Data Processing Addendum

1.1 Limitations on Use

Magieva will Process Customer Personal Data for the Purpose and otherwise only: (a) pursuant to Customer's documented instructions as specified under Section 1.2 (Instructions), including with regard to transfers of Customer Personal Data to a third country; and (b) as otherwise required by applicable laws, provided that Magieva will inform Customer (unless prohibited by law) of the applicable legal requirement before such Processing. Magieva will not otherwise: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than for the Purpose; (y) sell or share (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Magieva receives from individuals or other sources, except as permitted by Data Protection Law.

1.2 Instructions

Customer instructs Magieva to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 2 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by Magieva are Customer's documented instructions regarding Magieva's Processing of Customer Personal Data. Additional instructions provided by Customer (if any) require prior written agreement by Customer and Magieva. Customer will not instruct Magieva to Process Customer Personal Data in violation of any Data Protection Law. Magieva may suspend Processing based upon any Customer instructions that Magieva reasonably suspects violate Data Protection Law, provided Magieva will promptly inform Customer if Magieva believes an instruction infringes Data Protection Law.

1.3 Compliance

Each party will comply with its obligations under Data Protection Law. Magieva shall promptly notify Customer if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Magieva has Processed Customer Personal Data without authorization, Magieva will take reasonable and appropriate steps to stop and remediate such Processing.

1.4 Confidentiality

Magieva will ensure that persons authorized by Magieva to Process any Customer Personal Data are subject to appropriate confidentiality obligations.

1.5 Security

Magieva will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law in accordance with Attachment 3 (Data Security Exhibit). Magieva may amend the technical and organizational measures, provided the new measures do not reduce the level of security provided by Attachment 3 (Data Security Exhibit).

1.6 Disposal

At the choice of Customer, Magieva will (or will enable Customer via the Services to) delete (and will delete existing copies of) all Customer Personal Data after termination of the Agreement (unless Data Protection Law requires the storage of such Customer Personal Data by Magieva, in which case Magieva will only further retain and Process such Customer Personal Data for the limited duration and purposes required by such Data Protection Law). The certification of deletion contemplated by Section 8.5 of the SCCs shall be provided on Customers' written request.

1.7 Deidentified Data

Magieva may Process Deidentified Data to improve the Services. Magieva will (a) take reasonable measures to ensure the Deidentified Data cannot be associated with an individual and (b) publicly commit to maintain and use Deidentified Data in deidentified form and not attempt to reidentify Deidentified Data except as permitted by Data Protection Law.

2.1 Data Subject Rights Assistance

Customer shall be responsible for responding to requests from individuals to exercise rights under Data Protection Law relating to Customer Personal Data (each a "Data Subject Request"). Customer will inform Magieva of any Data Subject Request to which Magieva must comply and provide the information necessary for Magieva to comply with the request. Magieva will, to the extent permitted by Data Protection Law, notify Customer if Magieva receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, Magieva will, on Customer's request, provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law.

2.2 Security Assistance

Taking into account the nature of Processing and the information available to Magieva, Magieva will provide commercially reasonable efforts to assist Customer in Customer's efforts to comply with Customer's obligations to secure Customer Personal Data by providing the information and assistance described in Section 3 (Audits).

2.3 Security Incident Notice and Assistance

Magieva will notify Customer without undue delay after becoming aware of a Security Incident. Magieva will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident and assist Customer in complying with any related notification obligations under Data Protection Law.

2.4 Data Protection Impact Assessment ("DPIA") and Prior Consultation Assistance

Taking into account the nature of Processing and the information available to Magieva, Magieva will provide commercially reasonable assistance to Customer in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities.

3.1 Magieva Audits

Magieva may procure audits by third parties to assess Magieva's adherence to the following standards or requirements: (a) SOC 2 Type II; (b) ISO 27001; (c) PCI DSS Service Provider Level 1; and/or (d) certifications or other documentation evidencing compliance with alternative standards that are substantially equivalent to the foregoing (collectively, "Audits"). Subject to the confidentiality obligations set forth in the Agreement, Magieva will provide Customer with summaries of Magieva's then-current Audit reports ("Reports") on Customer's request. The Reports will be Magieva's Confidential Information.

3.2 Customer Audits

Customer will exercise its audit rights by first requesting the Reports as described in Section 3.1 (Magieva Audits). Customer may request additional information or an on-site audit of Magieva if the Reports do not reasonably demonstrate Magieva's compliance with this DPA and/or Data Protection Law. Except in the event of a Security Incident or regulatory investigation, Customer will provide no less than 30 days' advance notice of its request for an on-site audit and will cooperate in good faith with Magieva to schedule any such audit on a mutually agreeable date and time during Magieva's normal business hours. Any such on-site audit must be conducted by Customer or a nationally recognized independent auditor that has agreed to confidentiality provisions reasonably acceptable to Magieva. Customer is responsible for ensuring that the audit will comply with Magieva's applicable on-site policies and procedures and will not unreasonably interfere with Magieva's business activities. Customer will provide a written summary of any audit findings to Magieva, and the results of the audit will be Magieva's Confidential Information.

4.1 Appointment of Subprocessors

Customer authorizes Magieva to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a "Subprocessor"). Customer specifically consents to Magieva's appointment of the Subprocessors identified in the Subprocessor List.

4.2 Objection Right for New Subprocessors

4.3 Liability

Where required by Data Protection Law, Magieva will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Magieva will be liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.

5.1 Overview

The parties will conduct any transfers of European Economic Area, the UK, and Swiss residents' Customer Personal Data to a country not subject to an adequacy decision (a "Data Transfer") pursuant to the SCCs, which are incorporated and deemed executed by this reference. If Magieva notifies Customer that Data Transfers can be conducted in compliance with Data Protection Law pursuant to an alternative transfer mechanism such as the Data Privacy Framework, the parties will rely on the alternative mechanism to legitimize Data Transfers instead of the provisions that follow.

5.2 Standard Contractual Clauses

The parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs with Customer as the "data exporter" and Magieva as the "data importer."

5.3 Transfers Subject to Swiss Data Protection Law

If any Customer Personal Data subject to the Swiss Federal Act on Data Protection of September 25, 2020 (the "FADP") is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner; references to a "Member State" and "EU Member State" will not prevent individuals in Switzerland from suing for their rights in Switzerland; and references to "GDPR" in the SCCs will be understood as references to the FADP.

5.4 Transfers Subject to the UK GDPR

Any Customer Personal Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated and deemed executed by this reference.