Common use of Retention and Destruction Clause in Contracts

Retention and Destruction. Except for Customer Data contained in a test environment, if any, C3 will ensure that the Customer Data is saved and that back-ups are regularly performed as more fully described in the C3 Hub Customer Data Policy. Such Customer Data back-ups will be kept by C3 for the said periods after which it will be automatically safely deleted. Furthermore, note that all Customer Data older than 24 months will be safely purged from the Customer’s C3 Hub production environment and thus, no longer be available for reporting. Furthermore, Users can close their accounts at any time. Upon account closure, related Personal Information will be safely deleted or made inaccessible. However, such Personal Information may still be kept in the Customer’s C3 Hub transactional logs and reports for up to two years as part of the above mentioned C3 Hub Customer Data backups. Upon termination of this Agreement, in order for the Customer to retrieve its Customer Data, C3 will grant a read only access to the C3 Hub to the Customer for 30 days. Such access will permit Customer to download Customer Data in an industry standard format supported by the C3 Hub such as an Excel file. The Customer agrees and acknowledges that C3 has no obligation to retain the Customer Data, and will permanently delete such Customer Data, 30 days after termination and, upon Customer’s request, will confirm such deletion. Location/Transfer: C3 is a Canadian company with headquarters in Montreal (Canada). The Customer and Users of the C3 Hub can access their accounts from anywhere in the world. From C3’s perspective, Customer Data will be transferred and stored by C3 in Canada. Canada is considered by the European Commission as providing an adequate level of protection of personal data transferred from the European Community to recipients (such as C3) subject to the Canadian Personal Information Protection and Electronic Documentation Act (PIPEDA). Thus, Customer Data transfers originating from the European Union, if any, are done under such adequacy decision. Thus, Personal Information transfers originating from the European Union, if any, are done under such adequacy decision. If such adequacy decision was to be revoked or deemed inapplicable, the parties hereby agree to incorporate to these Master Terms, by reference herein, the modernized Standard Contractual Clauses (from 27 September 2021), with applicable Module 2, to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR) for the transfer of personal data to a third country, or, if transfer originates from the United Kingdom, the original Standard Contractual Clauses for the UK GDPR or replacing UK International Data Transfer Agreement (IDTA) if adopted.

Retention and Destruction. Except for Customer Data contained in a test environment, if any, C3 will ensure that the Customer Data is saved and that back-ups are regularly performed as more fully described in hereafter: i) the C3 Hub database containing Customer Data Policywill be backed up every 15 minutes; ii) 15 minute backups will be kept for a period of a week; iii) daily backups will be kept for a period of two weeks; iv) weekly backups will be kept for a period of three months; and, v) monthly backups will be kept for a period of two years. Such Customer Data back-ups will be kept by C3 for the said periods after which it will be automatically safely deleted. Furthermore, note that all Customer Data older than 24 months will be safely purged from the Customer’s C3 Hub production environment and thus, no longer be available for reporting. Furthermore, Users can close their accounts at any time. Upon account closure, related Personal Information will be safely deleted or made inaccessible. However, such Personal Information may still be kept in the Customer’s C3 Hub transactional logs and reports for up to two years as part of the above mentioned C3 Hub Customer Data backups. Upon termination of this Agreement, in order for the Customer to retrieve its Customer Data, C3 will grant a read only access to the C3 Hub to the Customer for 30 days. Such access will permit Customer to download Customer Data in an industry standard format supported by the C3 Hub such as an Excel file. The Customer agrees and acknowledges that C3 has no obligation to retain the Customer Data, and will permanently delete such Customer Data, 30 days after termination and, upon Customer’s request, will and confirm such deletion. Location/Nevertheless, certain Customer Data may continue to be available to C3 for a period of more than 30 days after termination of this Agreement as a result of a C3’s disaster preparedness or data backup processes. In such instances, Customer Data may not have been permanently deleted within the said delay, but it will not be readily accessible and will be duly destroyed in the ordinary course of C3’s rotating back-up drives. Transfer: C3 is a Canadian company with headquarters in Montreal (Canada). The Customer and Users of the C3 Hub can access their accounts from anywhere in the world. From C3’s perspective, Customer Data will be transferred and stored by C3 in CanadaCanada under an adequacy decision. This means that Canada is considered by the European Commission as providing an adequate level of protection of personal data transferred from the European Community to recipients (such as C3) subject to the Canadian Personal Information Protection and Electronic Documentation Act (PIPEDA). Thus, Customer Data transfers originating from the European Union, if any, are done under such adequacy decision. Thus, Personal Information transfers originating from the European Union, if any, are done under such adequacy decision. If such adequacy decision was to be revoked or deemed inapplicable, the parties hereby agree to incorporate to these Master Terms, by reference herein, the modernized Standard Contractual Clauses (from 27 September 2021), with applicable Module 2, to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR) for the transfer of personal data to a third country, or, if transfer originates from the United Kingdom, the original Standard Contractual Clauses for the UK GDPR or replacing UK International Data Transfer Agreement (IDTA) if adopted.

Retention and Destruction. Except for Customer Data contained in a test environment, if any, C3 will ensure that the Customer Data is saved and that back-ups are regularly performed as more fully described in the C3 Hub Customer Data Policy. Such Customer Data back-ups will be kept by C3 for the said periods after which it will be automatically safely deleted. Furthermore, note that all Customer Data older than 24 months will be safely purged from the Customer’s C3 Hub production environment and thus, no longer be available for reporting. Furthermore, Users can close their accounts at any time. Upon account closure, related Personal Information will be safely deleted or made inaccessible. However, such Personal Information may still be kept in the Customer’s C3 Hub transactional logs and reports for up to two years as part of the above mentioned C3 Hub Customer Data backups. Upon termination of this Agreement, in order for the Customer to retrieve its Customer Data, C3 will grant a read only access to the C3 Hub to the Customer for 30 days. Such access will permit Customer to download Customer Data in an industry standard format supported by the C3 Hub such as an Excel file. The Customer agrees and acknowledges that C3 has no obligation to retain the Customer Data, and will permanently delete such Customer Data, 30 days after termination and, upon Customer’s request, will confirm such deletion. Location/Transfer: C3 is a Canadian company with headquarters in Montreal (Canada). The Customer and Users of the C3 Hub can access their accounts from anywhere in the world. From C3’s perspective, Customer Data will be transferred and stored by C3 in Canada. Canada is considered by the European Commission as providing an adequate level of protection of personal data transferred from the European Community to recipients (such as C3) subject to the Canadian Personal Information Protection and Electronic Documentation Act (PIPEDA). Thus, Customer Data transfers originating from the European Union, if any, are done under such adequacy decision. Cooperation and Assistance: The Customer will directly manage C3 Hub User accounts and related Personal Information will be under its control. Thus, the Customer is responsible to communicate to its Users its own privacy policy if needed. Users should then contact the Customer directly to exercise any of their privacy rights such as the right to be informed and access their Personal Information transfers originating from Information, to rectify or erase it, to transfer it, to restrict its processing, etc. However, C3 will assist the European UnionCustomer and its Users in exercising their privacy rights and promptly forward any such inquiry, access request, complaint, notice or any other related other communication to the Customer’s Data Protection Officer, if any, are done under or appropriate representative. Unless legally required to do so, C3 shall not respond to any such adequacy decisioncommunications without the prior written consent of the Customer and C3 shall, at the cost of the Customer, provide all necessary additional assistance to the Customer to enable it to respond to such communication. Furthermore, as detailed in the C3 Customer Data Policy, C3 will notify the Customer without undue delay of any security breach of Customer Data as soon as it becomes aware of it in order for the Customer and its Users to take actions to protect themselves against, or mitigate the damage from, identity theft or other possible harm. If such adequacy decision was to be revoked or deemed inapplicablea security breach concerns Personal Information, the parties hereby agree Customer will be contacted before any affected individual is notified of such. C3 will collaborate with the Customer to incorporate determine any notice requirement to these Master Termsindividuals that may be personally affected by such a security breach, and if so, the content of that notice. Unless legally required to do so, C3 shall not respond to any communication from any party (including a regulator) in respect of any breach without the prior written consent of the Customer. The costs of such collaboration shall be borne by C3 only where the reason for such collaboration is the act or omission of C3 in breach of this Agreement. Audit: If the Customer has reasonable doubts that C3 is in breach of this Section 8 – Customer Data, the Customer will inform C3 of such doubts and permit C3 to respond to such allegations in order to provide an adequate level of comfort to the Customer. If the Customer’s allegations are founded and the issue is not resolved following such procedure, the Customer shall have the right to audit, strictly as detailed hereafter, C3’s information solely related to the Customer (and its Users) and only to the extent necessary to assess such compliance. Such audit must only be conducted upon mutual agreement, within C3 Normal Business Hours and with reasonable advance notice, by reference hereina reputable third-party auditor mutually agreed to by the Parties and hired on behalf of and paid by the Customer so as to minimize any disruption to C3’s operations. C3 shall provide reasonable cooperation with such auditors and will provide reasonable access to facilities necessary to audit such compliance. Nevertheless, the modernized Standard Contractual Clauses (from 27 September 2021)Customer recognizes and agrees that C3, when providing such an audit right, will not, in any way, contravene to any other legal or contractual obligations it may have towards the Customer or any other party. Subcontractor: C3 shall not subcontract any of its material obligations under this Agreement, namely any processing of Customer Data or Personal Information of its Users, without prior notice to the Customer. C3 shall inform the Customer of any intended changes concerning the addition or replacement of any such subcontractor, thereby giving the Customer the opportunity to object to such changes and terminate this Agreement in accordance with applicable Module 2section 13. Nevertheless, any such subcontractor shall be bound to ensure compliance with C3 by the same data protection obligations as set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Regulation (EU) 2016/679 applicable Privacy and Data Protection Laws. And, where that subcontractor fails to fulfil its data protection obligations, C3 shall remain fully liable to the Customer for the performance of that subcontractor's obligations. Upon execution of the European Parliament and of C3 Hub Order Form, the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement Customer shall be informed of such data (General then current C3 Subcontractors, if any. C3 Data Protection Regulation - GDPROfficer: Any access request, inquiries, complaints or simple comments related to C3’s privacy practices and compliance to Privacy and Data Protection Laws should be addressed to C3’s Data Protection Officer. C3’s Data Protection Officer will promptly investigate the matter, act and take appropriate measures when needed. C3’s Data Protection Officer can be reached at: 0000 Xxxxxxxxxx, Suite 4408 Montreal, QC, Canada H3K 1G6 Phone: 0+ (000) for the transfer of personal data to a third country, or, if transfer originates from the United Kingdom, the original Standard Contractual Clauses for the UK GDPR or replacing UK International Data Transfer Agreement (IDTA) if adopted.000-0000 Email: xxxxxxx@x0xxxxxxxxx.xxx 9 CONFIDENTIALTY

Retention and Destruction. Except for Customer Data contained in a test environment, if any, C3 will ensure that the Customer Data is saved and that back-ups are regularly performed as more fully described in the C3 Hub Customer Data Policy. Such Customer Data back-ups will be kept by C3 for the said periods after which it will be automatically safely deleted. Furthermore, note that all Customer Data older than 24 months will be safely purged from the Customer’s C3 Hub production environment and thus, no longer be available for reporting. Furthermore, Users can close their accounts at any time. Upon account closure, related Personal Information will be safely deleted or made inaccessible. However, such Personal Information may still be kept in the Customer’s C3 Hub transactional logs and reports for up to two years as part of the above mentioned C3 Hub Customer Data backups. Upon termination of this Agreement, in order for the Customer to retrieve its Customer Data, C3 will grant a read only access to the C3 Hub to the Customer for 30 days. Such access will permit Customer to download Customer Data in an industry standard format supported by the C3 Hub such as an Excel file. The Customer agrees and acknowledges that C3 has no obligation to retain the Customer Data, and will permanently delete such Customer Data, 30 days after termination and, upon Customer’s request, will confirm such deletion. Location/Transfer: C3 is a Canadian company with headquarters in Montreal (Canada). The Customer and Users of the C3 Hub can access their accounts from anywhere in the world. From C3’s perspective, Customer Data will be transferred and stored by C3 in Canada. Canada is considered by the European Commission as providing an adequate level of protection of personal data transferred from the European Community to recipients (such as C3) subject to the Canadian Personal Information Protection and Electronic Documentation Act (PIPEDA). Thus, Customer Data transfers originating from the European Union, if any, are done under such adequacy decision. Cooperation and Assistance: The Customer will directly manage C3 Hub User accounts and related Personal Information will be under its control. Thus, the Customer is responsible to communicate to its Users its own privacy policy if needed. Users should then contact the Customer directly to exercise any of their privacy rights such as the right to be informed and access their Personal Information transfers originating from Information, to rectify or erase it, to transfer it, to restrict its processing, etc. However, C3 will assist the European UnionCustomer and its Users in exercising their privacy rights and promptly forward any such inquiry, access request, complaint, notice or any other related other communication to the Customer’s Data Protection Officer, if any, are done under or appropriate representative. Unless legally required to do so, C3 shall not respond to any such adequacy decisioncommunications without the prior written consent of the Customer and C3 shall, at the cost of the Customer, provide all necessary additional assistance to the Customer to enable it to respond to such communication. Furthermore, in accordance with the C3 Data Security Breach Response Policy, C3 will notify the Customer in writing without undue delay of any security breach of Customer Data as soon as it becomes aware of it in order for the Customer and its Users to take actions to protect themselves against, or mitigate the damage from, identity theft or other possible harm. If such adequacy decision was to be revoked or deemed inapplicablea security breach concerns Personal Information, the parties hereby agree Customer will be contacted before any affected individual is notified of such. C3 will collaborate with the Customer to incorporate determine any notice requirement to these Master Termsindividuals that may be personally affected by such a security breach, and if so, the content of that notice. Unless legally required to do so, C3 shall not respond to any communication from any party (including a regulator) in respect of any breach without the prior written consent of the Customer. The costs of such collaboration shall be borne by C3 only where the reason for such collaboration is the act or omission of C3 in breach of this Agreement. Audit: If the Customer has reasonable doubts that C3 is in breach of this Section 8 – Customer Data, the Customer will inform C3 of such doubts and permit C3 to respond to such allegations in order to provide an adequate level of comfort to the Customer. If the Customer’s allegations are founded and the issue is not resolved following such procedure, the Customer shall have the right to audit, strictly as detailed hereafter, C3’s information solely related to the Customer (and its Users) and only to the extent necessary to assess such compliance. Such audit must only be conducted upon mutual agreement, within normal business hours and with reasonable advance notice, by reference hereina reputable third- party auditor mutually agreed to by the Parties and hired on behalf of and paid by the Customer so as to minimize any disruption to C3’s operations. C3 shall provide reasonable cooperation with such auditors and will provide reasonable access to facilities necessary to audit such compliance. Nevertheless, the modernized Standard Contractual Clauses (from 27 September 2021)Customer recognizes and agrees that C3, when providing such an audit right, will not, in any way, contravene to any other legal or contractual obligations it may have towards the Customer or any other party. Subcontractor: C3 shall not subcontract any of its material obligations under this Agreement, including any processing of Personal Information, without prior notice to the Customer. C3 shall inform the Customer of any intended changes concerning the addition or replacement of any such subcontractor, thereby giving the Customer the opportunity to object to such changes and terminate this Agreement in accordance with applicable Module 2section 13. Nevertheless, any such subcontractor shall be bound to ensure compliance with C3 by the same data protection obligations as set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Regulation (EU) 2016/679 applicable Privacy and Data Protection Laws. And, where that subcontractor fails to fulfil its data protection obligations, C3 shall remain fully liable to the Customer for the performance of that subcontractor's obligations. Upon execution of the European Parliament and of C3 Hub Order Form, the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement Customer shall be informed of such data (General then current C3 Subcontractors, if any. C3 Data Protection Regulation - GDPROfficer: Any access request, inquiries, complaints or simple comments related to C3’s privacy practices and compliance to Privacy and Data Protection Laws should be addressed to C3’s Data Protection Officer. C3’s Data Protection Officer will promptly investigate the matter, act and take appropriate measures when needed. C3’s Data Protection Officer can be reached at: C3 Data Protection Officer C3 Solutions Inc. 0000 Xxxxxxxxxx, Xxxxx 0000 Xxxxxxxx, XX, Xxxxxx X0X 0X0 Phone: 0+ (000) for the transfer of personal data to a third country, or, if transfer originates from the United Kingdom, the original Standard Contractual Clauses for the UK GDPR or replacing UK International Data Transfer Agreement (IDTA) if adopted.000-0000 Email: xxxxxxx@x0xxxxxxxxx.xxx