DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Distinct Platform Terms & Conditions between Customer and Distinct (collectively, the “Parties”) for the provision of services by Distinct (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Customer Personal Information.

 

In the course of providing the Distinct Platform to Customer, Distinct may Process Customer Personal Information on behalf of Customer, and in such case, the Parties agree to comply with the following provisions with respect to Customer Personal Information.

 

  1. DEFINITIONS

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.  In this DPA, the following terms shall have the meanings set out below:

 

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity.

 

“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.

 

“Customer Personal Information” means any Personal Information Processed by Distinct or Distinct’s Subprocessor, solely on behalf of Customer and in connection with Customer’s use of the Distinct Platform, pursuant to the express terms of an applicable statement of work or order under the Agreement.

 

“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Information and the rights of Data Subjects, which may also be called a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.

 

“Data Protection Laws” means any and all applicable  data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); (d) Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”); (e) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (f) the Virginia Consumer Data Protection Act; (g) the Colorado Privacy Act; (h) the Connecticut Data Privacy Act; (i) the Utah Consumer Privacy Act; (j) the Texas Privacy and Data Security Act; (k) the Oregon Consumer Privacy Act; (l) the Montana Consumer Data Privacy Act; (m) the Iowa Consumer Data Protection Act; (n) the New Hampshire Data Privacy Act; (o) the Nebraska Data Privacy Act; (p) the Delaware Personal Data Privacy Act; (q) the New Jersey Data Privacy Act; (r) the Tennessee Information Protection Act; (s) the Minnesota Consumer Data Privacy Act; and (t) all other equivalent or similar laws and regulations relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.

 

“Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed. The term “Data Subject” shall refer to a “Consumer” as that term is defined under Data Protection Laws.

 

“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or be reasonably used to infer information about an identifiable natural person.

 

“Personal Information” means information that is protected by applicable Data Protection Laws or that otherwise identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household.

 

“Personnel” means officers, directors, employees, Subprocessors, agents and representatives.

 

“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including, but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.

 

“Security Breach” means any security incident that adversely impacts the security of Customer Personal Information.

 

“Subprocessor” means any third party appointed by Distinct to Process Customer Personal Information as a Distinct or Processor on behalf of Customer in connection with the Agreement.

 

The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

 

  2. PROCESSING OF PERSONAL INFORMATION

 

2.1 Roles of the Parties. The Parties acknowledge and agree that solely with regard to the Processing of Customer Personal Information, Customer is the Controller or Business (as applicable), Distinct is the Processor or Service Provider (as applicable), and that Distinct will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Law. For clarity, Distinct is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not otherwise generally applicable to Distinct. The Parties further acknowledge and agree that Distinct may Process Personal Information in connection with its products and services that is not Customer Personal Information, and with respect to such Personal Information, which is not subject to this DPA, Distinct is a Controller or Business (as applicable).

 

2.2 Distinct’s Processing of Personal Information. Distinct shall treat Customer Personal Information as confidential and shall only Process Customer Personal Information as necessary to perform its obligations on behalf of and in accordance with Customer’s documented instructions for the following permitted purposes: (i) in accordance with the Agreement and applicable order or scope of work and applicable Data Protection Laws (including without limitation, the CCPA); and/or (ii) as applicable, if initiated by Data Subjects in their use of the Distinct Platform. Distinct shall not (A) Sell, Share, or otherwise make available Customer Personal Information to any third party in exchange for monetary or other valuable consideration, and (B) retain, use, or disclose Customer Personal Information outside of the direct business relationship with the Customer or for any other purpose than what is specified in the Agreement and/or this DPA. When acting as a Service Provider under the CCPA, Distinct shall not combine Customer Personal Information with Personal Information it receives from, or on behalf of, another person or persons, or that it processes as a Business, except as expressly permitted by Data Protection Laws. Distinct shall promptly notify Customer after it determines that it can no longer meet its obligations under applicable Data Protection Laws. Nothing herein shall limit or restrict Distinct’s right to use Aggregate Data and/or Deidentified Data or limit Distinct’s right to use Customer Personal Information in any manner that is not restricted by specific Data Protection Laws.

 

2.2.1 To the extent Distinct is authorized by Customer to act as a Third Party or is deemed to be a Third Party (in each case as defined under the CCPA), Distinct is not required to comply with the obligations described in Section 2.2 with respect to combining Customer Personal Information or with the obligations set forth in Section 2.2(A) and (B) (but, for the avoidance of doubt, solely when acting as a CCPA Third Party, it being understood such obligations shall still apply when Distinct is acting as a Service Provider under CCPA); however, when acting as a Third Party, Distinct shall only be required to comply with the following obligations:

 

(a) Distinct’s use of the Customer Personal Information is limited to the specific purposes identified in the Agreement and Distinct shall not exceed such specific purposes;

 

(b) Distinct shall comply with the same level of privacy protection as required of a business pursuant to the CCPA with respect to the Customer Personal Information;

 

(c) Distinct grants Customer the right to take reasonable and appropriate steps to ensure that Distinct uses the Customer Personal Information in a manner consistent with this Agreement and applicable Data Protection Laws;

 

(d) Distinct grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of Customer Personal Information made available to Distinct; and

 

(e) Distinct shall notify Customer after it makes a determination that it can no longer meet its obligations under applicable Data Protection Laws.

 

For clarity, (i) Customer hereby informs Distinct that all applicable Data Subjects have been provided with the necessary notices and opt-out rights and consented to and not opted-out from the Sale or Sharing of their Personal Information to the extent required by CCPA and (ii) when acting in the capacity of a Processor or Service Provider under applicable Data Protection Laws (but not as a Third Party under the CCPA), Distinct shall comply with all other obligations in this DPA applicable to Processors or Service Providers under applicable Data Protection Laws.

 

2.3 Customer’s Processing of Personal Information. Customer shall, in its use of the Distinct Platform, Process Personal Information in accordance with the requirements of Data Protection Laws. Customer’s instructions to Distinct related to the Processing of Customer Personal Information shall comply with Data Protection Laws. Customer instructs Distinct (and authorizes Distinct to instruct each Subprocessor) to Process Customer Personal Information, and in particular, transfer Customer Personal Information to any jurisdiction, as necessary for the provision of the Distinct Platform and consistent with the Agreement and this DPA. Distinct shall inform Customer if, in its opinion, an instruction violates Data Protection Laws. Customer represents and warrants that it shall (i) not provide Distinct with (or instruct Distinct to Process) any Personal Information unless it shall first have given and received the necessary notices and consents (and honored any opt-out rights) under Data Protection Laws; and (ii) comply with any other requirements under applicable Data Protection Laws.

 

2.4 Details of the Processing. The subject matter of Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Information, and categories of Data Subjects Processed under this DPA are specified in Annex I attached hereto.

 

3. RIGHTS OF DATA SUBJECTS

 

3.1 Taking into account the nature of the Processing and the Customer Personal Information, Distinct shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to assist the Customer in responding to Data Subject rights requests (“Data Subject Request”) and complying with requirements of Data Protection Laws in relation thereto. To the extent legally permitted, Customer shall be responsible for any costs arising from Distinct’s provision of such assistance.

 

3.2 If a Data Subject Request is made directly to Distinct, Distinct will promptly inform Customer and will advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or other communications involving Personal Information.

 

4. DISTINCT PERSONNEL

 

4.1 Confidentiality. Distinct shall ensure that its Personnel engaged in the Processing of Customer Personal Information are informed of the confidential nature of the Customer Personal Information, and have received appropriate training regarding the Processing of Customer Personal Information.

 

4.2 Reliability. Distinct shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Personnel engaged in the Processing of Customer Personal Information.

 

4.3 Limitation of Access. Distinct shall ensure that Distinct’s access to Customer Personal Information is limited to those Personnel performing the services in accordance with the Agreement.

 

5. SUBPROCESSORS

 

5.1 Appointment of Subprocessors. With respect to the Processing of Customer Personal Information, Customer authorizes Distinct to appoint Subprocessors to Process Customer Personal Information for a business purpose on behalf of Customer, and consistent with the business purpose set forth herein, pursuant to a written contract that includes obligations that are at least as protective as those set out in this DPA and as required by Data Protection Laws.

 

5.2 Notification of New Subprocessors and Customer’s Right to Object. Customer authorizes Distinct’s engagement of Subprocessors from the list provided at https://distinct.so/sub-processors/. Distinct shall notify Customer of the appointment of any new Subprocessor. With the exception of commonly engaged vendors over whom Distinct exercises little control (such as Google, Amazon, or Facebook), if, within fifteen (15) business days of receipt of that notice, Customer (acting reasonably and in good faith) notifies Distinct in writing of any objections to the appointment, Distinct shall cease disclosing any Customer Personal Information to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer. Distinct remains fully liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessors.

 

6. SECURITY

 

6.1 Controls for the Protection of Customer Personal Information. Distinct shall maintain appropriate physical, technical and organizational measures designed to protect the security, confidentiality, and integrity of Customer Personal Information. In the event of any (i) unauthorized acquisition, alteration, or disclosure of Customer Personal Information that requires notification to an individual, government or regulatory body, or law enforcement authority under Data Protection Laws, or (ii) breach of Data Protection Laws with respect to Customer Personal Information, Distinct shall notify Customer promptly. Distinct shall, taking into account the nature of processing and the information available to Distinct, assist Customer in meeting Customer’s obligations in relation to the security of processing Customer Personal Information. Distinct shall, at a minimum, implement and maintain the security measures specified in Annex II attached hereto.

 

6.2 Data Security Incident Management and Notification. Distinct shall maintain security incident management policies and procedures, and if at any time Distinct determines that there has been a Security Breach, Distinct shall promptly: (i) notify Customer in writing of such Security Breach; (ii) investigate and take steps to remediate the Security Breach, and (iii) provide information regarding the specific Customer Personal Information adversely impacted by the Security Breach as reasonably requested by Customer.

 

7. INFORMATION PROVISION AND COOPERATION

 

7.1 Demonstration of Distinct’s Compliance. Distinct shall, upon Customer’s reasonable request and to the extent required by Data Protection Laws, make available to Customer all information in Distinct’s possession necessary to demonstrate Distinct’s compliance with its obligations under Data Protection Laws.

 

7.2 Audits and Assessments. If required of Distinct under applicable Data Protection Laws, Distinct shall reasonably cooperate with Customer, at Customer’s expense, in relation to any audit of Distinct reasonably necessary to enable Customer to comply with its obligations under Data Protection Laws (“Audit”), and shall seek the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) subject to a mutually agreed upon scope; (ii) conducted by an independent third party who has signed a nondisclosure agreement with Distinct or the Subprocessor, as the case may be; and (iii) subject to the confidentiality obligations set forth in the Agreement. Customer shall use reasonable endeavours to minimize any disruption caused to Distinct’s (or Subprocessor’s, as the case may be) business activities as a result of an Audit. Audits shall take place no more than once in any calendar year except as otherwise required of Distinct under applicable Data Protection Laws. In addition, if required of Distinct under applicable Data Protection Laws, Distinct shall allow Customer to take reasonable and appropriate steps to (a) ensure that Distinct’s use of Customer Personal Information is consistent with Customer’s obligations under applicable Data Protection Laws, and (b) stop and remediate unauthorized use of Customer Personal Information. Any information disclosed in connection with an Audit shall be the Confidential Information of Distinct (and/or Subprocessor, as the case may be).

 

7.3 Data Protection Assessments. Upon Customer’s request and to the extent required of Distinct under applicable Data Protection Laws, Distinct shall provide Customer, at Customer’s reasonable expense, with the reasonably necessary information needed for Customer to carry out a Data Protection Assessment related to Customer’s use of the Distinct Platform, to the extent that Customer does not otherwise have access to the relevant information and that such information is reasonably available to Distinct. To the extent required under the GDPR or UK GDPR, Distinct shall provide reasonable assistance to Customer in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this Section 7.

 

8. RETURN AND DELETION OF CUSTOMER PERSONAL INFORMATION

 

Distinct shall, on the written request of Customer, return all Customer Personal Information to Customer and/or at Customer’s request delete the same from its systems, except as otherwise permitted by applicable Data Protection Laws.

 

9. TRANSFER MECHANISMS FOR CROSS-BORDER DATA TRANSFERS

 

9.1 Transfers of EEA, Swiss, or UK Personal Information. If the Processing of Customer Personal Information includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), if required by Data Protection Laws, the Parties shall: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State as set forth in this Section 9 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Customer Personal Information to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Annexes I and II attached hereto.

 

9.2 EU SCCs Modules. The Parties agree that for transfers of Customer Personal Information from the European Economic Area (“EEA”), the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”), as annexed to Commission Implementing Decision 2021/914, are hereby incorporated by reference into this DPA.

 

Where Distinct Processes Personal Information as a Processor for Customer pursuant to the terms of the Agreement, Distinct and its relevant Subprocessor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer); Module 2: Transfer controller to processor, Clauses 1 to 18 apply.

 

9.3 EU SCCs Optional Provisions. In addition to Section 9.2, where the EU SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

 

9.3.1 In Clause 7 (Docking Clause) – the Optional provision shall NOT apply;

 

9.3.2 In Clause 9(a) (Use of sub-processors) – Option 1 shall apply (and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors);

 

9.3.3 In Clause 11(a) (Redress) – the Optional provision shall NOT apply;

 

9.3.4 In Clause 17 (Governing Law) – Option 1 shall apply, and the courts of Ireland shall govern; and

 

9.3.5 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2, 3, or 4) – the courts of Ireland shall have jurisdiction.

 

9.4 UK Model Clauses. The Parties agree that for transfers of Customer Personal Information from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed Annex I. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Annexes I and II. For the purposes of Table 4, the Parties agree that the Exporter may end the UK Addendum as set out in Section 19.

 

9.5 Swiss Data Transfers. The Parties agree that for transfers of Customer Personal Information from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

 

10. GOVERNING LAW

 

Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 9 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Agreement.

 

11. LIMITATION OF LIABILITY

 

THE “LIMITATION OF LIABILITY” SECTION OF THE AGREEMENT (OR THE EQUIVALENT THEREOF) SHALL APPLY TO ALL CLAIMS, DEMANDS, SUITS, CAUSES OF ACTION, AWARDS, JUDGMENTS AND LIABILITIES, INCLUDING REASONABLE ATTORNEYS' FEES AND COSTS, ARISING OUT OF OR ALLEGED TO HAVE ARISEN OUT OF DISTINCT’S BREACH OF ITS OBLIGATIONS UNDER THIS DPA. WITHOUT LIMITING THE FOREGOING, IF THE AGREEMENT DOES NOT INCLUDE A LIABILITY CAP, DISTINCT’S AGGREGATE LOSSES OR LIABILITY UNDER THIS DPA, INCLUDING WITH RESPECT TO LIABILITY RELATING TO A SECURITY BREACH, BREACH OF THIS DPA, OR ALLEGED OR ACTUAL VIOLATION OF DATA PROTECTION LAWS, SHALL BE LIMITED TO THE AMOUNT PAID BY CUSTOMER TO DISTINCT UNDER THE AGREEMENT IN THE 12 MONTHS PRIOR TO THE CLAIM GIVING RISE TO SUCH LOSSES.

 

12. CHANGE IN DATA PROTECTION LAWS

 

In the event of any change to or new Data Protection Law(s), the Parties shall mutually agree upon any reasonably necessary amendments or revisions to this DPA.

 

ANNEX I

 

A. LIST OF PARTIES

 

Data exporter(s):

Name: See Order Form executed by the Parties.

Address: See Order Form executed by the Parties.

Contact person’s name, position and contact details: See Order Form executed by the Parties.

Activities relevant to the data transferred under these Clauses:  See Order Form executed by the Parties.

Signature and date: See Order Form executed by the Parties.

Role (controller/processor): Controller

 

Data importer:

Name: DISTINCT Technologies, Inc.

Address: 220 Wakeman Lane, Southport, CT 06890

Contact person’s name, position and contact details: Head of Security; [email protected]

Activities relevant to the data transferred under these Clauses:  Processing Customer Personal Information in connection with the Distinct Platform.

Signature and date: See Order Form executed by the Parties.

Role (controller/processor): Processor

 

B. DESCRIPTION OF THE TRANSFER

 

Categories of Data Subjects whose Personal Information is transferred: Customer’s clients, prospective clients, and attendees and participants at Customer’s activations.

 

Categories of Personal Information transferred: Names, addresses, email addresses, phone numbers, dates of birth, gender, and/or other contact and demographic information.

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Biometric information.

 

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous basis.

 

Nature of the Processing: Distinct will Process Customer Personal Information as necessary to provide, operate, maintain, secure, and support the Services in accordance with the Agreement. Such Processing may include the collection, storage, organization, access, transmission, analysis, and deletion of Customer Personal Information, as well as any other Processing activities reasonably required to perform the Services or ensure their proper functioning and security.

 

Purpose(s) of the data transfer and further Processing: Customer Personal Information is transferred and Processed for the purpose of enabling Distinct to provide the Services and related support, including:

 

  • Delivery and operation of the Services and its functionalities;
  • Monitoring, troubleshooting, and improving system performance and security;
  • Providing customer support and communications; and
  • Compliance with applicable legal obligations and audit requirements.

 

Distinct will not Process Customer Personal Information for any purpose other than as set out in the Agreement or as otherwise instructed by the Customer in accordance with the DPA.

 

The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing: See https://distinct.so/sub-processors/

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority in accordance with Clause 13: Ireland Data Protection Commission.

 

ANNEX II

 

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

Distinct maintains leading industry-standard technical security controls designed to protect personal data against accidental or unlawful access, disclosure, alteration, loss, and destruction, including the following:

 

  • SOC 2 Certification: Distinct maintains a robust SOC 2 Type II compliance program, and renews its certification annually.

 

  • Access Controls: Authorization within the Distinct platform is limited to appropriate individuals and is managed and audited via an industry-standard proxy solution. Users are required to be initially connected via VPN, which requires multi-factor authentication, in order to connect to sensitive IT infrastructure resources via the proxy gateways. Distinct also adheres to the principle of ‘least privilege’ and implements key technological controls.

 

  • Encryption: Data in transit is typically encrypted via HTTPS (i.e., HTTP over TLS/SSL). For data at rest, sensitive data, such as API keys, and other personal identifiers, is secured using hashing algorithms.

 

  • Data Backup: Automatic data backups are performed daily, leveraging AWS’s native backup solutions.

 

  • Data Retention: Distinct has established controls and mechanisms designed to protect personal data at each stage of the data lifecycle, from collection / creation through to disposal. At the end of any retention period, Distinct deletes Customer Personal Information from its systems and databases, in accordance with its policies and procedures. 

 

  • Event logging: Access logs and object read and write logs are continuously recorded, with active reviews conducted in the event of suspicious activity or detection of a security event or incident.

 

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Distinct Platform Terms & Conditions between Customer and Distinct (collectively, the “Parties”) for the provision of services by Distinct (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Customer Personal Information.

 

In the course of providing the Distinct Platform to Customer, Distinct may Process Customer Personal Information on behalf of Customer, and in such case, the Parties agree to comply with the following provisions with respect to Customer Personal Information.

 

  1. DEFINITIONS

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.  In this DPA, the following terms shall have the meanings set out below:

 

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity.

 

“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.

 

“Customer Personal Information” means any Personal Information Processed by Distinct or Distinct’s Subprocessor, solely on behalf of Customer and in connection with Customer’s use of the Distinct Platform, pursuant to the express terms of an applicable statement of work or order under the Agreement.

 

“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Information and the rights of Data Subjects, which may also be called a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.

 

“Data Protection Laws” means any and all applicable  data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); (d) Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”); (e) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (f) the Virginia Consumer Data Protection Act; (g) the Colorado Privacy Act; (h) the Connecticut Data Privacy Act; (i) the Utah Consumer Privacy Act; (j) the Texas Privacy and Data Security Act; (k) the Oregon Consumer Privacy Act; (l) the Montana Consumer Data Privacy Act; (m) the Iowa Consumer Data Protection Act; (n) the New Hampshire Data Privacy Act; (o) the Nebraska Data Privacy Act; (p) the Delaware Personal Data Privacy Act; (q) the New Jersey Data Privacy Act; (r) the Tennessee Information Protection Act; (s) the Minnesota Consumer Data Privacy Act; and (t) all other equivalent or similar laws and regulations relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.

 

“Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed. The term “Data Subject” shall refer to a “Consumer” as that term is defined under Data Protection Laws.

 

“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person.

 

“Personal Information” means information that is protected by applicable Data Protection Laws or that otherwise identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household.

 

“Personnel” means officers, directors, employees, Subprocessors, agents and representatives.

 

“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including, but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.

 

“Security Breach” means any security incident that adversely impacts the security of Customer Personal Information.

 

“Subprocessor” means any third party appointed by Distinct to Process Customer Personal Information as a Distinct or Processor on behalf of Customer in connection with the Agreement.

 

The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

 

2. PROCESSING OF PERSONAL INFORMATION

 

2.1 Roles of the Parties. The Parties acknowledge and agree that solely with regard to the Processing of Customer Personal Information, Customer is the Controller or Business (as applicable), Distinct is the Processor or Service Provider (as applicable), and that Distinct will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Law. For clarity, Distinct is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not otherwise generally applicable to Distinct. The Parties further acknowledge and agree that Distinct may Process Personal Information in connection with its products and services that is not Customer Personal Information, and with respect to such Personal Information, which is not subject to this DPA, Distinct is a Controller or Business (as applicable).

 

2.2 Distinct’s Processing of Personal Information. Distinct shall treat Customer Personal Information as confidential and shall only Process Customer Personal Information as necessary to perform its obligations on behalf of and in accordance with Customer’s documented instructions for the following permitted purposes: (i) in accordance with the Agreement and applicable order or scope of work and applicable Data Protection Laws (including without limitation, the CCPA); and/or (ii) as applicable, if initiated by Data Subjects in their use of the Distinct Platform. Distinct shall not (A) Sell, Share, or otherwise make available Customer Personal Information to any third party in exchange for monetary or other valuable consideration, and (B) retain, use, or disclose Customer Personal Information outside of the direct business relationship with the Customer or for any other purpose than what is specified in the Agreement and/or this DPA. When acting as a Service Provider under the CCPA, Distinct shall not combine Customer Personal Information with Personal Information it receives from, or on behalf of, another person or persons, or that it processes as a Business, except as expressly permitted by Data Protection Laws. Distinct shall promptly notify Customer after it determines that it can no longer meet its obligations under applicable Data Protection Laws. Nothing herein shall limit or restrict Distinct’s right to use Aggregate Data and/or Deidentified Data or limit Distinct’s right to use Customer Personal Information in any manner that is not restricted by specific Data Protection Laws.

 

2.2.1 To the extent Distinct is authorized by Customer to act as a Third Party or is deemed to be a Third Party (in each case as defined under the CCPA), Distinct is not required to comply with the obligations described in Section 2.2 with respect to combining Customer Personal Information or with the obligations set forth in Section 2.2(A) and (B) (but, for the avoidance of doubt, solely when acting as a CCPA Third Party, it being understood such obligations shall still apply when Distinct is acting as a Service Provider under CCPA); however, when acting as a Third Party, Distinct shall only be required to comply with the following obligations:

 

(a) Distinct’s use of the Customer Personal Information is limited to the specific purposes identified in the Agreement and Distinct shall not exceed such specific purposes;

 

(b) Distinct shall comply with the same level of privacy protection as required of a business pursuant to the CCPA with respect to the Customer Personal Information;

 

(c) Distinct grants Customer the right to take reasonable and appropriate steps to ensure that Distinct uses the Customer Personal Information in a manner consistent with this Agreement and applicable Data Protection Laws;

 

(d) Distinct grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of Customer Personal Information made available to Distinct; and

 

(e) Distinct shall notify Customer after it makes a determination that it can no longer meet its obligations under applicable Data Protection Laws.

 

For clarity, (i) Customer hereby informs Distinct that all applicable Data Subjects have been provided with the necessary notices and opt-out rights and consented to and not opted-out from the Sale or Sharing of their Personal Information to the extent required by CCPA and (ii) when acting in the capacity of a Processor or Service Provider under applicable Data Protection Laws (but not as a Third Party under the CCPA), Distinct shall comply with all other obligations in this DPA applicable to Processors or Service Providers under applicable Data Protection Laws.

 

2.3 Customer’s Processing of Personal Information. Customer shall, in its use of the Distinct Platform, Process Personal Information in accordance with the requirements of Data Protection Laws. Customer’s instructions to Distinct related to the Processing of Customer Personal Information shall comply with Data Protection Laws. Customer instructs Distinct (and authorizes Distinct to instruct each Subprocessor) to Process Customer Personal Information, and in particular, transfer Customer Personal Information to any jurisdiction, as necessary for the provision of the Distinct Platform and consistent with the Agreement and this DPA. Distinct shall inform Customer if, in its opinion, an instruction violates Data Protection Laws. Customer represents and warrants that it shall (i) not provide Distinct with (or instruct Distinct to Process) any Personal Information unless it shall first have given and received the necessary notices and consents (and honored any opt-out rights) under Data Protection Laws; and (ii) comply with any other requirements under applicable Data Protection Laws.

 

2.4 Details of the Processing. The subject matter of Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Information, and categories of Data Subjects Processed under this DPA are specified in Annex I attached hereto.

 

3. RIGHTS OF DATA SUBJECTS

 

3.1 Taking into account the nature of the Processing and the Customer Personal Information, Distinct shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to assist the Customer in responding to Data Subject rights requests (“Data Subject Request”) and complying with requirements of Data Protection Laws in relation thereto. To the extent legally permitted, Customer shall be responsible for any costs arising from Distinct’s provision of such assistance.

 

3.2 If a Data Subject Request is made directly to Distinct, Distinct will promptly inform Customer and will advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or other communications involving Personal Information.

 

4. DISTINCT PERSONNEL

 

4.1 Confidentiality. Distinct shall ensure that its Personnel engaged in the Processing of Customer Personal Information are informed of the confidential nature of the Customer Personal Information, and have received appropriate training regarding the Processing of Customer Personal Information.

 

4.2 Reliability. Distinct shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Personnel engaged in the Processing of Customer Personal Information.

 

4.3 Limitation of Access. Distinct shall ensure that Distinct’s access to Customer Personal Information is limited to those Personnel performing the services in accordance with the Agreement.

 

5. SUBPROCESSORS

 

5.1 Appointment of Subprocessors. With respect to the Processing of Customer Personal Information, Customer authorizes Distinct to appoint Subprocessors to Process Customer Personal Information for a business purpose on behalf of Customer, and consistent with the business purpose set forth herein, pursuant to a written contract that includes obligations that are at least as protective as those set out in this DPA and as required by Data Protection Laws.

 

5.2 Notification of New Subprocessors and Customer’s Right to Object. Customer authorizes Distinct’s engagement of Subprocessors from the list provided at https://distinct.so/sub-processors/. Distinct shall notify Customer of the appointment of any new Subprocessor. With the exception of commonly engaged vendors over whom Distinct exercises little control (such as Google, Amazon, or Facebook), if, within fifteen (15) business days of receipt of that notice, Customer (acting reasonably and in good faith) notifies Distinct in writing of any objections to the appointment, Distinct shall cease disclosing any Customer Personal Information to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer. Distinct remains fully liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessors.

 

6. SECURITY

 

6.1 Controls for the Protection of Customer Personal Information. Distinct shall maintain appropriate physical, technical and organizational measures designed to protect the security, confidentiality, and integrity of Customer Personal Information. In the event of any (i) unauthorized acquisition, alteration, or disclosure of Customer Personal Information that requires notification to an individual, government or regulatory body, or law enforcement authority under Data Protection Laws, or (ii) breach of Data Protection Laws with respect to Customer Personal Information, Distinct shall notify Customer promptly. Distinct shall, taking into account the nature of processing and the information available to Distinct, assist Customer in meeting Customer’s obligations in relation to the security of processing Customer Personal Information. Distinct shall, at a minimum, implement and maintain the security measures specified in Annex II attached hereto.

 

6.2 Data Security Incident Management and Notification. Distinct shall maintain security incident management policies and procedures, and if at any time Distinct determines that there has been a Security Breach, Distinct shall promptly: (i) notify Customer in writing of such Security Breach; (ii) investigate and take steps to remediate the Security Breach, and (iii) provide information regarding the specific Customer Personal Information adversely impacted by the Security Breach as reasonably requested by Customer.

 

7. INFORMATION PROVISION AND COOPERATION

 

7.1 Demonstration of Distinct’s Compliance. Distinct shall, upon Customer’s reasonable request and to the extent required by Data Protection Laws, make available to Customer all information in Distinct’s possession necessary to demonstrate Distinct’s compliance with its obligations under Data Protection Laws.

 

7.2 Audits and Assessments. If required of Distinct under applicable Data Protection Laws, Distinct shall reasonably cooperate with Customer at Customer’s expense, in relation to any audit of Distinct reasonably necessary to enable Customer to comply with its obligations under Data Protection Laws (“Audit”), and shall seek the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) subject to a mutually agreed upon scope; (ii) conducted by an independent third party who has signed a nondisclosure agreement with Distinct or the Subprocessor, as the case may be; and (iii) subject to the confidentiality obligations set forth in the Agreement. Customer shall use reasonable endeavours to minimize any disruption caused to Distinct’s (or Subprocessor’s, as the case may be) business activities as a result of an Audit. Audits shall take place no more than once in any calendar year except as otherwise required of Distinct under applicable Data Protection Laws. In addition, if required of Distinct under applicable Data Protection Laws, Distinct shall allow Customer to take reasonable and appropriate steps to (a) ensure that Distinct’s use of Customer Personal Information is consistent with Customer’s obligations under applicable Data Protection Laws, and (b) stop and remediate unauthorized use of Customer Personal Information. Any information disclosed in connection with an Audit shall be the Confidential Information of Distinct (and/or Subprocessor, as the case may be).

 

7.3 Data Protection Assessments. Upon Customer’s request and to the extent required of Distinct under applicable Data Protection Laws, Distinct shall provide Customer, at Customer’s reasonable expense, with the reasonably necessary information needed for Customer to carry out a Data Protection Assessment related to Customer’s use of the Distinct Platform, to the extent that Customer does not otherwise have access to the relevant information and that such information is reasonably available to Distinct. To the extent required under the GDPR or UK GDPR, Distinct shall provide reasonable assistance to Customer in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this Section 7.

 

8. RETURN AND DELETION OF CUSTOMER PERSONAL INFORMATION

 

Distinct shall, on the written request of Customer, return all Customer Personal Information to Customer and/or at Customer’s request delete the same from its systems, except as otherwise permitted by applicable Data Protection Laws.

 

9. TRANSFER MECHANISMS FOR CROSS-BORDER DATA TRANSFERS

 

9.1 Transfers of EEA, Swiss, or UK Personal Information. If the Processing of Customer Personal Information includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), if required by Data Protection Laws, the Parties shall: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State as set forth in this Section 9 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Customer Personal Information to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Annexes I and II attached hereto.

 

9.2 EU SCCs Modules. The Parties agree that for transfers of Customer Personal Information from the European Economic Area (“EEA”), the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”), as annexed to Commission Implementing Decision 2021/914, are hereby incorporated by reference into this DPA.

 

Where Distinct Processes Personal Information as a Processor for Customer pursuant to the terms of the Agreement, Distinct and its relevant Subprocessor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer); Module 2: Transfer controller to processor, Clauses 1 to 18 apply.

 

9.3 EU SCCs Optional Provisions. In addition to Section 9.2, where the EU SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

 

9.3.1 In Clause 7 (Docking Clause) – the Optional provision shall NOT apply;

 

9.3.2 In Clause 9(a) (Use of sub-processors) – Option 1 shall apply (and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors);

 

9.3.3 In Clause 11(a) (Redress) – the Optional provision shall NOT apply;

 

9.3.4 In Clause 17 (Governing Law) – Option 1 shall apply, and the courts of Ireland shall govern; and

 

9.3.5 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2, 3, or 4) – the courts of Ireland shall have jurisdiction.

 

9.4 UK Model Clauses. The Parties agree that for transfers of Customer Personal Information from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed Annex I. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Annexes I and II. For the purposes of Table 4, the Parties agree that the Exporter may end the UK Addendum as set out in Section 19.

 

9.5 Swiss Data Transfers. The Parties agree that for transfers of Customer Personal Information from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

 

10. GOVERNING LAW

 

Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 9 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Agreement.

 

11. LIMITATION OF LIABILITY

 

THE “LIMITATION OF LIABILITY” SECTION OF THE AGREEMENT (OR THE EQUIVALENT THEREOF) SHALL APPLY TO ALL CLAIMS, DEMANDS, SUITS, CAUSES OF ACTION, AWARDS, JUDGMENTS AND LIABILITIES, INCLUDING REASONABLE ATTORNEYS' FEES AND COSTS, ARISING OUT OF OR ALLEGED TO HAVE ARISEN OUT OF DISTINCT’S BREACH OF ITS OBLIGATIONS UNDER THIS DPA. WITHOUT LIMITING THE FOREGOING, IF THE AGREEMENT DOES NOT INCLUDE A LIABILITY CAP, DISTINCT’S AGGREGATE LOSSES OR LIABILITY UNDER THIS DPA, INCLUDING WITH RESPECT TO LIABILITY RELATING TO A SECURITY BREACH, BREACH OF THIS DPA, OR ALLEGED OR ACTUAL VIOLATION OF DATA PROTECTION LAWS, SHALL BE LIMITED TO THE AMOUNT PAID BY CUSTOMER TO DISTINCT UNDER THE AGREEMENT IN THE 12 MONTHS PRIOR TO THE CLAIM GIVING RISE TO SUCH LOSSES.

 

12. CHANGE IN DATA PROTECTION LAWS

 

In the event of any change to or new Data Protection Law(s), the Parties shall mutually agree upon any reasonably necessary amendments or revisions to this DPA.

 

ANNEX I

 

A. LIST OF PARTIES

 

Data exporter(s):

Name: See Order Form executed by the Parties.

Address: See Order Form executed by the Parties.

Contact person’s name, position and contact details: See Order Form executed by the Parties.

Activities relevant to the data transferred under these Clauses:  See Order Form executed by the Parties.

Signature and date: See Order Form executed by the Parties.

Role (controller/processor): Controller

 

Data importer:

Name: DISTINCT Technologies, Inc.

Address: 220 Wakeman Lane, Southport, CT 06890

Contact person’s name, position and contact details: Head of Security; [email protected]

Activities relevant to the data transferred under these Clauses:  Processing Customer Personal Information in connection with the Distinct Platform.

Signature and date: See Order Form executed by the Parties.

Role (controller/processor): Processor

 

B. DESCRIPTION OF THE TRANSFER

 

Categories of Data Subjects whose Personal Information is transferred: Customer’s clients, prospective clients, and attendees and participants at Customer’s activations.

 

Categories of Personal Information transferred: Names, addresses, email addresses, phone numbers, dates of birth, gender, and/or other contact and demographic information.

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Biometric information.

 

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous basis.

 

Nature of the Processing: Distinct will Process Customer Personal Information as necessary to provide, operate, maintain, secure, and support the Services in accordance with the Agreement. Such Processing may include the collection, storage, organization, access, transmission, analysis, and deletion of Customer Personal Information, as well as any other Processing activities reasonably required to perform the Services or ensure their proper functioning and security.

 

Purpose(s) of the data transfer and further Processing: Customer Personal Information is transferred and Processed for the purpose of enabling Distinct to provide the Services and related support, including:

 

  • Delivery and operation of the Services and its functionalities;
  • Monitoring, troubleshooting, and improving system performance and security;
  • Providing customer support and communications; and
  • Compliance with applicable legal obligations and audit requirements.

 

Distinct will not Process Customer Personal Information for any purpose other than as set out in the Agreement or as otherwise instructed by the Customer in accordance with the DPA.

 

The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing: See https://distinct.so/sub-processors/

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority in accordance with Clause 13: Ireland Data Protection Commission.

 

ANNEX II

 

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

Distinct maintains leading industry-standard technical security controls designed to protect personal data against accidental or unlawful access, disclosure, alteration, loss, and destruction, including the following:

 

  • SOC 2 Certification: Distinct maintains a robust SOC 2 Type II compliance program, and renews its certification annually.

 

  • Access Controls: Authorization within the Distinct platform is limited to appropriate individuals and is managed and audited via an industry-standard proxy solution. Users are required to be initially connected via VPN, which requires multi-factor authentication, in order to connect to sensitive IT infrastructure resources via the proxy gateways. Distinct also adheres to the principle of ‘least privilege’ and implements key technological controls.

 

  • Encryption: Data in transit is typically encrypted via HTTPS (i.e., HTTP over TLS/SSL). For data at rest, sensitive data, such as API keys, and other personal identifiers, is secured using hashing algorithms.

 

  • Data Backup: Automatic data backups are performed daily, leveraging AWS’s native backup solutions.

 

  • Data Retention: Distinct has established controls and mechanisms designed to protect personal data at each stage of the data lifecycle, from collection / creation through to disposal. At the end of any retention period, Distinct deletes Customer Personal Information from its systems and databases, in accordance with its policies and procedures. 

 

  • Event logging: Access logs and object read and write logs are continuously recorded, with active reviews conducted in the event of suspicious activity or detection of a security event or incident.

 

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Copyright © 2026 All rights reserved.

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Distinct Platform Terms & Conditions between Customer and Distinct (collectively, the “Parties”) for the provision of services by Distinct (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Customer Personal Information.

 

In the course of providing the Distinct Platform to Customer, Distinct may Process Customer Personal Information on behalf of Customer, and in such case, the Parties agree to comply with the following provisions with respect to Customer Personal Information.

 

  1. DEFINITIONS

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.  In this DPA, the following terms shall have the meanings set out below:

 

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity.

 

“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.

 

“Customer Personal Information” means any Personal Information Processed by Distinct or Distinct’s Subprocessor, solely on behalf of Customer and in connection with Customer’s use of the Distinct Platform, pursuant to the express terms of an applicable statement of work or order under the Agreement.

 

“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Information and the rights of Data Subjects, which may also be called a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.

 

“Data Protection Laws” means any and all applicable  data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); (d) Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”); (e) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (f) the Virginia Consumer Data Protection Act; (g) the Colorado Privacy Act; (h) the Connecticut Data Privacy Act; (i) the Utah Consumer Privacy Act; (j) the Texas Privacy and Data Security Act; (k) the Oregon Consumer Privacy Act; (l) the Montana Consumer Data Privacy Act; (m) the Iowa Consumer Data Protection Act; (n) the New Hampshire Data Privacy Act; (o) the Nebraska Data Privacy Act; (p) the Delaware Personal Data Privacy Act; (q) the New Jersey Data Privacy Act; (r) the Tennessee Information Protection Act; (s) the Minnesota Consumer Data Privacy Act; and (t) all other equivalent or similar laws and regulations relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.

 

“Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed. The term “Data Subject” shall refer to a “Consumer” as that term is defined under Data Protection Laws.

 

“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person.

 

“Personal Information” means information that is protected by applicable Data Protection Laws or that otherwise identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household.

 

“Personnel” means officers, directors, employees, Subprocessors, agents and representatives.

 

“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including, but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.

 

“Security Breach” means any security incident that adversely impacts the security of Customer Personal Information.

 

“Subprocessor” means any third party appointed by Distinct to Process Customer Personal Information as a Distinct or Processor on behalf of Customer in connection with the Agreement.

 

The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

 

2. PROCESSING OF PERSONAL INFORMATION

 

2.1 Roles of the Parties. The Parties acknowledge and agree that solely with regard to the Processing of Customer Personal Information, Customer is the Controller or Business (as applicable), Distinct is the Processor or Service Provider (as applicable), and that Distinct will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Law. For clarity, Distinct is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not otherwise generally applicable to Distinct. The Parties further acknowledge and agree that Distinct may Process Personal Information in connection with its products and services that is not Customer Personal Information, and with respect to such Personal Information, which is not subject to this DPA, Distinct is a Controller or Business (as applicable).

 

2.2 Distinct’s Processing of Personal Information. Distinct shall treat Customer Personal Information as confidential and shall only Process Customer Personal Information as necessary to perform its obligations on behalf of and in accordance with Customer’s documented instructions for the following permitted purposes: (i) in accordance with the Agreement and applicable order or scope of work and applicable Data Protection Laws (including without limitation, the CCPA); and/or (ii) as applicable, if initiated by Data Subjects in their use of the Distinct Platform. Distinct shall not (A) Sell, Share, or otherwise make available Customer Personal Information to any third party in exchange for monetary or other valuable consideration, and (B) retain, use, or disclose Customer Personal Information outside of the direct business relationship with the Customer or for any other purpose than what is specified in the Agreement and/or this DPA. When acting as a Service Provider under the CCPA, Distinct shall not combine Customer Personal Information with Personal Information it receives from, or on behalf of, another person or persons, or that it processes as a Business, except as expressly permitted by Data Protection Laws. Distinct shall promptly notify Customer after it determines that it can no longer meet its obligations under applicable Data Protection Laws. Nothing herein shall limit or restrict Distinct’s right to use Aggregate Data and/or Deidentified Data or limit Distinct’s right to use Customer Personal Information in any manner that is not restricted by specific Data Protection Laws.

 

2.2.1 To the extent Distinct is authorized by Customer to act as a Third Party or is deemed to be a Third Party (in each case as defined under the CCPA), Distinct is not required to comply with the obligations described in Section 2.2 with respect to combining Customer Personal Information or with the obligations set forth in Section 2.2(A) and (B) (but, for the avoidance of doubt, solely when acting as a CCPA Third Party, it being understood such obligations shall still apply when Distinct is acting as a Service Provider under CCPA); however, when acting as a Third Party, Distinct shall only be required to comply with the following obligations:

 

(a) Distinct’s use of the Customer Personal Information is limited to the specific purposes identified in the Agreement and Distinct shall not exceed such specific purposes;

 

(b) Distinct shall comply with the same level of privacy protection as required of a business pursuant to the CCPA with respect to the Customer Personal Information;

 

(c) Distinct grants Customer the right to take reasonable and appropriate steps to ensure that Distinct uses the Customer Personal Information in a manner consistent with this Agreement and applicable Data Protection Laws;

 

(d) Distinct grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of Customer Personal Information made available to Distinct; and

 

(e) Distinct shall notify Customer after it makes a determination that it can no longer meet its obligations under applicable Data Protection Laws.

 

For clarity, (i) Customer hereby informs Distinct that all applicable Data Subjects have been provided with the necessary notices and opt-out rights and have consented to and not opted out from the Sale or Sharing of their Personal Information to the extent required by CCPA and (ii) when acting in the capacity of a Processor or Service Provider under applicable Data Protection Laws (but not as a Third Party under the CCPA), Distinct shall comply with all other obligations in this DPA applicable to Processors or Service Providers under applicable Data Protection Laws.

 

2.3 Customer’s Processing of Personal Information. Customer shall, in its use of the Distinct Platform, Process Personal Information in accordance with the requirements of Data Protection Laws. Customer’s instructions to Distinct related to the Processing of Customer Personal Information shall comply with Data Protection Laws. Customer instructs Distinct (and authorizes Distinct to instruct each Subprocessor) to Process Customer Personal Information, and in particular, transfer Customer Personal Information to any jurisdiction, as necessary for the provision of the Distinct Platform and consistent with the Agreement and this DPA. Distinct shall inform Customer if, in its opinion, an instruction violates Data Protection Laws. Customer represents and warrants that it shall (i) not provide Distinct with (or instruct Distinct to Process) any Personal Information unless it shall first have given and received the necessary notices and consents (and honored any opt-out rights) under Data Protection Laws; and (ii) comply with any other requirements under applicable Data Protection Laws.

 

2.4 Details of the Processing. The subject matter of Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Information, and categories of Data Subjects Processed under this DPA are specified in Annex I attached hereto.

 

3. RIGHTS OF DATA SUBJECTS

 

3.1 Taking into account the nature of the Processing and the Customer Personal Information, Distinct shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to assist the Customer in responding to Data Subject rights requests (“Data Subject Request”) and complying with requirements of Data Protection Laws in relation thereto. To the extent legally permitted, Customer shall be responsible for any costs arising from Distinct’s provision of such assistance.

 

3.2 If a Data Subject Request is made directly to Distinct, Distinct will promptly inform Customer and will advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or other communications involving Personal Information.

 

4. DISTINCT PERSONNEL

 

4.1 Confidentiality. Distinct shall ensure that its Personnel engaged in the Processing of Customer Personal Information are informed of the confidential nature of the Customer Personal Information, and have received appropriate training regarding the Processing of Customer Personal Information.

 

4.2 Reliability. Distinct shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Personnel engaged in the Processing of Customer Personal Information.

 

4.3 Limitation of Access. Distinct shall ensure that Distinct’s access to Customer Personal Information is limited to those Personnel performing the services in accordance with the Agreement.

 

5. SUBPROCESSORS

 

5.1 Appointment of Subprocessors. With respect to the Processing of Customer Personal Information, Customer authorizes Distinct to appoint Subprocessors to Process Customer Personal Information for a business purpose on behalf of Customer, and consistent with the business purpose set forth herein, pursuant to a written contract that includes obligations that are at least as protective as those set out in this DPA and as required by Data Protection Laws.

 

5.2 Notification of New Subprocessors and Customer’s Right to Object. Customer authorizes Distinct’s engagement of Subprocessors from the list provided at https://distinct.so/sub-processors/. Distinct shall notify Customer of the appointment of any new Subprocessor. With the exception of commonly engaged vendors over whom Distinct exercises little control (such as Google, Amazon, or Facebook), if, within fifteen (15) business days of receipt of that notice, Customer (acting reasonably and in good faith) notifies Distinct in writing of any objections to the appointment, Distinct shall cease disclosing any Customer Personal Information to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer. Distinct remains fully liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessors.

 

6. SECURITY

 

6.1 Controls for the Protection of Customer Personal Information. Distinct shall maintain appropriate physical, technical and organizational measures designed to protect the security, confidentiality, and integrity of Customer Personal Information. In the event of any (i) unauthorized acquisition, alteration, or disclosure of Customer Personal Information that requires notification to an individual, government or regulatory body, or law enforcement authority under Data Protection Laws, or (ii) breach of Data Protection Laws with respect to Customer Personal Information, Distinct shall notify Customer promptly. Distinct shall, taking into account the nature of processing and the information available to Distinct, assist Customer in meeting Customer’s obligations in relation to the security of processing Customer Personal Information. Distinct shall, at a minimum, implement and maintain the security measures specified in Annex II attached hereto.

 

6.2 Data Security Incident Management and Notification. Distinct shall maintain security incident management policies and procedures, and if at any time Distinct determines that there has been a Security Breach, Distinct shall promptly: (i) notify Customer in writing of such Security Breach; (ii) investigate and take steps to remediate the Security Breach, and (iii) provide information regarding the specific Customer Personal Information adversely impacted by the Security Breach as reasonably requested by Customer.

 

7. INFORMATION PROVISION AND COOPERATION

 

7.1 Demonstration of Distinct’s Compliance. Distinct shall, upon Customer’s reasonable request and to the extent required by Data Protection Laws, make available to Customer all information in Distinct’s possession necessary to demonstrate Distinct’s compliance with its obligations under Data Protection Laws.

 

7.2 Audits and Assessments. If required of Distinct under applicable Data Protection Laws, Distinct shall reasonably cooperate with Customer at Customer’s expense, in relation to any audit of Distinct reasonably necessary to enable Customer to comply with its obligations under Data Protection Laws (“Audit”), and shall seek the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) subject to a mutually agreed upon scope; (ii) conducted by an independent third party who has signed a nondisclosure agreement with Distinct or the Subprocessor, as the case may be; and (iii) subject to the confidentiality obligations set forth in the Agreement. Customer shall use reasonable endeavours to minimize any disruption caused to Distinct’s (or Subprocessor’s, as the case may be) business activities as a result of an Audit. Audits shall take place no more than once in any calendar year except as otherwise required of Distinct under applicable Data Protection Laws. In addition, if required of Distinct under applicable Data Protection Laws, Distinct shall allow Customer to take reasonable and appropriate steps to (a) ensure that Distinct’s use of Customer Personal Information is consistent with Customer’s obligations under applicable Data Protection Laws, and (b) stop and remediate unauthorized use of Customer Personal Information. Any information disclosed in connection with an Audit shall be the Confidential Information of Distinct (and/or Subprocessor, as the case may be).

 

7.3 Data Protection Assessments. Upon Customer’s request and to the extent required of Distinct under applicable Data Protection Laws, Distinct shall provide Customer, at Customer’s reasonable expense, with the reasonably necessary information needed for Customer to carry out a Data Protection Assessment related to Customer’s use of the Distinct Platform, to the extent that Customer does not otherwise have access to the relevant information and that such information is reasonably available to Distinct. To the extent required under the GDPR or UK GDPR, Distinct shall provide reasonable assistance to Customer in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this Section 7.

 

8. RETURN AND DELETION OF CUSTOMER PERSONAL INFORMATION

 

Distinct shall, on the written request of Customer, return all Customer Personal Information to Customer and/or at Customer’s request delete the same from its systems, except as otherwise permitted by applicable Data Protection Laws.

 

9. TRANSFER MECHANISMS FOR CROSS-BORDER DATA TRANSFERS

 

9.1 Transfers of EEA, Swiss, or UK Personal Information. If the Processing of Customer Personal Information includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), if required by Data Protection Laws, the Parties shall: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State as set forth in this Section 9 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Customer Personal Information to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Annexes I and II attached hereto.

 

9.2 EU SCCs Modules. The Parties agree that for transfers of Customer Personal Information from the European Economic Area (“EEA”), the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”), as annexed to Commission Implementing Decision 2021/914, are hereby incorporated by reference into this DPA.

 

Where Distinct Processes Personal Information as a Processor for Customer pursuant to the terms of the Agreement, Distinct and its relevant Subprocessor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer); Module 2: Transfer controller to processor, Clauses 1 to 18 apply.

 

9.3 EU SCCs Optional Provisions. In addition to Section 9.2, where the EU SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

 

9.3.1 In Clause 7 (Docking Clause) – the Optional provision shall NOT apply;

 

9.3.2 In Clause 9(a) (Use of sub-processors) – Option 1 shall apply (and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors);

 

9.3.3 In Clause 11(a) (Redress) – the Optional provision shall NOT apply;

 

9.3.4 In Clause 17 (Governing Law) – Option 1 shall apply, and the courts of Ireland shall govern; and

 

9.3.5 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2, 3, or 4) – the courts of Ireland shall have jurisdiction.

 

9.4 UK Model Clauses. The Parties agree that for transfers of Customer Personal Information from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed Annex I. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Annexes I and II. For the purposes of Table 4, the Parties agree that the Exporter may end the UK Addendum as set out in Section 19.

 

9.5 Swiss Data Transfers. The Parties agree that for transfers of Customer Personal Information from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

 

10. GOVERNING LAW

 

Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 9 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Agreement.

 

11. LIMITATION OF LIABILITY

 

THE “LIMITATION OF LIABILITY” SECTION OF THE AGREEMENT (OR THE EQUIVALENT THEREOF) SHALL APPLY TO ALL CLAIMS, DEMANDS, SUITS, CAUSES OF ACTION, AWARDS, JUDGMENTS AND LIABILITIES, INCLUDING REASONABLE ATTORNEYS' FEES AND COSTS, ARISING OUT OF OR ALLEGED TO HAVE ARISEN OUT OF DISTINCT’S BREACH OF ITS OBLIGATIONS UNDER THIS DPA. WITHOUT LIMITING THE FOREGOING, IF THE AGREEMENT DOES NOT INCLUDE A LIABILITY CAP, DISTINCT’S AGGREGATE LOSSES OR LIABILITY UNDER THIS DPA, INCLUDING WITH RESPECT TO LIABILITY RELATING TO A SECURITY BREACH, BREACH OF THIS DPA, OR ALLEGED OR ACTUAL VIOLATION OF DATA PROTECTION LAWS, SHALL BE LIMITED TO THE AMOUNT PAID BY CUSTOMER TO DISTINCT UNDER THE AGREEMENT IN THE 12 MONTHS PRIOR TO THE CLAIM GIVING RISE TO SUCH LOSSES.

 

12. CHANGE IN DATA PROTECTION LAWS

 

In the event of any change to or new Data Protection Law(s), the Parties shall mutually agree upon any reasonably necessary amendments or revisions to this DPA.

 

ANNEX I

 

A. LIST OF PARTIES

 

Data exporter(s):

Name: See Order Form executed by the Parties.

Address: See Order Form executed by the Parties.

Contact person’s name, position and contact details: See Order Form executed by the Parties.

Activities relevant to the data transferred under these Clauses: See Order Form executed by the Parties.

Signature and date: See Order Form executed by the Parties.

Role (controller/processor): Controller

 

Data importer:

Name: DISTINCT Technologies, Inc.

Address: 220 Wakeman Lane, Southport, CT 06890

Contact person’s name, position and contact details: Head of Security; [email protected]

Activities relevant to the data transferred under these Clauses: Processing Customer Personal Information in connection with the Distinct Platform.

Signature and date: See Order Form executed by the Parties.

Role (controller/processor): Processor

 

B. DESCRIPTION OF THE TRANSFER

 

Categories of Data Subjects whose Personal Information is transferred: Customer’s clients, prospective clients, and attendees and participants at Customer’s activations.

 

Categories of Personal Information transferred: Names, addresses, email addresses, phone numbers, dates of birth, gender, and/or other contact and demographic information.

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Biometric information.

 

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous basis.

 

Nature of the Processing: Distinct will Process Customer Personal Information as necessary to provide, operate, maintain, secure, and support the Services in accordance with the Agreement. Such Processing may include the collection, storage, organization, access, transmission, analysis, and deletion of Customer Personal Information, as well as any other Processing activities reasonably required to perform the Services or ensure their proper functioning and security.

 

Purpose(s) of the data transfer and further Processing: Customer Personal Information is transferred and Processed for the purpose of enabling Distinct to provide the Services and related support, including:

 

  • Delivery and operation of the Services and its functionalities;
  • Monitoring, troubleshooting, and improving system performance and security;
  • Providing customer support and communications; and
  • Compliance with applicable legal obligations and audit requirements.

 

Distinct will not Process Customer Personal Information for any purpose other than as set out in the Agreement or as otherwise instructed by the Customer in accordance with the DPA.

 

The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing: See https://distinct.so/sub-processors/

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority in accordance with Clause 13: Ireland Data Protection Commission.

 

ANNEX II

 

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

Distinct maintains leading industry-standard technical security controls designed to protect personal data against accidental or unlawful access, disclosure, alteration, loss, and destruction, including the following:

 

  • SOC 2 Certification: Distinct maintains a robust SOC 2 Type II compliance program, and renews its certification annually.

 

  • Access Controls: Authorization within the Distinct platform is limited to appropriate individuals and is managed and audited via an industry-standard proxy solution. Users are required to be initially connected via VPN, which requires multi-factor authentication, in order to connect to sensitive IT infrastructure resources via the proxy gateways. Distinct also adheres to the principle of ‘least privilege’ and implements key technological controls.

 

  • Encryption: Data in transit is typically encrypted via HTTPS (i.e., HTTP over TLS/SSL). For data at rest, sensitive data, such as API keys and other personal identifiers, is secured using hashing algorithms.

 

  • Data Backup: Automatic data backups are performed daily, leveraging AWS’s native backup solutions.

 

  • Data Retention: Distinct has established controls and mechanisms designed to protect personal data at each stage of the data lifecycle, from collection / creation through to disposal. At the end of any retention period, Distinct deletes Customer Personal Information from its systems and databases, in accordance with its policies and procedures. 

 

  • Event logging: Access logs and object read and write logs are continuously recorded, with active reviews conducted in the event of suspicious activity or detection of a security event or incident.

 

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.