DATA PROCESSING ADDENDUM
(1) USERLED.IO LTD, a company incorporated in England and Wales with company number 14334585 whose registered office is at Wilson Partners Limited, One Suffolk Way, Sevenoaks, Kent, England, TN13 1YL (“userled.io”),
and
(2) the entity identified as the customer in the applicable Order Form or account registration details, a company incorporated in the jurisdiction stated therein, with its registered office at the address stated therein (“Customer”).
each a “party” and together the “parties”.
INTRODUCTION
(A) The Customer is either the Controller or a Processor in respect of certain Personal Data and userled.io is a Processor.
(B) The Customer requires userled.io to provide certain services under userled.io’s Terms of Service (“Master Agreement”).
(C) In providing the Services for the Customer, userled.io will process some of that Personal Data on behalf of the Customer. In order to comply with DP Laws, the parties are entering into this Data Processing Agreement on the terms contained herein.
Schedule 1: Data Processing Terms
NOW IT IS AGREED:
1. DEFINITIONS
1.1 In this Agreement, all terms used without definition have the meanings ascribed to them: first, in the Applicable Data Protection Law; second, as applicable in Schedule 2 (Jurisdiction Specific Terms); and third, in the Master Agreement.
1.2 The following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.2.1 “Applicable Data Protection Law” means all applicable laws, statutes, regulations, regulatory requirement, subordinate legislation or other law or mandatory guidance or code of practice; or (b) judgement of a relevant court of law, or sanction, directive, order or requirement of any regulatory authority, from time to time in force in any applicable jurisdiction;
1.2.2 “Controller” (or data controller), “Processor” (or data processor), “Data Subject”, “international organisation”, “Personal Data” and “processing” all have the meanings given to them in DP Laws;
1.2.3 “DP Laws” means any Applicable Data Protection Law relating to the processing, privacy, and use of Personal Data, that applies to the Customer, userled.io and/or the Services, including: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), (ii) the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), (iii) the Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, (iv) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and (v) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), in each case, as in force and applicable, and as amended, supplemented or replaced from time to time;
1.2.4 “Personal Data Breach” means a breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Protected Data;
1.2.5 “Protected Data” means Personal Data received from or on behalf of the Customer, or otherwise obtained or created in connection with the performance of userled.io’s obligations under this Agreement or the Master Agreement; and
1.2.6 “Services” means any and all services to be provided by the Supplier under the Master Agreement.
2. PROCESSOR/CONTROLLER
The parties agree that, in respect of Protected Data, the Customer shall be either the Controller or a Processor and userled.io shall be a Processor.
3. COMPLIANCE
3.1 Each party shall comply with DP Laws and their respective obligations under this Agreement.
3.2 The Parties to this DPA hereby agree to be bound by the applicable obligations of the Standard Contractual Clauses as set out in Appendix 3. Userled.io will comply with its obligations as Data Importer. Customer will comply with its obligations as Data Exporter. Any reference to Data Importer shall be deemed to be a reference to USERLED.IO LTD. dba userled.io, or the Processor and any reference to Data Exporter or Data Controller shall be deemed to be a reference to Customer and its Affiliates. Customer hereby covenants and warrants that it has the right and authority to enter into this DPA on behalf of itself and its affiliated companies.
3.3 The Customer warrants that:
3.3.1 it will be solely responsible for ensuring the lawfulness of processing the personal data of its data subjects in order for userled.io to process the personal data;
3.3.2 userled.io will have no liability for failure to obtain any consents or authorisations prior to the processing of personal data in connection with this Agreement and/or performance of the Services;
3.3.3 it has provided each data subject with appropriate information as to how userled.io will process the personal data; and
3.3.4 that it has reviewed the technical and organisational security measures userled.io applies when it processes personal data and that it deems them appropriate and has taken steps to ensure that any data it or its affiliates and agents pass to userled.io are transferred securely.
4. PROCESSING INSTRUCTIONS
4.1 The details of the Protected Data processing carried out by userled.io are set out in Appendix 1 to this Agreement.
4.2 userled.io shall:
4.2.1 process the Protected Data only in accordance with the Customer’s written instructions and only as required to perform its obligations under this Agreement;
4.2.2 immediately inform the Customer: (a) of any requirement under the Applicable Data Protection Law that would require userled.io to process the Protected Data other than on the Customer’s written instructions, or (b) if the Customer’s written instructions are either unlawful or do not comply with the DP Laws;
4.2.3 implement and maintain appropriate technical and organisational measures in relation to its processing of Protected Data so as to ensure a proportionate level of security in respect of the possible risk posed to the Protected Data;
4.2.4 not engage any sub-processor for carrying out any processing activities in respect of the Protected Data without the consent of the Customer except those sub-processors set out in Appendix 1 to this Agreement which, by signature of this Agreement, the Customer authorises the appointment of;
4.2.5 if the Customer gives its consent, userled.io shall appoint such sub-processor under a binding written contract which imposes data protection obligations which are no less onerous than those set out in this Agreement on the sub-processor.
4.2.6 be liable for the acts and omissions of its sub-processors to the extent that userled.io would be liable if performing the services of each sub-processor directly under this Agreement;
4.2.7 ensure that its personnel processing Protected Data have committed themselves to confidentiality obligations;
4.2.8 at all times take reasonable steps to ensure the reliability of those of its personnel who have access to the Protected Data and shall use reasonable endeavours to ensure their compliance with the obligations set out in this Agreement;
4.2.9 provide reasonable assistance as the Customer reasonably requires, information and cooperation to the Customer to ensure compliance with its obligations under the DP Laws, including with respect to (a) security of processing; (b) notification by the data controller of breaches to the appropriate supervisory authority or data subjects; (c) data protection impact assessments and prior consultation with the appropriate supervisory authority regarding high risk processing; and (d) handling of data subject rights requests.
4.2.10 refer any communications, requests or queries from data subjects or a competent regulatory authority relating to the Protected Data to the Customer within 5 business days of receipt;
4.2.11 not transfer any Protected Data to any country outside the United Kingdom or the European Economic Area unless the Customer consents to such transfer, it is on the basis of a European Commission or United Kingdom adequacy decision or appropriate safeguards are in place, in accordance with the DP Laws and shall provide details of any such transfers to the other party promptly on request;
4.2.12 maintain, in accordance with DP Laws, written records of all categories of processing activities carried out on behalf of the Customer;
4.2.13 make available to the Customer the information necessary to demonstrate its compliance with the DP Laws to the extent such information is not already available to the Customer.
4.2.14 allow for and contribute to audits, including inspections, carried out by or on behalf of the Customer (subject to reasonable confidentiality undertakings) to determine userled.io’s compliance with its obligations under DP Laws insofar as such processing relates to Protected Data and provided that: (a) such audits/inspections shall be carried out no more than once per calendar year unless otherwise directed by a regulatory authority; (b) shall require reasonable advance written notice and shall be carried out during normal working hours on a business day in a manner that does not unreasonably disrupt the data controller’s operations; and (c) shall not entail access to information concerning other clients of userled.io or information that userled.io is legally prohibited from disclosing;
4.2.15 notify the Customer of any Personal Data Breach (and provide the Customers with details of such breach) without undue delay; and
4.2.16 at the choice of the Customer, delete or return all the Protected Data to the Customer after the termination of the Agreement, unless Applicable Data Protection Law requires continued storage of the Protected Data.
4.3 Userled.io shall not use any Protected Data for the purpose of training, fine-tuning, or improving machine learning models in a manner that results in shared insights, behaviors, or derived models across multiple customer datasets. Any model trained using a Customer’s Protected Data shall be used solely for that Customer’s benefit and shall not be repurposed or reused across Customer environments.
5. LIABILITY
5.1 Nothing in this agreement limits any liability which cannot legally be limited, including but not limited to liability for:
5.1.1 death or personal injury caused by negligence; and
5.1.2 fraud or fraudulent misrepresentation.
5.2 The liability of the Parties shall be determined in accordance with Article 82 of the GDPR
6. TERM
6.1 This Agreement will commence on the last date of signature and shall continue in full force and effect until the later of:
6.1.1 the termination or expiration of the Master Agreement; or
6.1.2 the termination of the last of the Services to be performed pursuant to the Master Agreement.
6.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Protected Data will remain in full force and effect.
7. GENERAL
7.1 Neither party may at any time assign, transfer, mortgage, charge, subcontract or deal in any other manner with all or any of its rights or obligations under this Agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed).
7.2 With the exception of the Master Agreement, this Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
7.3 No variation of this Agreement, including the introduction of any additional terms and conditions, shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
7.4 A waiver of any right or remedy is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default. A delay or failure to exercise, or the single or partial exercise of, any right or remedy shall not (i) waive that or any other right or remedy, or (ii) prevent or restrict the further exercise of that or any other right or remedy.
7.5 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement.
7.6 This Agreement does not confer on any person other than the parties any right to enforce or otherwise invoke any term of this Agreement under the Contracts (Rights of Third Parties) Act 1999.
7.7 The parties shall pay their own costs in connection with the negotiation, preparation and execution of this Agreement.
7.8 This Agreement may be executed in any number of counterparts, each of which will be deemed an original, but all of which together will constitute one and the same document.
7.9 This Agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with English Law, and the parties hereby irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
APPENDIX 1: DATA PROCESSING DETAILS
Description of processing:
Userled processes Customer Personal Data solely to deliver and support the Userled Platform, which enables account-based marketing, sales automation, and personalised customer engagement in line with Customer’s instructions.
Nature of Processing Activities:
The processing activities carried out by Userled may include:
1. Tracking and Analytics – capturing interactions of website visitors via cookies, tags, or web SDKs, including pages visited, session duration and referral sources.
2. Identification and Enrichment – matching visitor data to company-level profiles (e.g., IP-to-company mapping) and, where Customer provides or integrates data (e.g., via CRM), associating visits with Customer’s existing prospect or account records.
3. Personalisation – dynamically adjusting website content and experiences (e.g., tailored landing pages, product recommendations, or messaging) based on visitor behaviour, segment, or Customer-defined rules.
4. Notifications and Alerts – generating alerts to Customer’s sales or marketing teams regarding high-value visitor activity, and triggering workflows in Customer’s integrated tools (e.g., Slack, Salesforce, HubSpot).
5. Reporting and Insights – aggregating and anonymising usage data into dashboards and reports for Customer to assess performance of campaigns and account-based strategies.
6. Support and Maintenance – storing and accessing Customer Data as necessary to provide technical support, resolve issues, maintain security, and improve platform functionality.
Length of processing:
Data will be held for the period in which services are provided by the userled.io to the Customer. When a contract with the Customer is terminated, userled.io will remove any data within 30 days.
Purpose of processing:
Providing a product to facilitate revenue growth using inbound and outbound strategies to convert website visitors and close deals.
Types of Personal Data being processed:
Basic information, such as:
The name of your company, and emails of Customer staff in your Userled workspace.
Visitor interaction data (IP address, browser/device metadata, pages viewed, session times).
CRM data provided by Customer (e.g., company name, contact full name, job title, business email) when CRM is connected.
Marketing interaction data (campaign engagement e.g. pages viewed, session times, meeting scheduling).
userled.io also generates auto generated IDs that link all of entities together.
Types of Data:
Current personnel / employees who have an account with Userled.
Subject: Additional instructions:
userled.io takes emails of members who sign up and shows them in the userled.io app. userled.io stores them in a managed database in the AWS platform, encrypted at rest. Access to AWS is limited to userled.io staff, and all accounts are password protected, and protected by 2FA (two factor authentication).
For sub-processors located outside the European Economic Area, the transfer of personal data shall be done according to the regulation on transfers to third countries in Article 45 to 47 and 49 of the GDPR or the UK GDPR (as applicable).
userled.io is hereby authorised to enter into the standard contractual clauses (Module Three - Processor to Processor) for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as notified under document C/2021/3972 (“Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
LIST OF AUTHORISED SUB-PROCESSORS
The list of Sub-processors set out at: https://trust.userled.io/subprocessors
APPENDIX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, userled.io shall implement the measures outlined in the Master Agreement to ensure an appropriate level of security for the provision of the Services.
Where applicable, this Appendix 2 will serve as Annex II to the Standard Contractual Clauses.
APPENDIX 3: CROSS BORDER DATA TRANSFER MECHANISMS
1. Definitions
- “EC” means the European Commission
- “EEA” means the European Economic Area
- “Standard Contractual Clauses” means, depending on the circumstances unique to Customer, any of the following:
- a) UK Standard Contractual Clauses, and
- b) 2021 Standard Contractual Clauses
- “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”), and
- “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
2. Cross Border Data Transfer Mechanisms.
2.1. Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.3 (UK Standard Contractual Clauses) or Section 2.4 (2021 Standard Contractual Clauses) of this Schedule 2; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.2. UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
The UK Controller to Processor SCCs will apply where userled.io is processing Personal Data. The illustrative indemnification clause will not apply. Appendix 1 (Data Processing Details) of this DPA serves as Appendix I of the UK Controller to Processor SCCs. Appendix 2 (Technical and Organisational Security Measures) of this DPA serves as Appendix II of the UK Controller to Processor SCCs.
2.3. 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
(a) Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a controller of Personal Data and userled.io is processing Personal Data.
(b) Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a processor of Personal Data and userled.io is processing Personal Data.
(c) For each Module, where applicable:
(i) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 6 (Subprocessors) of this DPA;
(iii) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(vi) in Annex I, Part A of the 2021 Standard Contractual Clauses:
- Data Exporter: Customer.
- Contact Details: The email address(es) designated by Customer in Customer’s account via its notification preferences.
- Data Exporter Role: The Data Exporter’s role is set forth in Schedule 1 (Data Processing Terms) of this DPA.
- Signature and Date: By entering into the Master Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Master Agreement.
- Data Importer: Userled.io Ltd
- Contact details: userled.io Privacy Team – privacy@userled.io.
- Data Importer Role: Data Processor.
- Signature and Date: By entering into the Services Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Services Agreement.
(vii) in Annex I, Part B of the 2021 Standard Contractual Clauses:
- The categories of data subjects are described in Appendix 1 (Data Processing Details) of this DPA.
- The Sensitive Information transferred is described in Appendix 1 (Data Processing Details) of this DPA.
- The frequency of the transfer is a continuous basis for the duration of the Master Agreement.
- The nature of the processing is described in Appendix 1 (Data Processing Details) of this DPA.
- The purpose of the processing is described in Appendix 1 (Data Processing Details) of this DPA.
- The period for which the Personal Data will be retained is described in Appendix 1 (Data Processing Details) of this DPA.
- For transfers to subprocessors, the subject matter, nature, and duration of the processing is set forth in Appendix 1 (Data Processing Details) of this DPA.
(viii) in Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
(ix) Appendix 2 (Technical and Organisational Security Measures) of this DPA serves as Annex II of the Standard Contractual Clauses.
Schedule 2: JURISDICTION SPECIFIC TERMS
1. Australia:
1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
1.3 The definition of “Sensitive Information” includes “Sensitive Information” as defined under Applicable Data Protection Law.
2. Brazil:
2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
2.2 The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to data subjects.
2.3 The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.
3. California:
3.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
3.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Personal Data, and Customer Usage Data.
3.3 The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 4 (Processing Instructions) of this DPA, apply to Consumer rights. In regards to data subject requests, userled.io can only verify a request from Customer and not from Customer’s end user or any third party.
3.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.
3.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.
3.6 userled.io will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Master Agreement, which constitutes a business purpose. userled.io agrees not to (a) sell (as defined by the CCPA) Customer’s Personal Data or Customer end users’ Personal Data; (b) retain, use, or disclose Customer’s Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Customer’s Personal Data outside of the scope of the Master Agreement. userled.io understands its obligations under Applicable Data Protection Law and will comply with them.
3.7 userled.io certifies that its subprocessors, as described in Section 4 (Processing Instructions) of this DPA, are Service Providers under Applicable Data Protection Law, with whom userled.io has entered into a written contract that includes terms substantially similar to this DPA. userled.io conducts appropriate due diligence on its subprocessors.
3.8 userled.io will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 4 (Processing Instructions) of this DPA.
4. Canada:
4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
4.2 userled.io’s subprocessors, as described in Section 4 (Processing Instructions) of this DPA, are third parties under Applicable Data Protection Law, with whom userled.io has entered into a written contract that includes terms substantially similar to this DPA. userled.io has conducted appropriate due diligence on its subprocessors.
4.3 userled.io will implement technical and organisational measures as set forth in Section 4 (Processing Instructions) of this DPA.
5. European Economic Area (EEA):
5.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
5.2 When userled.io engages a subprocessor under Section 4 (Processing Instructions) of this DPA, it will:
(a) require any appointed subprocessor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed subprocessor to (i) agree in writing to only process Personal Data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
5.3 Notwithstanding anything to the contrary in this DPA or in the Master Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
6. Israel:
6.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
6.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.
6.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.
6.4 userled.io will require that any personnel authorised to process Personal Data comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with userled.io in accordance with Section 4 (Processing Instructions) of this DPA.
6.5 userled.io must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Master Agreement.
6.6 userled.io must ensure that the Personal Data will not be transferred to a subprocessor unless such subprocessor has executed an agreement with userled.io pursuant to Section 4 (Processing Instructions) of this DPA.
7. Japan:
7.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
7.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
7.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, userled.io is responsible for the handling of Personal Data in its possession.
7.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of Personal Data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, userled.io will ensure that the use of the entrusted Personal Data is securely controlled.
8. Mexico:
8.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).
8.2 When acting as a processor, userled.io will:
(a) treat Personal Data in accordance with Customer’s instructions set forth in Section 4 (Processing Instructions) of this DPA;
(b) process Personal Data only to the extent necessary to provide the Services;
(c) implement security measures in accordance with Applicable Data Protection Law and Section 4 (Processing Instructions) of this DPA;
(d) keep confidentiality regarding the Personal Data processed in accordance with the Master Agreement;
(e) delete all Personal Data upon termination of the Master Agreement; and
(f) only transfer Personal Data to subprocessors in accordance with Appendix 1 (Data Processing Details) of this DPA.
9. Singapore:
9.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
9.2 userled.io will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organisational measures as set forth in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Master Agreement.
10. Switzerland:
10.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection.
10.2 When userled.io engages a subprocessor under Section 4 (Processing Instructions) of this DPA, it will:
(a) require any appointed subprocessor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed subprocessor to (i) agree in writing to only process Personal Data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
11. United Kingdom (UK):
11.1 References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
11.2 When userled.io engages a subprocessor under Section 4 (Processing Instructions) of this DPA, it will:
(a) require any appointed subprocessor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR; and
(b) require any appointed subprocessor to (i) agree in writing to only process Personal Data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
11.3 Notwithstanding anything to the contrary in this DPA or in the Master Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.