EPICA PLATFORM SERVICES AGREEMENT This EPICA Platform Services Agreement (“Platform Agreement”) forms part of the Agreement entered into by and between PODERIO, Inc. (“EPICA”) and the customer identified in an Order (“Client”). EPICA and Client may be referred to individually as a “Party” and collectively as the “Parties.” The Parties agree as follows: Definitions. Capitalized terms used in this Platform Agreement and not otherwise defined in context below will have the meanings specified in the attached Exhibit A. Scope. The Agreement applies to Client whether it uses the Platform Services: (a) via the Azure Platform pursuant to a Azure Order; or (b) directly via an EPICA-managed website or portal pursuant to an Enterprise Order. As indicated below, certain of the terms of this Platform Agreement vary in application depending upon whether Client uses the Platform Services pursuant to a Azure Order or an Enterprise Order. If Client uses the Platform Services on behalf of a third-party client (“Third-Party Client”), it will be responsible for ensuring that such Third-Party Client complies with the terms of this Agreement and references to “Client” below shall be interpreted to include that Third-Party Client. EPICA Platform. Right to Use Platform Services. Subject to the terms of this Agreement, EPICA grants Client a limited, non-exclusive, non-transferable right during the Term to use the Platform Services solely for Client to market and sell its products and services to current and prospective customers. Client may allow its subcontractors and employees to use the Platform Services solely in connection with work performed on its behalf. Client will remain liable for any use of the Platform Services by such users and any act or omission of such users will be deemed an act or omission of Client. License to EPICA Software. Subject to the terms and conditions of this Agreement, EPICA grants Client a limited, non-exclusive, non-transferable license during the Term to integrate the EPICA Software into a Client Property in accordance with any Documentation and solely as necessary for Client to enable its use of the Platform Services. If specified in an Order, this integration work may be performed by EPICA at the direction of Client. Restrictions. Client will not: (a) authorize or permit use of any aspect of the EPICA Platform by any third party other than subcontractors performing work on behalf of Client; (b) copy, distribute, frame, modify or create any derivative works of any aspect of the EPICA Platform; (c) decompile, disassemble, reverse engineer or otherwise attempt to access any underlying source code for the EPICA Platform; (d) resell, lend, lease or loan any aspect of the EPICA Platform, including by charging a fee to any third party to access any aspect of the EPICA Platform as a service bureau or otherwise; (e) perform or disclose any benchmark or performance tests relating to any aspect of the EPICA Platform; (f) perform or disclose any security testing of any aspect of the EPICA Platform, including port and service identification, vulnerability scanning, password cracking, remote access testing, or penetration testing; (g) remove or modify any program markings or any notice of EPICA’s or its licensors’ proprietary rights; (h) use any aspect of the EPICA Platform in violation of applicable laws or applicable self-regulatory advertising standards; (i) send or store infringing, obscene, threatening, or otherwise unlawful or tortious material via the Platform Services, including material that violates privacy rights; or (j) cause or permit any other party to do any of the foregoing. Suspension of Services. EPICA reserves the right to suspend Client’s (or any of its user’s) access to all or part of the Platform Services if: (a) Client fails to pay the fees in accordance with this Agreement; (b) EPICA reasonably determines that such suspension is reasonably necessary to: (i) mitigate any known or suspected security risk or vulnerability to the EPICA Platform, the Client Property, any Client Data or any property or data of any other EPICA client; (ii) Client is in breach of any of the restrictions in Section 3.3, as reasonably determined by EPICA; or (iii) EPICA reasonably determines that, as a result of a change in law (or enforcement thereof), EPICA’s provision of the Platform Services may not be permitted in accordance with applicable law; or (c) one or more EPICA suppliers have suspended or terminated EPICA’s access to or use of any third-party service that is required to enable Client to access those aspects of the suspended Platform Services. Use of the Platform Services. If Client uses the Platform Services via the Azure Platform, Client: (a) will comply with all terms applicable to the Azure Platform in connection with such use; and (b) acknowledges and agrees that EPICA will not be responsible for the acts or omissions of Azure. If Client uses the Platform Services directly via an EPICA-managed website or portal, then Client will: (a) ensure that any account registration information it provides to EPICA will be accurate and remain current and complete; (b) safeguard any account credentials it uses to access the Platform Services and promptly notify EPICA if it discovers or suspects unauthorized access or use; and (c) remain responsible for any use of the Platform Services via its account credentials. Maintenance and Support. If Client has entered into an Enterprise Order, EPICA will provide Client with the maintenance and support services set forth in that Enterprise Order in accordance with EPICA’s then-current maintenance and support terms. Third-Party Software. EPICA shall have no liability or responsibility for any Third-Party Software, including its operation or functionality or its compliance with Data Protection Laws. Client will ensure that it provides all notices and obtains all consents required by Data Protection Laws to enable use of the Third-Party Software via the Client Property. Client will further comply with all applicable terms and policies of the provider of any Third-Party Software. Third-Party Partner Services. Client acknowledges and agrees that Client is solely responsible for ensuring compliance with all applicable laws in connection with using third-party services that Client may elect to use in connection with the Platform Services. Client will use such third-party services in accordance with applicable laws, including by providing all notices, obtaining all consents and ensuring that opt-outs and other objection rights are honored. Client will provide EPICA with timely and complete access to Client’s accounts with Third-Party Partners and all other reasonably related information requested by EPICA to provide the Platform Services requested by Client. Client represents and warrants that it has all rights necessary to authorize EPICA’s access and use of such account and related information. Client will promptly provide updated account information to EPICA, so that EPICA’s access to such accounts will not be interrupted. Client authorizes EPICA to access and use such account(s) solely for the purpose of taking any actions with respect to such account(s) as EPICA deems reasonably appropriate to provide the Platform Services requested by Client. Client will promptly provide a letter of authorization to any Third-Party Partner that requires confirmation of EPICA’s authorization from Client to access such account(s) for the foregoing purposes. Client will comply with all applicable terms and policies of any Third-Party Partner and will remain solely responsible for all activities occurring under its account(s) with any Third-Party Partner except to the extent EPICA accesses such account(s) in breach of this section. Professional Services. Each Enterprise Order will set forth the scope of any Professional Services to be performed by EPICA and the associated fees. Either Party may propose changes in the scope of the Professional Services by submitting a service change request to the other Party with reasonable time prior to the date upon which the requesting Party desires the change to be implemented. Neither Party will be bound by any proposed change until both Parties have accepted the changes and any increase or other impact to the pricing in a written amendment or change order. Data. Client Data. EPICA will Process any Client Data in accordance with the terms of this Agreement, including the attached Exhibit B. Client will comply with all Data Protection Laws in connection with its Processing of Client Data. Without limiting the foregoing, Client will provide all notices and obtain all consents as may be required for: (a) EPICA to Process Client Data pursuant to the terms of this Agreement; and (b) Client to Process Client Data. No Sensitive Personal Information. Client will ensure that no Client Data includes any Sensitive Personal Information. EPICA does not make any representations or warranties that its Platform Services are suitable for Processing of Sensitive Personal Information. EPICA Data. EPICA reserves the right to use and disclose EPICA Data for its lawful business purposes; provided, however, that it does not use or disclose any EPICA Data in a way that enables a third party to determine that Client is the source of any such EPICA Data. Term and Termination. Term of Agreement. This Agreement will begin on the Effective Date and continue for the period set forth in the Order (the “Initial Term”). Following the Initial Term, this Agreement will automatically renew for successive one-year terms (each, a “Renewal Term” and together with the Initial Term, collectively, the “Term”), unless one Party provides written notice to the other at least 30 days prior to the expiration of the then-current Term of its intention not to renew this Agreement. Termination. Termination for Breach. This Agreement may be terminated by either Party for the other Party’s material breach of its obligations under this Agreement, but only if such breach is not cured within 30 days of the breaching Party’s receipt of written notice of the breach that described the breach in reasonably sufficient detail. Termination for Insolvency. A Party may terminate the Agreement without prior notice to the other if: (a) the other Party commences a voluntary case under title 11 of the United States Code or the corresponding provisions of any successor laws; (b) anyone commences an involuntary case against the other Party under title 11 of the United States Code or the corresponding provisions of any successor laws and either (i) the case is not dismissed by midnight at the end of the 60th day after commencement or (i) the court before which the case is pending issues an order for relief or similar order approving the case; (c) the other Party becomes insolvent or makes an assignment for the benefit of its creditors or an arrangement for its creditors pursuant to any bankruptcy law; (iv) the other Party discontinues its business; (d) a receiver is appointed for the other Party or its business; or (e) the other Party fails generally to pay its debts as they become due (unless those debts are subject to a good-faith dispute as to liability or amount) or acknowledges in writing that it is unable to do so. Effect of Termination. Upon the termination or expiration of this Agreement (the “Termination Date”), the rights and licenses, except where otherwise provided, that were granted to each Party under this Agreement will cease. Client will make payment to EPICA for all unpaid Services up to the Termination Date within 30 days of Client’s receipt of EPICA’s invoice. Subject to the terms of this clause, following termination, each Party will destroy all originals and copies of all Confidential Information of the other Party that it has received in connection with this Agreement. EPICA may retain copies of Confidential Information as required to comply with applicable law, provided that the terms of this Agreement will continue to apply to such Confidential Information until it is destroyed. Additionally, for a period of no less than 60 days after the end of the Term, EPICA will make Client Data available for retrieval by any Client that has entered into an Enterprise Order. Fees. Fees; Payment Terms. Client will pay EPICA the fees set forth in the Order. Client will pay invoices within 30 days from date of receipt of invoice. Past due balances are subject to interest equal to the lower of 1.5% per month or the maximum rate allowed by law, whichever is less. Client will be liable to EPICA for all reasonable costs of third-party collection activity, including attorneys’ fees, resulting from Client’s past due account. Client will be responsible for any federal, state and local sales, use, excise, ad valorem, value-added, and other similar type taxes and duties imposed on the purchases of Services. Overages. All fees based on the number of transactions processed will be calculated using EPICA’s records. In the event the applicable fees are based on usage metrics, EPICA reserves the right to charge overage fees in respect of any excess usage at the applicable overage rates set forth in the Order if Client exceeds its permitted usage in any month of a specified Term as indicated in the Order. EPICA Property. EPICA owns all right, title and interest in and to (a) the EPICA Platform, (b) any work product, concepts, inventions, information, drawings, designs, programs, or software (whether developed by EPICA, Client, either alone or with others, and whether completed or in-progress) created as part of the Services, and (c) all Intellectual Property Rights in and to any of the foregoing (collectively “EPICA Property”). This Agreement grants Client only the rights set forth herein and does not convey or transfer title or ownership of or to any EPICA Property. All rights not expressly granted herein with respect to the EPICA Platform are reserved by EPICA, and no other licenses are granted herein by EPICA by implication, estoppel or otherwise. Confidentiality. Obligations. Each Party will use the Confidential Information of the other Party solely for the purpose of exercising its rights or performing its obligations under this Agreement. Neither Party will disclose the Confidential Information of the other Party to any third party without the prior written consent of such other Party or as otherwise permitted under this Agreement. Each Party may disclose Confidential Information of the other Party to its employees, contractors and professional advisors who have a need to know such information and who are contractually bound by confidentiality obligations that are at least as protective as those in this Agreement. Exclusions. The obligations of Section 9.1 will not apply to (a) information that is or becomes, through no act or omission of the Party receiving the information, generally known to the public or in the public domain; (b) information that has been rightly acquired by the receiving Party independent of this Agreement and (c) Information that the receiving Party discloses pursuant to written permission of the disclosing Party. Required Disclosure. If Confidential Information is required to be disclosed pursuant to a requirement of a governmental authority, such Confidential Information may be disclosed pursuant to the requirement so long as the Party required to disclose the Confidential Information, to the extent not prohibited by law, provides the other Party with timely prior notice of the requirement and coordinates with such other Party in an effort to limit the nature and scope of such required disclosure. Representations and Warranties. Mutual Warranties. Each Party represents and warrants to the other Party that: (a) it has it has the power and authority to enter into and perform its obligations under this Agreement; and (b) its performance under this Agreement will not violate any agreement it has with any third party. EPICA Warranty. EPICA warrants that the Platform Services will operate in material compliance with the Documentation. Subject to Client’s termination rights under this Agreement, Client’s sole and exclusive remedy for any breach of the foregoing warranty shall be to require EPICA to correct the deficiency. Disclaimer of Warranties. Except for the limited warranty in Section 10.2, the EPICA Platform is provided strictly on an “as is” and “as available” basis without warranty of any kind. EPICA specifically disclaims all other warranties whether express, implied, or statutory, including the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Indemnification. By EPICA. EPICA will indemnify, defend and hold Client, its owners, officers, employees, agents, successors and assigns harmless from and against any and all third-party claims, actions, proceedings, judgments, losses, liabilities, costs and expenses (including reasonable attorneys’ fees) to the extent arising from claims by any third party that Client’s use of the Platform Services or EPICA Software in accordance with this Agreement infringes or misappropriates the Intellectual Property Rights of such third party, provided that EPICA will have no obligation to defend, indemnify and hold Client harmless for claims of infringement to the extent arising from (a) modifications to the Platform Services or EPICA Software made by any party other than EPICA; (b) EPICA’s compliance with the written designs or specifications supplied by Client; (c) any combination of the Platform Services or EPICA Software with materials or services of any third party; (d) Client’s breach of the Agreement. If EPICA determines, in its reasonable judgment, that the Platform Services or EPICA Software, violates or infringes any third party Intellectual Property Rights, EPICA, at its sole option and expense, may: (x) obtain for Client the right to utilize the Platform Services or EPICA Software, as applicable; (y) make the Platform Services or EPICA Software non-infringing without materially diminishing the utility to Client; or, if EPICA is unable to effect the actions in the foregoing clauses (x) and (y) despite its reasonable efforts, (z) terminate this Agreement and refund on a pro rata basis any pre-paid fees. By Client. Client will indemnify, defend and hold EPICA, its owners, officers, employees, agents, successors and assigns harmless from and against any and all third-party claims, actions, proceedings, judgments, losses, liabilities, costs and expenses (including attorneys’ fees) to the extent arising from claims by any third party in connection with (a) Client’s breach of this Agreement; (b) the Client Data; or (c) Client’s use of any Third-Party Partner services or Third-Party Software in connection with the Platform Services. Procedure. It is further agreed that (a) the Party who is obligated to provide defense and indemnification (the “Indemnifying Party”) will be notified in writing promptly by the Party seeking defense and indemnification (the “Indemnified Party”) of any such claim or demand (provided that the Indemnifying Party will only be relieved of its obligations if and to the extent that it has been actually prejudiced by the Indemnified Party’s failure to give notice as required); (b) the Indemnifying Party will have sole control of the defense of any action or such claim or demand and of all negotiations for its settlement or compromise provided that any settlement or compromise which requires any admission of liability, affirmative obligation or any contribution from the Indemnified Party must be expressly approved in advance in writing by the Indemnified Party; and (c) the Indemnified Party will use all commercially reasonable efforts to cooperate with the Indemnifying Party in a reasonable way and at the Indemnifying Party’s expense to facilitate the settlement or defense of such claim or demand. The Indemnified Party may, at its expense and option, use counsel of its choosing in connection with the defense of any such claim. Limitations on Damages. Disclaimer of certain damages. In no event will EPICA have any liability under this Agreement for consequential, exemplary, indirect, special, incidental, or punitive damages, including for any lost data regardless of the form of action, whether in contract, tort (including negligence), strict liability, or otherwise, even if EPICA has been advised of the possibility of such damages and whether or not any remedy provided should fail of its essential purposes, or for any claim by any third party. Limitation of liability. The total aggregate liability of EPICA for any reason and upon any cause of action brought under or associated with this Agreement, will be limited to the amount paid by Client to EPICA for the most recent one year period of the Agreement up to the date such liability arose. This limitation applies to all causes of action, including those based on breach of contract, breach of warranty, tort (including negligence), and strict liability. General. Non-Exclusive. The relationship created by this Agreement is non-exclusive in all respects. Modifications to this Agreement. If Client has only placed a Azure Order (and not an Enterprise Order), EPICA reserves the right to modify the terms and conditions of this Agreement (including by changing any subscription or other pricing applicable to the Platform Services) from time to time with notice to Client. Rights and Survival. Except where specifically provided, termination of this Agreement will be without prejudice to any other rights that either Party may have at law or in equity. Those provisions that by their nature are intended to survive termination or expiration of this Agreement shall so survive, including Sections 6.3 and 7-13. Notices. Notices will be given in writing and may be delivered by U.S. mail, overnight delivery service, or personal delivery to the intended recipient of the notice at the address noted in the recitals. Notice will be deemed delivered when received or one business day after deposit with an overnight delivery service for next day delivery, whichever is earlier. A Party may change a contact upon 10 days’ written notice to the other Party, which notice will contain the new contact information as set forth above. Force Majeure. If the performance of any part of this Agreement by either Party is prevented, hindered, delayed or otherwise made impracticable by reason of causes beyond the control of either Party, including flood or other natural disaster, riot, fire, judicial or governmental action, labor disputes, actions or failures of the hosting or internet service provider or of any telecommunications service providers or facilities in the chain of communication to and from EPICA’s server, sabotage or criminal interference with the server or Platform Services (a “Force Majeure Event”), other than in connection with any payment obligations, the Party experiencing the Force Majeure Event will be excused from performance to the extent that it is prevented, hindered or delayed by such causes. Each Party agrees to give the other notice as soon as possible of the existence of a Force Majeure Event affecting the Party’s performance and to give notice of the termination of the Force Majeure Event and the ability to continue performance under the Agreement. Separate Parties; No Third-Party Beneficiaries. The Parties agree that nothing in this Agreement will be construed to create a partnership, joint venture, franchise, or employee-employer relationship among EPICA, Client or any user. EPICA will perform the Services as an independent contractor. Neither EPICA nor Client is an agent of the other, and neither is authorized to make any representation, contract or commitment on behalf of the other unless specifically requested or authorized to do so in writing by the other. No person not a party to this Agreement is an intended beneficiary of this Agreement, and no user or any other person not a party to this Agreement will have any right to enforce any term of this Agreement. Entire Agreement. This Agreement, together with the attached exhibits and any document incorporated by reference, states the entire agreement between the Parties with respect to the subject matter hereof and supersedes all previous proposals, negotiations and other written or oral communications between the Parties with respect thereto. Terms in Client’s pre-printed purchase orders or order forms will have no force or effect. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to any applicable law or regulation, the Parties agree that such provision will be construed so that it can be found lawful to the fullest extent possible and the remaining provisions of this Agreement will remain in full force and effect. If such provision cannot be construed in a fashion that is lawful or is otherwise found void, then the Parties agree that the remaining provisions of this Agreement will continue in full force and effect as if said void provision never existed and as long as the removal of such void provision does not alter the intent of the Parties, including the economics of the Agreement. Assignment. Client may not assign its rights and obligations under this Agreement without the prior written permission of EPICA. This Agreement will be binding on each Party’s permitted successors and permitted assigns. Governing Law and Venue. This Agreement will be governed by, and construed and enforced in accordance with, the laws of the State of New York without regard to any principle that would require the application of the laws of another jurisdiction. Each Party hereto hereby irrevocably submits to the exclusive jurisdiction of and venue in any federal or state court located within New York City over any dispute arising out of or relating to this Agreement or any of the transactions contemplated hereby and each Party hereby irrevocably agrees that all claims in respect of such dispute or any suit, action or proceeding related thereto may be heard and determined only and exclusively in such courts. Counterparts. This Agreement may be executed in two or more counterparts, each of which will be deemed an original but all of which together will constitute one and the same instrument. Electronic signatures or signature in the form of handwritten signatures in a facsimile transmittal or scanned and digitized images of a handwritten signature (e.g., scanned document in PDF format) will have the same force and effect as original manual signatures. Headings; Interpretation. The section headings used in this Agreement are for reference and convenience only and will not enter into the interpretation of this Agreement. The term “including” shall be interpreted to mean “including without limitation.” Page Break Exhibit A Definitions “Agreement” means this Platform Agreement together with all Orders. “Client Data” means any Platform Data, Third-Party Enrichment Data, and Enterprise Data, but expressly excluding any EPICA Data. “Client Property” means any Client website, mobile app or other online service that has integrated the EPICA Software. “Confidential Information” means information that one Party discloses to the other Party under this Agreement, and that is marked as confidential or would normally be considered confidential information under the circumstances. “Data Protection Law” means any and all privacy, security and data protection laws and regulations that apply to a Party’s Processing of Personal Data under this Agreement. “Documentation” means program documentation, user manuals, product technical manuals and other information provided or made available by EPICA describing the operation and use of the Platform Services. “Effective Date” means the earlier of the date of the first Enterprise Order or first Azure Order. “End User” means any end user of a Client Property. “Enterprise Data” means any data relating to End Users that Client provides to EPICA other than Platform Data or Third-Party Enrichment Data. “Enterprise Order” means any ordering document entered into by the Parties for Client’s use of the Platform Services but excluding any Azure Order. “EPICA Data” means: (a) information that EPICA collects in connection with any use of the Platform Services by a contractor or employee of Client; and (b) Non-Personal Data. “EPICA Software” means any tracking pixel, cookie, software development kit or other software created by EPICA, which may be integrated into a Client Property and that enables certain features of the Platform Services. For clarity, the EPICA Software does not include any Third-Party Software. “EPICA Platform” means the EPICA Software, Documentation, EPICA Data and Platform Services and any other proprietary materials or software owned by EPICA that are used to perform the Services. For clarity, the EPICA Platform does not include Third-Party Software or Third-Party Enrichment Data. “Intellectual Property Right” means any patent, copyright, trade secret, trademark (registered or unregistered, including service marks), know-how, utility certificate, utility model, database right, industrial design right, circuit layout, and any other right resulting from intellectual activity in the industrial, scientific, literary and artistic fields, and all registrations, applications, renewals, extensions, combinations, divisions, continuations, or any derivative works or reissues of the foregoing, whether arising by operation of law, treaty, contract, license or otherwise. “Non-Personal Data” means: (a) any data Processed by EPICA in connection with an End User’s access to a Client Property that is not Personal Data; and (b) any Platform Data that has been aggregated, anonymized or de-identified such that it no longer includes Personal Data. “Order” means any Enterprise Order or Azure Order. “Personal Data” means information that is deemed “personal information” or “personal data” (or similar variations of such terms) under Data Protection Law. “Platform Data” means any Personal Data relating to End Users that EPICA Processes in connection with End Users’ use of the Client Property. “Platform Services” means any hosted software as a service provided by EPICA under this Agreement along with any improvements, updates, bug fixes or upgrades thereto. “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Professional Services” means any implementation or other professional services identified on any Enterprise Order. “Sensitive Personal Information” means any Personal Data that: (a) Client knows relates to children under the age of 16 or that relates to any user of a site or service offered or directed to children under the age of 16; (b) is deemed a special category of personal data pursuant to Article 9(1) of the GDPR; (c) if subject to a security breach or other incident would trigger notification obligations to either a regulator or affected individual under any U.S. state data breach notification law, such as government-issued identification numbers and financial or payment account numbers; (c) consists of “cardholder data,” as that term is defined under the Payment Card Industry Data Security Standard (PCI DSS); or (d) consists of “protected health information” under the Health Insurance Portability and Accountability Act, “non-public personal information” under the Gramm-Leach-Bliley Act, “student education records” under The Family Educational Rights and Privacy Act; or (e) consists of any other data that if Processed by EPICA via the Platform Services would require EPICA’s compliance with industry-specific data privacy or security requirements. “Services” means the Professional Services and the Platform Services. “Azure Order” means the order placed by Client through the Azure Platform for Client’s use of the Platform Services. “Azure Platform” means Azure Inc.’s proprietary e-commerce platform for online stores and retail point-of-sale systems that allows customers to implement third-party applications to use with their respective online stores. “Third-Party Enrichment Data” means any data that is provided to EPICA by a Third-Party Partner at the direction of Client that is intended to be combined with other Client Data via the Platform Services. “Third-Party Partner” means, as applicable, a third-party ad exchange, publisher, supply-side platform, ad network, demand-side platform, data management platform, ad server, Third-Party Enrichment Data provider, search engine, social media site, website on which media may be directly purchased, or other digital advertising technology vendors which are supported by the Platform Services, in all cases, other than EPICA. “Third-Party Software” means any pixel, cookie, software development kit or other technology created by a third party that is integrated with the EPICA Software at the direction of Client. Page Break Exhibit B Data Processing Addendum This Data Processing Addendum (the “DPA”) forms part of the Agreement between Client and EPICA. The terms of this DPA will control to the extent there is any conflict between terms of this DPA and the terms of the remainder of the Agreement. DEFINITIONS For purposes of this DPA, in addition to other terms defined elsewhere in the Agreement, the following terms will have the meaning ascribed below: “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended, together with applicable regulations. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The terms “data subject,” “processor,” and “personal data breach” will have the meanings given to them under the GDPR and the terms “service provider” and “sell” will have the meanings given to them under the CCPA. DATA PROCESSING AND PROTECTION Limitations on Use. EPICA will Process the Client Data as a processor and only in a manner consistent with documented instructions from Client, which will include Processing: (a) to perform the Services as authorized under the Agreement; and (b) as required by applicable law, provided that EPICA will inform Client (unless prohibited by such applicable law) of the applicable legal requirement before Processing pursuant to such legal requirement. Service Provider Commitments. EPICA will not (a) retain, use, or disclose the Client Data for any purpose other than for the specific purpose of performing the Services, or as otherwise permitted by the CCPA, including not retaining, using, or disclosing the Client Data for a commercial purpose other than providing the Services to Client, or (b) sell Client Data. Confidentiality. EPICA will ensure that persons authorized by EPICA to Process any Client Data are subject to appropriate confidentiality obligations. Client Obligations. Client will not instruct EPICA to perform any Processing of Client Data that violates any Data Protection Law. Security. EPICA will protect Client Data in accordance with requirements under Data Protection Law. EPICA will use measures protect Client Data that will meet or exceed the requirements specified in Attachment 2 to this DPA. Return or Disposal. At the choice of Client, EPICA will delete or return (or will enable Client via the Platform Services to delete or retrieve) all Client Data after the end of the provision of Platform Services (unless Data Protection Law requires the storage of such Client Data by EPICA). DATA PROCESSING ASSISTANCE Data Subject’s Rights Assistance. Taking into account the nature of the Processing of Client Data by EPICA under the Agreement, EPICA will provide reasonable assistance to Client by appropriate technical and organizational measures, insofar as this is possible, to assist Client in its fulfillment of its obligations to respond to requests for exercising a data subject’s rights, including those afforded to data subjects under Chapter III of the GDPR. Further Assistance. Taking into account the nature of Processing and the information available to EPICA, EPICA will assist in Client’s efforts to ensure EPICA’s compliance with Article 32 of the GDPR by complying with Section 4 of this DPA. Personal Data Breach Notice and Assistance. EPICA will notify Client without undue delay after becoming aware of a personal data breach that affects Client Data. EPICA will provide reasonable assistance to Client as may be necessary for Client to satisfy any notification obligations imposed under Data Protection Law in connection with any such personal data breach. AUDITS EPICA will allow for and contribute to audits conducted by Client, or another auditor mandated by Client that is reasonably acceptable to EPICA, in accordance with the terms of this Section 4. Any such audit will be limited to what is reasonably necessary to verify EPICA’s compliance with this DPA and must occur during EPICA’s normal business hours. Client will only have the right to audit EPICA once per 12-month period. In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by EPICA; (b) comply with reasonable and applicable on-site policies and procedures provided by EPICA; and (c) not unreasonably interfere with EPICA’s business activities. Client will provide written communication of any audit findings to EPICA, and the results of the audit will be the Confidential Information of EPICA. Client will provide no less than thirty (30) days’ advance notice of its request for any such audit, and will cooperate in good faith with EPICA to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either Party). SUBPROCESSORS Client authorizes EPICA to use subcontractors to Process Client Data in connection with the provision of Platform Services to Client (“Subprocessor”). EPICA will provide Client with notice of any intended changes concerning the addition or replacement of its Subprocessors, and provide Client with the opportunity to object to such changes. If Client objects to such changes, EPICA may terminate the Agreement immediately upon notice to Client. EPICA will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. DATA TRANSFERS EPICA may Process Client Data in a country that the European Commission has not deemed to have an adequate level of data protection, including the United States. Any transfer of Client Data originating from the European Economic Area, United Kingdom or Switzerland to such country will be conducted pursuant to the Standard Contractual Clauses (which will be deemed executed by the parties as of the effective date of this DPA), and the following terms will apply: (i) Client will be referred to as the “Data Exporter” and EPICA will be referred to as the “Data Importer” in such clauses with relevant company name and address details from the Agreement being used accordingly; (ii) details in Attachment 1 of this DPA will be used to complete Appendix 1 of those clauses; (iii) details of Attachment 2 of this DPA will be used to complete Appendix 2 of those clauses; and (iv) if there is any conflict between this DPA or the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail. “Standard Contractual Clauses” means Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (the text of which is available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087). Page Break Attachment 1 - Scope of Processing Subject-Matter and Nature and Purpose of Processing The Platform Services include software services that Process Client Data for the purposes of enabling Client to analyze and improve its marketing and sales practices. Duration of Processing The Processing will continue so long as the Agreement is in effect. Categories of Data Subjects End Users who use a Client Property. Types of Personal Data Platform Data: Data collected about End Users, which may include device and other unique identifiers, browsing behaviour, time and date of access and similar data. Client may also configure this data to include email address, name and other contact information about End Users. Third-Party Enrichment Data. Client can integrate the Platform Services with a variety of third-party enrichment data sources. Client controls the types of information provided to the Platform Services from these third-party sources. Enterprise Data. Client can integrate the Platform Services with its internal platforms, such as Client’s CRM, to Process further data via the Platform Services. Client controls the types of internal platforms and Enterprise Data it decides to integrate with the Platform Services. Page Break Attachment 2 - Data Security Measures Program. EPICA will implement and maintain a comprehensive written information security program (“Information Security Program”), which contains appropriate administrative, technical and organizational safeguards designed to comply with this Attachment 2. Access Controls. EPICA will implement measures designed to: (a) abide by the “principle of least privilege,” pursuant to which access to Client Data by EPICA personnel will be designed to be solely on a need-to-know basis; and (b) promptly terminate its personnel’s access to Client Data when such access is no longer required for performance under the Agreement. Account Management. EPICA will use reasonable measures designed to manage the creation, use, and deletion of all account credentials used to access the EPICA’s network, including by requiring unique credentials for each user and by implementing minimum password length and format requirements designed to encourage strong passwords. Vulnerability Management. EPICA will use reasonable measures designed to: (a) periodically use automated vulnerability scanning tools to scan the EPICA’s production system for vulnerabilities; and (b) implement patch management and software update tools as made available by the providers of those tools. Security Segmentation. EPICA will use reasonable measures designed to monitor, detect and restrict the flow of information on a multilayered basis using tools such as firewalls, proxies, and network-based intrusion detection systems. Data Loss Prevention. EPICA will use reasonable data loss prevention measures designed to identify, monitor and protect Client Data in use, in transit and at rest. Such data loss prevention processes and tools will include, where appropriate: (a) automated tools designed to identify attempts of data exfiltration; and (b) use of certificate-based security. Encryption. EPICA will use measures designed to encrypt, using industry standard encryption tools, all Client Data that EPICA: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media, and (iii) stores on portable devices or within the EPICA Infrastructure. Pseudonymization. EPICA will, where possible and consistent with the Platform Services, use commercially reasonable pseudonymization techniques designed to protect Client Data. Physical Safeguards. EPICA will maintain physical access controls designed to secure the EPICA owned physical premises where the relevant EPICA computing environment used to Process any Client Data is located, including an access control system that enables EPICA to control physical access to each EPICA facility. Administrative Safeguards. Prior to providing access to Client Data to any of its employees, EPICA will take measures designed to: (a) verify the reliability of such personnel; and (b) provide appropriate security training to such personnel.