BELT DATA PROCESSING ADDENDUM

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between BELT SOFTWARE, INC., a corporation incorporated in Delaware, United States, and whose principal office is at 40 Montgomery Ave. Ardmore 19004, PA 190003, United States ("We", "Us", or "Our") and you as the recipient of the Software defined in the Agreement ("You" or "Your") and governs Our Processing of Protected Data (as defined below) when fulfilling Our obligations under the Agreement. By downloading, installing, or otherwise accessing or using the Software (including without limitation via the cloud), You hereby agree that the terms of this DPA apply.

1 Definitions and interpretation

1.1 In this DPA: (i) "Belt Security Page" means the webpage at www.belt.ai/security (as updated from time to time) that sets out the technical and organizational measures that we will implement during the term of the Agreement to ensure a level of security appropriate to the risk to protect any Protected Data; (ii) "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100, et seq. and its implementing regulations, as amended by the California Privacy Rights Act; (iii) "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processor", and "Processing" are each as defined in the GDPR (and "Process", "Processed", and "Processes" will be interpreted accordingly); (iv) "Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time, including without limitation the GDPR and the CCPA; (v) "GDPR" means, as applicable: (A) the European Union's General Data Protection Regulation (Regulation (EU) 2016/679); and/or (B) the UK GDPR, as defined in section 3(10) (as supplemented by section 205(4)) of the United Kingdom's Data Protection Act 2018; (vi) "Protected Data" means the Personal Data provided or made available by You to Us and Processed by Us on Your behalf in the performance of Our obligations under the Agreement, which Personal Data is further described in paragraph 3 of Schedule 1 hereto; (vii) "Standard Contractual Clauses" means, together, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, as adopted by the European Commission under Commission Decision (EU) 2021/914 2021 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum"); and (viii) "Supervisory Authority" means the competent governmental, statutory, or regulatory body in the relevant territory having regulatory or supervisory authority, jurisdiction, or control over either party in respect of the Processing of the Protected Data. 
Any other capitalized expression used herein but not defined herein will bear the meaning given to it in the Agreement.

1.2 A reference to "writing" or "written" includes email but not fax.

1.3 A reference to a "clause" means a clause or section of the main body of this DPA and a reference to a "paragraph" means a paragraph of a Schedule to this DPA. A reference to a "Schedule" refers to a schedule to this DPA, and, for clarity, all references herein and in the Agreement to the DPA include the Schedules.

1.4 In the case of conflict or ambiguity between:

1.4.1 any provisions contained in the body of this DPA and any provisions contained in the Schedules, the provisions in the body of this DPA will prevail; and

1.4.2 any of the provisions of this DPA and any provisions in the Agreement, the provisions of this DPA will prevail.

 

2 Personal Data types and Processing purposes

2.1 For the purposes of the Data Protection Legislation, You are the Controller and We are the Processor of the Protected Data.

2.2 You retain control of the Protected Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the Processing instructions You give to Us.

2.3 You warrant and represent that Our expected use of the Protected Data for the provision of the Software and as specifically instructed by You will comply with the Data Protection Legislation.

2.4 The Schedules describe the subject matter, duration, nature and purpose of Processing and the Personal Data categories and Data Subject types in respect of which We may Process Protected Data to fulfil the Agreement.

 

3 Your obligations

3.1 You will:

3.1.1 have at all times during the term of the Agreement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect any Protected Data, and no less than Our measures stipulated on the Belt Security Page as at the date of the Agreement;

3.1.2 provide clear and comprehensible written instructions to Us for the Processing of Protected Data to be carried out under the Agreement;

3.1.3 ensure that You have all the necessary licenses, permissions, and consents from Data Subjects;

3.1.4 ensure that You have an applicable legal basis for the transfer of Protected Data to Us and for the Processing of that Protected Data by Us;

3.1.5 not unreasonably withhold, delay, or make conditional Your agreement to any change or amendment requested by Us in order to ensure that We (and each sub-Processor) comply with the Data Protection Legislation; and

3.1.6 on first demand fully indemnify Us (and keep Us fully indemnified) from and against any and all loss, liability, damages, costs, fees, claims and expenses (including without limitation any fines or penalties imposed by Supervisory Authorities) which We may incur or suffer out of, under, or in connection with any breach of this DPA or the Data Protection Legislation by You.

3.2 You additionally warrant and represent that:

3.2.1 You have and will, throughout the term of the Agreement, maintain (at Your own cost and expense) all relevant regulatory registrations and notifications as required from time to time under the Data Protection Legislation; and

3.2.2 You have undertaken appropriate due diligence in relation to Our Processing operations, and are satisfied that: (i) Our Processing operations are suitable for the purposes for which You propose to use the Software and engage Us to Process the Protected Data; and (ii) We have sufficient expertise, reliability, and resources to implement technical and organizational measures that meet the requirements of the Data Protection Legislation.

3.3 You acknowledge that We may use meta-data, statistics and anonymized information derived from the Personal Data We receive from You which cannot be identified as originating or deriving directly from such Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.

 

4 Our obligations

4.1 We will only Process the Protected Data to the extent, and in such a manner, as is necessary for the fulfilment of Our obligations under the Agreement in accordance with Your written instructions. We will not Process the Protected Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will immediately notify You if, in Our opinion, Your instruction would not comply with the Data Protection Legislation (and We shall be entitled to cease performing the relevant services or providing access to or use of the Software until We and You have agreed appropriate amended instructions which are not infringing).

4.2 We will promptly comply with any request or instruction from You requiring Us to amend, transfer, delete or otherwise Process the Protected Data, or to stop, mitigate or remedy any unauthorized Processing.

4.3 We will maintain the confidentiality of all Protected Data and will not disclose Protected Data to third parties unless You or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator, or Supervisory Authority requires Us to Process or disclose Protected Data, We will first use commercially reasonable efforts to inform You of the legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless this is prohibited under applicable laws.

4.4 We will reasonably assist You, in a manner consistent with the functionality and performance of the Services and Our role as Processor, with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of Our processing and the information available to Us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation. To the extent legally permitted, You shall be responsible for any costs arising from Our provision of such assistance beyond the existing functionality or performance of the Services.

4.5 We will use Our commercially reasonable efforts to notify You of any changes to Data Protection Legislation that may adversely affect Our performance of Our obligations under the Agreement.

4.6 You acknowledge that We are free to use metadata, statistics and such other information derived from the Protected Data We receive from You which cannot be identified as originating or deriving directly from such Protected Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.

4.7 We will ensure that any and all of Our employees are bound by confidentiality obligations and use restrictions in respect of the Protected Data.

 

5 Security

5.1 We will at all times implement appropriate technical and organizational measures against unauthorized or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Protected Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Protected Data including, but not limited to, the measures stipulated on the Belt Security Page as at the date of the Agreement.

5.2 We may update the security measures from time to time, provided they do not result in a reduction in the security over the Protected Data to which they apply. We will maintain an up-to-date written record of Our then-current security measures, which We will provide to You on request.

5.3 We will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

5.3.1 the pseudonymization and encryption of Protected Data;

5.3.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

5.3.3 the ability to restore the availability and access to Protected Data in a timely manner in the event of a physical or technical incident; and

5.3.4 a process for regularly testing, assessing, and evaluating the effectiveness of security measures.

 

6 Personal Data Breach

6.1 We will promptly and without undue delay notify You of any Personal Data Breach relating to Your Protected Data.

6.2 Where We become aware of a Personal Data Breach, We shall, without undue delay, also provide You with the following information:

6.2.1 a description of the nature of such event, including the categories and approximate number of both Data Subjects and Protected Data records concerned;

6.2.2 the likely consequences of the event; and

6.2.3 a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.

6.3 We will reasonably co-operate with You in Your handling of the matter, including:

6.3.1 assisting with any investigation;

6.3.2 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation; and

6.3.3 taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.

6.4 In the event of a Personal Data Breach that was not Our fault, We will cooperate with You with reasonable costs and expenses to be covered by You.

6.5 We will not inform any third party of any Personal Data Breach without first obtaining Your prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.

6.6 Subject to clause 6.5 You have the sole right to determine and responsibility to action:

6.6.1 whether to provide notice of the relevant Personal Data Breach to any Data Subjects, Supervisory Authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and

6.6.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

7 Cross-border transfers of Protected Data

7.1 If an adequate protection measure for the international transfer of Protected Data is required under Data Protection Legislation (and has not otherwise been arranged by the parties), the Standard Contractual Clauses will be incorporated into this Agreement in the Schedules as if they had been set out in full.

7.2 We and You will ensure that whenever Protected Data is transferred outside the European Economic Area and the United Kingdom ("GDPR Territories"):

7.2.1 such Protected Data is Processed in a territory which is subject to a current finding by both the European Commission (or, as applicable, the UK government) under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;

7.2.2 participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that We and You can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or

7.2.3 otherwise ensure that the transfer complies with the Data Protection Legislation.

7.3 In the case of any Processing of Protected Data outside of the GDPR Territories as at the date of this DPA, We have identified in the Schedules the relevant transfer mechanism. We will promptly inform You of any change to such mechanisms.

7.4 You authorize Us to enter into appropriate transfer mechanisms with each relevant sub-Processor on Your behalf, if required to ensure the relevant Processing of Protected Data complies with Data Protection Legislation. We will make the relevant parts of the executed agreements available to You on written request.

 

8 Sub-Processors

8.1 You authorize Us to use sub-Processors set out on Our dedicated sub-Processor webpage at www.belt.ai/subprocessors as at the date of the Agreement (the "Sub-Processor List"). These sub-Processors include but are not limited to the general categories of data storage, hosting (including data centers and providers of virtual software environments) and IT support. You additionally authorize Us to appoint as sub-Processors any of Our Affiliates and any third party specifically engaged by Us through an employer of record (EOR) or professional employer organization (PEO) model.

8.2 We may only amend the Sub-Processor List to substitute a sub-Processor or add a new sub-Processor to Process the Protected Data if:

8.2.1 You are provided with an opportunity to object to (but not prevent) the appointment of such sub-Processor within ten (10) calendar days of Us providing You with reasonable details of the proposed changes to Our sub-Processors, with such details to be provided by way of Our updating the Sub-Processor List;

8.2.2 We enter into a written contract with the sub-Processor that contains terms similar to those set out in this DPA, in particular, in relation to requiring appropriate technical and organizational data security measures; and

8.2.3 We maintain control over all Protected Data We entrust to the sub-Processor.

8.3 You may object to the appointment of an additional sub-Processor on reasonable grounds relating to Data Protection Legislation or other relevant regulations, in which case We will have the right to cure the objection through one of the following options (to be selected at Our sole discretion):

8.3.1 We will cancel Our planned use of sub-Processor or will offer an alternative plan to provide the Services without using such sub-Processor;

8.3.2 We will take the corrective steps, if any, identified by You in Your objection as sufficient to remove Your objection, and proceed to use the sub-Processor; or

8.3.3 We may cease to provide, or You may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such sub-Processor, subject to a mutual agreement between us to adjust the remuneration for the Services considering the reduced scope of the Services.

8.4 Where the sub-Processor fails to fulfil its obligations under such written agreement, We remain fully liable to You for the sub-Processor’s performance of its agreement obligations.

 

9 Complaints, Data Subject requests and third-party rights

9.1 We will take such technical and organizational measures and promptly provide such information to You as required by Data Protection Legislation, at Your expense, to enable You to comply with:

9.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Protected Data, object to the Processing and automated Processing of Protected Data, and restrict the Processing of Protected Data; and

9.1.2 information or assessment notices served on You by any Supervisory Authority under the Data Protection Legislation.

9.2 We will notify You immediately if We receive any complaint, notice, or communication that relates directly or indirectly to the Processing of the Protected Data or to either party's compliance with the Data Protection Legislation.

9.3 If We receive a request from a Data Subject for access to their Protected Data or to exercise any of their related rights under the Data Protection Legislation We will instruct the Data Subject to make their request directly to You. You will be responsible for responding to any such request.

9.4 We will at Your expense give Our commercially reasonable co-operation and assistance to You in responding to any complaint, notice, communication or Data Subject request.

9.5 We will not disclose the Protected Data to any Data Subject or to a third party other than at Your request or instruction, as provided for in this DPA or as required by law.

 

10 Liability

Our limitations of liability under and pursuant to this DPA will be as set forth in the Agreement.

 

11 Term and termination

11.1 This DPA will remain in full force and effect for the duration of the Agreement.

11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Protected Data will remain in full force and effect.

11.3 If a change in any Data Protection Legislation prevents either We or You from fulfilling all or part of the relevant obligations under the Agreement, We and You will discuss in good faith with a view to implementing any changes necessary to ensure the Processing of Protected Data complies with the new requirements.

 

12 Data return and destruction

12.1 At all times during the term of the Agreement, We will give You the ability to access, extract and delete Your Protected Data stored in Our systems. We will retain Your Protected Data for thirty (30) days after expiration or termination of the Agreement so that You may extract Your Protected Data. After said 60-day period ends We will disable Your account and delete all Your Protected Data, save to the extent We are required by any applicable law to retain some or all of such Protected Data. In such event We will extend the protections of this DPA to such retained Protected Data and limit any further Processing of such Protected Data only to those limited purposes for which, and only for so long as, such retention is required by applicable law.

12.2 This requirement will not apply to Protected Data which We have archived on Our backup systems which are not reasonably accessible, provided that such Protected Data is deleted promptly in the event such backups become reasonably accessible (such as by Us using those backups to restore Our systems).

 

13 Records

13.1 We will keep detailed, accurate and up-to-date written records regarding any Processing of Protected Data We carry out for You ("Records") and provide You with copies of the Records upon request.

 

14 Audit

14.1 No more than once during any twelve-month (12-month) period, on Your request We will at Your expense provide You with the relevant information from Our own information security audit to evidence Our compliance with this DPA and provide the summary results to You. If such summary does not address a specific query concerning Our compliance with this DPA that You had previously communicated to Us in writing, You may undertake (no more than once during any twelve-month (12-month) period) a further audit or inspection of Our compliance with this DPA, subject to You:

14.1.1 giving at least three (3) months’ written notice to Us of any request to conduct any such audit or inspection;

14.1.2 ensuring that all information obtained or generated by You or a professionally qualified auditor mandated by You in connection with such audits and inspections are kept strictly confidential (save for disclosure to the relevant Supervisory Authority or as otherwise required by law);

14.1.3 permitting Us or any of Our staff to accompany and escort You and/or Your mandated auditors or representatives at all times during any such audit or inspection;

14.1.4 ensuring that any such audits or inspections shall be undertaken during Our normal business hours and with minimal disruption to Our business and the respective businesses of Our affiliates and other customers; and

14.1.5 promptly (and in any event within thirty (30) calendar days of any such audit or inspection) reimbursing to Us, in full and cleared funds, the reasonable costs and expenses incurred by Us in enabling, facilitating, and contributing to such audits and inspections and assisting with the provision of information to You pursuant to such audits and inspections.

14.2 Where required by Data Protection Legislation, We will exercise relevant audit rights We have in connection with Our sub-Processors’ compliance with their obligations regarding Your Protected Data, and provide You with a summary of the audit results.

14.3 The audit rights set out at clauses 14.1 to 14.2 inclusive are Your only contractual rights (and Our only contractual obligations) in connection with the auditing of Our Processing of Protected Data. Nothing in this DPA will prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly We will submit to any audits required by a Supervisory Authority or Data Protection Legislation.

 

15 CCPA

This paragraph 15 shall apply only if We are Processing Protected Data within the scope of the CCPA (“CCPA Data”) pursuant to the Agreement. We will Process CCPA Data on Your behalf and will not retain, use, or disclose CCPA Data for any purpose other than for the purposes set out in this DPA and as permitted under the CCPA, including under any “sale” exemption. In no event will We “sell” or “share” (as those terms are defined in the CCPA) any CCPA Data. We: (a) will not combine CCPA Data that We receive from, or on behalf of, You with personal information that We receive from, or on behalf of, any other person, or that We collect from Our own interaction with a consumer, provided that We may combine CCPA Data to perform any business purpose as defined in regulations adopted pursuant to the CCPA; (b) grant to You the right to take reasonable and appropriate steps to help ensure that We use CCPA Data in a manner consistent with Your obligations under the CCPA; (c) will notify You in the event that We determine that We can no longer meet Our obligations under the CCPA; and (d) grant to You the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Data.

SCHEDULE 1

EU SCCs

1 INCORPORATION OF THE EU SCCS

1.1 To the extent clause 7.2 applies and the transfer is made pursuant to the GDPR, this Schedule 1 and the following terms shall apply:

1.1.1 Module 2 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection; and

1.1.2 Module 3 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Processor, the importer is a Sub-Processor and the transfer requires such additional protection.

 

2 CLARIFICATIONS TO THE EU SCCS

2.1 To the extent Module 2 and Module 3 of the EU SCCs apply as determined by paragraph 1.1 of this Schedule 1:

2.1.1 Deletion of data. For the purposes of clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing.

2.1.2 Auditing. The parties acknowledge that the importer complies with its obligations under clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights it has agreed with its sub-processors.

2.1.3 Sub-Processors. For the purposes of clause 9 of the EU SCCs (Use of sub-processors), option 2 (general) applies and the parties agree that the process for appointing sub-processors set out in clause 9 applies.

2.1.4 Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:

i. if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;

ii. where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter's representative is appointed shall be the competent Supervisory Authority; and

iii. where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behavior is monitored, are located.

2.1.5 International Transfer Assessments. For the purposes of clause 14(c) of the EU SCCs (Local laws and practices affecting compliance with the Clauses) the exporter has been provided with a transfer impact assessment by the importer which the exporter accepts as sufficient to fulfil the importer's obligations pursuant to clause 14(c) and 14(a). The exporter acknowledges that it has been provided with the security measures applied to the Personal Data and approves such measures as being in compliance with the EU SCCs.

2.1.6 Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (Local laws and practices affecting compliance with the clauses) the parties agree that "best efforts" and the obligations of the importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

2.1.7 Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law and choice of jurisdiction shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply and the courts of Ireland will have exclusive jurisdiction.

 

2.2 To the extent Module 3 of the EU SCCs applies as determined by 1.1 of this Schedule 1:

2.2.1 paragraphs 3.1 and 3.2 of this Schedule 1 shall be modified to reflect that the exporter is a processor and the importer is a sub-processor;

2.2.2 the exporter warrants that it has the rights necessary to transfer the personal data to the importer;

2.2.3 any request received from a data subject in connection with the personal data being processed by the importer shall be forwarded to the exporter to facilitate with the controller of such personal data; and

2.2.4 for the purposes of clause 8.6(c) and (d) of the EU SCCs, the importer shall notify the exporter of any personal data breach.

 

3 PROCESSING PARTICULARS FOR THE EU SCCS

The Parties

3.1 Exporter (Controller): You (as defined in the Agreement)

3.2 Importer (Processor): Belt Software, Inc.

Description Of Data Processing

3.3 Categories of Data Subjects: (a) employees; (b) consultants; (c) contractors; and (d) subcontractors of the exporter and/or its suppliers or customers; (e) suppliers; (g) customers; and (h) any other Data Subject who sends email communications to or from a mailbox integrated with Your Belt account.

3.4 Categories of Personal Data transferred: (a) first name; (b) last name; (c) address; (d) e-mail address; (e) IP address; (f) phone number; (g) location data; (h) username; and (i) any other categories of Personal Data contained in the emails sent and received by You.

3.5 Sensitive data transferred: Given the broad nature of the categories of Personal Data, the data transferred may include special category Personal Data.

3.6 Frequency of the transfer: Continuous.

3.7 Nature of the processing: The Software analyzes information provided by You to Us in order to provide task prioritization recommendations.

3.8 Purpose of the processing: the provision of the Software as set out in the Agreement.

3.9 Duration of the processing: the term of the Agreement.

3.10 Sub-Processor Transfers: Sub-Processor transfers will occur where, and to the extent, necessary for the provision of the Software to the Sub-Processors identified in Our Sub-Processor List.

3.11 Competent Supervisory Authority: as set out at paragraph 2.2.1 of this Schedule 1.

3.12 Technical and Organizational Measures: In order to safeguard Personal Data Processed by Us, We have in place the technical and organizational measures set out in Our Information Security Policy, as stipulated on the Belt Security Page as at the date of the Agreement.

SCHEDULE 2

UK ADDENDUM

1. Parties. As set out in Schedule 1.

2. Selected SCCs, Modules and Clauses. Module 2 and Module 3 of the EU SCCs and no other optional clauses unless explicitly specified, and as amended by the clarifications in Schedule 1, paragraph 2, but subject to any further amendments detailed in this Schedule 2.

3. Appendix Information. The processing details required by the UK Addendum are as set out in Schedule 1, paragraph 3.

4. Termination of the UK Addendum. In the event the template UK Addendum issued by the Information Commissioner's Office and laid before Parliament in accordance with section 119A of the United Kingdom's Data Protection Act 2018 on 2 February 2022, as it is revised under section 18, is amended, either party may terminate this Schedule 2 on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.

Updated April 2024