DASH SOCIAL DATA PROCESSING AGREEMENT

1. Scope. This DPA applies only to Customer Personal Data and the subject matter, duration, nature and purposes of processing, and the types of Personal Data and categories of Data Subjects to be Processed are described in Annex 1 of this DPA.
2. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Dash Social is acting as the Processor on behalf of and under the Instructions of Customer and Customer is acting as the Controller and has the sole and exclusive authority to determine the purposes and means of the Processing of Customer Personal Data under this DPA.
3. Permitted Affiliates. The parties agree that, to the extent Customer enters into the Agreement for the benefit of its named permitted group of companies (each a “Permitted Affiliate”): (i) solely Customer may exercise any right or seek any remedy that any Permitted Affiliate may have under this DPA; and (ii) Customer shall exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. Customer is responsible for coordinating all Instructions, authorizations and communications with Dash Social under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.
4. Customer’s Obligations. Customer shall: (i) comply with its obligations as a Controller under all Data Protection Laws in respect of its use of the Services and any Processing Instructions it issues to Dash Social; (ii) have sole responsibility for the accuracy, legality, and quality of Customer Personal Data; (iii) ensure that Customer has the right to transfer, or provide access to, Customer Personal Data to Dash Social for processing pursuant to the Agreement and this DPA; and (iv) not disclose (nor permit any Data Subject to disclose) any Sensitive Information (as defined in the Agreement), to Dash Social or through the Services. Customer will inform Dash Social without undue delay if Customer is not able to comply with its responsibilities under this paragraph d) or Data Protection Laws.
5. Dash Social’s Obligations. Dash Social shall (i) process Customer Personal Data only for the purposes described in the Agreement and on behalf of and in accordance with Customer’s Instructions and Annex 1 of this DPA, except where and to the extent otherwise required by Data Protection Laws or other applicable laws, in which case Dash Social shall immediately notify Customer of such a requirement, unless such applicable law prohibits such notification on important grounds of public interest; and (ii) notify Customer promptly if Dash Social determines that it can no longer meet its obligations under Data Protection Laws or this DPA. If Dash Social becomes aware or believes that Customer’s Instructions infringe on Data Protection Laws, Dash Social will: (a) to the extent permitted by Data Protection Laws, promptly notify Customer in writing; and (b) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new Instructions with which Dash Social is able to comply. If this provision is invoked, Dash Social will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing. Notwithstanding the foregoing, Customer acknowledges that Dash Social is not obligated to evaluate whether an Instruction issued by Customer complies with Data Protection Laws.

1. Data Subject Rights. Dash Social shall promptly inform Customer if it receives a request from a Data Subject regarding Customer Personal Data, including a request to exercise a right under Data Protection Laws, and shall not respond to such requests unless instructed by Customer in writing to do so. Taking into account the nature of the Processing of Customer Personal Data, Dash Social shall provide reasonable assistance to Customer, at the Customer's expense, through appropriate technical and organizational measures, insofar as possible, to help fulfill Customer’s obligations to respond to a Data Subject’s request to exercise their rights with respect to Customer Personal Data.
2. Customer Compliance. Taking into account the nature of the Processing and the information available to Dash Social, Dash Social shall provide such assistance as Customer reasonably requests, at the Customer's expense, in relation to Customer's obligations under Data Protection Laws with respect to: (i) data protection impact assessments; (ii) consulting with the relevant supervisory authority in relation to those data protection impact assessment; and (iii) security of the Processing of Personal Data.

1. Customer grants a general authorization to Dash Social to appoint its Affiliates or third parties as Sub-processors to support the performance of the Services. Dash Social shall maintain a list of Sub-processors available at https://www.dashsocial.com/subprocessors, and shall provide Customer with 30 calendar days prior written notice in the event that Dash Social proposes to add any additional Sub-processors. If Customer has a reasonable objection to any new Sub-processor, it shall notify Dash Social in writing to compliance@dashsocial.com within 15 calendar days of the notification and the Parties shall seek to resolve the matter in good faith. If Customer is not reasonably satisfied that the Sub-processor meets the security and privacy protection requirements of Data Protection Laws, and Dash Social is unable to make alternative arrangements within 30 calendar days of the Customer's objection to avoid Processing of Customer Personal Data by that Sub-processor, then Customer may, as its sole remedy, terminate the Agreement prior to the end of the 30 calendar day notice period.
2. Dash Social shall ensure that any Sub-processor it engages to provide an aspect of the Services on its behalf in connection with this DPA does so in accordance with terms substantially no less protective of Personal Data than those imposed on Dash Social under this DPA. Dash Social will be responsible for any breach of this DPA caused by a Sub-processor.

1. Roles of the Parties. When Processing Customer Personal Data in accordance with Customer’s Instructions, Dash Social and Customer acknowledge and agree that Customer is a Business and Dash Social is a Service Provider for the purposes of the CCPA.
2. Responsibilities. Dash Social confirms that Dash Social will Process Customer Personal Data as a Service Provider strictly for the purpose of performing the Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA. Further, Dash Social certifies that Dash Social will not: (i) Sell or Share Customer Personal Data; (ii) Process, retain, use, or disclose Customer Personal Data for any purpose other than for the specific Business Purpose, or as otherwise permitted by the Agreement or Data Protection Laws; (iii) Process, retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Dash Social; and (iv) combine Customer Personal Data received pursuant to the Agreement with Personal Data that Dash Social collects or receives from another source, except as otherwise permitted by the Agreement or Data Protection Laws.
3. Compliance. Dash Social will comply with obligations applicable to Dash Social as a Service Provider under the CCPA and will provide Customer Personal Data with the same level of privacy protection as is required by the CCPA. Dash Social will notify Customer if it determines that it can no longer meet its obligations as a Service Provider under the CCPA.
4. Audits. Customer has the right (i) to take reasonable and appropriate steps to help ensure that Dash Social uses Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA; and (ii) upon reasonable prior notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
5. Not a Sale. The parties acknowledge and agree that the disclosure of Customer Personal Data by the Customer to Dash Social does not form part of any monetary or other valuable consideration exchanged between the parties.

1. Restricted Transfers. The parties agree that when the transfer of Customer Personal Data from Customer to Dash Social is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfers shall be subject to Standard Contractual Clauses, which shall be deemed incorporated by reference and form an integral part of this DPA as described further in this Section.
2. EU GDPR Transfers. In relation to Restricted Transfers of Customer Personal Data that are protected by the EU GDPR, the Parties agree that the EU SCCs shall apply completed as follows:
   
   1. Module Two will apply;
   2. in Clause 7, the optional docking clause will not apply;
   3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 4(a) of this DPA;
   4. in Clause 11, the optional language will not apply;
   5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
   6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
   7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
   8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.
3. UK GDPR Transfers. In relation to Restricted Transfers of Customer Personal Data that are protected by the UK GDPR:
   
   1. the EU SCCs shall apply as completed in accordance with paragraph 6(b) above and shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA; and
   2. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information set out in Annex I and Annex II of this DPA and the options “the importer” shall be deemed checked in Table 4.
4. FADP Transfers. In relation to Restricted Transfers of Customer Personal Data that are subject to the FADP, the Parties agree that the EU SCCs will apply completed as provided in paragraph 6(b) above, with the following changes:
   
   1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the FADP;
   2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section the FADP;
   3. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”;
   4. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
   5. in Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the laws of Switzerland; and
   6. with respect to transfers to which the FADP applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
5. To the extent that the performance of this DPA and/or the Agreement involves Dash Social transferring any Personal Data to a Sub-processor and, without prejudice to Section 4, where such Sub-processor will process Personal Data outside the UK, Switzerland or the EEA (except if in an Adequate Country), the Customer is deemed to have consented to such transfer to the Sub-processors and Dash Social shall, in advance of any such transfer, take steps to put in place a legal mechanism to achieve adequacy in respect of that Processing, such as the requirement for Dash Social to execute the EU SCCs and/or UK Addendum with the Sub-processor.

1. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Dash Social shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in the processing of Customer Personal Data, as set forth in Annex 2. Dash Social may update or modify its security measures from time to time, provided that such updates or modifications do not materially decrease the overall security of the Services provided to the Customer.
2. Dash Social Personnel. Dash Social shall ensure that access to Customer Personal Data is limited to those employees, agents, and subcontractors who are bound in writing by confidentiality obligations sufficient to protect the confidentiality of such Customer Personal Data in accordance with the terms of this DPA.
3. Data Deletion and Return. Promptly upon the expiration or earlier termination of the Agreement, Dash Social shall, at the Customer's request, return or securely destroy or render unreadable or indecipherable, each and every original and copy in every media of all Customer Personal Data in Dash Social’s, its Affiliates’, or their respective subcontractors’ possession, custody or control, unless Dash Social is required to retain a copy by the Data Protection Laws or other applicable laws.
4. Security Incident. In the event of a Security Incident, Dash Social shall (i) notify Customer without undue delay after becoming aware of the Security Incident, but where possible no longer than forty-eight (48) hours after it becomes aware of the Personal Data Breach; (ii) provide timely information relating to the Security Incident as it becomes known and as reasonably requested by Customer; (iii) promptly take all reasonable corrective actions and cooperate with Customer in reasonable and lawful efforts to prevent, mitigate, or rectify the effects of such Security Incident within its control; and (iv) at Customer’s request, provide such assistance as reasonably required to enable Customer to notify the relevant supervisory authority and/or affected Data Subjects of the Security Incident, if Customer is required to do so under Data Protection Laws.

1. Standards Audits. Dash Social will meet industry security frameworks or standards including, but not limited to, SOC 2 standards. Upon request, and no more than once per calendar year, Dash Social shall provide Customer a summary copy of Dash Social’s most recent certified audit report to Customer, provided that such report shall be subject to the confidentiality terms under the Agreement.
2. Customer Compliance. Upon Customer’s written request, Dash Social shall provide such reasonable assistance as Customer reasonably requires in ensuring compliance with Customer’s obligations under applicable Data Protection Laws.
3. Compliance Audits. Upon Customer’s written prior notice of at least 30 calendar days, and no more than once per calendar year, Dash Social shall make available for Customer’s inspection all information in Dash Social's possession necessary to demonstrate Dash Social's compliance with this DPA and Data Protection Laws and, at the Customer’s expense, allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Any inspection will be of reasonable duration, will be conducted during usual business hours, will not unreasonably interfere with Dash Social’s day-to-day operations, and will be limited in scope to Dash Social’s Processing of Customer Personal Data.
4. Required Disclosure. To the extent legally permitted, Dash Social shall promptly, before producing and/or providing access to any Customer Personal Data, notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Customer Personal Data. Customer shall have the right to defend such action in lieu of and on behalf of Dash Social. Customer may, if it so chooses, seek a protective order. Dash Social will comply with any legal hold from Customer regarding Customer Personal Data and will provide reasonable support so that Customer can comply with third party requests. Dash Social will reasonably cooperate with Customer if Customer or its regulators properly request access to Customer Personal Data for any reason.
5. Failure to Comply. Dash Social’s failure to comply with the obligations in this Section 8 shall entitle Customer to suspend the Processing of Customer Personal Data Processed by Dash Social, and to terminate any further Processing of Customer Personal Data under this DPA and/or the Agreement, if doing so is required to comply with Data Protection Laws.

1. Conflicts. In case of any conflict between this DPA and the Agreement, this DPA shall prevail with regard to the Processing of Customer Personal Data covered by it. In the event of an inconsistency between this DPA and any applicable Data Protection Laws, the applicable Data Protection Laws shall prevail.
2. Amendments. Dash Social may update this DPA from time to time, including to accommodate legislative changes and developments, provided that Dash Social may only modify the Standard Contractual Clauses to (i) incorporate any new version of the Standard Contractual Clauses (or similar model clauses) that may be adopted under European Data Protection Law or (ii) comply with applicable law, applicable regulation, a court order issued by a governmental regulator or agency. Dash Social will notify Customer of any material updates to this DPA via email or via in-app notification.
3. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
4. Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses, where applicable, whether in contract, tort, or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA).
5. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
6. Governing Law. This DPA shall be governed by the laws of the jurisdiction specified in the Agreement.

A. LIST OF PARTIES

Data exporter(s):

Data importer(s):

B. DETAILS OF PROCESSING AND DESCRIPTION OF TRANSFER