Cobrand Data Processing Addendum

Effective Date: August 26, 2025.

This Data Processing Agreement (the “DPA”) between Cobrand and Customer is incorporated into and forms part of the Agreement between Cobrand and Customer and shall be effective on: i) the effective date of the Agreement; or ii) if Customer has entered an Agreement with Cobrand prior to the DPA updated data above, the DPA shall be effective on the DPA updated date and shall replace any previously-agreed data protection and security terms (the “Effective Date”).

1. Definitions

“Account Information” means information referring to Customer and its Authorized Users (business users) that is provided or generated as part of Customer’s account creation, use, or maintenance. For avoidance of doubt, Account Information does not include Customer Personal Data.

“Applicable Data Protection Laws” means all laws, rules, regulations, or other governmental requirements, as amended, applicable to Cobrand’s processing of Customer Personal Data.

“Customer Personal Data” means Personal Data processed by Cobrand in the role of processor or service provider in connection with Customer’s use of the Services.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in the Data Protection Act 2018.

“Personal Data” means any information relating to an identified or identifiable individual that is processed in connection with the Services, or as similar terms are defined in Applicable Data Protection Laws.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data.

“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

“Subprocessor” means third-party processors, which may include Cobrand affiliates, appointed by Cobrand to process Customer Personal Data in connection with its provision of the Services.

“UK Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018.

“US Privacy Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Customer Personal Data, privacy and/or data protection in force from time to time in the United States.

1.2 The terms “controller”, “business”, “processor”, “data subject”, “process”, “supervisory authority” “sell”, and “service provider” shall have the same meaning as set out in the Applicable Data Protection Laws.

2. Relationship with the Agreement

2.1 This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Customer Personal Data.

3. Cobrand Processing of Personal Data

3.1 The Parties acknowledge and agree that, with regard to the processing of Customer Personal Data in connection with the Services and as between Customer and Cobrand, Customer shall act as controller or business and Cobrand shall act as processor or service provider.

3.2 Cobrand shall act as controller for Account Information, certain Personal Data collected for purposes of securing or administering the services, certain Personal Data permissibly processed for Cobrand’s independent purposes, and social media data collected and maintained by Cobrand independent of Customer’s instruction (“Cobrand Personal Data”). If Cobrand connects, enriches, or otherwise processes copies of Cobrand Personal Data in connection with Customer Personal Data, the combined data shall be considered Customer Personal Data and Cobrand shall act as processor. Cobrand shall process Cobrand Personal Data as set out in Cobrand’s privacy policy.

3.3 Cobrand shall only Process Customer Personal Data on behalf of and in accordance with Customer’s instructions according to the Agreement and in accordance with Cobrand’s role as processor or service provider under Applicable Data Protection Law. Cobrand shall treat Customer Personal Data as Confidential Information as defined in the Agreement. Customer instructs Cobrand to process Customer Personal Data to: i) provide the Services in accordance with the Agreement and applicable order form; and ii) as reasonably further instructed by Customer in accordance with this DPA. Cobrand shall immediately inform Customer if, in Cobrand’s reasonable opinion, an instruction by Customer would result in Cobrand processing Customer Personal Data in violation of Applicable Data Protection Law.

4. Subprocessors

4.1 Customer grants Cobrand general authorization to engage subprocessors as reasonably necessary for performance of the Services. Cobrand shall require all subprocessors to agree in writing to process Customer Personal Data in compliance with requirements no less protective than those set forth in this DPA. Cobrand shall be liable for the acts and omissions of its subprocessors to the same extent Cobrand would be liable if it performed such acts and omissions itself. Where required by Applicable Data Protection Law, Cobrand shall notify Customer in advance of any new or changed subprocessors and provide a reasonable opportunity to object if Customer has a reasonable basis to believe the use of a subprocessor violates Applicable Data Protection Law.

5. Data Subject Rights

5.1 As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data (“Data Subject Request”). Cobrand will forward to Customer without undue delay any Data Subject Request received by Cobrand or any subprocessor from an individual in relation to their Customer Personal Data and may advise the individual to submit their request directly to Customer.

5.2 Taking into account the nature of the processing, and to the extent required under Applicable Data Protection Law, Cobrand shall provide Customer reasonable assistance, including self-service functionality, insofar as necessary and possible, (i) to enable Customer to comply with Data Subject Requests; and (ii) to carry out any reasonable instruction from Customer to amend, transfer, or delete any Customer Personal Data. Cobrand reserves the right to charge a reasonable fee where such assistance requires non-trivial allocation of personnel or resources.

6. Security and Audits

6.1 Cobrand will implement and maintain appropriate technical and organizational measures designed to ensure security of Customer Personal Data, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Customer Personal Data) and against accidental loss, destruction, or damage of or to it. Such technical and organizational measures include the measures set out in Schedule 2. Cobrand may update or modify these security measures from time to time, provided that such updates and/or modifications do not materially reduce the overall level of protection afforded to the Customer Personal Data by Cobrand.

6.2 Customer or an independent third-party auditor reasonably acceptable to Cobrand may audit Cobrand’s compliance with its obligations under this DPA up to once per year, or more frequently in the event a Security Incident has occurred or to the extent required by Applicable Data Protection Laws.

6.3 To request an audit, Customer must submit a detailed proposed audit plan to Cobrand at least 30 days in advance of the proposed audit date. Cobrand will review the proposed audit plan and work cooperatively with Customer to agree on a final audit plan. All audits must be conducted during regular business hours, subject to the agreed final audit plan and may not unreasonably interfere with Cobrand business activities.

6.4 Customer will promptly notify Cobrand of any potential non-compliance discovered during the course of an audit and provide Cobrand any audit reports generated in connection with an audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. All Cobrand information and documentation, including audit reports, produced in connection with an audit under this section are Cobrand Confidential Information. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

6.5 All audits under this section are at Customer’s expense. Customer shall reimburse Cobrand at reasonable market rates for any time expended by Cobrand or its subprocessors in connection with such audits.

6.6 Customer acknowledges and agrees that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 2 are appropriate to ensure the security of the Customer Personal Data.

7. Security Incidents

7.1 Cobrand shall promptly notify Customer of any Security Incident in the event of any breach of this DPA, Applicable Data Protection Laws or any instruction by Customer in connection with the processing of Customer Personal Data under this DPA. Cobrand shall notify Customer in writing without undue delay upon becoming aware of any Security Incident. Cobrand shall reasonably cooperate in any Customer investigation of such Security Incidents and any obligation of Customer under Applicable Data Protection Laws to notify individuals, supervisory authorities, governmental or other regulatory authority, or the public in connection with the Security Incident. Cobrand shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Customer timely information including, but not limited to, the nature of the Security Incident, measures taken to mitigate or contain the Security Incident, and the status of Cobrand’s investigation. Cobrand’s notification of or response to a Security Incident under this section will not be construed as an acknowledgement by Cobrand of any fault or liability with respect to the Security Incident.

8. Return and Deletion of Data

8.1 Upon Customer request prior to the termination of the Agreement, Cobrand shall return a copy of all Customer Personal Data or provide self-service functionality allowing Customer to do the same. Cobrand shall delete, and use reasonable efforts to cause its subprocessors to delete, all copies of Customer Personal Data within 90 days of the termination or expiry of the Agreement.

9. International Data Transfers

9.1 Where required for compliance with Applicable Data Protection Laws, the parties agree that, as appropriate to the roles of the parties, the terms of the Standard Contractual Clauses Module Two (Controller to Processor) or Module Three (Processor to Processor) shall apply. The SCCs, as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the parties and apply to any transfers of Customer Personal Data from Customer (as data exporter) to Cobrand (as data importer).

9.2 Cobrand shall reasonably support Customer’s compliance with the requirements imposed on the transfer of Customer Personal Data to third countries with respect to the SCCs. Cobrand will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA”). Cobrand further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Customer’s compliance with requirements imposed on the transfer of Customer Personal Data to third countries. Cobrand may charge Customer, and Customer shall reimburse Cobrand, for any assistance provided by Cobrand with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Customer.

10. Customer Personal Data Subject to UK or Swiss Law

To the extent that the processing of Customer Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 5 shall apply.

11. Customer Personal Data Subject to US Law

To the extent that the processing of Customer Personal Data is subject to US Privacy Laws, the US Privacy Laws Addendum set out in Schedule 6 shall apply.

─────────────────

SCHEDULE 1

DETAILS OF PROCESSING

PART 1 LIST OF PARTIES

1. Data Exporter

Customer established or operating in the EEA, UK and/or Switzerland.

The contact details for data exporter’s contact person, data protection officer, and/or representative (where relevant) will be provided to Cobrand prior to data exporter transferring Customer Personal Data to Cobrand from the EEA, UK, and/or Switzerland.

The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter’s use of the Services as described in this Schedule 1 and in the Agreement.

2. Data Importer

Cobrand Corporation, Inc.,

36 Maplewood Ave,

Portsmouth, NH, 03801

The data importer’s contact person can be contacted at [email protected].

The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes Customer Personal Data provided by the data exporter on behalf of the data exporter in connection with providing the Services.

PART 2 DESCRIPTION OF TRANSFER

1. Categories of data subjects

The categories of data subjects whose Personal Data are transferred:

End Users who interact with Customer systems, the Services, and/or have subscribed to marketing communications from Customer.

2. Categories of Personal Data

The transferred categories of Customer Personal Data are:

Customer Data of End Users determined by Customer to be imported into or collected by the Services. This may include name, phone number, email address, address data, IP address, device identifiers, usage data, and/or behavioral data.

Moreover, Customer may include further Personal Data of data subjects as specified above (in particular in unstructured form) in connection with their use of the Services according to the Agreement.

3. Special categories of Customer Personal Data (if applicable)

The transferred Customer Personal Data includes the following special categories of data: N/A

The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: N/A

4. Frequency of the transfer

The frequency of the transfer is: The transfer is performed on a continuous basis and is determined by Customer’s configuration of the Services.

5. Subject matter and nature of the processing

The subject matter of the processing is: to provide direct marketing, analytics, and social media marketing services to Customer.

6. Purpose(s) of the data transfer and further processing

The purpose/s of the data transfer and further processing is: to provide the Services to Customer pursuant to the Agreement so that Customer can analyze customer data, enhance its customer relationships and send marketing and other communications to its customers.

7. Duration

The period for which the Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: the duration shall be the same as the Term of the Agreement.

8. Sub-processor (if applicable)

For transfers to sub-processors, specify subject matter, nature, and duration of the processing: Subprocessors may have access to the Customer Personal Data for the Term of the Agreement or until the service contract with the respective subprocessor is terminated or the access by the subprocessor has been excluded as agreed between Cobrand and Customer.

PART 3 COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established within the EEA: The supervisory authority of the country in which the data exporter established is the competent authority.

Where the data exporter is not established in the. EEA, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the member state in which the representative is established.

Where the data exporter is not established in the. EEA, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie/).

─────────────────

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL MEASURES

Taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons, Cobrand has implemented reasonable technical and organizational measures to ensure an appropriate level of security for Customer Data.

1. Utilization of commercially available and industry standard encryption technologies for Customer Personal Data that is: (a) being transmitted by Cobrand over public networks (i.e., the internet) or when transmitted wirelessly; or (b) at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).

2. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).

3. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Cobrand’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Cobrand’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.

4. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

5. Network security controls that provide for the use of firewall systems, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

─────────────────

SCHEDULE 3

STANDARD CONTRACTUAL CLAUSES

For the purposes of the Standard Contractual Clauses:

1. Module Two shall apply in the case of Cobrand acting as a processor of Customer and Module Three shall apply in the case of Cobrand acting as a subprocessor of Customer who is acting as a processor of Customer’s customer.

2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.

3. Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is determined in section 4 of the DPA.

4. The option in clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

5. With regard to clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option one shall apply. The parties agree that the governing law shall be the law of the member state in which Customer is established or, if Customer is not established in a member state of the EEA, the laws of Ireland shall apply.

6. In clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the member state in which Customer is established or, if Customer is not established in a member state of the EEA, the laws of the Republic of Ireland.

7. For the Purpose of Annex I of the Standard Contractual Clauses, Schedule 1 contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.

8. For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.

9. The specifications for Annex III of the Standard Contractual Clauses, are determined by Section 4 of the DPA. The subprocessor’s contact person’s name, position and contact details will be provided by Cobrand upon request.

─────────────────

SCHEDULE 4

SUPPLEMENTARY MEASURES

Cobrand shall implement supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Customer Personal Data in relation to the processing in a third country, as described in this Schedule 4.

1. Additional Technical Measures (Encryption)

1.1 The Customer Personal Data is transmitted (between the Parties and by Cobrand between data centers as well as to a Sub-processor and back) using strong encryption.

1.2 The Customer Personal Data at rest is stored by Cobrand using strong encryption.

2. Additional Contractual Measures

2.1 Transparency obligations

(a) Cobrand declares that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or Customer Personal Data, (2) it has not purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or systems, and (3) that national law or government policy does not require Cobrand to create or maintain back doors or to facilitate access to Customer Personal Data or systems or for Cobrand to be in possession or to hand over the encryption key.

(b) Cobrand will verify the validity of the information provided for the TIA questionnaire on a regular basis and provide notice to Customer in case of any changes without delay. Clause 14(e) of the SCCs shall remain unaffected.

2.2 Obligations to take specific actions

In case of any order to disclose or to grant access to the Customer Personal Data, Cobrand commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for Cobrand.

2.3 Empowering data subjects to exercise their rights

(a) Cobrand commits to fairly compensate the data subject for any material and non-material damage suffered because of the disclosure of his/her Personal Data transferred under the chosen transfer tool in violation of the commitments it contains.

(b) Notwithstanding the foregoing, Cobrand shall have no obligation to indemnify the data subject to the extent the data subject has already received compensation for the same damage.

(c) Compensation is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Cobrand’s infringement of the GDPR.

3. Additional obligations in case of requests or access by public authorities

3.1 Cobrand shall promptly inform Customer:

(a) Of any legally binding requests from a law enforcement or other government authority (“Public Authority”) to disclose the Customer Personal Data shared by Customer; such notification shall include information about the Customer Personal Data requested, the requesting authority, the legal basis for the request and the response provided. Such notification shall occur prior to the disclosure of any Customer Personal Data in response to such requests.

(b) If it becomes aware of any direct access by public authorities to transfer Customer Personal Data in accordance with the laws of the country of destination, such notification shall include all information available to Cobrand.

(c) If Cobrand is prohibited from notifying Customer and/or the data subject, Cobrand agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicate as much information and as soon as possible. Cobrand agrees to document its best efforts in order to be able to demonstrate them upon request of the data exporter.

3.2 Cobrand agrees to review, under the laws of the country of destination, the legality of the public authority’s request, notably whether it remains within the powers granted to the requesting public authority and exhaust all available remedies to challenge the request if, after a careful assessment, Cobrand concludes that there are grounds under the laws of the country of destination to do so. This includes requests under section 702 of the United States Foreign Intelligence Surveillance Court or Executive Order 12333. When challenging a request, Cobrand shall seek interim measures with a view to suspend the effects of the request until the court has decided on the merits. Cobrand shall not disclose or provide access to the Customer Personal Data requested until required to do so under the applicable procedural rules and, at such time, shall provide only the minimum amount of information required to comply with the request, based on a reasonable interpretation of the request.

3.3 Cobrand agrees to preserve the information required to comply with this Schedule 4 for the duration of the Agreement and, unless prohibited by applicable law, make it available to the competent supervisory authority upon request and when required by applicable law.

─────────────────

SCHEDULE 5

UK AND SWISS ADDENDUM

1. UK ADDENDUM

With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Customer (as data exporter) to Cobrand (as data importer):

1.1 This UK Addendum shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the UK Addendum.

1.2 In accordance with clause 17 of the UK Addendum, the parties agree that the information in tables of Part 1 of the UK Addendum are specified in Schedule 1 of this DPA.

1.3 The selected Modules and Clauses to be determined according to Table 2 of the UK Addendum are further specified in Schedule 3 of this DPA as amended by the UK Addendum.

1.4 Annex 1 A and B of Table 3 to the UK Addendum are specified by Schedule 1 of this DPA, Annex II of the UK Addendum is further specified by Schedule 2 of this DPA, and Annex III of the UK Addendum is further specified by Schedule 1 clause B.10 of this DPA.

1.5 Cobrand (as data importer) may end this DPA, to the extent the UK Addendum applies, in accordance with clause ‎19 of the UK Addendum.

1.6 Clause 16 of the UK Addendum shall not apply.

2. SWISS ADDENDUM

This Swiss Addendum shall apply to any processing of Customer Personal Data subject to Swiss data protection law or to both Swiss data protection law and the GDPR.

2.1 Interpretation of this Swiss Addendum

(a) Where this Swiss Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Schedule 3 of this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

(i) “Clauses” means The Standard Contractual Clauses as further specified in Schedule 3 of this DPA.

(ii) “Swiss Data Protection Laws” means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

(b) The Swiss Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

(c) The Swiss Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

(d) Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after the Swiss Addendum has been entered into.

2.2 Precedence

In the event of a conflict or inconsistency between the Swiss Addendum and the provisions of the Clauses or other related agreements between the Parties, the provisions which provide the most protection to data subjects shall prevail.

2.3 Incorporation of the Clauses

(a) In relation to any processing of Customer Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, the Swiss Addendum amends the DPA including as further specified in Schedule 3 of this DPA to the extent necessary so they operate:

(i) for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and

(ii) to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

(b) To the extent that any processing of Customer Personal Data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 3 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation):

(i) References to the “Clauses” or the “SCCs” means this Swiss Addendum as it amends the SCCs and

(ii) Clause 6 Description of the transfer(s) is replaced with:

“The details of the transfer(s), and in particular the categories of Customer Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”

(iii) References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable.

(iv) References to Regulation (EU) 2018/1725 are removed.

(v) References to the “European Union”, “Union”, “EU”, “member state”, and “EEA” are all replaced with “Switzerland”.

(vi) Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws;

(vii) Clause 17 is replaced to state: “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws”.

(viii) Clause 18 is replaced to state: “Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.

2.4 To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 3 of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.

2.5 Customer warrants that it has made any notifications to the FDPIC which are required under Swiss Data Protection Laws.

─────────────────

SCHEDULE 6

US PRIVACY LAWS

This US Privacy Laws addendum shall apply to any processing of Customer Personal Data subject to US Privacy Laws.

1.1 Cobrand shall ensure that it Processes Customer Data fairly and lawfully on behalf of and in accordance with Customer’s lawful instructions, including as set forth in the Agreement and any applicable Order Form, and in compliance with applicable laws. Cobrand shall not, as defined by applicable laws, (i) sell Customer Data; or (ii) retain, use, or disclose Customer Data for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by US Privacy Law.

1.2 To the extent that the CCPA applies to the Processing of Customer Personal Data under the Agreement, Cobrand is prohibited from (i) retaining, using, or disclosing the Customer Personal Data outside of the direct business relationship between Cobrand and Customer unless expressly permitted by the CCPA; and (ii) combining the Customer Personal Data which Cobrand receives, pursuant to the written Agreement with Customer, with Customer Personal Data which it receives from another source, or collects from its own interaction with the End User, unless expressly permitted by the CCPA. Cobrand certifies that it understands the foregoing restrictions and will comply with them.