Data Processing Addendum

This Data Processing Addendum ("Addendum"), which applies to the agreement between Knak Inc. ("Knak"), and the customer identified in the signature block below ("Customer") (collectively referred to as the "Parties"), sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by Knak to Customer pursuant to the agreement entered into between the Parties (the "Master Agreement").

Updated as of April 17th, 2026.

1. Definitions

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

"Applicable Law" means all applicable laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the CCPA, the European Union ("EU") General Data Protection Regulation 2016/679 ("GDPR"), with effect from 25 May 2018, and EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC ("e-Privacy Directive"), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications.

"CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.), as may be amended, superseded or replaced from time to time.

"Data Controller" means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.

"Data Processor" means a person who Processes Personal Data on behalf of the Data Controller.

"Data Security Measures" means technical and organisational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.

"Data Subject" means an identified or identifiable natural person to which the Personal Data pertain.

"EEA" means the European Economic Area.

"Instructions" means this Addendum and any further written agreement or documentation (including without limitation the Master Agreement) through which the Customer instructs Knak to perform specific Processing of Personal Data.

"Personal Data" means any information relating to an identified or identifiable natural person provided by Customer and Processed by Knak in accordance with Customer's Instructions pursuant to this Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data in the course of it being Processed by Knak.

"Process", "Processed", or "Processing" means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Restricted Transfer" means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).

"Services" means the services offered by Knak and subscribed for by Customer under the Master Agreement.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.

"Sub-Processor" means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.

"UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.

2. Roles and Responsibilities of the Parties

(A) The Parties acknowledge and agree that, as between the parties, Customer is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and Knak is acting as a Data Processor on behalf of and under the Instructions of Customer. Where Customer is processing Personal Data for a third-party Data Controller, it is acknowledged that Customer is acting as Data Processor and Knak is acting as a Sub-Processor of Customer.

3. Obligations of Customer

(A) The Customer is responsible for ensuring that the processing of Personal Data takes place in compliance with the Applicable Laws, and this Addendum.

(B) The Customer has the right and obligation to make decisions about the purposes and means of the processing of Personal Data.

(C) The Customer shall be responsible for ensuring that the processing of Personal Data, which the Data Processor is instructed to perform, has a legal basis and, if such legal basis is consent, the Customer shall retain copies of all relevant consents.

4. Obligations of Knak

Knak agrees to and warrants that it shall:

(A) Process Personal Data disclosed to it by Customer only on behalf of and in accordance with the Instructions of Customer and Annex 1 of this Addendum, unless Knak is otherwise required by Applicable Law, in which case Knak shall inform Customer of that legal requirement before Processing the Personal Data, unless informing the Customer is prohibited by Applicable Law on important grounds of public interest. Knak shall immediately inform Customer if, in Knak's opinion, an Instruction provided infringes Applicable Law;

(B) Ensure that any person authorised by Knak to Process Personal Data in the context of the Services is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller;

(C) Store and Process all data, including Personal Data, only in those jurisdictions detailed in the list of sub-processors set out at https://knak.com/subprocessors. Knak has and shall continue to enter into any written agreements as are necessary (in its reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from Knak;

(D) Notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and on behalf of Knak. Customer may, if it so chooses, seek a protective order. Knak shall reasonably cooperate with Customer in such defence;

(E) Provide assistance to Customer in complying with Customer's obligations relating to the security of Personal Data, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to Knak;

(F) Maintain internal record(s) of Processing activities, copies of which shall be provided to Customer by Knak or to supervisory authorities upon request; and

(G) Inform Customer about any actions of a data protection authority against Knak that could affect Customer's Personal Data unless such notification is prohibited by Applicable Law.

5. Sub-Processing

(A) Customer acknowledges and agrees that (a) Knak's Affiliates may be retained as Sub-Processors; and (b) Knak and Knak's Affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services where Knak or a Knak Affiliate has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in the Master Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-Processor.

(B) Knak's current list of Sub-Processors for the Services identified is set out at https://knak.com/subprocessors. Such Sub-Processor lists shall include the identities of those Sub-Processors and their country of location. Knak shall provide written notification to Customer of a new Sub-Processor(s) upon Knak's authorizing or appointing any new Sub-Processor(s) to Process Personal Data in connection with the provision of the applicable Services.

(C) Customer may object to Knak's use of a new Sub-Processor by notifying Knak promptly in writing within thirty (30) days after receipt of Knak's notice in accordance with the mechanism set out above. In the event Customer objects to a new Sub-Processor, as permitted in the preceding sentence, Knak will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening Customer. If Knak is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Services which cannot be provided by Knak without the use of the objected-to new Sub-Processor by providing written notice to Knak. Knak will refund Customer any prepaid fees covering the remainder of the term in respect of such Services following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer. For the avoidance of doubt, Customer's right of objection under this section 5(C) shall not delay Knak's appointment of any new Sub-Processor(s).

(D) Knak shall be liable for the acts and omissions of its Sub-Processors to the same extent Knak would be liable if performing the services of each Sub-Processor directly under the terms of this Addendum, except as otherwise set forth in the Master Agreement.

6. European Specific Provisions

(A) Knak will Process Personal Data in accordance with the GDPR requirements directly applicable to Knak's provision of its Services.

(B) Knak shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Addendum, to the extent required under the GDPR.

(C) Where the transfer of Personal Data to Knak is a Restricted Transfer, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form an integral part of the Agreement in accordance with Annex B of this DPA.

(D) Customer consents to the transfers of Personal Data to the countries outside of Canada and the EU set out in the list of Sub-Processors for the Services set out at https://knak.com/subprocessors.

(E) To the extent that the Parties are relying on a specific statutory mechanism to allow for data transfer to third countries and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.

7. Compliance with Applicable Laws

(A) Each Party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of the Services.

(B) Without limiting the above, (i) Customer – unless Customer is a Data Processor itself, in which case it shall require that the Data Controller assume such responsibility – is responsible for ensuring that it has a lawful basis for the processing of Personal Information in the manner contemplated by this Master Agreement, and has an adequate record of such basis (whether directly or through another third-party provider); and (ii) Knak is not responsible for determining the requirements of laws applicable to Customer's business or that Knak's provision of the Services meets the requirements of such laws. As between the parties, Customer is responsible for the lawfulness of the Processing of the Customer Personal Data. Customer will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.

(C) If a Data Subject brings a claim directly against Knak for a violation of their Data Subject rights in breach of Applicable Laws and such claim does not arise from a breach by Knak of the terms of this Addendum, Customer will indemnify Knak for any cost, charge, damages, expenses, or loss arising from such a claim, to the extent that Knak has notified Customer about the claim and given Customer the opportunity to cooperate with Knak in the defence and settlement of the claim. Subject to the terms of this Addendum, Customer may claim from Knak amounts paid to a Data Subject for a violation of their Data Subject rights caused by Knak's breach of its obligations under GDPR.

8. Data Security

(A) Knak shall develop, maintain, and implement a comprehensive written information security program that complies with Applicable Law and good industry practice. Details of Knak's current security policy are set out at https://knak.com/security/. Knak's information security program includes appropriate administrative, technical, physical, organisational, and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:

  • a) The pseudonymisation and encryption of the Personal Data;
  • b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
  • c) The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
  • d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures adopted pursuant to this provision for ensuring the security of Processing.

(B) Knak shall supervise Knak personnel to the extent required to maintain appropriate privacy, confidentiality, and security of Personal Data. Knak shall provide training, as appropriate, to all Knak personnel who have access to Personal Data.

(C) Knak shall promptly: (i) on written request of Customer; and (ii) following the expiration or earlier termination of the Master Agreement, return to Customer, or its designee, if so requested during such period, or if not so requested within 90 days of termination, securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in Knak's, its affiliates', or their respective subcontractors' possession, custody, or control. In the event Applicable Law does not permit Knak to comply with the delivery or destruction of the Personal Data, Knak warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this Addendum. It is acknowledged that deletions during the term of the Master Agreement may result in Knak being unable to perform all or part of the Services, and may result in additional costs where multiple requests for deletions impact on the delivery of the Service.

9. Data Subject Rights

(A) Knak shall take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer to enable the Customer to comply with:

  • the rights of Data Subjects under the Data Protection Laws, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
  • information or assessment notices served on the Customer by any supervisory authority under the Data Protection Laws.

(B) Knak shall promptly inform the Customer in the event of receiving a Data Subject access request and will advise the Data Subject of the request having been forwarded to the Data Controller. Knak shall not provide Data Subjects with access to their personal data nor will it engage directly with a Data Subject in relation to such requests, save for advising that their request has been forwarded to the Data Controller.

(C) Knak shall provide such co-operation and assistance as may be reasonably required to enable the Customer to deal with any subject access request or other Data Subject right in accordance with the provisions of the Data Protection Laws. In particular, Knak shall assist the Customer in the fulfilment of the Data Controller's obligation to respond to requests exercising Data Subjects' rights under Data Protection Laws.

(D) Data Protection Impact Assessments (DPIAs): Knak may be required to assist the Customer in undertaking a DPIA before carrying out any processing that uses new technologies (and taking into account the nature, scope, context, and purposes of the processing) that is likely to result in a high risk (such as monitoring activities, systematic evaluations, or processing special categories of data) to the Data Controller's data.

10. Data Breach Notification

(A) Knak shall, without undue delay, inform Customer in writing of any Personal Data Breach of which Knak becomes aware. The notification to Customer shall include all available information regarding such Personal Data Breach, including information on:

  • a) The nature of the Personal Data Breach, including, where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
  • b) The likely consequences of the Personal Data Breach; and
  • c) The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate any possible adverse effects.

(B) Knak shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate, or rectify such Personal Data Breach. Knak shall provide such assistance as required to enable Customer to satisfy Customer's obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR.

11. Information Request/Audit

(A) Knak shall, on written request (but not more than once per year, other than in the event of a Personal Data Breach), make available to Customer all information necessary to demonstrate compliance with the obligations set forth in this Addendum and, at the Customer's expense, allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Upon prior written request by Customer (provided that it shall be not more than once per year other than in the event of a Personal Data Breach), Knak agrees to cooperate and, within reasonable time, provide Customer with: (a) audit reports (if any) and all information necessary to demonstrate Knak's compliance with the obligations laid down in this Addendum; and (b) confirmation that no audit, if conducted, has revealed any material vulnerability in Knak's systems, or to the extent that any such vulnerability was detected, that Knak has fully remedied such vulnerability.

(B) Where Customer is a Data Processor itself, the Customer may provide the Data Controller with respective documentation received by Knak and Data Controller is entitled to conduct audits contemplated at Knak, but only insofar as this is required by Applicable Law, a competent court, or regulator, all at the Data Controller's expense.

12. California Consumer Privacy Act of 2018 ("CCPA")

(A) For purposes of this Addendum, Knak is a "Service Provider" as defined in CCPA Section 1798.140(v).

(B) Customer discloses Personal Data to Knak (or facilitates such disclosure by Customer's users) solely for (a) a valid business purpose as defined in the CCPA and (b) to facilitate Knak's performance of the Services.

(C) In connection with its processing of Personal Data as described in this Addendum and the Main Agreement, Knak shall not (a) sell any Personal Data; or (b) retain, use, or disclose Personal Data for a commercial purpose other than providing the Services as provided in the Main Agreement and this Addendum, or as otherwise permitted by the CCPA; and (c) Knak certifies that it understands and will comply with the restrictions described in this Section 12.

13. Transfers

(A) Knak reserves the right to transfer information (including Personal Data) to a third party in the event of a sale, merger, liquidation, receivership, or transfer of all or substantially all of the assets of Knak's business provided that the third party agrees to adhere to Knak's terms relating to Personal Data and provided that the third party only uses Personal Data for the purposes that it has been provided to Knak. The Customer will be notified in the event of any such transfer.

14. Governing Law

(A) This Addendum shall be governed by the laws of the jurisdiction specified in the Master Agreement.

Ready to execute a DPA?

To execute this Data Processing Addendum with Knak, please reach out to our security team at security@knak.com.

Annex 1: Scope of the Data Processing

This Annex forms part of the Data Processing Addendum between Customer and Knak.

The Processing of Personal Data concerns the following categories of Data Subjects:

  • Employees and contractors of Customer who use the Service (who are natural persons) ("Users")

Categories and nature of Personal Data

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • Social media URLs
  • Marketing Automation API Credentials

No Sensitive Data is Processed by Knak.

Scope and purpose of Processing

The objective of Processing of Personal Data by Knak is the performance of the Services pursuant to the Master Agreement.

Frequency and Duration of Processing

Knak will Process Personal Data continuously for the duration of the Master Agreement and will delete all Personal Data following termination of the Master Agreement in accordance with section 8(C), unless otherwise agreed upon in writing.

Competent Supervisory Authority

Data Protection Commission of Ireland.

Annex B: Standard Contractual Clauses (Modules 2 and 3)

Where the transfer of Personal Data to Knak is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form part of the DPA as follows:

In relation to transfers of Personal Data protected by the EU GDPR, the SCCs shall apply as follows:

  • Module Two terms shall apply (where Customer is the controller of Personal Data) and the Module Three terms shall apply (where Customer is the processor of Personal Data);
  • in Clause 7, the optional docking clause shall apply and Authorized Affiliates may accede to the SCCs under the same terms and conditions as Customer, subject to mutual agreement of the parties;
  • in Clause 9, option 2 ("general authorization") is selected, and the process and time period for prior notice of Sub-processor changes shall be as set out in Section 5(B) of the DPA;
  • in Clause 11, the optional language shall not apply;
  • in Clause 17, option 1 shall apply and the SCCs shall be governed by Irish law;
  • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
  • Annex I shall be deemed completed with the information set out in Annex A to the DPA; and
  • Annex II shall be deemed completed with the information set out in the Security Addendum, subject to Section 8 (Data Security) of the DPA.

In relation to transfers of Personal Data protected by the UK GDPR, the SCCs as implemented under Section 1(a) above shall apply with the following modifications:

  • the SCCs shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;
  • Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annex A and Annex B to the DPA and the Security Addendum respectively, and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party"; and
  • any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

In relation to transfers of Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented under Section 1(a) above will apply with the following modifications:

  • references to "Regulation (EU) 2016/679" and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;
  • references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" and/or "Swiss law" (as applicable);
  • references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland";
  • the SCCs shall be governed by the laws of Switzerland; and
  • disputes shall be resolved before the competent Swiss courts.

Where the Standard Contractual Clauses apply, this section sets out the parties' interpretations of their respective obligations under specific provisions of the Clauses, as identified below. Where a party complies with the interpretations set out below, that party shall be deemed by the other party to have complied with its commitments under the Standard Contractual Clauses:

  • where Customer is itself a processor of Personal Data acting on behalf of a third party controller and Knak would otherwise be required to interact directly with such third party controller (including notifying or obtaining authorizations from such third party controller), Knak may interact solely with Customer and Customer shall be responsible for forwarding any necessary notifications to and obtaining any necessary authorizations from such third party controller;
  • the certification of deletion described in Clause 16(d) of the SCCs shall be provided by Knak to Customer upon Customer's written request;
  • for the purposes of Clause 15(1)(a) of the SCCs, Knak shall notify Customer and not the relevant data subject(s) in case of government access requests, and Customer shall be solely responsible for notifying the relevant data subjects as necessary; and
  • taking into account the nature of the processing, Customer agrees that it is unlikely that Knak would become aware that Personal Data processed by Knak is inaccurate or outdated. To the extent Knak becomes aware of such inaccurate or outdated data, Knak will inform the Customer in accordance with Clause 8.4 SCCs.