DATA PROCESSING AGREEMENT

Tweekaboo Limited trading as INDEEMO

BETWEEN:

(1) The Customer (“The Customer”) as defined in the Purchase Agreement and the Standard Conditions of Service; and

(2) Tweekaboo Limited trading as Indeemo (“Indeemo”) being a company registered within Ireland and having its principal office at Unit 1B The Atrium, Blackpool Retail Park, Cork, Ireland. (“The Data Processor”).

BACKGROUND

(A) This agreement is to ensure the protection and security of data passed from The Customer to The Data Processor for processing or accessed by The Data Processor on the authority of The Customer for processing or otherwise received by The Data Processor for processing on behalf of The Customer;

(B) The Data Protection Legislation places certain obligations upon a Data Controller to ensure that any data processor it engages provides sufficient guarantees to ensure that the processing of the data carried out on its behalf is secure;

(C) This agreement exists to ensure that there are sufficient security guarantees in place and that the processing complies with obligations equivalent to those of the Data Protection Legislation.

(D) This agreement further defines certain service levels to be applied to all data related services provided by The Data Processor.

IT IS AGREED

1. DEFINITIONS AND INTERPRETATION

1.1 In this agreement:

“The Data Protection Legislation” or “The Legislation” means the EU Data Protection Directive 95/46/EC, the Data Protection Act 2018, the Privacy and Electronic Communications Directive 2002/58/EC together with the equivalent legislation of any other applicable jurisdiction, any amending or replacement legislation to any of the above (including, without limitation Regulation (EU) 2016/679 (the “GDPR”)) and all other applicable law, regulations and codes of conduct in any relevant jurisdiction relating to the processing of personal data and privacy including the guidance and codes of practice issued by a relevant regulator;

“Data” means any information of what ever nature that, by whatever means, is provided to The Data Processor by The Customer, is accessed by The Data Processor on the authority of The Customer, or is otherwise received by The Data Processor on behalf of The Customer, for the purposes of the Processing specified in clause 3.1(a), and shall include, without limitation, any Personal Data;

“Data Subject”, “Personal Data” and “Processing” shall have the same meanings as are assigned to those terms in the Acts;

“Schedule” means the schedule annexed to and forming part of this Agreement;

“Services” means processing of the Data by The Data Processor in connection with and for the purposes of the provision of the services to be provided by The Data Processor to the Customer under the Services Agreement; and

“Services Agreement” means the agreement for the provision of services between the Customer and The Data Processor identified in the Schedule.

1.2 In this agreement any reference, express or implied, to any enactment (which includes any legislation in any jurisdiction) includes references to:

(a) that enactment as re-enacted, amended, extended or applied by or under any other enactment (before, on or after the date of this agreement);

(b) any enactment which that enactment re-enacts (with or without modification); and

(c) any subordinate legislation made (before, on or after the date of this agreement) under that enactment, as re-enacted, amended, extended or applied as described in clause 1.2(a), or under any enactment referred to in clause 1.2(b).

1.3 In this agreement:

(a) references to a person include an individual, a body corporate and an unincorporated association of persons;

(b) references to a party to this agreement include references to the successors or assignees (immediate or otherwise) of that party.

2. APPLICATION OF THIS AGREEMENT

2.1 This agreement shall apply to:

(a) all Data sent from the date of this agreement by The Customer to The Data Processor for Processing;

(b) all Data accessed by The Data Processor on the authority of The Customer for Processing from the date of this agreement; and

(c) all Data otherwise received by The Data Processor for Processing on The Customer’s behalf;

(d) all Data otherwise received the Data Processor for processing on behalf of a client of The Customer in relation to the Services.

3. CHARGES

3.1 The Customer will pay to the Data Processor a fee for the provision of the Services as set out in the Schedule hereto or in the associated Standard Conditions of Service agreement.

4. DATA PROCESSING

4.1 The Customer acknowledges that it is the Data Controller in respect of any personal data that The Data Processor processes in the course of providing Services to The Customer on its own behalf, and that Indeemo is the Data Processor

4.2 The Data Processor acknowledges that it is the Data Processor in respect of any personal data that The Customer allows access to or provides to it for the purposes of providing Services to The Customer and that, in such a context, The Customer is the Data Controller.

4.3 The Data Processor takes sole responsibility for its compliance, as data processor, with the requirements of the Data Protection Legislation and of the contract herein.

4.4 If The Data Processor processes personal data other than as instructed by The Customer, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules and legal obligations on data controllers as laid down in the Acts.

4.5 In consideration of the undertakings provided by The Customer in clause 4, The Data Processor agrees to Process the Data to which this agreement applies by reason of clause 2 in accordance with the terms and conditions set out in this agreement, and in particular The Data Processor agrees that it shall:

(a) Process the Data at all times in accordance with the Acts and solely for the purposes (connected with provision by The Data Processor of the Services) and in the manner specified from time to time by The Customer in writing and for no other purpose or in any manner except with the express prior written consent of The Customer;

(b) in a manner consistent with the Acts and with any guidance issued by the Irish Data Protection Commissioner, implement appropriate technical and organisational measures to safeguard the Data from unauthorised or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Data to be protected;

(c) in particular, ensure that appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

(d) Comply, in processing of the data, with The Customer’s information security policies and procedures as defined or as may be communicated from time to time, or specified in the context of a particular project or instance of processing.

(e) ensure that each of its employees, agents and subcontractors comply under this agreement with regard to the security and protection of the Data and shall require that they enter into and enforce binding obligations with The Data Processor in order to maintain the levels of security and protection provided for in this agreement;

(f) not divulge the Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of The Customer except to those of its employees or agents, who are engaged in the Processing of the Data and are subject to written terms substantially the same as the terms contained in this processor agreement or except as may be required by any law or regulation;

(g) not divulge the Data, whether directly or indirectly to any person, firm or company or otherwise except with the express prior written consent of The Customer, and to agents or subcontractors who are subject to written terms substantially the same as the terms contained in this processor agreement, or except as may be required by any law or regulation;

(h) To provide The Customer on demand with the text of any such written terms to which its employees, sub-contractor or agents are subject with regard to their processing of Data.

(i) upon the request of The Customer, promptly provide a written description of the technical and organisational measures employed by it and/or any of its permitted sub-contractors, detailed to such a level that The Customer can determine whether or not, in connection with personal data, the Supplier and its permitted sub-contractors are complying with their obligations under this Agreement. If, as a result of an independent audit by The Customer, it’s Agents, or the Office of the Data Protection Commissioner, the measures employed by the Data Processor and/or its permitted sub-contractors are not sufficient to ensure compliance with their obligations under this Agreement, the Data Processor shall take all steps (or procure that its permitted sub-contractors take all steps) which are reasonably required to ensure that such compliance is achieved;

(j) afford to The Customer (and procure that its permitted sub-contractors afford to The Customer) access on at least 5 working days notice, and at reasonable intervals, to any premises where the relevant personal data are being processed and to which the Supplier has the power to grant access to enable The Customer to ensure that the Supplier is complying with its obligations under this Agreement and/or that the Supplier’s permitted sub-contractors are complying with the equivalent contractual obligations imposed on them;

(k) in the event of the exercise by Data Subjects of any of their rights under the Acts in relation to the Data directed to the Data Processor, inform The Customer as soon as possible, and The Data Processor further agrees to assist The Customer with all data subject information requests which may be received from any Data Subject in relation to any Data;

(l) in the event that The Data Processor receives a request for any information contained in the Data pursuant to the acts, not to respond to the person making such request but to inform The Customer within two (2) working days, and The Data Processor further agrees to assist The Customer with all such requests for information which may be received from any person within such reasonable timescales as may be prescribed by The Customer;

(m) for the purposes of this Agreement, procure a right in favour of The Customer to enforce the obligations imposed on The Data Processor’s permitted sub-contractors directly against such sub-contractors and shall also procure that the terms of any sub-contract shall be governed by the Laws of Ireland and be subject to the jurisdiction of the Irish courts

(n) not Process or transfer the Data outside of the European Economic Area except for limited specified purpose and with the express consent of The Customer

(o) to notify all incidents of loss of control of personal data in manual or electronic form to The Customer, as soon as it becomes aware of the incident, such that the The Customer can notify the Data Protection Commissioner within 24 hours.

(p) In the event of any such breach, to take prompt action at its own expense to remedy the cause of the breach subject to the limitations set out in paragraph 19 of the of the Standard Conditions of Service.

(q) In the event of any such breach, to bear the costs of investigation into said breach subject to the limitations set out in paragraph 19 of the of the Standard Conditions of Service.

(r) In the event of any such breach, to promptly, and at its own expense provide The Customer on request with all information required to fulfil its obligations, as Data Controller, under all applicable laws, regulations and codes of practice subject to the limitations set out in paragraph 19 of the of the Standard Conditions of Service..

(s) To otherwise comply with all applicable laws and regulations and with the Personal Data Security Breach Code of Practice promulgated by the Irish Data Protection Commissioner insofar as they apply to it.

5. OBLIGATIONS OF THE CUSTOMER

5.1 In consideration of the obligations undertaken by The Data Processor in clause 4 The Customer agrees that it shall ensure that it complies at all times with any applicable enactment, and in particular with its obligations as Data Controller under the Data Protection Legislation.

5.2 In particular, The Customer shall ensure that any disclosure of Personal Data made by it to The Data Processor is made with the data subject’s consent or is otherwise lawful.

5.3 The Customer shall comply with its responsibilities under with all applicable laws, regulations and codes of practice.

6. INDEMNITY

6.1 Without prejudice to the right of The Customer to pursue any other remedies which are available to it under this contract or any applicable legal provision, in the event of loss or damage to Data while it is in The Data Processor’s possession or control, or as a result of any act or default of the Data Processor, the Data Processor shall immediately notify The Customer of same and take immediate steps to remedy the said loss or damage subject to the terms of Clauses 16, 17, 19 and 20 of the associated Standard Conditions of Service agreement .

7. DISCLAIMER OF LIABILITY

7.1 The Data Processor hereby disclaims any liability for any loss or damage suffered by The Customer in consequence of any failure by The Customer, its servants or agents, to comply with the laws, regulations and codes of practice of any jurisdiction.

8. TERMINATION

8.1 This agreement shall terminate automatically upon termination or expiry of The Data Processor’s obligations in relation to the Services, and on termination of this agreement The Data Processor shall forthwith deliver to The Customer or destroy, at The Customer’s sole option, all Data in its possession or under its control which has been provided by the Customer. Either party may terminate this contract on the same terms and by the same means as those set out in the associated Standard Conditions of Service agreement . In the event that the customer does not exercise either option, all Data in the Data Processor’s possession or control which has been provided by the Customer will be irrevocably deleted after 21 days from Termination or expiry of the basis for processing.

9. GOVERNING LAW

9.1 This agreement will be governed by the laws of the Republic of Ireland, and the parties submit to the exclusive jurisdiction of the Irish courts for all purposes connected with this agreement, including the enforcement of any award or judgment made under or in connection with it.

10. WAIVER

10.1 Failure by either party to exercise or enforce any rights available to that party or the giving of any forbearance, delay or indulgence shall not be construed as a waiver of that party’s rights under this agreement.

11. INVALIDITY

11.1 If any term or provision of this agreement shall be held to be illegal or unenforceable in whole or in part under any enactment or rule of law such term or provision or part shall to that extent be deemed not to form part of this agreement but the enforceability of the remainder of this agreement shall not be affected provided however that if any term or provision or part of this agreement is severed as illegal or unenforceable, the parties shall seek to agree to modify this agreement to the extent necessary to render it lawful and enforceable and as nearly as possible to reflect the intentions of the parties embodied in this agreement including without limitation the illegal or unenforceable term or provision or part.

12. ENTIRE AGREEMENT

12.1 This agreement and the documents attached to or referred to in this agreement, and the documents attached or referred to in those referred documents shall constitute the entire understanding between the parties and shall supersede all prior agreements, negotiations and discussions between the parties. In particular the parties warrant and represent to each other that in entering into this agreement they have not relied upon any statement of fact or opinion made by the other, its officers, servants or agents which has not been included expressly in this agreement. Further, each party hereby irrevocably and unconditionally waives any right it may have:

(a) to rescind this agreement by virtue of any misrepresentation;

(b) to claim damages for any misrepresentation whether or not contained in this agreement;

save in each case where such misrepresentation or warranty was made fraudulently or where such waiver would be in conflict with applicable laws.

13. NOTICES

13.1 Notices shall be in writing and shall be sent to the other party marked for the attention of the person at the address set out below. Notices may be sent by mail, email or facsimile transmission. Correctly-addressed notices sent by mail shall be deemed to have been delivered 72 hours after posting and correctly directed email or facsimile transmissions shall be deemed to have been delivered instantaneously on transmission providing that they are confirmed as set out as above.

SCHEDULE

THE SERVICES AGREEMENT

The Customer has engaged Tweekaboo Ltd trading as Indeemo to provide the following services which constitute or require the processing of personal or sensitive personal data, or the co-ordination of such processing. Nature of Engagement: Provision of Services as set out in the Standard Conditions of Service.

Duration: As set out in The Data Processors Standard Conditions of Service and any associated Purchase Agreement(s) that may fall within the scope of the Data Processor’s Standard Conditions of Service.

Summary Description of Services: The Data Processor will provide “Services” to the Data Controller as defined in the Data Processor’s Standard Conditions of Service.‘‘Service(s)’’ means the services ordered by the Data Controller from the Data Processor, in an order which has been accepted by the Data Controller. It includes, but is not limited to, a mobile and cloud based research technology platform that The Data Processor provides to the Data Controller to enable the Data Controller, it’s Employees and Agents to survey and interact with Respondents using the Service as part of a Research Project for the purposes of gathering market research data to produce insights. Respondents use the Service on a smartphone or tablet either as an iPhone App, Android app or a mobile optimised web app. Researchers and Observers use the Service through a web based Researcher Dashboard which is located at https://client.indeemo.com.

Services to be provided or undertakings provided in context of Information Asset Life Cycle

Plan: Understand the requirements of the Customer and prepare a Purchase Agreement that documents the scope of the Services to be provided by The Data Processor for each Project that The Data Controller wishes to undertake using the Services.

Obtain: Data will be obtained by the Data Processor on behalf of the Data Controller using the Indeemo mobile apps, mobile website or the Indeemo Dashboard.

Store/Share: Data will be stored and processed on the Indeemo Platform which is hosted and maintained on The Data Processor’s behalf by Amazon Web Services (AWS) and other permitted subcontractors as outlined in the Standard Conditions of Service. Data will be visible to the Data Processor, its nominated employees, Agents or Subcontractors for the duration of the Services in order to provide the Service. Data will be accessible to The Data Controller and the Data Controller’s Employees or Agents via the Indeemo Service.

Maintain: The Data Processor will enable the Data Controller to maintain the Data using the Indeemo Service and Dashboard for the duration of the Agreement between the Data Processor and the Data Controller.The Data will be stored and processed by The Data Controller in the manner specified in the Standard Conditions of Service.

Apply: Upon termination of the Services, Data will be exportable by The Data Controller and the Data Controller’s Employees or Agents from the Indeemo Service. Prior to the completion of the Services as outlined in the Standard Conditions of Service, the Data Processor will enable the Data Controller to export all Data from the Indeemo Service.

Dispose: Upon Completion of the Services, all Data will be deleted by the Data Processor as outlined in the Data Processor’s Standard Conditions of Service.