Definitions In this Annex the following terms shall have the following meanings:

"Applicable Data Protection Law" means applicable data protection and privacy laws including, where applicable, EU Data Protection Law, UK Data Protection Law and the CCPA. "Business" "consumer" , , "personal information" and "service provider" shall have the meanings given in Applicable Data Protection Law.

"CCPA" means the U.S. California Consumer Privacy Act of 2018, as amended or superseded from time to time, and any implementing regulations as promulgated by the California Attorney General.

"Controller" , "data subject" , "personal data" , "processor" , "processing" (and "process"') and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law.

"EDPB Recommendations" means the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

"EU Data Protection Law" means: (i) the EU General Data Protection Regulation (Regulation 2016/679); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any and all EU Member State laws made under or pursuant to any of the foregoing; in each case as amended or superseded from time to time.

"UK Data Protection Law" means the data privacy legislation adopted by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/419 as supplemented by the terms of the Data Protection Act 2018 and the UK GDPR (Retained Regulation(EU)2016/679(UK GDPR) pursuant to section 3 of the European Union (Withdrawal) Act 2018).

Relationship of the Parties:

Customer (the controller) appoints Moveo as a processor to process the personal data described in the Agreement (the "Data") for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Moveo shall process the Data solely on the documented written instructions of Customer (including with regard to any transfer of Data to a third country or an international organisation) and shall not retain, use, combine, or disclose the Data for any purpose other than the Permitted Purpose, or as otherwise permitted by the Applicable Data Protection Law. Moveo confirms that it acts as a "service provider" under the CCPA and shall not "sell" or "share" (as those terms are defined in the CCPA) the Data or otherwise use the Data for any purpose not permitted under this Agreement. Moveo shall ensure that persons authorised to process the Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and shall maintain a record of all categories of processing activities carried out on behalf of Customer.

International Transfers & Data Localization Laws:

If any Data originates from the European Economic Area ("EEA") under the Agreement, Moveo shall not transfer the Data outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation):

(a) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data;

(b) transferring to a recipient that has implemented binding corporate rules authorised in accordance with EU Data Protection Law; or

(c) entering into with Customer the standard contractual clauses ("SCCs") adopted or approved by the European Commission (including any UK addendum where relevant), in which case the Parties shall each be deemed to have executed such SCCs (which shall automatically form part of this Addendum) on the effective date of the transfer. Prior to transferring Data to a country outside the EEA ("Third Country"), Moveo shall document and, on request, provide to Customer its transfer impact assessment in accordance with the EDPB Recommendations and shall implement any additional supplementary measures required to ensure "essentially equivalent" protection. Moveo shall (i) **promptly notify Customer (in any event within 24 hours)** if Moveo is, or is likely to become, unable to comply with its legal or contractual obligations related to international transfers under EU Data Protection Law; and (ii) at Customer's option, suspend the applicable transfers of Data **or allow Customer to terminate the Agreement without penalty and receive a pro-rated refund of pre-paid fees** .

Security: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Moveo shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (in accordance with Applicable Data Protection Law) to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a "Security Breach").

Subprocessing: Customer consents to Moveo engaging subprocessors to process the Data for the Permitted Purpose *provided that: (i) Moveo updates the Subprocessor List at least 30 days before authorising a new subprocessor (except where a shorter period is necessary due to an emergency, in which case notice shall be given as soon as reasonably practicable) and provides Customer with a mechanism to subscribe to such updates; (ii) Customer may object in writing to any new subprocessor on reasonable data-protection grounds within that 30-day period. In the event of an objection the Parties shall, acting in good faith, discuss a commercially reasonable resolution; pending such resolution Moveo shall not permit the subprocessor to process the Data. If the Parties cannot reach agreement within 15 days, Customer may suspend or terminate the Agreement and shall be entitled to a refund of any prepaid fees for the unexpired portion of the term. Moveo shall impose data-protection terms on each subprocessor that are no less protective than those set out in this Addendum and shall remain fully liable for the acts and omissions of any subprocessor. A current list of approved subprocessors is attached as 'Attachment A – List of Subprocessors' .

Cooperation and Data Subjects' Rights: Taking into account the nature of the processing, Moveo shall provide reasonable and timely assistance to Customer to enable Customer to: (i) respond to any request from a data subject to exercise its rights under Applicable Data Protection Law; and (ii) respond to any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. **Unless a request is manifestly unfounded or excessive, Moveo shall bear its own costs in providing such assistance. ** In the event that any such request, correspondence, enquiry or complaint is made directly to Moveo, Moveo shall promptly (and in any event within 48 hours) inform Customer and shall not respond to the requester except on Customer’s documented instructions, unless otherwise required by law.

Assessment, Consultation and Assistance: Taking into account the nature of the processing, Moveo shall provide Customer with reasonable cooperation to enable Customer to: (i) conduct any data-protection or transfer impact assessments that it is required to undertake under Applicable Data Protection Law; and (ii) consult competent supervisory authorities where required. Moveo shall bear its own internal costs of providing such cooperation; any additional, extraordinary out-of-pocket expenses shall be agreed in advance in writing by Customer.

Security Breaches: If Moveo becomes aware of a Security Breach it shall (i) **notify Customer without undue delay and, in any event, within 24 hours** of becoming aware of the Security Breach; (ii) provide Customer with such information as Customer may reasonably require to comply with its data-breach reporting obligations under Applicable Data Protection Law; and (iii) take all reasonably necessary measures and actions to mitigate the effects of the Security Breach and to prevent a recurrence. Moveo shall keep Customer informed of all material developments in connection with the breach. Where the Security Breach impacts a subprocessor, Moveo shall remain the primary point of contact for Customer and shall ensure that any notifications from the subprocessor are promptly forwarded to Customer. **Any costs reasonably incurred by Customer in mitigating the adverse effects of a Security Breach caused by Moveo or its subprocessors shall be reimbursed by Moveo. **

Deletion or Return of Data: Following termination or expiry of the Agreement, Customer shall have **ninety (90)** days to export its Data from the Software and, after such time has passed, Moveo shall irreversibly delete or return (at Customer's option) all Data in its possession or control and certify such deletion in writing within 10 business days of completion. This requirement shall not apply to the extent that: (i) Moveo is required by applicable law to retain some or all of the Data (in which case Moveo shall notify Customer of the legal requirement and shall continue to protect the Data in accordance with this Addendum and delete it promptly once the requirement ceases); or (ii) Data is archived on Moveo's back-up systems, provided that such Data is isolated from any further processing and is deleted within 180 days of the effective date of termination.

Review & Audit: Moveo shall deal promptly and adequately with any enquiries from the Customer about the processing of Data in accordance with this Data Processing Addendum and make available all information reasonably necessary to demonstrate compliance ("Review"). Where, following a Review, Customer reasonably requires an on-site or remote audit ("Audit"), Moveo shall permit and contribute to such Audit on at least **thirty (30)** days' notice, no more than once per calendar year **or at any time following: (a) a Security Breach; (b) a material breach of this Addendum; or (c) a request from a competent supervisory authority. ** Moveo shall bear its own costs of facilitating the Audit and shall not charge Customer any fee for exercising its Audit rights. The scope of the Audit shall be limited to documents and records necessary to verify compliance and shall be subject to reasonable confidentiality obligations. Remote audits shall be used where possible; on-site audits shall occur only if reasonably required.

Transparency Reports: Moveo will not disclose or provide access to any Data to any public authorities unless required by law. Where the Data impacted by the request is governed by EU Data Protection Law, Moveo commits to (i) reviewing the legality of the public authority's data requests and to challenging them where lawful and appropriate; and (il) where the Legal Request is incompatible with Art. 46 of the GDPR, to inform the public authority of the same.