Mersive – Customer Data Processing Addendum

Updated: January 2, 2024

This Data Processing Addendum (“DPA”) is entered into as of the date last signed below (the “Effective Date”) by and between Mersive Technologies, Inc., headquartered at 1667 Cole Boulevard, Suite 225, Lakewood, Colorado, 80401 (“Mersive”), and the undersigned company below placing an order for or accessing any Mersive Services (“Customer”). This DPA forms part of, and is subject to, Mersive’s Terms of Service or other written agreement covering the same subject matter executed by Mersive (“Agreement”). Mersive and Customer may be referred to in this DPA individually as a “party” and collectively as the “parties.” Capitalized terms not specifically defined in this DPA will have the same meaning as in the Agreement.

1. Scope and Applicability of this DPA.

This DPA applies where and only to the extent that Mersive Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the Services.

2. Roles of the Parties.

As between the parties, Mersive acts as a Data Processor and Customer acts as a Data Controller of Customer Personal Data. Mersive will process Customer Personal Data only as a Data Processor on behalf of Customer, and with respect to the CCPA, as a “service provider” as defined therein.

3. Customer Instructions.

Mersive will process Customer Personal Data solely to provide the Services in accordance with the Agreement, or as otherwise required by applicable law. If Customer provides other documented instructions (whether in written or electronic form) in accordance with the Agreement, Customer shall ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate Data Protection Laws. The parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Mersive for the Processing of Customer Personal Data. If Mersive is required by applicable law or any supervisory authority to Process Customer Personal Data other than in accordance with the Agreement or other documented instructions of Customer, Mersive will inform Customer of that legal requirement prior to such Processing, unless prohibited by applicable law.

4. Customer’s Processing Obligations.

Customer agrees that it: (i) will comply with its obligations under Data Protection Laws with respect to its Processing of Customer Personal Data; (ii) will make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data; and (iii) has obtained all consents, permissions, and rights necessary under Data Protection Laws for Mersive to lawfully Process Customer Personal Data in accordance with the Agreement.

5. Compliance with Laws.

To the extent Mersive Processes Customer Personal Data on Customer’s behalf, Mersive will comply with all Data Protection Laws applicable to Mersive as a Data Processor Processing such Customer Personal Data.

6. Sub-Processors.

Customer agrees that Mersive may use Sub-Processors to Process Customer Personal Data for purposes of providing the Services to Customer, provided that Mersive will impose on its Sub-Processors data protection obligations that are at least as protective of Customer Personal Data as those set forth in this DPA. Mersive will be liable for the acts or omissions of its Sub-Processors to the same extent as if the acts or omissions were performed by Mersive. Information about Mersive sub-processors can be found here.

7. Changes to Sub-Processors.

Mersive will notify Customer of any new Sub-Processor by posting an updated list of Sub-Processors on its website, at least fourteen (14) days before authorizing any new Sub-Processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, Customer may object in writing to Mersive’s appointment of the new Sub-Processor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss Customer’s concerns in good faith to seek resolution. If Customer can reasonably demonstrate that the new Sub-Processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Mersive cannot provide an alternative Sub-Processor, or the parties are not otherwise able to achieve resolution, Customer, as its sole and exclusive remedy, may terminate the Order Form(s) only with respect to those portions of the Services which cannot be provided by Mersive without the use of the new Sub-Processor by providing written notice to Mersive, and then (1) Customer shall pay all amounts due for the Service up to the effective date of termination, and/or (2) Customer will receive a prorated refund of amounts pre-paid to Mersive for Customer’s use of the Service for the remainder of the Subscription Term.

8. Security.

Mersive will implement reasonable technical and organizational safeguards designed to protect Customer Personal Data in its possession or control against unauthorized loss, destruction, alteration, access, or disclosure, in accordance with the Mersive Security Policy. Mersive may modify such safeguards from time to time, provided that such modifications will not materially reduce the overall level of protection for Customer Personal Data.

9. Data Transfers.

9.1 Hosting Regions.

Mersive will only host Customer Personal Data in the region(s) offered by Mersive and as configured for Customer via the Services (the “Hosting Region”). Customer is solely responsible for the Hosting Regions from which its Users access the Customer Personal Data, for any transfer or sharing of Customer Personal Data by Customer or its Users, and for any subsequent designation of other Hosting Regions (either for the same account, a different account, or a separate Service). Once Customer has selected a Hosting Region, Mersive will not Process Customer Personal Data from outside the Hosting Region except as reasonably necessary to provide the Services procured by Customer, or as necessary to comply with the law or binding order of a governmental body.

9.2 Standard Contractual Clauses.

To the extent Customer transfers Customer Personal Data from the EEA to Mersive in a country outside of the EEA that has not been deemed by the European Commission to provide an adequate level of data protection, the Standard Contractual Clauses, as pre-populated by Mersive in Exhibit A, will govern such transfer. The Standard Contractual Clauses will not apply to Customer Data that is not transferred outside the EEA. The parties agree that the certifications or reports provided in Section 11 (“Audits and Inspections”) below will be used to satisfy any applicable audit rights under the Standard Contractual Clauses. For avoidance of doubt, nothing in this DPA modifies or amends the Standard Contractual Clauses.

10. Security Incident.

If Mersive discovers a Security Incident has occurred, Mersive will notify Customer promptly unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Such notification will provide information about the nature and likely consequences of the Security Incident and how to request additional information if required. In addition to providing such notification, Mersive will promptly take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident.

11. Audits and Inspections.

Mersive uses external auditors to verify the adequacy of its security measures, including the security of the physical facilities from which Mersive provides the Services. This audit: (i) will be performed at least annually; (ii) will be performed according to ISO 27001 and/or SSAE 18 standards or substantially equivalent alternative standards; (iii) will be performed by independent third-party security professionals at Mersive’s selection and expense; and (iv) will result in the generation of a SOC 2 audit report (“Audit Report”), which will be Mersive’s Confidential Information. At Customer’s written request, and provided that the parties have applicable confidentiality terms in place, Mersive will provide Customer with a copy of the Audit Report so that Customer can reasonably verify Mersive’s compliance with its obligations under this DPA. Customer agrees that the Audit Report, together with any third-party certification (e.g., ISO 27001) maintained by Mersive, will be used to satisfy any audit or inspection requests by or on behalf of Customer and to demonstrate compliance with applicable obligations of Mersive as set forth in this DPA.

12. Data Subject Requests.

To the extent legally permitted, Mersive shall promptly notify Customer if Mersive receives a request from a Data Subject that identifies Customer and seeks to exercise the Data Subject’s right to access, rectify, erase, transfer or port Customer Personal Data, or to restrict the Processing of Customer Personal Data (“Data Subject Request”). The Service provides Customer with a number of controls that Customer may use to assist it in responding to a Data Subject Request, and Customer will be responsible for responding to any such Data Subject Request. Customer understands that Mersive does not have access to Customer Data sufficient to respond to such Data Subject Requests.

13. Term and Termination.

This DPA will expire on the earlier of: (i) an authorized termination in accordance with this DPA; (ii) the natural expiration or termination of the Agreement; or (iii) the execution of an updated DPA that supersedes this DPA. Either party may immediately terminate this DPA and the Agreement if the other party materially breaches any provision of this DPA and fails to cure such breach within 30 days from the date of such party’s written notice to the other party.

14. Return or Destruction.

Upon termination or expiration of the Agreement for any reason, (i) Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement, and (ii) Mersive may delete all Customer Personal Data as set forth in the Agreement, unless otherwise required by applicable law.

15. No Assignment.

This DPA will inure to the benefit of each party’s permitted successors and assigns. Except in connection with a merger, acquisition, or sale of all or substantially all of a party’s assets or voting securities, neither party may assign this DPA without the advance written consent of the other party. Any other transfer or assignment of this DPA except as expressly authorized under this Section will be null and void.

16. Interpretation.

It is the parties’ intent that any ambiguity under this DPA will be interpreted consistently with the intent to comply with applicable laws, including without limitation, Data Protection Laws.

17. Miscellaneous.

This DPA and the Agreement are the entire agreement between Mersive and Customer and supersede all previous written and oral communications between the parties with respect to the subject matter hereof. The parties agree that this DPA shall replace and supersede any existing data processing addendum that the parties may have previously entered into in connection with the Services. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. This DPA may only be amended in a writing signed by duly authorized representatives of the parties. If any provision of this DPA is held to be invalid or unenforceable, that provision will be limited to the minimum extent necessary so that this DPA will otherwise remain in effect. Any waiver or failure to enforce any provision of this DPA on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. This DPA may be executed in the original or other electronic means in any number of counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement. Nothing in this DPA is intended to create an agency relationship between the parties.

18. Priority of Terms.

To the extent there is a conflict between the Agreement and the terms of this DPA, the terms of this DPA will prevail in connection with the Processing of Customer Personal Data. Notwithstanding the foregoing, and solely to the extent applicable to any Customer Personal Data comprised of patient, medical or other protected health information regulated by HIPAA or any similar U.S. federal or state health care laws, rules or regulations (“HIPAA Data”), if there is any conflict between this DPA and the BAA, then the BAA shall prevail solely with respect to such HIPAA Data.

19. Definitions.

Capitalized terms not specifically defined in this DPA will have the same meaning as in the Agreement.

“BAA” means a business associate agreement as made available by Mersive on its website and executed by the parties, if applicable.

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq.

“Customer Data” means any information, in any form, format or media (including paper, electronic and other records), which Customer uploads or submits, as applicable, to Mersive to Process on its behalf as a Data Processor in performing the Services.

“Customer Personal Data” means Customer Data relating to an identified or identifiable natural person.

“Data Controller” means an entity which, alone or jointly with others, determines the purposes and means of Processing of Customer Personal Data.

“Data Processor” means an entity which Processes Customer Personal Data on behalf of the Data Controller.

“Data Protection Laws” means all privacy or data protection laws applicable to the Processing of Customer Personal Data under the Agreement or this DPA, including, where applicable, EU Data Protection Laws and the CCPA.

“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

“EEA” means the European Economic Area.

“EU Data Protection Laws” means the European Union (“EU”) General Data Protection Regulation (“GDPR”) and EU Member State data protection laws implementing or supplementing the GDPR.

“Processing” means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process,” “Processes,” and “Processed” will be interpreted accordingly.

“Security Incident” means a breach of security of the Services leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in the possession or control of Mersive.

“Services” means the services provided by Mersive as set forth in the Agreement. Services may include Mersive’s software-as-a-service offerings which a Customer purchases as a subscription for a defined term (“SaaS Services”) and/or Mersive’s generally available technical support and maintenance services (“Support Services”), as may be further specified in the applicable Order.

“Standard Contractual Clauses” means the EU Standard Contractual Clauses (Controller to Processor) as made available by the Publications Office of the European Union.

“Sub-Processor” means any third-party Data Processor engaged by Mersive or its Affiliates to Process Customer Personal Data.

EXHIBIT A STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection:

The entity identified as “Customer” in the service order Agreement,

(the “data exporter”)

and

1667 Cole Blvd., Suite 225,

Lakewood Colorado, 80401

(the “data importer”)

each a “party” and together “the parties,”

HAVE AGREED on the Contractual Clauses (the Clauses) in order to evidence adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed by the parties.

Data Exporter:

The data exporter is the entity identified as “Customer” in the DPA, which uses the Service as described in a written agreement with Mersive.

Data Importer:

The data importer is Mersive Technologies, Inc., a US headquartered company (“Mersive”). Mersive provides cloud software-as-a-service.

Data Subjects:

The data exporter decides what data to upload or process through the Service. Such data potentially may include personal data concerning the data exporter’s personnel or other individuals with whom the data exporter interacts in the course of its business.

Categories of Data:

The data exporter decides what data to upload or process through the Service. Such data potentially may include personal data such as contact information (such as name and email), and other data regarding the data exporter and/or its personnel or other individuals with whom the data exporter interacts in the course of its business.

Processing Activities:

To the extent Mersive engages in processing of personal data, such processing would be for purposes of providing the applicable Services and in accordance with Mersive’s agreement with the data exporter.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please refer to the Mersive Security Policy.