Demandbase Data Processing Addendum (Customers) Updated April 14, 2023 This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (collectively, the “DPA“) is incorporated into and forms part of the terms and conditions of the Demandbase Master Subscription Agreement, or other written or electronic agreement under which Demandbase provides its services to Customer (“Agreement“), between the party identified as the “Customer” or “you” in the Agreement and Demandbase to reflect the parties’ agreement with respect to the processing of Personal Data. Capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of its Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates. This DPA shall replace any comparable or additional rights or terms relating to the processing of Personal Data contained in the Agreement (including any existing data processing addendum to the Agreement). 1. Definitions “Applicable Data Protection Law” means any law applicable to a party’s processing of Personal Data made available under the Agreement. “CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code section 1798.100 et seq. and its implementing regulations, as may be amended, superseded or replaced from time to time. References to the CCPA include the amendments from the CPRA. “Controller Data” means Personal Data that Demandbase collects from Customer in connection with the Service or the relationship between the parties and processes as a controller under this DPA, and Personal Data that Demandbase processes as a controller and may provide to Customer under the Agreement, as more particularly described in Annex 1 of this DPA. Processor Data that is shared by a Customer with Demandbase through the Demandbase Data Co-Op becomes Controller Data once it is ingested by Demandbase for that purpose. “Contact Data” means new contacts, leads and enriched data (including but not limited to a name, email address, professional background or other Personal Data) made available by Demandbase to Customer in connection with the Service. Contact Data may include Personal Data from Demandbase customers that was Processor Data but became Controller Data for the purposes of the Demandbase Data Co-Op (see “Controller Data”). “CPRA” means California Privacy Rights Act of 2020, Cal. Civ. Code section 1798.100 et seq. and its implementing regulations, as may be amended, superseded or replaced from time to time. “Demandbase” means the Demandbase entity that is a party to the Agreement, which may include Demandbase, Inc. and/or any of its Affiliates. “Europe” means for the purposes of this DPA, the European Economic Area (“EEA“) and/or their Member States, Switzerland and the United Kingdom. “European Data Protection Law” means all data protection and privacy laws enacted in Europe and applicable to a party’s processing of Personal Data under the Agreement, including (i) Regulation 2016/679 (General Data Protection Regulation) (“GDPR“); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) in respect of the United Kingdom, the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR” and together the “UK Privacy Laws“); (iv) in respect of Switzerland, the Swiss Federal Act on Data Protection (“Swiss DPA”); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time. “Permitted Affiliate” means any Affiliate of Customer which is permitted to use the Service pursuant to the Agreement, but has not signed its own Order Form with Demandbase and is not a “Customer” as defined under the Agreement. “Personal Data” means any information which is protected as “personal data,” “personally identifiable information,” “personal information” or other similar term under Applicable Data Protection Law. “Processor Data” means any Personal Data that Demandbase processes as Customer Data on behalf of Customer, as more particularly described in Annex 1 of this DPA. When Customer agrees to share Processor Data for the purpose of the Demandbase Data Co-Op, that Processor Data becomes Controller Data once it is ingested by Demandbase for the Demandbase Data Co-Op. Only the copy(ies)/version(s) of the data ingested by Demandbase for the Demandbase Data Co-Op becomes Controller Data and the source copy(ies)/version(s) of Processor Data remain Processor Data. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner. “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Processor Data transmitted, stored or otherwise processed by Demandbase and/or its Sub-processors in connection with the provision of the Service. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Processor Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. “Standard Contractual Clauses” or “EU SCCs” means: (i) the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. “Sub-processor” means any third-party processor engaged by Demandbase to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Demandbase Affiliates but shall exclude any Demandbase employee. “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time. The terms “controller“, “data subject“, “processor“, “processing” and “supervisory authority” shall have the meaning given to them in European Data Protection Law and “process“, “processes” and “processed” shall be interpreted accordingly. The terms “business“, “commercial purpose”, “consumer“, “cross-context behavioral advertising”, “personal information”, “sale”, (including the terms “sell,” “selling,” “sold,” and other variations thereof), “service provider“, “share” (including the terms “sharing”, “shared” and other variations thereof) and “third party” shall have the meaning given to them in the CCPA. 2. Scope and Applicability of this DPA 2.1 Scope. This DPA applies where and only to the extent that either party processes or transfers Personal Data that is subject to Applicable Data Protection Law in connection with the Agreement. 2.2 Role of the Parties. The parties agree that in connection with the Service: (a) Customer is the controller or business (as applicable) of Processor Data and Demandbase shall process Processor Data as a processor or a service provider (as applicable) on behalf of Customer; and (b) each party shall process any other Personal Data it processes under the Agreement, including Controller Data and Contact Data, as a controller or business (as applicable). 3. Processor Terms 3.1 Processor Obligations: The terms in this Section 3 (Processor Terms) will apply to the extent Demandbase processes any Processor Data on behalf of Customer in the provision of the Service, as further described in Annex 1 (as applicable to Processor Data) of this DPA. 3.2 Processing Instructions: Demandbase shall process Processor Data only as described in this DPA and in accordance with Customer’s lawful instructions and Applicable Data Protection Law. By entering into this DPA, Customer instructs Demandbase to process Processor Data for the purposes described in Annex 1 (as applicable to Processor Data) of this DPA and agrees that Demandbase may process Controller Data for the purposes described in Annex 1 (as applicable to Controller Data). If Customer agrees to participate in the Demandbase Data Co-Op and later decides to withdraw from participation in the Demandbase Data Co-Op, that withdrawal will apply on a go-forward basis and Processor Data that has already become Controller Data will remain Controller Data. Where the CCPA applies, in no event shall Demandbase (a) “sell” any Processor Data unless Demandbase has obtained Customer’s express prior written approval in each instance; (b) retain, use, or disclose Processor Data outside of the parties’ direct business relationship; (c) combine the Processor Data with personal information that it receives from another person, or collects from its own interactions with a consumer, unless permitted by the CCPA, or (d) share any Processor Data for the purposes of Cross-Context Behavioral Advertising by any party other than Customer unless Demandbase has obtained Customer’s express prior written approval. 3.3 Authorized Sub-processors: Customer provides a general prior authorization for Demandbase to engage Sub-processors to process Processor Data on Customer’s behalf. The Sub-processors currently engaged by Demandbase are listed at https://support.demandbase.com/hc/en-us/articles/360000384823-Demandbase-Sub-Processor-List (or such other successor URL as may be notified by Demandbase from time to time) (“Sub-processor List“). Demandbase shall update that Sub-Processor List at least 10 days prior to any addition of a new Sub-Processor. Demandbase may remove Sub-Processors from the list effective as of the date of the change. Demandbase will remain responsible for any acts or omissions of its Sub-processors that cause Demandbase to breach any of its obligations under this DPA. 3.4 Deletion on Termination. Upon termination or expiry of the Agreement, Demandbase shall as soon as reasonably practicable, delete all Processor Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Demandbase is required by Applicable Data Protection Law or other law to retain some or all of the Processor Data, or to Processor Data it has archived on back-up systems, which Processor Data Demandbase shall protect from any further processing other than storage and delete in accordance with its deletion practices, except to the extent required by applicable law. 3.5 Europe: The additional processor terms in this Section only apply where and to the extent the Processor Data is subject to European Data Protection Law. (a) Prohibited Processing Instructions: Demandbase shall notify Customer in writing, unless prohibited from doing so under European Data Protection Law, if it becomes aware or believes that any data processing instruction from Customer violates applicable European Data Protection Law. Customer acknowledges that it is Customer’s responsibility to ensure its instructions comply with European Data Protection Law, and Demandbase shall not have a duty to review and assess Customer’s instructions against applicable European Data Protection Law. (b) Sub-processor Obligations. Demandbase will enter into a written agreement with each Sub-processor imposing data protection obligations consistent with the protections in this DPA and to the extent applicable to the nature of the services provided by such Sub-processor. (c) Objection to Sub-processors. Customer may object in writing to Demandbase’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Demandbase promptly in writing within five (5) calendar days of an update to the Sub-processor List referenced in Section 3.3 and the parties shall discuss Customer concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Demandbase will, at its sole discretion, either (i) not appoint Sub-processor; or (ii) permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). In such case, Demandbase shall refund Customer for any prepaid unused portion of the fees for the affected Service. (d) Data Protection Impact Assessment. To the extent Demandbase is required under European Data Protection Law and Customer does not already have access to the relevant information, Demandbase shall provide reasonably requested information regarding Demandbase’s processing of Processor Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by European Data Protection Law. 3.6 Customer Responsibilities. Customer is responsible for the accuracy, quality and legality of the Processor Data. Customer warrants and represents to Demandbase that it has provided notice and obtained all consents, permissions and rights necessary for Demandbase and its Sub-processors to lawfully process Processor Data for the purposes contemplated by the Agreement (including this DPA). 4. Website/Controller Data 4.1 For clarity and without prejudice to the Customer Obligations section in the Agreement, Customer shall ensure that its privacy notices: (a) clearly identify the controller(s) of the Website Data (which is Controller Data as defined in this DPA), including details of Demandbase; (b) provide required notice applicable to Customer’s participation in the Demandbase Data Co-Op, if applicable; (c) provide a conspicuous link to or description of how to access a relevant choice mechanism, including how to opt-out of Demandbase Tags; and (d) include any other information required to comply with the transparency requirements of Applicable Data Protection Law. 4.2 For further clarity, where Customer is required to obtain consent on behalf of Demandbase to the collection and processing of Website Data and/or the use of Demandbase Tags, Customer represents and warrants that it shall at all times maintain and make operational on Customer Properties a mechanism (a) for obtaining and recording such consent; and (b) that enables such consent to be withdrawn, in accordance with Applicable Data Protection Law. Customer agrees to provide such consent records to Demandbase promptly upon request. 5. Contact Data 5.1 Compliance with law. Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller or a business (as applicable under Applicable Data Protection Law) of the Controller Data or Contact Data and neither party shall be responsible for the other party’s compliance with Applicable Data Protection Law. In particular, each party shall be individually responsible for ensuring that its processing of Controller Data or Contact Data is lawful, fair and transparent, and shall make available to data subjects a privacy notice that fulfills the requirements of Applicable Data Protection Law. 5.2 Purpose Limitation. Without prejudice to Section 5.1 (Compliance with law), Customer shall process Contact Data solely and exclusively for its own business to business marketing purposes and for other purposes contemplated by and in accordance with the Agreement, including to source relevant professional contacts in order to support the Customer’s strategic business objectives (“Permitted Purpose“). 5.3 Restrictions. Except as may be expressly stated in the Agreement or applicable order form, permitted in writing by Demandbase or where required or necessary under applicable law, Customer will not sell, disclose, or share Contact Data (or any part or derivative thereof) with any third party (except for any third parties, including service providers or processors, required to provide the services to Customer). Customer shall (a) refrain from using Contact Data to send communications to individuals who have unsubscribed or opted-out from receiving communications for any purpose, including direct marketing; (b) maintain appropriate suppression lists of individual contacts who unsubscribe from or opt-out from receiving communications; (c) regularly review the contacts’ preferences and any suppression lists or notices before sending any communications; and (d) adopt and implement policies, procedures and systems to enable individual contacts to unsubscribe or opt-out from receiving communications. 6. Security Measures 6.1 Security. Demandbase shall implement appropriate technical and organizational security measures as required by Applicable Data Protection Law to protect the Processor Data from Security Incidents and to preserve the security and confidentiality of the Processor Data in accordance with the Security Documentation, including those as set out in Annex 2 to this DPA (“Security Measures”). Demandbase shall confirm that any person who is authorized by Demandbase to process Processor Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). 6.2 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Demandbase may update or modify its Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer. 6.3 Security Audits. Customer acknowledges that Demandbase is audited against System and Organization Controls (SOC) 2 or similar recognised information security audit standards. Upon written request, Demandbase shall supply to Customer (on a confidential basis, which may require Customer to execute a non-disclosure agreement) a summary of its current audit report(s) (“Report”), so that Customer can verify Demandbase’s compliance with the audit standards against which it has been assessed and this DPA. In addition, Demandbase shall make available for Customer’s inspection (on a confidential basis) artifacts pertaining to the operation of its security program. Should Customer require additional information related to Demandbase’s technical and organizational security measures (including information necessary to confirm Demandbase’s compliance with this DPA), beyond what is covered in such artifacts, Demandbase shall provide written responses (on a confidential basis) to reasonable written requests for such supplemental information made by Customer, provided that Customer shall not exercise this right more than once in any 12 month rolling period. 6.4 Security Incident Response. Upon becoming aware of a Security Incident, Demandbase shall notify Customer without undue delay and shall provide further information relating to the Security Incident as it becomes known or as is reasonably requested by Customer. Demandbase will also take appropriate and reasonable steps to contain, investigate, and mitigate any Security Incident. 7. International Transfers 7.1 Processing Locations. Each party acknowledges and agrees that the other party may transfer and process Personal Data to and in the United States and other locations in which that party, its Affiliates or its Sub-processors maintain data processing operations. The transferring party shall at all times ensure such transfers are made in compliance with the requirements of European Data Protection Law. 7.2 Application of Standard Contractual Clauses. Where transfer of Personal Data between the parties under this DPA is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfers shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and form part of the DPA, as follows: (a) In relation to Controller Data or Contact Data that the party acting as a data importer processes as a controller, the EU SCCs shall apply as follows: (i) Module One (Controller to Controller) will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA (as applicable to the Restricted Transfer in question); and (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA; (b) In relation to Processor Data that Demandbase, acting as a data importer processes as a processor, the EU SCCs shall apply as follows: (i) Module Two (Controller to Processor) will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 3.3 of this DPA; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA (as applicable to the Restricted Transfer in question); and (viii) Subject to sections 6.1 and 6.2 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA; (c) UK Transfers: In relation to transfers of Personal Data that are protected by UK Privacy Laws, the EU SCCs: (i) shall apply as completed in accordance with paragraphs (a) and (b) above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex 1 and 2 of this DPA and table 4 in Part 1 shall be deemed completed by selecting “neither party”. (d) Swiss Transfers: In relation to transfers of Personal Data protected by the Swiss DPA, the EU SCCs will also apply in accordance with paragraph (a) and (b) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland. (e) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict. 7.3 Alternative transfer arrangements. To the extent Demandbase adopts an alternative recognized lawful mechanism for the transfer of Personal Data not described in this DPA (“Alternative Transfer Mechanism“), Demandbase will provide written notice to Customer and upon such notice the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Law and extends to the territories to which Personal Data is transferred). 8. Rights of Data Subjects and Cooperation 8.1 Correspondences. The parties shall, on request, provide each other with all reasonable and timely assistance and cooperation (at their own expense) to enable the other party to comply with its obligations under Applicable Data Protection Law, including in order to enable the other party to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, data portability, and right to opt-out from the sale or sharing of their Personal Data as applicable) in relation to Personal Data processed hereunder; and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Personal Data processed or transferred under this DPA (collectively “Correspondence“). 8.2 Data subject requests. Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in connection with the processing of Personal Data, where the Correspondence relates to the processing conducted by the other party and that party has been identified from the request; provided however, that where Demandbase is acting as a processor or a service provider (as applicable) under this DPA, it shall not respond directly to any Correspondence except to confirm Demandbase has forwarded the request to Customer and/or where failure to respond may result in liability for Demandbase under Applicable Data Protection Law. For requests made by consumers invoking their rights under the CCPA, where good faith efforts to contact and involve the Customer have failed, Demandbase shall inform the requestor that the request cannot be acted upon because the request has been sent to a service provider. 8.3 Demandbase cooperation. Customer further acknowledges that the Service provides Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Personal Data processed by Customer within the Service, which Customer may use to assist it in connection with its obligations under Applicable Data Protection Law. Demandbase shall provide assistance and co-operation to the extent that Customer is unable to independently access the relevant Personal Data within the Service. To the extent legally permitted, Customer shall be responsible for any costs related to Demandbase’s provision of such services. 8.4 Law enforcement requests. As a matter of general practice, Demandbase does not voluntarily provide government agencies or authorities (including law enforcement) with access to Processor Data. If a law enforcement agency sends Demandbase a demand for Processor Data (for example, through a subpoena or court order), Demandbase will attempt to redirect the law enforcement agency to request that Processor Data directly from Customer. As part of this effort, Demandbase may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Processor Data to a law enforcement agency, then Demandbase will give Customer reasonable notice of the demand per Clause 15 of the Standard Contractual Clauses, where applicable, to allow Customer to seek a protective order or other appropriate remedy unless Demandbase is prohibited from doing so. 8.5 General cooperation. Each party will reasonably cooperate with the other in any activities contemplated by this DPA and to help enable each party to comply with its respective obligations under Applicable Data Protection Law at their own expense. 9. Permitted Affiliates 9.1 When a Permitted Affiliate becomes a party to the DPA, then such Permitted Affiliate shall be entitled to exercise its rights and remedies available under this DPA to the extent required under Applicable Data Protection Law. However, if Applicable Data Protection Law requires the Permitted Affiliate to directly exercise a right or remedy against Demandbase directly by itself, the parties agree that to the extent permitted under law: (a) only the Customer that is the contracting entity to the Agreement shall exercise any such right or seek any such remedy on behalf of the Permitted Affiliate; and (b) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA in a combined manner for all of its Permitted Affiliates together, instead of doing so separately for each Permitted Affiliate. The Customer that is the contracting entity is responsible for coordinating all communication with Demandbase under the DPA and is entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates. 10. Miscellaneous 10.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent that the conflict relates to the processing of Personal Data. For Processor Data shared by Customer that becomes Controller Data, if there is a conflict between the Processor Terms and the terms for Controller Data, the Processor Terms continue to apply to the source copy(ies)/version(s), and the Controller Data terms apply and take precedence over the Processor Terms with respect to the copy(ies)/version(s) ingested by Demandbase for the Demandbase Data Co-Op. 10.2 This DPA shall be deemed a part of and incorporated into the Agreement so that references in the Agreement to “Agreement” shall be interpreted to include this DPA. 10.3 Each party acknowledges that the other party may disclose this DPA (including the Standard Contractual Clauses) and any relevant privacy provisions in the Agreement to any judicial or regulatory body upon their request. 10.4 Notwithstanding anything to the contrary in the Agreement, Demandbase may periodically make modifications to this DPA as may be required to comply with Applicable Data Protection Laws. 10.5 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law. Annex 1 Description of the Processing Activities / Transfer ANNEX 1 (A) LIST OF PARTIES: Processor Data and Controller Data Data Exporter Data Importer Name: Demandbase, with respect to Contact Data and the party identified as the "Customer" in the Agreement with respect to Controller Data and Processor Data. Name: Customer, with respect to Contact Data, and Demandbase with respect to Controller Data and Processor Data Address: Customer: the address associated with the Customer’s Demandbase account or as otherwise specified in the Agreement. Demandbase: 680 Folsom Street, #400, San Francisco, CA 94107, USA Address: Customer: the address associated with the Customer’s Demandbase account or as otherwise specified in the Agreement. Demandbase: 680 Folsom Street, #400, San Francisco, CA 94107, USA Contact Person's Name, position and contact details: Customer: the contact details associated with the Customer's account, or as otherwise specified in the Agreement. Demandbase: privacy@demandbase.com Contact Person's Name, position and contact details: Customer: the contact details associated with the Customer's account, or as otherwise specified in the Agreement. Demandbase: privacy@demandbase.com Activities relevant to the transfer: See Annex 1(B) below Activities relevant to the transfer: See Annex 1(B) below Signature and date: The parties’ execution of this DPA shall constitute execution of the Standard Contractual Clauses by both parties. Role: Controller Role: Processor (for the purposes of Module 2) and Controller (for the purposes of Module 1) ANNEX 1 (B) DESCRIPTION OF TRANSFER Controller Data: Module 1 (Controller to Controller) Categories of data subjects The personal data transferred concern the following categories of data subjects Clients, customers and prospects of Customer (each a "Client") Visitors to Customer Digital Properties Users Contacts whose personal data is in Demandbase’s sales/account intelligence services Purposes of the transfer(s) The transfer is made for the following purposes: Clients: To allow Demandbase to augment, create and validate Controller Data and derive data and business intelligence insights. Visitors: To enable Demandbase to process Website Data as a controller for the purposes permitted by the Agreement. Users: Account administration, billing and other legitimate business purposes related to the provision, support and maintenance of the Service. Contacts: To enable Demandbase customers to identify and contact data subjects for business-to-business sales. For further information, please review the Demandbase Privacy Notice located here: https://www.demandbase.com/privacy/ Categories of personal data The personal data transferred concern the following categories of data: Clients: first and last name, company name, title, email address(es), phone number(s), business address. Visitors: website traffic data collected via Demandbase Tag, which may include: IP address, cookie ID and HTTP header. Users: Account registration, usage and login data. Contacts: first and last name, company name, title, email address(es), phone number(s), business address, employment history, compensation information, demographic information. Sensitive data (if appropriate) The personal data transferred concern the following categories of sensitive data: N/A Frequency of the transfer Whether continuous or one off. Continuous Nature of the Processing: Personal data transferred will be transferred and processed for the purposes described above and contemplated by this DPA. Retention period (or, if not possible to determine, the criteria used to determine that period): Demandbase will not retain Personal Data for longer than the period during which Demandbase has a legitimate need to retain Personal Data for purposes it was collected or transferred Processor Data: Module 2 (Controller to Processor) Categories of data subjects The personal data transferred concern the following categories of data subjects Customer may submit Processor Data to Demandbase, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to: (i) Clients; and (ii) Users. Purposes of the transfer(s) The transfer is made for the following purposes: Processing: (i) to provide the Service in accordance with the Agreement; and (ii) initiated by Customer and its Users in its use of the Service; (iii) to perform data science and train models to improve the Service; and (iv) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the "Purpose"). Categories of personal data The personal data transferred concern the following categories of personal data: Customer may submit Processor Data to Demandbase, the extent of which is determined and controlled by Customer in its sole discretion and may vary depending on the Service but which may include, but is not limited to identification and contact data (name, address, title, contact details); employment details (employer, job title, geographic location, area of responsibility, employer financial information); or any other Personal Data elements contained within Customer Data that Customer chooses to input into or otherwise provide to the Service. Frequency of the transfer (e.g., whether continuous or one off). The Processor Data will be transferred on a continuous basis in accordance with the Customer's instructions as described in this DPA. Sensitive data (if appropriate) The personal data transferred concern the following categories of sensitive data: N/A. Customer is prohibited under the Agreement from submitting Prohibited Data (which includes special category data) to the Service. Duration of processing: Term of the Agreement plus the period from the expiry of the Agreement until deletion of Processor Data in accordance with Section 3.4 of the DPA or as otherwise instructed by Customer. Subject matter of the processing: The subject matter of the processing is the Processor Data. Nature of the Processing: Processor Data transferred will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain and improve the Service (as applicable) provided to Customer; and/or (ii) disclosures in accordance with the Agreement and/or as compelled by applicable laws. Retention period (or, if not possible to determine, the criteria used to determine that period): Demandbase will retain Processor Data for the term of the Agreement and any period after the termination or expiry of the Agreement during which Demandbase processes Processor Data. ANNEX 1 (C): COMPETENT SUPERVISORY AUTHORITY The data exporter’s competent supervisory authority will be determined in accordance with the GDPR. Annex 2 – Technical and Organisational Measures Demandbase uses reasonable and appropriate technical and organizational measures as set forth in the Agreement and described in further detail at https://www.demandbase.com/security-policy/ (or such other successor URL).