Client Compliance Data Transfer Policy

DATA SHARING ADDENDUM

(including EU Standard Contractual Clauses)

This data sharing addendum (the Data Sharing Addendum) forms part of the Agreement between Guidepoint and the Client (defined below) (the Parties). Capitalised terms used in this Data Sharing Addendum shall have the meaning given to them in paragraph 1 below, or if not defined herein, shall have the meaning set out in the Agreement. If a capitalised term is neither defined herein nor in the Agreement, it shall have the meaning given to the same uncapitalised term as used in the Standard Contractual Clauses.

The Client enters into this Data Sharing Addendum for itself and for and on behalf of its Affiliates acting as Transferring Client Entities (as defined below).

1. Definitions
1.1 The following capitalised terms in this Data Sharing Addendum shall have the meaning defined below:

Advisors means individuals who are practitioners, professionals and academics in various industries that provide consulting services to Guidepoint's clients through membership in Guidepoint Global Advisors.
Affiliate means in relation to any company, any direct or indirect subsidiary or holding company of that company or any direct or indirect subsidiary of any such holding company.
Client means an entity or individual who has entered into a written agreement with Guidepoint for Guidepoint to provide certain services.
Client Personal Data means Personal Data provided by the Client to Guidepoint or its Affiliates pursuant to the Agreement.
Controller means an entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Data Exporter means the party that transfers Personal Data from an Extended EEA Country.
Data Importer means a party that receives Personal Data from a Data Exporter in a Third Country.
Data Protection Laws means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the UK GDPR, the UK Data Protection Act 2018 (DPA 2018), the GDPR and other laws and regulations of the European Union, the EEA and their member states and the United Kingdom relating to the Processing of personal data and privacy.
Data Subject means the individual to whom the Personal Data relates.
Data Subject Request means a Data Subject’s request to exercise that person's rights under Data Protection Laws in respect of that person's Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the Processing of, block or delete such Personal Data.
EEA means the European Economic Area.
EU means the European Union.
Extended EEA Country means a country within the EEA; Iceland; Liechtenstein; or Norway, and Extended EEA Countries means the foregoing countries collectively.
Extended EEA Personal Data means Personal Data, the Processing of which is subject to the Data Protection Laws of the applicable Extended EEA Country.
Extended Non-EEA Country means Switzerland; or the United Kingdom.
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
Guidepoint Personal Data means any Personal Data that Guidepoint provides to the Client and/or its Affiliates pursuant to the Agreement.
Guidepoint means Guidepoint Global, LLC or the applicable Guidepoint entity set forth in the Agreement.
Personal Data means any information relating to an identified or identifiable natural person (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person).
Personal Data Breach means a breach of security that has resulted in, or is reasonably likely to result in, the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, access to or encryption of Personal Data transmitted, stored or otherwise Processed.
Processing or Process means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Standard Contractual Clauses means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021 and published under document number C(2021) 3972 (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en&uri=CELEX:32021D0914).
Third Country means a country not deemed adequate to receive Extended EEA Personal Data under the Data Protection Laws of the applicable Extended EEA Country.
Transferring Client Entity means the Client or any of its Affiliates that transfers, or facilitates the transfer of, Extended EEA Personal Data directly to Guidepoint.
Transferred Personal Data means Client Personal Data and/or Guidepoint Personal Data, which is also Extended EEA Personal Data and which is transferred (a) by the Transferring Client Entity to Guidepoint; or (b) by Guidepoint to the Client (as applicable) pursuant to this Data Sharing Addendum.
UK Addendum means the template Addendum B1.0 issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, and in force on 21 March 2022, as it is revised under section 18 of the UK Mandatory Clauses (available at international-data-transfer-addendum.pdf (ico.org.uk)).
UK GDPR means GDPR as amended and transposed into the laws of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018 and the European Union (Withdrawal Agreement) Act 2020.
UK Mandatory Clauses means the mandatory clauses of the UK Addendum, as updated from time to time and replaced by any final version published by the Information Commissioner’s Office.
2. Independent Data Controllers
2.1 The Parties acknowledge and agree that they will each be acting as independent Controllers in respect of their Processing of Transferred Personal Data.
2.2 Each Party shall be responsible for complying with the obligations imposed on a Controller by Data Protection Laws, including to maintain or make any registrations and/or obtain any authorisations required by Data Protection Laws with respect to their respective receipt and Processing of Transferred Personal Data under the Agreement.
2.3 Each Party shall ensure that, prior to transferring Guidepoint Personal Data or Client Personal Data to the other Party, the relevant Data Subjects have been informed (where required under Data Protection Laws) as to the transfer.
2.4 The purpose of the Processing of Guidepoint Personal Data by the Client is to fulfil its obligations under the Agreement, and as otherwise specified in Appendix 1 (Data Processing Details) (collectively, the Purpose). The types of Personal Data Processed under the Agreement and categories of Data Subjects are further specified in Appendix 1 (Data Processing Details).
3. Obligations of the Client
3.1 The Client shall:

(a) only Process the Guidepoint Personal Data to fulfil the Purpose, shall do so always in accordance with Data Protection Laws, and shall not combine the Guidepoint Personal Data with any other data or use it in a way contrary to the Agreement or which may prejudice the interests, fundamental rights and freedoms of the Data Subjects;
(b) take appropriate procedural, technical and organisational measures to prevent unlawful disclosure, unauthorised Processing of or accidental loss, destruction, damage or alteration to the Guidepoint Personal Data whilst in its possession or under its control;
(c) subject to reasonable and appropriate confidentiality undertakings, permit Guidepoint (or its authorised representative) to inspect and audit its data Processing activities (and/or those of its agents, subsidiaries and/or subcontractors which Process Guidepoint Personal Data on the Client’s behalf) and comply with all reasonable requests or directions by Guidepoint to enable it to verify and/or procure that the Client is in full compliance with its data protection obligations under the Agreement and take such remedial actions as are reasonably required by Guidepoint following such audit;
(d) stop Processing the Guidepoint Personal Data where required by Guidepoint if the Client breaches the Agreement;
(e) on termination of the Agreement for whatever reason, or upon written request from Guidepoint under paragraph 3.1(d) above, forthwith cease to Process any Guidepoint Personal Data received from or on behalf of Guidepoint under the Agreement, and return to Guidepoint, or destroy (at Guidepoint’s discretion), any Guidepoint Personal Data in its possession or control (unless applicable laws require the continued storage of such Guidepoint Personal Data);
(f) immediately notify Guidepoint of any actual or potential Personal Data Breach, complaint or Data Subject Request with respect to its (or its agents' or subcontractors') use of the Guidepoint Personal Data and shall promptly provide Guidepoint with details of how it is responding to the Personal Data Breach, resolving the complaint or Data Subject Request upon Guidepoint’s request; and
(g) maintain proper records of all Processing of the Guidepoint Personal Data.
4. Data transfers

Application of the Standard Contractual Clauses

4.1 Where:

(a) a Transferring Client Entity (as the Data Exporter) transfers, or facilitates the transfer of, Transferred Personal Data, directly to Guidepoint (as the Data Importer) in a Third Country; or
(b) Guidepoint transfers (as the Data Exporter), or facilitates the transfer of, Transferred Personal Data to the Client or its Affiliates (as the Data Importer) in a Third Country,

the Standard Contractual Clauses will apply as set out in paragraph 4.4 below, unless another export framework or an export derogation recognised by Data Protection Laws of the relevant Extended EEA Country applies. In relation to the Standard Contractual Clauses, the parties to the Standard Contractual Clauses may each operate as Data Importer and/or Data Exporter and/or Controller, in each case as set out in paragraph 4.4 below.
4.2 Where a Transferring Client Entity transfers Transferred Personal Data to Guidepoint not located in a Third Country, the Standard Contractual Clauses do not apply. In such cases, Guidepoint shall be responsible for ensuring that any export of that Transferred Personal Data by Guidepoint to a Third Country complies with applicable Data Protection Laws.
4.3 Where Guidepoint transfers Transferred Personal Data to the Client not located in a Third Country, the Standard Contractual Clauses do not apply. In such cases, the Client shall be responsible for ensuring that any export of that Transferred Personal Data by the Client to a Third Country complies with applicable Data Protection Laws.

Incorporation and interpretation of Standard Contractual Clauses (including the UK Addendum as applicable)

4.4 Further to paragraph 4.1, the Standard Contractual Clauses are hereby incorporated by reference. Where the applicable sections of the Standard Contractual Clauses require the Data Exporter and the Data Importer to select a module, the parties to the Standard Contractual Clauses acknowledge that Module One of the Standard Contractual Clauses (Transfer controller to controller) shall apply in accordance with the table below.

Data Sharing Table

Transfer 1
Parties' Roles: Guidepoint (Data Importer): Controller; Client or Client Affiliate (Data Exporter): Controller
Applicable module in the Standard Contractual Clauses: Module One
Description of the transfer (to complete Annex I, Part B of the Standard Contractual Clauses): Part A of the Appendix of this Data Sharing Addendum

Transfer 2
Parties' Roles: Guidepoint (Data Exporter): Controller; Client or Client Affiliate (Data Importer): Controller
Applicable module in the Standard Contractual Clauses: Module One
Description of the transfer (to complete Annex I, Part B of the Standard Contractual Clauses): Part B of the Appendix of this Data Sharing Addendum

4.5 The Standard Contractual Clauses shall constitute a separate agreement between each Data Importer and Data Exporter.

General provisions

4.6 If any provision or part-provision of this Data Sharing Addendum causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Data Sharing Addendum and the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
4.7 Except to the extent that the Standard Contractual Clauses or the Data Protection Law of an Extended EEA Country would require otherwise, the Standard Contractual Clauses shall be governed by the law(s) of the Republic of Ireland and subject to the jurisdiction of the courts of the Republic of Ireland.
4.8 For the purposes of Annex I, Part C (Competent Supervisory Authority) of the Standard Contractual Clauses, the supervisory authority shall be:

(i) where the Data Exporter is established in the EU, the supervisory authority of the EU member state in which the Data Exporter is established;
(ii) where the Data Exporter is established outside the EU in an Extended EEA Country, the supervisory authority of the Extended EEA Country in which the Data Exporter is established;
(iii) where the Data Exporter is established in a country that is not an Extended EEA Country and the Personal Data originated in the EU, the supervisory authority in the EU member state in which the Data Exporter has appointed an EU Representative under Article 27(2) of the GDPR. Where an EU Representative has not been appointed, the supervisory authority shall be the supervisory authority of the Republic of Ireland; and
(iv) where the Data Exporter is established in a country that is not an Extended EEA Country and the Personal Data originated in an Extended EEA Country that is not in the EU, the supervisory authority of the Extended EEA Country from which the Personal Data originated.
4.9 Subject to paragraph 4.11 below, where the applicable Extended EEA Country in which the Data Exporter is established or from where the Transferred Personal Data originated is not a member state of the EU, references in the Standard Contractual Clauses to:

(a) “European Union”, “Union”, “EU”, a “Member State”, an “EU Member State” shall refer to the applicable Extended EEA Country in which the Data Exporter is established or from where the Transferred Personal Data originated;
(b) “Regulation (EU) 2016/679” shall refer to the applicable Data Protection Laws of the Extended EEA Country in which the Data Exporter is established or from where the Transferred Personal Data originated; and
(c) “supervisory authority” shall refer to the applicable data protection authority in the Extended EEA Country.
4.10 Where the transfer of Personal Data to the Data Importer is subject to the UK GDPR, the Standard Contractual Clauses shall be supplemented by the UK Addendum and Part 1 of the UK Approved Addendum shall be populated as set out below:

(a) Table 1. The “start date” will be the date this Data Sharing Addendum enters into force. The “Parties” are the Client or the Client Affiliate and Guidepoint or the Guidepoint Affiliate.
(b) Table 2. Module One is the module of the Standard Contractual Clauses in accordance with paragraph 4.4 of this Data Sharing Addendum.
(c) Table 3. The “Appendix Information” is as set out in paragraph 4.11(a) to 4.11(d) of this Data Sharing Addendum.
(d) Table 4. The Parties may end the UK Addendum in accordance with clause 19 of the UK Mandatory Clauses.
4.11 The Annexes to the Standard Contractual Clauses shall be completed as follows:

(a) Annex I, Part A (List of Parties) of the Standard Contractual Clauses shall be completed by reference to the respective roles of the Client or the Client Affiliate and Guidepoint or the Guidepoint Affiliate as set out in the relevant entry of the “Parties’ role” column of the table at paragraph 4.4 above, and the details of such parties as set out in the Agreement;
(b) Annex I, Part B (Description of the Transfer) of the Standard Contractual Clauses shall be completed with the information set out in the relevant entry of the “Description of the Transfer” column of the table at paragraph 4.4 above;
(c) Annex I, Part C (Competent Supervisory Authority) of the Standard Contractual Clauses shall be completed by reference to paragraph 4.8 above; and
(d) Annex II (Technical and Organisational measures including technical and organisational measures to ensure the security of the data) of the Standard Contractual Clauses is hereby deemed to be completed as follows: the Data Importer shall implement and maintain technical and organisational security measures to adequately protect the Data Exporter’s Personal Data against the risks inherent in the Processing of Personal Data for the purposes identified in the Agreement, and risks from unauthorised or unlawful Processing and destruction, damage, misuse, and loss, in each case as are specified in Appendix 2 of this Data Sharing Addendum, including any relevant addendum or exhibit specifying security requirements, such as a security requirements exhibit, and any such additional technical and organisational security measures that the Data Importer notifies to the Data Exporter from time to time.
4.12 In the event of a conflict between the Standard Contractual Clauses and this Data Sharing Addendum and/or the Agreement (including any addenda) (as applicable), the Standard Contractual Clauses shall prevail.
5. General
5.1 Liability

(a) The parties agree that no limitations or exclusions of liability set out in the Agreement shall apply to any party’s liability to Data Subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent that such limitations or exclusions are prohibited by Data Protection Laws.
(b) Notwithstanding paragraph 4.12, the Parties agree that all liabilities between them and/or their Affiliates under the Standard Contractual Clauses will be subject to the limitations and exclusions of liability set out in the Agreement, except to the extent prohibited by applicable law.
5.2 Legal Effect

This Data Sharing Addendum (which shall be incorporated into the Agreement and form an integral part thereof) constitutes the entire agreement and understanding between the Parties and supersedes all prior and contemporaneous verbal and written negotiations, agreements and understandings, if any, on the specific subject matter of this Data Sharing Addendum, and this Data Sharing Addendum cannot be modified except pursuant to written agreement, signed by an authorized representative of each Party.
APPENDIX 1

Data Processing Details

PART A – Controller to Controller (Guidepoint as data importer)

Categories of Data Subjects whose personal data is transferred:
Personnel who are employed by the Transferring Client Entity.

  • Employees (including the self-employed)
  • End-users
  • Independent Contractors
  • Investors
  • Owners
  • Other relevant individuals pertaining to the business

Categories of Personal Data transferred:
The Personal Data transferred concerns the following categories of data, each relating to personnel of the Transferring Client Entity:

  1. Name
  2. Contact details (including business email address, mailing address and telephone number)
  3. IP addresses
  4. Browser cookies
  5. Device IDs
  6. Other information provided at the discretion of the Transferring Client Entity
  7. Other information necessary to operate the business and provide services and support to the Transferring Client Entity
  8. Associated information linked to personal data

Special categories of Personal Data transferred (if applicable):
None

Nature and purpose(s) of the data transfer and further Processing:
Client has retained the services of Guidepoint for purposes of obtaining consulting services from subject matter experts from Guidepoint’s global professional network pursuant to the Agreement. The data provided relevant to the listed data subjects is used to allow Guidepoint to provide services and support to the Client or Transferring Client Entity in the ordinary course, including engaging in communications for a variety of business related purposes, legal compliance (including GDPR compliance and memorializing written instructions) and other relevant, anticipated business uses within the scope of the Agreement.

Frequency of transfer:
As regular as required to receive/provide the services under the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Guidepoint will retain Personal Data pursuant to the terms of the Agreement and its commercially reasonable document retention policy.

PART B – Controller to Controller (Guidepoint as Data Exporter)

Categories of Data Subjects whose personal data is transferred:
Employees and Advisors of Guidepoint.

Categories of Personal Data transferred:
The Personal Data transferred concerns the following categories of data, each relating to personnel of Guidepoint and its Advisors:

  1. Name
  2. Contact details (including business or personal email address, mailing address and telephone number)
  3. IP addresses
  4. Browser cookies
  5. Device IDs
  6. Other information provided at the discretion of the Transferring Client Entity
  7. Other information necessary to operate the business and provide services and support to the Transferring Client Entity
  8. Associated information linked to personal data

Special categories of Personal Data transferred (if applicable):
None

Nature and purpose(s) of the data transfer and further Processing:
Client has retained the services of Guidepoint for purposes of obtaining consulting services from subject matter experts from Guidepoint’s global professional network (“Advisors”) pursuant to the Agreement. The data provided relevant to the listed data subjects is used to allow Guidepoint to provide services and support to the Client or Transferring Client Entity in the ordinary course, including engaging in communications for a variety of business related purposes, legal compliance (including GDPR compliance and memorializing written instructions) and other relevant, anticipated business uses within the scope of the Agreement.

Frequency of transfer:
As regular as required to receive/provide the services under the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Client (including Client Affiliate) shall retain the Personal Data pursuant to the terms of the Agreement.

For transfers to (Sub-)Processors, also specify subject matter, nature and duration of the Processing:
N/A

APPENDIX 2

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Data Importer shall have in place at least the following measures:

  • Written security policy or plan
  • Disaster recovery plan
  • Incident response plan
  • Network segmentation
  • Firewalls
  • Intrusion prevention devices
  • Encryption in transit and at rest
  • Antivirus protection
  • Password program
  • Role-based access
  • Regular patching and updating of critical systems and other systems connected to critical systems
  • Training of users
  • Employee handbook
  • Anti-Spam controls
  • Secure coding practices