Common use of DATA PROCESSING TERMS Clause in Contracts

DATA PROCESSING TERMS. 2.1 The Parties acknowledge that the Customer is the Data Controller and Blue Yonder is a Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the Customer remains the owner of all Customer Personal Data. 2.2 This Data Processing Addendum only applies to the processing of Customer Personal Data by Blue Yonder in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Personal Data processed are set out in an Annex to the Letter. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in the 'Processing activities' section of the Annex to the Letter. Blue Yonder shall process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by applicable law). 2.3 Each party warrants that in relation to this Data Processing Addendum, it is compliant with and will remain compliant with all Applicable Laws. 2.4 Notwithstanding anything to the contrary in the Agreement, in relation to Customer Personal Data, Blue Yonder shall: 2.4.1 process Customer Personal Data only in accordance with the Customer's instructions as established in the Agreement or as provided in writing by the Customer from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should the scope of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits this; 2.4.2 ensure only its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer's obligation to respond to requests from Data Subjects of Customer Personal Data seeking to exercise their rights under European Data Protection Law (to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided under the Agreement); 2.4.5 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of processing and the information available to Blue Yonder, assist the Customer with its obligations under Articles 32 to 36 of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request by the Customer, delete or return to the Customer any such Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the 'Processing activities' section of the Annex to the Letter, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.html, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection Law. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the Letter) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:

DATA PROCESSING TERMS. 2.1 The Parties acknowledge In relation to the Processing of any Personal Data in the User Data, the parties agree that the Customer is Client and/or its user(s) is/are the Data Controller and Blue Yonder the Supplier is a the Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the Customer remains the owner of all Customer Personal DataProcessor. 2.2 This Data Processing Addendum only applies to Schedule 4 sets out the subject matter, duration, nature and purpose of the processing by the Supplier, as well as the types and categories of Customer Personal Data by Blue Yonder in connection with and the Services under the Agreement. The categories of Data Subjects obligations and types of Customer Personal Data processed are set out in an Annex to the Letter. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in the 'Processing activities' section rights of the Annex to the Letter. Blue Yonder shall process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by applicable law)Client. 2.3 Each party warrants The Supplier shall in respect of such Personal Data: (i) process that in relation Personal Data only on the documented written instructions of the Client unless the Supplier is required by Applicable Laws to this Data Processing Addendum, it otherwise process that Personal Data. Where the Supplier is compliant with and will remain compliant with all relying on Applicable Laws. 2.4 Notwithstanding anything to Laws as the contrary in the Agreement, in relation to Customer basis for processing Personal Data, Blue Yonder shall: 2.4.1 process Customer Personal Data only in accordance with the Customer's instructions as established in Supplier shall promptly notify the Agreement or as provided in writing Client of this before performing the processing required by the Customer Applicable Laws unless those Applicable Laws prohibit the Supplier from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should notifying the scope of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits thisClient; 2.4.2 (ii) ensure only its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth that it has in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing place appropriate technical and organisational measures, insofar as this is possiblereviewed and approved by the Client, to assist with the Customer's obligation to respond to requests from Data Subjects protect against unauthorised or unlawful processing of Customer Personal Data seeking to exercise their rights under European Data Protection Law (and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the extent harm that might result from the Customer unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Personal Data is not accessible to be protected, having regard to the Customer through state of technological development and the Services provided under the Agreement)cost of implementing any measures; 2.4.5 (iii) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; (iv) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the Client has provided appropriate safeguards in relation to the transfer; (v) assist the Client, at the Customer’s reasonable request and at the CustomerClient’s cost, taking into account the nature of processing in responding to any request from a Data Subject and the information available to Blue Yonder, assist the Customer in ensuring compliance with its obligations under Articles 32 the Data Protection Legislation with respect to 36 security, breach, notifications, impact assessments and consultations with supervisory authorities or regulators; (vi) notify the Client without undue delay on becoming aware of a Personal Data breach; (vii) at the written direction of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request by the CustomerClient, delete or return Personal Data and copies thereof to the Customer any such Customer Personal Data within the agreed period of time after the end Client on termination of the provision Contract unless required by Applicable Laws to store the Personal Data; and (viii) maintain complete and accurate records and information to demonstrate its compliance with this Schedule 4 and allow for audits by the Client on reasonable notice and immediately inform the Client if, in the opinion of the Services as set out in Supplier, an instruction infringes the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the 'Processing activities' section of the Annex to the Letter, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.html, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection LawLegislation. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the Letter) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:

DATA PROCESSING TERMS. 2.1 The Parties acknowledge that By executing the Customer Principal Agreement: a) BlackLine will comply with all obligations applicable to it as a Service Provider or Processor under U.S. Data Protection Laws. BlackLine will provide Consumer Personal Information with the same level of privacy protection as is the required by U.S. Data Controller and Blue Yonder is a Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the Customer remains the owner of all Customer Personal DataProtection Laws. 2.2 This Data Processing Addendum only applies to the processing of Customer b) BlackLine will not Sell or Share Consumer Personal Data by Blue Yonder in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Information. c) BlackLine will not retain, use, or disclose Consumer Personal Data processed are set out in an Annex to the Letter. Customer Personal Data is processed Information for any purpose other than for the Business Purposes specified in the DPA and the Principal Agreement, including retaining, using, or disclosing Consumer Personal Information for a Commercial Purpose other than the Business Purposes specified in the DPA and the Principal Agreement, or as otherwise permitted by Applicable Law. d) BlackLine will not retain, use, or disclose Consumer Personal Information outside of the direct business relationship between BlackLine and Customer, unless otherwise permitted by Applicable Law. e) Except as otherwise permitted by Applicable Law, BlackLine will not combine Consumer Personal Information with other personal information that it receives from other sources, including the information collected from BlackLine’s independent interaction with a Consumer. This does not include combining Consumer Personal Information in the context of the business purpose of providing the Services and other purposes as identified in the 'Processing activities' section of the Annex to the Letter. Blue Yonder shall process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by applicable law)Hosted Service. 2.3 Each party warrants f) BlackLine will ensure that it has a written agreement in relation to place with all Sub-processors which contains obligations on the Sub-processor which are no less protective of Consumer Personal Information than the obligations on BlackLine under this Data Processing U.S. Addendum. g) If BlackLine makes a determination that it can no longer meet its obligations under this U.S. Addendum, it is compliant with shall notify Customer of that determination within the time period required under U.S. Data Protection Laws and will remain compliant with all Applicable Lawscease the Processing of Consumer Personal Information or take other reasonable and appropriate steps to remediate. 2.4 Notwithstanding anything h) Customer has the right to the contrary in the Agreement, in relation to Customer Personal Data, Blue Yonder shall: 2.4.1 process Customer Personal Data only take reasonable and appropriate steps in accordance with the DPA and the Principal Agreement (e.g., Section 9 – Certification and Audits) to help ensure that BlackLine uses Consumer Personal Information in a manner consistent with Customer's instructions as established in ’s obligations under U.S. Data Protection Laws. i) Upon notice, Customer will have the Agreement or as provided in writing by the Customer from time right to time, provided such instructions are take reasonable and subject appropriate steps in accordance with the DPA and Principal Agreement to Blue Yonder's right stop and remediate unauthorized use of Consumer Personal Information. j) BlackLine certifies that it has read and understands this U.S. Addendum and will abide by it. k) Customer is responsible for ensuring that it has complied, and will continue to charge additional sums at comply, with the requirements of U.S. Data Protection Laws in its current rates should the scope use of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Hosted Service and its own Processing of Consumer Personal Information. l) Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits this; 2.4.2 ensure only specifically acknowledges that its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature use of the Customer Hosted Service will not violate the rights of any Consumer that has opted-out from Sales, Sharing or other disclosures of Consumer Personal Data which is to be protected and shall be as set forth in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s costInformation, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer's obligation to respond to requests from Data Subjects of Customer Personal Data seeking to exercise their rights under European Data Protection Law (to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided applicable under the Agreement); 2.4.5 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of processing and the information available to Blue Yonder, assist the Customer with its obligations under Articles 32 to 36 of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request by the Customer, delete or return to the Customer any such Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the 'Processing activities' section of the Annex to the Letter, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.html, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection Law. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the Letter) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European U.S. Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:.

DATA PROCESSING TERMS. 2.1 1.1 The Parties parties acknowledge that for the Customer purposes of the Data Protection Legislation, the Academic Partner is the Data Controller and Blue Yonder the Fundable Body is a the Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the Customer remains the owner of all Customer Personal Data. 2.2 This Data Processing Addendum only applies in relation to the processing activity set out in Section 3 of Customer Annex A (“the Services”). Section 3 of Annex A sets out the scope, nature and purpose of processing by the Fundable Body, the duration of the processing and the types of Shared Personal Data and categories of Data Subject. 1.2 Without prejudice to the generality of paragraph 1.1, the Academic Partner will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Shared Personal Data to the Fundable Body and/or lawful collection of the Shared Personal Data by Blue Yonder the Fundable Body on behalf of the Academic Partner for the duration and purposes of this Agreement. 1.3 Without prejudice to the generality of paragraph 1.1, the Fundable Body shall, in relation to any Shared Personal Data processed in connection with the Services under performance of the Agreement. The categories of Data Subjects and types of Customer Services: (a) process that Shared Personal Data processed are set out in an Annex to only on the Letter. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in the 'Processing activities' section documented written instructions of the Annex Academic Partner unless the Fundable Body is required by Data Protection Legislation to otherwise process that Shared Personal Data. Where the Letter. Blue Yonder shall process Customer Personal Fundable Body is relying on Data Protection Legislation as the basis for the duration of the Agreement (or longer to the extent permitted by applicable law). 2.3 Each party warrants that in relation to this Data Processing Addendum, it is compliant with and will remain compliant with all Applicable Laws. 2.4 Notwithstanding anything to the contrary in the Agreement, in relation to Customer processing Shared Personal Data, Blue Yonder shall: 2.4.1 process Customer Personal Data only in accordance with the Customer's instructions as established in Fundable Body shall promptly notify the Agreement or as provided in writing Academic Partner of this before performing the processing required by the Customer Data Protection Legislation unless those Data Protection Legislation prohibit the Fundable Body from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should so notifying the scope of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits thisAcademic Partner; 2.4.2 (b) ensure only its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth that it has in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing place appropriate technical and organisational measures, insofar as this is possiblereviewed and approved by the Academic Partner, to assist with the Customer's obligation to respond to requests from Data Subjects protect against unauthorised or unlawful processing of Customer Shared Personal Data seeking to exercise their rights under European Data Protection Law (and against accidental loss or destruction of, or damage to, Shared Personal Data, appropriate to the extent harm that might result from the Customer unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data is not accessible to can be restored in a timely manner after an incident, and regularly assessing and evaluating the Customer through effectiveness of the Services provided under the Agreementtechnical and organisational measures adopted by it); 2.4.5 at (c) ensure that all personnel who have access to and/or process Shared Personal Data are obliged to keep the Customer’s reasonable request and at Personal Data confidential; and (d) not transfer any Shared Personal Data outside of the Customer’s cost, taking into account UK unless the nature prior written consent of processing the Academic Partner been obtained and the information available following conditions are fulfilled: (i) the Academic Partner or the Fundable Body has provided appropriate safeguards in relation to Blue Yonder, assist the Customer transfer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Fundable Body complies with its obligations under Articles 32 to 36 the Data Protection Legislation by ensuring any such transfer meets the requirements of Chap V of the UK GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request (iv) the Fundable Body complies with reasonable instructions notified to it in advance by the CustomerAcademic Partner with respect to the processing of the Shared Personal Data; (e) assist the Academic Partner, at the Academic Partner’s cost (with the Fundable Body acting reasonably in this regard), in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with the Information Commissioner or regulators; (f) notify the Academic Partner without undue delay on becoming aware of a Personal Data Breach; (g) at the written direction of the Academic Partner delete or return the (h) maintain complete and accurate records and information to demonstrate its compliance with this Annex C and allow for audits at the Customer any such Customer Personal Data within the agreed period of time after the end cost of the provision Academic Partner by the Academic Partner or the Academic Partner’s designated auditor and immediately inform the Academic Partner if, in the opinion of the Services as set out in Fundable Body, an instruction infringes the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the 'Processing activities' section of the Annex to the Letter, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.html, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection LawLegislation. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the Letter) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:

DATA PROCESSING TERMS. 2.1 The Parties acknowledge In relation to the Processing of any User Data which constitutes Personal Data, the parties agree that the Customer is Client and/or its user(s) (including the Client Entities) is/are the Data Controller and Blue Yonder the Supplier is a the Data Processor Processor.‌ 2.2 This Schedule 2 sets out the subject matter, duration, nature and purpose of Customer the processing by the Supplier, as well as the types and categories of Personal Data and the obligations and rights of the Client. 2.3 The Supplier shall in respect of such Personal Data:‌ (i) process that Personal Data during the term of this Contract only on the documented written instructions of the Client (which include this Contract) unless the Supplier is required by Laws to otherwise process that Personal Data. As between Where the Customer and Blue YonderSupplier is relying on Laws as the basis for processing Personal Data, the Customer remains Supplier shall promptly notify the owner Client of all Customer this before performing the processing required by the Laws unless those Laws prohibit the Supplier from notifying the Client; (ii) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. 2.2 This Data Processing Addendum only applies , appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of Customer the Personal Data by Blue Yonder to be protected, having regard to the state of technological development and the cost of implementing any measures; (iii) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; (iv) not transfer any Personal Data outside of the UK and/or European Economic Area unless (i) there is an Adequacy Regulation in connection relation to the relevant country or organisation or (ii) the prior written consent of the Client has been obtained and there are appropriate safeguards in relation to the transfer; (v) assist the Client, at the Client’s cost, in responding to any request from a Data Subject and in ensuring compliance with the Services its obligations under the Agreement. The categories Data Protection Legislation with respect to security, breach, notifications, impact assessments and consultations with supervisory authorities or regulators; (vi) notify the Client without undue delay on becoming aware of Data Subjects and types of Customer a Personal Data processed breach; (vii) ensure that provisions which are equivalent to those set out in an Annex this paragraph 2.3 are imposed upon any sub processor engaged by the Supplier (acknowledging that the Supplier shall remain primarily liable to the Letter. Customer Client for the sub-processor’s compliance with such provisions);‌ (viii) inform the Client of any intended additions to or‌ replacements of the Supplier’s sub-processors; (ix) subject to Clause 8.2(d) of the Contract, at the written direction of the Client, delete or return Personal Data is processed and copies thereof to the Client on termination of the Contract unless required by Laws to store the Personal Data; and (x) maintain complete and accurate records and information to demonstrate its compliance with this Schedule 2 and allow for audits by the purpose Client on reasonable notice and (but without thereby assuming the primary liability of providing the Services and other purposes as identified Client to only issue lawful instructions) immediately inform the Client if, in the 'Processing activities' section opinion of the Annex Supplier, an instruction infringes the Data Protection Legislation. 2.4 Client consents to the Letter. Blue Yonder shall process Customer Personal Data for Supplier appointing the duration of third parties set out in the Agreement (or longer to the extent permitted by applicable law). 2.3 Each party warrants that in relation Annex to this Data Processing Addendum, it is compliant with and will remain compliant with all Applicable Laws. 2.4 Notwithstanding anything to the contrary in the Agreement, in relation to Customer Personal Data, Blue Yonder shall: 2.4.1 process Customer Schedule as third-party sub processors of Personal Data only in accordance with the Customer's instructions as established in the Agreement or as provided in writing by the Customer from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should the scope of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits this; 2.4.2 ensure only its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer's obligation to respond to requests from Data Subjects of Customer Personal Data seeking to exercise their rights under European Data Protection Law (to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided under the Agreement); 2.4.5 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of processing and the information available to Blue Yonder, assist the Customer with its obligations under Articles 32 to 36 of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request by the Customer, delete or return to the Customer any such Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return of such Customer Personal DataContract. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the 'Processing activities' section of the Annex to the Letter, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.html, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection Law. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the Letter) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:

DATA PROCESSING TERMS. 2.1 The Parties acknowledge that the Customer is the Data Controller and Blue Yonder is a Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the Customer remains the owner of all Customer Personal Data. 2.2 This Data Processing Addendum only applies to the processing of Customer Personal Data by Blue Yonder in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Personal Data processed are set out in an Annex Appendix to the LetterAgreement. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in the 'Processing activities' section of the Annex Appendix to the LetterAgreement. Blue Yonder shall process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by applicable law). 2.3 Each party warrants that in relation to this Data Processing Addendum, it is compliant with and will remain compliant with all Applicable Laws. 2.4 Notwithstanding anything to the contrary in the Agreement, in relation to Customer Personal Data, Blue Yonder shall: 2.4.1 process Customer Personal Data only in accordance with the Customer's instructions as established in the Agreement or as provided in writing by the Customer from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should the scope of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits this; 2.4.2 ensure only its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer's obligation to respond to requests from Data Subjects of Customer Personal Data seeking to exercise their rights under European Data Protection Law (to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided under the Agreement); 2.4.5 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of processing and the information available to Blue Yonder, assist the Customer with its obligations under Articles 32 to 36 of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request by the Customer, delete or return to the Customer any such Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the 'Processing activities' section of the Annex Appendix to the LetterAgreement, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Sub- Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer Customers at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor Sub- Processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Sub-Processor list by clicking this link: ▇link ▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.htmlnotifications, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection Law. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the LetterData Processing Information in the Agreement) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Sub-Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:

DATA PROCESSING TERMS. 2.1 The Parties acknowledge Both parties will comply with all applicable requirements of the Data Protection Legislation. This paragraph 2 is in addition to, and does not relieve, remove or replace a party’s obligations under the Data Protection Legislation. 2.2 In relation to the Processing of any Personal Data in the User Data, the parties agree that the Customer C lient and/or its user(s) (including the C lient Entities) is/are the Data C ontroller and the Supplier is the Data Controller and Blue Yonder is a Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the Customer remains the owner of all Customer Personal DataProcessor. 2.2 2.3 This Data Processing Addendum only applies to Schedule 4 sets out the processing of Customer Personal Data by Blue Yonder in connection with the Services under the Agreement. The categories of Data Subjects scope, nature and types of Customer Personal Data processed are set out in an Annex to the Letter. Customer Personal Data is processed for the purpose of providing processing by the Services and other purposes as identified in the 'Processing activities' section of the Annex to the Letter. Blue Yonder shall process Customer Personal Data for Supplier, the duration of the Agreement (or longer to processing and the extent permitted by applicable law). 2.3 Each party warrants that in relation to this types of Personal Data Processing Addendum, it is compliant with and will remain compliant with all Applicable Lawscategories of Data Subject. 2.4 Notwithstanding anything The Supplier shall in respect of such Personal Data: (i) process that Personal Data only on the documented written instructions of the C lient unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the contrary in Supplier is relying on Applicable Laws as the Agreement, in relation to Customer basis for processing Personal Data, Blue Yonder shall: 2.4.1 process Customer Personal Data only in accordance with the Customer's instructions as established in Supplier shall promptly notify the Agreement or as provided in writing C lient of this before performing the processing required by the Customer Applicable Laws unless those Applicable Laws prohibit the Supplier from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should notifying the scope of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits thisC lient; 2.4.2 (ii) ensure only its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth that it has in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing place appropriate technical and organisational measures, insofar as this is possiblereviewed and approved by the C lient, to assist with the Customer's obligation to respond to requests from Data Subjects protect against unauthorised or unlawful processing of Customer Personal Data seeking to exercise their rights under European Data Protection Law (and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the extent harm that might result from the Customer unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Personal Data is not accessible to be protected, having regard to the Customer through state of technological development and the Services provided under the Agreement)cost of implementing any measures; 2.4.5 (iii) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; (iv) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the C lient has been obtained and the C lient has provided appropriate safeguards in relation to the transfer; (v) assist the C lient, at the Customer’s reasonable request and at the CustomerC lient’s cost, taking into account the nature of processing in responding to any request from a Data Subject and the information available to Blue Yonder, assist the Customer in ensuring compliance with its obligations under Articles 32 the Data Protection Legislation with respect to 36 security, breach, notifications, impact assessments and consultations with supervisory authorities or regulators; (vi) notify the C lient without undue delay on becoming aware of a Personal Data breach; (vii) at the written direction of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request by the CustomerC lient, delete or return Personal Data and copies thereof to the Customer any such Customer Personal Data within the agreed period of time after the end C lient on termination of the provision C ontract unless required by Applicable Laws to store the Personal Data; and (viii) maintain complete and accurate records and information to demonstrate its compliance with this Schedule 4 and allow for audits by the C lient on reasonable notice and immediately inform the C lient if, in the opinion of the Services as Supplier, an instruction infringes the Data Protection Legislation. 2.5 C lient consents to Supplier appointing the third parties set out in Paragraph 4 as third-party processors of Personal Data under this C ontract. Supplier confirms that it has entered or (as the Agreement case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business. As between Supplier and C lient, Supplier shall remain fully liable for all acts or omissions of any third-party processor appoint by it pursuant to this Paragraph 2. 2.6 For the purposes of paragraph 2.5 and 2.4 (or within a reasonable period of time if the Agreement is silent on this pointiv), unless Applicable Laws requires storage C lient consents to the transfer of Personal Data outside of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors EEA for the purposes of providing the Services or other purposes identified in the 'Processing activities' section appointment and utilisation by Supplier of the Annex to the Letterthird parties set out in paragraph 4. 2.7 Supplier may, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time on not less than seven (7) days’ notice, revise the list of third parties set out in paragraph 4 by removing, adding and/or replacing such third parties in its absolute and without justification make changes or additions sole discretion. In the event that client, acting reasonably and on good faith, objects to the Sub-Processor list provided that the Customer is given fifteen appointment of such third party sub processors, C lient may terminate this C ontract by providing not less than thirty (1530) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.html, Blue Yonder will provide ’ notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection LawSupplier in writing. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the Letter) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:

DATA PROCESSING TERMS. 2.1 The Parties acknowledge that 5.1. Processor shall: 5.1.1. Process the Customer is the Data Controller and Blue Yonder is a Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the Customer remains the owner of all Customer Personal Data. 2.2 This Data Processing Addendum only applies to the processing of Customer Personal Data by Blue Yonder in connection with solely on the Services under the Agreement. The categories documented instructions of Data Subjects and types of Customer Personal Data processed are set out in an Annex to the Letter. Customer Personal Data is processed Controller, for the purpose purposes of providing the Services and other purposes as identified in otherwise necessary to perform its obligations under the 'Processing activities' section Terms including with regard to transfers of the Annex to the Letter. Blue Yonder shall process Customer Controller Personal Data for to a third country outside the duration of the Agreement European Union or an international organization (unless required by Union or longer Member State law to the extent permitted by applicable law). 2.3 Each party warrants that in relation to this Data Processing Addendum, it which Processor is compliant with and will remain compliant with all Applicable Laws. 2.4 Notwithstanding anything to the contrary in the Agreementsubject, in relation which case Processor shall inform Controller, if applicable, of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest). Processor shall immediately inform Controller if, in Processor’s opinion, an instruction infringes applicable Data Protection Laws; 5.1.2. ensure that persons authorized to Customer Personal Data, Blue Yonder shall: 2.4.1 process Customer Process the Controller Personal Data only in accordance with the Customer's instructions as established in the Agreement have committed themselves to confidentiality or as provided in writing by the Customer from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should the scope under an appropriate statutory obligation of the agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits thisconfidentiality; 2.4.2 ensure only its (or its Sub-Processors) personnel who are contractually bound to respect 5.1.3. implement and maintain the confidentiality of Customer Personal Data shall have access to the same; 2.4.3 implement appropriate technical and organizational measures set out in the Terms [Annex 2 hereto], which the Parties have mutually agreed pursuant to protect against unauthorized Article 32 of the GDPR, having regard to the assessment of the appropriate level of security for Controller Personal Data and the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised unauthorized disclosure of, or access or damage to Customer such Personal Data; 5.1.4. These measures be expressly and specifically authorized by Controller to engage another Processor to Process the Controller Personal Data ("Sub-Processor"), and specifically the Sub-Processors listed in Annex 3 hereto, subject to Processor: a. notifying Controller of any intended changes to its use of Sub-Processors listed in Annex 3 by emailing notice of the intended change to Controller at least 30 days in advance. Controller shall be appropriate have 14 days from the date of such notice to object in writing to the harm use of the proposed Sub-Processor. If Controller objects, the Parties will, within the subsequent 14-day period, work together in good faith to find a commercially reasonable solution that avoids the use of the objected-to Sub-Processor. If no commercially reasonable solution is found within these 14 days, Controller shall have the right to terminate the affected Services by providing written notice within the remaining period until the new Sub-Processor is engaged. If Controller does not terminate the affected Services within this period, Processor may proceed to engage the new Sub-Processor; b. including data protection obligations in its contract with each Sub-Processor which might result are materially the same as those set out in this Addendum; and c. remaining liable to Controller for any failure by each Sub-Processor to fulfill its obligations in relation to the Processing of the Controller Personal Data; 5.1.5. to the extent legally permissible, promptly notify Controller of any communication from a Data Subject regarding the Processing of Controller Personal Data, or any unauthorised or unlawful processing, accidental loss, destruction, damage or theft other communication (including from a supervisory authority) relating to any obligation under the Data Protection Laws in respect of Customer the Controller Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures through the adoption of new or enhanced security technologies and authorises Blue Yonder to make such changes provided that they do not materially diminish the level of protection. Blue Yonder shall make information about the most up to date security measures applicable to the Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the Customer’s reasonable request and at the Customer’s costand, taking into account the nature of the processingProcessing, assist the Customer Controller by implementing appropriate technical and organisational organizational measures, insofar as this is possible, to assist with for the Customer's fulfillment of Controller’s obligation to respond to requests from Data Subjects for exercising the data subject's rights laid down in Chapter III GDPR; 5.1.6. Processor shall notify Controller without undue delay and in any event within 48 hours upon becoming aware of Customer any Personal Data seeking Breach affecting Controller Personal Data, providing sufficient details to exercise their rights enable Controller to meet its obligations under European applicable Data Protection Law (to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided under the Agreement)Laws; 2.4.5 at 5.1.7. assist Controller with its obligations pursuant to Articles 32 to 36 of the Customer’s reasonable request and at the Customer’s cost, GDPR taking into account the nature of processing the Processing and the information available to Blue Yonder, assist the Customer with its obligations under Articles 32 to 36 Processor; 5.1.8. upon termination or expiry of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeableAgreement, as incurredProcessor shall, at Blue Yonder’s then current rates; and 2.4.6 upon request by the Customeroption of Controller, delete or return to the Customer any such Customer all Controller Personal Data and delete existing copies, unless applicable law requires retention. Such deletion shall occur no later than within 90 days following termination or expiry, during which period the agreed period of time after Processor shall maintain the end security and confidentiality of the provision of the Services as set out in the Agreement Controller Personal Data; 5.1.9. no more than once a year (or within unless requested by a reasonable period of time if the Agreement is silent on this pointsupervisory authority), unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right make available to charge for such deletion or return of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access Controller all information necessary to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the 'Processing activities' section of the Annex to the Letter, provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by. Controller shall bear the cost for audits or inspections, including, without limitation, reasonable Processor time, out of this Data Processing Addendum. Blue Yonder shall ensure that any Sub-Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time pocket expenses and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub-processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub- Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign-up.html, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection Lawconsultancy fees. 2.6 The Customer acknowledges that as part of the Services the Customer 5.1.10. Processor shall not directly or indirectly sell or share any Controller Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its AffiliatesData, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by Annex 1 of the Letter) will apply in addition to the terms of this Data Processing Addendum. For other Sub- Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European by applicable US Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:.