MSA Appendix
Cleverbridge Solution Specific Terms: Service Provider Payment Routing

Click here to download this document as a PDF. 

These Solution Specific Terms apply to Client’s subscription for Cleverbridge’s payment routing services, and incorporate and become a part of the Master Subscription Agreement (MSA) found at Capitalized terms not defined within these Terms shall have the meaning set forth in the MSA or corresponding subscription schedule.

1. Base Services

1.1 Overview. Unless otherwise agreed, the Services described in this section are mandatory and any associated fees are set
     forth in the Subscription Schedule.

1.2 Definitions. Cleverbridge’s Internet storefront used by Client to sell Products to Customers under this Agreement shall be
       considered the “Online Store”. Any Client-supplied item that Client offers for sale using the Online Store shall be considered
       a “Product”. An Order shall be either (a) a new purchase request from a Customer for a Product, or (b) the renewal of an
       existing Order. Any entity or person placing an Order on the Online Store shall be considered a “Customer”.

1.3 Payment Routing. Client may procure payment routing services from Cleverbridge to enable a payment for an Order toa
       Client-owned bank account using a third-party supplier selected by Cleverbridge to process an Order and charge it to a
       Customer (such supplier being a “Payment Provider”). Upon Client’s request, Cleverbridge shall disable a payment method
       offered by a Payment Provider or payment routing service.

1.4 Order Management. For Order processing, Provider shall exchange Customer data with third-party systems (e.g., for tax
       calculation purposes) and store transaction data.

1.5 PCI-DSS Compliance. Cleverbridge is certified as compliant with the Payment Card Industry Data Security Standards (PCI
       DSS) and processes Orders in a PCI-DSS compliant manner.

1.6 Chargeback Notifications. Cleverbridge shall notify Client about Chargeback alerts if received from the respective Payment

1.7 Revenue Reporting. Client has access to standard Online Store revenue reports.

1.8 Access to Interfaces. Client shall have access to Cleverbridge’s API and webhook notifications (hereinafter “Interfaces”) for
       the purpose of using the Services. Client may use the Interfaces solely as provided and documented by Cleverbridge. Client
       acknowledges that the Interfaces are subject to regular updates. Cleverbridge shall notify Client of any material Interface
       changes or deprecations.

1.9 Customer Experience Funnels. Cleverbridge’s solution includes localized websites for specific business use cases, including
       checkout funnels, signup funnels, A/B testing, and Customer profiles enabling Customers to store Payment Methods. Any
       non-standard customizations occurring after the signing of this Agreement are subject to additional fees to be mutually

1.10 Service Availability. Time-periods during which Cleverbridge is technically unable to deliver an Online Store webpage to a
        Customer to place an Order shall be considered “Downtime”. Downtime commences when Cleverbridge detects an incident
        or when Cleverbridge receives notice from Client of an incident, whichever is earlier. Downtime ends when Customer’s ability
        to place an Order is restored or a reasonable workaround has been implemented. Planned maintenance, events outside of
        Cleverbridge’s (and its subcontractors) reasonable control as well as Force Majeure events shall not be considered
        Downtime. Cleverbridge shall calculate the uptime of the Online Store as follows: ((hours of operation – Downtime) ÷ hours of
        operation), all in minutes per calendar month (“Uptime”).

1.11 Service Credits. For each month during which the Uptime is below 99,90% on a rolling three-month basis, Client may claim
        from Cleverbridge a payment in the amount of 5% of the net Order-related Fees received by Cleverbridge within the last
        month under this Subscription Schedule during which Cleverbridge adhered to the above-mentioned service level (the
        “Service Credit”). Cleverbridge shall not be obliged to pay any Service Credit that Client claims more than six months after it
        became due. The Service Credits defined in this section shall constitute Client’s full and final settlement for any Online Store
        performance degradation.

1.12 Service Suspension. If (a) a third party announces legal measures or other proceedings against Cleverbridge, or (b) Client              breaches this Agreement or its agreement with Customer, or (c) Cleverbridge reasonably determines that the provision of the
        Services bears any legal or commercial risk, Cleverbridge is permitted, in its sole discretion, to suspend the Services
       (including subscription renewals) in full or in part at any given time without incurring any liability to Client.

1.13 Embargoed Countries and Sanctions Screening. Cleverbridge screens each transaction under this Agreement against
        various sanctions and denied parties list. Cleverbridge is unable to process any transaction with an embargoed country.
        Client agrees to provide Cleverbridge with the information Cleverbridge needs to perform such screenings.

2. Optional Services

2.1 Overview. The Services described in this section are optional and payable by Client at the agreed rates as set forth in the
       Subscription Schedule, or as later agreed by the Parties at the time of procuring the Optional Services. Optional Services are
       subject to mutually agreed additional fees.

2.2 Fraud Monitoring. Before processing an Order, Cleverbridge uses its fraud detection solution to determine the fraud risk.
       Client acknowledges that not all payment methods are subject to fraud monitoring and that the determination of a potential
       fraud is based on automatic processes driven by algorithms and block lists per payment type. Client acknowledges that
       Cleverbridge’s solution cannot prevent all fraudulent Orders from being executed. Cleverbridge shall be entitled to deny any
       Order that it reasonably deems fraudulent.

2.3 Tax Calculation. Cleverbridge may use Client’s tax calculation provider account for any required sales-tax related calculation

2.4 Product Price Conversion. If the Product retail price is not defined in the currency used to place an Order (the “Order
), Cleverbridge shall convert the Product Price from US-Dollars if Client is contracting with Cleverbridge Inc. or Euro
        in all other cases (the “Product Base Currency”) to the Order Currency using, at its discretion, use either (a) the lowest bid
        rate published (by a publicly available market data Cleverbridge), either on the day before the Order date or on the last day of
        the clearing period, or (b) the average rate published (by a publicly available market data Cleverbridge) during the timespan
        between the Order date and the last day of the clearing period (
the “FX-Rate”).

2.5 Storefront Design Services. Client may procure from Cleverbridge design and development services that Cleverbridge
        requires to operate the Online Store as requested by Client.

2.6 Customer Tracking Consent. Client may procure from Cleverbridge integration of Client's tracking consent service, subject
        to Cleverbridge’s approval.

2.7 Customer Communication Automation. Cleverbridge offers to automate Client’s email communication with Customers
Order-related events (such as an upcoming Order renewal). As part of this service, Cleverbridge shall send up to three
        payment reminders to any Customers by email who did not pay their Order. Cleverbridge shall not provide any dunning or
        other regulated services.

2.8 Cleverbridge Integrations. At Client’s option, Client may connect its account to certain platforms and applications using
        Cleverbridge's integrations. These platforms may take certain actions on Client’s behalf and access data available through
        Client's account, including Customer data. Client therefore authorizes Cleverbridge to share data with any platform or
        application that is configured in Client's Cleverbridge account (
e.g., through a control panel or APIs). Client may withdraw its
        authorization by removing the platform or application from Client's account. Client waives the right to bring any claims
        against Cleverbridge for losses Client incurs due to any actions or use of data by any platform or application connected to
        Client's account. Client will fully reimburse Cleverbridge for any loss Cleverbridge incurs that result from Client's actions or
        use of such data by any platform or application.

2.9 Subscription Management. Cleverbridge offers recurring billing support for subscription Products.

2.10 Global Invoice Generation. Cleverbridge offers to generate Client-branded invoices and pro-forma invoices for global
         Customers in PDF format. Client shall provide all information requested by Cleverbridge for global invoice compliance.

2.11 U.S. Tax Exemption Document Handling. Cleverbridge offers a process that allows United States Customers to submit their
        VAT exemption certificate to the Online Store for review by Client. Client can accept or reject the certificate. Cleverbridge
        shall consider any VAT exemption accepted by Client when processing an Order.

2.12 EU Reverse Charge Procedure. Cleverbridge offers a validation service of Customer EU VAT numbers through either the
         German or the European Union database. Cleverbridge shall utilize only an EU VAT identification number contained in either
         database when processing an Order. If the relevant database is unavailable, Cleverbridge has the right to suspend Order
         processing at its sole discretion. Valid EU VAT numbers shall be processed using the reverse charge principle (without VAT
         calculated on the invoice issued by Cleverbridge).

2.13 Chargeback Dispute Management. In case of an attempted or completed Order payment reversal for any payment method
        (including credit card and direct debit payments) that a Customer requested directly from his bank (a “Chargeback”),
        Cleverbridge shall attempt to resolve such Chargeback by providing the documentation required and further engaging in its
        resolution process with supported Payment Processors.

2.14 Chargeback Mitigation Service. Cleverbridge shall provide a service to process actual or potential Chargebacks in a
         manner that does not count against Client’s Chargeback rate with the respective Payment Processor. Cleverbridge does not
         warrant that it can prevent all Chargebacks.

2.15 Data Export. Upon Client’s request, Cleverbridge shall export to Client (and/or to Client’s PCI-DSS certified replacement
         Cleverbridge) all Customer payment data, that it legally can provide in compliance with global privacy laws, PCI-DSS
         requirements, and other applicable law or regulations. Client must provide Cleverbridge ninety calendar days notice to
         complete such export.

2.16 Consulting Services. For work that is outside of the scope of this Agreement, Cleverbridge offers various Consulting
         Services, subject to hourly fees.

3. Excluded Services

3.1  No Product Fulfillment. Client shall be solely responsible for, and Cleverbridge shall not engage in, any delivery or fulfillment
        of Products to Customers.

3.2 No Legal, Tax, or Customs Advice. Client acknowledges and agrees that Cleverbridge does not provide legal, tax, or
        customs advice or calculations. Client is solely responsible for its own legal, compliance, and tax policies, including any
        contract negotiations with Customers regarding an Order.

4. Client Cooperation Obligations

4.1 Setup Services. Client shall cooperate with Cleverbridge to integrate the mandatory and optional Client platform integrations
       stipulated in Sections 1 and 2, including, but not limited to, granting to Cleverbridge: (a) continuous access to all required
       integrations with third parties, including providing all required credentials, and (b) all approvals necessary for Cleverbridge to
       engage with such third parties. Cleverbridge disclaims all liability for any failures due to Client’s platform or third-party

4.2 Service Contributions. Client shall use its best commercial efforts to contribute to the Services as required by Cleverbridge,
        including, but not limited to, providing reasonably requested information for the purpose of Cleverbridge or Client complying
        with any law or regulation.

4.3 Intellectual Property Rights License. Client shall provide to Cleverbridge a royalty-free license to all its present and future
        worldwide copyrights, trademarks, trade secrets, patents, patent rights, moral rights, and other proprietary rights of any
        nature, to the extent required to provide the Services. Cleverbridge may sublicense this right to members of the Cleverbridge
        group of companies.

4.4 No Charges to Cleverbridge. Client shall fulfill, provide, and manage all Client Cooperation Obligations to Cleverbridge free
        of charge. Cleverbridge shall not be responsible for any delays or damages resulting from Client’s failure to fulfill its Client
        cooperation obligations or from any unavailability of Client’s platform integrations.

4.5 Information Obligation. Client shall regularly notify Cleverbridge of any changes in Products that may impact Cleverbridge’s
        provision of the Services. Client must also notify Cleverbridge of any geographic trade restrictions or license requirements it
        may be or become subject to.

4.6 Press Release. Client agrees to issue a joint press release with Cleverbridge no later than fourteen days after the Effective
        Date, announcing the appointment of Cleverbridge as Client’s eCommerce Services Cleverbridge. Client agrees to be a
        reference client of Cleverbridge and that Cleverbridge may disclose in its advertising, promotion, and similar public
        disclosures that Client is Cleverbridge’s client.

5. Refunds

5.1 Cleverbridge-induced Refunds. Cleverbridge shall be entitled, in its sole discretion, to cancel an Order and grant Customers
      an Order reversal that is no Chargeback (a “Refund”) if (a) Cleverbridge determines that an Order is fraudulent or likely to
      cause a Chargeback, or (b) if required by applicable law.

5.2 Refund Policy. Client shall communicate its Order Refund policy to Cleverbridge.

5.3 No Fee Refund. For the avoidance of doubt, Client shall not receive a Fee credit for any Refund.

5.4 Limitation of Duties. Except as expressly agreed, Cleverbridge shall not be obligated to process returns, warranty claims,
        Refund claims, or other claims for Client.

6. Warranties

6.1 Proper Business Conduct. Client warrants that he will refrain from using illegal, false, deceptive, or otherwise misleading
       business practices when (directly or indirectly, including through marketing affiliates) promoting Products.

6.2 Customer Tracking. Client warrants that it shall not invoke any marketing tracking or analytics tool by using the Online Store
        that has not been authorized by Cleverbridge. Client also warrants that it will not use any Customer Information received
        from Cleverbridge in breach of any applicable data privacy laws.

6.3 Sanction Screening. Client warrants that unless Cleverbridge performs sanction screening as stated in this Agreement,
        Client diligently performs all necessary denied party screening activities as required by all applicable laws and regulations
        and that it will deny the fulfillment of any Order from a sanctioned person or entity.

7. Data Protection

7.1 Data Processing Agreement. Cleverbridge’s provision of the Services is contingent upon the Parties acceptance of and
      adherence to the attached Data Processing Addendum.
The indemnification obligation under section 6 of the Agreement also
      applies to Client’s breaches of the Data Processing Addendum.

8. Product Terms for SEPA Direct Debit

8.1 Processing. Cleverbridge shall support Client in creating and maintaining a SEPA Direct Debit Transaction mandate to be
       used in a Customer invoice and in the Online Store (containing the creditor ID, the mandate reference ID, and the direct debit
       date when the Customer will be debited). Client is aware that during this process, the creditor ID of another Cleverbridge’s
       entity (Cleverbridge Financial Services GmbH, hereinafter “PSP”) will be used and communicated to the Customer with the
       pre-notification. In case of a recurring Transaction under an existing SEPA Direct Debit mandate, Client shall refrain from
       disabling Cleverbridge’s pre-notification functionality in the Online Store.

8.2 Termination of PSP Agreement. Cleverbridge shall stop processing any SEPA Direct Debit Transactions upon termination for
        any reason of the agreement between Client and PSP.

9. Product Terms for Full Liability Submitter (Payment Routing in US-only)

9.1 Overview. The terms in this section apply only if Client utilizes Cleverbridge’s Full Liability Submitter (“FLS”) model.

9.2 Geographic Restrictions. FLS is available for use only in conjunction with payment processing services offered in the United
        States by Paymentech, Inc. with the help of Cleverbridge, Inc.

9.3 Agreement with Payment Provider. To utilize FLS, Client must execute a separate agreement with the Payment Provider
        required by Cleverbridge.

9.4 Chargeback Notifications. Client shall pay to Cleverbridge the agreed Fee for Chargeback alerts.

9.5 Establishment of Rolling Reserve. The Parties agree that Client will fund a security deposit managed by Cleverbridge to
        cover for charges (including Chargeback fees, interchange fees, service provider or “scheme” fees, fines, payment fees, and
        penalties, whether disputable or not) from any Payment Provider to Cleverbridge under this Subscription Schedule (the
        “Rolling Reserve”). Upon execution of the Agreement, Client shall (a) provide the agreed amount for the Rolling Reserve, if
        applicable and (b) during the first year (and unless otherwise agreed), Client shall fund the Rolling Reserve with 3,5% of the
        transaction volume (including VAT) of all Orders. Alternatively, Client shall be entitled to fund the Rolling Reserve by
        furnishing a first-demand bank guarantee.

9.6 Adjustment of Rolling Reserve. Upon expiration of the first year of the Term of this Agreement, Cleverbridge shall
        recalculate the Rolling Reserve at the end of each calendar quarter at its discretion based on the actual risk of the Service to
        Cleverbridge so that the rolling reserve amounts covers this risk as assessed by Cleverbridge. The minimum rolling reserve
        shall be the equivalent of €50,000, and the maximum shall be 1% of the aggregated gross revenue during the preceding
        twelve months plus the Reserve Security Deposit. If the bank guarantee deviates by more than 15% from the required rolling
        reserve, Client will change the amount of such bank guarantee to reflect the agreed amount.

9.7 Currency Conversion. For all Customer payments processed in a currency other than the Product Base Currency,
        Cleverbridge shall convert the Customer payment currency to the Product Base Currency using the FX-Rate. Cleverbridge
        shall charge the currency conversion fee agreed in the relevant Subscription Schedule.

9.8 Additional Indemnification. In addition to Client’s indemnification obligations elsewhere in the Agreement, Client further
        agrees to indemnify Cleverbridge for all fines, fees, penalties, liabilities, charges, and other amounts which may be imposed
        or assessed by the card networks or other payment scheme on Cleverbridge as a result of Client’s actions, omissions,
        including, but not limited to, its engagement in prohibited business activities, merchant categories, or transaction types;
        payments by or to Customers; Chargebacks; Client’s failure to comply with the Card Network Rules, Payment Provider Rules,
        this Agreement, or any agreed security standards.

9.9 Federal Income Tax Reporting. Client authorizes Cleverbridge to share with Payment Provider certain required taxpayer
        information in connection with Customer transactions processed under this Agreement. Cleverbridge shall provide only that
        information which Payment Provider represents is necessary to fulfill Payment Provider’s reporting obligations imposed by
        the United States Internal Revenue Service. Client agrees to provide Cleverbridge with its Form W-9 or Form W-8 BEN-E and to
        cooperate with Cleverbridge’s reasonable requests in connection with collecting the information referenced in this section.

9.10 Right of Termination or Suspension. Cleverbridge has the right to immediately terminate the Agreement for cause if
          Cleverbridge, in its sole discretion, deems Client’s Chargeback Rate excessive. Cleverbridge further has the right to suspend
          Client’s right to transact if, in Cleverbridge’s sole discretion, Client engages in fraudulent, unusual, or otherwise prohibited
          transactions; Client is no longer in good standing; or Cleverbridge’s continued association with Client would damage
         Cleverbridge’s reputation.

Ex. 1
Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered by Client (hereinafter referred to as “Controller”) and Cleverbridge (hereinafter referred to as “Processor”) and it covers all data processing activities by Processor for Controller under the Master Subscription Agreement (“MSA” or “Agreement”).

1. Processing of Customer Data

1.1 Role of the Parties. The Parties agree that Client is the Controller and Cleverbridge is the Processor with respect to all
     Customer Data Processed in connection with the Services provided under the Agreement. Cleverbridge is acting as Processor
     on Client’s behalf.

1.2 Processor Obligations. Processor will process Customer Data only in accordance with (a) this DPA, (b) Controller’s
       documented instructions, or (c) applicable Data Protection Legislation. Processor will not modify or alter the Customer Data
       and will respect the confidentiality of the Customer Data in its role as Processor. Processor will ensure that any Sub
       Processor is bound to the same confidentiality and data handling obligations as Processor under this DPA. Processor will not
       disclose Customer Data to or permit access to unauthorized third parties.

1.3 Controller Obligations. Controller warrants that it has the required Customer consent to instruct Processor to process
       Customer Data. Controller warrants that any Processing instructions provided to Cleverbridge comply with all applicable Data
       Protection Legislation, and that Cleverbridge’s Processing of Customer Data in accordance with Controller’s instructions will
       not cause Cleverbridge to be in breach of this DPA or the GDPR.

1.4 Processing Description. The purpose of the processing is to provide Controller with payment routing, an ecommerce
       platform, and various ecommerce services to support Controller’s sale of its Products to Customers. The nature of the
       processing is to perform payment routing whereby Processor passes payment data from Customer to the clearing and
       settlement system of a Payment Service Provider so that Customer’s purchase of Client’s Product may be completed.
       Furthermore, the purpose of the processing is to provide payment processing services necessary to complete a transaction
       whereby Customer purchases a Controller Product. The nature of the processing is to manage Customer transactions, which
       includes but is not limited to payment matching, reporting, and reconciling for payment methods used, consolidated payouts
       and settlements, as well as payment routing.

1.5 Type of Personal Data. Processor shall process the following types of personal Information from visitors to Processor’s Online
       Store or Customers: (a) name, (b) email address, (c) postal code, (d) postal address, (e) payment method including credit card
       information, (f) IP address, (g) website tracking information, (h) Internet service Cleverbridge information, (i) device
       information (including device ID and site-visit behavior), (j) Order number, (k) browser information (type, language, version,
       screen size, etc.). Processor will not solicit Sensitive Data from visitors or Customers and will not knowingly process such
       Sensitive Data.

1.6 Sub-Processors. Processor may engage Sub-Processors as is necessary to perform the Agreement. Controller agrees that
       (a) Processor’s Affiliates may be retained as Sub-Processors; and (b) Processor and/or its Affiliates may engage third-party
       Sub-Processors in connection with the provision of the Agreement.

1.7 Sub-Processor Obligations. Processor warrants that for any Sub-Processor it engages, it will enter into a written agreement
       with the Sub-Processor containing data protection obligations like and no less protective than those contained in this DPA. If
       a Sub-Processor fails to comply with its data protection obligations under such written agreement, Processor will remain
       liable to Controller for the Sub-Processor’s performance. A current list of Sub-Processors can be found at

1.8 Requests from Data Subjects. Processor will inform Controller of any formal requests by Data Subjects exercising their
       rights under applicable Data Protection Legislation and will not respond to such requests unless instructed otherwise in
       writing by Controller.

1.9 Breach Notification. Should Processor become aware of a Personal Data Breach affecting Customer Data, Processor shall
       notify Controller without undue delay, and it shall take reasonable steps to provide Controller with information to allow
       Controller to comply with any obligations to inform Data Subjects under applicable Data Protection Legislation.

1.10 Data Retention. Processor is required to comply with global regulations, some of which require Processor to retain
        Customer Data for as long as is necessary to perform the Agreement. In general, Processor deletes Customer Data as soon
        as it is no longer required under statutory retention periods or other applicable law, as set forth in its own Privacy Policy here: Processor shall, however, follow Controller’s data retention policy, which
        Controller shall make available to Processor. In the event Controller does not provide Processor with such policy, Processor
        shall use its own, as set forth above.

1.11 Data Deletion. As soon as is reasonably practicable upon termination of this DPA, Processor will return or destroy any files
       containing Customer Data unless prevented from doing so by applicable law or for a justifiable business purpose.

2. Technical and Organizational Measures

2.1 PCI-DSS Measures. Processor shall (a) encrypt storage and procure masked display of credit card information, (b) maintain
       individual administrator-IDs for data processing systems and enforcement of secure passwords, (c) minimize storage of credit
       card information to a minimum, (d) maintain lists of data processing machine inventory as well as implementation of PCI
       recommended measures to prevent their tampering, credit card storage systems, public network transmission of Personal
       Data to and from Payment Providers, (e) perform data backups in accordance with PCI-DSS recommendations.

2.2 Physical Security. Processor shall (a) operate databases containing payment information in secure and datacenters, (b)
        procure that its production servers are air-conditioned, protected against fires and have a backup power (c) restrict access to
        server-rooms to authorized personnel only, (d) require visitors in a Processor building to be always escorted, (e) operate
        CCTV and/or post a security guard in selected buildings, (f) prepare emergency response procedures in case a building
        experiences an emergency.

2.3 Security Incident Prevention and Response. Processor shall (a) maintain an Incident Response Plan and a risk management
        process, (b) conduct regular vulnerability scans and penetration tests; (c) deploy and regularly update intrusion detection or
        prevention systems on all systems and workstations, (d) specify criteria for secure development of in-house applications,
        including a dual control principle security risk review, (e) report all security incidents through appropriate management and
        security incident reporting channels as quickly as possible, (f) make all employees and contractors aware of the procedures
        for reporting the security incidents.

2.4 User Access Management. Cleverbridge shall implement (a) restrictions to roles and access rights, using a need-to-know
        principle, (b) logging and protocol evaluation systems, (c) strong cryptography and security protocols, (d) certified processes
        and procedures to prevent disclosure or misuse of cryptographic keys, (e) access controls, alarm systems, and/or server
        rooms, and/or data centers, (f) demilitarized zones and/or firewalls to protect the internal company network against web
        based attacks, (g) separate production environment from development and test environments, (h) audit trails of individual
        use of systems, (i) systems to detect unauthorized changes to critical systems, configurations, and/or content files, (k)
        secure connections and mutual certificate authentication requirements to access all client-facing environments, (l)
        restrictions on media dissemination based on risk classification.

2.5 Record of Processing Activities. Processor shall maintain a record of all categories of processing activities carried out for              Controller’s to the extent required to enable Controller to comply with its obligations under applicable Data Protection
and require any sub-processors to do the same.

2.6 Management of Personnel and Third Parties. Processor shall (a) take reasonable steps to ensure any person authorized to
        process personal data shall maintain confidentiality, (b) maintain policies and procedures to determine whether personnel
        and third parties engaged by Processor are suitable for their roles, (c) provide appropriate security training and information,
        such as its security awareness program, which provides training and awareness on corporate security policies and
        compliance with PCI-DSS.

2.7 Business Continuity. Processor shall maintain business continuity and disaster recovery plans designed to maintain
        Processor’s delivery of the Services with minimal interruption. Each plan will detail measures to support the restoration of full
        operations as soon as possible after an emergency. The plans will address the need for failover capability and provision of an
        alternate recovery site based upon the criticality of the business functions, with input from the business owners. Plans will
        be periodically tested to make Processor’s most critical business applications readily available in the event of a declared
        disaster. Backups will be stored offsite from the primary data source to support the recoverability of data importer systems in
        the event of a disaster.

3. Miscellaneous

3.1 Audit. Upon reasonable, written request (and no more than once per year), Processor will make available to Controller or
      third-party auditor, any information that is reasonably necessary to demonstrate compliance with this DPA.

3.2 Term and Termination. This DPA terminates in accordance with the Termination clause in the Agreement.

3.3 Liability and Indemnification. Subject to GDPR, CCPA, and any other applicable law, the total liability of Processor toward
        Controller whether in contract, tort or under any other theory of liability, is subject to the applicable Limitation of Liability
        clause in the Agreement. Controller agrees to indemnify and hold harmless Processor against all claims, actions, third party
        claims, losses, damages, and expenses incurred by Processor arising directly or indirectly out of or in connection with a
        breach by Controller of this DPA.

3.4 Governing Law. The Parties agree that the Governing Law provision in the Agreement shall apply to this DPA as well.

3.5 Conflicting Provisions. If a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA
        shall prevail.

3.6 Updates to Data Privacy Regulations. In the event of change to the GDPR, CCPA, or other applicable Data Protection
        Legislation, the Parties will promptly review this DPA and proceed with good faith negotiations to agree on any changes
        necessary to comply with the law.

4. Definitions

4.1 Customer means an entity or person buying a Product on the Cleverbridge Online Store.

4.2 Customer Data means all Personal Data collected in connection with the provision of Services.

4.3 Data Protection Legislation means all laws, regulations, and governmental requirements applicable to the processing of
        Customer Data or any replacement legislation, as applicable, including, but not limited to, the General Data Protection
        Regulation 2016/679 (“GDPR”) and California Consumer Privacy Act (“CCPA”).

4.4 Sensitive Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs,
        trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.

4.5 Sub-Processor means any entity or person appointed by Processor to process Customer Data for Processor at the
        direction of Controller.

4.6 Data Subject”, “Processing”, “Personal Data”, and “Personal Data Breach” have the meanings given under GDPR.


Last updated November 1, 2023