Last updated: June 6, 2023

This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Artie Technologies Inc. (“Artie”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

1. Definitions

1.1. In this DPA:

“Data Protection Law” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.

“Data Subject” means a natural person whose Personal Data is Processed.

“Deidentified Data” means data created using Personal Data that cannot reasonably be linked to such Personal Data, directly or indirectly.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR” or, where applicable, the “UK GDPR” as defined in section 3 of the DPA 2018.

“Personal Data” means any information that relates, directly or indirectly, to an identified or identifiable natural person that Artie may Process on Customer’s behalf in performing the services under the Agreement.

“Processing” (including its cognate "Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.

“Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), and (ii) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).

"Swiss Data Protection Laws" means the Swiss Federal Act Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force for time to time.

1.2 Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2. Scope and Roles

2.1 The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.

2.2 Artie agrees that it will Process Personal Data only in accordance with the Agreement and this DPA. To the extent applicable, Artie will Process Personal Data as a “processor” or “service provider” and Customer shall act as a “controller” or “business”, as such terms are defined under applicable Data Protection Law.

3. Data Protection

3.1 When Artie Processes Personal Data, it will:

(a) Process the Personal Data in accordance with Customer's documented instructions as described in the Agreement or this DPA. The Agreement and this DPA will generally constitute instructions for the Processing of Personal Data. Customer may issue further written instructions in accordance with this DPA. Artie will notify Customer if it considers that an instruction from Customer is in breach of Data Protection Law, unless it is prohibited from doing so by law;

(b) provide reasonable assistance to Customer, taking into account the nature of the Processing and the information available to Artie, in complying with Customer's obligations to respond to requests concerning Personal Data from Data Subjects under applicable Data Protection Law;

(c) implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law;

(d) only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; and

(e) upon termination of the Agreement, to the extent that Artie retains Personal Data, delete any copies of such Personal Data, provided that Artie shall permit Customer to obtain any copies of such Personal Data consistent with the functionality of the Services for a period of [30] days after termination of the Agreement.

3.2 Artie certifies that it will not (a) “sell” (as defined in Data Protection Law) the Personal Data; (b) retain, use, or disclose the Personal Data for any purpose other than for the business purposes set out in this DPA and the Agreement; (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement (d) except as otherwise permitted by applicable Data Protection Law, combine Personal Data provided by the Customer or otherwise disclosed in connection with the Agreement and this DPA with Personal Data that Artie receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject; or (e) share Personal Data with any third party for cross-context behavioral advertising.

4. Customer Responsibilities

4.1 Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Artie to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Artie; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

5. Subprocessing

5.1 Customer agrees that Artie may use the third-party suppliers listed on its website at https://docs.artie.so/legal/subprocessors to Process Personal Data on its behalf for the provision of the services under the Agreement (each a “Subprocessor”).

5.2 Artie will maintain a list of Subprocessors and will provide at least 10 days’ prior notice of the addition or removal of any subprocessor, which may be given by posting detail of such addition or removal at the following URL: https://docs.artie.com/legal/subprocessors. If Customer objects to the appointment of such Subprocessor within ten (10) days, it may terminate the portion of the services that cannot be provided without such Subprocessor on written notice to Artie that includes Customer’s legitimate and documented grounds for non-approval.

5.3 Artie will ensure that any Subprocessors to which it transfers Personal Data enter into written agreements with Artie requiring that the Subprocessor abide by terms substantially similar to those contained in this DPA.

5.4 Artie will remain liable for each Subprocessor’s compliance with the obligations under this DPA.

6. Restricted Data Transfers

6.1 The Standard Contractual Clauses shall apply to, and be incorporated by reference into this DPA in respect of, any transfers of Personal Data from the Customer (as “data exporter”) to Artie (as “data importer”) to the extent that:

(a) the Customer’s Processing of Personal Data is subject to the GDPR or Swiss Data Protection Laws when making that transfer; or

(b) the transfer is an “onward transfer” referred to in the Standard Contractual Clauses.

6.2 The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.

6.3 The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified at Clause 5.2 of this DPA; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the court in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1 shall refer to Annex 1 of this DPA, Annex 1 (c) shall refer to the Irish Data Protection Commissioner, Annex 2 shall refer to Annex 2 of this DPA.

6.4 The UK SCCs shall form part of this DPA and apply to the transfer of Personal Data from the Customer (as data exporter) to Artie (as data importer) to the extent that:

(a) the Customer’s Processing of Personal Data is subject to the UK GDPR when making that transfer; or

(b) the transfer is an "onward transfer" as defined in the UK SCCs.

6.5 For the purposes of the UK SCCs:

(a) the Addendum EU SCCs shall refer to the Standard Contractual Clauses as incorporated into this DPA;

(b) Table 1 of the UK SCCs shall be completed with the details in paragraph A of Annex I;

(c) the "Appendix Information" shall refer to the information set out in Annex I and Annex II;

(d) for the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 of the UK Addendum is the data importer.

6.6 Annex III shall apply to the extent that Swiss Data Protection Laws apply to the Customer's Processing of Personal Data.

7. Assistance and Notifications

7.1 Upon Customer’s request, Artie will provide Customer with reasonable cooperation and assistance to the extent required to fulfill Customer’s obligation under applicable Data Protection Law, including to:

(a) reply to investigations and inquiries from data protection regulators; and

(b) carry out a data protection impact assessment related to the services, where Client does not otherwise have access to the relevant information necessary to perform such assessment.

7.2 Unless prohibited by applicable law, Artie must inform Customer without undue delay if Artie:

(a) receives a request, complaint or other inquiry regarding the Processing of Personal Data;

(b) receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;

(c) is subject to a legal obligation that requires Artie to Process Personal Data in contravention of Customer’s instructions; or

(d) can no longer meet its obligations under Data Protection Law or this DPA.

7.3 Upon becoming aware of a Security Incident, Artie will inform Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under applicable Data Protection Law.

8. Audit

8.1 Artie will make available to Customer at Customer’s reasonable request information which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer, provided that (a) such audits shall be carried out no more than once per year (unless otherwise required under applicable law) (b) on reasonable prior written notice and (c) during Artie’s normal business hours.

8.2 Customer may take reasonable and appropriate steps to:

(a) ensure that Artie uses Personal Data in a manner consistent with Customer's obligations under Data Protection Law; and

(b) upon reasonable notice, stop and remediate unauthorized use of Personal Data.

9. Deidentified Data

9.1 If Artie receives Deidentified Data from or on behalf of Customer, then Artie will:

(a) take reasonable measures to ensure the information cannot be associated with a Data Subject.

(b) publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.

(c) contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and applicable Data Protection Law.

10. General

10.1 If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.

10.2 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

10.3 The parties hereby certify that they understand the requirements in this DPA and will comply with them.

10.4 The parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in application Data Protection Laws.

11. Limitation of Liability

Other than any liability arising out of a breach of the Standard Contractual Clauses, each party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement, including this DPA.

ANNEX I

1. LIST OF PARTIES

Customer is the controller and the data exporter and Artie is the processor and the data importer, in each case in relation to Processing of Personal Data in connection with the provision and receipt (as applicable) of the Services.

2. DESCRIPTION OF TRANSFER

ANNEX II

Artie shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.

Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-keys procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) Securing decentralized data Processing equipment and personal computers.

Virtual access control

Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in-attempts and

automatic turn-off of the user ID upon several erroneous passwords attempts; (e) creation of one master record per user, user-master data procedures per data Processing environment; and (f) encryption of archived data media.

Data access control

Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

Disclosure control

Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on

storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.

Entry control

Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data Processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.

Control of instructions

Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.

Availability control

Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) mirroring of hard disks (e.g. RAID technology); (c) uninterruptible power supply (UPS); (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.

Separation control

Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) separation of databases; (b) “internal Customer” concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion, transmission of data for different purposes.

ANNEX III

This Annex III applies as set out in Clause 6.6 of this DPA.

1. Interpretation

1.1 Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

"Addendum" means this Annex III;

"Clauses" means the Standard Contractual Clauses as incorporated into this DPA in accordance with Clause 6.1 and as further specified in Clause 6.3; and

"FDPIC" means the Federal Data Protection and Information Commissioner.

1.2 This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties' obligation to provide appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

1.3 This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

1.4 Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.

1.5 In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:

(a) for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and

(b) to provide appropriate safeguards for the transfers in accordance with Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

2. Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

3. Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws

To the extent that the data exporter's Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" (as defined in the Clauses, as amended by the remainder of this paragraph 3.3(a)) the following amendments are made to the Clauses:

(a) References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.

(b) Clause 6 Description of the transfer(s) is replaced with:

"The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."

(c) References to "Regulation (EU) 2016/679" or "that Regulation" or ""GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable.

(d) References to Regulation (EU) 2018/1725 are removed.

(e) References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".

(f) Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the FDPIC;

(g) Clause 17 is replaced to state

"These Clauses are governed by the laws of Switzerland".

(h) Clause 18 is replaced to state:

"Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

(i) Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect Personal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.

4. Supplementary provisions for transfers of Personal data subject to both the GDPR and Swiss Data Protection Laws

4.1 To the extent that the data exporter's Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" under both the Clauses and the Clauses as amended by paragraph 3.3(c) of this Addendum:

(a) for the purposes of Clause 13(a) and Part C of Annex I:

(i) the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer, or such transfer is an "onward transfer" as defined in the Clauses (as amended by paragraph 3.3 of this Addendum; and

(ii) subject to the provisions of paragraph 2 of this Schedule 3 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter's processing, or such transfer is an "onward transfer" as defined in the Clauses.

(b) the terms "European Union", "Union", "EU", and "EU Member State" shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland bringing a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses; and

(c) Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect Personal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.