Tray.ai Data Processing Agreement

This Tray.ai Data Processing Addendum (“DPA”) is entered into between Tray.ai, Inc. (“Tray”) and the customer entity identified below. This DPA shall be incorporated by reference into the agreement between Customer and Tray that governs Customer’s use of Tray’s software-as-a-service (SaaS) integration services offerings (“Subscription Services”) (such agreement is commonly named the Tray.ai Master Subscription Agreement, and is referred to in this DPA as the “Agreement”).

This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) subject to the Data Protection Laws (defined below) is Processed (defined below) by Tray under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with Data Protection Laws, and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.

Data Processing terms

The parties agree as follows:

1. Definitions

For the purposes of this DPA:

  1. “Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity.

  2. "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and including a Business as such term is defined under the CCPA.

  3. “Data Protection Laws” means the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), as amended, replaced or superseded, the applicable data protection laws of EEA Countries and Switzerland, the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”) and the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq., and its implementing regulations, as amended, replaced or superseded, including by the California Privacy Rights Act (“CCPA”).

  4. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CCPA.

  5. “EEA” means the European Economic Area, which constitutes the Member States of the European Union and Norway, Iceland and Liechtenstein.

  6. “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Data as such term is defined under the CCPA.

  7. "Processor" means the entity which Processes Personal Data on behalf of the Controller and including a Service Provider under the CCPA.

  8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  9. “Standard Contractual Clauses” means the agreement executed by and between Customer and Tray and attached hereto as Exhibit A pursuant to the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

  10. “Sub-processor” means any entity engaged by Tray to Process Personal Data in connection with the Subscription Services.

  11. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

  12. “Third Country” is a country outside the European Economic Area or the UK which was not acknowledged by the EU Commission or a UK Secretary of State as providing an adequate level of protection in accordance with Article 45(3) of the GDPR or Article 45 of the UK GDPR.

  13. “User” means any individual who uses the Subscription Service on Customer’s behalf or through Customer’s account or passwords.

2. Applicability and Scope of DPA

  1. Applicability. This DPA applies when Personal Data is Processed by Tray as part of Tray’s provision of the Subscription Services, as further specified in the Agreement.

  2. Details of Data Processing.

    1. Subject matter: The subject matter of the Processing under this DPA is the Customer’s Personal Data.

    2. Duration: As between Tray and Customer, the duration of the Processing under this DPA is the term of the Agreement, unless earlier terminated as set forth therein.

    3. Purpose and Nature of the Processing: The purpose of the Processing under this DPA is the provision of the Subscription Services to the Customer in accordance with the Agreement.

    4. Categories of Data Subjects: Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by Customer and which may include, but is not limited to, Personal Data relating to the following categories of data subjects: agents, employees, consultants, contractors, customers, and prospective customers of Customer (who are natural persons), and Customer’s Users.

    5. Types of Personal Data: Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by Customer in Customer’s discretion, provided however, Customer shall not submit any special categories of data to the Subscription Services unless identified in Annex 1 of Exhibit A.

3. Roles and Responsibilities

  1. Parties' Roles. Customer is (or represents that it is acting with full authority on behalf of) the “Controller”. Customer appoints Tray as a Processor to process the Personal Data on Customer's behalf. In some circumstances Customer may be a Processor, in which case Customer appoints Tray as Customer’s sub-processor, which shall not change the obligations of either Customer or Tray under this DPA, as Tray will remain a Processor with respect to the Customer in such event.

  2. Purpose Limitation. Tray shall only Process Personal Data for the following purposes: (i) Processing as reasonably required to provide the Subscription Services and perform Tray's obligations under the Agreement and this DPA, and as otherwise agreed by the parties; (ii) Processing initiated by Customer and its Users in their use of the Subscription Services; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement and Data Protection Laws; and (iv) as otherwise required by applicable law. The Agreement and this DPA, along with Customer’s configuration and use of the Subscription Services as further described in Section 2.2(c) above, are Customer's complete and final instructions to Tray in relation to the Processing of Personal Data, including for purposes of the Standard Contractual Clauses, and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties.

  3. Compliance. Customer will not instruct Tray to Process Personal Data in violation of applicable Data Protection Laws. Tray has no obligation to monitor the compliance of Customer’s use of the Subscription Services with Data Protection Laws, though Tray will immediately inform Customer if, in Tray’s opinion, an instruction from Customer infringes applicable Data Protection Law and will be under no obligation to follow such instruction, until the matter is resolved following a good-faith discussion between the parties. Customer, as Controller, shall ensure that, in connection with its use of the Subscription Services, transfer of Personal Data to Tray and provision of instructions to Tray as Processor:

    1. it will provide all necessary notices to Data Subjects and receive all necessary permissions and consents, or otherwise secure the required lawful ground of Processing, as necessary for Tray to process Personal Data on Customer's behalf under the terms of the Agreement and this DPA, pursuant to the applicable Data Protection Laws; and

    2. to the extent required under the applicable Data Protection Laws, it will appropriately document the Data Subjects' notices and consents, or necessary assessment with other applicable lawful grounds of Processing.

  4. Tray will not (1) Sell Personal Data, or (2) retain, use or disclose Personal Data: (i) for any purpose other than for the specific purpose of performing the Subscription Services, or (ii) outside of the direct business relationship between Customer and Tray, except as permitted under applicable Data Protection Laws. Tray acknowledges and will comply with the restrictions set forth in this Section 3.4.

  5. The parties acknowledge and agree that the Personal Data that Customer discloses to Tray is provided to Tray for a Business Purpose, and Customer does not Sell such Personal Data to Tray in connection with the Agreement.

4. Security

  1. Security. Tray shall implement and maintain appropriate technical and organisational measures taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access or use (each a "Security Incident") and in accordance with Tray's security standards available at https://tray.ai/documentation/platform/security/statement.

  2. Confidentiality of Processing. Tray shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and obligations with respect to the Processing, protection and confidentiality of Personal Data, and have executed written confidentiality agreements no less protective than the confidentiality obligations set forth in the Agreement.

  3. Security Incidents. Tray shall notify Customer without undue delay after becoming aware of a Security Incident. Tray's notice will at least: (a) describe the nature of the Security Incident including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of Tray's data protection team, which will be available to provide any additional available information about the Security Incident; (c) describe the likely consequences of the Security Incident; (d) describe the measures taken or proposed to be taken by Tray to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Tray will work diligently, pursuant to its incident management and breach notification policies and procedures, to promptly identify and remediate the cause of the Security Incident and will promptly inform Customer accordingly. Tray’s notification of or response to a Security Incident under this Section 4.3 shall not be construed as an acknowledgement by Tray of any fault or liability with respect to the Security Incident.

  4. Updates to Security Measures. Tray regularly monitors compliance with the security measures and Customer acknowledges that Tray’s security measures are subject to technical progress and development and that Tray may update or modify its security program from time to time provided that such updates and modifications do not result in the material degradation of the overall security of the Subscription Services purchased by Customer.

5. Sub-processing

  1. Sub-processors. Customer agrees that Tray may engage Tray Affiliates and third parties as Sub-processors to Process the Personal Data in connection with the provision of the Subscription Services as described in this Section 5. Tray shall remain liable for any breach of the DPA caused by a Sub-processor to the same extent Tray would be liable if performing the services of such Sub-processor directly under the terms of this DPA.

  2. Sub-processor Obligations. Where Tray authorizes any Sub-processor described in this Section 5, Tray will enter into a written agreement with the Sub-processor imposing substantially the same data protection obligations as required by this DPA, to the extent applicable to the nature of the services provided by such Sub-processor.

  3. Current Sub-processors and Changes to Sub-processors. The Sub-processors currently engaged by Tray and authorized by Customer are listed at Tray’s Sub-processor web page: https://tray.ai/sub-processors. Tray shall provide Customer with thirty (30) days’ prior notice before utilizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Subscription Services, such notification to be sent to the email address of Customer’s signatory to this DPA or such other email address for notices provided to Tray by Customer in accordance with the notice provisions of the Agreement. Customer may object in writing to Tray’s appointment of a new Sub-processor within ten (10) business days of such notice, provided that such objection is based on reasonable grounds relating to data protection and security. In such event, the parties will discuss such concerns in good faith with a view to achieving a mutually agreeable resolution. If the parties are unable to resolve the objection within a reasonable period of time, which shall not exceed the thirty (30) days’ notice period mentioned above, either party may terminate without penalty the applicable Order Form(s) with respect only to those services which cannot be provided by Tray without the use of the objected-to new Sub-processor by providing written notice to the other party.

6. Assistance

  1. Data Subjects' Rights. Taking into account the nature of the Processing, Tray shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under Data Protection Laws, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. In the event such inquiry, communication or request is made directly to Tray, Tray shall, to the extent legally permitted, inform Customer without undue delay by providing the full details of the request, and unless legally compelled to do so shall not respond to such communication directly without Customer's prior authorization except to redirect the Data Subject to Customer. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability involving that Data Subject’s Personal Data. To the extent Customer, in its use of the Subscription Services, does not have the ability to address a Data Subject’s request, Tray shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such request, to the extent Tray is legally permitted to do so and the response to such request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Tray’s provision of such assistance.

  2. Supervisory Authorities. To the extent legally permitted, Tray shall notify Customer without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data, and will attempt to redirect the Supervisory Authority or law enforcement agency to request that data directly from Customer. As part of this effort, Tray may provide Customer’s basic contact information to the authority. If compelled to disclose Personal Data to a Supervisory Authority or law enforcement agency, Tray will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Tray is legally prohibited from doing so. Tray will further assist Customer in ensuring compliance with Customer's obligations in connection with the security of Processing, notification of a Security Incident to supervisory authorities and affected Data Subjects.

  3. Data Protection Impact Assessments and Prior Consultation. Taking into account the nature of the Processing and the information available to Tray, Tray shall, to the extent required by Data Protection Laws, provide Customer with reasonable assistance, at Customer’s expense, with data protection impact assessments and/or prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Laws, by providing Customer with any publicly available documentation for the Subscription Services or by complying with Section 7 below. Additional support for data protection impact assessments or relations with regulators may be available upon mutual agreement of the parties on fees, the scope of Tray’s involvement, and any other terms that the parties deem appropriate.

7. Security Reports and Audits

  1. Customer acknowledges that Tray is regularly audited against SOC 2 Type 2 or equivalent standards by independent third party auditors. Upon Customer’s written request, once annually, Tray will provide a copy of the most recent SOC 2 audit report (“Report”) to Customer, which Report(s) shall be Tray’s Confidential Information subject to the confidentiality provisions of the Agreement. Tray shall also respond within a reasonable time to a reasonable written information security questionnaire submitted to it by Customer not more than once a year.

  2. Customer agrees to the provision of the Report by Tray in fulfilment of any audit cooperation responsibilities that may apply to Tray under Data Protection Laws or Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses (where applicable). Notwithstanding the foregoing, if Customer reasonably believes that an audit is necessary to meet its obligations under any applicable Data Protection Laws, Tray shall allow Customer (or Customer’s independent third-party auditor) to conduct an audit of the procedures relevant to the protection of Personal Data, subject to the following terms: (i) the audit will be pre-scheduled in writing with Tray, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (ii) a third-party auditor will execute a non-disclosure and non-competition undertaking toward Tray; (iii) the auditor will not have access to non-Customer data; (iv) Customer will make sure that the audit will not interfere with or damage Tray's business activities and information and network systems; (v) Customer will bear all costs and expenses related to the audit; (vi) the auditor will first deliver a draft report to Tray and allow Tray reasonable time and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to the Customer; (vii) Customer will receive only the auditor's report, with Tray’s comments, without any Tray 'raw data' materials, will keep the audit results in strict confidentiality and will use it solely for the specific purposes of the audit under this DPA; and (viii) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report.

8. Deletion or Return of Customer Data

  1. Deletion or Return of Data. Upon termination or expiration of the Agreement, Tray shall, in accordance with the terms of the Agreement, delete or make available to Customer for retrieval all Personal Data in Tray's possession, except to the extent that Tray is required by any applicable law to retain some or all of the Personal Data. In such event, Tray shall extend the protections of the Agreement and this DPA to such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention, for so long as Tray maintains the Personal Data.

9. Onward and Trans-border Transfer

  1. Transfer of GDPR governed Personal Data (“EEA Transferred Data”) to a Third Country, is made in accordance with the EU Standard Contractual Clauses (“EU SCCs”) in the module specified in Exhibit A which is attached and incorporated by reference to this DPA, or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism, and as follows:

    1. In Clause 7, the optional docking clause will apply.

    2. In Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Section 5 of this DPA.

    3. In Clause 11, the optional language will not apply.

    4. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law.

    5. In clause 18(b), disputes will be resolved before the courts of Ireland.

  2. In accordance with Article 46 of the GDPR and the Standard Contractual Clauses, and without prejudice to any provisions of this DPA, Tray undertakes the following additional safeguards to secure Personal Data transferred on the basis of the EU SCCs and in accordance with Clause 14(b)(iii) of the EU SCCs, to ensure the required adequate level of protection to the EEA Transferred Data:

    1. Tray will implement and maintain the technical and organizational measures, as specified in Annex II of Exhibit A, such as encryption, access controls, or similar technologies, as applicable, with a purpose to protect EEA Transferred Data against any processing for national security or other government purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances;

    2. For the purposes of safeguarding EEA Transferred Data when any government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order or if otherwise Tray may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of imminent threat to lives, Tray will:

      1. not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;

      2. not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data; and

      3. upon Customer’s written request, provide reasonable available information about the requests of access to Personal Data by government agencies Tray has received in the 6 months preceding Customer’s request.

    3. If Tray receives a Request, Tray will notify Customer of such request to enable the Customer to take necessary actions, to communicate directly with the relevant authority and to respond to the Request. If Tray is prohibited by law to notify the Customer of such request, Tray will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.

    4. Transfer of UK GDPR-governed Customer’s Personal Data (“UK Transferred Data”) to a Third Country, is made in accordance with the EU SCCs in relation to the UK Transferred Data subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the UK Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (officially published at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), and officially published by the Information Commissioner’s Office, and as follows:

      1. the EU SCCs giving effect to the module specified in Exhibit A which is attached and incorporated by reference to this DPA, will also apply to UK Transferred Data, subject to Sections 9.1 and 9.2 above;

      2. the UK Addendum will be deemed executed between the parties, and the EU SCCs will be deemed amended as specified by the UK Addendum in relation to the UK Transferred Data.

10. Miscellaneous

  1. Except as amended by this DPA, the Agreement will remain in full force and effect.

  2. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between this DPA and the Standard Contractual Clauses, where the Standard Contractual Clauses are applicable, the Standard Contractual Clauses will control.

  3. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. Each party’s and all of their Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and the DPA together.

  4. Customer may terminate this DPA and the Standard Contractual Clauses at Customer’s discretion upon Tray’s receipt of Customer’s written notice of termination.

Exhibit A

ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council

MODULE TWO: Transfer controller to processor

or

MODULE THREE: Transfer processor to processor

The Standard Contractual Clauses are available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN

ANNEX I

A. LIST OF PARTIES

  1. Data exporter(s): Customer whose details are indicated in the applicable Agreement.

    • Role (controller/processor): Controller or Processor

  2. Data importer(s): Tray.ai, Inc.

    • Address: 25 Stillman Street, San Francisco CA 94107, United States.

    • DPA Contact person’s name, position and contact details: Nick Hawkins, Security & Compliance Officer, privacy@tray.ai.

    • Tray’s Contact person’s name, position and contact details: As indicated in the applicable Agreement.

    • Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred -

  • Customer has sole control over the categories of Personal Data it uploads to the Subscription Services, which may include, but are not limited to: agents, employees, consultants, contractors, customers, and prospective customers of Customer (who are natural persons), and Customer’s Users.

Categories of personal data transferred -

  • Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled solely by Customer in Customer’s discretion.

  • Special categories of data: None anticipated, but the Subscription Services do not impose a technical restriction on the categories of Personal Data Customer may provide. Customer has sole control over the Personal Data uploaded to the Subscription Services.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) -

  • Continuous basis.

Nature of the processing –

  • All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.

Purpose(s) of the data transfer and further processing -

  • The provision of the Subscription Services in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period -

  • Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing –

  • The subject matter of the processing is Customer’s Personal Data, the nature of the Processing is the performance of the Subscription Services under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State - the supervisory authority of such EU Member State shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) - the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) - the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Tray’s technical and organizational measures are available at: https://tray.ai/documentation/platform/security/statement/

ANNEX III

LIST OF SUB-PROCESSORS

Tray’s list of sub-processors is available at: https://tray.ai/sub-processors

Last updated: 7 Aug 2024
