Encited Data Processing Addendum
Last updated May 20, 2026
This Data Processing Addendum, including the Standard Contractual Clauses and UK Addendum referenced herein and Exhibits A and B to this addendum ("DPA"), is incorporated into any existing and currently valid Master Services Agreement or Terms of Use (the "Agreement") either previously or concurrently made between you (together, with any subsidiaries and affiliated entities, collectively, "Customer") and Modern Tech Solutions, LLC, d/b/a LaunchFast.shop, operating the service known as "Encited" (formerly "LovableHTML") (together, with any subsidiaries and affiliated entities, collectively "Encited" or "Processor") and sets forth additional terms that apply to the extent any information you provide to Encited pursuant to the Agreement includes Personal Data (as defined below). This DPA is effective as set forth in Encited's Terms of Use.
Contract notices to Encited should be sent to legal@encited.com. Data-protection matters, including Data Subject requests, breach inquiries, and Sub-processor questions, should be sent to privacy@encited.com.
1.0 Defined Terms
The following definitions are used in this DPA.
1.1 "Authorized Personnel" means (a) Encited's employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable services; and (b) Encited's contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Encited to perform its obligations under the Agreement and this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA.
1.2 "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 – 1798.199.100, as amended, including by the California Privacy Rights Act of 2020 and its implementing regulations.
1.3 "Customer Data" means information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by you or on your behalf as a customer or a user through the Services or by or on behalf of your prospects, customers or other end users of the Services who access the Services for purposes of interacting with you and your users.
1.4 "Data Protection Laws" means all applicable federal, state, and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, all as amended from time to time, including, without limitation, the EU Data Protection Laws, UK Data Protection Laws, the Swiss Data Protection Laws, the CCPA, the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), and the Utah Consumer Privacy Act ("UCPA"), but excluding, without limitation, consent decrees.
1.5 "Data Subject" means the individual or consumer to whom Personal Data relates.
1.6 "EU Data Protection Laws" means GDPR together with any applicable implementing legislation or regulations, as well as European Union or Member State laws, as amended from time to time.
1.7 "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
1.8 "Personal Data" means any Customer Data relating to an identified or identifiable natural person that is Processed by Encited on behalf of Customer in connection with providing the Services to Customer, when such information is protected as "personal data" or "personal information" or a similar term under Data Protection Law(s).
1.9 "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.10 "Security Breach" means a confirmed breach of Encited's information security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data covered by this DPA.
1.11 "Services" means the services provided by Encited to you under the Agreement, including the Encited prerendering, cache, analytics, SEO audit, and AI mention tracking services.
1.12 "Standard Contractual Clauses" or "SCCs" means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
1.13 "Swiss Data Protection Laws" means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in Switzerland, including the Federal Act on Data Protection of June 19, 1992 and its ordinances, and the revised Swiss Federal Act on Data Protection dated 25 September 2020 (collectively, "FADP").
1.14 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "SCCs" defined above) issued by the Commissioner under S119A(1) Data Protection Act 2018, Version B1.0, in force 21 March 2022 and available at ico.org.uk/.../international-data-transfer-addendum.pdf.
1.15 "UK Data Protection Laws" means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the United Kingdom GDPR and the Data Protection Act 2018.
1.16 "UK GDPR" means the United Kingdom General Data Protection Regulation, as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018.
1.17 The terms "Processor" and "Controller" shall have the meanings given to them under the applicable Data Protection Law. Any capitalized terms herein that are not defined in this DPA shall have the meanings associated with them in the Agreement, and are hereby adopted by reference in this Addendum.
2.0 Processing and Transfer of Personal Data
2.1 Customer Obligations. Customer is the Controller of Personal Data and shall (a) determine the purpose and essential means of the Processing of Personal Data in accordance with the Agreement; (b) be responsible for the accuracy of Personal Data; and (c) comply with its obligations under Data Protection Laws, including, when applicable, ensuring Customer has a lawful basis to collect Personal Data, providing Data Subjects with any required notices, and/or obtaining the Data Subject's consent to process the Personal Data.
2.2 Encited Obligations. Encited is the Processor of Personal Data and shall (a) Process Personal Data on Customer's behalf in accordance with Customer's written instructions (unless waived in a written requirement) provided during the term of this DPA, and (b) comply with its obligations under Data Protection Laws. A description of the processing of Personal Data intended to be carried out under this DPA is set out in Annex I of Exhibit A attached hereto. The parties agree that the Agreement, including this DPA, together with Customer's use of the Services in compliance with the Agreement, constitute Customer's complete and final written instructions to Encited in relation to the Processing of Personal Data, and additional instructions outside the scope of these instructions shall require a prior written and mutually executed agreement between Customer and Encited. In the event Encited reasonably believes there is a conflict with any Data Protection Law and Customer's instructions, Encited will inform Customer promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
2.3 Data Use. Encited shall not use Personal Data, except for usage of Personal Data pursuant to Customer's instructions, and as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Data Protection Laws.
2.4 Location of Processing. The parties acknowledge and agree that Processing of Personal Data will occur in the United States and may occur in other jurisdictions outside the residence of a Data Subject, and Customer shall comply with all notice and consent requirements for such transfer and processing to the extent required by Data Protection Laws.
2.5 Renderer Anonymity. The Encited rendering subsystem fetches Customer's origin without carrying any cookies, Authorization headers, or client session state. By design, the renderer cannot render or cache authenticated views, and cannot capture end-user session-bound Personal Data through the rendering pipeline.
2.6 Return or Destruction of Data. Encited shall return or securely destroy Personal Data, in accordance with Customer's instructions, upon Customer's request or upon termination of Customer's account(s) unless Personal Data must be retained to comply with applicable law.
3.0 EU, Swiss and United Kingdom Data Protection Laws
This Section 3 shall apply with respect to Processing of Personal Data when such Processing is subject to the EU Data Protection Laws, Swiss Data Protection Laws, or UK Data Protection Laws.
3.1 Transfers of Personal Data. Customer acknowledges and agrees that Encited is located in the United States and that Customer's provision of Personal Data from the European Economic Area ("EU"), Switzerland, or the United Kingdom to Encited for Processing is a transfer of Personal Data to the United States. All transfers of Customer Personal Data out of the EU ("EU Personal Data"), Switzerland ("Swiss Personal Data"), or the United Kingdom ("UK Personal Data") to the United States shall be governed by the Standard Contractual Clauses, and the UK Addendum as applicable, as follows:
a. For such transfers of EU Personal Data or transfers containing Swiss Personal Data that are subject to both EU Data Protection Laws and Swiss Data Protection Laws (in this latter case, the parties shall adopt the GDPR standard for all data transfers), Module 2 of the SCCs for Controller to Processor transfers, together with Annexes set out in Exhibit A to this DPA, shall apply and are incorporated into this DPA, and the parties agree that the following terms apply: (a) Clause 7 shall not apply; (b) Option 2 of Clause 9(a) shall apply with a time period of 30 days in advance; (c) the optional language in Clause 11(a) shall not apply; (d) the governing law shall be that of Ireland in Clause 17; (e) disputes shall be resolved by the courts of Ireland in Clause 18; and (f) the annexes are completed in Exhibit A to this DPA.
b. For such transfers of only Swiss Personal Data, Module 2 of the SCCs for Controller to Processor transfers, together with Annexes set out in Exhibit A to this DPA, shall apply and are incorporated into this DPA, and the parties agree that the following terms apply: (a) Clause 7 shall not apply; (b) Option 2 of Clause 9(a) shall apply with a time period of 30 days in advance; (c) the optional language in Clause 11(a) shall not apply; (d) the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner; (e) the governing law shall be that of Switzerland in Clause 17; (f) disputes shall be resolved by the courts of Switzerland in Clause 18; (g) the annexes are completed in Exhibit A to this DPA; and (h) any references to the GDPR are to be understood as references to the FADP.
c. For transfers of Swiss Personal Data subject to Sections 3.1.a and 3.1.b of this DPA, the term "member state" shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with Clause 18c.
d. For such transfers of UK Personal Data, Module 2 of the SCCs shall apply as set forth in subsection 3.1.a above, and the UK Addendum as set out in Exhibit B to this DPA shall apply and is incorporated into this DPA.
3.2 GDPR and UK GDPR Obligations. Encited shall: (a) assist Customer, to a reasonable extent, in complying with its obligations with respect to EU Personal Data pursuant to Articles 32 to 36 of GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); (b) maintain a record of all categories of Processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); and (c) cooperate, on request, with an EU or UK supervisory authority regarding the performance of the Services.
4.0 United States Data Protection Laws
This Section 4 shall apply with respect to Processing of Personal Data when such Processing is subject to Data Protection Laws in the United States.
4.1 CCPA/CPRA. This subsection 4.1 applies to Encited's, and Encited acts as Customer's service provider with respect to, Processing of Personal Data subject to the CCPA. Customer discloses the Personal Data to Encited, and Encited shall Process such Personal Data only for the purposes as set out in this Agreement, including this DPA.
a. Encited shall not:
i. sell or share the Personal Data;
ii. retain, use, or disclose the Personal Data (A) for any purpose other than the business purposes as set out in the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; or (B) outside of the direct business relationship between the parties;
iii. combine the Personal Data that Encited receives from, or on behalf of, Customer with Personal Data that Encited receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Encited may combine Personal Data to perform any business purpose as permitted by the CCPA, including regulations thereto, or by regulations adopted by the California Privacy Protection Agency.
b. Encited shall comply with obligations applicable to it as a service provider under the CCPA, and shall provide Personal Data with the same level of privacy protection as is required by the CCPA.
c. Customer shall have the right to take reasonable and appropriate steps to help ensure that Encited uses the Personal Data in a manner consistent with Customer's obligations under the CCPA. The process for such steps shall be as set out in Section 9 below.
d. Encited shall notify Customer if it makes a determination that it can no longer meet its obligations as a service provider under the CCPA. If Encited so notifies Customer, Customer shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
e. For any sub-processors used by Encited to process Personal Data subject to the CCPA, in addition to its obligations in Section 5 below, Encited's agreement with any such sub-processor shall obligate such sub-processor to observe the requirements set forth in subsection 4.1.a above.
f. For purposes of this Section 4, the terms "consumer", "service provider", "sell" and "share" shall have the meanings given to them under the CCPA.
4.2 Virginia, Colorado, Connecticut and Utah. For the avoidance of doubt and for purposes of the VCDPA, CPA, CTDPA and UCPA, the relevant details of Processing set forth in Section B in Exhibit A shall apply.
5.0 Sub-processors
5.1 Sub-processor List. Customer consents to Encited's use of the Sub-processors listed below as of the effective date of this DPA.
Note on AI providers (¹). OpenAI, Anthropic, Google (Gemini), and Perplexity are listed as Sub-processors out of an abundance of caution. Under normal use of the Services, Encited submits only Customer-authored brand-monitoring prompt text to these providers and receives LLM responses for analysis. Encited does not deliberately transmit Customer Personal Data to these providers. To the extent any Personal Data is incidentally included in Customer-authored prompts or appears in LLM responses, that data is Processed by these providers as Sub-processors under the terms of this DPA.
Note on Encited affiliates (²). LinkyCal and ReplyMaven are products operated by Modern Tech Solutions, LLC (the same legal entity as Encited). They are listed as Sub-processors for full transparency. The same confidentiality, security, and data-protection obligations set out in this DPA apply to Modern Tech Solutions, LLC in its capacity as operator of these affiliate products.
| Sub-processor | Purpose | Location of Processing |
|---|---|---|
| Cloudflare, Inc. | Primary infrastructure: edge compute (Workers), object storage of rendered snapshots (R2), key-value cache (KV), primary application database (D1), edge CDN, bot classification, DDoS protection, WAF | United States and Cloudflare global edge network |
| Fly.io, Inc. | Second-tier CDN and edge proxy supporting request routing and failover | Fly.io global edge network |
| PlanetScale, Inc. | Application database for analytics, audit, and AI mention data | United States |
| Google LLC (Google Cloud Platform) | Backup and contingency infrastructure for scheduled rendering pipelines (failover to primary Cloudflare infrastructure) | United States and Google global infrastructure |
| Google LLC (Gemini API) ¹ | Google Gemini API used for AI mention tracking where Customer enables the Gemini provider | United States |
| OpenAI, L.L.C. ¹ | ChatGPT API used for AI mention tracking where Customer enables the ChatGPT provider | United States |
| Anthropic, PBC ¹ | Claude API used for AI mention tracking where Customer enables the Claude provider | United States |
| Perplexity AI, Inc. ¹ | Perplexity API used for AI mention tracking where Customer enables the Perplexity provider | United States |
| Resend, Inc. | Transactional email delivery (account notifications, security alerts, audit reports) | United States |
| Stripe, Inc. | Payment processing and billing | United States and Stripe global infrastructure |
| LinkyCal ² (operated by Modern Tech Solutions, LLC) | Scheduling and calendar booking for Customer demos, sales calls, and support meetings | United States |
| ReplyMaven ² (operated by Modern Tech Solutions, LLC) | In-product support chat and customer support conversation handling | United States |
5.2 Notice of Changes. Encited shall notify Customer of any intended additions to or replacements of Sub-processors at least thirty (30) days in advance by updating this DPA. If Customer objects in writing to a new Sub-processor within fifteen (15) days of notice on reasonable data-protection grounds, the parties shall work together in good faith to find a workable solution. If no solution can be reached, Customer may terminate the affected portion of the Services with pro-rata refund of pre-paid fees.
6.0 Customer Representation and Warranty
Customer represents and warrants on behalf of itself and its employees that the Personal Data provided to Encited for processing under the Agreement and this DPA is collected and/or validly obtained and utilized by Customer and its employees in compliance with all Data Protection Laws, including without limitation the disclosure, informed affirmative consent and targeted advertising provisions of Data Protection Laws, including without limitation Chapter II of the GDPR, and Customer shall defend, indemnify and hold harmless Encited from and against all loss, expense (including reasonable out-of-pocket attorneys' fees and court costs), damage, or liability arising out of any claim arising out of a breach of this Section 6.
7.0 Data Protection
7.1 Data Security. Encited will utilize commercially reasonable efforts to protect the security, confidentiality, and integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards. Encited's current technical and organizational security measures are set out in Section 7.4 below. Notwithstanding the generality of the foregoing, Encited shall: (a) employ reasonable administrative, physical, and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to afford protection of the Personal Data in accordance with Data Protection Laws as would be appropriate based on the nature of the Personal Data; (b) utilize commercially reasonable efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data to prevent, and take prompt and proper remedial action against unauthorized access, copying, modification, storage, reproduction, display, or distribution of Personal Data; and (c) cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals reasonably promptly after it is reasonable to assume that (i) the specified purposes are no longer being served by Encited's retention of Personal Data, and (ii) retention is no longer necessary for legal or business purposes.
7.2 Authorized Personnel. Encited shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations at least as restrictive as those contained in this DPA.
7.3 Security Breaches. After confirmation of a Security Breach, (a) Encited will promptly: (i) notify Customer of the Security Breach; (ii) investigate the Security Breach; (iii) provide Customer with necessary details about the Security Breach as required by applicable law; and (iv) take reasonable actions to prevent a recurrence of the Security Breach; and (b) Encited agrees to cooperate in Customer's handling of the matter by: (i) providing reasonable assistance with Customer's investigation; and (ii) making available relevant records and other materials related to the Security Breach's effects on Customer, as required to comply with Data Protection Laws.
7.4 Technical and Organizational Measures. Encited implements and maintains the following technical and organizational measures to protect Personal Data, as required by Article 32 of the GDPR.
Access control. Role-based access control (RBAC) limits access to Personal Data to personnel with a documented business need. Authentication to production systems requires multi-factor authentication. Production credentials are rotated periodically and on personnel departure. Personal Data is segregated by tenant identifier.
Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher. Personal Data is encrypted at rest using AES-256 or equivalent at the storage layer of each Sub-processor (Cloudflare R2, Cloudflare D1, Cloudflare KV, PlanetScale, Google Cloud).
Network security. Production systems are deployed behind Cloudflare DDoS and WAF protection. Inbound access to administrative interfaces is restricted to authorized networks. Outbound traffic from production systems is monitored.
Renderer anonymity. As described in Section 2.5, the Encited rendering subsystem fetches Customer's origin without carrying any cookies, Authorization headers, or client session state. By design, the renderer cannot render or cache authenticated views, and cannot capture end-user session-bound Personal Data through the rendering pipeline.
Logging and monitoring. Production systems generate audit logs of administrative and security-relevant events. Logs are retained for a period sufficient to support incident investigation and are protected against unauthorized modification.
Backup and disaster recovery. Production data is backed up on a routine schedule. Backups are encrypted and access-controlled. Failover and contingency rendering pipelines are maintained on Google Cloud Platform to provide service continuity in the event of degradation of primary Cloudflare infrastructure. Disaster recovery procedures are tested periodically.
Personnel. Encited Authorized Personnel are bound by written confidentiality obligations. Personnel are trained on data protection and security responsibilities at hire and on a periodic refresh basis.
Vendor management. Sub-processors listed in Section 5.0 are subject to written agreements with data-protection terms no less protective than this DPA. Sub-processors are reviewed for security posture before engagement.
Incident response. Encited maintains a documented Security Breach response process, including triage, investigation, notification, and remediation, designed to satisfy the notification obligations of Section 7.3 of this DPA and applicable Data Protection Laws.
Certifications and audits. SOC 2 certification is under evaluation. Encited will make any independent audit reports available to Customer, subject to reasonable confidentiality obligations, once finalized. Customer may request the current status by emailing privacy@encited.com.
8.0 Assistance
8.1 Processor Assistance. Upon Customer's written request, Encited shall provide reasonable assistance to Customer as necessary in order to assist Customer with meeting its obligations under Data Protection Laws, including by providing information to Customer about Encited's technical and organizational security measures, and as needed to complete data protection assessments.
8.2 Data Subject Requests. Encited shall reasonably assist Customer with the fulfillment of Customer's obligations to Data Subjects exercising rights afforded by Data Protection Laws, with respect to Personal Data in the event that Customer cannot act on such request without Encited's assistance. If a Data Subject makes a request to Encited to exercise a right with respect to his or her Personal Data of which Customer is the Controller, Encited will promptly inform Customer of the request, and will advise the Data Subject to submit their request directly to Customer. Customer will be responsible for addressing such request.
9.0 Audits
Within thirty (30) days of Customer's written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, Encited shall make available to Customer (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate Encited's compliance with the obligations set forth in this DPA.
10.0 Miscellaneous
10.1 Conflict. In the event of any conflict or inconsistency between this DPA and Data Protection Laws, Data Protection Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the Processing of Personal Data.
10.2 Amendments. This DPA shall not be modified except in accordance with the "Changes" section of Encited's Terms of Use or the terms set out in the Agreement for modification. To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with Data Protection Laws or changes to Data Protection Laws, Customer and Encited agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Data Protection Laws.
10.3 Liability. Each Party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the "DPA" means this DPA including its exhibits and appendices.
10.4 Entire Agreement. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. This DPA, together with the Agreement, is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
Exhibit A: Standard Contractual Clauses
This Annex forms part of the Standard Contractual Clauses.
Annex I
A. List of Parties
Data exporter
The data exporter is Customer.
Address: the Customer's address set out in the Agreement.
Contact person's (DPO and/or EU representative) name, position, and contact details: the Customer's contact details as set out in the Agreement / order form.
Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Agreement.
Signature and date: Customer is deemed to have signed this Annex I by accepting Encited's Terms of Use.
Data importer
The data importer is Encited.
Legal name: Modern Tech Solutions, LLC d/b/a LaunchFast.shop, operating the service known as Encited.
Address: 131 Continental Dr, Suite 305, Newark, DE 19713, New Castle County
Contact person's (DPO and/or EU representative) name, position, and contact details: Privacy team, privacy@encited.com
Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Agreement.
Signature and date: Encited is deemed to have signed this Annex I by accepting Encited's Terms of Use.
B. Description of Transfer
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to Encited, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects: (i) the data exporter's authorized users, including employees, contractors, representatives, business partners, and collaborators; (ii) visitors to the data exporter's websites (predominantly automated crawler agents); and (iii) any individuals whose Personal Data the data exporter chooses to make publicly available on the data exporter's websites.
Categories of personal data transferred
Data exporter may submit Personal Data to Encited, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data: (a) first and last name; (b) title; (c) position; (d) employer; (e) contact information (company, email, phone, physical business address); (f) IP addresses and HTTP request metadata of visitors to the data exporter's websites; (g) Personal Data, if any, embedded by the data exporter in the data exporter's publicly accessible web pages and captured in rendered snapshots; (h) prompt text provided by the data exporter for AI mention tracking, which may incidentally contain Personal Data if the data exporter chooses to include it; and (i) other data in an electronic form used by Customer in the context of the Services.
Sensitive data transferred (if applicable)
None.
The frequency of the transfer
Continuous.
Nature of the processing
The processes may include collection, storage, retrieval, consultation, use, erasure or destruction, disclosure by transmission, dissemination, or otherwise making available data exporter's data as necessary to provide the Services in accordance with the data exporter's instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.).
Purpose(s) of the data transfer and further processing
The objective of the processing of Personal Data by the data importer is the performance of the contractual services under the Agreement with the data exporter, including SPA prerendering, cache management, crawler analytics, SEO audits, and AI mention tracking.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal data is retained for so long as is reasonably necessary to fulfill the purposes for which the data was collected, to perform our contractual and legal obligations, and for any applicable statute-of-limitations periods for the purposes of bringing and defending claims. Rendered snapshots are retained according to the cache refresh rules configured by Customer (default one (1) year retention; extended retention available on Enterprise plans).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter and nature of the processing by sub-processors are as set out in Section 5.0 of this DPA. The duration of the processing by sub-processors shall be for so long as data importer provides the Services under the Agreement to data exporter.
C. Competent Supervisory Authority
Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner's Office.
Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
Encited will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of personal data transferred to Encited as described in Section 7.4 of this DPA.
Annex III: Encited's Sub-Processors
By entering into this DPA, the Customer has authorized the use of the Sub-processors listed in Section 5.0 of this DPA.
Exhibit B: UK Addendum
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Exporter (who sends the Restricted Transfer)
- Full legal name: As set out in Annex I of Exhibit A
- Trading name (if different): n/a
- Main address (if a company registered address): As set out in Annex I of Exhibit A
- Official registration number (if any) (company number or similar identifier): n/a
- Full Name (optional): As set out in Annex I of Exhibit A
- Job Title: As set out in Annex I of Exhibit A
- Contact details including email: As set out in Annex I of Exhibit A
- Signature: Exporter is deemed to have signed this Addendum by accepting Encited's Terms of Use.
Importer (who receives the Restricted Transfer)
- Full legal name: Modern Tech Solutions, LLC d/b/a LaunchFast.shop, operating the service known as Encited
- Trading name (if different): Encited
- Main address (if a company registered address): As set out in Annex I of Exhibit A
- Official registration number (if any) (company number or similar identifier): 4328650 (Delaware)
- Full Name (optional): As set out in Annex I of Exhibit A
- Job Title: As set out in Annex I of Exhibit A
- Contact details including email: privacy@encited.com
- Signature: Importer is deemed to have signed this Addendum by accepting Encited's Terms of Use.
Table 2: Selected SCCs, Modules, and Selected Clauses
Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
- Date: As set out in the DPA
- Reference: n/a
- Other identifier (if any): n/a
Table 3: Appendix Information
"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As set out in Annex I of Exhibit A
Annex 1B: Description of Transfer: As set out in Annex I of Exhibit A
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in Annex II of Exhibit A
Annex III: List of Sub-processors (Modules 2 and 3 only): As set out in Annex III of Exhibit A
Table 4: Ending this Addendum when the Approved Addendum Changes
Which Parties may end this Addendum as set out in Section 19:
- Importer
- Exporter
Part 2: Mandatory Clauses
Mandatory Clauses
- Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
