EPSILON DATA PROCESSING ADDENDUM KUWAIT, KSA AND UAE
This Data Processing Addendum (DPA) applies to the Processing of Personal Data under a General Services Agreement, Service Order, Insertion Order or any other agreement that incorporates this DPA (as applicable, the Agreement) by and between Epsilon International UK Ltd or any of its Affiliates (collectively Epsilon) and your company (Client).
Epsilon and Client may be referred to herein each as a party or collectively as the parties.
The parties agree as follows:
1. In this DPA, the following terms shall have the following meanings:
1.1 Affiliates means any entity that directly or indirectly controls, is controlled by, or is under common control with the applicable party. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the applicable party.
1.2 Applicable Data Protection Laws means any and all laws and/or regulations in Kuwait, KSA and UAE relating to the protection of Personal Data Processed under the Agreement that are applicable to a party, including but not limited to the KSA PDPL and the UAE PDPL (as applicable). For the avoidance of doubt, such Applicable Data Protection Laws shall only apply to a party that is subject to the scope of such laws and/or regulations;
1.3 Controller means a party which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and includes Data Controller as defined under Applicable Data Protection Laws;
1.4 Data Subject is an identified or identifiable natural person who can be identified, directly or indirectly;
1.5 Tags means any technology, tool, or code (including cookies, pixels, SDKs, APIs, local shared objects, and scripts) embedded within an advert or within Client's digital property(ies) or server(s) that enables access to or storage of information on a Data Subject's device;
1.6 KSA means the Kingdom of Saudi Arabia;
1.7 KSA PDPL means the Personal Data Protection Law in KSA implemented by Royal Decree M/19 of 9/2/1443H (corresponding to 16 September 2021) and amended by Royal Decree No. M147 of 5/9/1444H (corresponding to 27 March 2023);
1.8 Personal Data means any information relating to a Data Subject (as defined under the UAE PDPL and the KSA PDPL, as applicable) including but not limited to information such as name, identification number, location data and online identifiers;
1.9 Processing means any operation or set of operations which is performed on Personal Data;
1.10 Sensitive Personal Data means sensitive or special categories of Personal Data accorded a higher level of protection under Applicable Data Protection Laws (if any);
1.11 Supervisory Authority(ies) means a regulator, law enforcement, or other government authority in Kuwait, KSA or UAE (as applicable) which from time-to-time monitor and/or enforce compliance with any Applicable Data Protection Laws, including but not limited to for (i) UAE, the UAE Data Office established in accordance with the UAE Federal Law No. 44 of 2021, and (ii) KSA, the Saudi Data & Artificial Intelligence Authority; each as replaced from time to time.
1.12 UAE means the United Arab Emirates; and
1.13 UAE PDPL means UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection.
2. Client may disclose or otherwise permit Epsilon to collect certain Personal Data about visitors to Client's digital properties and/or about Client's customers and prospective customers, including but not limited to (i) identifiers such as name, address, email, phone number, device identifiers, advertising IDs, cookie IDs, IP addresses, and information about the Data Subject's browser and/or device; and (ii) transactional and browsing information such as the digital property and/or content that the Data Subject engages with and information about purchases and transactions that the Data Subject has made, as well as customer IDs, transaction IDs, and order IDs; each to the extent applicable to the services provided under the Agreement (collectively, the "Data"). Epsilon will Process the Data for the purpose of performing the Services, including to create a personalized advertising and content profile, to provide Data Subjects with personalized adverts and contents, to measure advertising performance; to develop and improve its services; and as otherwise described in the relevant Service Order and/or IO (the "Permitted Purposes"). Client shall ensure that no Special Categories of Personal Data are disclosed or made available to Epsilon, nor any Personal Data relating to Data Subjects under the age of 18 or any higher age that is considered a child under applicable laws.
3. Client acknowledges that it is a Controller of the Data it discloses or otherwise permits Epsilon to collect, and Epsilon will also Process the Data as a Controller for the Permitted Purposes. Epsilon may share the Data back with Client for Client to use solely for purposes compatible with the Permitted Purposes and always in accordance with Applicable Data Protection Laws.
4. Client will comply with its responsibilities as a Controller under Applicable Data Protection Laws in respect of its Processing of the Data. Without limiting this obligation Client shall fulfil the specific data protection compliance responsibilities described below:
4.1 Client shall: (i) maintain a prominent and publicly accessible privacy notice on all its digital properties that satisfies the transparency and other requirements of Applicable Data Protection Laws; and (ii) ensure such privacy notice discloses the means by which a Data Subject can contact Client in order to exercise its data protection rights under Applicable Data Protection Laws.
4.2 Client shall ensure that, in respect of any Data that it collects and provides to Epsilon (including any Data it permits Epsilon to collect using Tags on Client's digital properties): (a) the Data is collected and disclosed fairly and lawfully and in compliance with Applicable Data Protection Laws; (b) it has provided all necessary disclosures and obtained all necessary and valid consent(s) from the Data Subjects and, where applicable, approvals from the Supervisory Authority, in accordance with Applicable Data Protection Laws, and otherwise has all necessary rights as it relates to its own Processing of the Data as well as Epsilon's Processing of the Data for the Permitted Purposes prior to sharing the Data with Epsilon and/or permitting Epsilon to collect the Data; (c) it offers Data Subjects the ability to opt-out of its own and Epsilon's Processing of the Data; (d) it will not disclose or make available to Epsilon any Data relating to Data Subjects that have opted-out of Processing for the Permitted Purposes; (e) if any Data is transferred by Client to Epsilon outside the country of origin, such Data is transferred in compliance with Applicable Data Protection Laws; and (f) it has provided all necessary information notices to Data Subjects in accordance with Applicable Data Protection Laws, including Epsilon's privacy policy, at the time of collecting personal data from the Data Subjects; in each case as may be required by Applicable Data Protection Laws. Upon request from Epsilon or a Supervisory Authority, Client agrees to promptly provide documentation evidencing that such consent has in fact been obtained from Data Subjects. If a Data Subject withdraws its consent, Client will notify Epsilon promptly.
4.3 Epsilon shall have the right to audit Client, including by using a third-party independent auditor, for the purpose of ensuring that 4.2 is fulfilled.
5. Epsilon will comply with its responsibilities as a Controller under Applicable Data Protection Laws in respect of its Processing of the Data. Without limiting this obligation Epsilon shall fulfil the specific data protection compliance responsibilities described below:
5.1 Epsilon shall: (i) maintain a prominent and publicly accessible privacy notice on its digital properties that satisfies the transparency and other requirements of Applicable Data Protection Laws; and (ii) ensure such privacy notice discloses the means by which a Data Subject can contact Epsilon in order to exercise its data protection rights under Applicable Data Protection Laws.
5.2 Upon request Epsilon shall provide Client with such information as Client may reasonably require about Epsilon's Processing of Data under this DPA (including the use of Tags) so that Client can ensure that such information is presented to Data Subjects.
6. Epsilon may also make available to Client certain Personal Data about visitors to third party digital properties on which adverts are served (the "Metrics Data"). Client will Process the Metrics Data solely for the purpose of measuring advertising performance, or as otherwise agreed between the Parties in writing, and always in accordance with Applicable Data Protection Laws.
7. If Client requests and Epsilon agrees, in its sole discretion, to place Client's or a third party's (each such third party an "Attribution Third Party") Tags in Ads, Client shall (1) be solely responsible for the Attribution Third Party; (2) enter into a contract with the Attribution Third Party which: (a) meets the requirements of Applicable Data Protection Laws; (b) requires the Attribution Third Party to Process Personal Data in accordance with Applicable Data Protection Laws; and (c) guarantees at least the same level of protection of Personal Data as set out herein; (3) be solely responsible for satisfying a lawful basis to process any data (including Personal Data) collected by the Attribution Third Party's Tags (the "Attribution Data") for the permitted uses listed below; (4) use the Attribution Data and shall contractually require any Attribution Third Party to use the Attribution Data, solely for the following applicable permitted uses: (a) attribution analysis, (b) click and impression tracking; (c) campaign measurement; (d) customization of creatives; and/or (e) any other purpose approved in writing by Epsilon. For the avoidance of doubt, Attribution Data cannot be used by Client, any Attribution Third Party and/or any other third party for any other purposes including but not limited to retargeting or audience creation.
Notwithstanding any contrary provision in the Agreement, Client shall and shall procure that Attribution Third Party complies with the obligations set out in this Section 7 of this DPA, and shall indemnify Epsilon, its affiliates, and their respective employees, officers, directors (each an Indemnitee) against all liabilities, damages, costs, expenses, actions, proceedings, judgments, fines, penalties, settlement costs, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by an Indemnitee arising out of or in connection with any breach and/or omission by Client and/or Attribution Third Party which violates Section 7 of this DPA.
8. Each party shall, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to protect the Data and Metrics Data from and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with Applicable Data Protection Laws.
9. Each party shall be individually responsible for responding to lawful data protection requests that it receives from Data Subjects in respect of Data and/or Metrics Data that it Processes. To the extent that either party (the "Receiving Party") receives a request relating to Processing performed by the other party (the "Other Party") the Receiving Party shall direct the Data Subject to the Other Party and shall, upon request, provide such information and assistance to the Other Party as is reasonably necessary to enable the Other Party to respond to such request in accordance with Applicable Data Protection Laws.
10. The Parties agree that they may transfer Personal Data to countries outside the country where the Personal Data was collected. In the event the disclosure of Personal Data by one party (the data exporter) to the other party (the data importer) under this DPA is considered a transfer of Personal Data outside the country of origin under Applicable Data Protection Laws, and where required by such Applicable Data Protection Laws, the transfer shall be subject to the following:
10.1 The data importer agrees to comply with the same obligations the data exporter has under Applicable Data Protection Laws in connection with the protection of Personal Data;
10.2 The transfer shall be subject to the relevant Standard Contractual Clauses adopted under Applicable Data Protection Laws. The Standard Contractual Clauses shall be completed with the data exporter being the Exporter, the data importer the Importer and with the information set out in this DPA and the Agreement, and shall be deemed signed by the parties when this DPA is signed; and
10.3 Each party shall, upon the other party's reasonable request, cooperate reasonably with the other in carrying out any assessment of such transfer that may be required under Applicable Data Protection Laws.
11. In the event that either party receives any correspondence, enquiry or complaint from a Supervisory Authority ("Correspondence") directly related to the Data and/or Metrics Data Processed under this DPA it shall promptly inform the other party giving details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Laws.
12. If Epsilon receives a lawful request relating directly to the Data (i) it will use commercially reasonable efforts to provide notice to Client of the request if such request references Client, unless Epsilon is legally prohibited from doing so; and (ii) if Epsilon becomes aware that any Supervisory Authority wishes to obtain access to the Data, Epsilon will only make available the Data to the extent Epsilon is legally required to do so.
13. This DPA shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement each party may continue to Process the Data or Metrics Data under its control provided that such Processing complies with the requirements of this DPA and Applicable Data Protection Laws.
14. Except as expressly set forth herein, the terms of the Agreement remain unmodified and in full force and effect. The parties agree that this DPA shall replace any existing data processing agreement the parties may have previously entered into in connection with the Agreement to the extent such data processing agreement relates to Personal Data within the scope of this DPA.