Common use of Place of jurisdiction Clause in Contracts

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein and Helsinki • Drives that were in operation on canceled servers will be wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log Visitor logs • Talkwalker service personal data • Talkwalker employees personal data Affected People Those affected as a result of this additional agreement include: • The Client's Users having published information on social media or on the internet • Talkwalker customers and interested parties users • The Client's customers and Talkwalker employees • Website visitors 7 / 11 I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees IBBS Members I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes 8 / 11 • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 16.03.18 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client Supplier is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 16/12/2019 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Client Udine , date 05.05.2021 Gunzenhausen, date 21/02/2024 Client 05/02/2021 Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Saint-Petersburg , date 12.05.2019 Client Gunzenhausen, date 21/02/2024 Client 16.03.18 Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes 8 / 11 • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, cloud server, and storage box principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and Nextcloud principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 12/09/2021 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 27/02/2021 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Client , date Gunzenhausen, date 21/02/2024 Client 16.03.18 Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for dedicated root server, colocation server, and cloud server principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for managed server, web hosting, and storage box principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Oslo , date 21/2/2020 Gunzenhausen, date 21/02/2024 21/02/2020 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Nürnberg and Helsinki Xxxxxxxxxxx • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 16/05/2023 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures , date Gunzenhausen, date 21/02/2024 26/10/2020 Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be wiped swiped multiple times (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped swiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.

Place of jurisdiction. The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen. Signatures Cham , date 19.10.2022 Gunzenhausen, date 21/02/2024 19/10/2022 Xxxxxx XX Client Supplier Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed Types of data The following types and categories of data are the object of this additional agreement: • Personal master data • Communication data (e. g. telephone, email) • Contractual master data • Log data Affected People Those affected as a result of this additional agreement include: • The Client's customers and interested parties • The Client's customers and employees • Third parties included in reports 7 / 12 I. Confidentiality Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments • Physical access control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • electronic physical entry control system with log • high security perimeter fencing around the entire data center park • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack) • policies for accompanying and designating guests in the building • data center staff present 24/7 • video monitoring at entrances and exits; security door interlocking systems and server rooms • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. • Monitoring • electronic physical access control system with log • video surveillance for all entrances and exits • Electronic access control • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier • The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis. • Internal access control • for the Supplier's internal administration systems • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The responsibility for access control is incumbent upon the Client. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology. • a revision-proof, compulsory process for allocating authorization for Supplier employees • Only the Client is responsible for transferred data/software with regard to security and updates. • Transfer control • Data center parks in Nürnberg, Falkenstein Xxxxxxxxxxx and Helsinki • Drives that were in operation on canceled servers will be wiped (deleted) multiple times in accordance with data protection polices upon termination of the contract. After thorough testing, the wiped drives will be reused. • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center. • Isolation control • for the Supplier's internal administration systems • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes • The Client is responsible for isolation control. • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares • Data shall be physically or logically isolated and saved separately from other data. • Backups of data shall also be performed using a similar system of physical or logical isolation. • Pseudonymization • The Client is responsible for pseudonymization.