Data Processing Addendum
Apr 15, 2025
This Data Processing Addendum ("Addendum") forms part of the Principal Agreement between Okendo acting on its own behalf and as agent for each Okendo Affiliate and the Merchant as defined in the Principal Agreement, acting on its own behalf and as agent for each Merchant Affiliate.

Definitions

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

- Applicable Laws means:
  - European Union or Member State laws with respect to any Merchant Personal Data in respect of which any Merchant Group Member is subject to EU Data Protection Laws;
  - the UK Data Protection Laws in respect of which any Merchant Group Member is subject to the laws of the United Kingdom of Great Britain and Northern Ireland;
  - the CCPA in respect of which any Merchant Group Member is subject to the laws of the State of California, United States of America; and
  - any other Data Protection Laws that any Merchant Group Member is subject to;
- CCPA means the California Consumer Privacy Act of 2018, AB 375 as amended, including by the California Privacy Rights Act, and its accompanying regulations;
- Contracted Processor means Okendo or a Subprocessor;
- Data Subject means an Identifiable Natural Person about whom the Merchant or Okendo holds Personal Data and who is subject to the Data Protection Laws;
- Data Protection Laws means, to the extent applicable:
  - the EU Data Protection Laws;
  - the UK Data Protection Laws;
  - the US Data Protection Laws; and
  - any data protection or privacy laws of:
    - the Commonwealth of Australia, or any state therein;
    - Canada, or any province therein; and
    - New Zealand;
- EU Data Protection Laws means the Privacy and Electronic Communication (EC Directive) Regulations 2003 and the EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- GDPR means EU General Data Protection Regulation 2016/679;
- Government Access Request means any request, demand, order, subpoena, warrant or other legal process issued by any government authority, law enforcement agency, court, regulatory body or other competent authority for access to, disclosure of, or seizure of Merchant Personal Data;
- GDPR Zone means:
  - the European Economic Area with respect to any Merchant Personal Data in respect of which any Merchant Group Member is subject to EU Data Protection Laws; or
  - the United Kingdom of Great Britain and Northern Ireland in respect of which any Merchant Group Member is subject to the laws of the United Kingdom of Great Britain and Northern Ireland;
- Identifiable Natural Person means a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Merchant Affiliate means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Merchant, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- Merchant Group Member means Merchant or any Merchant Affiliate;
- Merchant Personal Data means any Personal Data Processed by a Contracted Processor on behalf of a Merchant Group Member pursuant to or in connection with the Principal Agreement;
- Okendo Affiliate means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Okendo, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Personal Data means any information relating to an Identifiable Natural Person and includes the terms 'personal data' and 'personal information' under any applicable Data Protection Laws;
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Services means the services and other activities to be supplied to or carried out by or on behalf of Okendo for Merchant Group Members pursuant to the Principal Agreement;
- Standard Contractual Clauses means the European Commission's Standard Contractual Clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in European Commission Decision 2021/914/EU under Module Two (transfer controller to processor);
- Subprocessor means any person (including any third party and any Okendo Affiliate, but excluding an employee of Okendo or any of its sub-contractors) appointed by or on behalf of Okendo or any Okendo Affiliate to Process Personal Data on behalf of any Merchant Group Member in connection with the Principal Agreement;
- UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0) issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as amended, updated or replaced from time to time;
- UK Data Protection Laws means the UK Data Protection Act 2018 and the UK GDPR;
- UK GDPR means the GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419); and
- US Data Protection Laws means the CCPA, the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (the "CPA"); the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. PA 22-15 § 1 et seq. (the "PDPOM"); Iowa Consumer Data Protection Act, S.J. 708, (the "ICDPA"); the Indiana Consumer Data Protection Act, S.B. 5 (the "INCDPA"); the Montana Consumer Data Privacy Act, S.B. 384 (the "MCDPA"); the Tennessee Information Protection Act, H.B. 1181 (the "TIPA"); the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (the "UCPA"); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (the "VCDPA"); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.; Section 5 of the FTC Act, 15 U.S.C. § 45 and any applicable guidance issued by the U.S. Federal Trade Commission, and any data protection or privacy laws of the United States of America and any states therein.

The terms used in this Addendum shall have the meanings set forth in this Addendum, and their cognate terms shall be construed accordingly. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

The terms "Commission", "Controller", "Member State" and "Supervisory Authority" shall have the same meaning as in the GDPR or UK GDPR as context requires, and their cognate terms shall be construed accordingly.

The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

Authority

- Okendo warrants and represents that, before any Okendo Affiliate Processes any Merchant Personal Data on behalf of any Merchant Group Member, Okendo's entry into this Addendum as agent for and on behalf of that Okendo Affiliate will have been duly and effectively authorised (or subsequently ratified) by that Okendo Affiliate.

Processing of Merchant Personal Data

- Okendo is a Processor of Personal Data on behalf of the Merchant.
- Okendo and each Okendo Affiliate shall:
  - comply with all Applicable Laws in the Processing of Merchant Personal Data; and
  - not Process Merchant Personal Data other than on the relevant Merchant Group Member's documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Okendo or the relevant Okendo Affiliate shall, to the extent permitted by Applicable Laws, inform the relevant Merchant Group Member of that legal requirement before the relevant Processing of that Personal Data.
- Each Merchant Group Member:
  - instructs Okendo and each Okendo Affiliate (and authorises Okendo and each Okendo Affiliate to instruct each Subprocessor) to:
    - Process Merchant Personal Data; and
    - in particular, transfer Merchant Personal Data to any country or territory,
    as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
  - warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 2 on behalf of each relevant Merchant Affiliate.

Okendo and Okendo Affiliate Personnel

- Okendo and each Okendo Affiliate shall take reasonable steps to ensure that, with respect to any Merchant Personal Data, access is strictly limited to those employees, agents or contractors of Okendo, or any Contracted Processor, who need to know or access the relevant Merchant Personal Data, as strictly necessary for the purposes of the Principal Agreement and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

Security

- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Okendo and each Okendo Affiliate shall in relation to the Merchant Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate:
  - the pseudonymisation and encryption of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- In assessing the appropriate level of security, Okendo and each Okendo Affiliate shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach.

Subprocessing

- Each Merchant Group Member authorises Okendo and each Okendo Affiliate to appoint (and permit each Subprocessor appointed in accordance with this clause 6 to appoint) Subprocessors in accordance with this clause 6 and any restrictions in the Principal Agreement.
- Okendo and each Okendo Affiliate may continue to use those Subprocessors already engaged by Okendo or any Okendo Affiliate as at the date of this Addendum, subject to Okendo and each Okendo Affiliate in each case as soon as practicable meeting the obligations set out in clause 3.2.
- Okendo shall give Merchant prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 7 days of receipt of that notice, Merchant notifies Okendo in writing of any objections (on reasonable grounds) to the proposed appointment, neither Okendo nor any Okendo Affiliate shall appoint (or disclose any Merchant Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Merchant Group Member and Merchant has been provided with a reasonable written explanation of the steps taken.
- With respect to each Subprocessor, Okendo or the relevant Okendo Affiliate shall:
  - before the Subprocessor first Processes Merchant Personal Data (or, where relevant, in accordance with clause 2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Merchant Personal Data required by the Principal Agreement;
  - ensure that the arrangement between, on the one hand, Okendo, or the relevant Okendo Affiliate, or the relevant intermediate Subprocessor and, on the other hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Merchant Personal Data as those set out in this Addendum and meet the requirements of the Applicable Laws; and
  - provide to Merchant for review such copies of the Contracted Processors' agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Merchant may request from time to time.
- Okendo and each Okendo Affiliate shall ensure that each Subprocessor performs the obligations under clauses 3, 4, 5, 7.1, 8.2, 9.1 and 10.1, as they apply to Processing of Merchant Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Okendo.

Data Subject Rights

- Okendo and each Okendo Affiliate will make available technical and organisational measures for the fulfilment of the Merchant Group Members' obligations to respond to requests to exercise any Data Subject rights under the Applicable Laws.
- The Merchant authorises Okendo, each Okendo Affiliate, and each Contracted Processor to comply with any request from a Data Subject under any Data Protection Law in respect of Merchant Personal Data.
- Okendo shall notify the Merchant if Okendo, any Okendo Affiliate, or any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Merchant Personal Data.

Personal Data Breach

- Okendo shall notify Merchant without undue delay upon Okendo or any Subprocessor becoming aware of a Personal Data Breach affecting Merchant Personal Data, providing Merchant with sufficient information to allow each Merchant Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Laws.
- Okendo shall co-operate with Merchant and each Merchant Group Member and take such reasonable commercial steps as are directed by Merchant to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Okendo shall maintain a register of all Personal Data Breaches and provide reasonable access to such records as is necessary for the Merchant to comply with any Applicable Laws.

Deletion or return of Merchant Personal Data

- Subject to clauses 9.2 and 9.3, Okendo and each Okendo Affiliate shall:
  - in the case of any live or operational data, promptly and in any event within 7 days;
  - in the case of any data contained within systems logs, within 90 days; and
  - in the case of any data contained in systems backups, within 128 days;
  of the date of cessation of any Services involving the Processing of Merchant Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Merchant Personal Data.
- Subject to clause 9.3, Merchant may in its absolute discretion by written notice to Okendo within 14 days of the Cessation Date require Okendo and each Okendo Affiliate to return a complete copy of all Merchant Personal Data to Merchant by secure file transfer in such format as is reasonably notified by Merchant to Okendo or delete and procure the deletion of all other copies of Merchant Personal Data Processed by any Contracted Processor. Okendo and each Okendo Affiliate shall comply with any such written request within 90 days of the Cessation Date.
- Each Contracted Processor may retain Merchant Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws, and always provided that Okendo and each Okendo Affiliate shall ensure the confidentiality of all such Merchant Personal Data and shall ensure that such Merchant Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- Okendo shall provide written certification to Merchant that it and each Okendo Affiliate has fully complied with this clause 9 within 90 days of the Cessation Date.

Audit rights

- Subject to clause 10.2, Okendo and each Okendo Affiliate shall:
  - make reasonably available to each Merchant Group Member on request all information which must be made available under applicable Data Protection Law; and
  - allow for and contribute to audits, including inspections of any Okendo premises, by any Merchant Group Member or an auditor mandated by any Merchant Group Member required under any Data Protection Law;
  in each case in relation to the Processing of the Merchant Personal Data by the Contracted Processors.
- The Merchant or the relevant Merchant Affiliate undertaking an audit shall give Okendo or the relevant Okendo Affiliate reasonable notice of any audit or inspection to be conducted under clause 10.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
  - to any individual unless he or she produces reasonable evidence of identity and authority;
  - outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Merchant or the relevant Merchant Affiliate undertaking an audit has given notice to Okendo or the relevant Okendo Affiliate that this is the case before attendance outside those hours begins; or
  - for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any audits or inspections which a Merchant Group Member is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Merchant or the relevant Merchant Affiliate undertaking an audit has identified the relevant requirement or request in its notice to Okendo or the relevant Okendo Affiliate of the audit or inspection.

International Transfers of Personal Data

- Where Okendo or any Okendo Affiliate transfers Merchant Personal Data to any Contracted Processor located in a country which does not ensure an adequate level of protection within the meaning of the Applicable Laws, Okendo will ensure that the transfer is subject to an appropriate transfer mechanism recognised under the Applicable Laws, including (as applicable) an adequacy decision, the Standard Contractual Clauses, the UK Addendum, binding corporate rules, or any successor or replacement mechanism approved by a competent supervisory authority.

Government Access Requests

- Unless prohibited by force of law, or the terms of a Government Access Request, Okendo shall promptly notify Merchant of any Government Access Request relating to Merchant Personal Data, including details of:
  - the Personal Data requested;
  - the requesting authority;
  - the legal basis for the request; and
  - the proposed response.
- Where Okendo is prohibited from providing notification under this clause, Okendo shall use reasonable efforts to obtain permission to notify Merchant.
- Okendo shall provide reasonable assistance to Merchant in seeking to limit or challenge any Government Access Request, including supporting applications for protective orders or other legal remedies.
- If disclosure cannot be avoided, Okendo shall disclose only the minimum amount of Merchant Personal Data necessary to comply with the Government Access Request.

GDPR Specific Provisions

- ANNEX 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Merchant Personal Data as required by article 28(3) of the GDPR (and equivalent requirements of other Data Protection Laws). Nothing in Annex 1 (including as amended pursuant to this section 1) confers any right or imposes any obligation on any party to this Addendum.
- Okendo and each Okendo Affiliate shall provide reasonable assistance to each Merchant Group Member with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Merchant reasonably considers to be required of any Merchant Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Merchant Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
- Standard Contractual Clauses. To the extent that Okendo processes any personal data under this Addendum that originates from a GDPR Zone to a country that has not been designated by the Commission as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses, which are hereby incorporated into and form part of this Addendum. The parties hereby agree that:
  - the details set out in ANNEX 1 of this Addendum shall apply for the purposes of Annex I of the Standard Contractual Clauses;
  - the technical and organisational security measures set out in ANNEX 2 of this Addendum shall apply for the purposes of Annex II of the Standard Contractual Clauses;
  - ANNEX 4 of this Addendum shall apply for the purposes of Annex III of the Standard Contractual Clauses;
  - Okendo shall be deemed the "data importer" and the Merchant the "data exporter" under the Standard Contractual Clauses; and
  - the following optional provisions of the Standard Contractual Clauses shall apply:
    - Clause 7, the optional Docking clause will apply;
    - Clause 9(a), Option 2 for General Written Authorisation will apply, with a time period for specific authorisation of 7 days;
    - Clause 11(a), the optional redress language will not apply;
    - Clause 17, the Standard Contractual Clauses will be governed by the law of Ireland; and
    - Clause 18, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Ireland.
- UK Addendum. To the extent that Okendo processes any personal data under this Addendum that originates from the United Kingdom to a country that has not been designated as providing an adequate level of protection under UK Data Protection Laws, the parties agree to enter into the UK Addendum, which is hereby incorporated into and forms part of this Addendum. The parties hereby agree that, for the purposes of the UK Addendum:
  - Table 1, the Start Date is the date of this Addendum, and the Parties are as set out in ANNEX 1 of this Addendum;
  - Table 2, the Approved EU SCCs are the Standard Contractual Clauses incorporated under clause 13.3 of this Addendum, with the modules, clauses and optional provisions selected in clause 13.3.5;
  - Table 3, the following shall apply to the referenced columns:
    - ANNEX 1 of this Addendum shall apply to the columns entitled Annex IA and Annex IB;
    - ANNEX 2 of this Addendum shall apply to the column entitled Annex II; and
    - ANNEX 4 of this Addendum shall apply to the column entitled Annex III;
  - Table 4, either party shall have the right to end this Addendum as set out in Section 19 of the UK Addendum.

US Privacy Law Specific Provisions

- Okendo is a "Service Provider" for the purpose of any relevant US Privacy Law. The Merchant discloses personal data to Okendo solely for:
  - a valid business purpose; and
  - Okendo to perform the Services.
- To the extent that any US Privacy Law applies, Okendo will not, and will not authorise its sub-processors to, re-identify any de-identified, anonymized, or pseudonymized data derived from personal data that is processed by Okendo on behalf of the Merchant, unless instructed by Merchant in writing.

General Terms

Governing law and jurisdiction

- The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

Order of precedence

- Nothing in this Addendum reduces Okendo's or any Okendo Affiliate's obligations under the Principal Agreement in relation to the protection of Personal Data or permits Okendo or any Okendo Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement.
- Subject to clause 3, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

Changes in Data Protection Laws

- Merchant may propose any other variations to this Addendum which Merchant reasonably considers to be necessary to address the requirements of any Data Protection Law.

Severance

- Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either:
  - amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible; or, if this is not possible,
  - construed in a manner as if the invalid or unenforceable part had never been contained therein.

ANNEX 1 - Details of Processing of Merchant Personal Data

This ANNEX 1 includes certain details of the Processing of Merchant Personal Data as required by Article 28(3) GDPR.

LIST OF PARTIES

Data Exporter

- Name: The entity identified as the "Merchant" on this Addendum.
- Address: The Merchant's Billing Address specified in the Merchant's account.
- Contact person's name, position and contact details: The Primary Contact Name, Primary Contact Position and Primary Contact Email in the Merchant's account.
- Activities relevant to the data transferred under these Clauses: The data exporter is a customer of the data importer and utilises the data importer's services to conduct ecommerce customer review requests.
- Role (controller/processor): Controller

Data Importer

- Name: Okendo.
- Address: Okendo Pty Ltd, Suite 4.07, Level 4, 50 Holt Street, Surry Hills, NSW Australia.
- Contact person's name, position and contact details: Richard Prangell, Data Protection Officer, richard.prangell@okendo.io.
- Activities relevant to the data transferred under these Clauses: The data importer operates an ecommerce marketing platform and service.
- Role (controller/processor): Processor

DESCRIPTION OF TRANSFER

Categories of Data Subjects
- Customers
- Merchant

Categories of Personal Data to be Processed

Customer data including
- Name
- Email Address
- Country of Residence
- Purchase History

Review content including
- Reviewer Name
- Reviewer Email Address
- Review Rating
- Review Text
- Images / Videos ^2^
- Reviewer Social Media Profile Picture ^2^
- Additional review structured data ("Attributes") as configured by the Merchant ^1^
- Reviewer State / Zone of Residence ^1^
- Reviewer IP Address (for anti-fraud purposes only)
- Reviewer Device Fingerprint (for anti-fraud purposes only)

Question content including
- Questioner Name
- Questioner Email Address
- Question Text
- Questioner Social Media Profile Picture ^2^

^1^ Optional at the discretion of the Merchant
^2^ Optional at the discretion of the End-user or Merchant

Sensitive data transferred (if applicable) and applied restrictions or safeguards
Any sensitive data included by the Merchant or End Users, the extent of which is determined and controlled by the Merchant in its sole discretion. See Annex 2 for applied restrictions and safeguards.

Frequency of the transfer
Continuous

Subject matter and duration of the Processing of Merchant Personal Data
The subject matter and duration of the Processing of the Merchant Personal Data are set out in the Principal Agreement and this Addendum.

The nature and purpose of the Processing of Merchant Personal Data
Provision of services in accordance with the Principal Agreement by Okendo to the Merchant.

The obligations and rights of Merchant and Merchant Affiliates
The obligations and rights of Merchant and Merchant Affiliates are set out in the Principal Agreement and this Addendum.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The personal data will be retained until termination or expiry of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Annex 4.

ADDENDUM 2 - Technical and Organisational Safety Measures
Okendo maintains the technical and organisational measures set out below to ensure the security of Merchant Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, that data. These measures may be updated from time to time, provided that any update does not materially decrease the overall security of the Services during a subscription term.
Okendo's information security programme is built on the criteria of the SOC 2 Trust Services framework. Okendo maintains an active SOC 2 Type II attestation and operates its security programme on an ongoing basis through the Secureframe continuous compliance platform. A copy of Okendo's most recent SOC 2 Type II report is available to the Merchant on request, subject to reasonable confidentiality undertakings.
-
Pseudonymisation and encryption of personal data
- Encryption in transit using TLS 1.2 or higher for all communications between user agents, the Okendo platform and integrated systems.1. Encryption at rest for production databases and object storage containing Merchant Personal Data, using AES-256 (or equivalent), with keys managed through the AWS Key Management Service.1. Pseudonymisation or tokenisation of identifiers in logging, analytics and non-production environments where reasonably practicable.
-
Ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Production systems are hosted on Amazon Web Services (AWS), with multi-availability-zone deployment for core services.1. Network segmentation, firewalling and security group configuration restrict ingress and egress to production infrastructure.1. Continuous threat monitoring, intrusion detection and vulnerability scanning across cloud infrastructure.1. Centralised logging with restricted access and retention controls.
-
Ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
1. Automated daily backups of production databases, retained in accordance with Okendo's backup policy and tested periodically for restorability.
2. Documented business continuity and disaster recovery plans, exercised at least annually.
3. Use of AWS managed backup, snapshot and replication services to mitigate the risk of data loss in the event of hardware or platform failure.
4. Documented incident response process covering escalation, mitigation, customer communication and post-incident review.
-
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures
1. SOC 2 Type II attestation conducted annually by an independent auditor.
2. Independent third-party penetration testing conducted at least annually.
3. Continuous automated vulnerability scanning of infrastructure and application code.
4. Continuous control monitoring through the Secureframe platform.
5. Annual enterprise risk assessment, including consideration of fraud-related risks.
-
User identification and authorisation
1. Single sign-on (SSO) and multi-factor authentication (MFA) enforced across internal systems where supported.
2. Role-based access control applied on the principle of least privilege.
3. Quarterly access reviews of all personnel with access to systems containing Merchant Personal Data.
4. Documented joiner-mover-leaver process for provisioning and revoking access on role change or departure.
5. Enforced password complexity policy and an enterprise password manager for all employees.
-
Protection of data during transmission
1. TLS 1.2 or higher for all data in transit between Merchant systems, end-users and the Okendo platform.
2. APIs granting access to personal or sensitive information require authenticated and encrypted connections.
3. Internal service-to-service communications within the production environment are encrypted in transit.
-
Protection of data during storage
1. Encryption at rest for production databases and object storage as set out in section 1 (Pseudonymisation and encryption of personal data).
2. Logical separation of Merchant Personal Data within multi-tenant infrastructure.
3. Production data access is restricted to a limited number of authorised personnel on a need-to-know basis.
-
Physical security of locations at which personal data are processed
1. Production hosting is provided by AWS, whose physical security controls are documented at https://aws.amazon.com/security/ and supported by AWS's SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS and other independent attestations.
2. Okendo office facilities operate access controls and visitor management appropriate to a corporate environment. Production Merchant Personal Data is not stored on local devices in the ordinary course.
3. Company-issued devices are configured with full-disk encryption, automatic screen-lock and centralised endpoint management.
-
Events logging
1. Application, infrastructure and access logs are collected centrally and retained in accordance with Okendo's logging policy.
2. Logs are monitored for security-relevant events, with alerting on anomalous or unauthorised activity.
3. Privileged actions on production systems are logged and reviewable.
-
System configuration, including default configuration
1. Production infrastructure is provisioned and managed via infrastructure-as-code, with hardened base images and standard configuration baselines.
2. Default configurations follow industry-recognised hardening guidance.
3. Change management requires peer code review and approval before changes are deployed to production.
-
Internal IT and IT security governance and management
1. Written information security policies covering acceptable use, access control, change management, incident response, vendor risk, business continuity and related areas. Policies are reviewed at least annually and acknowledged by all personnel.
2. Defined roles and responsibilities for security and privacy, including a designated privacy lead acting as the contact point for data protection matters.
3. Mandatory security awareness training for all personnel on commencement and at least annually thereafter, covering phishing, credential hygiene and handling of personal data.
4. Confidentiality obligations imposed on all personnel before access to Merchant Personal Data.
5. Background checks on all new personnel, to the extent permitted by applicable local law.
-
Certification and assurance of processes and products
1. SOC 2 Type II attestation maintained on an annual cycle.
2. Production hosting on AWS leverages AWS's compliance attestations (including SOC 1, SOC 2, SOC 3, ISO 27001 and PCI DSS), as published by AWS from time to time.
-
Data minimisation
1. Okendo collects and processes only the categories of personal data necessary to provide the Services, as described in the Principal Agreement and Annex 1.
2. Optional data fields are configurable by the Merchant.
3. Operational telemetry and diagnostic data are, where reasonably practicable, aggregated or pseudonymised.
-
Data quality
1. Merchants and end-users may correct or update personal data through self-service tooling and Okendo's support function.
2. Okendo provides reasonable assistance to Merchants responding to data subject requests for rectification.
-
Limited data retention
1. Merchant Personal Data is retained for the term of the Principal Agreement and is deleted or returned on termination in accordance with this Addendum and Okendo's data retention schedule.
2. Backup copies are retained for a limited period and are overwritten or expired on a rolling basis.
-
Accountability
1. Records of processing activities are maintained sufficient to evidence compliance with this Addendum and Applicable Laws.
2. A designated privacy lead is responsible for data protection matters and is the contact point for Merchants and supervisory authorities.
3. A documented due diligence and risk assessment process applies to Subprocessors before engagement and on an ongoing basis.
4. A documented process for handling and responding to Government Access Requests in accordance with this Addendum.
-
Allowing data portability and ensuring erasure
1. Tooling and APIs allow Merchants to export Merchant Personal Data in commonly used, machine-readable formats.
2. Documented process for deletion of Merchant Personal Data on termination of the Principal Agreement or on lawful direction of the Merchant.
3. Documented process for assisting Merchants in responding to data subject access, rectification, deletion and portability requests.
-
Specific measures applicable to Subprocessors
1. Okendo conducts due diligence on each Subprocessor before engagement, including review of the Subprocessor's security and data protection posture.
2. Each Subprocessor is bound by a written agreement imposing data protection obligations no less protective than those in this Addendum, including obligations sufficient to enable Okendo to assist Merchants with data subject requests, security incidents and regulatory enquiries.
3. Okendo's current list of Subprocessors is published at https://www.okendo.io/gdpr/.
ADDENDUM 3 - Standard Contractual Clauses - Supplementary Terms To Provide Additional Safeguards
This Annex is supplemental to, and should be read in conjunction with, the Standard Contractual Clauses. Any references to the 'Clauses' in this Annex should be read as references to the Standard Contractual Clauses.
The data importer agrees and warrants:
-
without prejudice to Clause 5(b) of the Clauses, that, in the event the Clauses cease to be an appropriate safeguard for the transfer of the personal data as described in Appendix 1 of the Clauses, in accordance with applicable data protection law, by virtue of a binding decision by a competent supervisory authority, or at the discretion of the data exporter as notified to the data importer, the data exporter shall be entitled to suspend the transfer of data and/or terminate the contract;
-
to assist the data exporter with the data exporter's continuing assessment of the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law and pursuant to Clause 5(a) of the Clauses; and
-
that, in the event the data transfer and data processing activities are suspended or terminated pursuant to the Clauses or this Annex, its cessation of the data processing activities will not be prevented by, or be in breach of, and will not give rise to any third-party rights or remedies pursuant to, any binding obligation on the data importer under the Clauses or any other agreement between the data importer and the data exporter (or any of its affiliates) in relation to the personal data and data processing activities.
ADDENDUM 4 - List of Sub-processors
The Merchant has authorised the use of the sub-processors set out at: https://www.okendo.io/gdpr/