Data Processing Addendum
This Data Processing Addendum (“DPA”) is made and entered into as of the date of its acceptance and forms part of the Mimic Terms and Conditions or other agreement to license or purchase any Mimic Solution in which this addendum is incorporated (the “Agreement”). You acknowledge that you, on behalf of your entity which is a party to the Agreement (collectively, “You”, “Customer”, or “Data Controller”), have read and understood and agree to comply with this DPA, and are entering into a binding legal agreement with Mimic Networks, Inc. (“Mimic”, “Company” or “Data Processor”) to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) of individuals protected by Applicable Data Protection Laws (defined below). Both parties shall be referred to as the “Parties” and each, a “Party”.

WHEREAS, Mimic shall provide the products and/or services set forth in the Agreement (collectively, the “Solutions”) for Customer, as described in the Agreement; and

WHEREAS, in the course of providing the Solutions pursuant to the Agreement, Company may process Personal Data on Customer’s behalf, and the Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Solutions and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:

This DPA applies in respect of the processing of any Personal Data (as defined below) collected, provided, or otherwise made available to Company in connection with the provision of the Solutions, including software or other Products and any services related to Products, under the Agreement, if the processing of such Personal Data is subject to the GDPR, and only to the extent the Customer is a Controller of Personal Data and Company is a Processor. The DPA is intended to satisfy the requirements of European Union data protection law, including Article 28(3) of the GDPR. This DPA shall be effective for the term of the Agreement or until deletion of Personal Data as instructed by Customer under this DPA, whichever is earlier.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. Cognate terms shall be construed to have the same meaning.

1.1. “Applicable Data Protection Laws” means any statutes, regulations or other laws pertaining to privacy or data protection, processing of Personal Data, and/or information security of Customer Personal Data that are directly applicable to each respective Party to this DPA in the context of Mimic processing Customer Personal Data, which may include, but are not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”); the United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 (“UK GDPR”); the revised Swiss Federal Act on Data Protection (“revFADP”); Brazil Law No. 13,709/2018 (General Law for the Protection of Personal Data or “LGPD”); the Personal Information Protection and Electronic Documents Act (“PIPEDA”); the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (“VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (“CPA”); the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (“UCPA”); the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. PA 22-15 § 1 et seq. (“PDPOM”); the Personal Information Protection Law of the People’s Republic of China (“PIPL”); and any other applicable federal or state laws or regulations regarding information privacy that are in effect or will come into effect during the term of the Agreement.

1.2. “Authorized Affiliate” means an Affiliate (as defined in the Agreement) of Customer who has not signed an Order but acts as a controller or processor for the Customer Personal Data processed by Company pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.

1.3. “Customer Personal Data” means any Personal Data processed by Company on behalf of Customer as a service provider or processor (as applicable) in connection with any Company Solution offering, as more particularly described in Section 3.5 of this DPA.

1.4. “EEA” means any countries that are parties to the European Economic Area and Switzerland.

1.5. “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom (“UK”), the Data Protection Act 2018 and any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy, in each case as the same may be amended, superseded or replaced.

1.6. “Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws.

1.7. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

1.8. “2021 Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Data to Third Countries (and any successor clauses).

1.9. “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom (and any successor thereto).

1.10. “Third Countries” means countries that are not recognized by Applicable Data Protection Laws as countries providing adequate protection of Personal Data.

1.11. “Sub-Processor” means any processor engaged by Company or its Affiliates to process Customer Data. Sub-Processors may include third parties or Company Affiliates.

1.12. The terms “controller”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly.

2. Scope and Applicability of this DPA

This DPA applies where and only to the extent that Company processes Customer Personal Data on behalf of Customer as a processor in the course of providing the Solutions.
3. Roles and Scope of Processing
3.1. Role of the Parties. As between Company and Customer, Company shall process Customer Personal Data only as a processor (or sub-processor) acting on behalf of Customer in each case, regardless of whether Customer acts as a controller or as a data processor on behalf of a third-party controller with respect to Customer Personal Data.

3.2. Customer Instructions. Company shall process Customer Personal Data only for the purposes described in the Agreement and in accordance with Customer’s documented lawful instructions. The Parties agree that the Agreement (including this DPA) and the applicable Order set out the Customer’s complete and final instructions to Company in relation to the processing of Customer Personal Data. Without prejudice to Section 3.3 (Customer Responsibilities), Company shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any data processing instructions from Customer violate Applicable Data Protection Laws.

3.3. Customer Responsibilities. Customer is responsible for the lawfulness of Customer Personal Data processing under or in connection with the Solutions, including when making decisions and issuing instructions for the processing of Customer Personal Data. Customer shall (i) have provided, and will continue to provide, all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Company to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the Solutions to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing up Customer Personal Data; (iii) have complied with all Applicable Data Protection Laws applicable to the collection of Customer Personal Data and the transfer of such Customer Personal Data to Company and its Sub-Processors; and (iv) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws). Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with any third-party controllers for whom Customer acts as a processor (and Company a sub-processor).

3.4. Customer Affiliates. Company’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions:

3.4.1. Customer shall be responsible for Authorized Affiliates’ compliance with this DPA. Any and all acts and/or omissions by an Authorized Affiliate with respect to this DPA shall be deemed the acts and/or omissions of Customer; and

3.4.2. Authorized Affiliates shall not bring a claim directly against Company. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against Company (an “Authorized Affiliate Claim”): (i) Customer must bring such Authorized Affiliate Claim directly against Company on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate to be a party to such claim; and (ii) all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including the damages disclaimer and any aggregate limitation of liability.

3.5. Details of Processing. Details of processing by Company are set forth below:

3.5.1. Subject Matter of Processing. Customer Personal Data that Customer elects to transfer to Company to be processed for the provision, receipt and/or use of the applicable Solutions as set forth in the Agreement.

3.5.2. Frequency and Duration of Processing. For the duration of the Solutions. Notwithstanding expiration or termination of the applicable Order or the Agreement, Company shall continue to process Customer Personal Data until such Customer Personal Data is deleted. The period for which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by Customer during the term of the Agreement. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by Company promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement.

3.5.3. Nature of Processing. Customer Personal Data that Customer elects to transfer to Company to be processed for the provision, receipt and/or use of the applicable Solutions as set forth in the Agreement.

3.5.4. Purpose of Processing. The operation, support, use or provisioning of the Solutions as set out in the Agreement and in compliance with applicable laws.

3.5.5. Categories of Data Subjects. Customer, rather than Company, determines which categories of Personal Data exist and will be disclosed to and processed by Company, and these may include Personal Data of natural persons whose Personal Data Customer elects to transfer to Company for processing for the purchase, provision, receipt and/or use of the applicable Solutions as set forth in the Agreement. Customer, rather than Company, determines which Data Subjects’ Personal Data is processed by Company through Customer Data put into or collected by Company Solutions.

3.5.6. Type of Personal Data. The type of Personal Data is as determined by Customer, subject to such restrictions as may be set forth in the Agreement. This includes Personal Data types that are included in data that Customer transfers to Company for processing for the provision, receipt and/or use of the applicable Solutions as set forth in the Agreement. These may include but are not limited to: (i) name, address, title, contact details; (ii) employer, job title, geographic location; and/or (iii) IP addresses, usage data, cookie data, location data.

4. Sub-Processing
4.1. Authorized Sub-Processors. Customer provides Company with a general authorization to engage Sub-Processors. The list of external Sub-Processors currently engaged by Company and authorized by Customer is set forth at https://www.mimic.com/subprocessors. The Sub-Processor list as of the date of execution of this DPA is hereby authorized by Customer.

4.2. Sub-Processor Obligations. Company shall: (i) enter into a contractual agreement with each Sub-Processor imposing data protection obligations offering substantially the same level of protection of Personal Data as those required by this DPA and Applicable Data Protection Laws, to the extent applicable to the nature of the service provided by the Sub-Processor; and (ii) remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause Company to breach any of its obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, Company shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-Processor agreements where required to satisfy Customer’s obligations under Applicable Data Protection Laws.

4.3. Changes to Sub-Processors. Company shall notify Customer in advance of any change to its Sub-Processors for the applicable Solutions. Customer may object in writing to Company’s appointment of a new Sub-Processor by notifying Company promptly in writing within ten (10) calendar days of notice of the change. Customer’s notification shall explain the reasonable grounds relating to data protection for the objection. The Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If the Parties are not able to reach a resolution, Company will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer (as Customer’s sole and exclusive remedy) to suspend or terminate the Agreement or Order to the extent that it relates to the Solutions which require the use of the proposed Sub-Processor, without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

5. Security and Audits
5.1. Company Security Standards. Company shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in each case in accordance with the Company’s then-current security standards. Company shall ensure that any person who is authorized by Company to process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.2. Customer Security Responsibilities. Customer shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data while in its dominion and control, including, without limitation, any measures of the Solutions that can be selected or configured by Customer. Company shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify whether any data transferred to Company for processing is subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by Company relating to data security and making an independent determination as to whether the Solutions meet Customer’s requirements and legal obligations under Applicable Data Protection Laws.

5.3. Audit. Subject to Sections 5.3.1 to 5.3.3, Company shall make available to Customer on request information necessary to demonstrate compliance with Applicable Laws and this DPA.

5.3.1. To the extent required by Applicable Laws, Company shall contribute to audits by Customer or an independent auditor engaged by the Customer, that is not a competitor of Mimic, in relation to the processing of the Customer Personal Data.

5.3.2. Information and audit rights of the Customer only arise under this Section to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of Applicable Laws.

5.3.3. Notwithstanding the foregoing, Company may exclude information and documentation that would reveal the identity of other Company customers or information that Mimic is required to keep confidential. Any information or records provided pursuant to this assessment process shall be considered Mimic’s Confidential Information and subject to the Confidentiality section of the Agreement.

5.4. Data Protection Impact Assessment. Upon Customer’s request, Company shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Solutions, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available.

6. International Transfers
6.1. Hosting and Processing Locations. Company will only host Customer Personal Data in the region(s) offered by Company and selected by Customer as set forth on an Order or as otherwise configured by Customer via the Solutions. Company will not process Customer Personal Data from outside the selected hosting region except as reasonably necessary to provide the Solutions or as necessary to comply with the law or a binding order of a governmental body. As between Customer and Company, Customer is solely responsible for selecting the regions from which its end users will access the Solutions and for any transfers of Customer Personal Data conducted by its end users via the Solutions.

6.2. Personal Data Transfers Outside of the EEA or the UK. Any transfers in connection with the performance of the Solutions from the EEA and/or Switzerland and/or the UK to a country that does not ensure an adequate level of protection under the applicable European Data Protection Laws shall be governed by and performed in accordance with the SCCs, which are incorporated by reference into this DPA and deemed executed concurrently with the execution of this DPA. Schedule I to this DPA sets forth the specific, additional and/or optional clauses for the SCCs.

6.3. Alternate Transfer Mechanism. If Company adopts an alternative transfer mechanism (including, without limitation, any new version of or successor to the SCCs) pursuant to the applicable European Data Protection Laws, such alternate transfer mechanism shall automatically apply in lieu of the SCCs to the extent that such alternative transfer mechanism complies with the applicable European Data Protection Laws and applies in the territories into which the Personal Data is transferred.

7. Rights of Individuals and Cooperation
7.1. Data Subject Requests. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Solutions, Company shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. If any such request is made to Company directly, Company shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

7.2. Data Protection Impact Assessments. To the extent Company is required under applicable European Data Protection Laws, Company shall provide reasonably requested information regarding Company’s processing of Customer Personal Data under the Agreement to assist the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.

7.3. Third Party Demands. If Company receives a demand from a third party (including, without limitation, any governmental, regulatory or supervisory authority) to retain, disclose or transfer Customer Personal Data, Company shall use commercially reasonable efforts to direct the demanding party to Customer, and Customer authorizes Company to share such information with such third party as may be reasonably necessary to direct the third party to Customer. Where Company is unable to direct the demanding party to Customer, Company shall, to the extent legally permitted, provide Customer notice of the demand and cooperate with Customer, at the Customer’s cost and expense, in seeking a protective order, or confidential treatment, or taking other measures to oppose or limit such demand.

8. Relationship to the Agreement; Limitation of Liability

8.1. Relationship to the Agreement. Except for the changes made by this DPA as applicable to the Solutions, the Agreement remains unchanged and in full force and effect. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

8.2. Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA and the SCCs (including any SCCs between Authorized Affiliates and Company), whether in contract, tort or under any other theory of liability, is subject to the liability restrictions set forth in the Agreement, including the damages disclaimer and any aggregate limitation of liability.

Schedule I – Transfer Mechanisms for European Data Transfers
Pursuant to Section 6.2 of this DPA, the SCCs are deemed incorporated into and form part of this DPA. The following specific and/or optional clauses shall apply to the SCCs as described in more detail below; any optional clauses in the SCCs not expressly selected are not included.

- Module Two terms apply where Customer is the controller of Customer Personal Data and Module Three terms apply where Customer is the processor of Customer Personal Data.
- Customer is the data exporter, and Company is the data importer.
- The optional docking clause in Clause 7 is incorporated with respect to Authorized Affiliates only; Authorized Affiliates may accede to the DPA and SCCs under the same terms and conditions, subject to Section 3.4 of this DPA, with the agreement of the Parties.
- For Clause 9, Option 2 (“General Authorization”) is selected and the process and time period for additional or replacement Sub-Processors shall be as set out in Section 4.3 of this DPA.
- For Clause 9(c), where confidentiality restrictions prohibit Company from providing a copy of a Sub-Processor agreement to Customer, Company shall (on a confidential basis) provide all information that it reasonably can in connection with such Sub-Processor Agreement to Customer.
- For Clause 11, the optional language does not apply.
- For Clause 13 and Annex I.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to Company on request.
- For Clause 17, Option 1 shall apply and the Member State for purposes of governing law shall be Ireland.
- For Clause 18(b), any dispute shall be resolved by the courts of Ireland.
- For Annex I.A., the “data importer” shall be Company and the “data exporter” shall be Customer and any Authorized Affiliates that have acceded to the SCCs pursuant to the DPA.
- For Annex I.B., the description of the transfer is as described in Section 3.5 (“Details of Processing”) of this DPA.
- For Annex II, the technical and organizational measures are: (i) with respect to Company, those measures described in Section 5.1 (“Company Security Standards”) and (ii) with respect to Customer, those measures described in Section 5.2 (“Customer Security Responsibilities”).
- For Annex III, the Sub-Processors shall be as described in Section 4.1 (“Authorized Sub-Processors”).