ZENITY DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the Zenity Subscription Terms and Conditions (the “Agreement”) between Zenity, Inc. incorporated under Delaware law, with its principal offices located at 600 Fifth Avenue Suite 1600, New York, NY 10020 (“Zenity”) and Customer as identified in the applicable Order Form. Both parties shall be referred to as the “Parties” and each, a “Party”.

1. INTERPRETATION AND DEFINITIONS: The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. Definitions:
   1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
   2. “Authorized Affiliate” means any of Customer’s Affiliate(s) which is permitted to use the Products (as defined in the Agreement) pursuant to the Agreement between Customer and Zenity, but has not signed its own agreement with Zenity and is not a “Customer” as defined under the Agreement.
   3. “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include the Customer and/or the Customer’s Authorized Affiliates.
   4. “Data Protection Laws” means all applicable laws, regulations, and other legally binding regulatory requirements in any jurisdiction relating to privacy, data protection, data security, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the United Kingdom General Data Protection Regulation (“UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act of 2018 together, as amended by the California Privacy Rights Act of 2020, with any subordinate legislation or regulations, as amended or superseded from time to time (“CCPA”), and other applicable U.S. state and federal laws governing data protection (“US Data Protection Laws”); the Act on the Protection of Personal Information of Japan (“APPI”); and the Israeli Privacy Protection Law, 1981 and the regulations promulgated thereunder (including Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 and Privacy Protection Regulations (Data Security), 5777-2017), and any binding instructions, guidelines and requirements of the Israeli Privacy Protection Authority, in each case, as applicable to the Processing of Personal Data under the Agreement.
   5. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
   6. “Member State” means a country that belongs to the European Union (“EU”) and/or the European Economic Area (“EEA”).
   7. “Personal Data” means any information submitted or provided by or for Customer, or at Customer’s direction, to Zenity in connection with Customer’s use of the Products under the Agreement relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined under Data Protection Laws.
   8. “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
   9. “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
   10. “Security Documentation” means the security measures applicable to the Products purchased by Customer, as described in Annex II of the SCCs and the summaries of the then-current SOC 2 Type II audit reports (or comparable industry-standard successor report) that Zenity generally makes available to its customers as updated from time to time, or otherwise made reasonably available by Zenity.
   11. “Sub-processor” means any Processor engaged by Zenity and/or Zenity Affiliate to Process Personal Data on behalf of Zenity and/or Zenity Affiliate as part of the Products.
   12. “Supervisory Authority” means a competent data protection regulator appointed pursuant to applicable Data Protection Laws.
   13. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses set out in the European Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as available here, as updated, amended, replaced or superseded from time to time by the European Commission, Schedule 1 and Schedule 2;
   14. “UK Addendum” means Addendum B.1.0 issued by the UK Information Commissioner's Office in accordance with s119A of the UK GDPR as available here, Schedule 1.
2. PROCESSING OF PERSONAL DATA
   1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA Zenity is the Data Processor and may engage Sub-processors pursuant to the requirements set forth in Section 5 “Authorization Regarding Sub-processors” below. For clarity, Zenity may Process data about Customer's business contact information (“Account Data”) in accordance with Zenity’s Privacy Policy available at https://zenity.io/privacy-policy (as updated from time to time). Account Data is not Personal Data.
   2. Customer’s Processing of Personal Data. Customer shall, in its use of the Products, Process Personal Data in accordance with the requirements of Data Protection Laws aand comply at all times with the obligations applicable to Data Controllers (including, without limitation, Article 24 of the GDPR).For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer to Zenity the Personal Data and to authorize the Processing by Zenity of the Personal Data which is authorized in this DPA.
   3. Zenity’s Processing of Personal Data. Subject to the Agreement, Zenity shall Process Personal Data in accordance with Customer’s documented instructions. If applicable law requires Zenity to Process Personal Data for other purposes, Zenity shall inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Customer instructs Zenity to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement, the DPA and applicable Order Form(s), and (ii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and this DPA. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Annex 1 of the SCCs - Description of Transfer - in Schedule 2. This DPA and the Agreement are Customer’s complete and final instructions to Zenity for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing signed by authorized representatives of both parties.
3. RIGHTS OF DATA SUBJECTS. If Zenity receives a request from a Data Subject to exercise its rights in accordance with Data Protection Laws (“Data Subject Request”), Zenity shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Zenity shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Zenity’s provision of such assistance.
4. ZENITY PERSONNEL
   1. Zenity shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   2. Zenity may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws (in such a case, Zenity shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
5. AUTHORIZATION REGARDING SUB-PROCESSORS
   1. General Authorization. Zenity’s current list of Sub-processors is included in Annex III of the SCCs in Schedule 2 (“Sub-processor List”) and is hereby approved by Customer. Customer hereby grants a general authorization to Zenity to appoint new Sub-processors, and Zenity shall comply with the conditions of Sections ‎5.2 to ‎5.4.
   2. New Sub-Processors. Zenity will inform Customer of any intended changes concerning the addition or replacement of Sub-processors at least ten (10) days prior to permitting any new Sub-processor to process Personal Data if Customer subscribes to receiving such notifications by sending an email to privacy@zenity.io with the subject SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION.
   3. Objection Right for Sub-processors. Customer may reasonably object to Zenity’s use of a Sub-processor for reasons related to Data Protection Laws by notifying Zenity promptly in writing within three (3) business days after receipt of Zenity’s notice in accordance with the mechanism set out in Section 5.2 and such written objection shall include the reasons related to Data Protection Laws for objecting to Zenity’s use of such Sub-processor. Failure to object to such Sub-processor in writing within three (3) business days following Zenity’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-processor, as permitted in the preceding sentences, Zenity will use reasonable efforts to make available to Customer a change in the Products or recommend a commercially reasonable change to Customer’s use of the Products to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If Zenity is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Products which cannot be provided by Zenity without the use of the objected-to Sub-processor by providing written notice to Zenity provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Zenity. Until a decision is made regarding the Sub-processor, Zenity may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Zenity due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
   4. Agreements with Sub-processors. Zenity shall (i) enter into a written agreement with Sub-processors that imposes data protection requirements for Personal Data on such Sub-processors that are consistent with this DPA; and (ii) remain responsible to Customer for the Sub-processors’ failure to perform their obligations with respect to the Processing of Personal Data.
6. SECURITY
   1. Security of Processing. Zenity will secure Personal Data by implementing appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as required under the applicable Data Protection Laws. Such measures include those set forth in the Security Documentation. Zenity will not materially decrease the overall security of the Products during the Term of the Agreement.
   2. Third-Party Certifications and Audits.
      1. Upon Customer’s written request, no more than once per calendar year, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Zenity shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Zenity) a copy or a summary of Zenity’s then most recent and available third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Zenity’s prior written approval and, upon Zenity’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by Zenity in the context of the audit and/or the certification).
      2. If Customer reasonably believes it needs further information in order to confirm Zenity’s compliance with the provisions of this DPA relating to the Processing of Personal Data, Zenity will use commercially reasonable efforts to respond to written questions by Customer regarding the Security Documentation.
      3. If Customer is not satisfied with Zenity’s responses to questions provided pursuant to Section 6.2.2 and if Data Protection Laws grant Customer the right to audit Zenity’s Processing activities covered under this DPA, then Zenity shall permit Customer to audit Zenity’s compliance with the data security and data protection obligations under this DPA. No more than once per calendar year, at Customer’s cost and expense, Zenity shall allow for and contribute to such audits, including inspections of Zenity’s policies, procedures, and records, conducted by Customer or another auditor mandated by Customer (who is not a direct or indirect competitor of Zenity) provided that (i) Customer shall provide Zenity with at least thirty (30) days' prior written notice before conducting any such audit or inspection; and (ii) the parties shall agree before any such audit on the scope, methodology, timing and conditions of such audit and inspection.
      4. Notwithstanding anything to the contrary, nothing in this DPA will require Zenity either to disclose to Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Zenity; (ii) Zenity’s internal accounting or financial information; (iii) any trade secret of Zenity; or (iv) any information that, in Zenity’s sole reasonable discretion, could compromise the security of any of Zenity’s systems or premises or cause Zenity to breach obligations under any applicable law or its obligations to any third party.
7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION: Zenity shall notify Customer without undue delay after becoming aware of a breach of Zenity’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in Zenity’s custody, possession or control (a “Personal Data Incident”). For clarity, Personal Data Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems). Zenity shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Zenity deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Zenity’s reasonable control. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws).
8. DELETION OF PERSONAL DATA: Subject to the Agreement, Zenity shall delete Personal Data and copies thereof to Customer after termination or expiration of the Agreement or upon Customer’s written request, whichever is earlier, provided, however, that Zenity shall delete backup data and operational or system log data in the ordinary course of business. In the event applicable law does not permit Zenity to delete Personal Data, Zenity warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of the Agreement, except as required by law.
9. AUTHORIZED AFFILIATES
   1. The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between each such Authorized Affiliate and Zenity. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Products by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
   2. The Customer shall remain responsible for coordinating all communication with Zenity under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
10. TRANSFERS OF DATA
    1. Customer authorizes Zenity and its Subprocessors to make international transfers of Personal Data provided Zenity only engages in such transfers in accordance with this DPA and applicable Data Protection Laws.
    2. Personal Data may be transferred from the EEA, the United Kingdom (“UK”), and Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the EU, the Member States or the European Commission, the UK supervisory authority or Switzerland (“Adequacy Decisions”), without any further safeguard being necessary.
    3. To the extent that there is Processing of Personal Data which includes transfers from the EEA, Switzerland, or the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the below terms shall apply:
       1. With respect to the EU transfers of Personal Data, Customer as a Data Exporter (as defined in the SCCs) and Zenity on behalf of itself and each Zenity Affiliate (as applicable) as a Data Importer (as defined in the SCCs) hereby enter into the SCCs set out in Schedule 1. To the extent that there is any conflict or inconsistency between the terms of the SCCs and the terms of this DPA, the terms of the SCCs shall take precedence.
       2. With respect to the UK transfers of Personal Data (from the UK to other countries which have not been subject to a relevant Adequacy Decision), Customer as a Data Exporter (as defined in the UK Addendum) and Zenity on behalf of itself and each Zenity Affiliate (as applicable) as a Data Importer (as defined in the UK Addendum), hereby enter into the UK Addendum set out in Schedule 1. To the extent that there is any conflict or inconsistency between the terms of the UK Addendum and the terms of this DPA, the terms of the UK Addendum shall take precedence.
       3. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any EEA or the UK) governs the international nature of the transfer, references to the GDPR in Clause 4 of the SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner. The term “EU Member State” as used in the SCCs shall not be interpreted in a way to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the SCCs.
11. CALIFORNIA DATA PROTECTION LAWS: To the extent that Zenity’s Processing of Personal Data is subject to the CCPA, this Section 11 also applies. Customer discloses or otherwise makes available Personal Data to Zenity for the limited and specific purpose of enabling Zenity to provide the Products to Customer in accordance with the Agreement and this DPA. Zenity shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” Personal Data (as such terms are defined by the CCPA); (v) not retain, use or disclose Personal Data for any purpose (including any commercial purpose) other than to provide the Products under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Personal Data outside of the direct business relationship between Zenity and Customer; and (vii) unless otherwise permitted by the CCPA, not combine Personal Data with personal data that Zenity (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Notwithstanding the foregoing, Zenity may use, disclose, or retain Personal Data to provide the Products to Customer and as otherwise agreed herein, in the Agreement or between the Parties. Zenity will permit Customer, upon reasonable request, to take reasonable and appropriate steps to ensure that Zenity Processes Personal Data that is subject to this Section 11 in a manner consistent with the obligations of a “business” under the CCPA by requesting that Zenity attest to its compliance with this Section 11. Following any such request, Zenity will promptly provide that attestation or an explanation of why it cannot provide it. If Customer reasonably believes that Zenity is engaged in unauthorized Processing of Personal Data that is subject to this Section 11.1, Customer will notify Zenity of such belief, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.
12. JAPANESE DATA PROTECTION LAWS
    1. To the extent that Zenity’s Processing of Personal Data is subject to the APPI, the below terms shall apply:
       1. Notwithstanding the first sentence of Section 7 of this DPA, Zenity shall notify Customer without delay after becoming aware of (a) any actual Personal Data Incident or (b) any reasonably suspected Personal Data Incident.
       2. Zenity shall impose on Sub-processors engaged by Zenity pursuant to the requirements under Section 5 of this DPA data protection obligations that are essentially equivalent to those set out in this DPA.
13. GENERAL PROVISIONS.
    1. Liability. As permitted under applicable law, the aggregate liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with this DPA will be subject to the limitations on liability and liability caps agreed to by the parties in the Agreement.
    2. Termination. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Products are provided. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
    3. Conflicting Terms. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.
    4. Legal Effect. Either party may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any obligation hereunder may be performed (in whole or in part), and any right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by such an Affiliate.
    5. Amendments. Zenity may update this DPA from time to time in its sole discretion. Any such modifications will be effective upon posting the updated version at https://zenity.io/legal/zenity-data-processing-agreement. It is Customer’s responsibility to regularly review the foregoing link for updates. By continuing to access or use the Products after the updated DPA is posted, Customer agrees to be bound by the revised terms.

SCHEDULE 1 - STANDARD CONTRACTUAL CLAUSES

1. STANDARD CONTRACTUAL CLAUSES: If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the SCCs as follows:
   1. The SCCs (Controller-to-Processor and Processor to Processor) as applicable, will apply, with respect to restricted transfers between Customer and Zenity that are subject to the GDPR.
   2. The Parties agree that for the purpose of transfer of Personal Data between Customer(as Data Exporter) and Zenity (as Data Importer), the following shall apply:
      1. Clause 7 of the SCCs shall be applicable.
      2. For the purposes of Clause 8.1(a) of the SCCs, the instructions by Customer to Process Personal Data are set out in Section 2.3. of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Products.
      3. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 and 16(d) of the SCCs shall be provided by Zenity to Customer only upon Customer's written request.
      4. The parties agree that if a Sub-processor suffers a personal data breach affecting Personal Data, Zenity will take commercially reasonable efforts to ensure that the Sub-processor takes appropriate measures to address the breach, including measures to mitigate its adverse effects in accordance with Clause 8.6.(c) of the SCCs.
      5. The parties agree that the audits described in Clause 8.9 of the SCCs shall be carried out in accordance with section 6.2 of this DPA.
      6. In Clause 9, option 2 shall apply and the method described in Section ‎5 of the DPA (Authorization Regarding Sub-Processors) shall apply. Customer consents to Zenity’s transfer of Personal Data to Sub-processors as described in Section 5 of the DPA, and agrees that the Customer’s consent satisfies the requirements of Clauses 9(a) and 9(b) of the SCCs.
      7. Clause 11 of the SCCs shall be not applicable.
      8. In Clause 13 of the SCCs, the relevant option applicable to the Customer, as informed by Customerto Zenity;
      9. In Clause 17, option 1 shall apply. The Parties agree that the SCCs shall be governed by the laws of Ireland.
      10. In Clause 18(b) the Parties choose the courts of Dublin, Ireland, as their choice of forum and jurisdiction.
   3. Annex I.A of the SCCs shall be completed as described in Schedule 2 (Details of the Processing) of this DPA. By entering into the Agreement, each Party is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the effective date of the DPA.
   4. Annex I.B of the SCCs shall be completed as described in Schedule 2 (Details of the Processing) of this DPA.
   5. Annex I.C of the SCCs shall be completed as follows as set forth in Schedule 2.
   6. Annex II of the SCCs shall be completed as set forth in Schedule 2.
   7. Annex III of the SCCs shall be completed as set forth in Schedule 2.
2. UK ADDENDUM If the Processing of Personal Data includes transfers from the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, (i) the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018 and (ii) such transfers will be subject to the SCCs (as set forth above) and the UK Addendum.
   1. The information required for Table 1 of Part 1 of the UK Addendum is set out in Annex I.A of Schedule 2.
   2. The information required for Table 2 of Part 1 of the UK Addendum is set out above in Section 1(b) of this Schedule 1.
   3. The information required for Table 3 of Part 1 of the UK Addendum is set out in Schedule 2.
   4. For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes.

SCHEDULE 2

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

1. Name: Customer

Address: As detailed in the Agreement or the applicable Order Form.

Contact person’s name, position, and contact details: As detailed in the Agreement or the applicable Order Form.

Activities relevant to the data transferred under these Clauses: As set forth in the Agreement, the Order Form and the DPA.

Signature and date: The parties agree that theexecution of the Agreement (or applicable Order Form) shall constitute execution of these clauses by both parties.

Role (controller/processor): Controller

Data importer(s):

1. Name: Zenity, Inc.

Address: 600 Fifth Avenue Suite 1600, New York, NY 10020

Contact person’s:

• Name: Legal Department
• Position: Legal Department
• Contact details: privacy@zenity.io

Activities relevant to the data transferred under these Clauses: As set forth in the Agreement, the Order Form and the DPA.

Signature and date: The parties agree that the execution of the Agreement (or applicable Order Form) shall constitute execution of these clauses by both parties.

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer may submit Personal Data to the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

• Customer’s users authorized by Customer to use the Products
• Employees, agents, advisors, freelancers of Customer (who are natural persons)

Categories of personal data transferred

Customer may submit Personal Data to the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

• Full name
• Address
• Phone number
• Email address
• Hostname
• IP address
• Job title
• User Photo
• Password
• Any other Personal Data or information that the Customer decides to provide to Zenity or the Products.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Zenity does not require special categories of data to provide the Products, but it may process such special categories of data if submitted or provided to Zenity by Customer.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

Zenity’s provision of the Products to Customer.

Purpose(s) of the data transfer and further processing

Zenity will process Personal Data for the purposes of providing the Products to Customer in accordance with the Agreement, the DPA and any additional instruction agreed to in writing by the parties.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Customer Personal Data will be retained as agreed by the Parties in the Agreement and the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing is set forth in the Agreement and the DPA. For additional information, see Annex III.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of encryption of personal data; Measures for the protection of data during storage; Measures for the protection of data during transmission

• Zenity uses industry standard encryption to secure Personal Data in transit and at rest.
• Zenity uses TLS 1.2. or higher when transferring Personal Data over the internet.
• Zenity uses encryption-at-rest, which protects data with AES encryption.
• Full disk or device encryption is required for all systems that store Personal Data.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

• Zenity implements industry standard firewalls which manage and restrict network traffic and properly segment its network and systems storing Personal Data.
• Zenity uses an industry standard intrusion detection system to detect inappropriate, incorrect, or anomalous activity, and Zenity regularly monitors system logs for suspicious activity.
• Zenity establishes and follows commercially reasonable operational procedures to stop or mitigate any real or reasonably foreseeable potential attack or attempted attack.
• Zenity maintains vulnerability and patch management processes and tools which regularly assess software for security vulnerabilities and deploys software patches and updates.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

• Zenity performs daily backups of all critical systems and data.
• Zenity maintains copies of backups in a location separate from the primary data location.
• Zenity performs disaster recovery and service restoration testing on at least an annual basis to ensure that restoration can be performed in a timely manner.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

• Zenity uses external auditors to verify the adequacy of its security measures, including penetration tests conducted by a reputable independent third party on at least an annual basis. Such audits are performed in accordance with AICPA SOC 2 standards for security, availability, confidentiality, and privacy, and result in the generation of an audit report.
• Zenity maintains certification of its information security management system based on the ISO/IEC 27001 criteria.

Measures for user identification and authorisation

• Access to the Zenity systems and Personal Data located thereon requires a unique user ID, password, and multifactor authentication.
• Passwords for access to Personal Data are stored securely using industry standard encryption, not in plain text, on a separate server or file from Personal Data.

Measures for ensuring physical security of locations at which personal data are processed

• Zenity maintains industry standard physical security controls and procedures over all Zenity facilities where Personal Data is Processed, including (at a minimum): appropriate alarm systems; access controls (including off-hours controls); visitor access procedures; fire suppression; environmental controls (in each case to the extent that such security perimeters are within Zenity’s control).

Measures for ensuring events logging

• Zenity logs all application, system, and cloud console events to centralized log repositories that provide automated inspection of the logs for security issues and anomalous activity. Alerts are generated and sent to information security staff for investigation and resolution.

Measures for ensuring system configuration, including default configuration; Measures for certification/assurance of processes and products

• Zenity utilizes version-controlled repositories to manage the configuration and deployment of all production systems. Changes are deployed through controlled processes, and any unauthorized or out-of-band modifications are detected and remediated in accordance with established configuration standards.

Measures for internal IT and IT security governance and management; Measures for ensuring accountability

• Zenity maintains a compliance team dedicated to provide governance and ensure compliance with Zenity’s IT and IT security policies.
• To provide assurance of the governance process, Zenity’s policies and procedures are externally audited and attested to in Zenity’s SOC2 Type II report annually.

Measures for assisting the data exporter with data subject requests

• If Zenity receives a data subject request, Zenity will promptly notify the data exporter of such data subject request.
• If the data exporter requests Zenity’s assistance in handling the data subject request, Zenity shall provide commercially reasonable assistance to the data exporter in accordance with the executed DPA.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:

• Zenity’s third-party security management program ensures all Sub-processors meet Zenity’s security and privacy standards.

ANNEX III – LIST OF SUB-PROCESSORS

In addition to the sub-processors listed above, the following entities are an affiliate of Zenity Inc., and accordingly may also function as a sub-processor.

This DPA was last updated on April 22, 2026.