Data Processing Addendum

Version date: May 1, 2025

ARTICLE 1. SCOPE, PURPOSE, AND INCORPORATION

1.1 Parties and Relationship. Bridge AI Technologies, Inc. ("Provider" or "Processor") and the entity identified as the customer in the applicable Order Form ("Customer" or "Controller") have entered into the Master Software and Services Agreement dated ___________ (the "MSA"), pursuant to which Provider provides access to the Memvid Platform and related Professional Services. In the course of performing its obligations under the MSA, Provider may process Personal Data on behalf of Customer. The Parties enter into this Data Processing Addendum ("DPA") to govern such processing and to satisfy the requirements of applicable Data Protection Laws, including the contractual requirements imposed upon controllers and processors under 6 Del. C. § 12D-107 of the Delaware Personal Data Privacy Act.

1.2 Incorporation. The DPA is incorporated into and forms an integral part of the MSA. Capitalized terms used but not defined in this DPA shall have the meanings ascribed to them in the MSA. In the event of any conflict between the terms of this DPA and the terms of the MSA, the terms of this DPA shall prevail with respect to the processing of Personal Data.

1.3 Applicability. The DPA applies to all processing of Personal Data performed by Provider on behalf of Customer in connection with the MSA, any Order Form, or any SOW. Where Customer's use of the Platform does not involve the processing of Personal Data (as defined herein), the obligations of this DPA shall not apply to such use.

1.4 Regulatory Framework. The Parties acknowledge that the processing of Personal Data under this DPA may be subject to one or more of the following Data Protection Laws (as defined below), depending on the nature of the data, the identities and locations of the data subjects, and the geographic scope of Customer's operations. The obligations set forth in this DPA are intended to satisfy the contractual requirements imposed by all applicable Data Protection Laws, and the Parties shall cooperate in good faith to implement any additional measures necessary to achieve compliance.

ARTICLE 2. DEFINITIONS

For the purposes of this DPA, the following terms shall have the meanings set forth below. Where a term defined below overlaps with or parallels a term defined under applicable Data Protection Law, the definition that affords the greater degree of protection to data subjects shall apply.

2.1 "Applicable Data Protection Law(s)" or "Data Protection Laws" means all laws, regulations, rules, and binding guidance relating to the processing, privacy, protection, security, or confidentiality of Personal Data that apply to a Party's performance under the MSA and this DPA, as such laws may be amended, superseded, or supplemented from time to time. Without limiting the generality of the foregoing, the term includes, to the extent applicable:

(a) The Delaware Personal Data Privacy Act, 6 Del. C. Ch. 12D ("DPDPA");

(b) The Delaware Computer Security Breaches statute, 6 Del. C. Ch. 12B;

(c) The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.100 et seq. ("CCPA/CPRA");

(d) The Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.;

(e) The Colorado Privacy Act, C.R.S. § 6-1-1301 et seq.;

(f) The Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq.;

(g) The Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.001 et seq.;

(h) Any other state, federal, or local law or regulation of the United States relating to the processing or protection of Personal Data that applies to either Party's performance under the MSA;

(i) To the extent that Customer's operations bring Customer within the scope of the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), or the United Kingdom General Data Protection Regulation ("UK GDPR"), such regulations and their implementing legislation; and

(j) All binding regulatory guidance, orders, decisions, and interpretive opinions issued under any of the foregoing.

2.2 "Consumer Rights Request" means a verifiable request from a data subject (or an authorized agent acting on the data subject's behalf) to exercise rights conferred under applicable Data Protection Laws, including, without limitation, rights of access, correction, deletion, data portability, opt-out of sale or targeted advertising, and opt-out of profiling.

2.3 "Controller" means the Party that, alone or jointly with others, determines the purposes and means of processing Personal Data. For purposes of this DPA, Customer acts as Controller with respect to Personal Data processed by Provider on Customer's behalf through the Platform.

2.4 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

2.5 "De-identified Data" means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person, and with respect to which the holder has taken reasonable measures to ensure the data cannot be associated with an individual, has publicly committed to process the data only in de-identified fashion, and has contractually obligated any recipients to comply with applicable Data Protection Laws, consistent with 6 Del. C. § 12D-102(12).

2.6 "Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable natural person, as defined under applicable Data Protection Laws, including 6 Del. C. § 12D-102(23). Personal Data does not include De-identified Data, aggregate data, or publicly available information as those terms are defined under applicable Data Protection Laws.

2.7 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Provider on behalf of Customer, including any "breach of security" as defined in 6 Del. C. § 12B-101(1).

2.8 "Processing" (and its cognates "Process," "Processed," "Processes") means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, including the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction of Personal Data.

2.9 "Processor" means the Party that processes Personal Data on behalf of and under the instruction of the Controller. For purposes of this DPA, Provider acts as Processor with respect to Personal Data processed on Customer's behalf through the Platform.

2.10 "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, genetic data, biometric data processed for the purpose of uniquely identifying an individual, Personal Data of a known child, or any other category of data classified as "sensitive" under applicable Data Protection Laws, including 6 Del. C. § 12D-102(30).

2.11 "Sub-processor" means any third party engaged by Provider to process Personal Data on behalf of Customer in connection with the services provided under the MSA.

ARTICLE 3. ROLES AND RESPONSIBILITIES

3.1 Customer as Controller. Customer, in its capacity as Controller, shall:

(a) Determine the purposes and means of processing Personal Data in connection with the Platform and the MSA;

(b) Ensure that it has a lawful basis for each category of processing to be performed by Provider, and that all necessary consents, authorizations, notices, and permissions have been obtained from or provided to data subjects prior to submitting Personal Data to the Platform;

(c) Ensure that the instructions it provides to Provider for the processing of Personal Data comply with all applicable Data Protection Laws;

(d) Be solely responsible for the accuracy, quality, and legality of the Personal Data submitted to the Platform, and for the means by which Customer acquired such Personal Data;

(e) Maintain a privacy policy that satisfies the requirements of applicable Data Protection Laws, including 6 Del. C. § 12D-104(a), disclosing the categories of Personal Data processed, the purposes of processing, the categories of third parties to whom Personal Data may be disclosed, and the methods by which data subjects may exercise their rights; and

(f) Conduct such data protection assessments as may be required under applicable Data Protection Laws, including 6 Del. C. § 12D-105 (for controllers processing data of 100,000 or more consumers), and bear sole responsibility for any data protection impact assessments or similar evaluations mandated by applicable law.

3.2 Provider as Processor. Provider, in its capacity as Processor, shall:

(a) Process Personal Data only on behalf of and in accordance with Controller's documented instructions, as set forth in this DPA, the MSA, and any applicable Order Form or SOW. If Provider believes that an instruction from Controller infringes applicable Data Protection Laws, Provider shall promptly inform Controller and may suspend the relevant processing activity until the instruction is modified or confirmed in writing;

(b) Process Personal Data solely to the extent necessary to provide the Platform, perform Professional Services, and fulfill Provider's obligations under the MSA, and for no other purpose unless required by applicable Law, in which case Provider shall inform Controller (to the extent legally permissible) before carrying out such processing;

(c) Not sell, share, disclose, or otherwise make available Personal Data to any third party except as expressly permitted under this DPA or as directed by Controller's documented instructions;

(d) Not process Personal Data for purposes of targeted advertising, profiling, or any purpose other than those specified in this DPA and the MSA;

(e) Not combine Personal Data received from or on behalf of Controller with Personal Data received from or on behalf of another person or entity, or with Personal Data collected from Provider's own interactions with data subjects, except as expressly permitted by applicable Data Protection Laws or Controller's written instructions; and

(f) Comply with all obligations applicable to processors under applicable Data Protection Laws, including 6 Del. C. § 12D-107.

ARTICLE 4. DETAILS OF PROCESSING

Pursuant to the requirements of 6 Del. C. § 12D-107(b), the following information describes the nature, purpose, and subject matter of the processing activities contemplated under this DPA.

4.1 Subject Matter of Processing. Provider processes Personal Data on behalf of Customer in connection with the provision of the Memvid Platform and related Professional Services as described in the MSA and applicable Order Forms and SOWs.

4.2 Nature and Purpose of Processing. Processing activities include, without limitation: (a) ingestion, indexing, and storage of Customer Content containing Personal Data within the Platform's knowledge layer; (b) retrieval, search, and presentation of data in response to Authorized User queries; (c) execution of AI agent workflows and automated processes that interact with Customer Content; (d) data analytics and operational reporting as required to deliver Platform functionality; (e) technical support and troubleshooting; (f) security monitoring, access logging, and incident detection; and (g) any additional processing activities described in the applicable Order Form or SOW.

4.3 Duration of Processing. Processing shall commence on the Subscription Start Date and shall continue for the duration of the Subscription Term (including any Renewal Terms), plus the Data Export Period described in Section 18.3 of the MSA. Upon expiration of the Data Export Period, Provider shall delete or return Personal Data in accordance with Article 10 of this DPA.

4.4 Categories of Data Subjects. The categories of data subjects whose Personal Data may be processed under this DPA are determined by Customer and may include, without limitation: (a) Customer's employees, contractors, and agents; (b) Customer's end users and customers; (c) Customer's business partners and vendors; (d) prospective customers or contacts of Customer; and (e) any other individuals whose Personal Data Customer submits to the Platform.

4.5 Types of Personal Data. The types of Personal Data processed under this DPA are determined by Customer and may include, without limitation: (a) names, email addresses, telephone numbers, and physical addresses; (b) job titles, employer names, and professional information; (c) account credentials and authentication data; (d) communication content, including messages, documents, and correspondence; (e) usage data, interaction logs, and platform activity records; (f) device identifiers, IP addresses, and technical metadata; and (g) any other categories of Personal Data that Customer elects to submit to the Platform.

4.6 Sensitive Data. Customer acknowledges that the Platform is not designed or intended for the processing of Sensitive Data unless Customer expressly configures the Platform for such use. If Customer submits Sensitive Data to the Platform, Customer shall: (a) ensure that all necessary consents have been obtained from data subjects in accordance with applicable Data Protection Laws, including 6 Del. C. § 12D-104(b); (b) notify Provider in writing prior to the submission of Sensitive Data; and (c) be solely responsible for ensuring that the processing of Sensitive Data complies with all applicable legal requirements. Provider shall not be liable for any failure by Customer to comply with the requirements of this Section 4.6.

ARTICLE 5. CONFIDENTIALITY AND PERSONNEL

5.1 Confidentiality Obligation. Provider shall ensure that each person authorized to process Personal Data on Provider's behalf is subject to a binding duty of confidentiality with respect to such Personal Data, whether arising under a written confidentiality agreement, professional obligation, or statutory duty, in accordance with 6 Del. C. § 12D-107(b)(1). Such confidentiality obligation shall survive the termination or expiration of the individual's engagement with Provider.

5.2 Personnel Access. Provider shall limit access to Personal Data to those employees, contractors, and agents who have a legitimate need to access such data in order to perform Provider's obligations under the MSA and this DPA. Provider shall ensure that all such personnel have received appropriate training on data protection obligations and the requirements of applicable Data Protection Laws.

5.3 Background Checks. Provider shall maintain commercially reasonable practices for vetting personnel who have access to Personal Data, consistent with applicable Law and industry standards.

ARTICLE 6. SECURITY MEASURES

6.1 Technical and Organizational Measures. Provider shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, theft, or disclosure. Such measures shall be commensurate with the nature, scope, context, and purposes of the processing, and with the risks presented to data subjects. At a minimum, Provider's security program shall include the measures described in Section 22 of the MSA and in the Security and Compliance Exhibit (if attached), and shall encompass:

(a) Encryption of Personal Data in transit (using TLS 1.2 or higher, or equivalent protocols) and at rest (using AES-256 or equivalent encryption standards);

(b) Role-based access controls, multi-factor authentication for privileged access, and implementation of least-privilege principles;

(c) Logical and physical separation of Customer data from the data of other customers, to the extent commercially and technically practicable given the selected Deployment Model;

(d) Comprehensive logging and monitoring of access to systems, applications, and data repositories that contain Personal Data;

(e) Regular vulnerability assessments and penetration testing of systems used to process Personal Data, conducted no less frequently than annually;

(f) Secure software development practices, including code review, testing, and change management controls;

(g) Business continuity and disaster recovery planning sufficient to protect the availability and integrity of Personal Data;

(h) Incident response procedures, including documented escalation paths, roles, and responsibilities;

(i) Physical security measures for any facilities housing infrastructure used to process Personal Data, including access control, surveillance, and environmental controls; and

(j) Secure disposal of media and hardware containing Personal Data, in accordance with recognized industry standards (e.g., NIST SP 800-88).

6.2 Ongoing Evaluation. Provider shall periodically review and, where necessary, update its technical and organizational measures to maintain an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as evolving risks.

6.3 Security Certifications. Provider shall make available to Customer, upon written request and no more frequently than once per twelve-month period, a summary of its then-current security certifications, third-party audit reports (e.g., SOC 2 Type II), or equivalent assurance documentation, subject to Provider's confidentiality requirements. If Provider does not hold a SOC 2 Type II report or equivalent certification at the time of the request, Provider shall provide a written description of its security program in reasonable detail.

ARTICLE 7. SUB-PROCESSING

7.1 General Authorization. Customer hereby grants Provider a general written authorization to engage Sub-processors to process Personal Data on behalf of Customer, subject to the conditions set forth in this Article 7 and in compliance with 6 Del. C. § 12D-107(b)(4).

7.2 List of Current Sub-processors. Provider shall maintain a current list of its Sub-processors, identifying each Sub-processor's name, location, and the nature of the processing activities performed. Provider shall make such list available to Customer upon written request or by publication at a URL designated by Provider.

7.3 Notice of New Sub-processors. Before engaging a new Sub-processor or replacing an existing Sub-processor, Provider shall notify Customer in writing (including by electronic mail or through a mechanism designated by Provider) at least thirty (30) calendar days in advance, identifying the proposed Sub-processor, the nature of the processing to be performed, and the location of processing. Customer shall have the right to review and object to the engagement of a new Sub-processor in accordance with Section 7.4 below.

7.4 Objection Right. If Customer has a reasonable, good-faith basis for objecting to a proposed Sub-processor (for example, on data security, data protection, or compliance grounds), Customer shall notify Provider in writing within fifteen (15) calendar days of receipt of the notice described in Section 7.3, setting forth the specific grounds for the objection. Upon receipt of a timely objection, Provider shall use commercially reasonable efforts to: (a) make available to Customer a modification of the services that avoids the use of the objected-to Sub-processor; or (b) recommend a commercially reasonable alternative Sub-processor acceptable to Customer. If Provider is unable to accommodate Customer's objection within thirty (30) calendar days, Customer may, as its sole and exclusive remedy with respect to such objection, terminate the affected Order Form (or, if the Sub-processor's engagement affects the entirety of the services, this DPA and the MSA) upon written notice, and Provider shall refund to Customer any prepaid, unused Subscription Fees corresponding to the period following the effective date of such termination.

7.5 Sub-processor Agreements. Provider shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set forth in this DPA, including, without limitation, obligations of confidentiality, security, instruction-based processing, deletion or return of data, and audit facilitation. Provider shall remain fully responsible to Customer for the acts and omissions of each Sub-processor with respect to Personal Data as if Provider had performed the processing directly.

7.6 Liability for Sub-processors. Where a Sub-processor fails to fulfill its data protection obligations, Provider shall remain liable to Customer for the performance of that Sub-processor's obligations, without prejudice to any claims Provider may have against the Sub-processor.

ARTICLE 8. CONSUMER RIGHTS REQUESTS

8.1 Assistance with Consumer Rights Requests. Provider shall, taking into account the nature of the processing and the information available to Provider, assist Customer by appropriate technical and organizational measures, insofar as is reasonably practicable, in fulfilling Customer's obligation to respond to Consumer Rights Requests, as required under applicable Data Protection Laws, including 6 Del. C. § 12D-107(a)(1). Such assistance may include providing Customer with self-service tools within the Platform to locate, access, export, correct, or delete Personal Data, or, where self-service tools are not available, responding to Customer's documented requests for specific actions within commercially reasonable timeframes.

8.2 Requests Received by Provider. If Provider receives a Consumer Rights Request directly from a data subject, Provider shall: (a) not respond to the request on Customer's behalf unless expressly authorized in writing by Customer; (b) promptly (and in any event within five (5) business days) redirect the data subject to Customer or notify Customer of the request; and (c) cooperate with Customer in processing the request to the extent required by applicable Data Protection Laws.

8.3 Cost of Assistance. To the extent that Provider's assistance with Consumer Rights Requests requires effort materially beyond the scope of Provider's standard Platform functionality and standard support obligations, Customer shall reimburse Provider for the reasonable, documented costs of such additional assistance at Provider's then-current professional services rates, provided that Provider has notified Customer in advance of the anticipated costs and received Customer's written authorization to proceed.

ARTICLE 9. PERSONAL DATA BREACH NOTIFICATION AND RESPONSE

9.1 Notification Obligation. Provider shall notify Customer of any confirmed or reasonably suspected Personal Data Breach without unreasonable delay, and in any event no later than forty-eight (48) hours after Provider becomes aware of the breach. Notification shall be made to the contact designated by Customer in the applicable Order Form or, in the absence of such designation, to Customer's primary point of contact under the MSA.

9.2 Content of Notification. The initial notification shall include, to the extent reasonably available at the time:

(a) A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate volume of Personal Data records concerned;

(b) The name and contact information of Provider's designated point of contact from whom additional information may be obtained;

(c) A description of the likely consequences of the Personal Data Breach;

(d) A description of the measures taken or proposed to be taken by Provider to address the Personal Data Breach, including measures to mitigate its adverse effects; and

(e) Any other information reasonably necessary for Customer to fulfill its own breach notification obligations under applicable Data Protection Laws, including 6 Del. C. § 12B-102 (which requires notification to affected Delaware residents without unreasonable delay and no later than sixty (60) days after determination of the breach, and notification to the Delaware Attorney General where more than five hundred (500) Delaware residents are affected).

9.3 Supplemental Information. If the information described in Section 9.2 is not available at the time of the initial notification, Provider shall provide such information in phases as it becomes available, without further undue delay. Provider shall document all facts relating to the Personal Data Breach, its effects, and the remedial actions taken, and shall make such documentation available to Customer upon request.

9.4 Cooperation and Remediation. Following a Personal Data Breach, Provider shall: (a) take immediate steps to contain the breach and mitigate its effects; (b) conduct a thorough investigation into the root cause and scope of the breach; (c) cooperate fully with Customer and with any governmental authority investigating the breach; (d) implement appropriate remedial measures to prevent recurrence; and (e) provide Customer with such assistance as is reasonably necessary for Customer to fulfill its obligations under applicable Data Protection Laws in connection with the breach, including the preparation and delivery of notifications to affected data subjects and regulatory authorities.

9.5 No Acknowledgment of Fault. Provider's notification of a Personal Data Breach under this Article 9 shall not be construed as an acknowledgment by Provider of any fault or liability with respect to the breach.

ARTICLE 10. DATA RETURN AND DELETION

10.1 Upon Termination or Expiration. Upon termination or expiration of the MSA (or, where applicable, upon termination of a specific Order Form), Provider shall, at Customer's election and as communicated by Customer in writing:

(a) Return to Customer all Personal Data processed on behalf of Customer in a commercially reasonable, machine-readable format; or

(b) Securely delete or destroy all copies of Personal Data in Provider's possession or control, using methods consistent with recognized industry standards for data destruction.

Customer shall communicate its election within fifteen (15) calendar days following the effective date of termination or expiration. If Customer fails to make an election within such period, Provider shall securely delete all Personal Data following the expiration of the Data Export Period set forth in Section 18.3 of the MSA.

10.2 Certification of Deletion. Upon completion of the deletion of Personal Data pursuant to Section 10.1(b), Provider shall, upon Customer's written request, certify in writing that all Personal Data has been deleted or destroyed and that no copies remain in Provider's possession or control, except as provided in Section 10.3.

10.3 Retention Exceptions. Provider may retain copies of Personal Data to the extent and for the duration required by: (a) applicable Law or regulation; (b) a valid legal hold, court order, or governmental investigation; or (c) Provider's standard backup and disaster recovery procedures, provided that (i) such retained data continues to be protected in accordance with this DPA, (ii) Provider shall not actively process such retained data for any purpose other than compliance with the applicable retention obligation, and (iii) Provider shall delete such data promptly upon expiration of the applicable retention period.

10.4 Sub-processor Data. Provider shall ensure that each Sub-processor deletes or returns Personal Data in accordance with the requirements of this Article 10, subject to the same exceptions described in Section 10.3.

ARTICLE 11. AUDITS AND ASSESSMENTS

11.1 Audit Right. Customer shall have the right, no more than once per twelve-month period (unless a Personal Data Breach has occurred or a regulatory investigation is pending, in which case additional audits may be conducted as reasonably necessary), to verify Provider's compliance with this DPA. Such verification may be conducted by:

(a) Requesting and reviewing Provider's then-current third-party audit reports, certifications, or compliance attestations (e.g., SOC 2 Type II report, ISO 27001 certification), which Provider shall make available subject to Provider's reasonable confidentiality requirements; or

(b) Where the documentation described in clause (a) is unavailable or insufficient to address Customer's reasonable compliance concerns, conducting or commissioning an independent third-party audit of Provider's data processing activities and security measures, subject to the conditions set forth in Section 11.2.

11.2 Audit Conditions. If Customer exercises its right to conduct or commission a third-party audit under Section 11.1(b):

(a) Customer shall provide Provider with at least thirty (30) calendar days' prior written notice of the audit, including the proposed scope, duration, and identity of any third-party auditor;

(b) The audit shall be conducted during Provider's regular business hours, with reasonable accommodations for time zones, and shall not unreasonably interfere with Provider's business operations or the services provided to other customers;

(c) Any third-party auditor engaged by Customer shall execute a written non-disclosure agreement with Provider on terms reasonably acceptable to both Parties, prior to commencing the audit;

(d) The scope of the audit shall be limited to Provider's processing of Personal Data on behalf of Customer and to the technical and organizational measures implemented by Provider in connection with such processing;

(e) Customer shall bear all costs and expenses associated with the audit, including any reasonable fees charged by Provider for staff time and resources dedicated to facilitating the audit; and

(f) Customer shall provide Provider with a copy of the audit findings (in summary or full form) within a reasonable time following completion of the audit, and Provider shall have the opportunity to comment on the findings and to propose and implement corrective measures within a reasonable timeframe.

11.3 Data Protection Assessments. Provider shall make available to Customer such information as is reasonably necessary to enable Customer to conduct and document data protection assessments required under applicable Data Protection Laws, including 6 Del. C. § 12D-105 and § 12D-107(a)(3). Such information may include descriptions of processing activities, technical and organizational measures, Sub-processor arrangements, and data flows, and shall be provided within a commercially reasonable timeframe following Customer's written request.

ARTICLE 12. DATA TRANSFERS

12.1 Processing Location. Provider shall process Personal Data within the United States, unless the applicable Order Form or a written instruction from Customer specifies a different geographic location. If Customer's selected Deployment Model involves customer-controlled infrastructure in a jurisdiction outside the United States, the Parties shall cooperate to implement any additional safeguards required by applicable Data Protection Laws to facilitate the lawful transfer of Personal Data to such jurisdiction.

12.2 International Transfers. To the extent that Personal Data originating from a jurisdiction outside the United States (including the European Economic Area, the United Kingdom, or Switzerland) is processed under this DPA, the Parties shall implement such transfer mechanisms as are required by applicable Data Protection Laws to lawfully effect such transfer. Such mechanisms may include, as applicable:

(a) An adequacy decision issued by the relevant regulatory authority;

(b) Participation in a recognized cross-border data transfer framework (e.g., the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework);

(c) Standard Contractual Clauses approved by the European Commission, executed as a separate addendum and incorporated by reference into this DPA; or

(d) Any other transfer mechanism permitted under applicable Data Protection Laws.

12.3 Supplementary Measures. Where required by applicable Data Protection Laws or regulatory guidance, the Parties shall cooperate to identify and implement supplementary technical, organizational, or contractual measures necessary to ensure that the level of protection afforded to Personal Data is not undermined by the transfer.

ARTICLE 13. CCPA-SPECIFIC PROVISIONS

13.1 Applicability. The provisions of this Article 13 apply solely to the extent that the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act) ("CCPA/CPRA") applies to Customer's Personal Data processed by Provider under this DPA. Where the CCPA/CPRA does not apply, this Article 13 shall have no force or effect.

13.2 Service Provider Designation. To the extent required by the CCPA/CPRA, Provider is designated as a "Service Provider" (as defined in Cal. Civ. Code § 1798.140(ag)) with respect to Personal Data processed on behalf of Customer. Provider certifies that it understands the restrictions imposed by the CCPA/CPRA on a Service Provider and shall comply with those restrictions.

13.3 Prohibited Activities under CCPA/CPRA. Provider shall not:

(a) Sell or share (as defined in Cal. Civ. Code §§ 1798.140(ad) and 1798.140(ah)) Personal Data received from or on behalf of Customer;

(b) Retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA and the MSA, or as otherwise permitted by the CCPA/CPRA for Service Providers;

(c) Retain, use, or disclose Personal Data outside of the direct business relationship between Provider and Customer, unless expressly permitted by the CCPA/CPRA; or

(d) Combine Personal Data received from or on behalf of Customer with Personal Data received from or on behalf of another person, or with Personal Data collected from Provider's own interactions with consumers, except as expressly permitted by the CCPA/CPRA.

13.4 Notification of Inability to Comply. Provider shall notify Customer if Provider determines that it can no longer meet its obligations under the CCPA/CPRA, and Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.

ARTICLE 14. DPDPA-SPECIFIC PROVISIONS

14.1 Applicability. The provisions of this Article 14 apply solely to the extent that the Delaware Personal Data Privacy Act (6 Del. C. Ch. 12D) applies to Customer's Personal Data processed by Provider under this DPA.

14.2 Contractual Requirements. In accordance with 6 Del. C. § 12D-107(b), this DPA constitutes the binding contract between Controller and Processor that:

(a) Clearly sets forth instructions for the processing of Personal Data;

(b) Specifies the nature and purpose of processing (Article 4);

(c) Identifies the type of data subject to processing (Section 4.5);

(d) Defines the duration of processing (Section 4.3); and

(e) Establishes the rights and obligations of both Parties.

14.3 Processor Obligations under DPDPA. In addition to the obligations set forth elsewhere in this DPA, Provider shall, in compliance with 6 Del. C. § 12D-107:

(a) Adhere to the documented instructions of Controller;

(b) Ensure that each person processing Personal Data is subject to a duty of confidentiality (Section 5.1);

(c) At Controller's direction, delete or return all Personal Data at the end of the provision of services (Article 10);

(d) Make available to Controller the information necessary to enable Controller to conduct and document data protection assessments (Section 11.3);

(e) After providing Controller an opportunity to object, engage Sub-processors pursuant to written contracts that require the Sub-processor to meet the obligations of the Processor with respect to Personal Data (Sections 7.3, 7.4, and 7.5); and

(f) Assist Controller in meeting Controller's obligations under the DPDPA, including obligations related to the security of processing and notification of security breaches.

14.4 Controller Status Determination. Consistent with 6 Del. C. § 12D-107(d), if Provider begins, alone or jointly with others, determining the purposes and means of the processing of Personal Data, Provider shall be deemed a Controller with respect to such processing and shall be subject to the obligations imposed on Controllers under the DPDPA.

ARTICLE 15. ADDITIONAL STATE PRIVACY LAW PROVISIONS

15.1 Multi-State Compliance. The Parties acknowledge that Customer may operate in jurisdictions with comprehensive data privacy laws beyond those specifically addressed in Articles 13 and 14 of this DPA. To the extent that the terms of this DPA satisfy the controller-processor contractual requirements of applicable state privacy legislation (including, without limitation, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Texas Data Privacy and Security Act), the Parties intend that this DPA shall serve as the binding processing agreement required by each such law.

15.2 Supplementary Terms. If any applicable Data Protection Law imposes controller-processor contractual requirements that are not addressed by the terms of this DPA, the Parties shall negotiate in good faith to incorporate supplementary terms as necessary to achieve compliance with such law. Any supplementary terms shall be documented in a written amendment to this DPA, executed by authorized representatives of both Parties.

ARTICLE 16. GENERAL PROVISIONS

16.1 Limitation of Liability. The aggregate liability of each Party arising out of or relating to this DPA (including any claims related to the processing of Personal Data) shall be subject to the limitations of liability set forth in Section 15 of the MSA. Nothing in this DPA shall be construed to limit or exclude liability to the extent that such limitation or exclusion is prohibited by applicable Data Protection Laws.

16.2 Term. This DPA shall become effective on the DPA Effective Date and shall remain in force for the duration of the MSA (including any Renewal Terms), and shall continue in effect thereafter with respect to any Personal Data that remains in Provider's possession or control until such Personal Data is deleted or returned in accordance with Article 10.

16.3 Amendments. No amendment to this DPA shall be effective unless set forth in a written instrument executed by authorized representatives of both Parties. Notwithstanding the foregoing, Provider may update the technical and organizational security measures described in Section 6.1 from time to time, provided that any such update does not materially diminish the overall level of protection afforded to Personal Data.

16.4 Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The Parties shall negotiate in good faith to replace any invalid provision with a valid provision that achieves, to the greatest extent possible, the original intent.

16.5 Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-laws principles, consistent with Section 29.1 of the MSA. Any dispute arising under or in connection with this DPA shall be subject to the dispute resolution provisions of Section 28 of the MSA.

16.6 Entire DPA. This DPA, together with its Schedules and Annexes (if any), constitutes the entire agreement between the Parties with respect to the processing of Personal Data in connection with the MSA and supersedes all prior or contemporaneous agreements, representations, and understandings relating thereto.

SCHEDULE A TO THE DATA PROCESSING ADDENDUM

DESCRIPTION OF PROCESSING ACTIVITIES

The following table summarizes the processing activities contemplated under this DPA. Customer may update the information in this Schedule A by written notice to Provider where the scope of processing changes materially.

Field | Description
Controller | Customer, as identified in the applicable Order Form
Processor | Bridge AI Technologies, Inc.
Subject Matter of Processing | Provision of the Memvid enterprise AI and knowledge platform and related Professional Services
Nature of Processing | Ingestion, indexing, storage, retrieval, search, chat, AI agent execution, workflow automation, analytics, support, and security monitoring
Purpose of Processing | To provide the Platform and fulfill Provider's obligations under the MSA, Order Forms, and SOWs
Duration of Processing | From the Subscription Start Date through the end of the Subscription Term (including Renewal Terms) and Data Export Period
Categories of Data Subjects | Customer's employees, contractors, end users, customers, business partners, and other individuals whose data Customer submits to the Platform
Types of Personal Data | Names, contact information, professional details, account credentials, communication content, usage data, device identifiers, IP addresses, and other data submitted by Customer
Sensitive Data (if applicable) | As determined by Customer; not processed unless Customer configures the Platform for such use and ensures compliance with applicable Data Protection Laws

SCHEDULE B TO THE DATA PROCESSING ADDENDUM

SUB-PROCESSOR LIST

The following Sub-processors are authorized by Customer as of the DPA Effective Date. Provider shall update this list in accordance with Article 7 of this DPA.

Sub-processor Name | Location | Nature of Processing Activities
___________ | ___________ | ___________
___________ | ___________ | ___________
___________ | ___________ | ___________
___________ | ___________ | ___________

Provider shall maintain the current version of this list and make it available to Customer upon request or at the following URL: ___________________________________________