sora2ugc Data Processing Addendum
1.0 (Current)
March 27, 2024
This Data Processing Addendum ("DPA") forms part of the sora2ugc Services Agreement or other written agreement between sora2ugc, a brand of FUNDLAS LLC, and Customer for the purchase and use of the Services from sora2ugc (the "Agreement") to reflect the parties' agreement with regard to the Processing of Personal Data.
By using the Services, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent sora2ugc processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the terms "Customer", "You" and "Your" shall include Customer and Authorized Affiliates.
In the course of providing the Services to Customer pursuant to the Agreement, sora2ugc may Process Personal Data on behalf of Customer. sora2ugc agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and processed by or for Customer through the Services.
1. Definitions
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
"Authorized Affiliate" means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and sora2ugc, but has not signed its own Agreement with sora2ugc and is not a "Customer" as defined under the Agreement.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Customer Data" means what is defined in the Agreement as "Customer Data" or "Your Data."
"Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), where for each (i) or (ii), such data is Customer Data.
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.
"Standard Contractual Clauses" means the agreement executed by and between Customer and sora2ugc and attached hereto as Attachment 1 pursuant to the European Commission's decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
"Sub-processor" means any Processor engaged by sora2ugc or a member of the sora2ugc Group.
"Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. Processing of Personal Data
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, sora2ugc is the Processor, and that sora2ugc will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-processors" below.
2.2 Customer's Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 sora2ugc's Processing of Personal Data. sora2ugc shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by sora2ugc is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Attachment 2 to this DPA.
3. Rights of Data Subjects
3.1 Data Subject Request. sora2ugc shall, to the extent legally permitted, promptly notify Customer if sora2ugc receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or its right not to be subject to an automated individual decision making ("Data Subject Request"). Taking into account the nature of the Processing, sora2ugc shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, sora2ugc shall upon Customer's request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent sora2ugc is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from sora2ugc's provision of such assistance.
4. sora2ugc Personnel
4.1 Confidentiality. sora2ugc shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. sora2ugc shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Reliability. sora2ugc shall take commercially reasonable steps to ensure the reliability of any sora2ugc personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. sora2ugc shall ensure that sora2ugc's access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.4 Data Protection Officer. sora2ugc shall have appointed, or shall appoint, a data protection officer if and whereby such appointment is required by Data Protection Laws.
5. Sub-processors
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that sora2ugc may engage third-party Sub-processors in connection with the provision of the Services. sora2ugc has or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
5.2 List of Current Sub-processors and Notification of New Sub-processors. sora2ugc shall make available to Customer the current list of Sub-processors for the Services identified in sora2ugc's Subprocessor List. Such Sub-processor list shall include the identities of those Sub-processors and their country of location. sora2ugc shall update the Sub-processor list at least 30 days prior to the addition or replacement of a Sub-processor.
5.3 Objection Right for New Sub-processors. Customer may object to sora2ugc's use of a new Sub-processor by notifying sora2ugc promptly in writing within ten (10) business days after receipt of sora2ugc's notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, sora2ugc will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If sora2ugc is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by sora2ugc without the use of the objected-to new Sub-processor by providing written notice to sora2ugc. sora2ugc will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
5.4 Liability. sora2ugc shall be liable for the acts and omissions of its Sub-processors to the same extent sora2ugc would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. Security
6.1 Controls for the Protection of Customer Data. sora2ugc shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. sora2ugc regularly monitors compliance with these measures. sora2ugc will not materially decrease the overall security of the Services during the term of the Agreement.
6.2 Third-Party Certifications and Audits. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, sora2ugc shall make available to Customer that is not a competitor of sora2ugc (or Customer's independent, third-party auditor that is not a competitor of sora2ugc) a copy of sora2ugc's then most recent third-party audits or certifications, as applicable, or any summary thereof, that sora2ugc generally makes available to its customers at the time of such request.
7. Security Breach Management and Notification
sora2ugc shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by sora2ugc or its Sub-processors of which sora2ugc becomes aware (a "Security Breach"). sora2ugc shall make reasonable efforts to identify the cause of such Security Breach and take those steps as sora2ugc deems necessary and reasonable in order to remediate the cause of such a Security Breach to the extent the remediation is within sora2ugc's reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer's Users.
8. Return or Deletion of Customer Data
Upon termination of the Agreement and upon Customer's request, sora2ugc shall either delete or return to Customer all Customer Data, including Personal Data in its possession. This requirement shall not apply to the extent that sora2ugc is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data sora2ugc shall securely isolate and protect from any further processing, except to the extent required by applicable law.
9. Authorized Affiliates
9.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between sora2ugc and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 9 and Section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
9.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with sora2ugc under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with sora2ugc, it shall to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
9.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against sora2ugc directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Section 9.3.2, below).
9.3.2 The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on sora2ugc and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.
10. Limitation of Liability
Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement, and such limitations apply to the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
11. California Consumer Privacy Act (CCPA)
For purposes of the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., if at such time sora2ugc is deemed a "Service Provider" as such term is defined under the CCPA the parties further acknowledge and agree that:
(a) sora2ugc shall not retain, use, or disclose Customer Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing Customer Data for a commercial purpose other than providing the Services or as otherwise permitted by the CCPA; and
(b) sora2ugc shall not sell Customer Data.
12. GDPR Obligations
To the extent that sora2ugc Processes Customer Personal Data that is protected by the GDPR, sora2ugc acknowledges and agrees that it:
(a) shall Process Customer Personal Data only on lawful documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by EEA Laws to which sora2ugc is subject; in such a case, sora2ugc shall inform Customer of that legal requirement before Processing, unless EEA Laws prohibit such information on important grounds of public interest;
(b) shall ensure that persons authorised to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) shall take all measures required pursuant to Article 32 of the GDPR;
(d) shall respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
(e) taking into account the nature of the Processing, shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
(f) shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to sora2ugc;
(g) at the choice of Customer, shall delete or return all the Customer Personal Data to Customer after the end of the provision of services relating to Processing, and delete existing copies unless EEA Laws require storage of the Customer Personal Data;
(h) shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.