Data Processing Addendum

Last revised: February 25, 2025

EX.CO Technologies Ltd. or its affiliates (“Company”) and you (“Partner”, each a “Party”, together the “Parties”), have entered into a principal agreement (“Agreement”), in the context of which Personal Data is disclosed to or processed by the Company, and are agreeing to this Data Processing Addendum, including Schedule A and Annexes I-II (“DPA”). This DPA is entered into by Company and Partner and supplements the Agreement. This DPA will be effective, and replaces any previously applicable terms relating to its subject matter, from the Effective Date of the Agreement.

By accepting this DPA (personally or on behalf of Partner), you warrant that: (a) you have full legal authority to enter into this DPA; (b) you have read and understood this DPA and agree to its terms. If you do not have the legal authority to enter into this DPA on behalf of yourself or Partner, please do not accept this DPA.

  1. Introduction

    • This DPA reflects the Parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
    • Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws.
    • In the event and to the extent that the Data Protection Laws impose stricter obligations on the parties than under this DPA, the Data Protection Laws shall prevail

  2. Definitions and Interpretation

    • In this DPA:
      • Approved Jurisdiction” means a jurisdiction approved as having adequate legal protections for data by the European Commission (currently available here), the UK Information Commissioner’s Office (currently available here), or the Swiss Federal Data Protection and Information Commissioner (“FDPIC“) (currently available here), all as applicable.
      • Data Protection Laws” means, any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications; “ePrivacy Directive”), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR“), the Swiss Federal Act on Data Protection (“FADP”), US Data Protection Laws, and any amendments or replacements to the foregoing.
      • Data Subject” means a natural person to whom Personal Data relates. Where applicable, the term Data Subject shall include “Consumer“, as this term is defined under US Data Protection Laws.
      • Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access, to Personal Data. For the avoidance of doubt, any “Personal Data Breach” (as defined under the GDPR) or any equivalent term under Data Protection Laws will comprise a Security Incident.
      • Special Categories of Personal Data“ means personal data as defined under Article 9 of the GDPR and where applicable, “Sensitive Personal Information” or other equivalent term as defined under Data Protection Laws.
      • Standard Contractual Clauses” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021, as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
      • UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which entered into force on 21 March, 2022, as available here: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.
      • US Data Protection Laws” means, any and all applicable laws, rules, acts, decrees, directives, regulations and binding regulatory guidance, on any state or federal level, pertaining to data privacy, data security and the protection of Personal Data, including, without limitation, in California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Florida, Montana, Iowa, Delaware, New Jersey, New Hampshire, Nebraska, as well as any future laws, amendments, or regulations that may be enacted or promulgated governing data protection within the United States.
      • The terms “controller”, “Personal Data” “process(ing)” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, controller shall be deemed “Business“, processor shall be deemed “Service Provider“ or “Contractor”, and Personal Data shall be deemed “Personal Information” as these terms are defined under US Data Protection Laws.
      • Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

  3. Application of this DPA

    • This DPA will only apply to the extent all of the following conditions are met:
      • Company processes Personal Data that is made available by the Partner in connection with the Agreement;
      • Any of the Data Protection Laws apply to the processing of Personal Data.
    • This DPA will only apply to the services for which the parties agreed to in the Agreement (“Services”), which incorporates the DPA by reference.

  4. Roles and Restrictions on Processing

    • The duration, nature and purposes of the processing, as well as the types of Personal Data processed and categories of Data Subjects processed under this DPA are further specified in Annex I of this DPA.
    • Independent Controllers. Each Party:
      • Is an independent controller of Personal Data under the Data Protection Laws;
      • Will individually determine the purposes and means of its processing of Personal Data; and
      • Will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data.
    • Disclosing Personal Data. In performing its obligations under the Agreement, Partner may disclose Personal Data to the Company. Each Party shall process Personal Data only for the purposes set forth in the Agreement or as otherwise agreed to in writing by the parties. Partner shall not share with the Company any Personal Data (i) that allows Data Subjects to be directly identified (for example by reference to their name and e-mail address), or (ii) that contains Special Categories of Personal Data or personal data relating to minors.
    • Lawful Grounds and Transparency. Each Party shall maintain a publicly-accessible privacy policy on its mobile apps and websites that is available via a prominent link that satisfies transparency disclosure requirements of Data Protection Laws. It is hereby clarified that Partner is the initial Controller of Personal Data. Where Partner relies on consent as its legal basis to Process Personal Data, it shall ensure that it obtains a proper affirmative act of consent from Data Subjects in accordance with Data Protection Law in order for itself and Company to process such Personal Data as set out herein and in the Agreement. Partner acknowledges that Company, its advertisers and service providers may use cookies and similar tracking technologies in order to provide the Services, including for the purpose of cross-site or cross-device advertising. Partner represents and warrants that it: (a) ensures that appropriate notice and consent mechanisms are displayed and implemented on all applicable Partner properties; and (b) has the applicable mechanisms in place to ensure that any opt-out signals or preferences communicated by Data Subjects are promptly transmitted to the Company. It is hereby clarified that any such consent signals, opt out signals etc. shall be obtained by Partner and conveyed to Company using IAB frameworks (such as the IAB TCF or IAB GPP, or as otherwise as confirmed to by Company). Both parties will cooperate in good faith in order to identify the information disclosure requirements and each Party hereby permits the other Party to identify it in the other Party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.
    • Data Subject Rights. It is agreed that where either Party receives a request from a Data Subject in respect of Personal Data controlled by such Party, then such Party shall be responsible to exercise the request, in accordance with Data Protection Laws.
    • Mutual Assistance. Each Party shall:
      • provide the other Party with such assistance as the other Party may reasonably request from time to time to enable it to comply with its obligations under the Data Protection Laws including (without limitation) with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;
      • provide the other Party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;
    • Resolution of Disputes with Data Subjects or Supervisory Authorities.
      • If either Party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a “Data Protection Claim“), it shall promptly inform the other Party of the Data Protection Claim and provide the other Party with such information as it may reasonably request regarding the Data Protection Claim.
      • Where the Data Protection Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the Data Protection Claim.
      • Where the Data Protection Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.

  5. Personal Data Transfers

    • Transfers of Personal Data Out of the European Economic Area. Either Party may transfer Personal Data outside the European Economic Area, Switzerland, or the UK, as applicable if it complies with the provisions on the transfer of personal data to third countries in the applicable Data Protection Laws (such as where the transfer of Personal Data is to an Approved Jurisdictions or through the use of Standard Contractual Clauses, or other applicable frameworks).
    • To the extent that Company processes Personal Data outside the EEA, UK, Switzerland, or an Approved Jurisdiction, then the Parties shall be deemed to enter into the Standard Contractual Clauses, and the UK Addendum (as applicable), subject to any amendments contained in Schedule A, in which event: (i) the Standard Contractual Clauses are incorporated herein by reference; and (ii) the Partner shall be deemed the data exporter and the Company shall be deemed the data importer (as these terms are defined therein).

  6. Protection of Personal Data

    • The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data.
    • In the event that a Party suffers a confirmed Security Incident, each Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree on such measures as may be necessary to mitigate or remedy the effects of the Security Incident. In the event that a Party suffers a confirmed Security Incident, then such Party shall be responsible to notify the supervisory authority or the Data Subjects with respect to such Security Incident, as required under Data Protection Laws.

  7. Priority

    • If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
    • Unless stated otherwise in the DPA, Standard Contractual Clauses or the UK Addendum, in case of a conflict between the provisions of the DPA and the provisions of the Standard Contractual Clauses and the UK Addendum, the provisions providing the more stringent protection to Personal Data and the rights of individuals shall govern.

  8. Changes to this DPA

    • Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Partner, as reasonably determined by Company.
    • Notification of Changes. If Company intends to change this DPA under this Section, and such change will have a material adverse impact on Partner, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.

Schedule A – Standard Contractual Clauses and the UK Addendum

  1. If Partner is a controller – the Parties shall be deemed to enter into the Controller to Controller Standard Contractual Clauses (Module 1); if Partner is a processor – the Parties shall be deemed to enter into the Processor to Controller Standard Contractual Clauses (Module 4).
  2. This Schedule A sets out the Parties’ agreed interpretation of their respective obligations under Module One of the Standard Contractual Clauses.
  3. The Parties agree that for the purpose of transfer of Personal Data between the Partner (Data Exporter) and Company (Data Importer), the following shall apply:
    • Clause 7 of the Standard Contractual Clauses shall not be applicable.
    • In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
    • In Clause 13, the applicable supervisory authority shall be the Irish Data Protection Commissioner.
    • In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of Ireland.
    • In Clause 18(b) the Parties choose the courts of Dublin, Ireland as their choice of forum and jurisdiction.
  4. The Parties shall complete Annexes I–II below, which are incorporated in the Standard Contractual Clauses by reference.
  5. To the extent the UK Addendum applies, the following shall apply:
    • All the information provided under the Standard Contractual Clauses shall apply to the UK Addendum with the necessary changes per the requirement of the UK Addendum. Annex I below shall replace Annexes 1A and 1B of the UK Addendum, Annexes 2-3 shall be replaced with Annex II below.
    • In Table 4 of the UK Addendum, either party may terminate the agreement in accordance with section 19 of the UK Addendum.
    • By entering into this DPA, the Parties hereby agree to the format changes made to the UK Addendum.
  6. To the extent the FADP applies, the following shall apply:
    • References to the GDPR are to be understood as references to the FADP;
    • The competent supervisory authority shall be the FDPIC;
    • References to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’;
    • In Clause 17, Option 1 shall apply. The Parties agree that the clauses shall be governed by the law of Switzerland;
    • In Clause 18(b) the Parties choose the courts of Zurich, Switzerland as their choice of forum and jurisdiction.

Annex I – Description of Processing Activities

  1. Identification of Parties

    Data Exporter“: the Partner;
    Data Importer“: the Company.

  2. Description of Transfer

    Categories of data subject · Partner’s end-users, employees, and customers
    Categories of Personal Data · Contact information (name, telephone number, email address )
    · Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps)
    · Geo-location information (non-precise)
    Special Categories of Data/Sensitive Personal Information None
    Nature of Processing · Storage
    · Analytics
    · Advertising (including auditing related to Advertising)
    · Security, integrity and maintaining quality of the Company’s services
    Frequency of Transfer Continuous
    Purpose of the transfer and further processing As defined in the Main Agreement
    Retention period Personal Data will be retained by each Party as necessary to achieve the purpose for which it was collected, in accordance with the requirements of Data Protection Laws and subject to each party’s retention policies.

Annex II – Technical and Organizational Measures to Ensure the Security of the Data

This Annex forms part of the DPA and describes the technical and organisational security measures implemented by the data importer. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of Personal Data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.