This Data Processing Addendum (“DPA”) is between Licensor (“Controller”),and Smart Dash SF, Inc. (“Processor”) (each, a “Party” and collectively the “Parties”) and is effective as of the date (“DPAEffective Date”) that the Parties execute a Data License Agreement (“Agreement”)that incorporates this DPA by reference.


Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

1.1.    “Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of PersonalData, as they may be amended or otherwise updated from time to time.

1.3.    “Data Subject” means a natural person whose Personal Data is Processed.

1.2.    “Covered Data” means Personal Data that is: (a)provided by or on behalf of Controller to Processor in connection with theServices; or (b) obtained, developed, produced or otherwise Processed byProcessor, or its agents or subcontractors, for purposes of providing theServices.

1.4.    “Deidentified Data” means data created using CoveredData that cannot reasonably be linked to such Covered Data, directly or indirectly.

1.5.    “Personal Data” means any data or information that:(a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,”“personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.

1.6.    “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed”will be interpreted accordingly.

1.7.    “Security Incident” means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to(including unauthorized internal access to), Covered Data.

1.8.    “Services” means the services to be provided byProcessor pursuant to the Agreement.

1.9.    “Sub-processor” means an entity appointed byProcessor to Process Covered Data on its behalf.

1.10.  “US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.


2.1.  This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions)supersedes the Agreement with respect to any Processing of Covered Data.

2.2.  Any Processing operation as described in clause 4(Details of Data Processing) and Schedule 1 of the Agreement will be subject to this DPA.

3.      ROLE OF THE PARTIES. The Parties acknowledge and agree that for the purposes of the US Data Protection Laws, Processor will act as a“service provider” or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.


4.1.  The details of the Processing of Personal Data under theAgreement and this DPA (such as subject matter, nature and purpose of theProcessing, categories of Personal Data and Data Subjects) are described in theAgreement.

4.2.  Covered Data will only be Processed on behalf of and under the instructions of Controller and in accordance with Applicable DataProtection Laws. The Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Controller may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Processor is prohibited from:

4.2.1.   selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;

4.2.2.   sharing Covered Data with any third party for cross-context behavioral advertising;

4.2.3.   retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;

4.2.4.   retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and

4.2.5.   except as otherwise permitted by Applicable DataProtection Laws, combining Covered Data with Personal Data that Processor receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

4.3.  Processor will limit access to Covered Data to personnel who have a business need to have access to such Covered Data, and will ensure that such personnel are subject to obligations at least as protective of theCovered Data as the terms of this DPA and the Agreement.

4.4.  Processor will provide Controller with information to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws. In addition, Processor will notify Controller promptly if Processor determines that it can no longer meet its obligations under Applicable Data Protection Laws.

4.5.  Controller will have the right to take reasonable and appropriate steps to ensure that Processor uses Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws.


5.1.  Controller grants Processor the general authorisation to engage Sub-processors, subject to clause 5.2.

5.2.  Processor will enter into a written agreement with eachSub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Processor’s obligations under this DPA.

5.3.  Processor will provide Controller with at least fifteen(15) days’ notice of any proposed changes to the Sub-processors it uses toProcess Covered Data. Controller may object to Processor’s use of a newSub-processor by providing Processor with written notice of the objection within ten (10) days after Processor has provided notice to Controller of such proposed change (an “Objection”). If Controller does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. In the event Controller objects to Processor’s use of a newSub-processor, Controller and Processor will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either Party may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the other Party. During any such Objection period, Processor may suspend the affected portion of the Services.


6.1.  As between the Parties, Controller will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws(each, a “Data Subject Request”).

6.2.  Processor will promptly forward to Controller without undue delay any Data Subject Request received by Processor or any Sub-processor and may advise the individual to submit their request directly to Controller.

6.3.  Processor will provide Controller with reasonable assistance as necessary for Controller to fulfill its obligation underApplicable Data Protection Laws to respond to Data Subject Requests, including if applicable, Controller’s obligation to respond to requests for exercising the rights set out in Applicable Data Protection Laws.


7.1.  Processor will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by theProcessing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.

7.2.  Controller will have the right to audit Processor’s compliance with this DPA. The Parties agree that all such audits will be conducted:

7.2.1.   upon reasonable written notice to Processor;

7.2.2.   only once per year; and

7.2.3.   only during Processor’s normal business hours.

7.3.  To conduct such audits, Controller may engage a third-party auditor subject to such auditor complying with the requirements under clause 7.3 and provided that such auditor is suitably qualified and independent.

7.4.  To request an audit, Controller must submit a detailed proposed audit plan to Processor at least two weeks in advance of the proposed audit date. Processor will review the proposed audit plan and work cooperatively with Controller to agree on a final audit plan. All such audits must be conducted subject to the agreed final audit plan and Processor’s health and safety or other relevant policies.

7.5.  Controller will promptly notify Processor of anynon-compliance discovered during an audit.

7.6.  Controller will bear the costs for any audit initiated byController, unless the audit reveals material non-compliance with the requirements of this DPA.

7.7.  Upon request, Processor will provide to Controller documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards.Processor may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months ofController’s audit request and Processor confirms there are no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

7.8.    Processor will audit its Sub-processors on a regular basis and will, upon Controller’s request, confirm their compliance with ApplicableData Protection Laws and the Sub-processors’ contractual obligations.


8.1.    Processor will notify Controller in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Controller under Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities. Processor will take reasonable steps to contain, investigate, and mitigate any SecurityIncident, and will send Controller timely information about the SecurityIncident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Processor’s notification of or response to a SecurityIncident under this clause 8 will not be construed as an acknowledgement byProcessor of any fault or liability with respect to the Security Incident.

8.2.    Processor will provide reasonable assistance withController’s investigation of the possible Security Incident and any notification obligation of Controller under Applicable Data Protection Laws, such as in relation to individuals or supervisory authorities.

9.      DELETION AND RETURN. Processor will, within thirty (30) days of the date of termination or expiry of theAgreement, (a) if requested to do so by Controller within that period, return a copy of all Covered Data or provide a self-service functionality allowingController to do the same; and (b) delete all other copies of Covered DataProcessed by Processor or any Sub-processors.

10.    CONTRACT PERIOD. This DPA will commence on the DPAEffective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Processor’s deletion of all Covered Data as described in this DPA.


If Processor receives Deidentified Data from or on behalf of Controller, then Processor will:

11.1.  take reasonable measures to ensure the information cannot be associated with a Data Subject.

11.2.  publicly commit to Process the Deidentified Data solely indeidentified form and not to attempt to reidentify the information.

11.3.  contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data ProtectionLaws.

12.    GENERAL

12.1.  The Parties hereby certify that they understand the requirements in this DPA and will comply with them.

12.2.  The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes inApplicable Data Protection Laws.

Effective as of November 12, 2022