Data Processing Addendum

Last Updated: January 17, 2024

This Data Processing Addendum (the “DPA”) is incorporated into and forms part of the Master Services Agreement or any other written agreement governing the Services and access to and use of the Platform (the “Services Agreement”) between Valid8 Financial, Inc., a corporation (“Valid8”), and the legal entity that has accepted the Services Agreement (“Customer”).

1. DEFINITIONS AND INTERPRETATION

The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Services Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Services Agreement, the provisions of this DPA will prevail with respect to the subject matter hereof; and in the case of conflict or ambiguity between any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail. This DPA shall only apply to the processing of Personal Information subject to applicable Privacy and Data Protection Requirements. Except as expressly modified below, the terms of the Services Agreement shall remain in full force and effect.

The following definitions and rules of interpretation apply in this DPA; any capitalized terms not defined herein that are defined in the Services Agreement shall have the definition given in the Services Agreement. 

“Business Purpose” means performing the Services described in the Services Agreement and carrying out Customer’s lawful processing instructions, including to perform Valid8’s obligations and exercise its rights under the Services Agreement and to prevent or address technical problems with the Services.

“Data Subject” means an individual who is the subject of Personal Information.

“European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Personal Information in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this DPA.

“Personal Information” means any information Valid8 processes on behalf of Customer to perform the Services under the Services Agreement that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under the relevant Privacy and Data Protection Requirements.

“Processing,” “processes,” or “process” means any operation or set of operations performed upon Personal Information, whether or not by automated means, that the relevant Privacy and Data Protection Requirements include in the definition of processing, processes, or process, such as collecting, recording, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

“Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the Processing, protection, or privacy of the Personal Information, including, in each case to the extent applicable, European Data Protection Laws and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, “CCPA”).

“Security Breach” means a breach of Valid8’s security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized access, disclosure, or acquisition of Personal Information in Valid8’s possession, custody, or control.

“Standard Contractual Clauses” means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (currently available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1688587744942), as supplemented or modified herein.

2. ROLES OF THE PARTIES; DETAILS OF PROCESSING 

The parties acknowledge and agree that, as between the parties, with regard to the Processing of Personal Information under the Services Agreement, Customer is a data controller (or acting on behalf of a third-party data controller) and Valid8 is a processor or service provider (as such terms are defined under applicable Privacy and Data Protection Requirements). The parties further acknowledge that the Personal Information disclosed by Customer to Valid8 is provided for the limited and specified Business Purposes. Customer retains control of the Personal Information it submits through the Services and remains responsible for its compliance obligations pursuant to the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the Processing instructions it gives to Valid8. Customer shall notify Valid8 of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Personal Information that would impact Valid8’s ability to comply with the Services Agreement, this DPA, or Privacy and Data Protection Requirements. 

3. VALID8'S OBLIGATIONS

3.1  Valid8 shall only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with Customer's instructions unless otherwise required by applicable law. Valid8 will not process, retain, use, or disclose the Personal Information for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements; except that Valid8 may process, retain, and use aggregated and anonymized forms of the Personal Information and anonymous or de-identified data derived from the Personal Information provided Valid8 (i) takes reasonable measures to ensure that such de-identified data cannot be associated with a Data Subject, (ii) complies with Privacy and Data Protection Requirements with respect to creation of such de-identified data, (iii) publicly commits to maintaining and using de-identified data without attempting to reidentify the data, and (iv) contractually obligates any recipients of the de-identified data to comply with substantially similar restrictions. Valid8 shall notify Customer if, in its opinion, Customer's instruction would not comply with the Privacy and Data Protection Requirements.

3.2  Valid8 shall comply with any reasonable Customer request or instruction requiring Valid8 to amend, transfer, or delete the Personal Information, or to stop any unauthorized Processing. Valid8 will take reasonable steps to maintain the confidentiality of all Personal Information, will not sell (as such term is defined under the Privacy and Data Protection Requirements) it to anyone or use it for cross-context behavioral advertising, and will not disclose it to third parties or combine it with personal information received outside of the parties’ business relationship unless Customer, the Services Agreement, or this DPA authorizes such disclosure or Processing, or as required by law.

3.3  Valid8 will reasonably assist Customer with meeting Customer's compliance obligations pursuant to the Privacy and Data Protection Requirements, accounting for the nature of Valid8's Processing and the information available to it. Customer acknowledges that Valid8 is under no duty to investigate the completeness, accuracy, or sufficiency of any Customer instructions or the Personal Information other than as required pursuant to the Privacy and Data Protection Requirements.

4. CONFIDENTIALITY

Valid8 will take reasonable steps to (i) limit Personal Information access to Valid8 personnel who require Personal Information access to meet Valid8's obligations pursuant to this DPA and the Services Agreement; and (ii) ensure that all such personnel: (a) are informed of the Personal Information's confidential nature and use restrictions; (b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information; and (c) are aware both of Valid8's duties and their personal duties and obligations pursuant to the Privacy and Data Protection Requirements and this DPA.

5. SECURITY

Valid8 shall implement and periodically review appropriate technical and organizational measures designed to safeguard Personal Information against a Security Breach. Valid8 shall take reasonable precautions designed to preserve the integrity of any Personal Information it Processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing back-up and data restoration procedures. Customer agrees that, without limitation of Valid8’s obligations under this Section 5, Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Information; and (ii) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Services. 

6. SECURITY BREACHES

Valid8 shall notify Customer without undue delay upon becoming aware of a confirmed Security Breach and take reasonable steps to identify the cause of such Security Breach, minimize harm, and prevent a recurrence.  Valid8 will take reasonable steps to provide Customer with information available to Valid8 that Customer may reasonably require to comply with its obligations under Privacy and Data Protection Requirements.  Valid8 shall not inform any third party of Customer’s involvement in a Security Breach without first obtaining Customer's consent, except when law or regulation requires it. Valid8’s notification of or response to a Security Breach under this Section 6 will not be construed as an acknowledgement by Valid8 of any fault or liability with respect to the Security Breach.

7. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION

7.1  Customer acknowledges that Valid8 may, subject to Sections 7.2 and 7.3, Process Personal Information in the United States or anywhere Valid8 or its Subprocessors maintains facilities.  Customer is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Privacy and Data Protection Requirements.

7.2  If Customer transfers Personal Information to Valid8 that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as “data exporter”) and Valid8 (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the parties agree that: (i) the execution of the Services Agreement shall constitute execution of the applicable Standard Contractual Clauses as of the effective date of the Services Agreement; (ii) the Standard Contractual Clauses shall automatically terminate once the Personal Information transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis; and (iii) the following selections, terms, and modifications shall apply, as applicable: 

(a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 8 of this DPA; 

(b) the optional language in Clause 11(a) is omitted; 

(c) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; 

(d) in Clause 18(b), the parties select the courts of the Republic of Ireland;

(e) the name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Services Agreement and this DPA shall be used to complete Annex I.A. of the Standard Contractual Clauses;

(f) the details of the processing set forth in this DPA shall be used to complete Annex I.B. of the Standard Contractual Clauses;

(g) the competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, and if such determination is not clear, then the competent supervisory authority shall be the Irish Data Protection Authority; 

(h) the technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures described in this DPA; and 

(i) in accordance with Clause 2 of the Standard Contractual Clauses, the parties agree that the applicable terms of the Services Agreement and this DPA shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the provisions pertaining to audits, limitation of liability, and termination. 

7.3  If Customer transfers Personal Information to Valid8 that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (i) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (ii) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Customer’s Processing when making the transfer; (iii) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in Section 7.2 and this DPA; and (iv) either party may end the UK Addendum in accordance with section 19 thereof.

7.4  If Customer transfers Personal Information to Valid8 that is subject to the Swiss FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP applies to Customer’s Processing when making that transfer: (i) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (ii) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FADP; and (iii) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.

7.5  If Customer transfers Personal Information to Valid8 that is subject to Privacy and Data Protection Requirements other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Personal Information, and the transfer is not subject to an alternative adequate transfer mechanism under Privacy and Data Protection Requirements or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant supervisory authority pursuant to such Privacy and Data Protection Requirements shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 7.2. 

8. SUBPROCESSORS

Subject to the requirements of this Section 8, Customer generally authorizes Valid8 to engage third parties as Valid8 considers reasonably appropriate for the Processing of Personal Information (each a “Subprocessor”). A list of Valid8’s Subprocessors, including their functions and locations, is available upon Customer’s written request and may be updated by Valid8 from time to time in accordance with this Section 8. Valid8 may only authorize a Subprocessor to Process the Personal Information if: (a) the Customer is given an opportunity to object within five (5) business days after Valid8 notifies Customer of such Subprocessor; (b) Valid8 enters into a written contract with the Subprocessor that contains terms substantially the same as those set out in this DPA; (c) Valid8 maintains control of all Personal Information it entrusts to the Subprocessor; and (d) the Subprocessor’s right to process Personal Information of Customer terminates immediately upon termination of this DPA. Where a Subprocessor fails to fulfill its obligations pursuant to such written agreement, Valid8 remains fully liable to Customer for the Subprocessor’s performance of its obligations. 

9. COMPLAINTS, DATA SUBJECT REQUESTS, AND THIRD-PARTY RIGHTS

Valid8 shall notify Customer promptly if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information Processing or to either party's compliance with the Privacy and Data Protection Requirements. Valid8 will reasonably cooperate and assist Customer with responding to any complaint, notice, communication, or Data Subject request. Valid8 reserves the right to charge Customer on a time and materials basis in the event that Valid8 considers that such assistance is onerous, complex, frequent, or time consuming.  Valid8 shall not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at Customer's request or instruction, permitted by this DPA, or is otherwise required by law.

10. TERM AND TERMINATION

10.1  This DPA will remain in full force and effect so long as: (a) the Services Agreement remains in effect; or (b) Valid8 retains any Personal Information related to the Services Agreement and subject to the Privacy and Data Protection Requirements in its possession or control.  Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services Agreement in order to protect Personal Information will remain in full force and effect. In the event of either party’s material breach of this DPA and (provided that such breach is capable of cure) such breach is not cured within 30 days following written notice of such breach, the non-breaching party may terminate any part of the Services Agreement authorizing the Processing of Personal Information effective immediately upon written notice to the breaching party in accordance with the termination rights set forth in the Services Agreement. 

10.2  If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Services Agreement obligations, the parties will suspend the Processing of Personal Information until that Processing complies with the new requirements, and any delay in performance of other obligations related to the Processing of Personal Information shall be excused until such compliance is attained. If the parties are unable to bring the Personal Information Processing into compliance with the Privacy and Data Protection Requirement within a reasonable period of time agreed to between the parties, either party may terminate the Services Agreement upon written notice to the other party.

11. DATA RETURN AND DESTRUCTION

At Customer's written request, Valid8 will give Customer a copy of or access to all or part of Customer's Personal Information in its possession or control in a commercially reasonable, machine readable format.  On termination of the Services Agreement for any reason or expiration of its term, Valid8 will securely destroy or, if directed in writing by Customer, return and not retain, all or any Personal Information in its possession or control in accordance with the terms of the Services Agreement, except as required by any law, regulation, or government or regulatory body. Valid8 may only use such retained Personal Information for the required retention reason or audit purposes.  

12. RECORDS

Upon Customer’s reasonable written request, Valid8 will make available to Customer all information in Valid8’s possession reasonably necessary to demonstrate Valid8’s compliance with Privacy and Data Protection Requirements and Valid8’s obligations set out in this DPA. Such information will be available to Customer upon written request, and no more than once per calendar year and subject to the confidentiality obligations of the Services Agreement or a mutually-agreed non-disclosure agreement.

13. AUDIT

No more than once per year during the term of the Services Agreement, upon Customer's written request, Valid8 will provide a copy of its most recent SOC Type II report or similar industry certification or any successor standards (“Report”) for information security management. Customer will treat such Report as Valid8's Confidential Information subject to all the confidentiality obligations of the Services Agreement. Customer may use the Report solely for the purposes of meeting Customer’s audit requirements under Privacy and Data Protection Requirements to confirm that Valid8’s Processing of Personal Information complies with this DPA.

14. GENERAL TERMS

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. Unless otherwise expressly stated herein, the parties will provide notices under this DPA in accordance with the Services Agreement, provided that all such notices may be sent via email. Any liabilities arising in respect of this DPA are subject to the limitations of liability under the Services Agreement. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Services Agreement, unless required otherwise by Privacy and Data Protection Requirements.
