Data Protection Addendum

1 Definitions

1.1 In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of the Contract. In addition in this Data Protection Addendum the following definitions have the meanings given below: Applicable Law means applicable laws of the European Union or any of its member states from time to time together with applicable laws in the United Kingdom; Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time; Data Controller has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws; Data Processor has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws; Data Protection Laws means as applicable and binding on the Client, PIA and/or the Services: (a) in the United Kingdom: (i) the Data Protection Act 1998 and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive); and/or (ii) the GDPR, and/or any corresponding or equivalent national laws or regulations; (b) in member states of the European Union: the Data Protection Directive or the GDPR, once applicable, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and (c) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time; Data Protection Losses means all liabilities, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and (b) to the extent permitted by applicable law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and (iii) the reasonable costs of compliance with investigations by a Supervisory Authority; Data Subject has the meaning given to that term in Data Protection Laws; Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws; GDPR means the General Data Protection Regulation (EU) 2016/679; GDPR Date means from when the GDPR applies on 25 May 2018; International Organisation means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries; International Recipient means: (a) any countries outside the United Kingdom and/or the European Economic Area; or (b) any International Organisation(s); List of Sub-Processors means the latest version of the list of Sub-Processors used by CC, as Updated from time to time, which as at Order Acceptance is available at [Insert URL]; Personal Data has the meaning given to that term in Data Protection Laws; Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data; Processing has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings); Processing Instructions has the meaning given to that term in paragraph 3.1.1; Protected Data means Personal Data in the Client Data; Sub-Processor means another Data Processor engaged by PIA for carrying out processing activities in respect of the Protected Data on behalf of the Client; and Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other bod responsible for administering Data Protection Laws. Supplier Personnel means all employees, officers, staff, agents and consultants of PIA, who are engaged in the performance of the Services from time to time;

2 Data Processor and Data Controller

2.1 The parties agree that, for the Protected Data, the Client shall be the Data Controller and PIA shall be the Data Processor. 2.2 To the extent the Client is not sole Data Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Data Controllers to instruct PIA to process the Protected Data in accordance with Contract. 2.3 PIA shall process Protected Data in compliance with: 2.3.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its and their obligations under Contract; and the terms of Contract. 2.4 The Client shall ensure that it, its Affiliates and each Authorised User shall at all times comply with: 2.4.1 All Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under Contract, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 2.4.2 the terms of Contract. 2.5 The Client warrants, represents and undertakes, that at all times: 2.5.1 all Protected Data (if processed in accordance with Contract) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws; 2.5.2 all Protected Data shall comply with clause [7.2] of the Conditions; 2.5.3 fair processing and other information notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by PIA and its Sub- Processors in accordance with Contract; 2.5.4 the Protected Data is accurate and up to date; 2.5.5 it shall establish and maintain adequate security measures to safeguard Protected Data in its possession or control from unauthorised access and copying and maintain complete and accurate backups of all Protected Data provided to PIA (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by PIA or anyone acting on its behalf; 2.5.6 all instructions given by it to PIA in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and 2.5.7 it has undertaken due diligence in relation to PIA’s processing operations and commitments and it is satisfied (and all times its continues to use the Services remains satisfied) that: (a) PIA’s processing operations are suitable for the purposes for which the Client proposes to use the Services and engage PIA to process the Protected Data; (b) the technical and organisational measures set out in the Information Security Addendum and Contract (each as Updated from time to time) shall (if PIA complies with its obligations under such Addendum) ensure a level of security appropriate to the risk in regards to the Protected Data; and (c) PIA has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

3 Instructions and details of processing

3.1 Insofar as PIA processes Protected Data on behalf of the Client, PIA: 3.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Client’s documented instructions as set out in this paragraph 3.1 and paragraphs 3.3 and 3.4, as Updated from time to time (Processing Instructions); 3.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and 3.1.3 shall promptly inform the Client if PIA becomes aware of a Processing Instruction that, in PIA’s opinion, infringes Data Protection Laws, provided that: (a) this shall be without prejudice to paragraphs 2.4 and 2.5; (b) to the maximum extent permitted by mandatory law, PIA shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Client’s Processing Instructions following the Client’s receipt of that information; and (c) this paragraph 3.1.3 shall only apply from the GDPR Date. 3.2 The Client shall be responsible for ensuring all Authorised Affiliates’ and Authorised User’s read and understand the Privacy Policy (as Updated from time to time). 3.3 The Client acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). The Client shall ensure that Authorised Users do not execute any such command unless authorised by the Client (and by all other relevant Data Controller(s)) and acknowledge that if any Protected Data is deleted pursuant to any such command PIA is under no obligation to seek to restore it. 3.4 Subject to the applicable terms set out in the Order Form the processing of the Protected Data by PIA under the Contract shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the Schedule.

4 Technical and organisational measures

4.1 Taking into account the nature of the processing, PIA shall implement and maintain, at its cost and expense, the technical and organisational measures: 4.1.1 such that the processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of Data Subjects; 4.1.2 from the GDPR Date, to assist the Client insofar as is possible in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Client’s cost on a time and materials basis in accordance with [PIA’s standard rates]. 4.1.3 so that reasonable steps have been taken to ensure the reliability of Supplier Personnel with access to the Protected Data; and 4.1.4 so as to ensure a level of security in respect of Protected Data processed by it that is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.’

5 Using staff and other processors

5.1 PIA shall not engage any SubProcessor for carrying out any processing activities in respect of the Protected Data except in accordance with the Contract without the Client’s written authorisation of that specific Sub- Processor (such authorisation not to be unreasonably withheld, conditioned or delayed). 5.2 The Client authorizes the appointment of each of the Sub- Processors identified on the List of Sub-Processors as Updated from time to time. 5.3 PIA shall: 5.3.1 prior to the relevant Sub- Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) that is enforceable by PIA; 5.3.2 ensure each such Sub- Processor complies with all such obligations; and 5.3.3 remain fully liable for all the acts and omissions of each Sub- Processor as if they were its own. 5.4 From the GDPR Date, PIA shall ensure that all persons authorised by it (or by any Sub- Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case PIA shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).

6 Assistance with compliance and Data Subject rights

6.1 PIA shall refer all Data Subject Requests it receives to the Client without undue delay. The Client shall pay PIA for all work, time, costs and expenses incurred in connection with such activity, calculated [on a time and materials basis] at PIAs [standard rates] 6.2 From the GDPR Date, PIA shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of processing and the information available to PIA) to the Client in ensuring compliance with the Client’s obligations under Data Protection Laws with respect to: 6.2.1 security of processing; 6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws); 6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and 6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach, provided the Client shall pay PIA for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated [on a time and materials basis] [at PIA’s standard rates].

7 International data transfers

7.1 Subject to paragraph 7.2, PIA shall not transfer, or otherwise directly or indirectly disclose, any Protected Data to any International Recipient without the prior written consent of the Client except where PIA is required to transfer the Protected Data by Applicable Law (and shall inform the Client of that legal requirement before the transfer, unless those laws prevent it doing so). 7.2 The Client agrees that PIA may transfer any Protected Data for the purposes referred to in paragraph 3.4 to any International Recipient, provided all transfers by PIA of Protected Data to an International Recipient (and any onward transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of Contract shall constitute the Client’s instructions with respect to transfers in accordance with paragraph 3.1.1. 7.3 The Appropriate Safeguards employed by PIA in connection with the Contract shall be as follows: [You should note that if PIA processes personal data other than on instructions from the controller (unless required to do so by Union or Member State law) it would itself be in breach of the GDPR. The client also has broad obligations under the GDPR to be accountable for the data. It is therefore in the interests of both parties to be as clear as possible in the agreement as to where data will be transferred to and to document the appropriate safeguards that will be employed. Those safeguards might include, for example, binding corporate rules (in respect of transfers to affiliates) and would include the Privacy Shield (in respect of transfers to the US)]. 7.4 PIA (or its Sub-Processors) may process Protected Data in the following locations:[EU, UK and United States] 7.5 The Client acknowledges that due to the nature of cloud services, the Protected Data may also be transferred to other geographical locations in connection with use of the Service further to access and/or computerized instructions initiated by Authorised Users. The Client acknowledges that PIA does not control such processing and the Client shall ensure that Authorised Users (and all others acting on its behalf) only initiate the transfer of Protected Data to other geographical locations if Appropriate Safeguards are in place and that such transfer is in compliance with all Applicable Laws.

8 Information and audit

8.1 PIA shall maintain, in accordance with Data Protection Laws binding on PIA, written records of all categories of processing activities carried out on behalf of the Client. 8.2 The Client may by written notice to PIA request information regarding PIA’s compliance with the obligations placed on it under this Data Protection Addendum. On receipt of such request PIA shall provide the Client (or auditors mandated by the Client) with a copy of the latest third party certifications and audits to the extent made generally available to its customers. Such copies are confidential to PIA and shall be PIA’s Confidential Information for the purposes of the Contract. 8.3 PIA shall, on request by the Client, in accordance with Data Protection Laws, make available to the Client such information as is reasonably necessary to demonstrate CC’s compliance with its obligations under this Data Protection Addendum and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose provided: 8.3.1 such audit, inspection or information request is reasonable, limited to information in PIA’s (or any Sub- Processors) possession or control and is subject to the Client giving PIA reasonable prior notice of such audit, inspection or information request; 8.3.2 the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Client or third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure PIA is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3); 8.3.3 all costs of such audit or inspection or responding to such information request shall be borne by the Client, and PIA’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Client on a time and materials basis in accordance with PIA’s Standard Pricing Terms; 8.3.4 such audits, inspections or information requests shall be limited to one in any consecutive [12] month period, unless otherwise required by a Supervisory Authority or if the Client (acting reasonably) believes PIA is in breach of this Data Protection Addendum; 8.3.5 the Client shall promptly (and in any event within [one] Business Day) report any non- compliance identified by the audit, inspection or release of information to PIA; 8.3.6 the Client shall ensure that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure required by Applicable Law); 8.3.7 the Client shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of PIA and each Sub-Processor; and 8.3.8 the Client shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of PIA or any SubProcessor whilst conducting any such audit or inspection.

9 Breach notification

9.1 In respect of any Personal Data Breach involving Protected Data, PIA shall, without undue delay (and in any event within 48 hours): 9.1.1 notify the Client of the Personal Data Breach; and 9.1.2 provide the Client with details of the Personal Data Breach. 10 Deletion of Protected Data and copies Following the end of the provision of the Services (or part) relating to the processing of Protected Data PIA shall dispose of Protected Data in accordance with its obligations under this Agreement. PIA shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with the Contract.

11 Compensation and claims

11.1 PIA shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with Contract: 11.1.1 only to the extent caused by the processing of Protected Data under Contract and directly resulting from PIA’s breach of Contract; and 11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of Contract by the Client (including in accordance with paragraph 3.1.3(b)). 11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with Contract or the Services, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall: 11.2.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and 11.2.2 consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under Contract for paying the compensation. 11.3 The parties agree that the Client shall not be entitled to claim back from PIA any part of any compensation paid by the Client in respect of such damage to the extent that the Client is liable to indemnify or otherwise compensate PIA in accordance with Contract. 11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except: 11.4.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and 11.4.2 that it does not affect the liability of either party to any Data Subject.

12 Survival This Data Protection Addendum

(as updated from time to time) shall survive termination (for any reason) or expiry of Contract and continue until no Protected Data remains in the possession or control of PIA or any SubProcessor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely. 13 Data protection contact PIA’s Data Protection Officer is Hammad Khan who may be contacted at Duration of the processing: Until the earlier of final termination or final expiry of Contract, except as otherwise expressly stated in Contract; Nature and purpose of the processing: Processing in accordance with the rights and obligations of the parties under Contract; Processing as reasonably required to provide the Services; Processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Client, in each case in a manner consistent with Contract; and Type of Personal Data: Legal and other names, titles, positions, e-mail addresses, phone numbers, professional history, and any other data that the client stores within PIA. Categories of Data Subjects: Authorised Users, employees, customers or other Data Subjects Special categories of Personal Data: Personal data related to the Clients Services as reasonably required to provide the services. THE SCHEDULE DATA PROCESSING DETAILS Subject-matter of processing: Performance of respective rights and obligations under Contract and delivery and receipt of the