Data Processing Addendum

Last updated: 05/13/2020

Coordinate Inc. Data Processing Addendum

This Data Processing Addendum (this “DPA”) forms a part of the Coordinate Online Terms of Service found at https://www.coordinatehq.com/legal.html, unless Customer has entered into a superseding written master subscription agreement with Coordinate Inc. (“Coordinate”), in which case, it forms a part of such written agreement (in either case, the “Agreement”).

By signing this DPA or executing (or otherwise entering into) an Agreement that explicitly states that the DPA is incorporated by reference, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any Affiliates (defined below) who are authorized to use the Coordinate Services. If you are entering into this DPA on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or legal entity to this DPA. In that case, “Customer” or “you” will refer to that company or other legal entity. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Coordinate Services under the Agreement, Coordinate may process certain Personal Data (such terms defined below) on behalf of Customer and where Coordinate processes such Personal Data on behalf of Customer the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

Upon the earlier of (i) the execution of (or entering into) an Agreement that explicitly states that the DPA is incorporated into the Agreement by reference; or (ii) receipt of the validly completed DPA by Coordinate at this email address, this DPA will become legally binding.

HOW THIS DPA APPLIES TO CUSTOMER AND ITS AFFILIATES

If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Coordinate entity that is party to the Agreement is party to this DPA. If the Customer entity signing this DPA has executed an Order Schedule with Coordinate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Schedule and applicable renewal Order Schedules, and the Coordinate entity that is party to such Order Schedule is party to this DPA.

If the Customer entity signing this DPA is neither a party to an Order Schedule nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.

‍1. Definitions.

1.1 “Affiliate” means, with respect to the identified party, any entity that is directly or indirectly controlled by, controlling or under common control with such party.

1.2 “Applicable Data Protection Laws” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, (a) EU Data Protection Law, and (b) the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199), as amended from time to time, and any related regulations and guidance provided by the California Attorney General pertaining to same (the “CCPA”).

‍1.3 “Authorized User(s)” means any person who processes Personal Data on Coordinate’s behalf, including Coordinate’s employees, officers, partners, principals, contractors and Subprocessors.

‍1.4 “Cloud Provider” means, unless specified otherwise in an Order Schedule or the Agreement, Amazon Web Services.

‍1.5 “Coordinate Group” means Coordinate Inc. and its Affiliates.

‍1.6 “Coordinate Services” means the Subscription Services and other services Coordinate provides under an Agreement.

‍1.7 “Customer Cloud Environment” means the cloud environment provided by the Cloud Provider in which Coordinate deploys the Coordinate Services.

‍1.8 “Customer Data” means the data made available by Customer and its Authorized Users for processing by, or use within, the Subscription Services, including without limitation Personal Data to the extent therein contained.

‍1.9 “Data Subject” means an individual to whom the Personal Data relates.

‍1.10 “EEA” means, for the purposes of this DPA, the European Economic Area and/or its member states, United Kingdom and/or Switzerland.

‍1.11 “EU Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).

‍1.12 “Model Clauses” means the Standard Contractual Clauses (controller to processor) promulgated by the EU Commission Decision 2010/87/EU.

‍1.13 “Personal Data” means information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes personally identifiable information.

‍1.14 “Privacy Shield” means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 dated July 12, 2016 (as may be amended, superseded, or replaced).

1.15 “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.

‍1.16 “Security Breach” means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, alteration, or access to Personal Data.

‍1.17 “Sensitive Data” means any unencrypted (i) bank, credit card or other financial account numbers or login credentials, (ii) social security, tax, driver’s license or other government-issued identification numbers, (iii) health information identifiable to a particular individual; or (iv) any “special” or “sensitive” categories of data as those terms are defined according to EU Data Protection Law or any similar category under other Applicable Data Protection Laws. For the purposes of the prior sentence, “unencrypted” means a failure to utilize industry standard encryption methods to prevent Coordinate and its personnel, including any subcontractors, from accessing the relevant data in unencrypted form.

1.18 “Subprocessor” means any third party (including any Affiliate of Coordinate) engaged by Coordinate to process any Customer Data that may contain Personal Data on behalf of Customer or who may receive Personal Data provided by Customer through the Subscription Services pursuant to the terms of the Agreement.

‍1.19 “Subscription Services” means Coordinate’s cloud-based services provided pursuant to the Agreement.

‍1.20 The terms “Controller”, “Processor”, and “processing” have the meanings given to them in Applicable Data Protection Laws. If and to the extent that Applicable Data Protection Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.

‍2. Shared Responsibility Deployment.

2.1 Except to the extent otherwise set forth in the Agreement, Customer acknowledges and agrees that: (a) while certain Customer Data may occasionally be present within the Platform Services, the Platform Services are not designed to archive or permanently retain Customer Data, but merely to provide an environment to facilitate Customer’s processing of Customer Data within the Customer Cloud Environment; (b) Coordinate and the Coordinate Services do not provide backup services or disaster recovery to enable recovery of Customer Data; and (c) subject to any limitations under the DPA or the Agreement regarding what Customer Data may contain, the choice of which Customer Data you process within Coordinate and manner in which you choose to process it are under the control of Customer and that, accordingly, Coordinate will generally be unaware of the types of or details regarding the Personal Data you may process within the Subscription Services.

‍3. Purpose; Ownership of Data.

3.1 Customer and Coordinate have entered into the Agreement pursuant to which Customer is being provided Coordinate Services, including the Subscription Services. In using the Subscription Services, Customer may submit through the Subscription Services or otherwise provide access to Coordinate certain Customer Data. This DPA applies where and only to the extent that Coordinate Processes Customer Personal Data on behalf of Customer as a Processor in the course of providing Coordinate Services pursuant to the Agreement. Additionally, Sections 4.3, 4.4, 4.5, and 5.1 shall apply only to Personal Data within the scope of the DPA that is subject to EU Data Protection Law.

‍3.2 As between the Parties, all Customer Data processed under the terms of this DPA and the Agreement shall remain the property of Customer. Under no circumstances will any member of the Coordinate Group act, or be deemed to act, as a “Controller” (or equivalent concept) of the Customer Data processed within the Subscription Services under any Applicable Data Protection Laws. All other data processed on or through the Coordinate Services (except to the extent such other data contains Personal Data collected from Customer) (“Usage Data”), is and shall remain the property of Coordinate, provided that Coordinate will not share or publicly make available any Usage Data that identifies Customer, or any of its Authorized Users, other data subjects, or customers.

‍4. Subprocessing.

4.1 Customer agrees that Coordinate may appoint Subprocessors to assist it in providing the Coordinate Services by processing Personal Data solely for the purpose of providing the Coordinate Services, provided that such Subprocessors:

‍(a) agree to act only on Coordinate’s instructions when processing the Personal Data (which instructions shall be consistent with Customer's processing instructions to Coordinate); and

‍(b) agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process.

‍4.2 Coordinate remains fully liable for any breach of this DPA or the Agreement(s) that is caused by an act, error or omission of such Subprocessor to the extent Coordinate would have been liable for such act, error or omission had it been caused by Coordinate.

‍4.3 Coordinate shall maintain an up-to-date list (and make it available upon written request to legal@coordinatehq.com) of all Subprocessors used in the provision of the Coordinate Services who may have access to or process: (a) Customer Data (which may contain Personal Data) or (b) other Personal Data received by Coordinate from Customer through the Subscription Services under the Agreement (the “Subprocessor List”).

4.4 Customer acknowledges that any third party services that may be linked to or used within the Coordinate Services (“Non-Coordinate Services”) are governed solely by the terms and conditions and privacy policies of such Non-Coordinate Services, and Coordinate does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Non-Coordinate Services, including, without limitation, their content or the manner in which they handle your Customer Data (including Personal Data) or any interaction between Customer and the provider of such Non-Coordinate Services. Coordinate is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s enablement, access or use of any such Non-Coordinate Services, or Customer’s reliance on the privacy practices, data security processes or other policies of such Non-Coordinate Services. The providers of Non-Coordinate Services shall not be deemed Subprocessors for any purpose under this Agreement.

‍5. Cooperation.

5.1 Customer acknowledges that the Subscription Services provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is required to respond to a DSR (as defined below) under Applicable Data Protection Law and is unable to access the relevant Customer Data within the Subscription Services using such controls or otherwise, Coordinate shall reasonably cooperate with Customer (at Customer’s request and expense) to enable Customer (or its third party Controller) to respond to any requests, complaints or other communications from Data Subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Agreement(s), including requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws (a “data subject request” or “DSR”) insofar as this is possible. In the event that any such DSR, complaint or communication is made directly to Coordinate, Coordinate shall promptly pass such communication on to Customer and shall not respond to such communication without Customer’s express authorization. For the avoidance of doubt, the foregoing shall not prohibit Coordinate from communicating with a Data Subject if it is not reasonably apparent on the face of the communication to which customer of Coordinate the DSR relates.

5.2 To the extent Coordinate is required under Applicable Data Protection Laws, Coordinate will assist Customer (or its third party Controller), at Customer’s request and expense, to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to Data Subjects. Because the need for a data protection impact assessment, if any, will arise from the choices made by Customer regarding what Customer to be processed and the processing activities to perform, Customer shall be responsible for any costs arising from Coordinate’s provision of such assistance.

‍5.3 At Customer’s written request, Coordinate will make reasonable efforts to provide Customer with all information necessary to demonstrate its compliance with EU Data Protection Law.

‍5.4 Customer acknowledges that Coordinate is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Coordinate is acting and, where applicable, of such Data Processor’s or Data Controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if GDPR applies to the processing of Personal Data, Customer will, where requested, provide such information to Coordinate via the Services or other means provided by Coordinate, and will ensure that all information provided is kept accurate and up-to-date.

‍5.5 If the Applicable Data Protection Laws and corresponding obligations related to the processing of Personal Data subject to European Data Protection Law (“EEA Data”), the Parties shall discuss in good faith any necessary amendments. Additionally, if reasonably required by Customer, Coordinate shall enter into a Business Associate Agreement to enable Customer to comply with its obligations under HIPAA/HITECH ACT (“BAA”). Coordinate may charge additional fees for the entering into a Business Associate Agreement.

‍6. Data Access & Security Measures.

6.1 Coordinate shall ensure that any Authorized User is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data only for the purpose of delivering the Coordinate Services under the Agreement(s) to Customer.

‍6.2 Coordinate will implement and maintain appropriate technical and organizational security measures designed to protect against Security Breaches and to preserve the security, availability, integrity and confidentiality of Personal Data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

‍7. Security Incidents.

7.1 In the event of a Security Breach, Coordinate shall inform Customer without undue delay and provide written details of the Security Breach, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Coordinate.

‍7.2 Furthermore, in the event of a Security Breach, Coordinate shall:

‍(a) provide timely information and cooperation as Customer may reasonably require to fulfill Customer’s data breach reporting obligations under Applicable Data Protection Laws; and

‍(b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Breach and shall keep Customer up-to-date about all developments in connection with the Security Breach.

‍7.3 The decision whether to provide notification, public/regulatory communication or press release (each, a “Notification”) concerning the Security Breach shall be solely at Customer’s discretion, but the content of any Notification that names Coordinate or from which Coordinate’s identity could reasonably be determined shall be subject to the prior approval of Coordinate, which approval shall not be unreasonably withheld, conditioned or delayed, except as otherwise required by applicable laws and provided that conditioning of the Notification on Coordinate’s approval shall not prevent Customer from complying with Applicable Data Protection Laws.

‍8. Security Reports & Inspections; Audits.

8.1 The Parties acknowledge that Coordinate conducts an audit to verify the adequacy of its Security Measures. This audit:

‍(a) will be performed at least annually;

‍(b) will be performed according to industry standards;

‍(c) will be performed at Coordinate’s expense; and

‍(d) will result in the generation of an audit report indicating whether Coordinate’s security infrastructure contains critical security vulnerabilities (“Report”).

‍8.2 At Customer’s written request, Coordinate will provide Customer with copies of its Report. The Report and any summaries thereof will constitute Coordinate’s Confidential Information under the confidentiality provisions of the Agreement.

‍8.3 Coordinate will respond in a commercially reasonable timeframe to any requests for additional information or clarification from Customer related to such Report.

‍9. Data Processing and Transport.

9.1 Coordinate will at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of Applicable Data Protection Laws. Customer acknowledges that Coordinate and its Subprocessors may maintain data processing operations in countries that are outside of the EEA and Switzerland. As such, both Coordinate and its Subprocessors may process Personal Data in non-EEA and non-Swiss countries. This will apply even where Customer has agreed with Coordinate to use cloud instances of the Subscription Services located in the EEA if such non-EEA processing is necessary to provide support-related or other services requested by Customer.

‍9.2 Coordinate shall process Customer Data containing Personal Data (i) submitted to Coordinate by Customer through the Subscription Services only as a Processor acting on behalf of Customer (whether as Controller or itself a Processor on behalf of third party Controllers); and (ii) in accordance with Customer’s documented instructions as set forth in this DPA, the Agreement(s) or as otherwise necessary to provide the Subscription Services; provided that Coordinate shall inform Customer if, in its opinion, Customer’s processing instructions infringe any law or regulation; in such event, Coordinate is entitled to refuse processing of Personal Data that it believes to be in violation of any law or regulation.

‍9.3 Customer acknowledges that the Subscription Services are data-type agnostic, and that Coordinate does not have any knowledge of the actual data or types of data contained in the Customer Data. Accordingly, Customer shall notify Coordinate prior to providing any Sensitive Data. Coordinate may impose additional requirements on Customer prior to the use of the Subscription Services by Customer to process any Sensitive Data, which may include additional fees.

‍9.4 To the extent that Coordinate processes any EEA Data on behalf of Customer, the parties agree that Coordinate makes available the transfer mechanisms listed below for any transfers of EEA Data from the EEA to Coordinate located in a country which does not ensure an adequate level of protection (within the meaning of Applicable Data Protection Law) and to the extent such transfers are subject to such EU Data Protection Law:

(a) (i) Coordinate will be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for EEA Data by virtue of having self-certified its compliance with the Privacy Shield; (ii) Coordinate agrees to process EEA Data in compliance with the Privacy Shield Principles; (iii) if Coordinate is unable to comply with its obligations under this sub-Section, Coordinate will inform the Customer; and (iv) Coordinate will promptly cease (and procure that all Subprocessors promptly cease) processing such Personal Data if, in Customer’s sole discretion, Customer determines that Coordinate has not or cannot correct any non-compliance with this sub-Section in accordance with the Privacy Shield Principles within a reasonable time frame.

‍(b) To the extent the transfer mechanism identified in Section 9.4(a) does not apply to the transfer, is invalidated and/or Coordinate is no longer self-certified to the Privacy Shield, Coordinate agrees to abide by and process EEA Data in compliance with the Model Clauses, and for these purposes Coordinate agrees that it is a "data importer" and Customer and/or its Affiliates, as applicable is/are the "data exporter" under the Model Clauses (notwithstanding that Customer and/or its Affiliates may be an entity/ies located outside of the EEA).

9.5 Coordinate acknowledges that Customer may disclose this DPA and any relevant privacy or data protection provisions of the Agreement(s) to the US Department of Commerce, European Data Protection Authorities, or any other US or EU judicial or regulatory body with jurisdiction (each, a “Data Regulatory Authority”) upon their request, provided that for the avoidance of doubt this DPA shall remain Confidential Information subject to the restrictions in the Agreement notwithstanding any requirement to share it with a Data Regulatory Authority.

‍10. Obligations of Customer.

Customer acknowledges that Coordinate does not provide data backup services, and that it is Customer’s obligation to back up any Customer Data that Customer may process through the Subscription Services. As part of Customer receiving the Coordinate Services under the Agreement, Customer agrees and declares as follows:

(a) that the processing of Personal Data by Customer, including instructing processing by Data Processor in accordance with this Agreement, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Laws, particularly with respect to the security, protection and disclosure of Personal Data;

‍(b) if Customer is itself a Data Processor acting on behalf of a third-party Data Controller, Customer warrants to Coordinate that Customer's instructions and actions with respect to that Personal Data, including its appointment of Coordinate as another Data Processor, have been authorized by the relevant Data Controller;

‍(c) that if processing by Data Processor involves any Sensitive Data, Customer has collected such Sensitive Data in accordance with Applicable Data Protection Laws;

‍(d) that Customer will inform its Data Subjects as legally required:

‍(i) about its use of data processors to Process their Personal Data, including Data Processor; and

‍(ii) that their Personal Data may be processed outside of the European Economic Area;

‍(e) that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the processing of their Personal Data by Customer, and to give appropriate instructions to Data Processor in a timely manner; and

‍(f) that it shall respond in a reasonable time to enquiries from a Data Regulatory Authority regarding the processing of relevant Personal Data by Customer.

11. Additional Terms Applicable to CCPA.

11.1 Additional Definitions.

(a) “Contracted Business Purposes” means the Services described in the Agreement.

‍11.2 Terms defined in the CCPA, including “personal information” and “business purposes” carry the same meaning in this DPA. Coordinate is a “service provider” under the CCPA.

‍11.3 Coordinate’s CCPA Obligations.

(a) Coordinate will only collect, use, retain, or disclose personal information for the Contracted Business Purposes as set forth in the Agreement.

‍(b) Coordinate will not retain, use or disclose personal information outside of the direct business relationship between Customer and Coordinate, except as authorized in the Agreement or under the CCPA.

‍(c) Coordinate will not collect, use, retain, disclose, sell, or otherwise make personal information available or process personal information (or allow any third party to process or access personal information) for Coordinate’s own commercial purposes or in a way that does not comply with the CCPA.

‍(d) Coordinate will limit personal information collection, use, retention, processing and disclosure (including through its service providers, suppliers, contractors or subcontractors) to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes.

‍(e) Coordinate shall not engage in any activity that may be considered a sale of personal information pursuant to the CCPA.

‍11.4 Assistance with Customer’s CCPA Obligations.

(a) Coordinate will reasonably cooperate and assist Customer with meeting its CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests.

‍(b) Both parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, sharing or disclosing personal information.

‍11.5 Subcontracting.

(a) Coordinate may use subcontractors to provide the Contracted Business Services as set forth in the Agreement and subject to the terms of this DPA. Any such subcontractor used must qualify as a “service provider” under the CCPA and Coordinate will not make any disclosures to the subcontractor that the CCPA would treat as a sale.

‍(b) Coordinate remains fully liable to the Customer for the subcontractor’s actions or inactions.

‍11.6 Processing Purposes and Details.

(a) The Contracted Business Purposes are providing the Services and processing the Customer Data as set forth in the Agreement.

‍(b) The Agreement involves the following types of Personal Information as defined and classified in CCPA Cal. Civ. Code § 1798.140(o).

‍(i) Identifiers: First name, last name, email address, telephone number, email data, system usage data, location data (IP address), and other electronic data/UGC (reviews, photos) submitted, stored, sent, or received by or from Data Subjects.

‍(ii) Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)): same as in subsection (i), above.

‍(iii) Protected classification characteristics under California or federal law: None.

‍(iv) Commercial information: Purchased products and/or services.

‍(v) Biometric information: None.

‍(vi) Internet or other similar network activity: IP Address. Coordinate also collects the activity of the consumers on Coordinate’s website.

‍(vii) Geolocation data: Extracted from IP address.

‍(viii) Sensory data: None.

‍(ix) Professional or employment-related information: Affiliation between the consumer and his/her employer, if and to the extent that the employer is a Coordinate customer.

‍(x) Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)): None.

‍(xi) Inferences drawn from other personal information: None.

‍(c) Types of Consumers: End users of Coordinate’s website.

‍(d) List of subcontractors: Please contact Coordinate for updated information.

‍12. General.

12.1 The parties agree that this DPA shall replace any existing DPA (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the Coordinate Services.

12.2 This DPA shall be effective on the date of the last signature set forth below. The obligations placed upon Coordinate under this DPA shall survive so long as Coordinate and/or its Subprocessors process Personal Data on behalf of Customer.

‍12.3 This DPA may not be modified except by a subsequent written instrument signed by both Parties.

‍12.4 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

12.5 In the event of any conflict between this DPA and any data privacy provisions set out in any Agreements, the Parties agree that the terms of this DPA shall prevail. Notwithstanding the foregoing, if there is any conflict between this DPA and a BAA applicable to any patient, medical or other protected health information regulated by HIPAA or any similar U.S. federal or state laws, rules or regulations (“HIPAA Data”), then the BAA shall prevail to the extent the conflict relates to such HIPAA Data.

‍12.6 Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, any Order or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA, including annexes hereto (if any). Without limiting either of the parties’ obligations under the Agreement, Customer agrees that any regulatory penalties incurred by Coordinate in relation to the Customer Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any Applicable Data Protection Laws shall count toward and reduce Coordinate’s liability under the Agreement as if it were liability to the Customer under the Agreement.

‍12.7 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

12.8 This DPA (and, if applicable, the Model Clauses) will terminate simultaneously and automatically with the termination or expiry of the Agreement.

In Witness Whereof, the parties’ authorized representatives executed this DPA, as of the Effective Date. By signing below, each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them. If the Agreement indicates that this DPA is incorporated by reference, no signature below will be required.

Coordinate Inc. (“Coordinate”)
By: _____________________________________
Name: _____________________________________
Title: _____________________________________
Date: _____________________________________

___________________________ (“Customer”)
By: _____________________________________
Name: _____________________________________
Title: _____________________________________
Date: _____________________________________