Data Processing Addendum

For the purposes of this DPA:

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

GrowthX will Process Customer Personal Data on behalf of Customer and in accordance with Customer's prior written instructions, including any instructions provided through Customer's use of the Service. GrowthX is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA and in accordance with Data Protection Laws.

GrowthX will inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws, unless it is prohibited from doing so by law on important grounds of public interest.

The details of GrowthX's Processing of Customer Personal Data are described in Schedule 1.

If applicable laws preclude GrowthX from complying with Customer's instructions, GrowthX will inform Customer of its inability to comply with the instructions, to the extent permitted by law.

Each of Customer and GrowthX will comply with their respective obligations under the Data Protection Laws.

GrowthX certifies that it will not (a) "sell" (as defined in Data Protection Laws) Customer Personal Data; (b) share or otherwise disclose Customer Personal Data to third parties for targeted advertising purposes; (c) retain, use, or disclose Customer Personal Data for any purpose other than as permitted under this DPA or outside the context of the direct relationship with Customer in accordance with the Agreement and Data Protection Laws; and (d) combine Customer Personal Data that GrowthX receives from, or on behalf of, Customer with Customer Personal Data that GrowthX receives from, or on behalf of, any entity other than Customer, or any Customer Personal Data that GrowthX collects from its own interaction with the individuals, unless explicitly authorized by Customer in writing.

In the event that Customer is subject to European Data Protection Law and the transfer of Customer Personal Data to GrowthX would be restricted in the absence of the Standard Contractual Clauses, the parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the "data exporter" and GrowthX as the "data importer."

For purposes of the EU SCCs the parties agree that:

• In Clause 7, the optional docking clause will not apply;
• In Clause 9, Option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 5.1 of this DPA;
• In Clause 11, the optional language will not apply;
• For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;
• For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
• For Annex I, Section A (List of Parties), (i) the data exporter's and the data importer's identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a controller, and GrowthX is a processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party's signature of Annex I, Section A, as of the effective date of this DPA;
• For Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes GrowthX's Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) GrowthX uses Subprocessors to support the provision of the Services.
• For Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to GrowthX. Unless and until Customer communicates a competent supervisory authority to GrowthX, the competent supervisory authority shall be the Irish Data Protection Commission.
• For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.

For the purposes of the UK Addendum parties agree that Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like the equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the importer.

GrowthX will require GrowthX's personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.

GrowthX will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

To the extent required by Data Protection Laws, GrowthX will provide Customer with reasonable assistance as necessary for the fulfilment of Customer's obligations under Data Protection Laws to maintain the security of Customer Personal Data.

Customer agrees that GrowthX may use third-party suppliers to Process Customer Personal Data ("Subprocessors") in accordance with the terms of this DPA by posting to website https://growthx.ai/legal/subprocessors which shall have a mechanism allowing Customer to subscribe to notifications of new Subprocessors (the "Notification Mechanism"), and sending email notification to Customers who have subscribed to the Notification Mechanism. If Customer does not subscribe to such notifications, Customer shall be deemed to have received notice of a new Subprocessor when such changes are posted to the Subprocessors list website. In response to Customer's reasonable objection, the parties will work together in good faith to determine an appropriate resolution.

GrowthX will impose on its Subprocessors substantially the same obligations that apply to GrowthX under this DPA. GrowthX will be liable to Customer for any breaches of this DPA caused by its Subprocessors' acts and omissions as it would be for its own.

Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data ("Requests"). If GrowthX receives any Requests during the term, GrowthX will advise the Data Subject to submit the request directly to Customer. GrowthX will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.

Upon becoming aware of a Security Incident affecting Customer Personal Data, GrowthX will (i) promptly take measures designed to remediate the Security Incident and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer. At Customer's request, GrowthX will reasonably assist Customer's efforts to notify Security Incidents to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. GrowthX's notice of or response to a Security Incident under this Section 7 will not be an acknowledgement or admission by GrowthX of any fault or liability with respect to the Security Incident.

Taking into account the nature of the Processing and the information available to GrowthX, GrowthX will reasonably assist Customer in conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by GrowthX of Customer Personal Data.

Customer instructs GrowthX to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK SCCs, if applicable, shall be provided only upon Customer's written request. Notwithstanding the foregoing, GrowthX may retain Customer Personal Data to the extent and for the period required by applicable laws and compliance with GrowthX's retention policies provided that GrowthX maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.

To the extent required of GrowthX under Data Protection Laws governing GrowthX's processing of Customer Personal Data, Customer may audit GrowthX's compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits in the event: (1) GrowthX suffers a Security Incident affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding GrowthX's compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. GrowthX will contribute to such audits by providing Customer or Customer's regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.

To request an audit, Customer must submit a detailed proposed audit plan to privacy@growthx.ai at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. GrowthX will review the proposed audit plan and provide Customer with any concerns or questions (for example, GrowthX may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise GrowthX confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least 30 days in advance of the proposed audit start date. Nothing in this Section 10 shall require GrowthX to breach any duties of confidentiality.

GrowthX may object to third party auditors that are, in GrowthX's reasonable opinion, not suitably qualified or independent, a competitor of GrowthX, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.

If the requested audit scope is addressed in an SOC 2, ISO, NIST or similar audit report performed by a qualified third party auditor on GrowthX's systems that Process Customer Personal Data ("Audit Reports") within twelve (12) months of Customer's audit request and GrowthX confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.

The audit must be conducted at a mutually agreeable time during regular business hours at the applicable business facility, subject to the agreed final audit plan and GrowthX's health and safety or other relevant policies and may not unreasonably interfere with GrowthX business activities.

Any audits are at Customer's expense and Customer will promptly disclose to GrowthX any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.

The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10.

Customer acknowledges and agrees that GrowthX may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject ("Analytics Data"), and use, publicize or share with third parties such Analytics Data to improve the Service and for GrowthX's other legitimate business purposes in accordance with Data Protection Laws.

Each party's liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

Customer acknowledges that GrowthX is reliant on Customer for direction as to the extent to which GrowthX is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, GrowthX will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by GrowthX in compliance with Customer's instructions or (b) from Customer's failure to comply with its obligations under the Data Protection Laws.

With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

GrowthX will implement and maintain the security practices and procedures set out in this Schedule 2.

1. Organizational management and staff responsible for the development, implementation and maintenance of GrowthX's information security program.
2. Periodic review and assessment of risks to GrowthX's organization, monitoring and maintaining compliance with GrowthX's policies and procedures, and reporting the condition of its information security and compliance to internal senior management as appropriate.
3. Data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and use of commercially available and industry standard encryption technologies for Customer Personal Data as appropriate.
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
5. Authentication controls designed to manage and control password strength, password management requirements, multi-factor authentication, and single sign-on (SSO) for assigned GrowthX credentials as appropriate.
6. Change management procedures and tracking mechanisms designed to test, approve and monitor changes to GrowthX's technology and information assets.
7. Incident response procedures design to allow GrowthX to investigate, respond to, mitigate and notify events related to GrowthX's technology and information assets.
8. Network security controls that provide for the use of firewalls and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack, as appropriate.
9. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
10. Logging controls including authentication, access, and system activity monitoring designed to record security-relevant events, detect anomalous behavior, support incident investigation, and maintain audit trails for a commercially reasonable retention period.