PROVIDER DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”), applies to the Agreement between Stellaralgo Corp. (“StellarAlgo”), a Canadian corporation (“PROVIDER”), and its customer(s) (“Customer”) (collectively referred to as the “Parties”), sets forth the terms and conditions relating to the privacy, confidentiality, security and protection of Personal Data (as defined below) associated with services to be rendered by PROVIDER to Customer (and no other person) pursuant to the agreement entered into between the Parties whereby the Customer subscribed for PROVIDER’s services (the “Agreement”).

1. Definitions

Applicable Law” means all applicable national, federal and state laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the California Consumer Privacy Act as amended by the California Privacy Rights Act, and its implementing regulations as amended by the California Privacy Rights Act of 2020 (“CCPA”); as well as relevant data protection and privacy laws in other jurisdictions applicable to Data Processor.

Data Security Measures” means technical and organisational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.

Data Subject” means an identified or identifiable natural person to which the Personal Data pertains.

Instructions” means this DPA, the Agreement and any further written agreement or documentation through which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data.

Personal Data” means any information relating to an identified or identifiable natural person Processed by PROVIDER in accordance with Customer’s Instructions; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

Services” means the services offered by PROVIDER and subscribed for by Customer under the Master Agreement.

Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.

2. Roles and Responsibilities of the Parties

2.1. The parties acknowledge and agree that with regard to the Processing of Personal Data, PROVIDER is a Processor and that PROVIDER or members of the PROVIDER Group will engage Sub-processors pursuant to the requirements set forth in section 4 “Sub-processors” below.

2.2. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of their Personal Data by PROVIDER as Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws and Regulations.

2.3. PROVIDER shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

2.4. The subject-matter of Processing of Personal Data by PROVIDER is the performance of the Services pursuant to the Agreement.

2.5. PROVIDER shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the Applicable Law and/or (ii) if PROVIDER is unable to follow Customer’s instructions for the Processing of Personal Data.

3. Obligation of the PROVIDER

PROVIDER agrees to and warrants that it shall:

3.1. Process Personal Data disclosed to it by Customer only in accordance with Applicable Law and on behalf of, and in accordance with, the Instructions of the Data Controller, including in order to provide the Services (as defined in the Agreement) or as otherwise, unless PROVIDER is otherwise required by Applicable Law, in which case PROVIDER shall inform Customer of that legal requirement before Processing the Personal Data, unless informing the Customer is prohibited by law. PROVIDER shall immediately inform Customer if, in PROVIDER’s opinion, an Instruction provided infringes Applicable Law.

3.2. Ensure that any person authorised by PROVIDER to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller.

3.3. Inform Customer promptly and without undue delay of any formal requests from Data Subjects exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not respond to such requests, unless instructed by the Customer in writing to do so. Taking into account the nature of the Processing of Personal Data, PROVIDER shall assist Customer, by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligations to respond to a Data Subject’s request to exercise their rights with respect to their Personal Data.

3.4. Notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data, unless informing the Customer is prohibited by law. Customer shall have the right to defend such action in lieu of and on behalf of PROVIDER. Customer may, if it so chooses, seek a protective order. PROVIDER shall reasonably cooperate with Customer in such defense.

3.5. Provide reasonable assistance to Customer, in complying with Customer’s obligations under Applicable Law available. Should PROVIDER incur costs that go beyond what may reasonably be expected from a support request, Customer and PROVIDER will cooperate in good faith to find an agreeable solution and Customer will reimburse PROVIDER accordingly.

3.6. Maintain internal record(s) of Processing activities, copies of which shall be provided to Customer by PROVIDER or to supervisory authorities upon request.

4. Sub-Processing

4.1. PROVIDER shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any third party, or contract any of its rights or obligations concerning Personal Data, unless PROVIDER has entered into a written agreement with each such third party that imposes obligations on the third party that are similar to those imposed on PROVIDER under this DPA. PROVIDER shall only retain third parties that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data.

4.2. PROVIDER has Customer’s general authorisation to appoint (and permit each Sub-processor appointed in accordance with this section 4 to appoint) Sub-processors.

4.3. PROVIDER shall give Customer prior written notice at least 30 (thirty) days in advance of the appointment of any new Sub-processor, including reasonable details of the Processing to be undertaken by the Sub-processor and any other information necessary to enable Customer to exercise its right to object. Customer shall have the right to object to the identity of any such alternate third-party provider and, in the event that PROVIDER continues to engage such alternate third-party provider despite such objection, to terminate this Agreement and the Master Agreement immediately on notice without any further liability to PROVIDER within sixty (60) days’ of notification of such appointment.

4.4. PROVIDER may continue to use those Sub-processors already engaged by PROVIDER as at the Effective Date.

5. Compliance with Applicable Laws

5.1. Each party covenants and undertakes to the other that it shall comply with all Applicable Laws in the provision and use (as applicable) of the Services.

5.2. Without limiting the above, (i) Customer is responsible for ensuring that it has a lawful basis for the processing of Personal Data in the manner contemplated by this Agreement, and has adequate record of such basis (whether directly or through another third party provider); and (ii) PROVIDER is not responsible for determining the requirements of laws applicable to Customer’s business or that PROVIDER’s provision of the Services meet the requirements of such laws. As between the parties, Customer is responsible for the lawfulness of the Processing of the Customer Personal Data. Customer will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.

5.3. Subject to the terms of the Agreement, Customer may claim from PROVIDER amounts paid to a Data Subject for a violation of their Data Subject rights caused by PROVIDER’s breach of its obligations under Applicable Law.

6. California Specific Provisions

6.1. In this section 6, the terms “processing”, “personal information”, “consumer”, “sell”, “selling”, “sale” and “commercial purpose” shall have the meaning given to them in the CCPA. Notwithstanding anything to the contrary in this DPA, to the extent that PROVIDER is processing any personal information of any consumer on behalf of Customer, PROVIDER shall not:

(a) provide Customer with remuneration in exchange for Personal Data from Customer, where the parties further acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to Provider;

(b) “sell” (as such term is defined by CCPA) or “share” (as such term is defined by the CCPA) Personal Data; nor

(c) retain, use or disclose the personal information that form part of the Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA, including retaining, using or disclosing the personal information for a commercial purpose other than providing the Services.

6.2. Service Provider certifies that any Subprocessors appointed in accordance with the terms of this DPA are “service providers” (as defined under the CCPA) with whom Service Provider has entered into a written contract that includes terms substantially similar to this DPA.

7. Data Security

7.1. PROVIDER shall develop, maintain and implement a comprehensive written information security program that complies with Applicable Law and good industry practice, including without limitation compliance with ISO/IEC 27001 and ISO/IEC 27018 standards. PROVIDER’s information security program shall include appropriate administrative, technical, physical, organisational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:

a) The encryption of the Personal Data;

b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

c) The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and

d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted pursuant to this provision for ensuring the security of the Processing.

7.2. PROVIDER shall supervise PROVIDER personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. PROVIDER shall provide training, as appropriate, to all PROVIDER personnel who have access to Personal Data.

7.3. Promptly (and in any event within 90 days) following the expiration or earlier termination of the Master Agreement, PROVIDER shall return to Customer or its designee, if so requested during such period, or if not so requested securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in PROVIDER’s, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event applicable law does not permit PROVIDER to comply with the delivery or destruction of the Personal Data, PROVIDER warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this DPA.

8. Data Breach Notification

8.1. PROVIDER shall promptly, but in any case within 72 hours of becoming aware of occurrence, inform Customer in writing of any Personal Data Breach. The notification to Customer shall include all available information regarding such Personal Data Breach, including information on:

a) The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;

b) The likely consequences of the Personal Data Breach; and

c) The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. PROVIDER shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. PROVIDER shall provide such assistance as required to enable Customer to satisfy Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR.

9. Audit

9.1. PROVIDER shall on written request (but not more than once per year, other than in the event of a breach) make available to Customer all information necessary to demonstrate compliance with the obligations set forth in this DPA and, at the Customer’s expense, allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Upon prior written request by Customer (but not more than once per year, other than in the event of a breach), PROVIDER agrees to cooperate and, within reasonable time, provide Customer with: (a) audit reports (if any) and all information necessary to demonstrate PROVIDER’s compliance with the obligations laid down in this DPA; and (b) confirmation that no audit, if conducted, has revealed any material vulnerability in PROVIDER’s systems, or to the extent that any such vulnerability was detected, that PROVIDER has fully remedied such vulnerability.

10. Governing Law

10.1. This DPA shall be governed by the same laws as those that govern the Agreement.