RocketReach Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the RocketReach Terms of Service ("Agreement") between you ("Customer") and RocketReach LLC ("RocketReach"). Customer and RocketReach may be referred to herein as the "Parties" and individually as a "Party". Except as supplemented or modified below, the terms of the Agreement remain in full force and effect and will be read and construed as one document with this DPA. RocketReach and Customer agree as follows:

DEFINITIONS

1.1. Capitalized terms not otherwise defined herein have the meaning given to them in the Agreement.

1.2. The following terms have the meanings set out below for this DPA:

1.2.1. "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" have the meaning given to them in Data Protection Law;

1.2.2. "Customer Personal Data" means any Personal Data Processed by RocketReach on behalf of Customer as a result of, or in connection with, the provision of the Services, as described in Annex I;

1.2.3. "Data Protection Law(s)" means any laws and regulations, including the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., (as amended and together with any regulations relating thereto) (the "CCPA"), Regulation (EU) 2016/679 ("GDPR"), Directive 2002/58/EC (as amended by Directive 2009/136/EC), the UK GDPR (as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018) ("UK GDPR") and all other data protection laws of the European Union, the European Economic Area ("EEA"), and their respective member states, Switzerland the United Kingdom ("UK"), United States and other jurisdictions applicable to the Processing of Personal Data under the terms of the Agreement and this DPA, and any legal instrument for International Data Transfers, each as applicable, and as may be amended or replaced from time to time;

1.2.4. "Data Subject Request" means a request from a Data Subject to exercise any right granted by Data Protection Law, including the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;

1.2.5. "International Data Transfer" means (a) a transfer of Personal Data from an entity subject to applicable Data Protection Laws in respect of that Personal Data to another entity (the "Direct Receiver") that is in a territory which (but for the operation of this DPA) does not offer an adequate level of data protection as required by applicable Data Protection Law and where such transfer is not subject to any permitted derogations or conditions contained in the applicable Data Protection Laws; or (b) the onward transfer of Personal Data from a Direct Receiver to or within a territory which (but for the operation of this DPA) does not offer an adequate level of data protection as required by the applicable Data Protection Laws and where such transfer is not subject to any of the permitted derogations or conditions contained in applicable Data Protection Laws;

1.2.6. "RocketReach Personal Data" means any Personal Data which Customer accesses through the Services, as described in Annex I;

1.2.7. "Standard Contractual Clauses" means in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to Third Countries set out in Commission Decision 2021/914 of 4 June 2021, as amended from time to time;

1.2.8. "Sub-processor" means a Processor engaged by a Processor to carry out Processing on behalf of a Controller;

1.2.9. "Third Country" means (a) in relation to Personal Data transfers subject to Chapter V of the GDPR, any country or territory outside of the EEA, excluding countries or territories approved as providing adequate protection for Personal Data by the European Commission from time to time pursuant to Article 45 of the GDPR; and (b) in relation to Personal Data transfers subject to Chapter V of the UK GDPR, any country or territory outside of the scope of the Data Protection Laws of the UK, excluding countries or territories approved as providing adequate protection for Personal Data by the UK Information Commissioner from time to time pursuant to Article 45 of the UK GDPR; and

1.2.10. "UK Standard Contractual Clauses" means in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, as amended from time to time.

ROLES OF THE PARTIES

2.1. The Parties agree that each Party acts as a separate and independent Controller in relation to RocketReach Personal Data that is Processed under the terms of the Agreement and this DPA. The Parties acknowledge and confirm that neither this DPA, nor any other aspect of the Services, creates a joint-controllership between the Parties in relation to any Personal Data. Each Party shall comply with and Process all RocketReach Personal Data in accordance with their respective obligations under Data Protection Law, and Customer, as Controller, is responsible for its own Processing activities in relation to such Personal Data, including for the Processing of RocketReach Personal Data for Customer’s own purposes.

2.2. Where RocketReach is acting as a Processor, in particular in respect of any Customer Personal Data, RocketReach will process the Customer Data only on documented instructions from Customer, unless required to do so by any applicable law to which RocketReach is subject; in such a case, RocketReach will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

CUSTOMER’S RESPONSIBILITIES

Customer warrants and represents, on behalf of itself, its employees, sub-contractors and/or agents, that (a) it will comply with and Process all RocketReach Personal Data and Customer Personal Data in accordance with its obligations under Data Protection Law; (b) it will maintain a publicly accessible privacy policy on its website that satisfies the transparency disclosure requirements of Data Protection Law, including Articles 13 and 14 of the GDPR; (c) it will conduct reasonable data protection due diligence on any third party to whom it will disclose RocketReach Personal Data; (d) any sharing of RocketReach Personal Data with, or any subcontracting of the Processing of RocketReach Personal Data to, third parties will be subject to a legally binding agreement that imposes at least the same level of protection as is required by this DPA; (e) it will cooperate with RocketReach in relation to any Data Subject Requests; (f) it will notify RocketReach promptly about any enquiries from the relevant Supervisory Authority in relation to the RocketReach Personal Data and cooperate with such Supervisory Authority; and (g) in the event of a Personal Data Breach affecting the RocketReach Personal Data, Customer will notify RocketReach of the Personal Data Breach without undue delay and no later than 48 hours from becoming aware of the Personal Data Breach.

ROCKETREACH RESPONSIBILITIES

4.1. To the extent RocketReach acts as a Processor of the Customer Personal Data, RocketReach shall (a) ensure that all of its employees authorized to Process Customer Personal Data are subject to an obligation of confidentiality; (b) implement and maintain appropriate technical and organizational security measures to adequately protect the Customer Personal Data as set out in Annex II to this DPA; (c) to the extent required by Data Protection Laws, provide such reasonable assistance as Customer may request in relation to its compliance with Articles 32 to 36 of the GDPR and UK GDPR; (d) in the event of a Personal Data Breach affecting the Customer Personal Data notify Customer of the Personal Data Breach without undue delay; (e) provide Customer with such information as the Customer may reasonably request with respect to RocketReach’s compliance with the obligations under this DPA and any applicable Data Protection Law, provided that adequate notice is given to RocketReach to provide such information; and (f) delete, anonymize, or return the Customer Personal Data to the Customer after the end of the provision of the Services, and anonymize existing copies unless applicable law requires storage of the Customer Personal Data.

4.2. Customer hereby grants RocketReach general authorization to engage Sub-processors in connection with the Agreement. RocketReach will maintain a list of Sub-Processors appointed to Process Customer Personal Data which is available in RocketReach’s Trust Center.

INTERNATIONAL DATA TRANSFER

5.1. RocketReach hereby authorizes Customer to transfer RocketReach Personal Data to a Third Country, and Customer hereby authorizes RocketReach to transfer Customer Personal Data to a Third Country on the basis of appropriate safeguards in accordance with Data Protection Law or pursuant to the Standard Contractual Clauses or the UK Standard Contractual Clauses. The Parties hereby agree and declare that the Standard Contractual Clauses and the UK Standard Contractual Clauses, which are hereby incorporated into and form part of this DPA, shall be the transfer instrument applicable to such transfers, and the Parties shall comply with their respective obligations as data exporter or data importer, as applicable, under such standard clauses.

5.1.1. Where RocketReach Personal Data originating in the EEA are to be Processed by the Customer outside the EEA, then the International Data Transfer will be governed by Module One (controller-to-controller) of the Standard Contractual Clauses, and where Customer Personal Data originating in the EEA are to be Processed by RocketReach outside the EEA, then the International Data Transfer will be governed by Module Two (controller-to-processors) of the Standard Contractual Clauses, which are hereby completed as follows: with respect to Module One, the "data exporter" is RocketReach; the "data importer" is Customer; and with respect to Module Two, the "data exporter" is Customer; the "data importer" is RocketReach; the optional docking clause in Clause 7 is struck; the optional paragraph in Clause 11(a) is struck; in the case of Module Two, Clause 9(a) option 2 is implemented with a time period of five (5) calendar days, Clause 11(a) 2nd paragraph is struck, Clause 13(a) paragraph 2 is implemented; the governing law in Clause 17, option 1, is the law of the Republic of Ireland and the courts in Clause 18(b) are the courts of the Republic of Ireland; Annex 1 and 2 to the SCCs are Annex I and II to this DPA respectively.

5.1.2. Where RocketReach Personal Data originating in the UK are to be Processed by the Customer outside the UK, then the International Data Transfer will be governed by the UK Standard Contractual Clauses, which are hereby completed as follows: (a) in Table 1: the "data exporter" is RocketReach; the "data importer" is Customer; (b) in Table 2, the second option for Approved EU SCCs is selected and the Modules One table is completed as in Sec 5.1.1; (c) Table 3 is completed per Annex I/II; and (d) changes set out in Section 12 of the UK SCCs apply. England & Wales law applies.

5.1.3. Where Customer Personal Data originating in the UK are to be Processed by RocketReach outside the UK, then the International Data Transfer will be governed by the UK Standard Contractual Clauses, completed similarly to Sec 5.1.2 with exporter/importer roles reversed for Customer and RocketReach. England & Wales law applies.

5.2. Customer represents it will not breach any provision of the SCCs or UK SCCs.

5.3. Customer must inform RocketReach ≥30 days prior to any change of transfers, including country and legal basis per Sec 5.1.

5.4. If transfers compliance is affected by external events (e.g., instrument invalidation), Parties will work in good faith to resolve non‑compliance. RocketReach may amend this DPA to incorporate approved replacement SCCs.

LIABILITY

CUSTOMER EXPRESSLY UNDERSTANDS AND AGREES THAT IN NO EVENT WILL ROCKETREACH OR ITS SUBSIDIARIES, AFFILIATES, AGENTS, LICENSORS, OR THEIR EMPLOYEES, CONTRACTORS, AGENTS, OFFICERS, OR DIRECTORS, BE LIABLE FOR SPECIAL, PUNITIVE, INCIDENTAL, EXEMPLARY, CONSEQUENTIAL DAMAGES; PROCUREMENT COSTS; INTERRUPTION, LOSS OR CORRUPTION OF DATA; LOST PROFITS; BUSINESS INTERRUPTION DAMAGES; OR AMOUNTS EXCEEDING THE FEES PAID BY CUSTOMER TO ROCKETREACH UNDER THE AGREEMENT DURING THE THREE (3) MONTH PERIOD PRIOR TO THE CAUSE OF ACTION. ROCKETREACH SHALL HAVE NO LIABILITY FOR FAILURES OR DELAYS DUE TO FORCES BEYOND OUR REASONABLE CONTROL. THIS LIMITATION DOES NOT APPLY WHERE PROHIBITED BY LAW.

INDEMNITY

Customer agrees to indemnify and hold harmless RocketReach and affiliates from any claims, damages, liabilities, losses, costs, or expenses (including attorney’s fees), arising from: (a) breaches of Data Protection Laws by Customer or its recipients of RocketReach Personal Data; and (b) breaches of obligations under this DPA.

MISCELLANEOUS

8.1. In the event of any inconsistency between this DPA and the Agreement, this DPA prevails.

8.2. This DPA is governed by the laws specified in the Agreement.

8.3. If any DPA provision is invalid or unenforceable, the remainder stays in effect.