Common use of Data Processing Instructions Clause in Contracts

Data Processing Instructions. Purposes Specify all purposes for which the Personal Data will be processed by the Data Processor. Marketing data reporting and analytics. Categories of Data Specify the different types of Personal Data that will be processed by the Data Processor The following Personal Data is processed by default. If the Data Controller intends to process other categories of Personal Data with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Email Address ● Name (on a voluntary basis) Data Subjects Specify the categories of data subjects whose personal data will be processed by the Data Processor. The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Users of the Application Services Processing Operations Specify all processing activities to be conducted by the Data Processor Collect, harmonize, store, and analyze data. Sub-processor(s) Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the personal data is processed by such Sub-processor Applicable in case of Application Services hosting by Data Processor: 1. Amazon Web Services EMEA SARL (0 xxx Xxxxxxx, X-0000 Xxxxxxxxxx); or Google Ireland Limited (Xxxxxx Xxxxx, Xxxxxx Street, Dublin 4, Ireland); or Microsoft Ireland Operations Ltd, (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, X00 X000, Xxxxxxx). Purpose: Hosting infrastructure for server and databases. 2. Adverity Inc. (980 0xx Xxx, 0xx Xxxxx, Xxx Xxxx, XX 00000, XXX) Purpose: Support of internal business operations. Applicable in case of Application Services hosting by Data Controller: 1. Adverity Inc. (980 0xx Xxx, 0xx Xxxxx, Xxx Xxxx, XX 00000, XXX) Purpose: Support of internal business operations. Location of Processing Operations Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable) Applicable in case of Application Services hosting by Data Processor: ● If the Data Controller is based in the EU, the data will be hosted on servers located in a data center in the EU. ● If the Data Controller is located outside the EU, the data might be hosted on servers inside or outside the EU. At the request of the Data Controller, the specific location will be communicated to the Data Controller. Applicable in case of Application Services hosting by Data Controller: ● Austria and Data Processing Service Center of Data Controller. Appendix 2 - Technical and Organizational Measures (“TOMs”) The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing. General Description of Measures Description of Measures Implemented Access Control (premises) Preventing unauthorized persons from gaining access to data processing systems ● Used hosting provider complies: ● with ISO 27018 which is based on ISO 27000 ● Access control systems (smart cards, biometric control) ● Security personnel at entrances (backgrounds checked) ● Right to access generally limited ● List of authorized people (manager approval required) ● Surveillance systems (alarm system, door prop alarm, motion detectors, 24x7 CCTV) ● Visitor logbook (time and purpose of entry, time of exit) Access Control (systems) Preventing data processing systems from being used without authorization ● Database security controls restrict access ● Access rights based on roles and need to know ● Password policy ● Automatic blocking of access (e.g. password, timeout) ● Protocol of failed log-in attempts Access Control (data) Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization ● Access rights based on roles and need to know ● Approval process for access rights; periodical reviews and audits ● Signed confidentiality undertakings ● Optional restricted to Office IPs Transmission Control Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data ● Encrypted transfer (HTTPS, SSL, SSH; XXX, 0000-xxx keys) ● Log files Input Control Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed ● Access rights based on roles and need to know ● Approval process for access rights ● Log files Job Control Ensuring that the Personal Data is processed exclusively in accordance with the instructions ● Diligently selecting (Sub-)processors and other service providers ● Documenting selection procedures (privacy and security policies, audit reports, certifications) ● Backgrounds of service providers are checked, subsequent monitoring ● Standardized policies and procedures (including clear segregation of responsibilities); documentation of instructions received from data controller ● Signed confidentiality undertakings Availability Control ● Redundant uninterruptible power supply (UPS) Ensuring that Personal Data is protected from accidental destruction and loss ● Air-conditioning, temperature and humidity controls (monitored 24x7) ● Disaster-proof housing (smoke detection, fire alarm, fire suppression, water detection, raised flooring, protection against severe weather conditions, pest repellent system) ● Electrical equipment monitored and logged, 24x7 support ● Daily backup procedures ● Disaster recovery plan ● Routinely test-running data recovery Separation Control Ensuring that data collected for different purposes can be processed separately ● Separate processing possibilities in the Application Services for HR data, production data, supplier data, customer data ● Separation between productive and test data ● Detailed management of access rights Document Information Document Owner Head of Legal Version V2.0

Data Processing Instructions. Purposes Specify all purposes for which the Personal Data will be processed by the Data Processor. Marketing data reporting and analytics. Categories of Data Specify the different types of Personal Data that will be processed by the Data Processor The following Personal Data is processed by default. If the Data Controller intends to process other categories of Personal Data with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Email Address ● Name (on a voluntary basis) Data Subjects Specify the categories of data subjects whose personal data will be processed by the Data Processor. The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Users of the Application Services Processing Operations Specify all processing activities to be conducted by the Data Processor Collect, harmonize, store, and analyze data. Sub-processor(s) Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the personal data is processed by such Sub-processor Applicable in case of Application Services hosting by Data Processor: 1. Amazon Web Services EMEA SARL (0 xxx Xxxxxxx, X-0000 Xxxxxxxxxx); or Google Ireland Limited (Xxxxxx XxxxxHouse, Xxxxxx Street, Dublin 4, Ireland); or Microsoft Ireland Operations Ltd, (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, X00 X000, XxxxxxxIreland). Purpose: Hosting infrastructure for server and databases. 2. Adverity Inc. (980 000 0xx Xxx, 0xx Xxxxx, Xxx Xxxx, XX 00000, XXX) Purpose: Support of internal business operations. Applicable in case of Application Services hosting by Data Controller: 1. Adverity Inc. (980 000 0xx Xxx, 0xx Xxxxx, Xxx Xxxx, XX 00000, XXX) Purpose: Support of internal business operations. Location of Processing Operations Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable) Applicable in case of Application Services hosting by Data Processor: ● If the Data Controller is based in the EU, the data will be hosted on servers located in a data center in the EU. ● If the Data Controller is located outside the EU, the data might be hosted on servers inside or outside the EU. At the request of the Data Controller, the specific location will be communicated to the Data Controller. Applicable in case of Application Services hosting by Data Controller: ● Austria and Data Processing Service Center of Data Controller. Appendix 2 - Technical and Organizational Measures (“TOMs”) The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing. General Description of Measures Description of Measures Implemented Access Control (premises) Preventing unauthorized persons from gaining access to data processing systems ● Used hosting provider complies: ● with ISO 27018 which is based on ISO 27000 ● Access control systems (smart cards, biometric control) ● Security personnel at entrances (backgrounds checked) ● Right to access generally limited ● List of authorized people (manager approval required) ● Surveillance systems (alarm system, door prop alarm, motion detectors, 24x7 CCTV) ● Visitor logbook (time and purpose of entry, time of exit) Access Control (systems) Preventing data processing systems from being used without authorization ● Database security controls restrict access ● Access rights based on roles and need to know ● Password policy ● Automatic blocking of access (e.g. password, timeout) ● Protocol of failed log-in attempts Access Control (data) Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization ● Access rights based on roles and need to know ● Approval process for access rights; periodical reviews and audits ● Signed confidentiality undertakings ● Optional restricted to Office IPs Transmission Control Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data ● Encrypted transfer (HTTPS, SSL, SSH; XXXRSA, 00004096-xxx bit keys) ● Log files Input Control Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed ● Access rights based on roles and need to know ● Approval process for access rights ● Log files Job Control Ensuring that the Personal Data is processed exclusively in accordance with the instructions ● Diligently selecting (Sub-)processors and other service providers ● Documenting selection procedures (privacy and security policies, audit reports, certifications) ● Backgrounds of service providers are checked, subsequent monitoring ● Standardized policies and procedures (including clear segregation of responsibilities); documentation of instructions received from data controller ● Signed confidentiality undertakings Availability Control ● Redundant uninterruptible power supply (UPS) Ensuring that Personal Data is protected from accidental destruction and loss ● Air-conditioning, temperature and humidity controls (monitored 24x7) ● Disaster-proof housing (smoke detection, fire alarm, fire suppression, water detection, raised flooring, protection against severe weather conditions, pest repellent system) ● Electrical equipment monitored and logged, 24x7 support ● Daily backup procedures ● Disaster recovery plan ● Routinely test-running data recovery Separation Control Ensuring that data collected for different purposes can be processed separately ● Separate processing possibilities in the Application Services for HR data, production data, supplier data, customer data ● Separation between productive and test data ● Detailed management of access rights Document Information Document Owner Head of Legal Version V2.0

Data Processing Instructions. Purposes Specify all purposes for which the Personal Data will be processed by the Data Processor. Marketing data reporting and analytics. Categories of Data Specify the different types of Personal Data that will be processed by the Data Processor The following Personal Data is processed by default. If the Data Controller intends to process other categories of Personal Data with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Email Address ● Name (on a voluntary basis) Data Subjects Specify the categories of data subjects whose personal data will be processed by the Data Processor. The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Users of the Application Services Processing Operations Specify all processing activities to be conducted by the Data Processor Collect, harmonize, store, and analyze data. Sub-processor(s) Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the personal data is processed by such Sub-processor Applicable in case of Application Services hosting by Data Processor: 1. Amazon Web Services EMEA SARL (0 xxx Xxxxxxx, X-0000 Xxxxxxxxxx); or Google Ireland Limited (Xxxxxx Xxxxx, Xxxxxx Street, Dublin 4, Ireland); or Microsoft Ireland Operations Ltd, (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, X00 X000, Xxxxxxx). Purpose: Hosting infrastructure for server and databases. 2. Adverity Inc. (980 0xx XxxSupportYourApp, 0xx XxxxxInc., Xxx 0000 Xxxxxxx Xxxx, XX Xxxxx 000, Xxxxxxxxxx, XX, 00000, XXX) XXX Purpose: Support services related to functionality, technical issues of internal business operationsthe Data Processors’ Application Services and how-to- explanations as well as all actions that technically cannot be performed by Data Controller. Applicable in case of Application Services hosting by Data Controller: 1. Adverity Inc. (980 0xx Xxx, 0xx Xxxxx, Xxx Xxxx, XX 00000, XXX) Purpose: Support of internal business operationsNone. Location of Processing Operations Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable) Applicable in case of Application Services hosting by Data Processor: ● If the Data Controller is based in the EUUnited States of America, the data will be hosted on servers located in a data center in the EU. United States of America ● If the Data Controller is located outside the EUUnited States of America, the data might be hosted on servers inside or outside the EUUnited States of America. At the request of the Data Controller, the specific location will be communicated to the Data Controller. Applicable in case of Application Services hosting by Data Controller: ● Austria United States and Data Processing Service Center of Data Controller. Appendix 2 - Technical and Organizational Measures (“TOMs”) The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing. General Description of Measures Description of Measures Implemented Access Control (premises) Preventing unauthorized persons from gaining access to data processing systems ● Used hosting provider complies: ● with ISO 27018 which is based on ISO 27000 ● Access control systems (smart cards, biometric control) ● Security personnel at entrances (backgrounds checked) ● Right to access generally limited ● List of authorized people (manager approval required) ● Surveillance systems (alarm system, door prop alarm, motion detectors, 24x7 CCTV) ● Visitor logbook (time and purpose of entry, time of exit) Access Control (systems) Preventing data processing systems from being used without authorization ● Database security controls restrict access ● Access rights based on roles and need to know ● Password policy ● Automatic blocking of access (e.g. password, timeout) ● Protocol of failed log-in attempts Access Control (data) Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization ● Access rights based on roles and need to know ● Approval process for access rights; periodical reviews and audits ● Signed confidentiality undertakings ● Optional restricted to Office IPs Transmission Control Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data ● Encrypted transfer (HTTPS, SSL, SSH; XXX, 0000-xxx keys) ● Log files Input Control Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed ● Access rights based on roles and need to know ● Approval process for access rights ● Log files Job Control Ensuring that the Personal Data is processed exclusively in accordance with the instructions ● Diligently selecting (Sub-)processors and other service providers ● Documenting selection procedures (privacy and security policies, audit reports, certifications) ● Backgrounds of service providers are checked, subsequent monitoring ● Standardized policies and procedures (including clear segregation of responsibilities); documentation of instructions received from data controller ● Signed confidentiality undertakings Availability Control ● Redundant uninterruptible power supply (UPS) Ensuring that Personal Data is protected from accidental destruction and loss ● Air-conditioning, temperature and humidity controls (monitored 24x7) ● Disaster-proof housing (smoke detection, fire alarm, fire suppression, water detection, raised flooring, protection against severe weather conditions, pest repellent system) ● Electrical equipment monitored and logged, 24x7 support ● Daily backup procedures ● Disaster recovery plan ● Routinely test-running data recovery Separation Control Ensuring that data collected for different purposes can be processed separately ● Separate processing possibilities in the Application Services for HR data, production data, supplier data, customer data ● Separation between productive and test data ● Detailed management of access rights Document Information Document Owner Head of Legal Version V2.0

Data Processing Instructions. Purposes Specify all purposes for which the Personal Data will be processed by the Data Processor. Marketing data reporting and analytics. Categories of Data Specify the different types of Personal Data that will be processed by the Data Processor The following Personal Data is processed by default. If the Data Controller intends to process other categories of Personal Data with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Email Address ● IP Address ● Name (on a voluntary basis) Data Subjects Specify the categories of data subjects whose personal data will be processed by the Data Processor. The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded. ● Users of the Application Services Processing Operations Specify all processing activities to be conducted by the Data Processor Collect, harmonize, store, and analyze data. Sub-processor(s) Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the personal data is processed by such Sub-processor Applicable in case of Application Services hosting by Data Processor: 1. Amazon Web Services EMEA SARL (0 xxx Xxxxxxx, X-0000 Xxxxxxxxxx); or Google Ireland Limited (Xxxxxx Xxxxx, Xxxxxx Street, Dublin 4, Ireland); or Microsoft Ireland Operations Ltd, (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, X00 X000, Xxxxxxx). Purpose: Hosting infrastructure for server and databases. 2. Adverity Inc. (980 0xx Xxx, 0xx Xxxxx, Xxx Xxxx, XX 00000, XXX) Purpose: Support of internal business operations. Applicable in case of Application Services hosting by Data Controller: 1. Adverity Inc. (980 0xx Xxx, 0xx Xxxxx, Xxx Xxxx, XX 00000, XXX) Purpose: Support of internal business operations. Location of Processing Operations Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable) Applicable in case of Application Services hosting by Data Processor: ● If the Data Controller is based in the EU, the data will be hosted on servers located in a data center in the EU. ● If the Data Controller is located outside the EU, the data might be hosted on servers inside or outside the EU. At the request of the Data Controller, the specific location will be communicated to the Data Controller. Applicable in case of Application Services hosting by Data Controller: ● Austria and Data Processing Service Center of Data Controller. Appendix 2 - Technical and Organizational Measures (“TOMs”) The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing. General Description of Measures Description of Measures Implemented Access Control (premises) Preventing unauthorized persons from gaining access to data processing systems ● Used hosting provider complies: ● with ISO 27018 which is based on ISO 27000 ● Access control systems (smart cards, biometric control) ● Security personnel at entrances (backgrounds checked) ● Right to access generally limited ● List of authorized people (manager approval required) ● Surveillance systems (alarm system, door prop alarm, motion detectors, 24x7 CCTV) ● Visitor logbook (time and purpose of entry, time of exit) Access Control (systems) Preventing data processing systems from being used without authorization ● Database security controls restrict access ● Access rights based on roles and need to know ● Password policy ● Automatic blocking of access (e.g. password, timeout) ● Protocol of failed log-in attempts Access Control (data) Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization ● Access rights based on roles and need to know ● Approval process for access rights; periodical reviews and audits ● Signed confidentiality undertakings ● Optional restricted to Office IPs Transmission Control Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data ● Encrypted transfer (HTTPS, SSL, SSH; XXX, 0000-xxx keys) ● Log files Input Control Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed ● Access rights based on roles and need to know ● Approval process for access rights ● Log files Job Control Ensuring that the Personal Data is processed exclusively in accordance with the instructions ● Diligently selecting (Sub-)processors and other service providers ● Documenting selection procedures (privacy and security policies, audit reports, certifications) ● Backgrounds of service providers are checked, subsequent monitoring ● Standardized policies and procedures (including clear segregation of responsibilities); documentation of instructions received from data controller ● Signed confidentiality undertakings Availability Control ● Redundant uninterruptible power supply (UPS) Ensuring that Personal Data is protected from accidental destruction and loss ● Air-conditioning, temperature and humidity controls (monitored 24x7) ● Disaster-proof housing (smoke detection, fire alarm, fire suppression, water detection, raised flooring, protection against severe weather conditions, pest repellent system) ● Electrical equipment monitored and logged, 24x7 support ● Daily backup procedures ● Disaster recovery plan ● Routinely test-running data recovery Separation Control Ensuring that data collected for different purposes can be processed separately ● Separate processing possibilities in the Application Services for HR data, production data, supplier data, customer data ● Separation between productive and test data ● Detailed management of access rights Document Information Document Owner Head of Legal Version V2.0V2.1