INFRASCALE DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Infrascale Customer Agreement available at https://www.infrascale.com/legal/customer-agreement/, as updated from time to time between You and Infrascale, or other agreement between You and Infrascale governing Your use of the Services (the “Agreement”). This DPA is applicable when Applicable Data Protection Laws apply to Your use of the Services to Process Personal Data. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA shall have the meanings given to them in Section 16 of this DPA.

1. Data Processing. 

1.1 Scope and Roles. This DPA applies when Personal Data is Processed by Infrascale. In this context, Infrascale will act as a Processor to You, and You may act either as a Controller or Processor (as each term is defined in Applicable Data Protection Laws) with respect to Personal Data.

You are responsible for complying with Your obligations as a Controller under Applicable Data Protection Laws with respect to Your provision of Personal Data to Infrascale for provision of the Services, including without limitation obtaining any consents, providing any notices, or otherwise establishing the required legal basis and responding promptly to any inquiries from a Supervisory Authority. Unless specified in the Agreement, You will not provide Infrascale with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA.

Infrascale is the Processor and service provider with respect to such Personal Data, except when You act as a Processor of Personal Data, in which case Infrascale is a sub-processor. Infrascale is responsible for complying with its obligations under Applicable Data Protection Laws to the extent Applicable Data Protection Laws apply to Processing of Personal Data by Infrascale under the Agreement and this DPA.

1.2 Details of Data Processing.

1.2.1 Subject matter. The subject matter of the data Processing under this DPA is Personal Data. 

1.2.2 Duration. As between You and Infrascale, the duration of the data Processing under this DPA is determined by You.

1.2.3 Purpose. The purpose of the data Processing under this DPA is the provision of the Services initiated by You from time to time. Infrascale may also Aggregate Personal Data as part of the Services in order to provide, secure and enhance Infrascale products and services.

1.2.4 Nature of the Processing. Compute and storage of the Personal Data and such other services as initiated by You from time to time. 

1.2.5 Categories of data subjects. The data subjects may include Your customers, employees, suppliers, agents, contractors, and end-users.

1.3 Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Laws. 

2. Your Instructions and Providing Information & Assistance. The parties agree that the Agreement and this DPA constitute Your documented instructions (“Documented Instructions”) regarding Processing of Personal Data by Infrascale. Infrascale will Process Personal Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Infrascale and You, including agreement on any additional fees payable by You to Infrascale for carrying out such instructions.

Infrascale will provide You with information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws, including without limitation obligations of Infrascale under Applicable Data Protection Laws to implement appropriate data security measures, carry out a data protection impact assessment and consult the competent Supervisory Authority (taking into account the nature of Processing and the information available to Infrascale), and as further specified in this DPA.

3. Confidentiality of Personal Data. Infrascale will not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the Services, as set forth herein or in the Agreement, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). Infrascale will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law. Infrascale will promptly notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand. Infrascale may provide Personal Data to Affiliates in connection with any anticipated or actual merger, acquisition, sale, bankruptcy or other reorganization of some or all of its business, subject to the obligation to protect Personal Data consistent with the terms of this DPA.

4. Confidentiality Obligations of Infrascale Personnel. Infrascale restricts its personnel from Processing Personal Data without authorization by Infrascale. Infrascale imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

5. Security 

Infrascale shall implement and maintain appropriate technical and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such security practices are described at https://www.infrascale.com/security/. Infrascale seeks to continually strengthen and improve its security practices and therefore reserves the right to modify the controls described herein. Any modifications will not diminish the level of security during the relevant term of Services.

Infrascale employees are bound by appropriate confidentiality agreements and required to engage in regular data protection training as well as comply with Infrascale corporate privacy and security policies and procedures.

You are responsible for (i) properly configuring the Services, (ii) using the controls available in connection with the Services to allow You to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident (e.g., backups and routine archiving of Personal Data), and (iii) taking such steps as You consider adequate to maintain appropriate security, protection, and deletion of Personal Data, which includes use of encryption technology to protect Personal Data from unauthorized access and measures to control access rights to Personal Data.

6. Sub-processing.

6.1 Authorized Sub-processors. Subject to the terms of this DPA, You authorize Infrascale to engage sub-processors for the Processing of Personal Data. These sub-processors are bound by written agreements that require them to provide at least the level of data protection for Personal Data required of Infrascale by the Agreement and this DPA. Infrascale will remain responsible for the sub-processors’ compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause Infrascale to breach any of its obligations under this DPA. Except as set forth in this Section, or as You may otherwise authorize, Infrascale will not permit any sub-processor to carry out Processing activities on Personal Data on Your behalf.

A list of sub-processors who have or will have access to or Process Personal Data is available at https://www.infrascale.com/legal/data-processing-subprocessors/. At least thirty (30) calendar days before authorizing any new sub-processor to access or Process Personal Data (the “Notice Period”), Infrascale will inform You via email about such change. Where Infrascale is a Processor (and not a sub-processor), the following terms apply:

• If, based on reasonable grounds related to the inability of such sub-processor to protect Personal Data, You do not approve of a new sub-processor, then You may terminate any subscription for the affected Service without penalty by providing, before the end of the Notice Period, written notice of termination that includes an explanation of the grounds for non-approval.

• If the affected Service is part of a suite (or similar single purchase of Services), then any such termination will apply to the entire suite.

7. Data Subject Rights

Infrascale will make available to You the Personal Data of Your Data Subjects and the ability to fulfill requests by Data Subjects to exercise one or more of their rights pursuant to Applicable Data Protection Laws in a manner consistent with the role of Infrascale as a Processor. Infrascale will provide reasonable assistance to You in connection with Your response. If Infrascale receives a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, Infrascale will use commercially reasonable efforts to direct the Data Subject to You unless prohibited by law. 

8. Security Breach Notification.

8.1 Security Incident. Infrascale will (i) notify You without undue delay after becoming aware of a Security Incident involving Personal Data in the possession, custody or control of Infrascale, and (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. 

8.2 Infrascale Assistance. To assist You in relation to any Personal Data breach notifications You are required to make under Applicable Data Protection Laws, Infrascale will include in the notification under Section 8.1(i) such information about the Security Incident as Infrascale is reasonably able to disclose to You, taking into account the nature of the Services, the information available to Infrascale, and any restrictions on disclosing the information, such as confidentiality. You will consult with Infrascale on the content of any public statements or required notices to individuals and/or supervisory authorities.

9. Audits. 

In the event the information You request of Infrascale under Section 2 above does not satisfy Your obligations under Applicable Data Protection Laws, You may carry out an audit of Processing of Your Personal Data by Infrascale up to one time per year or as otherwise required by Applicable Data Protection Laws. To request an audit, You must provide Infrascale with a proposed detailed audit plan three weeks in advance, and Infrascale will work with You in good faith to agree on a final written plan. Any such audit shall be conducted at Your own expense, during normal business hours, without disruption to Infrascale business, and in accordance with the security rules and requirements of Infrascale. Prior to any audit, Infrascale undertakes to provide You reasonably requested information and associated evidence to satisfy Your audit obligations, and You undertake to review this information prior to undertaking any independent audit. If any of the requested scope of the audit is covered by an audit report issued to Infrascale by a qualified third-party auditor within the prior twelve months, then the parties agree that the scope of Your audit will be reduced accordingly. 

You may use a third-party auditor with agreement of Infrascale, which will not be unreasonably withheld. Prior to any third-party audit, such auditor shall be required to execute an appropriate confidentiality agreement with Infrascale. If the auditor is Your Supervisory Authority that’s enabled by applicable law to audit Infrascale directly, Infrascale will cooperate with and provide reasonable assistance to the Supervisory Authority in accordance with Applicable Data Protection Laws. 

You will provide Infrascale with a copy of any final report unless prohibited by Applicable Data Protection Laws, will treat the findings as Confidential Information in accordance with the terms of the Agreement (or confidentiality agreement entered into between You and Infrascale), and use it solely for the purpose of assessing compliance by Infrascale with the terms of the Agreement, this DPA and Applicable Data Protection Law.

10. Transfers of Personal Data. 

10.1 Data center locations. You acknowledge that Infrascale may transfer and Process Personal Data to and in the United States and in any other location where Infrascale, its Affiliates or its sub-processors maintain data processing operations, and You appoint Infrascale to perform any such transfer in order to Process Personal Data as necessary to provide the Services. We will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.

10.2 Privacy Shield. In light of the ruling issued by the Court of Justice of the European Union on the invalidation of the EU-U.S. Privacy Shield, and the opinion provided by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland on the inadequacy of the Swiss-U.S. Privacy Shield Framework, Infrascale is no longer relying on these frameworks when transferring personal information from the European Union, EEA and Switzerland to the United States. Nonetheless, to the extent Infrascale Processes or transfers (directly or via onward transfer) Personal Data under this DPA from the European Union, EEA and/or their member states and Switzerland (“EU Data”) in or to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws, Infrascale will adhere to no less than the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. We are closely monitoring development of international data transfer mechanisms under Applicable Data Protection Laws and will update our policies accordingly.

10.3 Alternative transfer mechanism. To the extent Infrascale adopts an alternative data transfer mechanism (including any new version of or successor to Privacy Shield or the Standard Contractual Clauses) for the transfer of EU Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Laws and extends to the countries to which EU Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or Supervisory Authority orders that the measures described in this DPA cannot be relied on to lawfully transfer EU Data (within the meaning of Applicable Data Protection Laws), Infrascale may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of EU Data.

11. Data Protection Officer. You may contact Infrascale’s Data Protection Officer at privacy@infrascale.com. If You have appointed a Data Protection Officer, You may include their contact information in Your order for Services.

12. Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”). Termination of the Agreement does not relieve either party of its obligations under this DPA.

13. Return or Deletion of Personal Data. Infrascale will return or provide an opportunity for You to retrieve all Personal Data following the Termination Date. You shall have ninety (90) days following termination of an Order or the Agreement, whichever occurs first, to download Your Personal Data after the Termination Date, subject to the terms and conditions in the Agreement; provided, the foregoing shall not apply to the extent prohibited by law or the order of a governmental or regulatory body, or if it could subject Infrascale to liability. Following the stated data retrieval period, Infrascale shall delete Your Personal Data with the exception of retention of the Personal Data as required by applicable law. In such event, Infrascale will continue to comply with the relevant provisions of this DPA until such data has been deleted. We will provide written confirmation of deletion upon request.

14. Duties to Inform. Where Personal Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being Processed by Infrascale, Infrascale will inform You without undue delay after becoming aware of such action. Infrascale will, without undue delay, notify all relevant parties in such action (e.g., creditors and bankruptcy trustee) that any Personal Data subjected to those proceedings is Your property and area of responsibility and that Personal Data is at Your sole disposition. 

15. Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control, provided that the Terms of Service will control over this DPA.

16. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below: 

“Affiliate” means any parent company or subsidiary of Infrascale, Inc. that may assist Infrascale in the Processing of Your Personal Data under this DPA.

“Aggregate” means information that relates to a group or category of individuals, from which identities have been removed such that the information is not linked or reasonably linkable to any individual subject to Applicable Data Protection Laws and cannot be considered as Personal Data.

“Applicable Data Protection Laws” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; and (ii) any other international, federal, state, provincial and local privacy or data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective that apply to the Processing of Personal Data under this DPA.

“Customer Content” means any data that Infrascale accesses or receives, or that is uploaded for storage or Processing under Your Infrascale account to which Infrascale is provided access to perform Services. It also includes proprietary technical information associated with Your environment, such as Your system or network configurations and the controls You select.

“EEA” means the European Economic Area.

“Personal Data” means any Customer Content Processed in connection with the performance of Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of individuals or as such information may be otherwise defined under Applicable Data Protection Laws.

“Processing” has the meaning given to it in Applicable Data Protection Laws and “Process”, “Processes” and “Processed” will be interpreted accordingly.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed in order to perform the Services. 

“You” means you or the entity you represent.

Terms used but not defined in this DPA shall have the same meaning as set forth in the Agreement or Applicable Data Protection Laws.

Revision Date: 27 March, 2023.

© Infrascale, Inc. All Rights Reserved.

