## Data Processing Addendum

### DPA

This GDPR Data Processing Addendum (“DPA”) shall be incorporated into a Master Services Agreement or TrueLoyal Terms of Service or another applicable agreement (referred to hereafter as the “Agreement”), entered into by and between the Client and TrueLoyal, pursuant to which Client has accessed TrueLoyal’s Loyalty Rewards Platform Services (“Services”) as defined in the Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of General Data Protection Legislation.

## SECTION I

### Clause 1 – Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s) transferring the personal data; and

(ii) the entity/ies in a third country receiving the personal data from the data exporter.

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

### Clause 2 – Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

### Clause 3 – Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer.

### Clause 4 – Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

### Clause 5 – Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements, these Clauses shall prevail.

### Clause 6 – Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

### Clause 7 – Optional Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time.

## SECTION II – OBLIGATIONS OF THE PARTIES

### Clause 8 – Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

### MODULE TWO: Transfer controller to processor

#### 8.1 Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter.

#### 8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer.

#### 8.3 Transparency

On request, the data exporter shall make a copy of these Clauses available to the data subject free of charge.

#### 8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, it shall inform the data exporter without undue delay.

#### 8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B.

#### 8.6 Security of processing

(a) The data importer shall implement appropriate technical and organisational measures to ensure the security of the data.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract.

(c) In the event of a personal data breach, the data importer shall notify the data exporter without undue delay.

### 8.7 Sensitive data

Where the transfer involves personal data revealing sensitive data, the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

### 8.8 Onward transfers

The data importer shall only disclose personal data to a third party on documented instructions from the data exporter.

### 8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses.

## SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

### Clause 14 – Local laws and practices affecting compliance with the Clauses

The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination prevent the data importer from fulfilling its obligations under these Clauses.

### Clause 15 – Obligations of the data importer in case of access by public authorities

### 15.1 Notification

The data importer agrees to notify the data exporter promptly if it receives a legally binding request from a public authority for the disclosure of personal data transferred.

### Clause 16 – Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses.

(b) In the event that the data importer is in breach of these Clauses, the data exporter shall suspend the transfer of personal data until compliance is ensured.

### Clause 17 – Governing law

These Clauses shall be governed by the law of one of the EU Member States.

### Clause 18 – Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

## APPENDIX

### ANNEX I

### A. LIST OF PARTIES
**Data exporter:** The Client, an organization located in the European Union.

**Data importer:** The data importer is TrueLoyal, 122 E Houston Street, Suite 105 San Antonio TX, 78205, USA.

### B. DESCRIPTION OF TRANSFER
The categories of personal data transferred include:
- Name
- Email address
- Phone Number
- Purchase data
- Address
- User tags to identify users

Sensitive data shall not be transferred. Data is retained until the end-user continues to be a member of the loyalty program.

### C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be authority in the EU Member Country.

## ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES

**Description of the technical measures implemented by the data importer:** TrueLoyal employs a detailed Information Security Policy to ensure best practices for the protection of data. TrueLoyal is SOC 2 Type 1 Compliant.

## ANNEX III – LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:
1. Name: Amazon Web Services Support
   Address: 410 Terry Avenue North Seattle, WA 98109 USA
   Description of processing: TrueLoyal uses Amazon Web Services (AWS) as a sub-processor for storing and serving data.