DATA PROCESSING ADDENDUM

Last updated November 5, 2024

This Data Processing Addendum (the “Addendum”) supplements and forms part of the Master Services
Agreement, Statement of Work(s) and all other agreements governing the Services (collectively referred
to as the “MSA”) entered into by Newfold Digital, Inc. and/or its Affiliates (“Company”) and Supplier
(“Supplier”). Unless otherwise defined in this Addendum, all capitalized terms not defined in the
Addendum will have the meanings given to them in the MSA.

This Addendum is put in place to ensure that Supplier Processes the Personal Data of the Company
according to the Company’s instructions and in compliance with Applicable Data Protection Laws as the
Data Processor or as an independent Controller as identified in the MSA.

The parties to this Addendum hereby agree to be bound by the terms and conditions as applicable with
effect from the effective date of the MSA (the “Effective Date”). Company may amend this Addendum
from time to time due to changes in Applicable Data Protection Laws or as otherwise determined by
Company using commercially reasonable discretion. Notwithstanding the terms of the MSA, any
amendment to this Addendum will become effective upon notification to Supplier (by email to a relevant
email address as provided by Supplier to Company, or by posting on Company’s website) and through
Supplier’s continued performance of the services pursuant to the MSA.

Supplier questions relating to this Addendum may be addressed to Company at privacy@newfold.com.

STANDARD TERMS FOR PROCESSING ADDENDUM

1. Definitions

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control
with the Company. For purposes of this definition, “control” means ownership of more than fifty percent
(50%) of the voting stock or equivalent ownership interest in an entity.

“Applicable Data Protection Laws” means:

• Brazil's General Data Protection Law (LGPD)

• California Consumer Privacy Act and from January 1, 2023, as amended by the
California Privacy Rights Act of 2020 (CCPA) Cal. Civ. Code 1798.100 et seq.
• Canada’s Federal Personal Information Protection and Electronic Documents Act
(PIPEDA)
• Colorado Privacy Act (CPA)
• European Union General Data Protection Regulation 2016/679 (GDPR), and the Privacy
and Electronic Communications Directive 2002/58/EC.
• Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance.
• UK Data Protection Act 2018, UK General Data Protection Regulation as defined by the
DPA as amended by the Data Protection, Privacy and Electronic Communications (as
amended from time to time “Amendments”) (EU Exit) Regulations 2019 (together with

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
 the DPA, the UK GDPR), and the Privacy and Electronic Communications Regulations
2003
• India’s Digital Personal Data Protection Act, 2023 ('the Act')
• Australia’s Privacy Act 1988 (No. 119, 1988) (as amended)
• New Zealand’s Privacy Act 2020 ('the Act')
• Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021
('PDPO')
• Ukraine’s Law of 1 June 2010 No. 2297-VI on Personal Data Protection
• Singapore’s Personal Data Protection Act 2012 (No. 26 of 2012)
• Philippines’ The Data Privacy Act of 2012 (Republic Act No. 10173)
• Virginia Consumer Data Protection Act (CDPA)
• Any other relevant law, statute, declaration, decree, directive, legislative enactment,
order, ordinance, regulation, rule or other binding instrument which implements any
of the above or which otherwise relates to data protection, privacy or the use of
Personal Data, in each case as applicable and in force from time to time, and as
amended, consolidated, re-enacted or replaced from time to time.

“Consumer” has the meaning given in the CCPA, the CPA, and/or the CDPA, as applicable.

“Controller to Controller Clauses” means (i) in respect of transfers of Personal Data and Customer
Account Information subject to the GDPR, the standard contractual clauses for the transfer of Personal
Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including
Module 1 (Controller to Controller); and (ii) in respect of transfers of Personal Data subject to the UK
GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
(version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or
replaced from time to time.

“Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR,
the standard contractual clauses for the transfer of Personal Data to third countries set out in
Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor);
and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer
Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK
Information Commissioner, in each case as amended, updated or replaced from time to time.

“Data Subject” means individual identified or identifiable by the Personal Data.

“Personal Data” has the meaning given under the Applicable Data Protection Laws and which is
provided by Data Controller to Data Processor for Processing on behalf of Data Controller pursuant to
the MSA.

“Process,” “Processed,” or “Processing” have the meaning given in the Applicable Data Protection Laws.

“Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR,
the standard contractual clauses for the transfer of Personal Data to third countries set out in
Commission Decision 2021/914 of 4 June 2021 specifically including Module 3 (Processor to Processor);
(ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK
Information Commissioner, in each case as amended, updated or replaced from time to time.

“Sell,” “Selling,” “Sale,” or “Sold” have the meaning given in the CCPA.

“Services” means services as identified in the MSA.

“Share,” “Sharing,” or “Shared” have the meaning given in the CCPA.

“Third Country (ies)” means a country or territory that is not recognized under Applicable Data
Protection Laws from time to time as providing adequate protection for Personal Data, including (i) in
relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data
protection laws of the European Economic Area, excluding countries approved as providing adequate
protection for Personal Data by the European Commission from time to time; and (ii) in relation to
Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection
laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the
relevant competent authority of the UK from time to time.

2. Conditions of Processing
2.1 This Addendum governs the terms under which the Supplier is required to Process Personal
Data on behalf of Company as the Data Controller or the Supplier Processes Personal Data as an
independent Controller.
2.2 The Personal Data is processed solely for the purpose of providing the goods and Services
described in the MSA for the duration thereof, as set out in Schedule 1 (Processing Details).
2.3 In the event of any conflict or discrepancy between the terms of the MSA and this Addendum,
the terms of this Addendum shall prevail, to the extent of the conflict. In the event of any
conflict or discrepancy between this Addendum and any applicable Clauses shall prevail to the
extent of the conflict.
3. Supplier’s Obligations as Data Processor
3.1 Supplier shall only Process Personal Data on behalf of Company and in accordance with, and for
the purposes set out in, the documented instructions received from Company from time to time
or as required by Applicable Data Protection Laws as the Controller. If Supplier cannot provide
such compliance for whatever reason (including if the instruction violates Applicable Data
Protection Laws), it agrees to inform Company of its inability to comply as soon as reasonably
practicable by emailing privacy@newfold.com, unless such law prohibits such information on
important grounds of public interest.
3.2 Supplier shall ensure that its personnel who are authorized to Process or Sell the Personal Data
have committed themselves to confidentiality or are under an appropriate statutory obligation
of confidentiality.
3.3 Supplier shall implement appropriate technical and organizational security measures, including
those measures set out in Schedule 2 (Technical and Organization Security Measures to Ensure
the Security of the Data), and shall continue to comply with such measures during the term of
this Addendum.
3.4 When Supplier Processes Personal Data as a Data Processor, Supplier shall notify Company
promptly upon receipt by Supplier of a request from a Data Subject seeking to exercise any of
their rights under Applicable Data Protection Laws (without responding to such request)
relevant to the Company. Supplier shall, at Company’s expense, assist Company by appropriate
technical and organizational measures, for the fulfillment of Company’s obligations to respond

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
 to any such requests by Data Subjects to exercise their rights under Applicable Data Protection
Laws (including the right to transparency and information, the Data Subject access right, the
right to rectification and erasure, the right to the restriction of processing, the right to data
portability and the right to object to processing). Supplier shall carry out a request from
Company to amend or correct any of the Personal Data to the extent necessary to allow
Company to comply with its responsibilities under Applicable Data Protection Laws. Further,
Supplier shall carry out a request from Company to block, transfer or delete any of the Personal
Data to the extent necessary to allow Company to comply with its responsibilities as a Data
Controller.
3.5 Supplier shall assist Company in carrying out its obligations under Applicable Data Protection
Laws, including Articles 32 to 36 of the GDPR and the UK GDPR, with respect to security, breach
notifications, impact assessments and consultations with supervisory authorities or
regulators. Supplier shall promptly notify Company at privacy@newfold.com about any breach
of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, Personal Data or any accidental or unauthorized access or any other
event affecting the integrity, availability or confidentiality of Personal Data, as required by
Applicable Data Protection Laws. Supplier shall assist Company in remediating or mitigating any
potential damage to Personal Data as a result of any such breach.
3.6 Upon termination of the Processing of Personal Data by Supplier and at the choice of Company,
Supplier shall either (i) promptly delete all Personal Data and any copies thereof; or (ii) promptly
return all Personal Data to Data Controller and delete existing copies unless otherwise required
by (and only to the extent required by) Applicable Data Protection Laws.
3.7 Company may collect voluntary disclosures from Supplier or request Supplier to provide an
expert opinion that proves compliance with their obligations under this Addendum or Applicable
Data Protection Laws, or to otherwise make available to Company all information necessary to
demonstrate compliance with this Addendum or Applicable Data Protection Laws. Supplier
shall, subject to reasonable advance notice, permit Company or a third-party authorized by
Company and which is not a competitor of Supplier to carry out an audit and inspection of the
processing of Personal Data by Supplier for the purposes of monitoring compliance with
Supplier’s obligations under this Addendum, during normal Supplier business hours. Supplier
may require a third-party auditor to enter into a confidentiality agreement before permitting it
to carry out an audit or inspection. The auditing party shall bear its own costs in relation to such
audit.
3.8 Supplier shall take all steps reasonably requested by Company to ensure that the Personal Data
is processed in compliance with Applicable Data Protection Laws, including (i) any guidance on
the interpretation of its provisions once it takes effect; or (ii) if changes to the membership
status of a country in the European Union or the European Economic Area require modification
to this Addendum, Supplier will negotiate such modifications in good faith.
3.9 The parties acknowledge and agree that some information provided to Supplier in connection
with the MSA may constitute “Personal Information” as defined under the CCPA. Terms defined
and used under the CCPA and used in the applicable provisions of this Addendum shall be
replaced as follows: "Personal Data" shall mean "Personal Information"; "Data Controller" shall
mean "Business"; "Data Processor" shall mean "Service Provider"; and "Data Subject" shall mean
"Consumer". Supplier will process Personal Data in accordance with the CCPA where applicable,
and solely for the purpose of providing the Services as specified in the MSA to Data
Controller. Supplier will not otherwise (i) process Personal Data for purposes other than those
set forth in the MSA or as instructed by Company’s documented written instruction, to the
extent feasible or required by CCPA; (ii) retaining, using, or disclosing the Personal Data for any

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
 purpose other than for the specific purpose of performing the Services; (iii) sell or share
Personal Data; (iv) retain, use, or disclose Personal Data outside of the direct business
relationship between Supplier and Company; or (v) retaining, using, or disclosing the Personal
Data for any purpose other than for the specific purpose of performing the Services combining
the Personal Data with any other information it receives from or on behalf of a third party or
collects from its own interaction with a Data Subject. If Supplier obtains any Sensitive Personal
Information (as defined under the CCPA), then in addition to the above, Supplier shall not use
such Sensitive Personal Information for any other purpose other than those set forth in the MSA
or as instructed by Company’s documented written instruction. Supplier certifies that it
understands these restrictions and will comply with them. If Supplier must process Personal
Data as otherwise required by applicable law, Supplier shall inform Company of that legal
requirement before processing Personal Data, unless that law prohibits such disclosure on
important grounds of public interest.
3.10 The Parties acknowledge and agree that some information provided to Data Processor in
connection with the Terms of Service may constitute “Personal Data” as defined under the
CDPA. Terms defined and used under the CDPA and used in the applicable provisions of this
Addendum shall be replaced as follows: "Data Controller" shall mean "Controller"; "Data
Processor" shall mean "Processor"; and "Data Subject " shall mean "Consumer". Data Processor
will not otherwise process Personal Data for purposes other than those set forth in the MSA or
as instructed by Data Controller’s documented written instruction, to the extent feasible or
required by CDPA, and solely for the purpose of providing the Services as specified in Annex I to
Company. Supplier will (i) ensure that each person processing Personal Data is subject to a duty
of confidentiality with respect to the Personal Data; (ii) at Company direction, delete or return
all Personal Data to the Company as requested at the end of the provision of Services, unless
retention of the Personal Data is required by law; (iii) upon the reasonable request of the
Company, but in no event once annually, make available to the Company all information in
Supplier’s possession necessary to demonstrate Supplier’s compliance with the obligations in
this Section 3.10; and (iv) in accordance with the CDPA: (1) assist Company with response to
Data Subject requests pursuant to the CDPA, (2) assist the Company in meeting the Company’s
obligations in relation to (a) the security of processing the Personal Data and (b) the notification
of a breach of security of the system of the Supplier as Data Processor, and (3) provide
information as necessary to enable the Company to conduct and document data protection
assessments pursuant to the CDPA. Supplier certifies that it understands these restrictions and
will comply with them. If Supplier must process Personal Data as otherwise required by
applicable law, Data Processor shall inform Company of that legal requirement before
processing Personal Data, unless that law prohibits such disclosure on important grounds of
public interest.
3.11 The parties acknowledge and agree that some information provided to Supplier in connection
with the Terms of Service may constitute “Personal Data” as defined under the CPA. Terms
defined and used under the CPA and used in the applicable provisions of this Addendum shall be
replaced as follows: "Data Controller" shall mean "Controller"; "Data Processor" shall mean
"Processor"; and "Data Subject " shall mean "Consumer". Data Processor will not otherwise
process Personal Data for purposes other than those set forth in the MSA or as instructed by
Data Controller’s documented written instruction, to the extent feasible or required by CPA, and
solely for the purpose of providing the Services as specified in Annex I to Data Controller.
Supplier will (i) ensure that each person processing Personal Data is subject to a duty of
confidentiality with respect to the Personal Data; (ii) at Company direction, delete or return all
Personal Data to the Company as requested at the end of the provision of Services, unless

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
 retention of the Personal Data is required by law; (iii) upon the reasonable request of the
Company, but in no event once annually, make available to the Company all information in Data
Processor’s possession necessary to demonstrate Supplier’s compliance with the obligations in
this Section 3.11; and (iv) in accordance with the CPA: (1) assist company with response to Data
Subject requests pursuant to the CPA, (2) assist the Company in meeting the Data Controller’s
obligations in relation to (a) the security of processing the Personal Data and (b) the notification
of a breach of security of the system of the Supplier as the Data Processor, and (3) provide
information as necessary to enable the Company to conduct and document data protection
assessments pursuant to the CPA. Supplier certifies that it understands these restrictions and
will comply with them. If Supplier must process Personal Data as otherwise required by
applicable law, Supplier shall inform Company of that legal requirement before processing
Personal Data, unless that law prohibits such disclosure on important grounds of public interest.

International Data Transfers

3.12 Company acknowledges and agrees that Supplier may, or may appoint an Affiliate or third-party
subprocessor to, Process Personal Data in a Third Country, provided that it ensures that such
Processing takes place in accordance with the requirements of Applicable Data Protection Laws,
the MSA and this Addendum.
3.13 To the extent Supplier processes Personal Data subject to the GDPR or the UK GDPR in a Third
Country or permit any third party including its subcontractors to Process such Personal Data in
any Third Country, and it or they are acting as data importer, Supplier shall:
(i) Comply with the Data Importer’s obligations set out in the following standard
contractual clauses, which are hereby incorporated into and form part of this
Agreement, and:
(A) for the purposes of Annex I or Part 1 (as relevant) of such Controller to
Processor Clauses, Processor to Processor Clauses, and Controller to Controller
Clauses (“Clauses”), the parties and processing details set out in Schedule 1
(Processing Details) shall apply, and the Start Date is the Effective Date;
(B) if applicable, for the purposes of Part 1 of such Clauses, the relevant Addendum
EU SCCs (as such term is defined in the applicable Clauses) are the standard
contractual clauses for the transfer of Personal Data to third countries set out in
Commission Decision 2021/914 of 4 June 2021 (Module 1, 2 or 3) as
incorporated into this Agreement by virtue of this Section 3.13;
(C) for the purposes of Annex II or Part 1 (as relevant) of such Clauses, the technical
and organisational security measures set out in Schedule 2 (Technical and
Organization Security Measures to Ensure the Security of the Data); and
(D) if applicable, for the purposes of: (i) Clause 9 of such Clauses, Option 2 (“General
written authorization”) is deemed to apply and a notice period of 30 days shall
apply; (ii) Clause 11(a) of such Clauses, the optional wording in relation to
independent dispute resolution is deemed to be included; (iii) Clause 13 and
Annex I.C, the competent supervisory authority shall be the Dutch Supervisory
Authority (Autoriteit Persoonsgegevens); (iv) Clause 17, Option 1 is deemed to
be selected and the governing law shall be Dutch laws; (v) Clause 18, the
competent courts shall be the courts of the Netherlands; (vi) Part 1 of such
Clauses, Company as data exporter may terminate the Clauses pursuant to
Section 19 of such Clauses;

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
 (ii) execute the data processing addendums or agreements in compliance with Applicable
Data Protection Laws with any relevant sub-processor or subcontractor (including
Affiliates) it appoints on behalf of Company;
(iii) at Company’s request (from time to time), enter separately into additional data
processing addendums or agreements with Company; and
(iv) if agreed between parties, take any other alternative or additional steps reasonably
requested by Company in order to ensure that such Processing takes place in
accordance with the requirements of Applicable Data Protection Laws.
3.14 To the extent a party Processes Personal Data in a Third Country or permits any third party
including its subcontractors to Process Personal Data in any Third Country, other than as
described in Section 3.13, each party shall, and shall procure that any relevant third party shall,
comply with Applicable Data Protection Laws in relation to such Personal Data transfers. To the
extent required by Applicable Data Protection Laws, the parties agree that the Clauses; the
processing details set out in Schedule 1; and the description of technical and organizational
security measures set out in Schedule 2, shall apply mutually for the benefit of such transfer or
Third Country Processing.

4. Sub-Contracting

Company consents to Supplier engaging the third-party subprocessors listed on Supplier website or
otherwise notified to Company by Supplier to process the Personal Data solely to the extent necessary
for the purposes of providing the Services. Supplier shall provide Company with 30 days’ prior notice of
any intended changes to Supplier’s subprocessors (including by posting such notice on its website),
during which time Company may object to any such amendment. Supplier shall ensure that it has a
written agreement in place with all subprocessors which contains obligations on the subprocessors
which are no less onerous on the relevant subprocessor than the obligations on Supplier under this
Addendum. Supplier remains liable for the Processing under the terms of this Addendum and the MSA,
including Processing carried out by its subprocessors.

5. Termination

Termination of this Addendum shall be governed by the MSA.

6. Law and Jurisdiction

This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or
in connection with it or its subject matter or formation shall be governed by and construed in all
respects in accordance with the laws of the State of Florida and each of party hereby submits to the
jurisdiction of the federal or state courts located in the County of Duval, Florida.

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
 Schedule 1

PROCESSING DETAILS

A. LIST OF PARTIES

Data exporter(s):

Name: Newfold Digital, Inc. and/or the relevant Newfold Digital Affiliate
Address: 5335 Gate Pkwy, Jacksonville, FL 32256, U.S.A.
Contact: Data Protection Officer, privacy@newfold.com

Activities relevant to the data transferred under this Addendum are as identified in the MSA and other
relevant agreements applicable to the Services provided to the Data Exporter by the Data Importer.

Role: Data Controller or Data Processor

Data importer(s):

See MSA between Supplier and Company.

Role: Data Processor or Data Controller

B. DESCRIPTION OF TRANSFER

i. The subject matter of the data processing covered by this Addendum is the Personal Data,
processed for the purposes of the MSA and this Addendum. The Personal Data is processed
solely for the purpose of providing the goods and Services described in the MSA for the
duration thereof. The nature of the Processing consists of collecting, analyzing, and utilizing
the data to perform the Services set forth in the MSA. Personal Data that may be Processed
under this MSA may belong to the following Data Subjects without limitation: (i) Company’s
customers, business partners and vendors; (ii) employees of Company’s customers, business
partners and vendors; and (iii) Company’s employees, agents, advisors and freelancers.
ii. The Personal Data Processed may include, but is not limited to: (i) identification and contact
information (such as name, address, title and contact details) of Company’s customers,
business partners and vendors; (ii) identification and contact information of employees of
Company’s customers, business partners and vendors; (iii) identification and contact
information of Company’s employees, agents, advisors, freelancers; and/or (iv) IT information
such as IP addresses and cookies data of the Data Subjects listed in this clause.
iii. The subject matter, the nature, and duration of processing by relevant subprocessors is as set
out in this Schedule 1 and as permitted by this Addendum.

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement
 Schedule 2

TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Company’s information security program implementing appropriate technical and organizational
security measures is detailed at https://newfold.com/privacy-center/information-security-policy, as
amended, updated or replaced from time to time (the “Security Policy”).

The Supplier shall meet or exceed the standards of the Company’s Security Policy. When appropriate, the
MSA will include a description of processes for regularly testing, assessing and evaluating the effectiveness
of technical and organizational measures in order to ensure the security of the processing.

Newfold Digital, Inc. and/or Affiliate and Supplier

Data Processing Addendum for Master Services Agreement