Version Date: 06-01-2023

This Data Processing Addendum and its Exhibits (the “Addendum”) is made and entered into by and between Centercode, Inc. (“Centercode”) and the customer (“Customer”) specified in the parties’ Agreement into which this Addendum is incorporated. This Addendum is effective as of the effective date of the Agreement, or if sooner, the date that Centercode first Processed Personal Data on behalf of Customer under the Agreement.

This Addendum includes the Data Processing Terms, Exhibit 1 (Details of Processing), Exhibit 2 (Centercode Security Standards), and where applicable, the Professional Services Exhibit, and supplements, amends, and is incorporated by reference into the Agreement. Terms not otherwise defined in this Addendum shall have the meaning set forth in the Agreement.

In this Addendum:

“Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by, or under common control with a party, where control means the ownership of a majority share of the stock, equity, or voting interests of such entity.

“Administrators” has the definition provided in the Agreement, or if none, it means the Customer’s end users of the Services assigned roles by the Customer within the Services that enable the administration of some or all of the Services, including but not limited to “Community Administrators” in the Services.

“Agreement” means the agreement between Centercode and Customer that incorporates this Addendum and contains the terms and conditions governing the provision of the Services, and any order forms or order documents entered into under that agreement.

“Applicable Data Protection Laws” means legislation, and rules and regulations adopted thereunder, as amended or superseded from time to time, relating to data protection and privacy applicable to the processing of Personal Data in connection with the Services, including applicable United States federal laws, Applicable US State Privacy Laws, and Applicable European Data Protection Laws, in each case where and to the extent applicable.

“Applicable European Data Protection Laws” means data protection and privacy laws in Europe and their implementing regulations, as amended or superseded from time to time, including: (i) the GDPR; (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) the GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss FDPA”); and (v) other applicable data protection and privacy laws and regulations of the European Union, the EEA, and their member states, Switzerland, and the United Kingdom, in each case where and to the extent applicable.

“Applicable US State Privacy Laws” means U.S. state data protection and privacy laws and their implementing regulations, as amended or superseded from time to time, including but not limited to: (i) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (the “CCPA”); (ii) the Colorado Privacy Act; (iii) the Connecticut Personal Data Privacy and Online Monitoring Act; (iv) Utah Consumer Privacy Act; and (v) Virginia Consumer Data Protection Act, in each case where and to the extent applicable.

“Betabound” means Centercode’s web-based portal and community used by Centercode to register third parties interested in participating in product and service tests of Centercode’s customers and other third parties and to announce these tests.

“Betabound Personal Data” means personal data or information (as defined under Applicable Data Protection Laws) of members of Centercode’s Betabound community that is collected from such members into Centercode’s Betabound portal (such personal data or information being owned and controlled by Centercode) and that is shared by Centercode with Customer or its Affiliates in connection with the Services.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and shall be interpreted in accordance with Applicable Data Protection Laws. For the sake of clarity, as applicable, Controller includes “Business” as defined in Applicable US State Privacy Laws.

“Data Subject” means the individual to whom the Personal Data relates and shall be interpreted in accordance with Applicable Data Protection Laws. For the sake of clarity, as applicable, Data Subject includes “Consumer” as defined in Applicable US State Privacy Laws.

“EEA” means the European Economic Area.

"Europe” means member states of the EEA, the United Kingdom, and Switzerland.

“European Personal Data” means Personal Data that is subject to the protection of Applicable European Data Protection Laws.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

“Personal Data” means any Customer Data that relates to an identified or identifiable individual where the information is protected as personal data or personal information under Applicable Data Protection Laws and shall be interpreted in accordance with Applicable Data Protection Laws. For the sake of clarity, as applicable, Personal Data includes “Personal Information” as defined in Applicable US State Privacy Laws.

“Processing” (or “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and shall be interpreted in accordance with Applicable Data Protection Laws.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller and shall be interpreted in accordance with Applicable Data Protection Laws. For the sake of clarity, as applicable, Processor includes “Service Provider” and “Contractor” as defined in Applicable US State Privacy Laws.

“Professional Services” has the definition provided in any Agreement under which Professional Services are ordered by Customer from Centercode.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored, or otherwise Processed by Centercode or its Sub-Processors in connection with the provision of the Services, and does not include unsuccessful activities, attacks, or attempts to access Personal Data that do not compromise the security of the Personal Data.

“Services” is any Services and Subscription services as defined in the Agreement.

“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, as may be amended, superseded, or replaced.

“Supervisory Authority” shall be interpreted in accordance with Applicable European Data Protection Laws.

“UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2.1 Applicability. This Addendum shall apply only to the extent: (a) Centercode Processes Personal Data on behalf of Customer in connection with the Services; and/or (b) as applicable, where Centercode shares Betabound Personal Data with Customer in connection with its performance of Professional Services. If and to the extent the Services include the performance by Centercode of Professional Services on Customer’s behalf, as documented in a mutually executed Order Form, the Professional Services Exhibit   to this Data Processing Addendum applies.

2.2 Term. This Addendum will terminate automatically upon termination of the Agreement except to the extent expressly provided otherwise in this Addendum.

4.1 Security. Centercode shall implement and maintain appropriate technical and organizational measures designed to protect the Personal Data from a Security Incident, which at a minimum shall include standards no less stringent as those set forth in Exhibit 2.

4.2 Confidentiality. Centercode personnel (whether employee or contractor) authorized to Process the Personal Data and Centercode Sub-Processors shall be subject to a duty of confidentiality with respect to the Personal Data.

4.3 Training. Centercode personnel (whether employee or independent contractor) authorized to Process the Personal Data shall receive appropriate training regarding their responsibilities and obligations with respect to the Processing, protection, and confidentiality of the Personal Data.

4.4 Security Incidents. Upon becoming aware of a Security Incident, Centercode shall notify Customer without undue delay and pursuant to the terms of the Agreement, but within no more than forty-eight (48) hours and shall provide such timely information as Customer may reasonably request, including reasonable assistance to enable Customer to fulfill any data breach reporting obligations under Applicable Data Protection Laws, and to identify and remediate the cause of such Security Incident. Notification(s) of Security Incidents, if any, will be delivered as set forth in the Agreement or, if not provided in the Agreement, to one or more of Customer’s Administrators by any means Centercode selects, including via email. Customer must ensure that Customer’s Administrators maintain accurate contact information in Centercode’s systems at all times.

4.5 Data Deletion. Upon termination or expiration of the Agreement, Centercode shall delete all Personal Data (including copies) in Centercode’s possession in accordance with this Section 4.5, except to the extent that Centercode is required by applicable law to retain some or all of the Personal Data. Upon expiration or termination of Services, Centercode shall make the Personal Data available to Customer for retrieval for the period provided in the Agreement. No later than ninety (90) days after the expiration or termination of Services, Centercode shall complete deletion of all the Personal Data on the Centercode Platform, with Personal Data in Centercode’s backups deleted within thirty (30) days of deletion of that underlying data. Prior to that date, if Customer requires deletion, it must issue a written deletion request to Centercode, which serves to confirm that Customer is ready for Centercode to delete the Personal Data, in which case Centercode will delete Personal Data within seven (7) days of its receipt of such a written request, with Personal Data in backups deleted within thirty (30) days of deletion of the underlying data. In any period following expiration or termination of the Agreement during which Centercode is authorized to continue to Process the Personal Data under the Agreement or this Addendum, Centercode shall extend the protections of the Agreement and this Addendum to such Personal Data and limit any further Processing of such Personal Data to only those purposes that require the retention, for so long as Centercode maintains the Personal Data.

5.1 Requests by Data Subjects or Supervisory Authorities Under Applicable Data Protection Laws. The Centercode Platform provides Customer with tools that may assist Customer in complying with its obligations under Applicable Data Protection Laws relating to responding to Data Subject Personal Data requests (“Data Subject Requests”). Customer is responsible for properly configuring the Services and using available controls in connection with the Services, including properly labeling data collection fields as Personal Data fields or not. To the extent that Customer is not reasonably able to respond to a Data Subject or Supervisory Authority request without assistance by Centercode, Centercode shall assist Customer as reasonably necessary to enable Customer to comply with Applicable Data Protection Laws. If Centercode must provide cooperation contemplated in this Section 5.1 that requires Centercode to take action that is outside of the scope of its ordinary Services and results in a material increase in the amount of time required by Centercode to perform the Services, Customer agrees to reimburse Centercode for commercially reasonable costs arising from this assistance. Any charge will be as agreed in writing between the parties.

5.2 Requests Made to Centercode. In the event a Data Subject or Supervisory Authority request or complaint is made directly to Centercode, Centercode shall promptly inform Customer, except to the extent prohibited by applicable law, by providing the full details of the request or complaint and Customer is responsible for responding to its Data Subjects, provided that Centercode may respond to a Data Subject request for data deletion that does not identify Customer with general instructions regarding the data deletion tools available within the Centercode Platform and to notify the Data Subject to contact the company operating the Centercode Platform implementation on which it has an account.

9.1 Customer agrees that it enters into this Addendum on behalf of itself and, to the extent required by Applicable Data Protection Laws, any of its Affiliates that is a Controller of the Personal Data and that is permitted to use the Services. Each such Affiliate agrees to be bound by the terms and conditions in this Addendum and the Agreement. Customer represents and warrants that it is authorized to enter into the Addendum on behalf of itself and, where applicable, all such Affiliates. Except to the extent prohibited by Applicable Data Protection Laws, only the entity that signs this Addendum as “Customer” shall have the right to exercise any rights or pursue any remedy under this Addendum.

9.2 Except as amended by this Addendum, the Agreement will remain in full force and effect. If any provision of this Addendum is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision, with all other provisions remaining in full force and effect.

9.3 If there is a conflict between the Agreement and this Addendum, where the Addendum is applicable, the terms of this Addendum will control, provided however, that the Addendum and the Standard Contractual Clauses do not replace any additional rights related to Processing of Customer Data set forth in the Agreement.

9.4 Any claims brought under this Addendum, including the Standard Contractual Clauses, shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.

9.5 Except in relation to a Data Subject’s rights under the Standard Contractual Clauses regarding the Processing of his or her Personal Data or as may be required by Applicable European Data Protection Laws, the Agreement and this Addendum apply only between the parties hereto and do not confer any rights to any third-party Data Subjects.

9.6 Except in relation to the Standard Contractual Clauses to the extent required by Applicable European Data Protection Laws, this Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the law that governs the Agreement.

Data exporter(s):

Name: The entity identified as “Customer” in the parties’ agreement to which the Standard Contractual Clauses are attached or incorporated by reference (the “Agreement”) on behalf of itself and its affiliates that are permitted to use data importer’s services (the “Services”) pursuant to the Agreement.

Address: The Customer’s address, as set out in the parties’ Agreement and/or as set out in the Customer’s account or billing details provided to data importer, or where Customer has executed this Addendum, as set forth in the execution page to this Addendum.

Contact person’s name, position and contact details: The Customer’s contact details, as set out in the parties’ Agreement and/or as set out in the Customer’s account or billing details provided to data importer, or where Customer has executed this Addendum, as set forth in the execution page to this Addendum.

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with data exporter’s use of the data importer’s Services.

Role (controller/processor): Controller

‍

Data importer(s):

Name: Centercode, Inc.

Address: 23422 Mill Creek Drive, Suite 105, Laguna Hills, CA 92653

Contact person’s name, position and contact details: Luke Freiler, President, CEO, and Data Protection Officer, Centercode, Inc., 23422 Mill Creek Drive, Suite 105, Laguna Hills, CA 92653

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with data exporter’s use of the data importer’s Services.

Role (controller/processor): Processor

Categories of data subjects whose personal data is transferred:

Data exporter may submit Personal Data in the course of using the Services as determined and controlled by the data exporter in its sole discretion subject to prohibitions contained in the Agreement, and which may include but is not limited to Personal Data relating to the following categories of data subjects:

customers and customer prospects of the data exporter; employees and contractors of the data exporter; participants or prospective participants in product and service tests (e.g., Beta and Delta tests) performed by or on behalf of data exporter, and other end-users

Categories of personal data transferred:

Data exporter may submit Personal Data in the course of using the Services as determined and controlled by the data exporter in its sole discretion subject to prohibitions contained in the Agreement, and which may include but is not limited to the following categories of Personal Data:

full name, user identification, title, position, employer, email, phone number, address, gender, age, date of birth, professional life data, personal life data, connection data, location data, preferences, opinions, device or service ownership, possession and/or usage data, experiential data, photographs, audio, video, and any other personal data submitted by data exporter or its end users using the Services

Sensitive data transferred and applied restrictions or safeguards:

None. Data exporter is not permitted to collect “sensitive data” pursuant to the terms of the parties’ Agreement.

The frequency of the transfer:

Continuous

Nature of the processing:

Processing activities in the performance of the Services (including providing customer and technical support and as further instructed by data exporter in connection with its use of the Services) as set forth in the Agreement and/or as compelled by applicable law. Data exporter instructs data importer to Process Personal Data for these purposes in the countries in which data importer or its Sub-Processors maintain facilities as necessary for the provision of the Services as identified in the Data Processing Addendum.

Purpose of the data transfer and further processing:

Data importer will process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the parties’ order form and as further instructed by data exporter in its use of the Services.

The period for which the personal data will be retained:

Data importer will process the Personal Data for the duration of the Agreement, including any period following the end of the Agreement designated for transition of Services and data as specified in the Agreement, unless otherwise agreed in writing.

Sub-Processors:

Centercode’s Sub-Processors, including contact information and a description of the processing, are as identified in the Agreement and at https://www.centercode.com/legal/sub-processors.

For transfers to (sub-) processors, the subject matter, nature and duration of the processing:

The subject matter, nature, and duration of the processing are described in the parties’ Data Processing Addendum.

For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority shall be as determined in accordance with the GDPR.

Customer is responsible for reviewing the information made available by Centercode relating to data security and making an independent determination as to whether the Services meet Customer’s requirements, and for ensuring that Customer’s personnel and contractors follow appropriate guidelines regarding data security.

1. Secure Storage

Centercode stores all Personal Data on cloud servers that are in a physically secure data center in the United States (unless a different location is expressly identified in the Agreement), as identified in the Agreement. Centercode shall ensure that any such data center is covered by a third-party security audit, such as ISO/IEC 27001, or SOC 2, Type 2 and shall provide Customer evidence of such audit upon request after execution by Customer of the data center’s standard non-disclosure agreement.

Each data center holding the Personal Data maintains physical security features including the following:

2. Availability

Appropriate measures are taken against accidental destruction or loss of Personal Data, including backup of all Personal Data on a regular basis. Centercode’s Service Level Agreement (available at https://www.centercode.com/sla) contains response and resolution commitments to Centercode Platform customers with annual or greater Service terms. In addition, the data center environment is designed with features for minimizing the impact of external environmental risks, including:

• Uninterruptible power supply (UPS) systems
• Diesel generators for backup power
• Fire detection and prevention systems
• 24x7 network operations center monitoring
• Redundant HVAC equipment

Centercode maintains a business continuity/disaster recovery plan that identifies and addresses risk factors associated with the Services.

3. Third-Party Network Penetration Test

Centercode shall have a third-party network penetration test performed annually. All critical vulnerabilities shall be remediated within thirty (30) days of identification to the extent reasonably possible. Centercode shall provide Customer an executive summary of such test upon request.

4. Vulnerability Scans

Centercode (either directly or through third parties) shall scan all internet-accessible sites related to Customer’s Services at least annually and at any time a major change is made to a hosted site that could introduce vulnerabilities using industry standard scanning tools such as Nessus.

5. Access Controls

Additional measures are taken to protect against unauthorized access to the IT systems holding the Personal Data and to the Personal Data including:

• Production systems behind stateful inspection firewall
• Intrusion detection systems
• Access rights assigned based on job role with management approval of new/modified access
• Terminated personnel access disabled within 24 hours
• Regular access review for personnel with access to production systems or Personal Data
• Password requirements and procedures for Centercode personnel
• No access for guest users or anonymous accounts
• Access to IT systems at data center restricted to appropriate individuals

6. Database and Disclosure Controls

Measures are taken to protect against unauthorized access, alteration, and removal of Personal Data during transport and otherwise, including:

• Customer Data on production systems is logically segregated into a separate database
• Data encryption in transit using the most current version of HTTPS/TLS
• Encryption of backups using AES-256
• Encryption at rest of Customer Data on the Centercode Platform using AES-256
• Dedicated cloud-based servers are available to customers with select Editions and with annual or greater subscription terms where expressly purchased by the Customer, as specified in Customer’s Agreement

Measures are taken to ensure the reliability of any Centercode personnel engaged in the Processing of the Personal Data, including:

• Appropriate background checks to the extent legally permissible in accordance with local labor law and statutory regulations
• Execution of confidentiality agreements
• Regular personnel training appropriate to role and access, including security and data privacy training

Measures are taken to log, test, and approve material changes to production systems, including:

• Testing and approval of critical/material application changes prior to implementation into production
• Restriction of access for migrating changes into production environments to appropriate individuals
• Regular review of critical changes to confirm appropriateness and authorization
• Local deployment of scheduled maintenance, patches, and material application changes in test environment prior to being introduced to production environment
• Customer notification prior to scheduled maintenance
• Backup of all data on servers hosting production systems prior to major updates

Customer is responsible for ensuring the security of access by its end users to the Services. The Services include features that enhance Customer’s ability to self-manage access controls and privileges, including:

• Customer’s administrators and end-users must authenticate themselves in order to use the Service
• Prior to display of data to an authorized end-user or administrator, login and password credentials are validated
• Password complexity standards default to an eight-character minimum with alpha and numeric requirements and prohibitions on using other identity fields (username, first and last name, or email) within the password, but these settings can be easily modified by the platform administrators to add additional characters and complexity requirements
• Passwords are stored in encrypted form (AES/128 bit)
• Passwords cannot be retrieved or viewed by anyone, including Centercode
• Where SSO integration is purchased or included in the edition Customer has ordered, Customer can optionally integrate its own single sign-on system (such as SAML) with its Centercode Platform implementation, and where the single sign-on system supports 2-factor authentication, Customer can extend this feature to its access to the Services
• By default, Customer’s users on its Centercode Platform implementation may attempt three invalid password attempts before account is locked for a period of time
• Any modifications to Customer user’s personal account on its Centercode Platform implementation will email the user to inform the user of the change
• Role-based access, allowing Customer administrators on Customer’s Centercode Platform implementation to define access for Customer’s users
• Logical isolation of data on a per-user basis, with user security access checked prior to loading every individual page
• HTTPS encryption (also referred to as TLS connection) is required to use the Services (non-secure links are redirected to HTTPS equivalents)

When a request is made to Centercode Support from a customer, a ticket is created in Centercode’s internal request tracking system and progress is tracked until final resolution. A similar system will be used to track any Security Incidents. Centercode monitors and logs access to the production systems and logs are maintained for at least ninety days.

Prior to onboarding of any Sub-Processor and on an annual basis, Centercode conducts a review of the security and practices of the Sub-Processor to ensure an appropriate level of security. The Sub-Processor is required to enter into appropriate written security, confidentiality, and privacy contract terms with Centercode consistent with the requirements of Applicable Data Protection Laws.

Some editions and/or purchased feature sets of the Centercode Platform offer the ability for Customer to integrate it with, and share data with, other systems (“Centercode Platform Integrations”). With Centercode Platform Integrations, Customer can automatically exchange Centercode Platform data to and from Customer’s and third parties’ systems, platforms, and applications (in Customer’s discretion) without the need for manual duplication of data.

If Customer enables and uses Centercode Platform implementations to move Personal Data from the Centercode Platform to the systems, platforms, or applications of third parties, Customer (and not Centercode) is sharing this Personal Data with these third parties. Customer understands and agrees that these third parties are Customer’s Processors and not Centercode’s Sub-Processors even if Centercode, at Customer’s request, assists Customer in integrating a third-party system, platform, or application. Customer is the party responsible for ensuring that it has appropriate terms in place with each of these Sub-Processors that are compliant with Applicable Data Protection Laws.

If and where the Services involve the performance by Centercode of Professional Services (as specified in a mutually executed Order Form), Centercode and Customer understand and agree that the standards and commitments set forth in the Data Processing Addendum and its exhibits are modified as provided in this Professional Services Exhibit.

To perform Professional Services for Customer, in some circumstances Centercode needs to remove Personal Data from the Centercode Platform production systems to other Centercode systems (or the systems of Centercode’s Sub-Processors) in order to perform the Services or at the request of Customer. In this event, Centercode will remove the Personal Data only to the extent necessary to perform the services or respond to Customer’s request and will abide by internal policies governing the handling of Personal Data removed from the production systems. These policies are designed to ensure that the Personal Data is only accessible by Centercode employees, contractors, and Sub-Processors as necessary to perform the Professional Services. When the Personal Data is removed from the production systems, Centercode maintains a record of the location(s) of the Personal Data. Please review Centercode’s Sub-Processors at https://www.centercode.com/legal/sub-processors to better understand the additional Sub-Processors for Professional Services customers.

Where Centercode discloses Betabound Personal Data to Customer in connection with Professional Services (as opposed to the Participant sharing its own Personal Data with the Customer directly), it agrees to Process the Betabound Personal Data in accordance with the terms of the Agreement and this Section 2.

2.1 In connection with Services involving Data Subjects from Centercode’s Betabound community of test participants, where Centercode (in its capacity as a Controller) transfers to Customer or provides Customer with access to Betabound Personal Data for Customer to Process, it does so for the purpose(s) specified in Appendix 1 to this Professional Services Exhibit (the “Purpose”) and Customer shall not use the Betabound Personal Data except for the Purpose.

2.2 Each party shall comply with Applicable Data Protection Laws in carrying out their obligations with respect to the Betabound Personal Data, including those under this Professional Services Exhibit. Customer will not: (a) “Sell” (as defined under Applicable US State Privacy Laws) or “Share” (as defined under the Applicable US State Privacy Laws) the Betabound Personal Data; (b) retain, use, or disclose the Betabound Personal Data for any purpose (including any “Commercial Purpose” as defined under the CCPA) except for the Purpose; (c) retain, use, or disclose the Betabound Personal Data outside the direct business relationship between Centercode and Customer, including by not combining any Betabound Personal Data with other personal data collected or received from another source, except as permitted by Applicable US State Privacy Laws.

2.3 Customer will provide the same level of privacy protection as is required by Applicable Data Privacy Laws. If Customer is engaged in unauthorized use of Betabound Personal Data, Centercode may, upon reasonable notice to Customer, take reasonable and appropriate steps to stop and remediate the unauthorized use of Betabound Personal Data. Customer certifies that it understands the restrictions in the CCPA and will comply with them.

2.4 Customer will, upon Centercode’s request, assist Centercode in its response to a consumer’s request to exercise a right it has under Applicable Data Protection Laws with respect to the Betabound Personal Data. Customer will allow Centercode to take reasonable and appropriate steps to ensure Customer uses and protects the Betabound Personal Data in a manner consistent with Centercode’s obligations under Applicable Data Protection Laws.

2.5 If Customer is no longer able to Process the Betabound Personal Data in a manner that is consistent with Applicable Data Protection Laws and this Professional Services Exhibit, it shall immediately inform Centercode and advise Centercode of any steps it proposes to take to remediate any such inconsistency. If requested by Centercode, Customer shall immediately suspend any inconsistent Processing.

2.6 Centercode will not transfer any Betabound Personal Data to Customer except as specifically contemplated by the terms of the Agreement, this Professional Services Exhibit , and Applicable Data Protection Laws.

2.7 If required to do so by a Supervisory Authority, Customer acknowledges and agrees that Centercode may disclose the Data Processing Addendum, including this Professional Services Exhibit , to such Supervisory Authority and that such disclosure will not constitute a breach of confidence.

2.8 As a minimum, each party’s privacy policy shall comply with Applicable Data Protection Laws and each party shall ensure where acting in its capacity as a Controller, that it brings its privacy policy (and any amendments) to the attention of Data Subjects.

2.9 Customer may only transfer the Betabound Personal Data from a country within the EEA, the UK, or Switzerland to a non-Adequate Country or Sector if Customer has provided appropriate safeguards by entering into Standard Contractual Clauses, or by relying on Binding Corporate Rules applicable to Customer and, at Centercode’s request, Customer will provide a copy of the transfer mechanism it relies on.

2.10 Notwithstanding termination of the Agreement for any reason, Customer shall continue to protect the Betabound Personal Data it received prior to termination to the standard required by this Professional Services Exhibit, including as required under Applicable Data Protection Laws on an ongoing basis. If Customer is unable to do so, it must immediately inform Centercode and at Centercode’s request either delete or return all such Betabound Personal Data in its possession or control. This provision shall survive termination of the Agreement, the Data Processing Addendum, and this Professional Services Exhibit .

2.11 Each party shall be responsible for responding to any request, correspondence, inquiry, or complaint made directly to it regarding its Processing of the Betabound Personal Data but shall inform the other (to the extent the other may be implicated in the request) of the request and how it intends to respond, unless prohibited from doing so by Applicable Data Protection Laws.

2.12 Each party shall implement appropriate technical and organizational measures in accordance with Appliable Data Protection Laws, including Article 32 of the GDPR, to ensure the security of the Betabound Personal Data and protect it against any unauthorized and unlawful Processing, and against a Security Incident.

2.13 If Customer discovers or is notified of any Security Incident relating to the Betabound Personal Data, it shall notify Centercode without undue delay and in any event within forty-eight (48) hours and keep Centercode updated regarding the investigations into the Security Incident and the remedial actions it is taking, unless prohibited from doing so by applicable law. Notification(s) of Security Incidents, if any, will be delivered as agreed in the Agreement or, if not provided in the Agreement to security@centercode.com.

2.14 Customer shall not retain or Process the Betabound Personal Data for longer than is necessary to carry out the Purpose.

2.15 Customer shall ensure that subcontractors it appoints to Process the Betabound Personal Data provide at least the same level of protection for the Betabound Personal Data and the rights of Data Subjects as Customer is obligated to provide under this Professional Services Exhibit and Applicable Data Protection Laws. Each such subcontractor must be subject to a written agreement that is compliant with Applicable Data Protection Laws and that imposes obligations at least as restrictive as those imposed on Customer under this Professional Services Exhibit. Customer will remain fully responsible and liable to Centercode for the performance of those obligations by each subcontractor. Customer shall further ensure that any such subcontractor only Processes the Betabound Personal Data in accordance with Customer’s instructions and those instructions are consistent with the Purpose.

2.16 Customer shall ensure the reliability of any person that it authorizes to Process the Betabound Personal Data (including its employees and contractors) and that each such person is subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty). Customer shall not permit any person to Process the Betabound Personal Data who is not under such a duty of confidentiality. Customer shall ensure that all such authorized persons Process the Betabound Personal Data only as permitted by this Professional Services Exhibit  and Applicable Data Protection Laws.

This Appendix 1 to the Professional Services Exhibit forms part of the Data Processing Addendum where the Professional Services Exhibit is applicable and describes the Processing that Customer will perform as a Controller.

Purpose

The Purpose of the transfer of Betabound Personal Data to Customer is to enable Customer to use the Betabound Personal Data in connection with Customer’s internal use of Services deliverables (test results and feedback) relating to its product and service testing (e.g., Beta and Delta testing).

Personal Data

Customer is Processing the following categories of Betabound Personal Data in connection with the Purpose:

Data Subjects:

Members of Centercode’s community of prospective test participants commonly known as its “Betabound Community”

Categories of Personal Data:

Includes full name, user identification, title, position, employer, email, phone number, address, gender, age, date of birth, professional life data, personal life data, connection data, location data, preferences, opinions, device or service ownership, possession and/or usage data, experiential data, photographs, audio, and video

Centercode is not transferring to Customer any Betabound Personal Data that is Sensitive Personal Data

Processing operations

Processing activities are those that occur in the use by Customer of the Services and Service deliverables related to Customer’s product and service testing (e.g., Beta and Delta testing). The transfer of Betabound Personal Data may occur from time to time or continuously during the Services term.