DATA PROCESSING ADDENDUM

This Data Processing Addendum together with its Attachment 1 (“DPA”) forms part of the Terms and Conditions between Customer (“Customer” shall mean the entity or entity’s Affiliates bound by the Agreement) and Monte Carlo, or other written or electronic agreement between Monte Carlo and Customer, for the licensing of access to and use of the Service from Monte Carlo (the “Agreement”) to reflect the parties’ agreement with regards to Data Protection Laws and Regulations and US State Privacy Laws (as defined below).

1. DEFINITIONS

Any capitalized terms not defined herein shall have the meaning given to that term in the Agreement, US State Privacy Laws, or Data Protection Laws and Regulations.

“CCPA” means the California Consumer Privacy Act of 2018, (Cal. Civ. Code §§ 1798.100 to 1798.199), to include the California Privacy Rights Act of 2020, and any related regulations provided by the California Attorney General, all of which as may be amended or superseded from time to time.

“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Privacy Framework” or “DPF” means the program developed pursuant to the EU Commission Implementing Decision of 10 July 2023 under Regulation (EU) 2016/679 of the European Parliament and of the Council, by and between the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration, to provide a lawful mechanism for the transfer of personal data to the United States from the European Union, United Kingdom and Switzerland, as described in more detail at https://www.dataprivacyframework.gov/s/. As used herein the terms Data Privacy Framework and DPF include the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.

“Data Protection Laws and Regulations” means the laws and regulations applicable to the Processing of Personal Data with the Service under the Agreement, including but not limited to the: (i) EU General Data Protection Regulation (“EU GDPR”), laws and regulations of the European Union, the European Economic Area (“EEA”) and their member states; (ii) Data Protection Act of 2018 and EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) the Swiss Federal Act on Data Protection (“FADP”).

“Data Subject” means the individual to whom Personal Data relates.

“Monte Carlo” means Monte Carlo Data, Inc.

“Personal Data” means any information submitted to the Service that (i) identifies, relates to, describes, is capable of being associated with (a) an identified or identifiable person or, (b) an identified or identifiable legal entity (where protected under applicable Data Protection Laws and Regulations); and (ii), is otherwise considered Personal Data pursuant to applicable Data Protection Laws and Regulations (including equivalent terms).

“Processing” shall have the meaning set forth under applicable Data Protection Laws and Regulations (including equivalent terms) including, without limitation, any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Service” means as defined in the Agreement or the software-as-a-service applications provided by Monte Carlo to which Customer is licensed or otherwise authorized to access.

“Sell” and “Share” each have the meaning set forth under applicable US State Privacy Laws.

“Standard Contractual Clauses” means, when applicable, the applicable module(s) of the standard contractual clauses for international transfers of personal data to third countries annexed to the European Commission’s implementing decision 2021/914 of 4 June 2021, or any subsequent versions of such standard contractual clauses that may be adopted by the European Commission from time to time. Upon the effective date of adoption of any revised standard contractual clauses by the European Commission, all references in this DPA to the “Standard Contractual Clauses” shall refer to that latest version thereof.

“Subprocessor” means any third party appointed by or on behalf of Monte Carlo to Process Personal Data in connection with the Service.

“US State Privacy Laws” means applicable United States (US) state laws, orders, regulations and regulatory guidance relating to the Processing of Personal Data including without limitation: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; (e) the Utah Consumer Privacy Act; and (f) all similar state laws.

2. PROCESSING OF PERSONAL DATA
    1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller and Monte Carlo is a Data Processor.
    2. Customer’s Responsibilities. Customer shall, in Customer’s use of the Service, submit or make available Personal Data to Monte Carlo for Processing in accordance with the requirements of Data Protection Laws and Regulations, and Customer’s instructions to Monte Carlo for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the initial accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Without limiting the foregoing, Company shall secure any and all necessary authorizations, consents, permissions, or licenses to permit Monte Carlo to Process Personal Data in accordance with Customer’s instructions, and shall notify Monte Carlo in writing of any restriction to the Processing of Personal Data Customer has agreed to or is required to abide by in accordance with applicable law, to the extent such restriction may affect Monte Carlo’s Processing of Personal Data.
    3. Customer’s Instructions. Monte Carlo shall only Process Personal Data on behalf of and in accordance with Data Protection Laws and Regulations, Customer’s instructions (including as is necessary to provide the Service to Customer under the Agreement), and shall treat Personal Data as Confidential Information. Customer instructs Monte Carlo to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s), including to provide you the Service; (ii) Processing initiated by users of the Service (“Users”); and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email). Monte Carlo will notify Customer upon becoming aware and if in Monte Carlo’s reasonable judgement that Customer’s instruction violates Data Protection Laws and Regulations.
    4. US State Privacy Laws. The parties agree that Monte Carlo is a “Service Provider” or “Processor” as such terms are defined under applicable US State Privacy Laws. Accordingly, to the extent US State Privacy Laws apply to the Processing of Personal Data by Monte Carlo, Monte Carlo shall not (a) retain, use, or disclose any Personal Data outside the direct business relationship between Monte Carlo and Customer, or for any purpose other than for the “Contracted Business Purpose,” as set out in Annex 1 to Attachment 1 hereto, and Monte Carlo shall only Process Personal Data only as long as it provides Service to Customer; (b) Sell any Company Personal Data; (c) Share any Personal Data; or (d) combine the Personal Data that Monte Carlo receives from, or on behalf of, Customer with “personal data” (as such term or equivalent is defined under applicable Data Protection Laws and Regulations) that it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, provided that Monte Carlo may combine Personal Data if it is within the scope of providing the Services to Customer. Where applicable, each party shall notify the other party if it makes a determination that it can no longer meet its obligations under US State Privacy Laws.
    5. Aggregated Data. Notwithstanding the foregoing, where permitted by applicable Data Protection Laws and Regulations, Monte Carlo may aggregate, deidentify, and/or anonymize Personal Data, so it no longer meets the definition of Personal Data, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes. Monte Carlo will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized Personal Data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.
3. RIGHTS OF DATA SUBJECTS
    1. Correction, Blocking, and Deletion. To the extent Customer, in Customer’s use of the Service, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, Monte Carlo shall reasonably assist Customer in facilitating such actions, at Customer’s expense, to the extent Monte Carlo is legally permitted to do so.
    2. Data Subject Requests. Monte Carlo shall, to the extent legally permitted, promptly notify Customer if Monte Carlo receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Unless otherwise legally required, Monte Carlo shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Monte Carlo shall reasonably cooperate and assist in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, at Customer’s expense, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through use of the Service.
4. MONTE CARLO PERSONNEL
    1. Confidentiality. Monte Carlo shall take reasonable actions to ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Monte Carlo shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
    2. Limitation of Access. Monte Carlo shall take reasonable actions to ensure that Monte Carlo’s access to Personal Data is limited to those personnel who require such access to perform under the Agreement.
5. SECURITY. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Monte Carlo shall implement reasonable technical and organizational security measures (“TOSMs”) designed to ensure a level of security appropriate to the risk. The current TOSMs are described at: https://www.montecarlodata.com/technical-and-organizational-security-measures/ unless agreed to otherwise in the Agreement. Monte Carlo regularly monitors compliance with these safeguards. Monte Carlo may update these technical and organizational measures from time to time, but will not materially decrease the overall security of the Service.
6. SECURITY BREACH MANAGEMENT AND NOTIFICATION. Monte Carlo maintains security incident management policies and procedures and shall, to the extent permitted by law, without undue delay, and in any event within 72 hours of becoming aware, notify Customer of any actual or reasonably suspected unauthorized access, use, modification, or disclosure of Personal Data, by Monte Carlo or its Subprocessors (a “Security Breach”). Monte Carlo shall make reasonable efforts to identify and take all reasonable steps to remediate the cause of such Security Breach.
7. ADDITIONAL TERMS
    1. Data Transfer Mechanism. Where the transfer of Personal Data is from the EEA, United Kingdom or Switzerland to the United States or a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Personal Data according to Data Protection Laws and Regulations, Monte Carlo agrees to process that Personal Data in compliance with the provisions set out in Attachment 1 below, which forms an integral part of this DPA.
    2. Objective and Duration. The objective of Processing of Personal Data by Monte Carlo is the provision of the Service pursuant to the Agreement for the term(s) of the Agreement.
    3. Subprocessors. Pursuant to this DPA and the Standard Contractual Clauses, Customer acknowledges and expressly agrees that: (a) Monte Carlo’s Affiliates may be retained as Subprocessors; and (b) Monte Carlo and Monte Carlo’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Service or support services.
        1. Liability. Monte Carlo shall be liable for the acts and omissions of its Subprocessors to the same extent Monte Carlo would be liable if performing the services of each Subprocessor directly.
        2. List of Current Subprocessors and Notification of New Subprocessors. A list of current Subprocessors for the Service is available upon request and Customer agrees to Monte Carlo’s use of the listed Subprocessors in Attachment 1 as of the execution of this DPA. Monte Carlo shall notify Customer if it adds or replaces any Subprocessors prior to any such changes if Customer subscribes to such notifications by sending an email to privacy@montecarlodata.com with the subject line “Subprocessor Notification Request” (or by other means established by Monte Carlo and communicated to Customer from time to time). This notification process is Monte Carlo’s only responsibility for notifying Customer of a new Subprocessor.
        3. Objection to Subprocessors. Customer may object in writing to Monte Carlo’s appointment of a new Subprocessor on reasonable grounds relating to data protection (e.g. if making Personal Data available to the Subprocessor may violate applicable Data Protection Laws) by notifying Monte Carlo promptly in writing within fifteen (15) calendar days of receipt of Monte Carlo’s notice in accordance with Section 7.3.2 above. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If no such resolution can be reached, Monte Carlo will, at its sole discretion, either not appoint that proposed Subprocessor, or permit Customer in writing to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
        4. Subprocessor Agreements. Monte Carlo or a Monte Carlo Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this Agreement to the extent applicable to the nature of the services provided by such Subprocessor.
    4. Audits and Certifications. The parties agree that the audits described in the Standard Contractual Clauses and otherwise required by Applicable Data Protection Laws and Regulations shall be carried out in accordance with the following specifications:
        1. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Monte Carlo shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Monte Carlo) information demonstrating Monte Carlo’s compliance with the obligations set forth in this DPA in the form of the certifications and audit reports for the Service. Examples of potentially relevant certifications and audit reports include: SOC 2, SOC 3; ISO 27001; ISO 27701, Binding Corporate Rules; APEC Cross Border Privacy Rules System; EU-U.S. and Swiss-U.S. Privacy Shields; industry codes of conduct or their successor. In the event Customer does not find the certifications and audit reports suitable, Monte Carlo will make its applicable premises and personnel available to Customer for audit upon request but no more than once annually and at Customer’s cost. Before the commencement of any such audit, Customer and Monte Carlo shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Monte Carlo. Customer shall promptly notify Monte Carlo with information regarding any non-compliance discovered during the course of an audit and all findings during the audit shall be considered confidential information between Customer and Monte Carlo except as expressly required otherwise by Data Protection Laws and Regulations. If material non-compliance is discovered during Customer’s audit, Monte Carlo shall bear the costs.
    5. Return and Deletion of Personal Data. Where applicable based on the Service, Monte Carlo will return and delete Personal Data in accordance with the Agreement. Customer is responsible for the correction, amendment, blocking or deleting of Personal Data within its control within the Service.
    6. Privacy Impact Assessment and Prior Consultation. To the extent Monte Carlo is required under Data Protection Laws and Regulations, Monte Carlo will provide reasonably requested information regarding Monte Carlo’s processing of Customer Data under the Agreement, to the extent Customer does not otherwise have access to the relevant information and to the extent that such information is available to Monte Carlo, to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.
8. OTHER
    1. This DPA and liability or remedies arising herefrom are subject to any and all limitations on liability and disclaimers of types of damages in the Agreement, including but not limited to Section 8 of the Agreement. This DPA automatically terminates upon termination or expiration of the Agreement.
    2. Notices under the DPA and the Standard Contractual Clauses shall be in accordance with the Agreement.
 

ATTACHMENT 1

CROSS BORDER DATA TRANSFERS
1. Transfer Mechanisms. Monte Carlo complies with the Data Privacy Framework as set forth by the U.S. Department of Commerce and has certified to the U.S. Department of Commerce that it adheres to the DPF principles. For transfers of personal data from the EEA, United Kingdom, or Switzerland to the United States, Monte Carlo agrees to process such personal data in accordance with the DPF and to maintain its certification of compliance with the DPF during the term of the Agreement. Monte Carlo will provide prompt notice to Customer if it withdraws from the DPF. If the DPF is invalidated as a lawful transfer mechanism of personal data to the United States, or if a transfer of personal data from the EEA, United Kingdom, or Switzerland is to a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Personal Data according to Data Protection Laws and Regulations, Monte Carlo agrees to process such Personal Data in compliance with the Standard Contractual Clauses as detailed in Section 2 below.
2. Incorporation of the Standard Contractual Clauses.
    1. When the Standard Contractual Clauses are the applicable transfer mechanism in accordance with Section 1 above, the parties agree that the obligations and rights of the Standard Contractual Clauses shall be incorporated into the DPA and that:
      1. Clause 7 [Docking Clause] will not apply.
      2. In Clause 9(a), Option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 7.3 of the DPA.
      3. In Clause 11(a) [Redress], the optional language will not apply.
      4. In Clause 17 [Governing Law], Option 1 will apply and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland.
      5. In Clause 18(b) [Choice of Forum and Jurisdiction], disputes will be resolved before the courts of the Republic of Ireland.
    2. For purposes of Annex I, Part A of the Standard Contractual Clauses (List of Parties):
      1. Data Exporter: Customer
        • Contact details: Customer’s account owner email address as shown on the applicable Order Form.
        • Data Exporter Role: Data Exporter’s role is outlined in Section 2 of the DPA.
        • Signature and Date: By entering into the Agreement and/or DPA, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 2 of this Schedule 1 to the DPA, as of the effective date of the Agreement and/or DPA.
      2. Data Importer: Monte Carlo Data, Inc.
        • Contact details: Monte Carlo’s Head of Security & Compliance at privacy@montecarlodata.com.
        • Data Importer Role: Data Exporter’s role is outlined in Section 2 of the DPA.
        • Signature and Date: By entering into the Agreement and/or DPA, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 2 of this Schedule 1 to the DPA, as of the effective date of the Agreement and/or DPA.

3. For purposes of Annex I, Part B of the Standard Contractual Clauses (Description of Transfer):

Monte Carlo primarily collects metadata, logs, and metrics for the purpose of identifying data reliability issues. However, Monte Carlo acknowledges that, in the course of the performance of the Service, it may collect and process personal data as part of query logs, dimension tracking, or data sampling, which are passed to it from Customer’s data infrastructure environment or through other search functionality that Customer initiates within the Monte Carlo platform (collectively, the “Contracted Business Purpose.”). To the extent that any such personal data is passed to Monte Carlo, Monte Carlo processes and utilizes such data only for the sole purpose of identifying back to Customer data reliability issues and recommendations for resolution of such issues, and not for any other purpose.

Categories of data subjects whose personal data may be processed

          • Prospects, customers, business partners and vendors of Controller (who are natural persons)
          • Employees or contact persons of Controller’s prospects, customers, business partners and vendors
          • Employees, agents, advisors, freelancers of Controller (who are natural persons)
          • Controller’s Users authorized by Controller to use the Service

Categories of personal data which may be processed

          • First and last name
          • Title
          • Position
          • Employer
          • Contact information (company, email, phone, physical business address)
          • ID data
          • professional life data
          • personal life data
          • connection data
          • localization data
          • contract data

Sensitive data which may be processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Controller may submit special categories of data to the Service, the extent of which is solely determined and controlled by the Controller in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of data concerning health or sex life.

Nature of the processing

The objective of any Processing of Personal Data by Processor is the performance of the Service pursuant to the Agreement and as described in the first paragraph of this Section.

Purpose(s) for which the personal data may be processed on behalf of the controller

The objective of any Processing of Personal Data by Processor is the performance of the Service pursuant to the Agreement and as described in the first paragraph of this Section 2.3.

Duration of the processing

As described in the Agreement.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

Same as above.

4. For purposes of Annex I, Part C of the Standard Contractual Clauses (Competent Supervisory Authority), the competent supervisory authority/ies shall be determined in accordance with EU GDPR and Clause 13 of the Standard Contractual Clauses.

5. Sections 5 and 7.3.4 of the DPA contain the information required under Annex II of the Standard Contractual Clauses (Technical and Organizational Measures). Unless otherwise agreed to in the Agreement, Monte Carlo’s applicable Technical and Organizational Measures are described at: https://www.montecarlodata.com/technical-and-organizational-security-measures/.

6. For purposes of Annex III of the Standard Contractual Clauses (List of Sub-Processors):

The controller has authorised the use of the following sub-processors:

1. Amazon Web Services

Address: 410 Terry Avenue North, Seattle, WA 98109-5210

Contact person’s name, position and contact details: We do not have a dedicated person at AWS. Rather, we log into Monte Carlo’s AWS account and open support request ticket and we get a contact person assigned OR we fill out the form located at https://aws.amazon.com/contact-us/compliance-support/.

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Hosting of data

2. Snowflake

Address: 450 Concar Drive, San Mateo, CA 94402

Contact person’s name, position and contact details: Tel: (844) 766-9355 Email: privacy@snowflake.com

Also, we can log in and open a support request ticket and get a contact person assigned.

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data storage, processing, and analytics

3. Databricks

Address: 160 Spear Street, 13th Floor, San Francisco, CA 94105

Contact person’s name, position and contact details: Tel: 1-866-330-0121 Email: privacy@databricks.com

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data storage, processing, and analytics

7. To the greatest extent permitted under Data Protection Laws and Regulations, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.

3. Transfers of Personal Data Protected by UK GDPR. With respect to transfers of Personal Data protected by UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under S119A(1) Data Protection Act 2018 (“UK Addendum”), shall apply and be incorporated by reference into the DPA, with Part 1: Tables completed in accordance with the applicable stipulations in Section 2 of this Attachment 1. Either data exporter or data importer may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the parties to amend the DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the parties are unable to come to agreement. To the extent of any conflict between Section 2 of this Attachment 1 and any mandatory clauses of the UK Addendum, the UK Addendum shall govern to the extent UK GDPR applies to the transfer.
4. Transfers of Personal Data Protected by FADP.
    1. With respect to transfers of Personal Data protected by FADP, the Standard Contractual Clauses will apply in accordance with Section 2 above, with the following modifications:
      1. any references in the Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to FADP;
      2. references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
      3. references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.