Data protection addendum

This Data Processing Addendum ("DPA") sets out the GDPR obligations governing the processing of personal data by VibeMarketing Inc. dba Fibr.ai ("Data Processor") on behalf of the Customer/Partner ("Data Controller") who has signed a Subscription Services Agreement with VibeMarketing Inc.

Regulatory basis: GDPR Regulation (EU) 2016/679 — Articles 28, 32, and 82

1.  DEFINITIONS

The following terms have the meanings set out below throughout this Addendum.

1.1 Personal Data

Any information relating to an identified or identifiable natural person ('Data Subject'). The following data, often used for the express purpose of distinguishing individual identity, can be classified as Personal Data:

  • Name

  • Identification Number

  • Location data

  • An online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person

  • IP Address

  • Cookie Identifiers

  • Radio Frequency ID (RFID) tags

1.2 Natural Person / Data Subject

An identifiable Natural Person/Data Subject is one who can be identified, directly or indirectly, by reference to their Personal Data.

1.3 Processing

Any operation or set of operations performed on Personal Data or on sets of Personal Data by automated means, including but not limited to:

  • Collection

  • Recording

  • Organisation

  • Structuring

  • Storage

  • Adaptation or alteration

  • Retrieval / Downloading data

  • Consultation

  • Use

  • Disclosure by transmission

  • Dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

1.4 Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

1.5 Data Processor

A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

1.6 Data Sub-Processor

A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Processor.

1.7 GDPR

The General Data Protection Regulation (EU) 2016/679 — a legal framework that sets guidelines for the collection and processing of Personal Data of individuals within the European Union (EU).

1.8 Profiling

Any form of automated processing of Personal Data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person — in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

1.9 Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.10 Consent

Any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

1.11 Data Protection Impact Assessment (DPIA)

An activity carried out to enhance compliance with GDPR where processing operations are likely to result in a high risk to the rights and freedoms of Data Subjects.

1.12 Security Breach

Means:

  • any actual or reasonably suspected unauthorized use of, loss of, access to, or disclosure of Subscriber Data; provided that an incidental disclosure to an Authorized Party or VibeMarketing Inc. where no reasonable suspicion of theft, fraud, criminal or malicious conduct exists shall not constitute a Security Breach unless such incidental disclosure triggers a notification obligation under applicable Law; and

  • any security breach (or substantially similar term) as defined by applicable Law.

1.13 Supervisory Authority

An independent public authority established by an EU Member State. A Supervisory Authority is 'Concerned' by the processing of personal data because:

  1. The Data Controller or Processor is established on the territory of the Member State of that Supervisory Authority;

  2. Data Subjects residing in the Member State of that Supervisory Authority are substantially affected or likely to be substantially affected by the processing; or

  3. A complaint has been lodged with that Supervisory Authority.

2.  OBLIGATIONS OF VIBEMARKETING INC. AS DATA PROCESSOR

As a Data Processor, VibeMarketing Inc. agrees to:

  1. Process Customer Data only:

    • on Customer's behalf for the purpose of providing and supporting VibeMarketing Inc.'s services (including insights, reporting, analytics, and platform abuse, trust and safety monitoring);

    • in compliance with written instructions received from Customer; and

    • in a manner that provides no less than the level of privacy protection required under applicable Data Protection Laws;

  2. Promptly inform Customer in writing if VibeMarketing Inc. cannot comply with the requirements of this DPA;

  3. Not provide Customer with any remuneration in exchange for Customer Data. The parties acknowledge and agree that Customer has not "sold" (as defined under applicable data protection laws, including CCPA where applicable) Customer Data to VibeMarketing Inc.;

  4. Not "sell" or "share" Personal Data as defined under applicable data protection laws;

  5. Inform Customer promptly if, in VibeMarketing Inc.'s opinion, any instruction from Customer violates applicable Data Protection Laws;

  6. Ensure that persons employed by VibeMarketing Inc. and other persons engaged to perform services on its behalf are subject to appropriate confidentiality obligations with respect to Customer Data and comply with the data protection obligations applicable under this DPA;

  7. Engage sub-processors only as necessary to fulfill its obligations under this DPA, and ensure that such sub-processors are bound by data protection obligations that are no less protective than those set out in this DPA. A list of sub-processors is maintained and made available in Annex 2.

3.  APPLICABILITY

This DPA is applicable under the following conditions:

  1. If the Data Controller entity signing this Addendum is a party to the MSA, this DPA is an addendum to and forms part of the MSA. The entity that is party to the Agreement is party to this DPA.

  2. If the Data Controller entity signing this DPA has executed an Order Form with VibeMarketing Inc. or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms.

  3. If the Data Controller entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Data Controller entity who is a party to the Agreement execute this DPA.

  4. If the Data Controller entity signing the DPA is a party to neither an Order Form nor a Master Subscription Agreement directly with VibeMarketing Inc., but is instead a Data Controller indirectly via an authorized reseller of VibeMarketing Inc.'s services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required. This DPA shall not replace any comparable or additional rights relating to Processing of Data Controller Data contained in Data Controller's Agreement (including any existing data processing addendum to the Agreement).

  5. The Data Controller and VibeMarketing Inc. each warrant that they are and will continue to adhere to GDPR and shall perform their obligations under this GDPR Addendum in accordance with the provisions of the GDPR from time to time in force.

  6. The parties acknowledge that for the purposes of GDPR, the Data Controller/Partner is the Data Controller for the Personal Data and that the performance of the services will require the processing of Personal Data by VibeMarketing Inc. for the Data Controller.

4.  SCOPE

The parties acknowledge that for the purposes of GDPR:

  1. VibeMarketing Inc. shall process Personal Data provided by the Data Controller, limited to Name, Phone, E-Mail and Job Title, for the escalation and communication that is used to send notifications/alerts during business operations to the Data Subjects whose personal data is shared by the Data Controller.

  2. VibeMarketing Inc. implements controls to obtain Consent from users of the platform without disrupting Data Controller's operations. The Data Controller is responsible for ensuring the respective Data Controllers and users accept the user consent.

  3. VibeMarketing Inc. may use various software tools/Cloud Services for storing such Personal Data in their repositories.

  4. VibeMarketing Inc. may use or store the Personal Data for retracting any reference to the Data Subject, as mentioned in their Privacy Policy, if it is required in future even after expiry of the agreement for identifying or tracing any alerts/notifications sent to the Data Subject.

  5. The Data Controller/Partner shall be responsible to notify and obtain Consent from their Employees/Data Controllers/Contractors on how the Personal Data is processed by VibeMarketing Inc. and their Data Sub-Processor.

  6. VibeMarketing Inc. shall bring to the Data Controller's/Partner's attention if they find a Personal Data Breach in their or their Data Sub-Processor environment that has impacted any form of Personal Data stored by either or both parties.

  7. VibeMarketing Inc. shall not process Personal Data other than for the purposes documented in the Agreement.

5.  WARRANTY BY VIBEMARKETING INC.

VibeMarketing Inc. warrants to the Data Controller to comply with the following:

  1. It shall fully comply with the provisions of GDPR in carrying out its obligations under this Agreement;

  2. It has all provisions for data protection necessary for carrying out its obligations under this Agreement and shall maintain such provisions throughout the term;

  3. It shall immediately advise the Data Controller in writing if it receives or learns of any:

    1. Complaint or allegation indicating a violation of Data Privacy Laws regarding Personal Data;

    2. Request from one or more individuals seeking to access, correct, or delete Personal Data;

    3. Inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Data; and

    4. Any regulatory request, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Data.

6.  REPRESENTATIONS BY VIBEMARKETING INC.

VibeMarketing Inc. shall:

  1. Adopt and maintain appropriate technical and organizational measures to ensure Personal Data is kept secure throughout the data life cycle, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, and take such precautions as are necessary to ensure the integrity of Personal Data and to prevent any Personal Data Breach;

  2. Ensure that Data Sub-Processors process Personal Data as per the instructions provided by VibeMarketing Inc. in accordance with the requirements of GDPR;

  3. Not collect Personal Data more than is required by VibeMarketing Inc. for processing;

  4. Maintain a current list of Sub-processors on its website at https://www.fibr.ai, including for each Sub-processor: (i) name, (ii) geographic location, and (iii) a description of the processing activities performed. Data Controller specifically authorises the engagement as Sub-processors of those entities listed at the URL mentioned herein. In case VibeMarketing Inc. intends to add a new Sub-processor, it shall update the website/send a communication email ten (10) days prior to authorising any new Sub-processor to process Data Controller Content. If the Data Controller objects on reasonable grounds related to data protection, the parties shall work together in good faith to resolve the concern. If no resolution is reached, the Data Controller shall have the right to terminate the agreement;

  5. Before the Sub-processor first processes Data Controller Information, ensure that the Sub-processor is capable of providing the level of protection required by this Exhibit;

  6. Remain fully liable to the Data Controller in respect of any failure by the Sub-processor to fulfil its data protection obligations;

  7. Allow Data Subjects to keep the contents of their Personal Data accurate;

  8. On reasonable written notice by the Data Controller, make available all such information as is necessary to demonstrate compliance with GDPR, including where such information is requested as part of an assessment/compliance check. VibeMarketing Inc. shall provide reasonable assistance to the Data Controller in relation to data subject requests, DPIAs, and regulatory inquiries, at no additional cost where such requests are standard and proportionate. For requests that are excessive, repetitive, or require significant additional effort, VibeMarketing Inc. reserves the right to charge reasonable fees based on the effort involved, subject to prior notice to the Data Controller;

  9. On termination of the Agreement, at the Data Controller's sole requisition, provide all Personal Data to the Data Controller and shall provide confirmation of erasure;

  10. Keep records of the processing activities carried out on behalf of the Data Controller;

  11. Assist the Data Controller in meeting its GDPR obligations to notify Personal Data Breaches to the Supervisory Authority, along with the process and information required;

  12. Provide commercially reasonable cooperation to the Data Controller in responding to:

    1. Regulatory or supervisory authority requests;

    2. Data subject complaints or inquiries; and

    3. Investigations relating to any Personal Data Breach or suspected breach.

Such cooperation shall include providing relevant information and support necessary for the Data Controller to meet its obligations under applicable Data Protection Laws, provided that such cooperation does not require VibeMarketing Inc. to disclose confidential information of other customers or violate applicable law. VibeMarketing Inc. shall ensure appropriate prioritization and escalation of requests relating to security incidents or Personal Data Breaches.

  13. Not use Personal Data for activities like analytics and profiling unless required for business operations to provide subscribed services;

  14. Inform the Data Controller if, in VibeMarketing Inc.'s opinion, a processing instruction infringes applicable legislation or regulation;

  15. Where shared Personal Data is transferred outside the Data Processor's territorial boundaries, ensure that the recipient of such data is under contractual obligations to protect such Personal Data to the same or higher standards as those imposed under this Addendum and applicable Data Protection Laws;

  16. Regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice, and ensure that all Personal Data is kept strictly confidential.

7.  AUDIT RIGHTS

VibeMarketing Inc. shall engage independent third-party auditors to assess the adequacy of its security and data protection measures at least annually, including in accordance with ISO 27001 and SOC 2 requirements.

Upon written request and subject to a mutually agreed Non-Disclosure Agreement (NDA), VibeMarketing Inc. shall provide the Data Controller with relevant audit reports, including SOC 2 Type II reports, ISO 27001 certifications, and related security documentation, sufficient to demonstrate compliance with applicable Data Protection Laws.

Audit rights of the Data Controller shall primarily be satisfied through such third-party audit reports and documentation.

Any additional audit requests (including on-site or detailed assessments) shall be permitted only where:

  • required by applicable law or regulatory authority; or

  • following a material security incident affecting Customer Personal Data.

Any such audits shall:

  • be conducted with reasonable prior notice;

  • occur during normal business hours;

  • not unreasonably interfere with VibeMarketing Inc.'s operations; and

  • be at the Data Controller's expense.

VibeMarketing Inc. may reasonably limit the scope of any audit to protect confidentiality, security, and obligations owed to other customers.

8.  RIGHT TO TERMINATE

If VibeMarketing Inc. contravenes the provisions mentioned in Clause 7 (Audit), the Data Controller shall have the right to terminate this Data Processing Addendum (DPA) and the Master Services Agreement (MSA).

9.  MECHANISM OF DATA TRANSFERS

9.1 Standard Contractual Clauses

Where Personal Data is transferred outside the European Economic Area ("EEA") or to a country that has not been recognized by the European Commission as providing an adequate level of protection, the Parties agree that such transfers shall be governed by the Standard Contractual Clauses (EU) 2021/914 ("SCCs").

The SCCs are hereby incorporated by reference into this DPA and form an integral part of the Agreement. For the purposes of the SCCs:

  • The Customer shall act as the data exporter

  • VibeMarketing Inc. shall act as the data importer

  • The applicable module shall be Module Two (Controller to Processor) or Module Three (Processor to Processor), as applicable

In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to international data transfers.

9.2 Restricted Transfers — EU GDPR

The parties agree that when the transfer of Customer Personal Data from Customer and/or any of its Affiliates (as exporter) to VibeMarketing Inc. (as importer) is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs, which shall be deemed incorporated into and form part of this Addendum as follows:

In relation to Customer Personal Data protected by the EU GDPR and processed by VibeMarketing Inc. on behalf of and under the instruction of Customer, the EU SCCs will apply completed as follows:

  • Module Two will apply (controller to processor transfers);

  • In Clause 7, the optional docking clause will apply;

  • In Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 4.2(d) of this Addendum;

  • In Clause 11, the optional language will not apply;

  • In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

  • In Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland;

  • Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum; and

  • Annex II of the EU SCCs shall be deemed completed with the information set out in Section 4 of Annex 1 to this Addendum.

9.3 Restricted Transfers — Swiss DPA

In relation to Customer Personal Data protected by the Swiss DPA, the EU SCCs shall apply as set out in Section 9.2, but with the following modifications:

  • Any references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein;

  • Any references to "EU", "Union", "Member State", and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be;

  • Any references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and

  • The Controller to Processor SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss Courts.

9.4 Restricted Transfers — UK GDPR

In relation to Customer Personal Data protected by the UK GDPR, the EU SCCs shall apply as set out in Section 9.2, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this Addendum. Any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum.

In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex 1 of this Addendum, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting both "Importer" and "Exporter".

9.5 AI Processing

VibeMarketing Inc. shall process Personal Data using AI and machine learning technologies within the Frankfurt Region, Germany, in accordance with the terms of this Addendum and applicable Data Protection Laws, including GDPR.

The purpose of such AI processing is limited to the services provided by VibeMarketing Inc. VibeMarketing Inc. shall ensure that any AI processing of Personal Data is conducted only to the extent necessary to achieve the specified purposes.

VibeMarketing Inc. shall not participate in any other Restricted Transfers of Customer Personal Data unless the Restricted Transfer is made in compliance with applicable Data Protection Law and pursuant to the relevant Standard Contractual Clauses.

9.6 Transfer Mechanism

"Transfer Mechanism" refers to any lawful means of transferring personal data from the EEA or any adequate country to a third country in compliance with applicable data protection laws. This may include, but is not limited to:

  • Standard Contractual Clauses (SCCs) approved by the European Commission Decision of 4 June 2021 (as amended from time to time) for the transfer of personal data from the EEA or adequate countries to a third country;

  • International Data Transfer Agreement issued by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018, effective from 21 March 2022;

  • International Data Transfer Addendum issued by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.

9.7 Additional Measures

If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard required under Data Protection Laws.

9.8 Disclosures to Public Authorities

Subject to the terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):

  • challenge the request and promptly notify the data exporter about it; and

  • only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

Customer should routinely review all international transfers of Personal Data on a case-by-case basis in order to monitor new risks and implement additional safeguards (such as encryption or pseudonymization) to mitigate identified risks.

10.  DATA INCIDENT MANAGEMENT

VibeMarketing Inc. maintains security incident management policies and procedures and shall notify the Data Controller without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a Personal Data Breach — including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data Controller Data transmitted, stored or otherwise processed by VibeMarketing Inc. or its Sub-processors (a "Data Controller Data Incident").

VibeMarketing Inc. shall make reasonable efforts to identify the cause of such Data Controller Data Incident and take those steps it deems necessary and reasonable in order to remediate the cause to the extent the remediation is within VibeMarketing Inc.'s reasonable control.

Such notification shall, to the extent available at the time of notification, include:

  • the nature of the Personal Data Breach;

  • categories and approximate number of affected Data Subjects;

  • likely consequences of the breach; and

  • measures taken or proposed to address and mitigate the breach.

The obligations herein shall not apply to incidents caused by the Data Controller or the Data Controller's Users.

The Data Processor shall immediately notify the Data Controller with full details of:

  1. Any Personal Data Breach in relation to this Addendum;

  2. Processing of Personal Data which is contrary to GDPR or would require the Processor to act in a way contrary to GDPR; and

  3. Any request received (including from an individual or the Supervisory Authority) to disclose any Personal Data.

11.  RETURN AND ERASURE OF DATA CONTROLLER DATA

Upon termination or expiration of the Agreement, VibeMarketing Inc. shall, at the choice of the Data Controller, return or delete all Personal Data processed on behalf of the Data Controller, unless retention is required by applicable law. Such deletion or return shall be completed within a reasonable period not exceeding sixty (60) days from the date of termination.

VibeMarketing Inc. shall, upon written request, provide written confirmation of deletion of such Personal Data.

Notwithstanding the foregoing, Personal Data may be retained in secure backup systems for a limited period in accordance with standard backup retention practices, after which such data shall be securely deleted or overwritten.

12.  GENERAL

  1. Nothing in this Agreement shall relieve VibeMarketing Inc. of its own direct responsibilities and liabilities under GDPR.

  2. The Clauses in this document shall be governed by the law of the Member State of the EEA (European Economic Area) in which the data processing is established.

  3. In assessing the appropriate level of security, VibeMarketing Inc. shall conduct a Data Protection Impact Assessment (DPIA) on a periodic basis to evaluate the risks presented by processing, in particular from a Personal Data Breach perspective.

13.  DATA PROCESSING

  1. Scope and Roles.  This DPA applies when Customer Data is processed by VibeMarketing Inc. In this context, VibeMarketing Inc. will act as processor to Customer, who can act either as controller or processor of Customer Data.

  2. Customer Controls.  Customer can use the Service Controls to assist it with its obligations under Applicable Data Protection Law, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Customer agrees that it is unlikely that VibeMarketing Inc. would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if VibeMarketing Inc. becomes aware that Customer Data transferred under the SCCs is inaccurate or outdated, it will inform Customer without undue delay. VibeMarketing Inc. will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data by providing the Service Controls that Customer can use to erase or rectify Customer Data.

14.  DETAILS OF DATA PROCESSING

  1. Subject matter.  The subject matter of the data processing under this DPA is Customer Data.

  2. Duration.  As between VibeMarketing Inc. and Customer, the duration of the data processing under this DPA is determined by Customer.

  3. Purpose.  The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.

  4. Nature of the processing.  Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.

  5. Type of Customer Data.  Customer Data uploaded to the Services under Customer's accounts with VibeMarketing Inc.

  6. Categories of data subjects.  The data subjects could include Customer's customers, employees, suppliers and end users.

15.  COMPLIANCE WITH LAWS

Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Law.

16.  INDEMNITY

Each Party (the "Indemnifying Party") shall defend, indemnify, and hold harmless the other Party and its Affiliates (the "Indemnified Party") from and against any third-party claims, damages, liabilities, fines, penalties, and expenses (including reasonable legal fees) arising out of or related to:

  1. Any breach of this Data Processing Addendum by the Indemnifying Party; or

  2. Any violation of applicable Data Protection Laws by the Indemnifying Party.

Customer Indemnity — Customer shall indemnify VibeMarketing Inc. for claims arising from:

  • unlawful or improper collection of Personal Data;

  • failure to obtain required consents or provide required notices; or

  • instructions that violate applicable Data Protection Laws.

Fibr Indemnity — VibeMarketing Inc. shall indemnify Customer for claims arising from:

  • breach of its obligations under this DPA;

  • failure to implement appropriate technical and organizational security measures; or

  • acts or omissions of its Sub-processors, to the extent VibeMarketing Inc. is responsible.

Each Party may participate in the defense of any claim with counsel of its choosing at its own expense.

This Section shall be subject to the limitation of liability set forth in the Master Services Agreement (MSA), except in cases of gross negligence, willful misconduct, or regulatory fines directly attributable to a Party's breach.

17.  INSURANCE

17.1 During the term of this DPA and for a period of two (2) years following its expiration or termination, Fibr.ai shall maintain the following minimum insurance coverages with carriers having an AM Best rating of at least A- VII:

  Insurance Type                                                    Coverage Limit
  Commercial General Liability                                      USD 1,000,000 per occurrence / USD 2,000,000 aggregate
  Cyber Liability / Data Breach and Errors & Omissions (Tech E&O)   USD 1,000,000 per claim / USD 3,000,000 aggregate
  Umbrella / Excess Liability                                       USD 3,000,000 aggregate

17.2 Upon Customer's written request, Fibr.ai shall provide Certificates of Insurance evidencing the coverages described in Section 17.1 within 10 business days.

17.3 Fibr.ai shall notify Customer in writing within 30 days if any of the above coverages are cancelled, materially reduced, or lapse during the term.

17.4 The existence of insurance does not limit or reduce Fibr.ai's liability under this DPA.

18.  SEVERABILITY

The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

19.  DATA PROTECTION OFFICER

VibeMarketing Inc. has appointed a Data Protection Officer (DPO) in compliance with GDPR Article 37.

DPO Contact: roy@fibr.ai

ANNEX 1 — PARTIES & DESCRIPTION OF TRANSFER

1.  Data Exporter

Name: Customer (as set forth in the relevant Order Form)

Address: As set forth in the relevant Order Form

Contact Person: As set forth in the relevant Order Form

Activities relevant to the transfer: Recipient of the Services provided by VibeMarketing Inc. in accordance with the Agreement

Signature and date: As set out in the Agreement

Role: Controller

2.  Data Importer

Name: VibeMarketing Inc.

Address: 42700 Everglades Park Dr, Fremont, CA 94538

Contact Person: Pritam Roy, DPO — roy@fibr.ai

Activities relevant to the transfer: Provision of the Services to the Customer in accordance with the Agreement

Signature and date: As set out in the Agreement

Role: Processor

3.  Description of Transfer

Categories of data subjects:

  • Customer's authorized users of the Services

Categories of personal data transferred:

  • Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username, and other such items as defined in Article 9 of GDPR

Sensitive data transferred:

  • No sensitive data collected

Frequency of transfer:

  • Continuous basis

Nature of the processing:

  • Client-facing: Email addresses and names are collected for login, stored in Firebase and MongoDB. Automated triggers are used to send newsletters and alerts. No invisible tracking pixels are used for behavior analysis beyond click-through rates. All data resides in the primary country where the client has logged in.

  • User (Client's Client)-facing: The SDK collects non-PII information for events like page visits, conversions and other engagements. No personal customer information is collected. All data is stored in the primary country where the client operates.

Purpose of data transfer:

The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.

Retention period:

The period for which the Customer Personal Data will be retained is more fully described in the Agreement, Addendum, and accompanying order forms.

For transfers to (sub-)processors:

The subject matter, nature, and duration of the processing are more fully described in the Agreement, Addendum, and accompanying order forms.

4.  Technical and Organisational Security Measures

Description of the technical and organisational security measures implemented by VibeMarketing Inc. as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Security Management System

  • Organisation — VibeMarketing Inc. designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.

  • Policies — Management reviews and supports all security-related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.

  • Assessments — VibeMarketing Inc. engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.

  • Risk Treatment — VibeMarketing Inc. maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.

  • Vendor Management — VibeMarketing Inc. maintains an effective vendor management program.

  • Incident Management — VibeMarketing Inc. reviews security incidents regularly, including effective determination of root cause and corrective action.

  • Standards — VibeMarketing Inc. operates an information security management system that complies with the requirements of ISO/IEC 27001:2022.

Personnel Security

  • Personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

  • VibeMarketing Inc. conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.

  • Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times.

  • Personnel must acknowledge receipt of, and compliance with, VibeMarketing Inc.'s confidentiality, privacy and security policies.

  • Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program.

  • Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications).

  • Personnel will not process Customer Personal Data without authorization.

Access Controls

  • Access Management — VibeMarketing Inc. maintains a formal access management process for the request, review, approval and provisioning of all personnel with access to Customer Personal Data, to limit access to Customer Personal Data and systems storing, accessing or transmitting Customer Personal Data to properly authorized persons having a need for such access. Access reviews are conducted periodically to ensure that only those personnel with access to Customer Personal Data still require it.

  • Infrastructure Security Personnel — VibeMarketing Inc. has and maintains a security policy for its personnel, requiring security training. Infrastructure security personnel are responsible for ongoing monitoring of VibeMarketing Inc.'s security infrastructure and responding to security incidents.

  • Access Control and Privilege Management — VibeMarketing Inc.'s and Customer's administrators and end users must authenticate via a multi-factor authentication system or a single sign-on system in order to use the Services.

  • Internal Data Access Policies — Systems are designed to allow only authorized persons to access data they are authorized to access, based on principles of "least privilege" and "need to know".

The granting or modification of access rights is based on:

  • the authorized personnel's job responsibilities;

  • job duty requirements necessary to perform authorized tasks;

  • a need-to-know basis; and

  • accordance with VibeMarketing Inc.'s internal data access policies and training.

Approvals are managed by workflow tools that maintain audit records. Access to systems is logged to create an audit trail. Where passwords are employed, password policies follow industry standard practices (complexity, expiry, lockout, restrictions on reuse, re-prompt after inactivity).

Data Center and Network Security

Data Centers — Infrastructure:

  • US clients: us-central1 (Google Cloud Platform region — Council Bluffs, Iowa, USA)

  • Indian clients: asia-south1 (Google Cloud Platform region — Mumbai, MH, India)

  • Resiliency — Multiple availability zones are enabled on GCP; backup restoration testing is conducted regularly.

  • Server Operating Systems — Servers are customised and hardened for security. A code review process is employed to increase security of the code used to provide the Services.

  • Disaster Recovery — Data is replicated over multiple systems to protect against accidental destruction or loss. Disaster recovery programs are designed and regularly tested.

  • Security Logs — Systems have logging enabled to support security audits and monitor for actual and attempted attacks.

  • Vulnerability Management — Regular vulnerability scans are performed on all infrastructure components. Vulnerabilities are remediated on a risk basis, with Critical, High and Medium patches installed as soon as commercially possible.

Networks and Transmission

  • Data Transmission — Data in the production environment is transmitted via Internet standard protocols.

  • External Attack Surface — VPC Firewall Rules combined with Target Tags or Service Accounts and Security Groups are in place for the Production environment on GCP.

  • Incident Response — VibeMarketing Inc. maintains incident management policies and procedures, including detailed security incident escalation procedures. VibeMarketing Inc. monitors a variety of communication channels for security incidents, and VibeMarketing Inc.’s security personnel will react promptly to suspected or known incidents, mitigate harmful effects of such security incidents, and document such security incidents and their outcomes.

  • Encryption Technologies — VibeMarketing Inc. makes HTTPS encryption … available for data in transit and implements encryption technologies for data at rest to ensure the security and confidentiality of Customer Data.

Data Storage, Isolation, Authentication, and Destruction

  • VibeMarketing Inc. stores data in a multi-tenant environment on GCP servers.

  • Data, the Services database and file system architecture are replicated between multiple availability zones in the US and India (applicable only for user-facing high availability resolution servers; for other data, it stays within the same country).

  • VibeMarketing Inc. logically isolates the data of different customers.

  • A central authentication system is used across all Services to increase uniform security of data.

  • VibeMarketing Inc. ensures secure disposal of Client Data through the use of a series of data destruction processes.

ANNEX 2 — LIST OF SUB-PROCESSORS

Sub-Processor Name           | Nature of Processing                                                                              | Location
Google Cloud Platform (GCP)  | Cloud infrastructure, data hosting, compute, storage, database services, backup & disaster recovery | US and IN
Google Workspace             | Corporate email, internal collaboration, document storage                                         | US
ClickUp                      | Project management, task tracking, internal workflow coordination                                 | US
Keka                         | HRIS                                                                                              | IN
Gusto                        | HRIS                                                                                              | US
Slack                        | Communication                                                                                     | US
OpenAI                       | AI model inference for content generation, personalization, and natural language processing       | US
Anthropic                    | AI model inference for content generation, personalization, and natural language processing       | US
Google Vertex AI             | AI model inference, machine learning services for content personalization and optimization        | US
ChargeBee                    | Payment processing and billing                                                                    | US
Sentry                       | Application monitoring, error tracking, logging                                                   | US
SendGrid                     | Transactional and marketing email delivery                                                        | US
GitHub                       | Source code hosting, CI/CD pipelines                                                              | US