Privacy Law Addendum

Last updated on March 10, 2025

This United States Privacy Law Addendum (the “Addendum”) supplements the Master Services Agreement (the “Agreement”) by and between Customer (as defined in the Agreement) and Pursuit Markets Inc. (“Company,” and together with Customer, the “Parties”). This Addendum includes the terms of the Agreement. Any capitalized terms that are used but not defined herein shall have the definitions set forth in the Agreement. Where there is a conflict between the Agreement and this Addendum, this Addendum will control.

1. Definitions.

1.1 “Authorized Subprocessor” means a third-party entity engaged by Company to process Personal Data in order to provide the Services and that has been approved by Customer in accordance with Section 6.

1.2 “Company Account Data” means personal data that relates to Company’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.

1.3 “Company Usage Data” means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

1.4 “Consumer” means a natural person whose Personal Data is protected by Privacy Laws.

1.5 “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of Processing Personal Data. “Controller” includes the term “Business” or equivalent term under Privacy Laws.

1.6 “Personal Data” means any information provided to Company by or on behalf of Customer in connection with the Services that relates to an identified or identifiable Consumer and constitutes “personal data,” “personal information,” or equivalent term under Privacy Laws.

1.7 “Privacy Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the processing of Personal Data including, each, to the extent applicable (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), (ii) the Colorado Privacy Act (the “CPA”), (iii) the Connecticut Data Privacy Act (the “CTDPA”), (iv) the Delaware Personal Data Privacy Act (“DPDPA”), (v) the Iowa Consumer Data Protection Act (“ICDPA”), (vi) the Montana Consumer Data Privacy Act (“MCDPA”), (vii) the Nebraska Data Privacy Act (“NDPA”), (viii) the Oregon Consumer Privacy Act (“OCPA”), (ix) the Texas Data Privacy and Security Act (“TDPSA”), (x) the New Hampshire Privacy Act (“NHPA”), (xi) the New Jersey Privacy Act (“NJPA”), (xii) the Utah Consumer Privacy Act (the “UCPA”), and (xiii) the Virginia Consumer Data Protection Act (the “VCDPA”); in each case, as updated, amended or replaced from time to time. Each of the terms “affiliate,” “business purpose,” “Controller,” “cross-contextual behavioral advertising,” “Personal Data Breach,” “Processor,” “process” or “processing,” “sell,” “share,” “supervisory authority,” or “targeted advertising” shall have the meaning set forth for that or any equivalent term under Privacy Laws. The terms “Controller” and “Processor” include “Business” and “Service Provider,” respectively, each as defined in the CCPA.

2. Description of Processing.

2.1 Nature and Purpose of Processing: Except with respect to Company Account Data and Company Usage Data, Company shall Process Personal Data provided by Customer under the Agreement as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum. Such purposes shall include providing services related to government contracting.

2.2 Duration of Processing: Company shall Process Personal Data provided by Customer as long as required (i) to provide the Services to Customer under the Agreement, or (ii) by applicable law or regulation.

2.3 Categories of Consumers: Company may Process Personal Data relating to the following categories of Consumers: Customer prospects or end-users, Customer, and/or Customer employees.

2.4 Categories of Personal Data: Company may Process the following categories of Personal Data: name, location, email address, phone number, occupation, and title.

3. Customer’s Obligations. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Company to be in breach of the Privacy Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data. Customer shall not provide or make available to Company any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith. Company shall immediately notify Customer if an instruction, in Company’s opinion, infringes Privacy Laws or instruction from a regulatory agency.

4. Use of Personal Data. Company shall not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data outside of Company’s direct business relationship with Customer or for any purpose other than for a business purpose under the CCPA on behalf of Customer or as necessary to perform the Services for Customer pursuant to the Agreement, except as otherwise permitted in the Agreement or by Privacy Laws; and (iii) combine Personal Data received from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another party or person, except as necessary to provide the Services or as otherwise instructed by Customer.

5. Audit. To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either (1) make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards applicable to the Processing of Personal Data provided by Customer under the Agreement, or (2) if the provision of reports or certifications pursuant to (1) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third-party representative to conduct an audit or assessment of Company’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Company’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Company for any time expended for on-site audits. To the extent permitted under Privacy Laws, if Customer determines that Company is processing Personal Data in an unauthorized manner, Customer may, taking into account the nature of Company’s processing and the nature of the Personal Data processed by Company on behalf of Customer, and upon providing prior written notice, take commercially reasonable and appropriate steps to stop and remediate such unauthorized processing.

6. Authorized Subprocessors.

6.1 A list of Company’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto, at a link provided to Customer, via email or through another means made available to Customer.  Such List may be updated by Company from time to time.  Company may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the processing of Personal Data, Company will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Company within ten (10) days of receipt of the aforementioned notice to Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent Company from offering the Services to Customer. If Customer does not object to the engagement of a third party within ten (10) days of notice by Company, that third party will be deemed an Authorized Subprocessor for the purposes of this Addendum.

6.2 If Customer reasonably objects to an engagement in accordance with Section 6.1, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Company.  Discontinuation shall not relieve Customer of any fees owed to Company under the Agreement.

6.3 Company will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Company under this Addendum with respect to the protection of Personal Data.  In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with Company, Company will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.

7. Confidentiality and Security of Personal Data.

7.1 Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company’s confidentiality obligations in the Agreement. Customer agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this Addendum, the Agreement, or the provision of Services to Customer.

7.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data.

8. Personal Data Breach.

8.1 In the event of a Personal Data Breach, Company shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Company in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach, to the extent that remediation is within Company’s reasonable control.

8.2 In the event of a Personal Data Breach, Company shall, taking into account the nature of the processing and the information available to Company, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Privacy Laws with respect to notifying (i) the relevant regulatory agency and (ii) Consumers affected by such Personal Data Breach without undue delay.

8.3 The obligations described in Sections 8.1 and 8.2 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Company’s obligation to report or respond to a Personal Data Breach under Sections 8.1 and 8.2 will not be construed as an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.

9. Data Protection Assessments. Taking into account the nature of Company’s processing and the information available to Company, Company shall reasonably cooperate with Customer to conduct any data protection or privacy impact assessments as required by Privacy Laws, including by providing Customer with information and documents necessary for such assessments that Customer cannot otherwise obtain without Company’s assistance. Notwithstanding the foregoing, Customer and Company each remain responsible only for the measures respectively allocated to them under Privacy Laws pertaining to any such assessment.

10. Consumer Request. Company shall, to the extent permitted by Privacy Laws, notify Customer upon receipt of a request by a Consumer to exercise his or her rights under Privacy Laws with respect to his or her Personal Data (each a “Consumer Request”). If Company receives a Consumer Request in relation to Personal Data, Company will advise the Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Consumer Requests communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.

11. Return or Destruction of Personal Data. Upon the termination or expiration of the Agreement, at Customer’s choice, Company shall return or delete Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.