This Addendum supplements the Master Purchase and Services Agreement (the “Service Agreement”) between the Company and CYWAREX, outlining the terms related to the purchase and use of Products and Services. In case of any discrepancies between this Addendum and the Service Agreement, the terms of this Addendum shall prevail.

1.1 This Addendum pertains to the processing of Personal Data under the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). It outlines the types of data, data subjects, and the purposes of processing (as detailed in Annex 2).

1.2 This Addendum integrates the EU Model Clauses, addressing the transfer of Personal Data from the European Economic Area (EEA) to jurisdictions that do not provide adequate protection.

1.3 Personal Data processing will be governed by the Company’s instructions, with CYWAREX processing such data solely as needed to fulfill the Services.

The following key terms are defined according to the GDPR, CCPA, and the Service Agreement:

• Personal Data: As defined under the GDPR and “Personal Information” under the CCPA.
• Subprocessor: Any third party engaged by CYWAREX to process Personal Data.
• EU Model ClausesStandard contractual clauses approved by the European Commission.

3.1 The Company is responsible for determining the purpose and scope of Personal Data processing. CYWAREX will only process Personal Data based on the Company’s written instructions.

3.2 CYWAREX may only use Subprocessors that are specifically approved (as listed in Annex 4).

3.3 Both parties agree to implement adequate technical and organizational measures (as outlined in Annex 3) to protect Personal Data from risks.

4.1 CYWAREX’s approved Subprocessors including: Amazon Web Services, Google.

4.2 CYWAREX will notify the Company of any changes or additions to the Subprocessors, and the Company will have 30 days to raise any objections.