JOSYS DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms a part of the Josys Services Agreement or the JosysProfessional Services Terms and Conditions, each as applicable, (the “Agreement”) between Josys andthe Customer and reflects the Parties’ agreement with regard to the processing of Customer PersonalData. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. Inproviding the Services to Customer pursuant to the Agreement, Josys may process Customer PersonalData on behalf of the Customer and the Parties agree to comply with the following provisions withrespect to any Customer Personal Data. For clarity, at its sole discretion, Josys may amend this DPA,but any such amendment(s) shall not materially increase Customer’s liabilities or obligations, nor shallit materially decrease Josys’ obligations or liabilities unless required by Data Protection Laws (asdefined below).

1. Definitions.

   “Data Protection Laws” means all laws and regulations applicable to the Processing of CustomerPersonal Data under the Agreement including, without limitation: (a) the Japan Act concerning theProtection of Personal Information as amended and any binding regulations promulgated thereunder(“APPI”), (b) the California Consumer Privacy Act as amended by the California Privacy Rights Act andany binding regulations promulgated thereunder (“CCPA”), (c) General Data Protection Regulation (EU2016/679) (“EU GDPR”), (d) the UK Data Protection Act 2018 (“UK GDPR), and (e) the AustraliaPrivacy Act 1988 (Cth), in each case, as updated, amended or replaced from time to time.

   “Data Subject” means an identified or identifiable natural person, or such other similar term as may bedefined by applicable Data Protection Laws.

   “Personal Data” means any information relating to an identified or identifiable natural person asdefined under Data Protection Laws that Customer and its Tenants provides or makes available toJosys as part of the Services.

   “Process”, “Processing”, “Processor”, “Controller”, and “Data Subject” have the meanings set forthin the EU GDPR.

   “Restricted Transfer” means: (a) where the APPI applies, a transfer of Personal Data to a countryoutside Japan that is not recognized by the Personal Information Protection Commission to haveequivalent standards to that in Japan, (b) where the EU GDPR applies, a transfer of Personal Data to acountry outside the EEA that is not subject to an adequacy determination, (c) where the UK GDPRapplies, a transfer of Personal Data from the United Kingdom to any other country that is not subjectto an adequacy determination, and (d) with respect to any other country where the applicable DataProtection Laws restrict international transfers, an international transfer to a country that is not subjectto an adequacy decision or otherwise requires some form of transfer mechanism to be implemented inorder to comply with applicable Data Protection Laws (hereinafter referred to as, “Other Restricted Transfer”).

   “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss,alteration, unauthorized disclosure of, or access to, Personal Data while being processed by Josys.Security Incidents do not include unsuccessful attempts or activities that do not compromise thesecurity of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial ofservice attacks or other network attacks on firewalls or networked systems.

   “Services” means the services provided by Josys as specified in the ordering document concluded bythe Parties and governed by the Josys Services Agreement and/or the Josys Professional Terms andConditions.

   “Standard Contractual Clauses” means, as applicable, (i) with respect to restricted transfers subjectto EU GDPR, the Controller-to-Processor standard contractual clauses or the Processor-to-Processor standard clauses (as applicable) adopted by the European Commission pursuant to its Implementing Decision (EU) 2021/914 of 4 June 2021, on standard clauses for the transfer of personal data to third countries pursuant to the EU GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”) , (ii) with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK SCCs”), and (iii) with respect to restricted transfers subject to other applicable Data Protection Laws, such other standard contract clauses as may be required to be implemented between Josys and Customer (“Other Applicable Transfer Clauses”).

   “Subprocessor” means any third party or Josys Affiliate engaged by Josys to Process Personal Data on behalf of Josys.

2. Processing of Personal Data.

   1. This DPA applies when Personal Data is Processed by Josys on behalf of Customer. As between Customer and Josys, at all times Customer will act as the “Controller” and Josyswill act as the “Processor” with respect to the Personal Data.

   2. The subject matter of the Processing under this DPA is Personal Data provided to Josys byCustomer and its Tenants in connection with the Services. The duration of the Processing under this DPA is for the term of this DPA and the Agreement. The purpose of the Processing of Personal Data under this DPA is for Josys to provide the Services to Customer. The nature of the Processing is the provision of the Services by Josys and as more specifically described in the Agreement. The type of data is the Personal Data uploaded to the Services by Customer and its Tenants at its sole discretion. The categories of Data Subjects may include, but is not limited to employees, contractors, agents, advisors and agents (who are natural persons) of Customer, Tenant and its service providers.

   3. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of applicable Data Protection Laws, including any applicable requirement to provide notice to, or obtain the consent of, Data Subjects of the use of Josys as Processor. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

   4. Josys shall Process Personal Data received from Customer as a Processor only for the purposes described in the Agreement and as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer except where otherwise required by any applicable Data Protection Laws.

   5. Josys agrees and certifies that it shall not collect, use, or retain Personal Data except to perform the obligations of the Agreement and will not “sell” or “share” Personal Data (as the terms “sell” and “share” are defined under the CCPA.

3. Restricted Transfers of Personal Data.

   Josys shall not make international transfers of Personal Data, unless it takes such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws.

   1. Japan Transfers. In the event of a Restricted Transfer of Personal Data from Japan, the EU SCCs will apply and form part of this DPA. For purposes of the EUSCCs, they will be deemed completed as follows:

      • Where Customer acts as a Controller and Josys acts as a Processor, Module 2 applies.

      • Where Customer acts as a Processor and Josys acts as a Subprocessor, Module 3 applies.

      • Customer is the “data exporter” and Josys is the “data importer”;

      • Where applicable the following applies as to the EU SCCs:

        • the optional docking clause in Clause 7 does not apply;

        • in Clause 9, Option 2 will apply, the minimum period for prior notice of a new Subprocessor shall be 30 days, and Josys shall fulfill its notification obligations by notifying Customer of any new Subprocessor in accordance with this DPA;

        • in Clause 11, the optional language does not apply;

        • in Clause 13, all square brackets are removed with the text meaning;

        • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Japan law;

        • in Clause 18(b), disputes will be resolved before the courts of Japan;

        • Annex A of this DPA (Subject Matter and Details of Processing) and/or the order form contains the information required in Annex 1of the EU SCCs, and,

        • Annex B of this DPA (Technical and Organization Measures) contains the information required in Annex 2 of the EU SCCs.

   2. EU Transfers. In the event of a Restricted Transfer of Personal Data from the European Economic Area, the EU SCCs will apply and form part of this DPA. For purposes of the EUSCCs, they will be deemed completed as follows:

      • Where Customer acts as a Controller and Josys acts as a Processor, Module 2 applies.

      • Where Customer acts as a Processor and Josys acts as a Subprocessor, Module 3 applies.

      • Customer is the “data exporter” and Josys is the “data importer”;

      • Where applicable the following applies as to the EU SCCs:

        • the optional docking clause in Clause 7 does not apply;

        • in Clause 9, Option 2 will apply, the minimum period for prior notice of a new Subprocessor shall be 30 days, and Josys shall fulfill its notification obligations by notifying Customer of any new Subprocessor in accordance with this DPA;

        • in Clause 11, the optional language does not apply;

        • in Clause 13, all square brackets are removed with the text meaning;

        • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

        • in Clause 18(b), disputes will be resolved before the courts of Ireland;

        • Annex A of this DPA (Subject Matter and Details of Processing) and/or the order form contains the information required in Annex 1of the EU SCCs, and,

        • Annex B of this DPA (Technical and Organization Measures) contains theinformation required in Annex 2 of the EU SCCs.

   3. UK Transfers. In the event of a Restricted Transfer of Personal Data transferred from the United Kingdom, the UK SCCs will apply and form part of this DPA. The UK SCCs willbe deemed completed as follows:

      • In Table 1 of the UK SCCs, the parties’ key contact information is in Annex A to this DPA and/or the order form;

      • In table 2 of the UK SCCs, the EU SCCs shall apply, including the Appendix Information and with only the following modules, clauses or optional provisions ofthe EU SCCs brought into effect for the purposes of this DPA:

        • The applicable Module is Controller to Processor or Processor to Processor, as applicable;

        • the optional docking clause in Clause 7 does not apply;

        • in Clause 9, Option 2 will apply, the minimum period for prior notice of anew Subprocessor shall be 30 days, and Josys shall fulfill its notification obligations by notifying Customer of any new Subprocessor in accordance with this DPA; and,

        • in Clause 11, the optional language does not apply.

      • In Table 3 of the UK SCCs:

        • the list of parties is in Annex A to this DPA;

        • the description of transfer is in Annex A to this DPA;

        • Annex II is in Annex B to this DPA; and

        • The list of Subprocessors is as set forth in Annex C to this DPA.

      • In Table 4 to the UK SCCs, neither party can terminate the DPA due to a change in law (the respective box is deemed checked).

      • Incorporated herein are Part 2 (Mandatory Clauses) of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

   4. Other Restricted Transfer. In the event of any Other Restricted Transfer, such transfer shall be governed by such Other Applicable Transfer Clauses as may be required under applicable Data Protection Laws, which shall be entered into and incorporated into this DPA by reference and:

      • Annex A and Annex B of this DPA provide details of the Restricted Transfer and Technical and Organizational Measures, respectively; and,

      • Disputes relating to the Other Restricted Transfer shall be governed by the applicable laws of the country from which the Other Restricted Transfer takesplace and resolved before the courts of such country.

4. Third Party Requests and Confidentiality

   Josys shall not disclose Personal Data to any third party other than: (i) at the request of Customer; (ii) as provided in this DPA; (iii) as necessary to provide the Services; or (iv) as required by applicable law or a valid and binding order of a law enforcement agency. Notwithstanding anything set forth herein, Josys shall ensure that any person that it authorizes to Process the Personal Data shall be subject to a duty of confidentiality and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. Except as otherwise required by law, Josys shall promptly notify Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority (“Demand”) that it receives, and which relates to the Personal Data unless prevented from doing so by law. At Customer request, Josys will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customerto respond to the Demand in a timely manner.

5. Data Subjects’ Requests.

   1. Upon Customer’s request and taking into account the nature of the applicable Processing, Josys will assist Customer by appropriate technical and organizational measures, insofar aspossible, in complying with Customer’s obligations under applicable Data Protection Laws to respond requests from Data Subjects to exercise their rights under applicable Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently, including through use of the Services.

   2. If Josys receives a request from a Data Subject in relation to the Data Subject’s Personal Data, Josys will notify Customer and advise the Data Subject to submit the request to Customer (but not otherwise communicate with the Data Subject regarding the request exceptas may be required by applicable Data Protection Laws), and Customer will be responsible for responding to any such request.

6. Technical and Organizational Security Measures

   Josys will implement and maintain reasonable and appropriate physical, technical, organizational and administrative safeguards to preserve and protect the confidentiality, security, integrity, availability and authenticity of the Customer Personal Data against Security Incidents, including the security measures described in Annex B.

7. Security Incident Notification

   In the event of any Security Incident, Josys will notify Customer without undue delay (but no later than 72 hours) after Josys becomes aware of the Security Incident. In addition, Josys will also make reasonable efforts to identify the cause of the Security Incident and mitigate the effects to the extent within Josys’ control. Upon Customer’s request and taking into account the nature of the processing, the information available to Josys, and any restrictions on disclosing the information such as confidentiality, Josys will assist Customer by providing information reasonably necessary to meet its Security Incident notification obligations under applicable Data Protection Laws.

8. Audit Rights

   Upon 30 days’ written notice by Customer and subject to the confidentiality obligations set forth in the Agreement, Josys shall make available to Customer its procedures relevant to the protection of Customer Personal Data in the form of Josys’ third-party certifications and audit reports to the extent that Josys makes them generally available to its customers (“Audit Report”). Further, at Customer’s written request, Josys will provide written responses (on a confidential basis) to reasonable requests for information made by Customer necessary to confirm Josys’ compliance with this DPA, provided that Customer will not exercise this right more than once per calendar year unless Customer has reasonable grounds to suspect noncompliance with the DPA. In the event of a Security Incident, Customer shall have the right to request a copy of the most recent Audit Report, a Security Incident report, a remediation plan, and upon completion, a copy of a remediation plan showing any identified root cause remediated.

9. Subprocessors

   Customer acknowledges and agrees that Josys may use the subprocessorsidentified in Annex C (“Subprocessors”) to provide the Services and provides a general authorization to Josys to use Subprocessors. Customer further agrees that Josys may engage its Affiliates as Subprocessors. Customer may subscribe to receive automated notifications from Josys regarding any proposed changes to Subprocessors and give Customer an opportunity to object. Customer will have thirty (30) days from receipt of such notice tonotify Josys of its objection to such Subprocessor by providing specific details of the objection based on reasonable data protection concerns. Josys shall respond to such objection within a reasonable time frame so long as such objections have a reasonable basis. Josys shall impose data processing and protection safeguards substantially the same as set forth in this DPA on any Subprocessor prior to the Subprocessor Processing Personal Data. Josys remains responsible for compliance with its obligations of this DPA and for any acts and omissions of a Subprocessor that cause Josys to breach any of its obligations under this DPA.

10. Deletion of Personal Data.

    1. During the Term. Josys will retain Customer audit logs for a maximum of 180 days, making them available for your use, access, and download (in CSV format). Josys may, at its sole discretion, delete Customer audit logs exceeding 180 days during the Term.

    2. Post-Termination. Josys shall delete Customer Personal Data processed in connection with its provision of the Services within 180 days after termination of the Agreement, unless otherwise required by law. Notwithstanding the foregoing, back up files will be deleted within seven months of termination.

11. CCPA

    In the event of Josys Processing the Personal Data of Data Subjects who are California consumers under the CCPA, the required contractual clauses of the CCPA, as may be amended or replaced from time to time, are incorporated herein. Customer and Josys hereby acknowledge and agree that in no event shall the transfer of Personal Data from Customer to Josys constitute a sale of Personal Data or transfer of Personal Data for valuable consideration to Josys, and that nothing shall be construed as providing for the sale or transfer for valuable consideration of Personal Data to Josys. Josys shall not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than, and to the extent necessary to, perform the Services or as otherwise permitted by the CCPA; (c) retain, use, or disclose Personal Data for a commercial purpose that is not necessary to perform the Services unless expressly permitted by the CCPA; (d) retain, use, disclose, release, transfer, make available, or otherwise communicate Personal Data outside of the direct business relationship between Customer and Josys unless expressly permitted by the CCPA; or (e) combine Personal Data with personal information that Josys receives from or on behalf of another business or person, or that it collects from its own interactions with individuals. Furthermore, (i) the specific Business Purpose(s) for which Josys is processing Personal Data is contained in the Agreement and Josys acknowledges that Customer is disclosing the Personal Data to Josys only for the limited and specified Services set forth in the Agreement; (ii) Josys shall comply with all applicable sections of the CCPA, including (x) providing the same level of privacy protection as required of Customer by the CCPA with respect to the Personal Data as specified in Annex B (TOMs) and (y) reasonably assisting Customer in its obligations under the CCPA; (iii) to the extent required by the CCPA, and so long as there is a mutual agreement as to the scope of the monitoring in advance, Josys shall allow Customer or its designee (who shall not be a competitor of Josys and shall enter into an appropriate confidentiality agreement with Josys), upon 30-day notice during normal business hours, and at Customer’s expense, monitor Josys’ compliance with the CCPA specifically as to Customer’s Personal Data; (iv) Customer has the right, upon written notice, to take reasonable and appropriate steps to stop and remediate Josys’unauthorized use of personal information; (v) Josys shall notify the Customer, should it determine that Josys can no longer meet its obligations with respect to Customer’s Personal Data under the CCPA; and (vi) Josys and Customer shall enable each other to comply with consumer requests regarding the Personal Data which are made pursuant to the CCPA by forwarding any applicable consumer request made pursuant to the CCPA by email to Customer (in case of notice necessary to Customer) or to int-legal@josys.com if notice is necessary to Josys and provide the other party with any information necessary to comply with the request. Josys with the limitation of liability clause of the Agreement. For the avoidance of doubt, Josys’ total liability for all claims from the Customer and all of its Tenants arising out of or related to the Agreement and DPA shall apply in the aggregate for all claims by Customer and all of its Tenants under both the Agreement and DPA, and, in particular, shall not be construed to apply individually and severally to Customer and/or to any Tenant, regardless of whether or not Tenant is a contractual party to the Agreement and DPA.

12. Tenants

    Where a Tenant becomes a party to this DPA by its acceptance to the terms andconditions of the Agreement, it shall to the extent required under Data Protection Laws, be entitled to exercise its rights and seek remedies under this DPA, subject to the following: Except where Data Protection Laws require the Tenant to exercise a right or seek any remedy under this DPA against Josys directly by itself, the Parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Tenant, and (ii) Customer as the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Tenant individually but in a combined manner for all its Tenants together.

13. Limitation of Liability

    The respective liabilities of Josys and Customer and its Tenants under this DPA shall be limited in accordance with the limitation of liability clause of the Agreement. For the avoidance of doubt, Josys’ total liability for all claims from the Customer and all of its Tenants arising out of or related to the Agreement and DPA shall apply in the aggregate for all claims by Customer and all of its Tenants under both the Agreement and DPA, and, in particular, shall not be construed to apply individually and severally to Customer and/or to any Tenant, regardless of whether or not Tenant is a contractual party to the Agreement andDPA.

14. Termination

    This DPA shall continue in full force until the expiration or termination of the Agreement or until Josys is no longer Processing any Personal Data of Customer.

15. Miscellaneous

    If there is a conflict between any provision in this DPA and any provision in the Agreement, this DPA shall control with regard to the subject matterof this DPA. Except for changes made by this DPA, the Agreement remains unchanged and in full force and effect. This DPA shall be governed by and construed in accordance with the laws of the country of territory stipulated for this purpose in the Agreement, and each of the Parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement with respect to any claim or matter arising under this DPA. In case a necessary provision is missing, the Parties shall add an appropriate one in good faith. In case of conflict, the order of precedence in respect of the Processing of Personal Data shall be this DPA and then the Agreement. If the Standard Contractual Clauses are an integral part of this DPA, then the Standard Contractual Clauses shall prevail. This DPA supersedes and replaces all previous written and oral agreements, communications and other understandings relating to the subject matter of this DPA.