Data Processing Agreement

(Updated: May 26, 2025)

This Data Processing Agreement (“DPA”) is incorporated into and supplemental to the Social Snowball order form and agreement (“Agreement”) entered into between Social Snowball, Inc. (“Service Provider”) and the merchant company (“Company”) for the provision of Services by Service Provider to Company. This DPA governs the Processing of Personal Data as required under Applicable Data Protection Law. Except as modified below, the terms of the Agreement shall remain in full force and effect.

Definitions

Definitions: Capitalized terms not defined herein shall have the meaning given in the Agreement. In this DPA, the following terms (and derivations of such terms) shall have the following meanings:

a. “Applicable Data Protection Law” means all international, federal, national and state privacy and data protection laws that apply to the Processing of Personal Data that is the subject matter of the Agreement (including, where applicable, the CPRA, the UK GDPR and the EU GDPR).

b. “Business purpose” means the use of Personal Data for the specific purpose of providing the Services under the Agreement, consistent with Applicable Data Protection Law.

c. “CPRA” means Cal. Civil Code Section 1798.100 et seq. and related regulations (as amended by the CPRA), as amended from time to time.

d. “CJEU Decision” means the decision dated 16 July 2020 of the Court of Justice of the European Union in Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (C-311/18).

e. “Data” means the Personal Data that is the subject of this Agreement (i.e., which is shared between the parties or Processed by Service Provider on behalf of Company in providing the Services).

f. “Controller” means Company or the entity that determines the purposes and means of the Processing of Personal Data.

g. “Data Protection Losses” means any and all losses, claims, damages, liabilities, fines (including fines imposed by any regulatory body or Supervisory Authority), interest, penalties, costs (including costs of investigation, litigation, settlement, and judgment), charges, sanctions, disbursements, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex-gratia payments), demands, and other professional costs (calculated on a full-indemnity basis and in each case whether or not arising from any investigation by, or imposed by, any Supervisory Authority).

h. “Data Subject” means (i) a natural person whose Personal Data are Processed in the context of this DPA and whose rights are protected by Applicable Data Protection Law; or (ii) a “Consumer” as that term is defined in the CPRA.

i. “Data Subject Rights” means those rights identified in the UK and EU Data Protection Laws and the CPRA granted to Data Subjects.

j. “EEA” means the European Economic Area, comprising the member states of the European Union from time to time, together with Norway, Iceland and Liechtenstein.

k. “EU GDPR” means the General Data Protection Regulation ((EU) 2016/679).

l. “Personal Data” means any personal data which either (i) is subject to UK and EU Data Protection Laws and defined as “personal data” under UK and EU Data Protection Laws; (ii) is subject to the CPRA and defined as “personal information” under the CPRA; or (iii) relates to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

m. “Company Data” means any Personal Data which is provided by Company (directly or indirectly) to Service Provider in connection with the Agreement and includes Personal Data relating to:
Company’s employees, contractors, representatives, agents and consultants (and those of Company’s Affiliates); and
Company’s clients.

n. “Supervisory Authority” means the relevant supervisory authority in the territories where the parties to this Agreement are established (or the Information Commissioner in the UK).

o. “Personal Data Breach” means a breach of security leading to the accidental, unauthorized or unlawful Processing, destruction, loss, alteration, damage, corruption, disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

p. “Process” and “Processing” shall have the meaning given in the UK and EU Data Protection Laws.

q. “Processor” means an entity that Processes Personal Data on behalf of the Controller.

r. “Records” means written records regarding any Processing of the Data including, but not limited to, the access, control and security of the Data, the Processing purposes, categories of Processing, any onward transfers of personal data and related safeguards, and a general description of the technical and organizational security measures referred to in paragraph 9.

s. “Sub-Processor” means an entity engaged by the Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller.

t. “UK and EU Data Protection Laws” means:

To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Company or Provider is subject, which relates to the protection of personal data.

u. “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

v. “Service Provider Data” means any Personal Data which is provided (directly or indirectly) by Service Provider to Company, or Processed by Service Provider on behalf of Company, in connection with Service Provider’s provision of the Services to Company and will include Personal Data relating to:
Service Provider’s employees, contractors, representatives, agents and consultants (and those of Service Provider’s Affiliates or Sub-Contractors);
Service Provider’s Affiliate Clients;
Potential Affiliates.

w. “Service Provider’s Processing” means the Processing operations to be carried out by the Service Provider acting as a Processor, as set out in Schedule A to this DPA, in accordance with clause 2.2.3(a) and clause 4 below.

Relationship of the parties

This DPA defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other when the parties share, transfer or otherwise Process Data in the course of Service Provider providing the Services to Company. This includes:
when one Controller (“Data Discloser”) discloses Data to another Controller (“Data Receiver”) (“Data Sharing”); and
Service Provider’s Processing.

In this regard the parties acknowledge and agree that:

Company will always be an independent “Controller” of the Company Data and of any Service Provider Data shared with it by Service Provider.
Service Provider is an independent Controller of any Company Data it receives from Company in the course of providing the Services.

With respect to Service Provider Data:

Service Provider is a Processor of Service Provider Data when it collects, transfers or otherwise Processes that Service Provider Data in accordance with clause 4 below and Schedule A;

Service Provider is a Controller of Service Provider Data when it collects, transfers or otherwise Processes the Service Provider Data otherwise than in accordance with clause 4 below and Schedule A.

Data Sharing

Wherever the parties are acting as independent Controllers under this Agreement:

Each party shall ensure that it Processes the Data received from the other Controller fairly and lawfully in accordance with clause 3.1.2 during the Term of this Agreement.

Each party shall ensure that it has legitimate grounds under the Applicable Data Protection Law for the Processing of the Data.
The Data Discloser shall ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Applicable Data Protection Law, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by the Applicable Data Protection Law.

The Data Receiver undertakes to inform the Data Subjects, in accordance with the Applicable Data Protection Law, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by the Applicable Data Protection Law.

Service Provider’s Processing

Schedule A describes the subject matter, duration, nature and purpose of Service Provider’s Processing and the Personal Data categories and Data Subject types in respect of which Service Provider is appointed to Process Data on behalf of Company;

Wherever Service Provider engages in Service Provider’s Processing on behalf of Company:

Service Provider shall Process the Data only as necessary to perform the Services for Company under the Agreement, and strictly in accordance with the documented instructions of Company (including those in this DPA and the Agreement);

Company shall only give lawful instructions to Service Provider that comply with Applicable Data Protection Law. Service Provider will notify the Company if, in its opinion, the Company’s instructions do not comply with Applicable Data Protection Law; and

Company retains control of Service Provider’s Processing and the data it concerns and remains solely responsible for its compliance obligations under the Applicable Data Protection Law. Company shall comply with Applicable Data Protection Law, including but not limited to providing notices to Data Subjects and obtaining Data Subjects’ consent, wherever required by Applicable Data Protection Law.

Compliance with Applicable Data Protection Law

Each party will comply with all Applicable Data Protection Law in relation to Data Sharing and the Processing of Data disclosed by the other party during the Term of the Agreement.

The parties must notify one another of any changes to the Applicable Data Protection Law that may reasonably be interpreted as adversely affecting their ability to perform this DPA or the Agreement.

Company discloses Data subject to the CPRA to Service Provider solely for a valid business purpose and for Service Provider to perform the Services. Pursuant to the CPRA, Service Provider is prohibited from: (i) selling the Data; (ii) retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services or as permitted by the CPRA; and (iii) retaining, using, or disclosing the Data outside of the Agreement with Company.
Service Provider is a “service provider” as defined in CPRA Section 1798.140(v). Service Provider shall comply with Applicable Data Protection Law and understands the prohibitions on service providers set forth in CPRA Section 1798.140(t)(2)(C)(ii).

Transfers of Data by a Data Controller:

For the purposes of this Agreement, transfers of Personal Data shall mean any sharing of Personal Data by a party with a third party, and shall include, but is not limited to, the following:

6.1.1. subcontracting the Processing of Data;

6.1.2. granting a third party controller access to the Data.

Where the Data Receiver is a Controller of the Data:

6.2.1. If the Data Receiver appoints a third party Processor to Process the Data it shall comply with the relevant provisions of the Applicable Data Protection Law and shall remain liable to the Data Discloser for the acts and/or omissions of the Processor.

6.2.2. The Data Receiver may not transfer Data to a third party located outside the UK or EEA unless:

the Data is transferred to a country, territory, or jurisdiction which is subject to adequacy regulations under the UK or EU Data Protection Laws (as applicable) that the territory provides adequate protection for the privacy rights of individuals; or appropriate safeguards have been provided in relation to such Processing, transfer, or disclosure in accordance with Article 46 of the UK GDPR; or one of the derogations for specific situations set out in Article 49 of the UK GDPR applies to such Processing, transfer, or disclosure; and

the Data Subjects have enforceable rights and effective legal remedies; and

the Data Receiver complies with its obligations under UK and EU Data Protection Laws by providing an adequate level of protection to any Data that is so Processed, disclosed, or transferred.

Transfers of Data by Service Provider acting as Processor

When engaging in Service Provider’s Processing, Service Provider (and any Sub-Processor) may only Process, transfer or otherwise disclose the Data outside the    and/or EEA subject to obtaining Company’s prior written consent and the following conditions having been fulfilled:

the Data is transferred to a country, territory, or jurisdiction which is subject to adequacy regulations under the UK or EU Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals; or appropriate safeguards have been provided in relation to such Processing, transfer, or disclosure in accordance with Article 46 of the UK GDPR; or one of the derogations for specific situations set out in Article 49 of the UK GDPR applies to such Processing, transfer, or disclosure; and

the Data Subjects have enforceable rights and effective legal remedies; and

Service Provider complies with its obligations under UK and EU Data Protection Laws by providing an adequate level of protection to any Data that is so Processed, disclosed, or transferred.

For the purpose of Service Provider’s Processing, Company acknowledges that Service Provider is located in the United States of America and hereby consents to transfers of and Processing of Data by Service Provider in the United States of America, subject always to Service Provider’s full compliance with the provisions of Schedule B, which contain the Standard Contractual Clauses (“SCCs”) and, if relevant, Schedule C (which contains the UK addendum thereto) constituting, under Article 46(2)(c) of the UK GDPR and EU GDPR, the appropriate safeguards required under paragraph 7.1.1 above, and subject to the parties taking all further actions required to legitimize the transfer in light of the CJEU Decision.

Confidentiality of Service Provider’s Processing

When engaging in Service Provider’s Processing:

Service Provider shall ensure that any person it authorizes to Process Data (including Service Provider's staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Data who is not under such a duty of confidentiality.

Service Provider will not disclose the Data to third parties unless the Company or this Agreement specifically authorizes the disclosure, or as required by domestic law, a court or regulator.

If a domestic law, court or regulator requires Service Provider to Process or disclose Data to a third party, Service Provider must first inform Company of such legal or regulatory requirement and give Company an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

Security

The parties shall each implement appropriate technical and organizational measures intended to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data. At a minimum, such measures shall include the security measures identified in Schedule A. The parties shall keep such security measures under review and shall carry out such updates as they agree are appropriate throughout the Term.

It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and Process the Data in accordance with the technical and organizational security measures set out in Schedule A together with any other Applicable Data Protection Law and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data.

Subcontracting of Service Provider’s Processing

In relation to Service Provider’s Processing only:

Subject to the conditions set forth in this DPA, Company authorizes Service Provider to continue to use and disclose Data to Sub-Processors currently engaged by Service Provider in the context of providing Service Provider Services as laid out here: https://help.socialsnowball.io/en/articles/11452398-social-snowball-sub-processors-page

Notwithstanding paragraph 10.1 above, when acting as a Processor on behalf of Company, Service Provider shall not subcontract any Service Provider’s Processing of the Data to a third party Sub-Processor unless:

such Sub-Processor is subject to an agreement with Service Provider which contains the same data protection terms as those provided for by this DPA;

Service Provider maintains control over all of the Data it entrusts to Sub-Processor;

Sub-Processor's contract terminates automatically on termination of this Agreement for any reason; and

10.2.4. Service Provider shall maintain and make available an up-to-date Sub-Processor list.

Company shall notify Service Provider within ten (10) business days after receipt of Service Provider’s notice, if it objects to the addition or replacement of a Sub-Processor. Company’s objection should be sent to security@skilljar.com and should explain the reasonable grounds for the objection. If Company objects to Service Provider's appointment of a third party Sub-Processor on reasonable grounds relating to the protection of the Data, and Service Provider is unable to adequately address the reasonable grounds, then Service Provider will either not appoint the Sub-Processor, or Company may elect to suspend or terminate the Agreement without penalty.

Service Provider shall remain fully liable for any breach of this DPA that is caused by an act, error or omission of its Sub-Processor for Service Provider’s Processing.

Cooperation and Data Subject Rights

11.1. The Data Controller is responsible for responding to Data Subject requests relating to Data in their possession or control. Each Controller is responsible for maintaining a record of Data Subject requests received by it, the decisions made and any information that was exchanged.

11.2. The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Data Subject requests within the time limits imposed by Applicable Data Protection Law.

11.3. In relation to Service Provider’s Processing:

11.3.1. Company is responsible for responding to Data Subject requests using Company’s own access to the relevant Personal Data.

11.3.2. Service Provider must not disclose the Data to any Data Subject or to a third party other than in accordance with Company’s written instructions, or as required by domestic law.

11.3.3. Taking into account the nature of the Service Provider’s Processing and the information available, upon Company’s request, Service Provider shall provide all reasonable and timely assistance to enable Company to comply with: (i) any request from an individual to exercise any Data Subject Rights under Applicable Data Protection Law; and (ii) information or assessment notices or any other correspondence from or reporting to a regulator or public authority in connection with the Processing of the Data under Applicable Data Protection Laws and Company shall pay Service Provider’s reasonable costs of providing such assistance.

11.3.4. In the event that any such communication in paragraph 11.3.3 above is made directly to Service Provider, Service Provider shall promptly and without undue delay (and in any event, no later than within forty-eight (48) hours of receiving such communication) provide Company full details of the same and shall not respond to the communication unless specifically required by law or authorized by Company, and Company shall pay Service Provider’s reasonable costs of providing any such assistance.

Warranties

3.1. Each party warrants and undertakes that it will:

3.1.1. Process the Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its Personal Data Processing operations.

3.1.2. Make available on request to the Data Subjects who are third party beneficiaries a copy of this Agreement, unless the Agreement contains confidential information in which case an extract can be provided.

3.1.3. Respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Supervisory Authority in relation to the Data.

3.1.4. Respond to Subject Rights Requests in accordance with Applicable Data Protection Law.

3.1.5. Where applicable, maintain registration with the relevant Supervisory Authorities to Process all Data.

The Data Discloser warrants and undertakes that it is entitled to provide the Data to the Data Receiver.

Each party warrants, represents and undertakes that it shall provide the required fair Processing information and obtain all necessary consents from Data Subjects in accordance with Applicable Data Protection Law in respect of Data over which it is a Controller, in advance of sharing that Data with the other party.

Company warrants, represents and undertakes that all instructions given by it to the Service Provider in respect of Service Provider’s Processing shall at all times be in accordance with Applicable Data Protection Law;

Company warrants, represents and undertakes that Company has undertaken due diligence in relation to the Service Provider’s Processing (including without limitation its data scraping methods), and it is satisfied that:

Service Provider’s Processing operations are suitable for the purposes for which the Company proposes to use such services and engage the Service Provider to Process the Data; and

Service Provider has sufficient expertise, reliability and resources to implement technical and organizational measures that meet the requirements of Applicable Data Protection Law.

Indemnity

13.1. The Data Discloser and Data Receiver undertake to indemnify each other and hold each other harmless from any Data Protection Losses which they cause each other as a result of their breach of any of the provisions of this Agreement, except to the extent that any such liability is excluded in the Agreement.

Data Protection Impact Assessment

14.1. Taking into account the nature of the Processing and the information available to Service Provider, upon Company’s request, Service Provider shall provide Company with reasonable and timely assistance as required by UK and EU Data Protection Laws with any data protection impact assessments and, where necessary, consultations with data protection authorities.

Personal Data Breach

15.1. The parties shall each comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority without delay, and in any case within 72 hours of discovering such a breach, and (where applicable) Data Subjects under Applicable Data Protection Law and shall each inform the other party of any Personal Data Breach affecting the Data irrespective of whether there is a requirement to notify any Supervisory Authority or Data Subject(s).

15.2. The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

15.3. Notwithstanding the foregoing, upon becoming aware of a Personal Data Breach affecting or arising out of Service Provider’s Processing:

15.3.1. Service Provider shall inform Company without undue delay and shall provide sufficient available information and cooperation to enable Company to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.

15.3.2. Service Provider shall further reasonably co-operate with Company in Company’s handling of the matter, including but not limited to: (i) assisting with any investigation; and (ii) taking such reasonable measures and actions as are necessary to remedy and mitigate the effects of the Personal Data Breach and shall keep Company informed of all material developments in connection with the Personal Data Breach.

15.3.3. Service Provider shall not notify any third parties of a Personal Data Breach affecting the Data unless and to the extent that: (a) Company has agreed to such notification, and/or (b) notification is required to be made by Service Provider under Applicable Data Protection Laws.

Deletion or return of Data

16.1 Upon termination or expiry of the Agreement, Service Provider shall (at Company's election) securely delete, destroy or return all Company Data, in its possession or control. This requirement shall not apply to the extent that Service Provider is required by Applicable Data Protection Laws to retain some or all of the Data, in which event Service Provider shall notify Company of that retention requirement and isolate and protect the Data from any further Processing except to the extent required by such law.

Records of Processing

17.1. Each party will keep detailed, accurate and up-to-date Records.

In respect of any Processing carried out by Service Provider acting as Processor on behalf of Company, Service Provider will ensure that the Records are sufficient to enable the Company to verify the Service Provider's compliance with its obligations under this Agreement and the Service Provider will provide the Company with copies of the relevant Records upon request.

Audit of Service Provider’s Processing

18.1 Service Provider uses an external auditor to verify the adequacy of its security measures and controls for Services. The audit is conducted annually by an independent third-party in accordance with AICPA SOC2 standards and results in the generation of a SOC2 report (“Audit Report”) which is Service Provider’s confidential information. Upon written request, Service Provider shall provide Company with a copy of the Audit Report subject to the confidentiality obligations of the Agreement or a non-disclosure agreement covering the Audit Report.

If Service Provider’s Processing involves Processing the Personal Data of Data Subjects located in the UK and/or EEA and the Audit Report and other information and documentation Service Provider has otherwise provided to Company does not meet the relevant requirements of UK and EU Data Protection Laws, including Article 28(3)(h), then Service Provider shall permit Company (or its independent appointed representatives) to audit Service Provider's compliance with its obligations as a Processor on behalf of Company under this DPA and shall make available all such information, systems and staff reasonably necessary to conduct such audit as required to meet the relevant requirements of UK and EU Data Protection Laws.

Company shall not exercise its audit rights more than once per year except following a Personal Data Breach or following an instruction by a regulator or public authority.

Unless Company reasonably believes that a Personal Data Breach has occurred or is occurring, or Service Provider is in breach of any of its obligations as a Processor on Company’s behalf under this DPA or any Applicable Data Protection Law, Company shall give Service Provider thirty (30) days prior written notice of its intention to audit.

Company shall conduct its audit during normal business hours and take all reasonable measures to prevent unnecessary disruption to Service Provider's operations. Company and Service Provider shall mutually agree in advance on the date, scope, duration, and security and confidentiality controls applicable to an audit. Company shall reimburse Service Provider for actual expenses and costs incurred to allow for and contribute to any audit.

Miscellaneous

The obligations placed upon Service Provider as a Processor under this DPA shall survive so long as Service Provider and/or its Sub-Processors Process Personal Data on behalf of Company.

Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

The Schedules form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules.

In the case of conflict or ambiguity between:

any provision contained in the body of this DPA and any provision contained in the Schedules, the provision in the body of this DPA will prevail; and
any of the provisions of this DPA and any executed SCC, the provisions of the executed SCC will prevail.

If any provision of this DPA is deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible; or (ii) if that is not possible, then construed in a manner as if the invalid or unenforceable part had never been included herein.

SCHEDULE A

DETAILS OF SERVICE PROVIDER’S PROCESSING

This Schedule A includes certain details of Service Provider’s Processing of Data as required by Article 28(3) UK GDPR and EU GDPR.

Subject matter and duration of the Processing

Please see Annex I.B to the SCCs at Schedule B to this DPA in relation to Module B Controller – Processor Transfers.

The nature and purpose of the Processing

Please see Annex I.B to the SCCs at Schedule B to this DPA in relation to Module B Controller – Processor Transfers.

The types of Data to be Processed

Please see Annex I.B to the SCCs at Schedule B to this DPA in relation to Module B Controller – Processor Transfers.

The following types of Special Categories of Personal Data will be Processed by Service Provider as part of Service Provider’s Processing during the Term of this Agreement:

Please see Annex I.B to the SCCs at Schedule B to this DPA in relation to Module B Controller – Processor Transfers.

The categories of Data Subject to whom the Data relates

Please see Annex I.B to the SCCs at Schedule B to this DPA in relation to Module B Controller – Processor Transfers.

ANNEX I to the Standard Contractual Clauses

LIST OF PARTIES DESCRIPTION OF TRANSFER

MODULE ONE:

Categories of data subjects whose personal data is transferred

Social Snowball’s Affiliate Clients and potential Affiliate Clients

MODULE TWO:

Categories of data subjects whose personal data is transferred

Company’s clients (Affiliates) under a written services Agreement who are designated by Company to use the services under the Agreement

Potential Company clients (Affiliates)

Categories of personal data transferred (Module 1)

Identification and contact data (name, title, address, phone number, email address, social media handles)

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous during the term of the Agreement

Nature of the processing

Module 1: Service Provider will provide access to its database of Potential Affiliates

Module 2: Service Provider will provide services to Company under the Agreement

Purpose(s) of the data transfer and further processing

To enable Service Provider to provide the Services to Company under the terms of the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Module 1: Data retained until no longer needed per the terms of the Company’s data retention policies

Module 2: Data retained until instructed by Company to remove, or until the Agreement or DPA is terminated, whichever is earliest.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

See above

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

We maintain and adhere to an internal, written Information Security Policy. You can visit the Social Snowball Trust Center (https://social-snowball.trustshare.com/home), which provides an overview of our security standards.

Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing Customer Personal Data in their Social Snowball account.

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Data encryption In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for free on every customer site hosted on the Social Snowball products. Our HTTPS implementation uses industry standard algorithms and certificates.

Data encryption At-rest: We store user passwords following policies that follow industry standard practices for security. We take a layered approach of at-rest encryption technologies to ensure Customer Data and Customer-identified Permitted Sensitive Data are appropriately encrypted.

Vulnerability Remediation Schedule: We maintain a vulnerability remediation schedule aligned with industry standards. We take a risk-based approach to determining a vulnerability’s applicability, likelihood, and impact in our environment.

ANNEX III TO THE STANDARD CONTRACTUAL CLAUSES

LIST OF SUB-PROCESSORS

Service Provider’s list of its current Sub-Processors is located at: https://help.socialsnowball.io/en/articles/11452398-social-snowball-sub-processors-page (“Sub-Processor List”)

SCHEDULE B

EU STANDARD CONTRACTUAL CLAUSES

Located at: Standard Contractual Clauses (SCC)

SCHEDULE C

UK Agreement to the EU Commission Standard Contractual Clauses

Located at: UK Addendum to the EU SCCs