Data Processing Addendum

Last updated March 28th, 2022.

DOUBLE ATELIER, INC., a Delaware Corporation
20 Jay St, Suite 1002, Brooklyn, NY 11201, USA

Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered into by and between Double Atelier, Inc., a Delaware corporation with its primary place of business at 20 Jay St., Suite 1002, Brooklyn, NY 11201 (“Double”), and the customer using Double’s platform (“Customer”) pursuant to the Double General Terms and Conditions available at https://withdouble.com/terms, as updated from time to time, or any other agreement between Customer and Double governing Customer’s use of the Services (defined below), as applicable (the “Agreement”). Double and Customer are hereinafter referred to from time to time individually as “party” and collectively as “parties.”

The parties acknowledge that the terms of this Addendum, including the Appendices, are incorporated into and form part of the Agreement. Capitalized terms have the meaning given to them in the Agreement unless defined elsewhere in this Addendum. Where this Addendum uses terms that are defined in Applicable Data Protection Law (defined below), those terms shall have the same meaning as given to those terms (or an equivalent term) in the applicable law.

In the event and to the extent of a conflict between the provisions of the Agreement and this Addendum, this Addendum will prevail. Except as expressly set forth in this Addendum, all other provisions of the Agreement will remain in full force and effect. To the extent that the 2021 SCCs (defined below) or the 2010 SCCs (defined below) are incorporated herein, such SCCs shall take precedent over both this Addendum and the Agreement to the extent necessary to resolve the conflict or inconsistency. For the avoidance of doubt, execution of the Agreement shall be deemed to constitute signature and acceptance of this Addendum and any SCCs incorporated herein.

1. Definitions:

1.1 “Affiliate” means any business entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with a party to the Agreement. For purposes of this definition, “control” means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.

1.2 “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data under the Agreement. For the sake of clarity, Applicable Data Protection Law includes, without limitation (1) data protection laws and regulations of the European Union, the European Economic Area and their member states and Switzerland; (2) data protection laws and regulations of the United Kingdom; and (3) data protection laws and regulations of the United States and its individual states.

1.3 “Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers (module 2), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.4 “Customer Account Data” means personal data that relates to Customer’s relationship with Double and for which Double determines the means and purposes of processing.

1.5 “Customer Information” means any personal data that is (i) provided or made available or accessible to Double or its Sub-processors by or on behalf of Customer or a controller for whom Customer acts as a processor; and/or (ii) generated by Double or its Sub-processors in the performance of the Agreement.

1.6 “Data Protection Supervisory Authority” means a supervisory authority or other government body responsible for the administration, implementation, and/or enforcement of Applicable Data Protection Law and includes, without limitation, competent supervisory authorities of the European Union (“EU”) and its member states, the Swiss Federal Data Protection Authority, and the United Kingdom (“UK”) Information Commissioner’s Office.

1.7 “Data Transfer” means any situation in which Customer Information is transferred, either directly or via onward transfer to a Third Country.

1.8 “Elections” means, with respect to the 2021 SCCs, (i) for purposes of clause 9(a), option 2 applies and the specified time period is the time period required under Section 5 (Sub-processing) of this Addendum for notice of change of a Sub-processor; (ii) for purposes of clause 11, the independent dispute resolution option does not apply; (iii) for purposes of clause 17, option 2 is selected, provided if the EU Member State in which the data exporter is established does not allow for third-party beneficiary rights, then the law of Ireland shall govern; and (iv) as pertains to clause 18(b), the courts of the EU Member State in which the data exporter is established shall be the choice of forum and jurisdiction. 1.9 “European Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iii) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.

1.10 “Europe” means, for the purposes of this Addendum, the European Union (“EU”), the European Economic Area (“EEA”), and/or their member states, Switzerland, and the United Kingdom (“UK”).

1.11 “Performance Metrics” means any data relating to Customer’s use, support, and/or operation of the Services which is used by Double in an aggregated and anonymous manner.

1.12 “Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers (module 3), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.13 “Security Incident” means any confirmed or reasonably suspected unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Information on systems managed or otherwise controlled by Double.

1.14 “Sensitive Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, data relating to criminal convictions or offenses, or other information that falls within the definition of “special categories of data” (or an equivalent term) under Applicable Data Protection Law.

1.15 “Services” means the Services Double is providing pursuant to the Agreement.

1.16 “Sub-processor(s)” means any person or entity engaged by Double or its Affiliates to perform Double’s obligations under the Agreement.

1.17 “Third Country” means a country outside of Europe not recognized by the European Commission as providing an adequate level of protection for personal data under European Data Protection Law.

1.18 “UK Personal Data” means Customer Information, the processing of which is within the territorial scope of the data protection, privacy, or security laws of the UK.

1.19 “2010 SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection adopted pursuant to the European Commission’s decision of 5 February 20210 on Standard Contractual Clauses, excluding the option clauses, and on the basis that Appendix 1 of this Addendum operates as Annex I to the 2010 SCCs and Appendix 2 of this Addendum operates as Annex II to the 2010 SCCs.

1.20 “2021 SCCs” means (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses, as applicable in accordance with Section 2.1 (Scope and Role of the Parties), including the Elections and on the basis that Appendix 1 of this Addendum operates as Annex I to the 2021 SCCs and Appendix 2 of this Addendum operates as Annex II to the 2021 SCCs.

2. Processing of Personal Data:

2.1 Scope and Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Information, Double will act as processor to Customer, who may act as either a controller or a processor. Each party shall comply with its obligations under Applicable Data Protection Law, and this Addendum, when processing Customer Information. When Customer is acting as a controller, the Controller-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. When Customer is acting as a processor, the Processor-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. Customer agrees that it is unlikely that Double will know the identity of Customer’s controllers, if any, because Double has no direct relationship with Customer’s controllers. Therefore, Customer agrees that it will fulfill Double’s obligations to Customer’s controllers under the Processor-to-Processor Clauses. For the avoidance of doubt, this Addendum does not apply to Performance Metrics or Customer Account Data.

2.2 Customer Instructions. Double shall process Customer Information only in accordance with Customer’s documented lawful instructions as set forth in (i) the Agreement, including this Addendum and any applicable order forms; (ii) as necessary to comply with applicable law; (ii) or as otherwise agreed in writing or as initiated by Customer in its use of the Services (including via any configuration tools and APIs made available through the Services (“Permitted Purposes”). Customer may give additional instructions throughout the term of the Agreement. Double shall immediately inform Customer if it is unable to follow those instructions.

2.3 Customer Obligations. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, in respect of its processing of Customer Information and any processing instructions it issues to Double; and (ii) it has, and will continue to have, the right to transfer, or provide access to, the personal data to Double for processing in accordance with the terms of the Agreement and this Addendum. Customer shall have the sole responsibility for the accuracy, quality, and legality of Customer Information and the means by which Customer acquired Customer Information. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Law) applicable to any content created, sent, or managed through the Services. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject that has opted-out from the sale or other disclosure of his or her personal data.

2.4 Lawfulness of Instructions. Customer acknowledges that Double is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Double’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that its instructions comply with Applicable Data Protection Law and Double’s processing of the Customer Information in accordance with Customer’s instructions will not cause Double to violate any applicable law, regulation, or rule, including without limitation Applicable Data Protection Law. Double will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law.

2.5 Double Personnel. Double shall grant access to Customer Information to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the agreement. It will further ensure that any person it authorizes to process the Customer Information shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

2.6 Accuracy. Customer agrees that it is unlikely that Double would become aware that Customer Information it has received is inaccurate or outdated. Nonetheless, if Double does become aware that Customer Information it has received is inaccurate, or has become outdated, it shall inform Customer without undue delay and shall cooperate with Customer to erase or rectify the data.

2.7 Return or Deletion of Customer Information. Double shall only process Customer Information for the duration specified in Appendix 1.B. Upon Customer's request or upon termination or expiration of the Agreement, Double agrees, at Customer’s option, exercised by delivery to Double in writing of its instruction, to either deliver to Customer or destroy in a manner that prevents Customer Information from being reconstructed any Customer Information and any copies thereof in Double's control or possession, except that this requirement shall not apply to the extent Double is required by applicable law to retain some or all of the Customer Information or to Customer Information it has archived on back-up systems, which Customer Information Double shall securely isolate, protect from any further processing, and eventually delete in accordance with Double’s deletion policies, except to the extent required by applicable law.

2.8 No Sale of Information. Double will not sell Customer Information, nor retain, use, or disclose Customer Information for any commercial purpose other than providing the Services. Double will not disclose Customer Information outside the scope of the Agreement. Double understands its obligations under Applicable Data Protection Law and will comply with them.

3. Responding to Data Subjects and Other Requests:

3.1 Assistance Provided to Customer. To the extent Customer, in its ordinary use of the Services, does not have the ability to address a data subject request to exercise their rights under Applicable Data Protection Law, Double shall, upon Customer’s written request, provide commercially reasonable assistance to Customer in responding to such data subject request. If complying with Customer’s request for assistance will require Double to expend significant resources, such assistance shall be at Customer’s expense (scoped in advance).

3.2 Handling Requests Made Directly to Double. In the event that any request, correspondence, enquiry or complaint from a data subject, regulator, or third party, including, but not limited to law enforcement, is made directly to Double in connection with Double’s processing of Customer Information, Double shall promptly inform Customer providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Double shall not respond to any such request, inquiry, or complaint without Customer’s prior written consent. In the case of a legal demand for disclosure of Customer Information in the form of a subpoena, search warrant, court order or other compulsory disclosure request, Double shall attempt to redirect the requesting party or agency to request disclosure from Customer. Customer agrees that Double may provide Customer’s basic contact information for this purpose. If Double is unable to redirect the requesting party or agency, Double shall act in accordance with its obligations under the 2010 SCCs or 2021 SCCs, as applicable, incorporated herein. For the avoidance of doubt, nothing in the Agreement, including this Addendum shall restrict or prevent Double from responding to any data subject or other requests in relation to personal data for which Double is a controller.

3.3 Data Protection Impact Assessments. If Double believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of data subjects, Double shall inform Customer and (taking into account the nature of the processing and the information available to Double) provide commercially reasonable cooperation to Customer in connection with any data protection impact assessment or consultations with Data Protection Supervisory Authorities that may be required under Applicable Data Protection Law. Double shall comply with the foregoing by: (i) complying with Section 4.7 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer’s expense (scoped in advance).

4. Security:

4.1 Technical and Organizational Measures. Double has implemented and will maintain appropriate technical and organizational security measures designed to preserve the security and confidentiality of Customer Information in accordance with Double’s security standards described in Appendix 2 (“Security Measures”).

4.2 Updates to Security Measures. Customer is responsible for reviewing the information Double makes available regarding its data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations, including its legal obligations under Applicable Data Protection Law. Customer acknowledges that the Security Measures are subject to technical progress and development and that Double may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services provided to Customer.

4.3 Security Incident Response. Double shall, to the extent permitted by law, notify Customer without undue delay of any reasonably suspected or actual Security Incident which affects Customer Information. Such notification will be delivered to one or more of Customer’s business or administrative contacts by any means Double selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information in the Services and under the Agreement at all times. The notice shall summarize in reasonable detail the nature and scope of the Security Incident, to the extent known, and the corrective action already taken or to be taken by Double. Furthermore, Double shall provide timely information relating to the Security Incident as it becomes known or as reasonably requested by Customer and shall promptly take reasonable steps to remedy or mitigate the effect of any Security Incident. Double’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Double of any fault or liability with respect to the Security Incident. The parties will collaborate on whether any notice of breach is required to be given to any person, and if so, the content of that notice. Unless prohibited by an applicable statute or court order, Double shall also notify Customer of any third-party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity.

4.4 Unsuccessful Security Incidents. Customer agrees that an unsuccessful Security Incident will not be subject to Section 4.3 (Security Incident Response). An unsuccessful Security Incident is one that results in no unauthorized access to Customer Information or to any of Double’s equipment or facilities used to store or process Customer Information and could include, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-in attempts or invalid URLs, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.

4.5 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided in this Addendum, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, using the Services strictly as permitted under the Agreement, and using features and functionalities made available by Double to maintain appropriate security in light of the nature of the data processed.

4.6 Documentation and Compliance. The parties acknowledge that Customer must be able to assess Double’s compliance with its obligations under Applicable Data Protection Law and this Addendum. To facilitate such assessment, Double will keep appropriate documentation on the processing activities carried out on behalf of Customer under the Agreement, and upon written request, make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this Addendum.

4.7 Audits. To the extent that Double is unable to demonstrate its compliance with Applicable Data Protection Law and this Addendum through appropriate documentation as described in Section 4.6 (Documentation and Compliance) above, then, upon Customer’s written request and subject to the confidentiality obligations set forth in the Agreement, Double shall allow for and contribute to audits and inspections conducted by Customer (or Customer’s independent, third-party auditor that is not a competitor of Double). Audits shall occur at most annually or more frequently (i) in response to a demand from a Data Protection Supervisory Authority, (ii) following notice of a Security Incident, or (iii) as a follow-up to a duly conducted annual audit. Audits must be preceded by thirty (30) days advance written notice, must be conducted during Double’s normal business hours, and must be limited to systems and procedures within Double’s control and relevant to Double’s processing of Customer Information. Double will make its personnel, records, and similar items available upon fewer than thirty (3) days advance notice, but no less than reasonable notice if (i) requested by a Data Protection Supervisory Authority pursuant to an audit or Customer or (ii) following notice of a Security Incident. In lieu of such an audit, in the event that Double independently obtains third-party annual audits of its privacy and security program, Customer agrees that Double may satisfy its obligations under this Section 4.7 (Audits), by making available to Customer a copy of Double’s then most recent third-party audit report. Such audit reports will be made available to Customer upon Customer’s written requests, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement. If any audit reveals any material vulnerability, Double shall take commercially reasonable steps to correct such vulnerability.

5. Sub-processing:

5.1 Authorized Sub-processors. Double has Customer’s general authorization to engage third-party Sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. The Sub-processors Double currently engages to carry out processing activities can be found at https://withdouble.com/sub-processors. At least ten (10) business days prior to engaging or removing any Sub- processor, Double will update this list and provide Customer with a mechanism to obtain notice of that update. Customer may object to in writing to Double's appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Double will, in its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the Agreement without liability to either party, in which case, however, and notwithstanding anything to the contrary in this Addendum, the applicable SCCs or the Agreement, Double shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.

5.2 Sub-processor obligations. Double shall: (i) conduct appropriate due diligence on each Sub-processor it engages to perform services on its behalf; (ii) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Information as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (iii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause Double to breach any of its obligations under this Agreement.

6. International Data Transfers:

6.1 Data Center Locations. Customer understands and acknowledges that Customer Information may be transferred to and processed in the United States or in any country in which Double or its Sub-processors have operations. Double shall notify Customer at least ten (10) business days prior to adding or replacing a Sub-processor in the same manner provided for notification under Section 5.1 (Authorized Sub-processors) above. Customer may object in writing to Double’s changes as per the above, provided such objection is based on reasonable grounds relating to data protection (including, but not limited to, changes of location for processing (including access) from within Europe to the United States or another non-Europe country). In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Double will, in its sole discretion, either not proceed with the change, or permit Customer to suspend or terminate the Agreement without liability to either party in which case, however, and notwithstanding anything to the contrary in this Addendum, the applicable SCCs, or the Agreement, Double shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing. Double shall ensure that such transfers comply with the requirements of Applicable Data Protection Law.

6.2 European Data Transfers. To the extent that Double receives Customer Information protected by European Data Protection Laws, Double agrees to abide by and process such data in compliance with the 2010 or 2021 SCCs, as applicable, which are incorporated herein in full and form an integral part of this Addendum. For the purposes of such SCCs: (i) Double is the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may be an entity located outside of Europe); (ii) Appendixes 1 and 2 of this Addendum shall replace Appendixes 1 and 2 (or Annexes I and II to the Appendix, as applicable) and (iii) if the 2021SCCs apply, then they shall be applied giving effect to the Elections. For the avoidance of doubt, the 2010 SCCs shall apply to any Data Transfer pursuant to the Agreement that involves UK Personal Data.

7. Limitation of Liability:

7.1 Liability Cap. Each party and all of its Affiliates’ liability to the other party and its Affiliates, taken together arising out of or related this this Addendum, including the 2010 or 2021 SCCs, as applicable, shall be subject to the exclusions and limitations of liability set forth in the Agreement. For the avoidance of doubt, Double and its Affiliates’ total liability for all claims from Customer arising out of or relating to the Agreement or this Addendum shall apply in aggregate.

7.2 Liability to Data Subjects. Nothing in Section 7.1 (Liability Cap) shall alter the parties’ liability to data subjects as provided for in either the 2010 or 2021 SCCs (as applicable). Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation by it of Applicable Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of the responsibility for the damage. Notwithstanding the foregoing, with respect to processing of personal data subject to either the 2010 or 2021 SCCs as provided herein, the allocation of liability to data subjects as between the parties shall be governed by the applicable SCCs taking into consideration that both parties agree that Customer will be liable to data subjects for the entire damage resulting from a violation of European Data Protection Law with regard to processing of personal data for which it is a controller, and that Double will only be liable to data subjects for the damage resulting from a violation of the obligations of European Data Protection Law directed to processor where it has acted outside of or contrary to Customer’s lawful instructions or violated this Addendum. Double will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

8. Modification and Termination of this Addendum: This Addendum shall remain in effect until the later of (i) termination of the Agreement or (ii) such time as Double no longer processes any Customer Information on behalf of Customer. Failure to comply with any of the material provisions of this Addendum is considered a material breach of the Agreement. In the event of termination, Double will return or destroy data pursuant to Section 2.7 (Return or Deletion of Customer Information). Double may update the terms of this Addendum from time to time; provided, however, Double will provide at least thirty (30) days prior written notice to Customer of any proposed update. In the event that a competent Data Protection Supervisory Authority for the UK issues alternative SCCs for Data Transfers, (i) Double may, upon giving notice in accordance with this Section 8 (Modification and Termination of this Addendum) amend this Addendum to replace the 2010 SCCs referred to herein with such alternative SCCs and any such amendments or supplemental provisions as deemed necessary by Double for the purposes of this Addendum and (ii) from the date of such notice, any reference in this Addendum to the 2010 SCCs shall be deemed to refer to such alternative SCCs. The then-current terms of this Addendum are available at http://withdouble.com/data-processing-addendum.

9. Entire Agreement; Conflict: This Addendum supersedes and replaces all prior and contemporaneous agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Customer and Double. If there is any conflict between this Addendum and any agreement, including the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the 2010 or 2021 SCCs (as applicable) and their Annexes; then (b) this Addendum and its Appendices; then (c) the Agreement.

10. Invalidity and Severability:

10.1 General. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid and unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

10.2 Invalidity of SCCs. If the SCCs cease to or do not (including due to insufficient supplementary measures) meet the requirements under European Data Protection Law or otherwise cease to or do not provide a valid legal basis to transfer personal data outside the EEA, EU, UK, or Switzerland, Double shall (i) promptly notify Customer using the email address on file; (ii) upon request (whether or not Double has provided notice to Customer) immediately stop and, as applicable procedure the cessation of the processing by its Sub-processors of the affected personal data promptly after the occurrence of any such notifiable event outside the relevant countries (except to the extent directed otherwise by Customer), and as soon as possible put in place commercially reasonable measures to mitigate the impact of such; and (iii) discuss with Customer commercially reasonable alternative measures in order to ensure an adequate level of protection with respect to the privacy rights of individuals and the lawful transfer of, or access to, personal data outside the relevant countries whilst continuing the provision of the Services with minimum disruption to Customer. If the parties cannot reach resolution, Customer may suspend or terminate the Agreement without liability to either party, in which case, notwithstanding anything to the contrary in this Addendum or the Agreement, Double shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.

APPENDIX 1

A. LIST OF PARTIES

Data exporter(s):

The data exporter is the legal entity identified as “Customer” in the Agreement. Customer may be a controller or a processor with respect to Customer Information.

Data importer(s):

The data importer is Double Atelier, Inc. located at 20 Jay St., Suite 1002, Brooklyn, NY 11201.

Alice Default, CEO, is Double’s contact person with responsibility for data protection and can be reached at privacy@withdouble.com or 2128849916.

Double Atelier, Inc. is a modern assistant service that matches busy executives with experienced part-time administrative assistants and provides a variety of tools and integrations to help executive delegate tasks and meet their goals. Double is either a processor or a sub-processor with respect to Customer Information processed pursuant to the Agreement.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer may upload, submit, or otherwise provide personal data concerning the following categories of data subjects:

• Customer • Employees or other individuals affiliated with Customer’s employer/organization • Customer’s business contacts • Customers and end users of Customer’s employer/organization

Categories of personal data transferred

Customer may upload, submit, or otherwise provider certain personal data to Double, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:

• Full name and contact information • Company name and job title • Billing and payment information • Any other personal data uploaded, submitted, or otherwise provided to Double by Customer in its sole discretion.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Double does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Services. To the extent that Sensitive Data is nevertheless introduced into Customer Information, Customer agrees that it is solely responsible for ensuring that sufficient safeguards are in place to protect such Sensitive Data and Double shall have no liability whatsoever in relation to such data.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Customer Information will be transferred on a continuous basis for the duration of the Agreement.

Nature of the processing

Customer Information will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:

• Computing, storage and other processing necessary to provide, maintain, and improve the service provided to Customer pursuant to the Agreement; and/or

• Disclosures in accordance with the Agreement, Customer’s instructions, and/or as compelled by applicable law.

Purpose(s) of the data transfer and further processing

Double shall only process Customer Information for the Permitted Purposes outlined in Section 2.2 (Customer Instructions).

The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period

Customer Information will be retained for the duration of the Agreement plus thirty (30) days after expiration or termination unless expressly instructed by Customer to delete or destroy Customer Information sooner or as otherwise required or permitted by law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

For all transfers to Sub-processors the subject matter, nature, and duration of the processing are as follows:

• Subject matter: The subject matter of the transfer and processing is the Customer Information. • Nature of processing: The nature of the processing varies by Sub-processor. Detailed information for each Sub-processor can be found at https://withdouble.com/sub-processors. • Duration of the processing: The duration of the processing is for so long as is necessary for the purpose for which the information was transferred to the Sub-processor and in any event, for no longer than the duration of the agreement between Double and the relevant Sub-processor.

C. DATA PROTECTION SUPERVISORY AUTHORITY

The applicable Data Protection Supervisory Authority for purposes of this Addendum shall be established in accordance with any applicable SCCs incorporated herein.

APPENDIX 2 - SECURITY MEASURES

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Double will, at a minimum, implement the following types of security measures: • Data is encrypted in transport between client and server, using HTTPS • Server-side Double-managed databases are encrypted at rest • File uploads are stored on AWS S3, encrypted at rest, accessed with a short-lived link • Executives and Assistants are encouraged to use a password manager to share secrets. We provide a complimentary 1Password vault to users that do not already use a similar service.