Common use of Processing Requirements Clause in Contracts

Processing Requirements. Scentsy will: a. Process Personal Data (i) only for the purpose of providing, supporting and improving Scentsy’s services (including to provide insights and other reporting), using appropriate technical and organisational security measures; and (ii) in compliance with instructions received from You. Scentsy will not use or Process Personal Data for any other purpose. Scentsy will promptly inform You in writing if it cannot comply with its requirements under this Agreement, in which case You may terminate the Agreement or take any other reasonable action, including suspending of data Processing operations; b. Inform You promptly if, in ▇▇▇▇▇▇▇’s opinion, an instruction from You violates applicable Data Protection Requirements; c. Follow Your instructions regarding Personal Data (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy; d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on ▇▇▇▇▇▇▇’s behalf comply with the terms of this Agreement; e. Ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of Personal Data, including after the end of their respective employment, contract or assignment; f. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this Agreement or to delegate all or Part of the Processing activities to such Subprocessors, (i) obtain the prior written consent of You to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to You for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on Scentsy’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein; g. Upon request, provide You with a summary of ▇▇▇▇▇▇▇’s privacy and security policies; and h. Inform You if Scentsy undertakes an independent security review.

Processing Requirements. Scentsy Ganttic will: a. Process Customer Personal Data (i) only for the purpose of providing, supporting and improving ScentsyGanttic’s services (including to provide insights and other reporting)services, using appropriate technical and organisational organizational security measures; and (ii) in compliance with the instructions (e.g. the purpose to use Ganttic services) received from YouCustomer. Scentsy Ganttic will not use or Process process the Customer Personal Data for any other purpose. Scentsy Ganttic will promptly inform You in writing Customer if it cannot comply with its the requirements under Sections 5-8 of this AgreementDPA, in which case You Customer may terminate the Agreement DPA or take any other reasonable action, including suspending of data Processing processing operations; b. Inform You Customer promptly if, in ▇▇▇▇▇▇▇Ganttic’s opinion, an instruction from You Customer violates applicable Data Protection Requirements; c. Follow Your instructions regarding Personal Data (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy; d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on ▇▇▇▇▇▇▇Ganttic’s behalf comply with the terms of this Agreementthe DPA; e. d. Ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of the Customer Personal Data, including after the end of their respective employment, contract or assignment; f. e. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this Agreement DPA or to delegate all or Part part of the Processing processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors Ganttic maintains online, obtain the prior written consent of You Customer to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to You Customer for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on ScentsyGanttic’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;; Ganttic may make changes to the use of Subprocessors provided that the Customer is notified. Changes that entail the transfer of personal data to countries outside the EEA (third countries) must be notified no later than one month before the change takes effect. If the Customer opposes the change, Ganttic must be notified as soon as possible. The Customer may only object to the change on reasonable and justifiable grounds. g. Upon request, provide You Customer with a summary of ▇▇▇▇▇▇▇Ganttic’s privacy and security policies; and h. Inform You Customer if Scentsy Ganttic undertakes an independent security review.

Processing Requirements. Scentsy Ganttic will: a. Process Customer Personal Data (i) only for the purpose of providing, supporting and improving ScentsyGanttic’s services (including to provide insights and other reporting)services, using appropriate technical and organisational organizational security measures; and (ii) in compliance with the instructions (e.g. the purpose to use Ganttic services) received from YouCustomer. Scentsy Ganttic will not use or Process process the Customer Personal Data for any other purpose. Scentsy Ganttic will promptly inform You in writing Customer if it cannot comply with its the requirements under Sections 5-8 of this AgreementDPA, in which case You Customer may terminate the Agreement DPA or take any other reasonable action, including suspending of data Processing processing operations; b. Inform You Customer promptly if, in ▇▇▇▇▇▇▇Ganttic’s opinion, an instruction from You Customer violates applicable Data Protection Requirements; c. Follow Your instructions regarding Personal Data (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy; d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on ▇▇▇▇▇▇▇’s behalf comply with the terms of this Agreementthe DPA; e. d. Ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of the Customer Personal Data, including after the end of their respective employment, contract or assignment; f. e. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this Agreement DPA or to delegate all or Part part of the Processing processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors Ganttic maintains online, obtain the prior written consent of You Customer to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to You Customer for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on ScentsyGanttic’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;; Ganttic may make changes to the use of Subprocessors provided that the Customer is notified. Changes that entail the transfer of personal data to countries outside the EEA (third countries) must be notified no later than one month before the change takes effect. If the Customer opposes the change, Ganttic must be notified as soon as possible. The Customer may only object to the change on reasonable and justifiable grounds. g. Upon request, provide You Customer with a summary of ▇▇▇▇▇▇▇’s privacy and security policies; and h. Inform You Customer if Scentsy Ganttic undertakes an independent security review.

Processing Requirements. Scentsy willIn respect of Personal Data Processed while providing the Application Services, Mixpanel: a. 1. Shall Process Personal Data Data: (i) only for in accordance with the purpose documented instructions from Customer as set out in this DPA, the Agreement, or (if applicable) the Ordering Document; (ii) shared or transmitted by Customer in connection with Customer’s use of providing, supporting and improving Scentsy’s services (including to provide insights and other reporting), using appropriate technical and organisational security measuresthe Application Services; and (iiiii) in compliance to comply with other written, reasonable instructions received from Youprovided by Customer where such instructions are consistent with the terms of this DPA, the Agreement, and Data Protection Legislation. Scentsy will not use or If Mixpanel is required to Process Personal Data for any other purpose. Scentsy purpose provided by applicable law to which it is subject, Mixpanel will promptly inform You in writing if it cannot comply with its requirements under Customer of such requirement prior to the Processing unless that law prohibits this Agreement, in which case You may terminate the Agreement or take any other reasonable action, including suspending on important grounds of data Processing operationspublic interest; b. Inform You promptly 2. Shall notify Customer without undue delay if, in ▇▇▇▇▇▇▇Mixpanel’s opinion, an instruction from You violates for the Processing of Personal Data provided by Customer through the Application Services infringes applicable Data Protection RequirementsLegislation; c. Follow Your instructions regarding 3. Shall implement and maintain Appropriate Technical and Organisational Measures designed to protect Personal Data (including with against unauthorised or unlawful Processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the provision nature of notice and exercise of choice) You have stored with Scentsythe Personal Data which is to be protected; d. Take commercially reasonable steps 4. Shall notify Customer in writing 30 (thirty) days before appointing new sub-processors or subcontractors for Processing Personal Data. Customer shall promptly review such appointment in good faith and lodge any objections to such appointment in writing to Mixpanel. If Customer does not object to the appointment within 30 days, Mixpanel shall treat such non-objection as approval of the appointment. If Customer objects to the appointment, Customer must provide written support for the objection and provide such other information as Mixpanel may reasonably request. Solely in the case Mixpanel cannot provide the Service (as defined in the Agreement) without use of the objectionable sub-processor or subcontractor, Customer may terminate the Agreement; 5. Shall ensure that (i) persons employed by it all Mixpanel personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and (ii) other persons engaged to perform on ▇▇▇▇▇▇▇’s behalf comply with the terms of obligations sets out in this Agreementclause and applicable Data Protection Legislation; e. Ensure that its employees6. Shall, authorized agents at Customer’s written request, assist the Customer by implementing appropriate and any Subprocessors are required reasonable technical and organisational measures to comply assist with the Customer’s obligation to respond to requests from Data Subjects under Data Protection Legislation (including requests for information relating to the processing, and acknowledge and respect the confidentiality requests relating to access, rectification, erasure or portability of Personal Data) provided that Mixpanel reserves the right to reimbursement from Customer for the reasonable cost of any time, including after expenditures or fees incurred in connection with such assistance; 7. Shall take reasonable steps at the Customer’s request to assist Customer in meeting Customer’s obligations under Article 32 to 36 of the GDPR taking into account the nature of the processing under this DPA; provided, however, that Mixpanel reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance; 8. Shall, at the end of their respective employmentthe applicable term of the Application Services and upon Customer’s written request, contract securely destroy or assignmentreturn such Personal Data to Customer; f. If it intends to engage Subprocessors to help it satisfy its obligations 9. Agrees, where Mixpanel Processes or permits any Subprocessor, in accordance with this Agreement or to delegate all or Part letter d) of the Processing activities Data Protection Terms of this DPA, to such Subprocessors, (i) obtain the prior written consent of You to such subcontracting, such consent to Process Personal Data in any country not be unreasonably withheld; (ii) remain liable to You for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on Scentsy’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them deemed to provide the same an adequate level of data protection of Personal Data by Data Protection Legislation, to transfer such Personal Data across international borders in compliance with the Standard Contractual Clauses which shall be incorporated in full by reference and information security to form an integral part of this DPA, and which are set forth in Annexes 2 and 3 below, provided that provided for hereinin the event of a conflict between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall control; g. 10. Upon written request, shall either provide You with a summary information regarding its compliance in the form of ▇▇▇▇▇▇▇’s third- party certifications and audits reports on its security, privacy and security policiesarchitecture or respond with industry standard written audit questionnaires, provided that the purpose of such audit is to verify that Mixpanel is Processing Personal Data in accordance with its obligations under the DPA. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of required professional certificates or qualifications that bind said body to a duty of confidentiality. For the avoidance of doubt no access to any part of Mixpanel’s information technology systems, data hosting sites or centers, or its infrastructure will be permitted. The Parties agree that any audit described in the Standard Contractual Clauses shall be performed pursuant to this provision; and h. Inform You if Scentsy undertakes 11. Shall notify Customer within twenty-four (24) hours of becoming aware of a breach of its security leading to any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data that is Processed by Mixpanel while providing the Application Services (an independent security review“Incident”) under the Agreement. In the event of an Incident, Mixpanel will provide Customer with a description of the Incident as well as periodic updates about the Incident as such information becomes available to Mixpanel, including providing any information Mixpanel develops regarding the potential impact of such an Incident on Data Subjects. Mixpanel shall take reasonable action to investigate the Incident and take steps to reasonably mitigate the effects of the Incident and prevent its recurrence. Mixpanel shall also provide relevant information to Customer so Customer may demonstrate its compliance with Data Protection Legislation and this DPA. 12. Compliance with Article 30

Processing Requirements. Scentsy willAs a Data Processor, OpenAI agrees to: a. Process Personal process Customer Data only (i) only on Customer’s behalf for the purpose of providing, providing and supporting and improving ScentsyOpenAI’s services Services (including to provide insights insights, reporting, analytics and other reportingplatform abuse, trust and safety monitoring), using appropriate technical and organisational security measures; and (ii) in compliance with the written instructions received from You. Scentsy will not use or Process Personal Customer; and (iii) in a manner that provides no less than the level of privacy protection required of it by Data for any other purpose. Scentsy will Protection Laws; b. promptly inform You Customer in writing if it OpenAI cannot comply with its the requirements under of this Agreement, in which case You may terminate the Agreement or take any other reasonable action, including suspending of data Processing operationsDPA; b. Inform You c. not provide Customer with remuneration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to OpenAI; d. not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) Personal Data; e. inform Customer promptly if, in ▇▇▇▇▇▇▇OpenAI’s opinion, an instruction from You Customer violates applicable Data Protection RequirementsLaws; c. Follow Your instructions regarding Personal Data (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy; d. Take commercially reasonable steps to ensure that f. require (i) persons employed by it and (ii) other persons engaged to perform on OpenAI’s behalf to be subject to a duty of confidentiality with respect to the Customer Data and to comply with the data protection obligations applicable to OpenAI under the Agreement and this DPA; g. engage the organizations or persons listed at ▇▇▇▇▇://▇▇▇▇▇▇▇’s behalf comply with ▇.▇▇▇▇▇▇.▇▇▇/subprocessors to process Customer Data (each a “Subprocessor,” and the terms of this Agreement; e. Ensure that its employeeslist at the foregoing URL, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of Personal Data, including after the end of their respective employment, contract or assignment; f. If it intends to engage Subprocessors “Subprocessor List”) to help it OpenAI satisfy its obligations in accordance with this Agreement DPA or to delegate all or Part part of the Processing processing activities to such Subprocessors. Customer hereby consents to the use of such Subprocessors. If Customer subscribes to email notifications as provided on the Subprocessor List website, then OpenAI will notify Customer of any changes OpenAI intends to make to the Subprocessor List at least 15 days before the changes take effect (which may be via email, a posting, or notification on an online portal for our services or other reasonable means). In the event that Customer does not wish to consent to the use of such additional Subprocessor, Customer may notify OpenAI that Customer does not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by following the instructions set forth in the Subprocessor List or contacting ▇▇▇▇▇▇▇@▇▇▇▇▇▇.▇▇▇. In such case, OpenAI shall have the right to cure the objection through one of the following options: (i) obtain OpenAI will cancel its plans to use the prior written consent of You Subprocessor with regards to processing Customer Data or will offer an alternative to provide its Services or services without such subcontracting, such consent to not be unreasonably withheldSubprocessor; (ii) remain liable OpenAI will take the corrective steps requested by Customer in Customer objection notice and proceed to You for use the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on Scentsy’s instructionsSubprocessor; and (iii) OpenAI may cease to provide, or Customer may agree not to use whether temporarily or permanently, the particular aspect or feature of the OpenAI Services or services that would involve the use of such Subprocessor; or (iv) Customer may cease providing Customer Data to OpenAI for processing involving such Subprocessor. If none of the above options are commercially feasible, in OpenAI’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of OpenAI’s receipt of Customer’s objection notice, then either party may terminate any subscriptions, order forms or usage regarding the Services that cannot be provided without the use of the new Subprocessor for cause and in such case, Customer will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor. OpenAI shall enter into contractual arrangements with such Subprocessors each Subprocessor binding them to provide the same a comparable level of data protection and information security to that provided for herein. Subject to the limitations of liability included in the Agreement, OpenAI agrees to be liable for the acts and omissions of its Subprocessors to the same extent OpenAI would be liable under the terms of the DPA if it performed such acts or omissions itself; g. Upon requesth. upon reasonable request no more than once per year, provide You Customer with a summary of ▇▇▇▇▇▇▇OpenAI’s privacy and security policiespolicies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws; i. where required by law and upon reasonable notice and appropriate confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer at Customer’s sole expense and in a manner that is minimally disruptive to OpenAI’s business that are necessary to confirm that OpenAI is processing Customer Data in a manner consistent with this DPA. Where permitted by law, OpenAI may instead make available to customer a summary of the results of a third-party audit or certification reports relevant to OpenAI’s compliance with this DPA. Such results, and/or the results of any such assessments, audits, or other steps shall be the Confidential Information of OpenAI; j. to the extent that Customer permits or instructs OpenAI to process Customer Data subject to U.S. Privacy Laws in a deidentified, anonymized, and/or aggregated form as part of the Services, OpenAI, OpenAI shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; and(ii) not attempt to reidentify the information, except that OpenAI may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes comply with Data Protection Laws or are functioning as intended; and (iii) before sharing deidentified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision; h. Inform You if Scentsy undertakes an independent security review.k. where the Customer Data is subject to the CCPA, not (i) retain, use, disclose, or otherwise process Customer Data except as necessary for the business purposes specified in the Agreement or this DPA;

Processing Requirements. Scentsy CPI will: a. Process Customer Personal Data (i) only for the purpose of providing, supporting and improving ScentsyCPI’s services (including to provide insights and other reporting), using appropriate technical and organisational organizational security measures; and (ii) in compliance with the instructions received from YouCustomer. Scentsy CPI will not use or Process process the Customer Personal Data for any other purpose. Scentsy CPI will promptly inform You Customer in writing if it cannot comply with its the requirements under Sections 5-8 of this AgreementDPA, in which case You Customer may terminate the Agreement or take any other reasonable action, including suspending of data Processing processing operations; b. Inform You Customer promptly if, in ▇▇▇▇▇▇▇CPI’s opinion, an instruction from You Customer violates applicable Data Protection Requirements; c. Follow Your If CPI is collecting Customer Personal Data from individuals on behalf of Customer, follow Customer’s instructions regarding such Customer Personal Data collection (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy); d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on ▇▇▇▇▇▇▇CPI’s behalf comply with the terms of this the Agreement; e. Ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of the Customer Personal Data, including after the end of their respective employment, contract or assignment; f. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this Agreement DPA or to delegate all or Part part of the Processing processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors CPI employs at commencement of the CPI Contract, obtain the prior written consent of You Customer to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to You Customer for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on ScentsyCPI’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein; g. Upon request, provide You Customer with a summary of ▇▇▇▇▇▇▇CPI’s privacy and security policies; and h. Inform You Customer if Scentsy CPI undertakes an independent security review.

Processing Requirements. Scentsy LinkedIn will: a. Process Customer Personal Data (i) only for the purpose of providing, supporting and improving ScentsyLinkedIn’s services (including to provide insights and other reporting), using appropriate technical and organisational organizational security measures; and (ii) in compliance with the instructions received from YouCustomer. Scentsy LinkedIn will not use or Process the Customer Personal Data for any other purpose. Scentsy LinkedIn will promptly inform You Customer in writing if it cannot comply with its the requirements under Sections 5-8 of this AgreementDPA, in which case You Customer may terminate the Agreement or take any other reasonable action, including suspending of data Processing processing operations; b. Inform You Customer promptly if, in ▇▇▇▇▇▇▇LinkedIn’s opinion, an instruction from You Customer violates applicable Data Protection Requirements; c. Follow Your If LinkedIn is collecting Customer Personal Data from individuals on behalf of Customer, follow Customer’s instructions regarding such Customer Personal Data collection (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy); d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on ▇▇▇▇▇▇▇LinkedIn’s behalf comply with the terms of this the Agreement; e. Ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of the Customer Personal Data, including after the end of their respective employment, contract or assignment; f. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this Agreement DPA or to delegate all or Part part of the Processing processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors LinkedIn and its Affiliates maintains online (currently available at ▇▇▇▇▇://▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/customer- subprocessors), the use of which Customer approves, obtain the prior written consent of You Customer to such subcontractingsubprocessing, such consent to not be unreasonably withheld; (ii) remain liable to You Customer for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on ScentsyLinkedIn’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;; and g. Upon request, provide You Customer with a summary mapping of ▇▇▇▇▇▇▇’s privacy and LinkedIn's security policies; and h. Inform You if Scentsy undertakes an independent security reviewpolicies to the controls set forth in the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001 standard.

Processing Requirements. Scentsy willAs a Data Processor, OpenAI agrees to: a. Process Personal process Customer Data only (i) only on Customer’s behalf for the purpose of providing, providing and supporting and improving ScentsyOpenAI’s services Services (including to provide insights insights, reporting, analytics and other reportingplatform abuse, trust and safety monitoring), using appropriate technical and organisational security measures;; and (ii) in compliance with the written instructions received from You. Scentsy will not use or Process Personal Customer; and (iii) in a manner that provides no less than the level of privacy protection required by Data for any other purpose. Scentsy will Protection Laws; b. promptly inform You Customer in writing if it OpenAI cannot comply with its the requirements under of this Agreement, in which case You may terminate the Agreement or take any other reasonable action, including suspending of data Processing operationsDPA; b. Inform You c. not provide Customer with remuneration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to OpenAI; d. not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) Personal Data; e. inform Customer promptly if, in ▇▇▇▇▇▇▇OpenAI’s opinion, an instruction from You Customer violates applicable Data Protection RequirementsLaws; c. Follow Your instructions regarding Personal Data (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy; d. Take commercially reasonable steps to ensure that f. require (i) persons employed by it and (ii) other persons engaged to perform on OpenAI’s behalf to be subject to a duty of confidentiality with respect to the Customer Data and to comply with the data protection obligations applicable to OpenAI under the Agreement and this DPA; g. engage the organizations or persons listed at ▇▇▇▇▇://▇▇▇▇▇▇▇’s behalf comply with ▇.▇▇▇▇▇▇.▇▇▇/subprocessors to process Customer Data (each a “Subprocessor,” and the terms of this Agreement; e. Ensure that its employeeslist at the foregoing URL, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of Personal Data, including after the end of their respective employment, contract or assignment; f. If it intends to engage Subprocessors “Subprocessor List”) to help it OpenAI satisfy its obligations in accordance with this Agreement DPA or to delegate all or Part part of the Processing processing activities to such Subprocessors. Customer hereby consents to the use of such Subprocessors. If Customer subscribes to email notifications as provided on the Subprocessor List website, then OpenAI will notify Customer of any changes OpenAI intends to make to the Subprocessor List at least 15 days before the changes take effect (which may be via email, a posting, or notification on an online portal for our services or other reasonable means). In the event that Customer does not wish to consent to the use of such additional Subprocessor, Customer may notify OpenAI that Customer does not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by following the instructions set forth in the Subprocessor List or contacting ▇▇▇▇▇▇▇@▇▇▇▇▇▇.▇▇▇. In such case, OpenAI shall have the right to cure the objection through one of the following options: (i) obtain OpenAI will cancel its plans to use the prior written consent of You Subprocessor with regards to processing Customer Data or will offer an alternative to provide its Services or services without such subcontracting, such consent to not be unreasonably withheldSubprocessor; (ii) remain liable OpenAI will take the corrective steps requested by Customer in Customer objection notice and proceed to You for use the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on Scentsy’s instructionsSubprocessor; and (iii) OpenAI may cease to provide, or Customer may agree not to use whether temporarily or permanently, the particular aspect or feature of the OpenAI Services or services that would involve the use of such Subprocessor; or (iv) Customer may cease providing Customer Data to OpenAI for processing involving such Subprocessor. If none of the above options are commercially feasible, in OpenAI’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of OpenAI’s receipt of Customer’s objection notice, then either party may terminate any subscriptions, order forms or usage regarding the Services that cannot be provided without the use of the new Subprocessor for cause and in such case, Customer will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor. OpenAI shall enter into contractual arrangements with such Subprocessors each Subprocessor binding them to provide the same a comparable level of data protection and information security to that provided for herein. Subject to the limitations of liability included in the Agreement, OpenAI agrees to be liable for the acts and omissions of its Subprocessors to the same extent OpenAI would be liable under the terms of the DPA if it performed such acts or omissions itself; g. Upon requesth. upon reasonable request no more than once per year, provide You Customer with a summary of ▇▇▇▇▇▇▇OpenAI’s privacy and security policiespolicies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws; i. where required by law and upon reasonable notice and appropriate confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer at Customer’s sole expense and in a manner that is minimally disruptive to OpenAI’s business that are necessary to confirm that OpenAI is processing Customer Data in a manner consistent with this DPA. Where permitted by law, OpenAI may instead make available to customer a summary of the results of a third-party audit or certification reports relevant to OpenAI’s compliance with this DPA. Such results, and/or the results of any such assessments, audits, or other steps shall be the Confidential Information of OpenAI; j. to the extent that Customer permits or instructs OpenAI to process Customer Data subject to U.S. Privacy Laws in a deidentified, anonymized, and/or aggregated form as part of the Services, OpenAI, OpenAI shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; and(ii) not attempt to reidentify the information, except that OpenAI may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes comply with Data Protection Laws or are functioning as intended; and (iii) before sharing deidentified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision; h. Inform You if Scentsy undertakes an independent security review.k. where the Customer Data is subject to the CCPA, not (i) retain, use, disclose, or otherwise process Customer Data except as necessary for the business purposes specified in the Agreement or this DPA;

Processing Requirements. Scentsy Slaask will: a. Process Customer Personal Data (i) only for the purpose of providing, supporting and improving ScentsySlaask’s services (including to provide insights and other reporting), using appropriate technical and organisational organizational security measures; and (ii) in compliance with the instructions received from YouCustomer. Scentsy Slaask will not use or Process process the Customer Personal Data for any other purpose. Scentsy Slaask will promptly inform You Customer in writing if it cannot comply with its the requirements under Sections 5-8 of this AgreementDPA, in which case You Customer may terminate the Agreement or take any other reasonable action, including suspending of data Processing processing operations; b. Inform You Customer promptly if, in ▇▇▇▇▇▇▇Slaask’s opinion, an instruction from You Customer violates applicable Data Protection Requirements; c. Follow Your If Slaask is collecting Customer Personal Data from individuals on behalf of Customer, follow Customer’s instructions regarding such Customer Personal Data collection (including with regard to the provision of notice and exercise of choice) You have stored with Scentsy); d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on ▇▇▇▇▇▇▇Slaask’s behalf comply with the terms of this the Agreement; e. Ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of the Customer Personal Data, including after the end of their respective employment, contract or assignment; f. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this Agreement DPA or to delegate all or Part part of the Processing processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors Slaask maintains online (currently available at the end of this DPA in Annex B), obtain the prior written consent of You Customer to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to You Customer for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on ScentsySlaask’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein; g. Upon request, provide You Customer with a summary of ▇▇▇▇▇▇▇Slaask’s privacy and security policies; and h. Inform You Customer if Scentsy Slaask undertakes an independent security review.