Seekr to engage Sub-processors.
   4. Seekr and Sub-processor Compliance. Seekr agrees to (i) enter into a written agreement with Sub-processors regarding such Sub-processors’ Processing of Customer Personal Data that imposes on such Sub-processors data protection requirements for Customer Personal Data that are consistent with this Exhibit; and (ii) remain responsible to Customer for Seekr’s Sub-processors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
   5. Right to Object to Sub-processors. Prior to engaging any new Sub-processors that Process Customer Personal Data, Seekr will notify Customer of these changes in writing (email sufficient). Seekr will allow Customer 20 calendar days to object after notice is given. If Customer has legitimate objections to the appointment of any new Sub-processor that relates to Seekr’s compliance with this Exhibit, Seekr will make reasonable efforts to address Customer’s objection. After this process, if a resolution has not been agreed to within five calendar days, Seekr will proceed with engaging the Sub-processor. During the 30 days that follow any failure to reach such resolution, Customer may terminate the part of the service performed under the Agreement that cannot be performed by Seekr without use of the objectionable Sub-processor by providing written notice to Seekr.
   6. Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
   7. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Seekr agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws in cases where Customer cannot reasonably fulfill such requests independently.
   8. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Seekr agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgment, the type of Processing performed by Seekr requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
   9. Demonstrable Compliance. Seekr agrees to provide information reasonably necessary to demonstrate compliance with this Exhibit upon Customer’s reasonable request.
   10. California Privacy Rights Act Terms. To the extent the CPRA applies to Seekr’s Processing of Customer Personal Data, this Section applies. Seekr shall: (i) comply with its obligations under the CPRA; (ii) provide the same level of protection as required under the CPRA; (iii) notify Customer if it can no longer meet its obligations under the CPRA; (iv) not “sell” or “share” (as such terms are defined by the CPRA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose other than to provide the Seekr Offerings under the Agreement and any applicable ordering document between the parties; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Seekr; and (vii) not combine Customer Personal Data with Personal Data that Seekr (a) receives from, or on behalf of, another person or (b) collects from its own, independent consumer interaction, except, in either case, except as permitted under the CPRA. Customer may: (1) take reasonable and appropriate steps to help ensure that Seekr processes Customer Personal Data in a manner consistent with Seekr’s CPRA obligations; and (b) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing of Customer Personal Data by Seekr.
4. Information Security Program. Seekr shall implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data in accordance with the technical and organizational controls attached hereto as Attachment A.
5. Security Incidents. Upon becoming aware of a Security Incident, Seekr agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer. A delay in giving such notice requested by law enforcement and/or in light of Seekr’s legitimate needs to investigate or remediate the matter before providing notice shall not constitute an undue delay. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. Seekr’s notification of or response to a Security Incident will not be construed as an acknowledgement by Seekr of any fault or liability with respect to the Security Incident. Seekr will take reasonable measures to mitigate the risks of further Security Incidents.
6. Cross-Border Transfers of Personal Data.
   1. Cross-Border Transfers of Personal Data. Customer authorizes Seekr and its Sub-processors to transfer Customer Personal Data across international borders. With respect to any Restricted Transfers, the Parties agree that such transfers shall be subject to the EU Standard Contractual Clauses as follows:
      1. Module Two will apply;
      2. in Clause 7, the optional docking clause will apply;
      3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Clause 3(e) of this Exhibit;
      4.  in Clause 11, the optional language will not apply;
      5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of the Republic of Ireland;
      6. in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland;
      7. Annex I of the EU SCCs shall be deemed completed with the information set out in Attachment A to this Exhibit;
      8. Annex II of the EU SCCs shall be deemed completed with the information set out in Attachment B to this Exhibit;
   2. SCCs Prevail. In the event that any provision of this Exhibit contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
   3. Onwards transfers. Seekr shall not participate in (nor permit any Sub-processor to participate in) any other Restricted Transfers of Customer Personal Data (whether as an exporter or an importer of Customer Personal Data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Laws.
   4. Data Transfer Impact Assessment Outcome. Based on the information set forth in this Exhibit, the parties agree that the transfer of Customer Personal Data originating in the European Economic Area to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws is consistent with the obligations applicable to the parties under Standard Contractual Clauses incorporated into this Exhibit.
7. Audits.
   1. Customer Audit. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may carry out an audit of Seekr’s facilities, policies, procedures, and records relevant to the Processing of Customer Personal Data.
   2. Audit Process. Any audit must be: (i) conducted during Seekr’s regular business hours; (ii) with 45 days’ advance notice to Seekr; (iii) carried out in a manner that prevents unnecessary disruption to Seekr’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction. Customer shall be responsible for any costs arising from such audit.
8. Data Deletion. At the expiry or termination of the Agreement, Seekr will, as directed by Customer and at Customer’s option, delete or return all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Seekr’s data retention schedule), except where Seekr is required to retain copies under applicable laws, in which case Seekr will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
9. Processing Details.
   1. Subject Matter. The subject matter of the Processing is Seekr’s provision and maintenance of the Seekr Offerings for Customer.
   2. Duration. The Processing will continue during the term of the Agreement, plus the period from expiration or termination until deletion of all Customer Personal Data by Seekr in accordance with this Exhibit.
   3. Categories of Data Subjects. Users of the Offerings.
   4. Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Seekr is the performance of the Services contained within the Offerings.
   5. Types of Customer Personal Data. Name, Email Address, Job Title (if provided).

Exhibit C – Information Security Provisions

This Attachment A forms part of the Agreement and describes the Processing that the processor will perform on behalf of the Controller.

A. LIST OF PARTIES

Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection] 

B. Description of Transfer

C. COMPETENT SUPERVISORY AUTHORITY