Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Master Subscription Agreement (the “Agreement”) entered into between Spiky.AI (referred to as “Spiky” or “Provider”) and the subscriber identified below (“Subscriber” and its derivatives) (each a “Party”, and collectively the “Parties”).

Except as modified below, the terms of the Agreement shall remain in full force and effect.  Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

1. Definitions

The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:

1. 1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Provider or Subscriber, respectively.  

1. 2. “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Provider is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018 (“CCPA”), (b) the EU General Data Protection Regulation 2016/679 (“GDPR”) including the applicable implementing legislation of each Member State (“EU GDPR”), (c) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992, (e) any other applicable law with respect to any Personal Data in respect of which the Provider is subject to, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.

1. 3. “Data Subject” shall mean an identified or identifiable natural person.

1. 4. “EEA” means the European Economic Area.

1. 5. “Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Provider, on behalf of Subscriber, in connection with Provider’s performance of the Services.

1. 6. “Provider Entity” shall mean Provider and/or any Provider Affiliate.

1. 7. “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulators with responsibility for privacy or data protection matters in the jurisdiction of the Provider.

1. 8. “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

1. 9. “Security Breach” means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody, or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1. 10. “Services” shall mean the services as described in the Agreement or any related order form or statement of work.

1. 11. “Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same has been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), and (b) with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK SCCs”).

1. 12. “Sub-processor” shall mean any subcontractor (including any third party and/or Provider Affiliate) engaged by Provider to Process Personal Data on behalf of Subscriber.

1. 13. “Supervisory Authority” shall mean: (a) in the context of the UK GDPR the UK Information Commissioner’s Office; and (b) in the context of the EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.

2. Processing Requirements

2. 1. Provider shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Subscriber’s instructions, and as may subsequently be agreed between the Parties in writing. Provider shall promptly inform Subscriber if (a) in Provider’s opinion, an instruction from Subscriber violates Applicable Privacy Law; or (b) Provider is required by the applicable law to otherwise Process Personal Data unless Provider is prohibited by that law from notifying Subscriber under applicable law.

2. 2. Provider shall implement and maintain reasonable and appropriate technical measures that will ensure that Subscriber’s reasonable and lawful instructions can be complied with.

2. 3. Provider acknowledges that (a) Subscriber discloses Personal Data to Provider solely for the business purpose of Subscriber, and (b) Provider has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data and that any consideration paid by Subscriber to Provider under the Agreement relates only to Provider’s provision of the Services.  Provider shall not collect, retain, use, disclose, or otherwise Process the Personal Data (i) for any purpose other than for the specific purpose of providing the Services to Subscriber, or (ii) outside of the direct business relationship between Provider and Subscriber.  In addition, Provider shall not ‘sell,’ as defined under Applicable Privacy Law (including, without limitation, CCPA), or otherwise disclose any Personal Data except to authorized Sub-processors needed to render the Services. 

2. 4. Provider shall provide to Subscriber such co-operation, assistance, and information as Subscriber may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Subscriber’s provision of the Services, and (b) within such reasonable time as would enable Subscriber to meet any time limit imposed by the Privacy Authority.

3. Security of Personal Data.  

3. 1. Provider shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure, or access, as set forth in Exhibit B.

3. 2. Provider shall ensure the reliability of any employees who Process Personal Data.  

4. Subscriber Obligations

4. 1. Subscriber’s Security Responsibilities. Subscriber agrees that, without limitation of Provider’s obligations under Section 3 (Security of Personal Data), Subscriber is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems, and devices Subscriber use to access the Services; (c) securing Subscriber’s systems and devices that Provider uses to provide the Services, and (d) backing up Personal Data.

4. 2. Prohibited Data. Subscriber represents and warrants to Provider that Personal Data provided to Provider under the Agreement does not and will not, without Provider’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children; or any information that falls within any special categories of data (as defined in GDPR).

5. Sub-processors

5. 1. Provider shall not, without Subscriber’s prior written consent, sub-contract or outsource any Processing of Personal Data to any Sub-processor; provided that Subscriber shall not unreasonably withhold or delay consent to Provider’s appointment of any Sub-processor. Without limiting the foregoing, the Subscriber authorizes the Provider to engage the Sub-processors specified in Exhibit C of this Addendum.

5. 2. Provider shall remain liable for any Processing of Personal Data by such Sub-processor as if it had undertaken such Processing itself.

5. 3. The provider will contractually impose data protection obligations on its Sub-processors that are no less onerous than those imposed on the Provider under this Addendum.

6. Breach Notification

6. 1. Notification to Subscriber.  Unless otherwise prohibited by applicable law, Provider shall notify Subscriber without undue delay upon Provider discovering a Security Breach.  Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach, and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned).  In addition, the Provider shall communicate to the Subscriber (i) the process for obtaining more information regarding the Security Breach, (ii) a description of the likely consequences of the Security Breach, and (iii) a description of the measures taken or proposed to be taken by Provider to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.  

6. 2. Investigation. Provider shall take prompt action to investigate the Security Breach and shall use industry-standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder. 

7. Privacy Impact Assessment

Provider shall, promptly upon receipt of a written request by Subscriber (a) make available to Subscriber such information as is reasonably necessary to demonstrate Subscriber’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Subscriber in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Provider.  Provider shall reasonably cooperate with Subscriber to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment.  Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, the Subscriber shall not make any such request more than once in any 12-month period.

8. Audit Rights

Subscriber may audit Provider’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Subscriber’s Supervisory Authority.  The Provider will contribute to such audits by providing the Subscriber or Subscriber’s Supervisory Authority with the information and assistance that Provider considers appropriate in the circumstances and reasonably necessary to conduct the audit. To request an audit, the Subscriber must submit a proposed audit plan to the Provider at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof.  The proposed audit plan must describe the proposed scope, duration, and start date of the audit.  The Provider will review the proposed audit plan and provide the Subscriber with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment, or other relevant policies).  The Provider will work cooperatively with the Subscriber to agree on a final audit plan.  Nothing in this Section 8 shall require the Provider to breach any duties of confidentiality.  If the controls or measures to be assessed in the requested audit are addressed in a SOC 

2 Type 

2, ISO, NIST, or similar audit report performed by a qualified third-party auditor within twelve (12) months of the Subscriber’s audit request and the Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Subscriber agrees to accept such report in lieu of requesting an audit of such controls or measures.  The audit must be conducted during regular business hours, subject to the agreed final audit plan and the Provider’s safety, security, or other relevant policies, and may not unreasonably interfere with Provider's business activities. Any audits are at Subscriber’s sole expense.  Subscriber shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 8 at Provider’s then-current professional services rates, which shall be made available to Subscriber upon request.  Subscriber will be responsible for any fees charged by any auditor appointed by Subscriber to execute any such audit.  

9. Deletion of Personal Data

Provider shall, promptly and in any event within 90 days of expiration or termination of the Agreement, or following receipt of written notice from the Provider, (a) return a complete copy of all Personal Data to Subscriber by secure file transfer in such format as is reasonably notified by Subscriber to Provider, and (b) delete and procure the deletion of all other copies of Personal Data Processed by Provider.

10. Third Party Disclosure Requests

10. 1. Unless prohibited by applicable law, Provider shall promptly notify Subscriber of any inquiry, communication, request, or complaint, to the extent relating to Provider’s Processing of Personal Data on behalf of Subscriber, from:

1. any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
2. any Data Subject, and shall taking into account the nature of the Processing, provide reasonable assistance to enable Subscriber to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines.  Provider shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 9.1 and Section 9.2.

10. 2. In the event that Provider is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Subscriber, including any national security authority or other government body, Provider shall attempt to redirect the government request to Subscriber. If Provider is unable to redirect the request, Provider shall, unless prohibited by applicable law, notify Subscriber promptly and shall provide all reasonable assistance to Subscriber to enable Subscriber to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines.  If Provider is prohibited by applicable law from providing notice to Subscriber of a Legal Request, Provider shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Provider shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 10.2.

11. Transfers out of the EEA

If the Subscriber transfers Personal Data out of the EEA to Provider in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the EU SCCs, the terms of which are hereby incorporated into this Addendum.  Provider shall provide a copy of the signed version of the EU SCCs to Subscriber upon request. In furtherance of the foregoing, the parties agree that:

11. 1. Subscriber will act as the data exporter and the Provider will act as the data importer under the EU SCCs;

11. 2. for purposes of Appendix 1 to the EU SCCs, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section B to Exhibit A;

11. 3. for purposes of Appendix 2 to the EU SCCs, the technical and organizational measures shall be the Security Measures;

11. 4. data importer will provide the copies of the Sub-processor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the EU SCCs upon the data exporter’s request, and that data importer may remove or redact all commercial information or clauses unrelated the EU SCCs or their equivalent beforehand;

11. 5. the audits described in Clause 5(f) and Clause 12(2) of the EU SCCs shall be performed in accordance with Section 8 of this Addendum;

11. 6. Subscriber’s authorizations in Section 5 (Sub-processors) of this Addendum will constitute Subscriber’s prior written consent to the subcontracting by Provider of the Processing of Personal Data if such consent is required under Clause 5(h) of the EU SCCs; and

11. 7. certification of deletion of Personal Data as described in Clause 12(1) of the EU SCCs shall be provided upon the data importer’s request.

12. Transfers out of the UK

12. 1. If Subscriber transfers Personal Data out of the UK to Provider in a country not deemed by the UK Government to have adequate data protection, such transfer will be governed by the UK SCCs, the terms of which are hereby incorporated into this Addendum. Provider shall provide a copy of the signed version of the UK SCCs to Subscriber upon request.  In furtherance of the foregoing, the parties agree that Tables 1 through 4 of the UK SCCs shall be satisfied by the following information:

1. Table 1: Reference to Table 1 shall be satisfied by the information in Section A of Exhibit A.
2. Table 2: For Table 2, the version of the Approved EU SCCs shall be the EU SCCs, Controller to Processor module.
3. Table 3: Reference to Table 3 shall be satisfied by the information in Exhibit A.
4. Table 4: For Table 4, the Exporter and Importer shall have the rights outlined in Section 19 of the UK SCCs.

12. 2. Provider shall provide a copy of the signed version of the Standard Contractual Clauses to Subscriber upon request.

13. Claims

Any claims brought under, or in connection with, this Addendum shall be subject to the exclusions and limitations of liability set forth in the Agreement.

[Signature Page Follows.]

IN WITNESS WHEREOF, the Parties have caused this Data Processing Addendum to be executed by their duly authorized representatives.

SPIKY. AI                                         SUBSCRIBER: [INSERT ENTITY NAME]

Name:__________________________                 Name:______________________________

Signature:_______________________                Signature:___________________________

Title: __________________________                  Title:_______________________________

Date:___________________________                 Date:_______________________________

EXHIBIT A

1.  LIST OF PARTIES

Data Exporter(s): The Subscriber identified in the Agreement, which is sharing Personal Data with Data Importer in order for Data Importer to perform its Services.

Data Importer(s):

1. DESCRIPTION OF TRANSFER

1. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be the supervisory authority that has jurisdiction over the Data Exporter (i.e. Controller).

EXHIBIT B

The data importer/Provider has implemented and maintains comprehensive technical and organizational safeguards, which contain those safeguards described below:

• Organizational management and dedicated staff responsible for the development, implementation, and maintenance of the Provider’s information security program.
• Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Provider’s organization, monitoring and maintaining compliance with the Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
• Data security controls include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry-standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable media (i.e. laptop computers).
• Logical access controls are designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
• Password controls are designed to manage and control password strength, expiration, and usage including prohibiting users from sharing passwords and requiring that the Provider’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in a readable format on the Provider’s computer systems; (iii) must have defined complexity; and (iv) newly issued passwords must be changed after first use.
• System audit or event logging and related monitoring procedures to proactively record user access and system activity.
• Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of the Provider’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
• Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Provider’s possession.
• Change management procedures and tracking mechanisms are designed to test, approve and monitor all material changes to the Provider’s technology and information assets.
• Incident management procedures are designed to allow the Provider to investigate, respond to, mitigate, and notify of events related to the Provider’s technology and information assets.
• Network security controls are designed to protect systems from intrusion and limit the scope of any successful attack.
• Vulnerability assessment, patch management, and threat protection technologies, and scheduled monitoring procedures are designed to identify, assess, mitigate and protect against identified security threats, viruses, and other malicious code.
• Disaster recovery procedures are designed to maintain service and/or recovery from foreseeable emergencies or disasters.

EXHIBIT C

The data importer/Provider has authorized the use of the following Sub-processors:

83144366.2