Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between the customer identified in the applicable Order Form ("Customer," "Controller," or "you") and Aperture Technologies, Inc. ("Aperture," "Processor," "we," or "us") governing Customer's use of the Aperture verified delivery platform (the "Agreement"). This DPA applies to the extent that Aperture processes Personal Data on behalf of Customer in connection with the Service.

In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA will prevail.

1. Scope and Application

This DPA governs the processing of Personal Data by Aperture (acting as Processor) on behalf of Customer (acting as Controller) in connection with the provision of the Service under the Agreement. This DPA applies to all processing activities performed by Aperture, its affiliates, and its Subprocessors on behalf of Customer.

This DPA does not apply to Personal Data for which Aperture is an independent controller, such as data collected for account administration, billing, or compliance with legal obligations, which is governed by Aperture's Privacy Policy.

2. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. The following definitions apply to this DPA:

• "Data Controller" (or "Controller") means the entity that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, the Customer is the Data Controller.
• "Data Processor" (or "Processor") means the entity that processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Aperture is the Data Processor.
• "Data Protection Law" means all applicable data protection and privacy laws, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA"); (d) the Colorado Privacy Act ("CPA"); (e) the Virginia Consumer Data Protection Act ("VCDPA"); (f) the Connecticut Data Privacy Act ("CTDPA"); and (g) the Utah Consumer Privacy Act ("UCPA"), each as amended from time to time.
• "DPA Data" means Personal Data that Aperture processes on behalf of Customer in connection with the provision of the Service.
• "Instructions" means the documented instructions provided by Customer to Aperture regarding the processing of Personal Data, as set forth in this DPA, the Agreement, and any applicable Order Form, or as otherwise agreed in writing.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Aperture on behalf of Customer in connection with the Service, as defined under applicable Data Protection Law.
• "Processing" (including "process" and "processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, DPA Data transmitted, stored, or otherwise processed by Aperture or its Subprocessors.
• "Standard Contractual Clauses" (or "SCCs") means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914, or any successor clauses adopted by the European Commission.
• "Subprocessor" means any third party engaged by Aperture (or by another Subprocessor of Aperture) to process DPA Data on behalf of Customer.

3. Processing of Personal Data

3.1 Scope of Processing

Aperture will process DPA Data solely in accordance with Customer's documented Instructions and only to the extent necessary for the purposes of providing, maintaining, and securing the Service. Aperture will not process DPA Data for any other purpose unless required to do so by applicable law, in which case Aperture will inform Customer of that legal requirement before processing (unless the law prohibits such notification on important grounds of public interest).

3.2 Categories of Data Subjects

The categories of data subjects whose Personal Data may be processed under this DPA include:

• Customer's authorized users of the Service;
• Clients, counterparties, and contacts of Customer's authorized users whose information is included in Customer Data;
• Other individuals whose Personal Data is contained within documents, files, or information uploaded to or processed through the Service.

3.3 Types of Personal Data

The types of Personal Data processed under this DPA may include:

• Names and professional titles;
• Business contact information (email addresses, phone numbers, business addresses);
• Professional and employment details;
• Other Personal Data contained within Customer Data uploaded to or processed through the Service.

3.4 Duration of Processing

Aperture will process DPA Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.

3.5 Compliance

If Aperture becomes aware that processing DPA Data in accordance with Customer's Instructions would violate applicable Data Protection Law, Aperture will promptly notify Customer. Aperture will not be liable for non-compliance resulting from following Customer's Instructions that violate applicable law, provided Aperture has given such notice.

4. Subprocessor Management

4.1 Use of Subprocessors

Customer grants Aperture general authorization to engage Subprocessors to process DPA Data, subject to the requirements of this Section 4. Aperture maintains a current list of Subprocessors, which is available upon request to privacy@runaperture.com.

4.2 Advance Notice

Aperture will provide Customer with at least thirty (30) days' advance written notice before engaging any new Subprocessor or replacing an existing Subprocessor, including the name, location, and nature of the processing to be performed by the proposed Subprocessor.

4.3 Objection Rights

Customer may object in writing to Aperture's engagement of a new Subprocessor within fifteen (15) days of receiving notice. The objection must state reasonable grounds related to data protection. If Customer objects, the parties will work together in good faith to find a mutually acceptable resolution. If no resolution can be reached within thirty (30) days of the objection, Customer may terminate the affected portion of the Service without penalty by providing written notice to Aperture, and Aperture will refund any prepaid, unused fees attributable to the terminated portion.

4.4 Subprocessor Obligations

Aperture will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set forth in this DPA. Aperture will remain fully liable to Customer for the performance of each Subprocessor's obligations regarding the processing of DPA Data.

5. Data Subject Requests

5.1 Assistance with Requests

Aperture will assist Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable Data Protection Law ("Data Subject Requests"), including rights of access, rectification, erasure, restriction, data portability, and objection. Aperture will provide such assistance by appropriate technical and organizational measures, taking into account the nature of the processing.

5.2 Direct Requests

If Aperture receives a Data Subject Request directly from a data subject, Aperture will notify Customer within five (5) business days and will not respond to the request directly unless legally required to do so or instructed by Customer. Aperture will provide Customer with commercially reasonable cooperation and assistance in relation to the handling of such requests.

5.3 Costs

To the extent that Customer's request for assistance with Data Subject Requests requires Aperture to undertake effort beyond the scope of the Service, Aperture may charge a reasonable fee for such assistance, provided that Aperture notifies Customer of such fees in advance.

6. Security Measures

6.1 Technical and Organizational Measures

Aperture will implement and maintain appropriate technical and organizational measures designed to protect DPA Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, as further described in Aperture's Security Addendum. These measures include, but are not limited to:

• Encryption of DPA Data in transit and at rest;
• Session-level isolation of Customer environments;
• Access controls aligned with the principle of least privilege;
• Regular security testing and vulnerability assessments;
• Logging and monitoring of access to DPA Data;
• Business continuity and disaster recovery procedures.

6.2 Continuous Improvement

Aperture will regularly evaluate and update its security measures to address evolving threats and industry standards. Aperture will not materially reduce the overall level of security protection during the term of the Agreement.

6.3 Personnel

Aperture will ensure that all personnel authorized to process DPA Data are bound by appropriate obligations of confidentiality, whether contractual or statutory. Aperture will provide appropriate data protection training to personnel with access to DPA Data.

7. Security Incident Notification

7.1 Notification

Aperture will notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Security Incident. Notification will be made to Customer's designated security contact or, if none has been designated, to the primary account contact.

7.2 Incident Details

Aperture's notification will include, to the extent reasonably available at the time of notification:

• The nature and scope of the Security Incident, including the categories and approximate number of data subjects and data records affected;
• A description of the DPA Data affected or likely affected;
• The likely consequences of the Security Incident;
• The measures taken or proposed to be taken by Aperture to address the Security Incident, including measures to mitigate its potential adverse effects;
• The name and contact details of the Aperture point of contact from whom further information may be obtained.

7.3 Ongoing Cooperation

Aperture will provide timely updates as additional information becomes available and will cooperate with Customer's reasonable requests to investigate, mitigate, and remediate the Security Incident. Aperture will take all commercially reasonable steps to contain the Security Incident, mitigate any damage, and prevent recurrence.

7.4 Notification Not an Admission

Aperture's notification of, or response to, a Security Incident under this Section 7 will not be construed as an acknowledgment by Aperture of any fault or liability with respect to the Security Incident.

8. Audit Rights

8.1 Documentation and Reports

Upon Customer's written request (no more than once per twelve-month period), Aperture will make available to Customer the following:

• A copy of Aperture's most recent SOC 2 report or equivalent independent audit report;
• A summary of the results of Aperture's most recent penetration test, with commercially sensitive details redacted;
• Responses to a reasonable security questionnaire, not to exceed one hundred (100) questions annually.

8.2 Onsite Audit

If the documentation provided under Section 8.1 is insufficient for Customer to verify Aperture's compliance with this DPA, Customer may conduct (or appoint a qualified, independent third-party auditor to conduct) an onsite audit of Aperture's processing facilities and operations, subject to the following conditions:

• Customer must provide at least thirty (30) days' prior written notice of the audit;
• The audit must be conducted during normal business hours and in a manner that minimizes disruption to Aperture's operations;
• The audit will be conducted at Customer's sole expense;
• Any third-party auditor must execute a confidentiality agreement acceptable to Aperture prior to conducting the audit;
• Customer may conduct no more than one onsite audit per twelve-month period.

8.3 Regulatory Audits

Nothing in this Section 8 limits the audit rights of any data protection authority or other regulatory body with jurisdiction over Customer or Aperture under applicable Data Protection Law.

9. Cross-Border Data Transfers

9.1 General

To the extent that Aperture processes DPA Data originating from the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland in a country that has not been deemed to provide an adequate level of data protection, Aperture will ensure that appropriate safeguards are in place as required by applicable Data Protection Law.

9.2 EU-US Data Privacy Framework

Aperture relies on the EU-US Data Privacy Framework ("EU-US DPF"), as set forth by the U.S. Department of Commerce, for transfers of Personal Data from the EEA to the United States. Aperture commits to comply with the EU-US DPF Principles with regard to such transfers.

9.3 Standard Contractual Clauses

To the extent that the EU-US DPF does not apply or is invalidated, the parties agree to enter into the Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission in Implementing Decision (EU) 2021/914, which are hereby incorporated by reference. For purposes of the SCCs:

• The data exporter is the Customer (Controller);
• The data importer is Aperture (Processor);
• The competent supervisory authority is the supervisory authority of the EEA Member State in which the data exporter is established;
• The governing law is the law of the EEA Member State in which the data exporter is established.

9.4 UK International Data Transfer Addendum

For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018) is hereby incorporated by reference and supplements the SCCs as described in Section 9.3.

9.5 Swiss-US Data Privacy Framework

For transfers of Personal Data from Switzerland, Aperture relies on the Swiss-US Data Privacy Framework ("Swiss-US DPF"). To the extent the Swiss-US DPF does not apply, the SCCs as described in Section 9.3 will apply, with the modifications required by the Swiss Federal Data Protection Act.

10. US State Privacy Law Obligations

10.1 CCPA Compliance

To the extent that the CCPA applies to Customer's Personal Data, Aperture acts as a "Service Provider" (as defined in the CCPA) with respect to DPA Data. Aperture certifies that it understands the restrictions and obligations set forth in this DPA and will comply with them.

10.2 Prohibited Activities

Aperture will not:

• Sell or share (as those terms are defined under the CCPA) DPA Data;
• Retain, use, or disclose DPA Data for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA;
• Retain, use, or disclose DPA Data outside of the direct business relationship between Aperture and Customer;
• Combine DPA Data with Personal Data received from or on behalf of another person or entity, or collected from Aperture's own interactions with data subjects, except as expressly permitted by the CCPA;
• Attempt to reidentify any deidentified data received from Customer.

10.3 Other State Laws

To the extent that other US state privacy laws apply (including the CPA, VCDPA, CTDPA, and UCPA), Aperture will process DPA Data in compliance with its obligations as a processor under such laws and in accordance with Customer's Instructions.

11. Customer Obligations

11.1 Lawful Basis

Customer is responsible for ensuring that it has a valid lawful basis for the processing of Personal Data under applicable Data Protection Law, including obtaining all necessary consents, providing all required notices to data subjects, and maintaining appropriate records of processing activities.

11.2 Instructions

Customer is responsible for ensuring that its Instructions to Aperture comply with applicable Data Protection Law. Customer will promptly inform Aperture if it becomes aware that any Instruction may violate applicable law.

11.3 Cooperation

Customer will cooperate with Aperture in connection with Aperture's compliance with its obligations under this DPA, including providing timely information and assistance as reasonably requested by Aperture.

11.4 Secure Configuration

Customer is responsible for properly configuring the Service and implementing appropriate access controls, authentication settings, and security measures within its control. Aperture is not liable for Security Incidents resulting from Customer's failure to implement reasonable security configurations.

12. AI-Specific Provisions

12.1 Regulatory Review

Both parties acknowledge that the regulatory landscape for artificial intelligence is evolving. Each party will periodically review this DPA to assess its compliance with applicable AI legislation and data protection requirements, including the EU AI Act and any other applicable AI governance frameworks.

12.2 No Training on Customer Data

Aperture will not use DPA Data to train, fine-tune, or improve general-purpose AI or machine learning models. This restriction extends to Aperture's Subprocessors, who are contractually prohibited from retaining, using, or training on DPA Data, except as strictly necessary for the provision of cloud hosting and infrastructure services.

12.3 Good-Faith Amendment

In the event that new AI-specific legislation or regulatory guidance materially affects the processing activities contemplated by this DPA, either party may request amendments to this DPA to ensure continued compliance. The parties will negotiate such amendments in good faith and without undue delay.

13. Data Return and Deletion

13.1 Data Export

Upon termination or expiration of the Agreement, Aperture will make DPA Data available for Customer to export for a period of thirty (30) days following the effective date of termination or expiration. Aperture will provide commercially reasonable assistance with data export upon Customer's request.

13.2 Deletion

Following the thirty (30) day export period described in Section 13.1, Aperture will delete all DPA Data in its possession and in the possession of its Subprocessors, including all existing copies, unless applicable law requires retention of such data. Where retention is legally required, Aperture will isolate the retained DPA Data from further processing and will delete it when the retention obligation expires.

13.3 Certification

Upon Customer's written request, Aperture will provide written certification confirming that it has complied with the deletion obligations set forth in this Section 13.

14. Term

This DPA takes effect on the effective date of the Agreement and remains in effect for the duration of the Agreement. Notwithstanding the foregoing, this DPA will survive termination or expiration of the Agreement until Aperture ceases all processing of DPA Data on behalf of Customer, including completion of the data return and deletion obligations set forth in Section 13.

15. Order of Precedence

In the event of a conflict between the provisions of this DPA and the Agreement (including any Order Form) with respect to the processing of Personal Data, the provisions of this DPA will prevail. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.