EPSILON DATA MANAGEMENT TERMS AND CONDITIONS
AUDIENCE DEVELOPMENT AND ACTIVATION
I. Epsilon Terms and Conditions.
These Terms and Conditions (T&Cs) between Epsilon Data Management, LLC and its affiliates (Epsilon) and the other party (Client) signing the relevant Data Services Form (defined below) is effective as of the date the last party signs the Data Services Form (Effective Date) and incorporates these T&Cs. Client and Epsilon are referred to individually as a Party and collectively as the Parties. The T&Cs and all Data Services Forms are collectively referred to herein as the Agreement.
NOW, THEREFORE, for and in consideration of the Parties' agreements set forth below and intending to be legally bound, the Parties hereby agree as follows:
1. Principles of Agreement. This Agreement sets forth the terms applicable to all services provided by Epsilon to Client set forth in a Data Services Form (defined below) (Services). The Services to be provided and any service-specific terms will be agreed to by entering into one or more Data Services Forms (each, a Data Services Form). In the event of a conflict or inconsistency between the terms of a Data Services Form and these T&Cs, the terms set forth in the Data Services Form will in all cases control with respect to the Services provided pursuant to such Data Services Form.
2. Term and Termination. These T&Cs will commence on the effective date set forth in a Data Services Form and shall continue until terminated in accordance with this Section 2. If a Party breaches a material term of the T&Cs or any Data Services Form, the non-breaching Party may provide notice of such breach to the breaching Party that identifies the suspected breach with reasonable specificity. The breaching Party shall cure such breach within thirty (30) days after receipt of the breach notice. If the breach remains uncured at the end of the thirty-day period, the non-breaching Party may, upon notice to the breaching Party, immediately terminate: (a) the applicable Data Services Form for a service-related breach of a material term of such Data Services Form, or (b) the T&Cs and all outstanding Data Services Forms for a breach of a material term of these T&Cs. Further, Epsilon may terminate this Agreement immediately and without further obligation if Epsilon, in its reasonable discretion, determines that its performance: (a) could cause irreparable damage to Epsilon's reputation; (b) is contrary to accepted industry practice; (c) may be in violation of Law; or (d) could result in public relations issues that are detrimental to Epsilon's business.
In the event that: (i) a Party becomes insolvent; (ii) a Party admits in writing its inability to meet its debts generally as they become due; (iii) a Party makes a general assignment for the benefit of creditors; (iv) a Party suffers or permits the appointment of a receiver, trustee, liquidator, or conservator for its business or assets; (v) a Party avails itself of, or becomes subject to, any proceeding under the Federal Bankruptcy Act or any other statute of any state relating to insolvency or the protection of rights or creditors; or (vi) proceedings are commenced for dissolution, winding-up, or liquidation of a Party, then, at the option of the other Party, this Agreement will terminate immediately.
3. Fees and Taxes.
A. Fees and Invoice Schedule. Client will pay to Epsilon the fees and other charges enumerated in the applicable Data Services Form(s) as may be amended from time to time. The Data Services Form(s) will indicate when Epsilon will invoice for the Services. Should the Data Services Form fail to state a specific invoice schedule, Epsilon shall invoice fees monthly.
B. Payment. Client shall pay Epsilon the entire amount invoiced within thirty (30) days after the invoice date. In the event Client fails to pay any undisputed invoice within sixty (60) days from the invoice date, Epsilon shall be entitled to charge interest on the late balance in an amount of 1.5% per month from the due date until such invoices are paid in full. Client shall notify Epsilon within thirty (30) days of the invoice date should Client have reason to believe the invoice is inaccurate. The Parties will work in good faith to review and resolve any discrepancies, escalating to appropriate personnel as needed, to resolve any discrepancy within an additional thirty (30) days.
C. Transaction Taxes.
i. Client shall pay or reimburse Epsilon for all sales, use, value added tax, goods and services tax, or other taxes of a similar nature (Transaction Taxes) imposed on the sale of Services sold to Client under the Agreement. Epsilon will separately state the applicable Transaction Taxes on an invoice and remit the same to the relevant tax authorities. Client shall pay the amount (including Transaction Taxes) reflected on the invoice. Client shall provide Epsilon with, and Epsilon shall accept in good faith, resale, direct pay, or other exemption certificates, as applicable for exemption from Transaction Taxes. Epsilon and Client agree to reasonably cooperate with each other to minimize any Transaction Taxes in connection with the Agreement. Client shall be responsible for any Transaction Taxes applicable to work performed for Client, which may at any time be levied as a result of an audit by a taxing authority having jurisdiction.
ii. If Client is required by law to withhold from any amount payable hereunder to Epsilon, then the sum payable by Client upon which the deduction is based shall be paid to Epsilon net of such deduction or withholding. Client shall pay the applicable tax authorities any such required deduction or withholding. However, prior to the execution of a Data Services Form, Client shall notify Epsilon of its intention to withhold on any payment under such Data Services Form and shall reasonably cooperate with Epsilon to reduce such withholding. Client shall withhold at the lowest allowed rate and provide Epsilon with the receipt reflecting the payment to the tax authority.
4. Confidential Information.
A. Definition of Confidential Information. Confidential Information means all information that relates to the products, services, business or affairs of the disclosing Party, and all documents and other tangible materials and things that record such information, provided by or on behalf of a Party that is identified as confidential or proprietary, is a trade secret, or is information that a reasonable person in similar circumstances would consider it to be confidential based on industry standards or prudent business judgment. The Agreement shall be considered Confidential Information of both Parties and shall not be disclosed without the other Party's written consent or in compliance with a legal order. Confidential Information does not include information, even if designated by a Party, that: (a) is or becomes generally available to the public without breach of the Agreement; (b) can be documented was in the possession of the receiving Party prior to its disclosure by the disclosing Party; (c) becomes available from a third party not in breach of any obligations of confidentiality and without knowledge by the receiving Party of any breach of a fiduciary duty or obligation; or (d) can be documented was independently developed by the receiving Party without reference to or reliance upon the disclosing Party's Confidential Information, as demonstrated by documentary evidence.
B. Safeguards. Each Party shall hold the other Party's Confidential Information in confidence with reasonable safeguards, which in any event shall be no less stringent than those used to protect its own Confidential Information. The receiving Party shall not disclose the disclosing Party's Confidential Information to any third party unless the disclosure was at the specific written direction of the disclosing Party, or otherwise authorized in writing by the disclosing Party. An email from the disclosing Party shall satisfy as written direction of authorization.
C. Legal Obligations. A Party may disclose the Confidential Information of the other Party only to the extent required pursuant to a duly authorized subpoena, court order or government authority, provided that the disclosing Party responding to the subpoena, court order or government authority has first provided prompt notice to the other Party to allow the other Party to seek a protective order or other appropriate remedy.
D. Permitted Use. The receiving Party shall only use the Confidential Information of the disclosing Party to: (a) provide or receive Services (as the case may be) pursuant to a Data Services Form, (b) further the business relationship between the Parties, (c) evaluate a possible future relationship between the Parties, or (d) any other specific purpose, as may be agreed to in writing by the Parties.
E. Return or Destruction. Upon termination or expiration of the applicable Data Services Form, each Party shall securely delete all originals and copies of the other Party's Confidential Information (whether in electronic or hard copy form) in its possession, custody, or control in accordance with the requirements of the Agreement and Laws (as defined below), or return such Confidential Information to the other Party, except for any copies that are retained on archived backup tapes, pursuant to the Party's internal policies.
5. Data Protection and Privacy. In the event the Services involve the receipt of Personal Data (as defined by applicable law), the Parties agree to comply with the terms and conditions of the Data Processing Addendum attached hereto, which are fully incorporated herein.
6. Representations and Warranties.
A. Mutual. Each Party represents and warrants to the other that in performing its respective responsibilities and exercising its rights under the Agreement, it will comply with all federal, state and local laws, rules, regulations, ordinances and codes, including without limitation privacy laws, consumer protection laws, data security laws, advertising laws and regulations, and anti-corruption and anti-bribery laws as applicable to it (collectively, Laws). If new Laws or material changes to Laws passed after the Effective Date require changes to the Services, any such required changes are not included in the scope of Services and must be addressed by mutual agreement of the Parties.
B. Client. Client represents and warrants to Epsilon that: (a) any information provided to Epsilon by Client is truthful and accurate; (b) the Client Data has been lawfully collected and complies and will comply with Laws; (c) to the best of Client's knowledge, each consumer data record contained in the Client Data is an actual customer of Client and specifically not a prospect; (d) it is not (i) an entity or person that is controlled by a foreign adversary as defined in the Protecting Americans' Data from Foreign Adversaries Act of 2024 (PADFA) or (ii) a covered person as defined in the Department of Justice rule, 28 C.F.R. Part 202 (the DOJ Final Rule); and (e) it and its affiliates, subsidiaries, representatives, and subcontractors will not permit any data that is subject to PADFA and the DOJ Final Rule provided by or sourced through Epsilon to be Transferred to or Accessed by a: (i) foreign adversary country or an entity or person that is controlled by a foreign adversary, as defined under PADFA, or (ii) country of concern or covered person, as defined under the DOJ Final Rule. For purposes of this provision, Transferred means sold, licensed, rented, traded, transferred, released, disclosed, provided access to, or otherwise made available; and Accessed means logically or physically accessed, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software. Whether data has been Accessed is determined without regard for the application or effect of any security requirements. Client shall immediately notify Epsilon in the event of Client's change in ownership.
To the extent the Data Services Form includes Epsilon DII-Based Data, Client additionally represents and warrants that Epsilon DII-Based Data and anything derived from the Epsilon DII-Based Data will not be used in connection with: (a) any individual reference service application, skip tracing, electronic directory assistance or other e-data look-ups, verification of the accuracy of a record (unless expressly permitted in this Agreement); (b) employment or a review of employee records, including without limitation for evaluating an individual for employment or for promotions, reassignment, or retention as an employee; (c) a determination of an individual's eligibility for a license or other benefit granted by a governmental instrumentality; (d) any government run program; (e) any other type of review, analysis, or assessment of an individual record that is not expressly permitted hereunder; or (f) any factor in determining or establishing a consumer's creditworthiness or eligibility for credit, insurance, employment, or for any other purpose covered by the Fair Credit Reporting Act (15 U.S.C. 1681 et seq. (FCRA)), Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq. (GLBA)), Federal Trade Commission or Consumer Financial Protection Bureau interpretations of the FCRA, and similar federal and state statutes. Client additionally represents and warrants that it will only use the Epsilon DII-Based Data in accordance with the terms of this Agreement.
7. Intellectual Property. In the event of a third party claim against either Epsilon's intellectual property or right to offer any good or service, or if, in Epsilon's opinion, such a claim is likely, Epsilon shall have the right, in its sole discretion and as Client's sole and exclusive remedy, to: (a) secure the right to continue using the intellectual property, good, or service; (b) replace or modify the intellectual property, good, or service to make it non-infringing, provided that any such replacement or modification will have similar operating capabilities and functionalities of the allegedly infringing intellectual property, good, or service provided hereunder; or (c) terminate the affected Data Services Form or these T&Cs immediately, in whole or in part, if it is unable to secure, replace, or modify the intellectual property, good, or service as set forth in subsections (a) and (b) herein.
8. Locations. Epsilon may use its personnel located in any of its worldwide office locations, including its Canada, Argentina, and Bangalore, India office locations, in its discretion to most efficiently and effectively provide, support, or supplement the Services. In providing such support functions, Epsilon's offshore resources may have access to Personal Information. The security standards referenced in this MSA shall apply to Epsilon's offshore locations as well as Epsilon's United States locations.
9. Provision of Client Materials.
A. With respect to any content, data, information, software, Personal Information, or other materials provided to Epsilon by Client (whether directly by Client or by a third party) (Client Materials), Client further represents and warrants to Epsilon that (a) Client's provision of such Client Materials in connection with the Services, and Epsilon's use of such Client Materials to perform the Services, will conform with Laws, Client's privacy policy, and any agreement to which Client is bound; (b) Client features and will maintain an easy-to-find privacy policy on each website and mobile application and that such privacy policy provides clear and conspicuous notice to consumers that their data may be disclosed to third parties for the performance of services on Client's behalf; and (c) Client will not direct Epsilon to access, receive, store, use or disclose Client Materials on Client's behalf in a manner that would violate any of the foregoing.
B. In connection with the Services, Client must provide Epsilon with a copy of (either directly or through designated partners) creative assets, imagery and other marketing or informational content, including approved messages, offers, reviews, endorsements and/or testimonials, images, fonts, logos and other elements (any such materials created or disseminated in connection with the Services are collectively referred to as Marketing Content, whether or not Client provides such Marketing Content to Epsilon) upon request. Once reviewed by Epsilon, Client may not make material changes to the Marketing Content without resubmitting to Epsilon for further review. Client represents and warrants that all such Marketing Content: (a) will include only accurate, complete and appropriate information concerning Client's organization, products and services or those of its competitors (including product and performance data, claims and comparisons), which information, whether direct or implied, will be supportable by competent and reliable evidence, which may consist of tests or other authentic and objective data as required by Laws (which shall be provided to Epsilon upon reasonable request); (b) include any and all required labelling, product information, disclaimers, warnings, privacy notices and other legal copy as required by applicable Laws and applicable regulatory guidance; (c) will either be owned by Client or properly licensed with any required release(s) as necessary for use by Client and Epsilon in connection with the Services and will not violate the copyrights, trademarks, rights of privacy or publicity or other intellectual property rights of any person or entity; (d) will not contain or promote obscene, abusive, violent, bigoted, or hate-oriented content or conduct or otherwise encourage or promote the same; (e) not be fraudulent or deceptive; and (f) for any advertising content that promotes the availability of compounded drug products and/or services related to obtaining such products, Client further represents and warrants that such advertising content, and the products or services promoted therein, comply with all applicable provisions of the Federal Food, Drug, and Cosmetic Act, in particular Sections 503A or 503B, and state board of pharmacy regulations. Epsilon reserves the right to refuse to allow Services to be used in connection with any Marketing Content it reasonably determines does not meet applicable standards. Client will fulfill all commitments made in its Marketing Content.
C. Client remains responsible for all final legal reviews, approvals and clearance for Client use of any Marketing Content, including without limitation, ensuring that the Marketing Content complies with all Laws.
10. Warranty Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH IN THESE T&Cs, EPSILON MAKES NO OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THE SERVICES HEREUNDER AND HEREBY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES REGARDING MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. EPSILON WILL NOT BE DEEMED TO BE IN BREACH OF ANY REPRESENTATION OR WARRANTY TO THE EXTENT THAT SUCH BREACH RESULTS FROM THE ACT OR OMISSION OF A THIRD PARTY THAT IS NOT A VENDOR OR A SUBCONTRACTOR OF EPSILON.
11. Intellectual Property.
A. Epsilon Technology. Client acknowledges that Epsilon will retain all right, title and interest in and to the Services, all components thereof and pre-existing content incorporated therein, and to any other code, software programs, processes, methodologies, algorithms, templates, tools and related know-how used by Epsilon in connection with the performance or delivery of Services, and all derivative works, modifications and enhancements thereto (collectively, Epsilon Technology). Epsilon Technology is considered Epsilon Confidential Information and is owned by and remains the property of Epsilon or its third-party licensor(s).
B. Epsilon DII-Based Data. Epsilon DII-Based Data is data and information generated, created, licensed, or collected by Epsilon, including all derivatives thereof, that are used or intended to be used to identify a particular individual and are associated with a name, address, telephone number, and/or email address. Epsilon DII-Based Data is Epsilon Confidential Information and shall remain the property of Epsilon or its third-party licensor(s). Epsilon DII-Based Data shall only be used for marketing or analytics purposes for Client's own marketing endeavors and is not individualized credit data or consumer report information subject to the FCRA (defined below), or GLBA (defined below). Epsilon DII-Based Data shall: (i) be subject to data license terms as specified in the applicable SOW; and (ii) not be used in any artificial intelligence platform or any product or service using language learning models, unless such platform, product or service is built, managed, hosted and only used by Client for its own marketing purposes. To the extent Epsilon DII-Based Data contains Sensitive Data, Epsilon has obtained affirmative, opt-in consent for such Sensitive Data. Except as otherwise set forth in the preceding sentence, Epsilon DII-Based Data shall not contain Sensitive Data. For purposes of this section, Sensitive Data is defined as sensitive data in an applicable state privacy law.
i. Client represents and warrants that it shall not use the Epsilon DII-Based Data as follows:
1. (a) to underwrite insurance of any kind; (b) to develop any models that target a single individual; (c) for use in debt collection; (d) to advertise, sell, or exchange any products or services that involve: drug paraphernalia; sexual paraphernalia or adult films, recordings, or magazines; non-hunting weapons; credit repair services; or any illegal or illicit activities; (e) in the healthcare industry for purposes other than marketing of medical devices, healthcare provider organization, healthcare professional organizations, and health insurance or health plans, provided that Epsilon DII-Based Data may not be used (1) to develop a model that would predict the efficacy (effectiveness) of any treatment for a condition; (2) to determine the propensity for a consumer to fulfill or use a prescription drug or medical device; or (3) to determine eligibility for medical (or healthcare) insurance (underwrite), medical (or healthcare) plans, (f) in conjunction with developing a news story; (g) to assist in the determination of whether or not to file a personal lawsuit or judgment against the subject of the Epsilon DII-Based Data; or (h) for any other purpose otherwise restricted in this Agreement or not expressly permitted in a Data Services Form.
2. Client must maintain the Epsilon DII-Based Data logically separate from other data or databases, and may not in any manner: (1) merge the Epsilon DII-Based Data, or any data derived therefrom, with any data elements, products, or services that are subject to the FCRA.
ii. Disclosure of Source. Epsilon may not be advertised, or otherwise disclosed to any third party, as the source of the DII-Based Data unless Client first obtains the express, written permission of Epsilon. This restriction will not prevent Client from responding to (a) inquiries from individuals who are the subject of individual records within the DII-Based Data, or (b) a subpoena or other specific order of a court of appropriate jurisdiction. In the latter event, Client will provide written notice to Epsilon prior to such disclosure.
iii. Remedies. Epsilon's sole obligation and Client's sole remedy to the extent there are any errors in DII-Based Data is the correction of any errors in the DII-Based Data which are made known to Epsilon by written notice from Client describing the errors in detail; provided, however, Client acknowledges that some corrections of errors shall be dependent on the availability of data from the source of the applicable data. No claim or cause of action arising out of Epsilon's licensing of DII-Based Data, regardless of form, may be brought by either Party more than one year after the date such claim or cause of action accrued.
C. No Additional License. Client acknowledges that in receiving Services hereunder, Client shall obtain no rights to the Epsilon Technology or Epsilon DII-Based Data beyond the use and duration specified in the applicable Data Services Form.
12. Limitations on Liability. EXCEPT FOR EACH PARTY'S INDEMNIFICATION OBLIGATIONS IN SECTION 13.1(a) AND 13.1(c), IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR PUNITIVE DAMAGES, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES ARISING IN ANY WAY OUT OF THE AGREEMENT UNDER ANY CAUSE OF ACTION, WHETHER OR NOT THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT FOR EACH PARTY'S INDEMNIFICATION OBLIGATIONS IN SECTION 13.1(a) AND 13.1(c), EACH PARTY'S MAXIMUM AGGREGATE LIABILITY WILL NOT EXCEED THE AGGREGATE AMOUNT OF FEES PAID OR AGREED TO BE PAID TO EPSILON UNDER THE APPLICABLE SOW DURING THE PRECEDING TWELVE (12) MONTH PERIOD. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY, AND REGARDLESS OF THE THEORY ON WHICH DAMAGES ARE SOUGHT, INCLUDING, WITHOUT LIMITATION, CONTRACT, STATUTE OR TORT. THEY SHALL NOT APPLY TO THE EXTENT THAT DAMAGES CANNOT BE LIMITED UNDER APPLICABLE MANDATORY LAW.
13. Indemnification
A. Indemnification Scope. Each Party shall indemnify, defend and hold harmless the other Party, its employees, principals (shareholders or holders of an ownership interest, as the case may be), officers, directors, and Affiliates from and against any third party allegations, claims, actions, causes of action, lawsuits, damages, liabilities, obligations, costs, and expenses (including reasonable attorneys' fees, court costs, and witness fees) to the extent arising out of or resulting from: (a) the indemnifying Party's breach of its representations or warranties in the Agreement; (b) the indemnifying Party's breach of its data protection and privacy obligations under the Data Processing Addendum; and (c) with respect to Client's obligation to indemnify Epsilon pursuant to this Section 13, Client's marketing or advertising of Client's products and services.
B. Procedure. To receive the foregoing indemnities, the Party seeking indemnification shall promptly notify the other in writing of a claim or suit. Failure to give such prompt notice, however, will not relieve the indemnifying Party of its obligations under this Section, except to the extent of losses that would have been avoided had such notice been given. The indemnified Party will fully cooperate with the indemnifying Party to enable the indemnifying Party to fulfill its obligations hereunder with respect to any claim. The indemnified Party, at its own expense, may participate in the defense, provided that the indemnifying Party shall control such defense and all negotiations relative to the settlement of any claim. Participation in the defense shall not waive or reduce any obligations of the indemnifying Party to indemnify or hold the indemnified Party harmless. The indemnifying Party may enter into a settlement only if it: (a) involves only the payment of money damages by the indemnifying Party; and (b) includes a complete release of the indemnified Party. Any other settlement will be subject to written consent of the indemnified Party, which consent shall not be unreasonably withheld or delayed.
14. Miscellaneous
A. Federal Subcontracting and Equal Employment Opportunity. Client shall notify Epsilon in writing should it have reason to believe that any services Epsilon will provide to Client are in support of a Client obligation to a federal government entity that may reasonably deem Epsilon a federal subcontractor. Epsilon is an equal opportunity employer. Epsilon has progressive hiring policies and practices to ensure equal hiring opportunities for persons of all races, ethnicities, and gender. Epsilon does not, however, maintain any formal federally defined affirmative action plan or quota. Epsilon considers all vendors it does business with using an objective merit-based vendor due diligence process without regard to the racial, ethnic or gender makeup of the business owners. Epsilon does not have any specific goals with respect to using vendors who are designated as a historically disadvantaged business owner. To the extent Epsilon tracks such information, it is at Epsilon's discretion, and may be shared with Client upon request.
B. Marketing and Publicity. Client agrees that Epsilon may identify Client as an Epsilon client for the specified Services in client lists and in other communications and materials. Additionally, if requested by Epsilon, Client will reasonably consider participating in a written press release with Epsilon regarding the Services provided hereunder. In connection with its request, Epsilon will provide to Client a copy of the proposed press release for Client review and approval.
C. Legal Notices. Any notices required or permitted pursuant to these T&Cs or a Data Services Form shall be in writing and addressed to the relevant Party at its address set forth in a Data Services Form by overnight, second day, or certified mail, and will be deemed received upon actual receipt. Any required notice to Epsilon shall be sent to the address below with concurrent notice to the email address set forth below. The sender of the notice shall be responsible for ensuring an appropriate and reliable tracking mechanism to verify delivery and receipt of such notice to the intended Party.
If to Epsilon:
Epsilon Data Management, LLC
Attn: Legal Department/Urgent
6021 Connection Drive
Irving, TX 75039
With a concurrent copy to:
D. Force Majeure. Except for Client's payment obligations, no Party to the Agreement shall be liable to the other Party by reason of any failure or delay in performance if such failure or delay arises out of causes beyond the reasonable control and without the fault of such Party. Such causes may include, but are not limited to: acts of God or of the public enemy, acts of civil or military authority, fires, floods, epidemics, quarantine restrictions, strikes, freight embargoes, unavailability of energy resources, unavailability of telecommunications or internet services, riots or war, or any unusually severe weather condition (each, a Force Majeure Event). If a Force Majeure Event occurs, the disabled Party shall promptly and in writing advise the other Party whether it is unable to perform due to the Force Majeure Event, the expected duration of such inability to perform, and of any developments (or changes therein) that appear likely to affect the ability of the disabled Party to perform any of its obligations in whole or in part.
E. Waivers. No waiver by either Party of any default hereunder by the other shall operate as a waiver of any other default or of a similar default on a future occasion. No waiver of any term or condition hereof by either Party shall be effective unless the same shall be in writing and signed by both Parties.
F. Severability. In the event that any provision of the Agreement (other than a provision that goes to the essence of the consideration for this Agreement) is declared invalid, unenforceable or void, to any extent, by a court of competent jurisdiction, the remainder of this Agreement and the application thereof shall not be affected thereby, but rather shall be enforced to the greatest extent permitted by law.
G. Choice of Law and Attorneys' Fees. The plaintiff to any litigated dispute arising out of or relating in any way to the Agreement will have the option of selecting venue, and the other Party shall consent to such venue and exclusive jurisdiction, in any of the following States: New York, Delaware, Texas, or Illinois. This Agreement shall be governed by the laws of the State selected for venue without respect to its choice of law rules. The prevailing Party of any litigated dispute arising out of or relating in any way to the Agreement will receive its reasonable attorneys' fees, together with its reasonable costs and expenses incurred resolving the dispute, as part of the judgment.
H. Modifications; Entire Agreement. The Agreement may not be modified except as mutually agreed upon in writing, signed by an authorized representative of each Party. The Agreement shall supersede all prior agreements, communications, representations and understandings, either oral or written, between Epsilon and Client with respect to the subject matter contained herein. All terms and conditions on any Client-issued purchase order, order acknowledgment, or other similar documents in connection with the Services herein shall be deemed deleted and of no force or effect.
I. Relationship of Parties. Epsilon is an independent contractor of Client. Nothing herein shall be construed as creating a joint venture, partnership or similar relationship.
J. Cumulative Rights. Except as otherwise expressly set forth in the Agreement, all of the rights and remedies of the Parties hereunder (whether evidenced hereby or by any other agreement, instrument or document or permitted by law) shall be cumulative but may be exercised singularly or concurrently.
K. Survival. Notwithstanding anything herein to the contrary, all terms logically construed to survive the term of the Agreement shall survive.
L. Assignment. Either Party shall have the right to assign all rights and liabilities hereunder to any person or entity that: (a) is an Affiliate of the assigning Party; (b) acquires all or substantially all of the assigning Party's operating assets; or (c) results from a merger or reorganization pursuant to any plan of merger or reorganization. Any other assignments by either Party, in whole or part, shall require the prior written consent of the other Party without which such assignments are null and void. The Agreement shall inure to the benefit of and be binding upon the Parties and each Party's respective successors, permitted assigns and legal representatives.
II. Service Specific Terms
1. Consumer Research Services. The following terms shall apply if consumer research services (Consumer Research) are set forth in the Data Services Form.
A. Authorized Uses. All results of the Consumer Research must be used (a) in a manner which gives due consideration to matters concerning privacy, confidentiality, good taste, and other issues to which individual and business consumers may be sensitive; and (b) without any indication that any party possesses any information which is derived from any data or information provided by Epsilon about the recipient other than name and address.
B. Research Results. No results of any Consumer Research performed by Epsilon for Client pursuant to any Data Services Form may be used or released outside of Client's organization without Epsilon's prior written consent. At least seven days prior to any proposed release, Client will provide Epsilon with a copy of Client's proposed release, as well as any additional information related to such release as reasonably requested by Epsilon, for Epsilon's review and approval. Epsilon may decline to approve such release in its sole discretion. Further, should Epsilon approve such release, Client agrees to cite Epsilon as the source of such research.
A. TSP Data License or Install. To the extent the Services relate to Epsilon licensing Epsilon DII-Based Data to Client as further set forth in the Data Services Form (Licensed Data) the following terms shall apply.
i. Epsilon reserves the right to make changes to the content, structure, and form of the Licensed Data, without limitation, changes to keep it current and/or to make deletions in order to comply with Laws.
ii. Authorized Uses. Client may use the Licensed Data for the specific marketing or analytics purposes as further specified in the uses expressly authorized below and as indicated in the respective Data Services Form (the Authorized Uses) during the term of the Data Services Form, and for no other purpose. Except as expressly permitted hereunder, Client may not modify, further develop, or create any derivative products from the Licensed Data. No Licensed Data may be decompiled, decoded, or reverse engineered.
Authorized Uses | |
Marketing Campaigns (names, addresses, telephone numbers provided by Epsilon): | Use of the Licensed Data to create marketing lists for Client's own marketing campaigns. |
Online Targeting: | Use of Licensed Data to provide targeted online marketing programs to consumers for Client's products and/or services, limited only to (a) media targeting, (b) site personalization, or (c) creative optimization use cases. Client may enhance and/or match, and may allow its online vendors to enhance and/or match, any of their cookies and other data with the Licensed Data subject to the Permitted Service Provider Section II.2.C. If Epsilon agrees to onboard Licensed Data for Client, Epsilon will onboard the Licensed Data via Epsilon's preferred onboarding partner to the applicable media partner as designated by Client. If Client will independently onboard Licensed Data to a Permitted Service Provider, Client will be responsible for any third-party fees incurred in connection with such onboarding. |
Model Development and Application: | Use of the Licensed Data by Client in the creation of an algorithm which is predictive of certain consumer behaviors, and use of the Licensed Data in the execution of said algorithm to produce scoring or ranking of a Client file. |
Analysis Services: | Use of the Licensed Data to: (a) create a profile report that describes lifestyle and demographic characteristics of Client's file; and/or (b) create a profile report that describes characteristics of Client's file looking across historical attributes; as indicated in the Data Services Form (Analysis Services). Analysis Services will be performed solely by Client, a Permitted Service Provider, or by Epsilon for Client (which performance may be subject to added fees and charges), and not by any other party unless written request has been approved by Epsilon. |
Verification Services: | Use by Client solely in connection with providing verification services (Verification) in connection with Client's marketing programs and for no other purpose whatsoever. Verification is the process of taking solely the name, address, email address, and/or phone number supplied by a consumer and matching it to the Licensed Data in order to confirm whether the data element supplied matches the record contained in the Licensed Data. |
Epsilon List Select List Counts: | Use of Epsilon's List Select system (ELS) may be used in one of two uses as set forth in the Data Services Form: (i) List Counts: Use of ELS to obtain list counts from an Epsilon database(s); or (ii) Marketing Lists: Use of ELS to obtain list counts from an Epsilon database(s) and to order marketing lists for Client's own direct marketing campaigns as described above. |
Linkage: | Use of the Licensed Data to (a) merge internal consumer records, and (b) develop unique individual, household, address, or other level identifiers or linkages for managing and maintaining Client's own internal consumer databases; provided, however, that such identifiers or linkages may not be sold, rented, marketed, distributed, shared, or otherwise disclosed to any third party. |
iii. Termination. Upon the expiration or termination of a Data Services Form for Licensed Data, Client will and will cause any third party having access to any Licensed Data to: (i) discontinue using all Licensed Data provided in connection with a Data Services Form; (ii) within two weeks after termination, destroy all Licensed Data and provide Epsilon with a certification that such destruction is complete; and (iii) pay Epsilon all amounts due under such terminated or expired Data Services Form. Nothing herein will require Client to discontinue using an individual's contact information provided as part of the Licensed Data if such individual responds to a Client campaign and such contact information becomes part of Client's housefile. Notwithstanding anything herein to the contrary: (i) Epsilon may retain Client Data as required by law, a judicial, regulatory, or law enforcement authority, a subpoena, preservation demand, or any other legal preservation obligation, as determined by Epsilon.
B. Audience Development and Activation. If the Services set forth in the Data Services Form are for licensing a certain subset of Epsilon DII-Based Data in the form of lists (Lists) as further described in the Data Services Form, the following terms shall apply.
i. Authorized Uses. Upon request by Client for a List as described in an ordering document provided by Epsilon to Client in response to an email, purchase order, or other order request received by Epsilon from Client (an Order Confirmation), Epsilon will license Client the List. Lists may only be used by Client for direct mail or online use only, as further detailed below. Client acknowledges and agrees that: (i) the List may be seeded or otherwise monitored, and no method may be used to detect, alter, or eliminate such monitoring; and (ii) List may not be combined with any other data to create a database of any type.
ii. Direct Mail. Client may use a List for one mailing only unless otherwise specified in the Data Services Form. In addition to the one mailing authorized above and subject to its continued compliance herein, Client may, for a period of six months after receipt of a List, use such List for internal analysis of the results of the mailing, responding to consumer inquiries resulting from the mailing, and suppressing records in the List from additional direct marketing promotions. In the event that an analytically derived score (Score) is provided to Client for Client's prospecting or housefile marketing purposes, such Score, including up to three subsequent refreshes of such Score, may be used by Client for a period of 12 months from the date of the initial model build, pursuant to an Order Confirmation, by Epsilon for Client in support of Client's internal marketing efforts.
iii. Online Use. Client may use a List to deploy (a) one targeted online marketing campaign (up to three months in duration) to consumers for Client's products and/or services, or (b) one email campaign for Client's products and/or services to consumers who have opted in to receive email communications from Client, unless otherwise specified in the Order Confirmation. In connection therewith, Client may enhance and/or match, and may allow its Permitted Service Providers (defined in Section II.2.C.) to enhance and/or match, any of their cookies and other data with the Lists in connection with Client's online targeted marketing programs. If Epsilon agrees to onboard a List for Client, Epsilon will onboard such List via Epsilon's preferred onboarding partner to the applicable media partner as designated by Client.
C. Nondisclosure; Permitted Service Providers. Other than disclosure to a Permitted Service Provider to whom disclosure is necessary in order for Client to exercise its rights with respect to the Licensed Data or Lists hereunder, Client agrees not to disclose to any third party all or any portion of the Licensed Data or Lists in any form whatsoever. Permitted Service Provider means (a) any Competitor of Epsilon (as defined in Section II.2.G.) who executes Epsilon's standard data processor agreement for Client's engagement with such Competitor of Epsilon; or (b) if the third party is not a Competitor of Epsilon, any service provider with whom Client executes a written agreement that: (i) requires the service provider to hold the Licensed Data or Lists in confidence; (ii) only permits the service provider to use the Licensed Data or Lists to perform services on Client's behalf; and (iii) includes a right for Client to audit the service provider's use of the Licensed Data or Lists, and Client will conduct such an audit upon Epsilon's request and provide the results of such audit to Epsilon. Client is fully responsible to Epsilon for the acts and omissions of its contractors and agents, including, without limitation, its Permitted Service Providers.
D. Restrictions by Epsilon and Third Parties; Equitable Adjustment. Epsilon may, at any time, impose restrictions on the use of Licensed Data (a) to the extent they are imposed on Epsilon by third parties, or (b) to properly manage the integrity of the Licensed Data and/or its use in light of issues concerning privacy, confidentiality, and other issues to which consumers may be sensitive. Use of the Licensed Data is subject to compliance with all such restrictions. In the event the restrictions imposed under this Section substantially impair the value of the Licensed Data to Client, Client may request, in writing, an equitable adjustment in the license fees payable for such Licensed Data. The Parties will attempt in good faith to arrive at a mutually agreeable equitable adjustment. If such agreement is not reached within 30 days of Client's request, this Agreement may be terminated by either Party upon written notice to the other Party.
E. Additional Compliance with Laws. All Marketing Content prepared in connection with the Licensed Data, and if applicable, Contact Complete, will be devoid of any references to selection criteria or presumed knowledge concerning the intended recipient of such solicitation derived from the Licensed Data. Client is solely responsible for compliance with all do not call, do not mail, and similar legislation relating to telemarketing, privacy, and email activities, including but not limited to the CAN-SPAM Act (15 U.S.C. 7701 et seq.), the Telephone Consumer Protection Act (47 U.S.C. 227 et seq.), and the Telemarketing Sales Rule (16 C.F.R. 310 et seq.). Client shall not use auto dialers to make telemarketing calls to any telephone numbers that are provided by Epsilon to Client as part of the Licensed Data. Epsilon is not responsible for obtaining any required consumer consent under applicable law and makes no representation or warranty with respect to compliance with any legislation relating to telemarketing, privacy, or email activities. Client is responsible for subscribing to all applicable do not call lists, including, without limitation, any national do not call list, and will use any suppression lists provided by Epsilon in accordance with applicable laws, rules, and regulations, removing data as appropriate from the files provided by Epsilon.
F. Audit. The Licensed Data shall be stored and used in a manner that must be easily identifiable in the event of an Audit (defined below) and deleted upon expiration or termination of the Data Services Form. Client will maintain business and financial records for a continuing (rolling) period of three years. Such records will contain information sufficient to (a) verify the completeness and accuracy of payments made in connection with the Licensed Data, and (b) verify that the use of Licensed Data complies with this Agreement. Client will permit Epsilon or its representatives and agents to conduct periodic inspections, reviews, and/or audits (Audits) of such records. Such Audits will be conducted during Client's normal business hours with reasonable advance notice. Epsilon will pay for the cost of the Audit unless Epsilon reasonably determines from the Audit that Client has breached a material provision of this Agreement, in which case Client will be solely responsible for the cost of the Audit and any additional amounts owed as determined by the Audit.
G. Competitors of Epsilon. Client agrees that it will not provide to or perform for any Competitor of Epsilon (with the exception of a Competitor of Epsilon acting in the capacity of a Permitted Service Provider) (a) any Licensed Data or any services which make use of the Licensed Data or disclose any of the Licensed Data in any manner, or (b) any list based upon, derived from, or enhanced with the Licensed Data. For purposes of this Agreement, Competitor of Epsilon means: (i) any party owning or in possession of a list with household or individual counts that match at least 50% of the Licensed Data counts for the geographic area covered by said party's list; and/or (ii) the following parties and any other party that is, at the time in question, an affiliate of such party located at https://legal.epsilon.com/us/data-competitors.
H. Additional Data License Terms. To the extent the Licensed Data includes the following data sets as identified in a Data Services Form, the following provisions shall apply:
i. Email Addresses. If email addresses are provided as part of the Licensed Data, then notwithstanding anything to the contrary in this Agreement (including without limitation the Authorized Uses), Client represents and warrants to Epsilon that such email addresses will be used only by Client and only for internal matching and customer identification purposes, and Client will not email any such email addresses provided by Epsilon.
ii. Telephone Numbers; Notice of Potential Inaccuracies. If telephone numbers are provided as part of the Licensed Data, without limiting anything in these T&Cs, Client is responsible for obtaining any consent that may be legally required to call, text, fax or otherwise communicate with any such telephone numbers. Client represents and warrants that Client will not use the Licensed Data in connection with the initiation of a telephone call or message to any person for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, unless Client has independently verified that such use of the Licensed Data is compliant with the Telephone Consumer Protection Act (47 U.S.C. 227 et seq.). TELEPHONE NUMBERS INCLUDED AS PART OF The Licensed Data may contain inaccuracies (for example, an individual may have changed telephone numbers, or may have ported a landline number to a cellular phone) and ARE subject to change without notice. EPSILON DOES NOT WARRANT THAT THE LICENSED DATA IS FIT FOR ANY PARTICULAR USE OR WILL MEET CLIENT'S NEEDS OR EXPECTATIONS.
iii. Vehicle Data. Client will not use any vehicle data, in whole or in part, to verify, confirm, enhance, audit, or update any file owned, licensed, or marketed by the following companies or any commonly owned company or alias thereof: Reed Elsevier, Lexis Nexis, TransUnion, Acxiom Corporation, Media One, LLC, M1 Data and Analytics LLC, Database 101, LSSI/Volt Delta; Neustar/Targusinfo; TLO LLC, Datamentors; V12; and Xcelerated.
iv. CCEI or Target Neighborhood Attributes
i. Data Products. (i) CCEI means Claritas consumer economic indicators; and (ii) Neighborhood Automotive Attributes are vehicle statistics aggregated to the ZIP and ZIP+2 levels.
ii. Authorized Uses. Notwithstanding anything to the contrary in this Agreement (including without limitation the Authorized Uses), CCEI and Neighborhood Automotive Attributes may be used only for the purposes specified below.
1. Data Enhancement. CCEI and Neighborhood Automotive Attributes may be appended to Client's own files, to be used by Client in its own marketing programs, developing and/or implementing a predictive model.
2. Analysis. Epsilon may use CCEI and Neighborhood Automotive Attributes on behalf of Client to conduct internal analysis of Client's own internal marketing programs, decision support, or information services.
3. Modeling. Client may use Neighborhood Automotive Attributes to create models used to rank Client's file or prospect list, provided that Neighborhood Automotive Attributes are used in combination with at least three other variables, a score is not a one-to-one correlation with Neighborhood Automotive Attributes, and the model is used in compliance with the other terms and conditions in this Agreement.
iii. CCEI Restriction. Client will not use CCEI in a way that negatively characterizes any Zip+4, or to exclude any Zip+4 in a way that could result in a disparate impact or treatment on a prohibited basis under Regulation B under the Equal Opportunity Act (15 U.S.C. 1691 et seq.) or the Fair Housing Act (42 U.S.C. 3601 et seq.).
I. Target Neighborhood Credit Data. To the extent the Licensed Data or Lists contains any depersonalized credit information aggregated at various geographic levels (TNC Data) the following terms shall apply:
i. Authorized Use. Notwithstanding anything to the contrary in this Agreement (including without limitation the Authorized Uses), TNC Data may only be used as follows:
1. to create models used to rank Client's file or prospect list, provided that TNC Data is used in combination with at least three other variables, a score is not a one-to-one correlation with TNC Data, and the model is used in compliance with the other terms and conditions in this Agreement; and
2. in Online Advertising only as follows: (A) in generic or customized Client models developed for marketing that use a combination of the TNC Data and other Epsilon or third-party data; (B) to develop Client models for use in consumer target marketing channels, including Online Advertising; (C) in models developed exclusively for Online Advertising (except for insurance and financial services); (D) in models developed for use in multiple marketing channels; and (E) models may be loaded into Online Advertising exchanges or platforms, subject to the following restrictions. Notwithstanding the foregoing, TNC Data may not be: (1) solely loaded into any Online Advertising data platform or exchange; (2) used to develop generic models that are used exclusively for Online Advertising channels for the insurance and financial services; and (3) used in a model to determine eligibility for credit or insurance. For purposes of this Agreement, Online Advertising means any form of promotion that uses the internet or world wide web to deliver marketing messages to attract consumers, including, without limitation, any on-line consumer target marketing efforts including, but not limited to, marketing via text, online display, multimedia advertisements and other online advertising formats.
ii. Special Obligations/Restrictions. TNC Data will not be used: (i) to determine the identity of an individual consumer from whom the TNC Data or any attributes were derived; (ii) in the healthcare industry for or Charity Care; or (ii) to advertise, sell, or exchange any products or services that involve: medical services, pharmaceuticals drugs. "Charity Care" are programs where based on a consumer's income he/she may be eligible for certain programs to help pay medical bills; (iii) to support any consumer target marketing efforts in the insurance underwriting or property/casualty insurance industries; (iv) within any Boolean list select (if/and/or).
1. Further, Client must maintain the TNC Data logically separate from other data or databases, and may not in any manner take any adverse action (as such term is defined in the FCRA) that is based in whole or in part on the TNC Data or anything derived therefrom.
iii. Disclosure Restrictions. Notwithstanding anything to the contrary in this subsection, Client is expressly prohibited from sharing or making available, directly or indirectly, the TNC Data, or any information derived solely therefrom, to Experian Information Solutions, Inc., Equifax, Inc., Reed Elsevier including LexisNexis, Merkle, Inc., Acxiom Corporation, BlueKai, Datalogix, The Nielsen Company, CBCInnovis, The Polk Company, Yahoo! Inc., Google Inc., AOL Inc., Facebook, Inc., and Amazon Inc., Neustar, and any affiliates and subsidiaries of any of the foregoing entities. Notwithstanding the foregoing, nothing in this section will restrict the permitted use of the TNC Data in Online Advertising.
iv. TNC Vendors. Epsilon utilizes third party vendors to obtain TNC Data (TNC Vendors). Client agrees and acknowledges that it is subject to claims by TNC Vendors regarding Client's use of the TNC Data and compliance with this SOW. TNC Vendors are third party beneficiaries to this SOW, with the right to enforce this SOW directly against Client.
v. Representations and Warranties. Client represents and warrants that: notwithstanding anything in these T&Cs to the contrary, it will destroy the TNC Data immediately upon expiration or termination of the respective Data Services Form.
vi. Security. Client will implement and manage an information security program, compliant with ISO27002:2005 international standards, as modified from time-to-time, in connection with the operation of its business and its performance under this SOW related to TNC Data. As part of such information security program, Client will implement, and will take appropriate industry-standard measures to maintain, commercially reasonable and appropriate administrative, technical, and physical security safeguards (Safeguards) designed to: (i) ensure the security and confidentiality of TNC Data; (ii) protect against reasonably anticipated threats or hazards to the security or integrity of TNC Data; and (iii) protect against unauthorized access to or use of such TNC Data that could result in substantial harm or inconvenience to any consumer. Client will immediately (but in no event later than two business days after the occurrence of any of the following) notify Epsilon by phone and in writing in the event (A) of any changes to Client's business, or in the event any other circumstances arise which Client knows, or has reason to know, will have a material adverse impact on such Safeguards, or (B) Client becomes aware that its Safeguards are otherwise insufficient to meet its obligations under this Section. Provided that Client is not expressly prohibited by legal proceeding or judicial order, Client will notify Epsilon by phone and in writing within 48 hours in the event Client becomes aware of any loss or unauthorized use or disclosure of TNC Data. As part of the implementation and ongoing support for Client's security policies, all designated and authorized Client personnel will be required by Client to participate in periodic training and awareness sessions (at least annually) to implement such security policies and support the importance of security for Client and Epsilon.
Client will keep appropriate records evidencing such training and awareness sessions, including the attendance thereof.
In addition, Client will reasonably cooperate with Epsilon in mitigating any damages due to any loss or unauthorized use or disclosure of any TNC Data. Such cooperation will not relieve Client of any liability it may have as a result of such loss or unauthorized use or disclosure. Client agrees that, to the extent any such loss or unauthorized use or disclosure is due solely to Client's negligence, intentional misconduct, or breach of this SOW, Client will be responsible for any consumer, public, and/or other notifications required by law, and all costs associated therewith, and if law requires Epsilon to so notify, Epsilon will conduct such notifications and Client will reimburse Epsilon for the reasonable and documented expenses of such notifications; provided, however, that except to the extent required to comply with applicable law, Client will make no public notification (excluding notification to law enforcement, courts, outside counsel, consultants, and its affiliates) that includes a reference to Epsilon or any TNC Vendor, including but not limited to press releases or consumer notifications, of the potential or actual occurrence of such loss or unauthorized use or disclosure without Epsilon's prior written consent, such consent not to be unreasonably withheld. Where consumer, public, and/or other notifications are required by applicable law, Client will provide Epsilon with written notice prior to issuing such notifications, and will in good faith consider Epsilon's suggestions with respect to the content of such notifications. All TNC Data transferred between Epsilon and Client will be encrypted or transferred using another secure method acceptable to Epsilon's Information Security group. Epsilon may require a change to, or the implementation of a different transmission method than, such secure method then being utilized by the Parties.
J. Target Neighborhood Credit Attributes. To the extent that Lists contains a database derived from credit attributes, where such credit attributes have been aggregated to a zip+4 level (Target Neighborhood Credit Attributes), the following terms shall apply.
i. Terms and Conditions. Target Neighborhood Credit Attributes, in whole or in part, and all derivatives, constitute Lists and are subject to all the terms and conditions applicable to Lists. Client's use of Target Neighborhood Credit Attributes will be limited to Client only. Client is not permitted to sublicense Target Neighborhood Credit Attributes to resellers, brokers, distributors, or otherwise for subsequent resale.
ii. Authorized Use. Notwithstanding anything to the contrary in this SOW, Target Neighborhood Credit Attributes may only be used for Modeling, which permits Client to use Target Neighborhood Credit Attributes to create models used to rank Client's file or prospect list, provided that Target Neighborhood Credit Attributes are used in combination with at least three other variables, a score is not a one-to-one correlation with Target Neighborhood Credit Attributes, and the model is used in compliance with the Agreement.
3. Contact Complete. To the extent the Services relate to Epsilon licensing Epsilon DII-Based Data to Client in order to complete Client contact lists (Contact Complete) as set forth in the Data Services Form, the following terms shall apply.
A. Summary of Services. Client will deliver to Epsilon a compilation of records, each consisting of the first and last name (if Client possesses such information), phone number, email address, and/or zip code of its current Customer base (the Customer Database). For purposes of Contact Complete, Customer means a consumer or business with an established relationship with Client, either online or offline, and specifically not a prospect. In addition to the representations and warranties set forth below, Client represents and warrants to the best of Client's knowledge, each record in the Customer Database is an actual Customer of Client and specifically not a prospect. Epsilon or its subcontractors will provide the available Contact Complete data in a manner further specified in the table below that matches to each corresponding record and will return the Customer Database to Client (the Contact Complete Services). Epsilon and its subcontractors will not use the Contact Complete Services for any other purpose other than as provided in this Agreement. Notwithstanding anything to the contrary in the Agreement, Epsilon hereby grants Client a non-exclusive, perpetual license to use the Contact Complete Services solely for Client's own marketing programs in accordance with the terms and conditions of the Agreement. Client will not transfer possession, right, or title of or to the Contact Complete Services to any third party for any purpose whatsoever. Without limiting the foregoing, Client may not broker or resell the Contact Complete Services, nor may Client use the Contact Complete Services to publish a directory in any form (including the internet). In addition to the representations and warranties, Client represents and warrants to Epsilon that to the best of Client's knowledge, each consumer data record contained in the Client Data is an actual customer of Client and specifically not a prospect.
As it relates to Contact Complete, Client also agrees to comply with Section II.2.E, above.
Contact Complete Service | Description |
Reverse Telephone Number Append | Client will provide a telephone number and Epsilon will provide name and address where available. |
Name/Address Append | Epsilon will append an address to a Client-provided list of names and zip codes, where available |
Address Hygiene | Epsilon will correct errors and missing information in contact address, where possible |
Reverse Email Append | Client will provide an email address and Epsilon will provide name and address information, where available |
Reverse MAID Append | Client will provide mobile advertising ID (MAID) and Epsilon will provide name and address information, where available. |
4. Abacus. To the extent the Services include Abacus Cooperative and related services (Abacus) as set forth in the Data Services Form, the following terms shall apply.
A. Epsilon Participation. Epsilon, upon request, will provide Abacus to the titles or brands for which Client contributes data under the Data Services Form. Epsilon may use subcontractors for performance of the Services. The summary of services directly below shall be referred to as Abacus Audience. A minimum order fee is required on all Abacus and Discover model orders.
Prospect Models | Look-a-like modeling to acquire net new customers (3rd-party data) who display attributes and behaviors similar to the client's offer. |
Third-Party List Optimization | A model run on external files to the Abacus Cooperative ranking names by RFM. |
Next Response | B2B site penetration modeling |
House File Modeling | Simulation modeling to reactivate existing customers or portions of a client's CRM (1st-party data) |
Reverse Email Append | Abacus Reverse Email Append (REA) Optimization is a privacy-compliant solution where members can append PII to 1st-party email-only records. The data is then ranked by the highest propensity to buy using Abacus transactional data. |
(a) Client will participate in the Abacus Cooperative program by providing complete customer and transaction files as specified by Epsilon and monthly updates or other frequency as mutually agreed upon by Epsilon and Client (collectively, the Abacus Client Data). Client will not contribute Abacus Client Data collected or processed outside of the United States.
(b) Notwithstanding anything within the Agreement to the contrary, Client grants to Epsilon a perpetual, non-exclusive, royalty-free license to use the Abacus Client Data for the purpose of creating marketing related products and services, and to use and to grant to third parties the right to use the Client Data as part of such marketing related products and services.
Client represents and warrants to Epsilon that, unless otherwise agreed to by the Parties, Client will only send one marketing communication to each household per Abacus Audience. Each household on an Abacus Audience shall only be used in the marketing channel(s) specified in an Order Confirmation.
EPSILON FULL-SERVICE DATA PROCESSING ADDENDUM
This Data Processing Addendum (DPA) applies to the Processing of Personal Data under the T&C and Data Services Forms, or any other agreement that incorporates this DPA (as applicable, the Agreement) by and between Epsilon Data Management, LLC, and your company. Unless otherwise defined in this DPA, all capitalized terms used in this DPA shall have the meanings ascribed to them in the Agreement. Epsilon and Client may be referred to herein each as a party or collectively as the parties. In exchange for the mutual consideration described in the Agreement, the parties agree as follows:
1. Definitions.
1.1. Applicable Data Protection Law means any and all laws or regulations of the United States or Canada relating to the protection of Personal Data to the extent such law or regulation is applicable to the party and to the Personal Data Processed by the party pursuant to the Agreement.
1.2. Client Data means Personal Data Processed in connection with the Services that is (a) made available or provided by Client (or a third party on Client's behalf) to Epsilon or (b) collected by Epsilon or a Sub-Processor solely on Client's behalf. Client shall not provide Epsilon any Sensitive Data.
1.3. Controller means a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.4. Data Subject is a natural person or household that can be identified, directly or indirectly.
1.5. Device Tracking Technologies means any technology, tool, or code (including cookies, pixels, SDKs, APIs, local shared objects, and scripts) that enables access to or storage of information on a device, including but not limited to, as embedded on Client's digital properties, servers, advertisements or creative materials.
1.6. Disclosing Controller means a Controller that discloses to or makes available (including collection digitally) of Personal Data to a Recipient.
1.7. Personal Data means any information relating to a Data Subject and includes personal data, personal information, personally identifiable information, and any substantially similar term as defined under Applicable Data Protection Law.
1.8. Personal Data Breach shall include personal data breach, data breach, breach of security safeguards, data security breach, or any substantially similar term as defined under Applicable Data Protection Law.
1.9. Processing means any operation or set of operations performed on Personal Data.
1.10. Processor means a party that Processes Personal Data solely on behalf of a Controller and in accordance with the Controller's instructions.
1.11. Recipient means a party that receives Personal Data from a Controller.
1.12. Regulator means a data protection regulator, law enforcement, or other government authority.
1.13. Sensitive Data shall have the meaning set forth in the Agreement.
1.14. "Services" means the services supplied by Epsilon to Client under the Agreement.
1.15. Sub-Processor means a Processor contracted by Epsilon, when Epsilon is a Processor of Client Data, to Process Client Data in relation to the Services provided directly by Epsilon.
2. Compliance with Applicable Data Protection Law. Each party understands and agrees that it will comply with Applicable Data Protection Law. In the event of a material change to Applicable Data Protection Law, such as any change that results in a different classification of a party in relation to the Services, data localization, or if a transfer mechanism is deemed invalid, the parties will negotiate a suitable resolution in good faith, which may constitute an additional scope of Service to be detailed in a statement of work or change order. If the parties fail to reach such a resolution or if either party reasonably deems a change in Applicable Data Protection Law to present a material risk to its business or operations, either party may suspend or terminate the impacted Services. If the change pertains only to a particular jurisdiction or specific Service, the party may terminate the Service only as to that jurisdiction and/or the impacted Service specifically. Any suspension or termination under this Section shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement.
3. DISCLOSURE OF PERSONAL DATA. Where a Disclosing Controller makes available Personal Data to a Recipient, the following provisions shall apply:
3.1. TOMS. The Recipient will provide the same level of privacy protection to the Personal Data as required of Disclosing Controller by Applicable Data Protection Law. The Recipient will implement technical and organizational measures appropriate to the nature of the Personal Data received from the Disclosing Controller that are designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Applicable Data Protection Law, which are at minimum such measures as identified in Schedule 1 Technical and Organizational Measures.
3.2. Permitted Purposes. The Recipient will process the Personal Data solely in accordance with the description of Processing, including the purposes identified within the specific description(s) of Processing based on the respective Services set forth in Schedule 2 Description of Processing, which may be updated by the parties in writing (email to suffice).
3.3. Additional Requirements under Applicable Data Protection Law. The parties shall adhere to the following terms if required under Applicable Data Protection Law:
(a) Attestation. Upon the request of Disclosing Controller, the Recipient will provide an attestation confirming Recipient's Processing of the Personal Data is consistent with Disclosing Controller's obligations under Applicable Data Protection Law.
(b) Notice of Inability to Comply. The Recipient will notify Disclosing Controller if Recipient determines it can no longer meet its obligations under Applicable Data Protection Law related to Recipient's Processing of the Personal Data, and the parties will negotiate a suitable resolution in good faith.
(c) Non-compliance. In the event that Recipient has failed to comply with these requirements, Disclosing Controller may require Recipient to stop Processing the Personal Data immediately until Recipient can confirm its compliance.
(d) Deidentified Data. To the extent Recipient receives deidentified data (as defined by Applicable Data Protection Law) from Disclosing Controller, Recipient will (i) take reasonable measures to ensure that such data cannot be associated with a Data Subject or household, (ii) will maintain and use the information in deidentified form, and (iii) not attempt to reidentify such data.
4. PROCESSOR REQUIREMENTS. Where Epsilon Processes Client Data as a Processor, the following provisions shall apply when required by Applicable Data Protection Law:
4.1. Client Instructions. Epsilon will Process Client Data in accordance with Client's written instructions in the Agreement.
4.2. Data Subject Requests. In the event a Data Subject makes a lawful request directly to Epsilon seeking to exercise any right available to it under Applicable Data Protection Law that references Client, Epsilon shall not respond to such communication directly without Client's prior authorization, unless required by applicable law. To the extent Client does not have direct access to Client Data through its use of the Services, and therefore does not have the ability to address such Data Subject request itself, Epsilon shall, upon Client's request, provide commercially reasonable cooperation to assist Client to respond, to the extent required under Applicable Data Protection Law.
4.3. Cooperation. Upon Client's request, Epsilon shall provide all such reasonable and timely assistance and information necessary to demonstrate that its Processing of Client Data complies with Applicable Data Protection Law.
4.4. Deletion of Personal Data. Upon termination or expiration of the Agreement and this DPA, Epsilon shall delete all Client Data in its possession or control. This requirement shall not apply to the extent Epsilon is required by applicable laws to retain some or all Client Data, and shall not apply to Client Data Epsilon has archived on back-up systems, which Client Data Epsilon shall securely isolate and protect from any further Processing.
4.5. Engagement of Sub-Processors. Client authorizes Epsilon to use Sub-Processors to assist in providing the Services. If required by Applicable Data Protection Law, Epsilon will: (i) provide an up-to-date list of the Sub-Processors it has appointed upon written request from Client; and (ii) notify Client (email to suffice) of any intended changes concerning the addition or replacement of Sub-Processors and give Client the opportunity to object to such changes within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. Epsilon will: (i) enter into a written agreement with each Sub-Processor imposing data protection terms that require the Sub-Processor to protect Client Data in accordance with Applicable Data Protection Law, to the extent applicable to the nature of the services provided by the Sub-Processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor consistent with this DPA.
4.6. Confidentiality. Epsilon's personnel and Sub-Processors shall be subject to confidentiality obligations related to Client Data that Epsilon and such Sub-Processors Process as a Processor.
4.7. Records and Audit. Client acknowledges that Epsilon is regularly audited against appropriate security standards. Upon request, Epsilon shall supply a summary copy of its available audit report(s) to Client, which reports shall be subject to the confidentiality provisions of the Agreement. Epsilon shall also respond to any written audit questions submitted to it by Client related directly to the Processing of Client Data by Epsilon, provided that Client shall not exercise this right more than once per year. Notwithstanding anything to the contrary in the Agreement and except as otherwise mutually agreed in a writing signed by the authorized representatives of the parties that specifically references this Section, any audit related to data protection shall be governed solely and exclusively by this Section.
4.8. Personal Data Breach. Epsilon shall, upon becoming aware of a Personal Data Breach affecting Client Data in the possession, and resulting from the acts or omissions, of Epsilon or any of its Sub-Processors, without undue delay and within the timeframes required by Applicable Data Protection Law, notify Client and provide reasonable information relating to the Personal Data Breach to the extent known to Epsilon. Notification to be made to the email address provided in the Data Services Form, unless otherwise provided by Client to Epsilon in accordance with the notice section of the T&Cs. Epsilon and Client will, in good faith, discuss mitigation or remediation efforts where possible and as required of Epsilon under Applicable Data Protection Law, in relation to any such Personal Data Breach arising solely from the acts or omissions of Epsilon or any of its Sub-Processors. Client agrees that it will also take reasonable steps designed to minimize any costs related to mitigation and remedy. Client shall be solely responsible for breach notification obligations to applicable Regulators and/or Data Subjects. Prior to sending any such notification, the parties will consult in good faith as to the content of such notification; without limiting the generality of the foregoing, Client agrees that it will not refer to Epsilon by name in any such notice except with Epsilon's prior written consent.
4.9. Additional Processing Prohibitions. As required under Applicable Data Protection Law, Epsilon will not: (i) sell or share (as defined by Applicable Data Protection Law) Client Data; (ii) retain, use, or disclose the Client Data (a) except as necessary to perform the business purpose or (b) outside the direct business relationship between Epsilon and Client; or (iii) combine Client Data with Personal Data that Epsilon receives from or on behalf of another person or persons, or collects from its own interaction with a Data Subject, provided that Epsilon may combine such information to perform any business purpose as defined under Applicable Data Protection Law. If Client instructs Epsilon to combine or match Client Data with Personal Data provided by a third party, Client represents and warrants that it maintains a data sharing agreement with such third party.
5. SURVIVAL. To the extent that Recipient continues to Process the Personal Data disclosed or made available by Disclosing Controller, the terms of this DPA shall survive termination or expiry of the Agreement, and Recipient may continue to Process the Personal Data for the period identified in the description of processing, provided that such Processing complies with the requirements of this DPA and Applicable Data Protection Laws.
6. Entire Agreement. Except as expressly set forth herein, the terms of the Agreement remain unmodified and in full force and effect. The parties agree that this DPA shall replace any existing data processing agreement the parties may have previously entered in connection with the Services, as such data processing agreement and terms relate to Personal Data within the scope of this DPA.
SCHEDULE 1 - TECHNICAL AND ORGANIZATIONAL MEASURES
Recipient must maintain an effective Information Security Program (in line with industry standards such as ISO 27001, NIST, etc.) and security measures requirements while handling Personal Data and confidential information of the Disclosing Controller including but not limited to the below requirements.
1 Security policies and procedures: Recipient shall maintain a management approved documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risk and manage them through adequate security controls or safeguards.
2 Confidentiality, integrity, and availability: Recipient shall maintain confidentiality, integrity, and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process, or transmit such data and deploying adequate technical and organization measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, and network/data segregation controls.
3 Vulnerability management: Wherever applicable, a party must ensure that any software component (such as code or API) provided to the other party is free from any security vulnerability or issues and ensure security of data processed using such component.
4 Asset management: Recipient shall maintain an IT asset management program to manage allocation and ownership of assets. Such program shall require, at a minimum, that (a) employees must return Recipient's assets upon termination of employment; (b) assets shall be disposed of securely when they are no longer required; and (c) retired assets shall be decommissioned in accordance with industry standards regarding secure wiping and physical destruction of software, hardware, and removable media.
5 Identity and access management: Any employee of Recipient having access to Personal Data shall be assigned a unique login ID that is managed by authorized persons or departments. Access to Personal Data is to be granted on a need-to-know basis and as appropriate to the sensitivity of the Personal Data.
6 Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
7 Security risk management program relating to third parties: The Recipient will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.
8 Encryption: To the extent the parties have agreed in writing that the Disclosing Controller can share sensitive data (as defined by Applicable Data Protection Laws) with the Recipient, Recipient will ensure that any such sensitive data is encrypted at rest and in transit.
Schedule 2
DESCRIPTION OF PROCESSING
Capitalized terms not defined in this SOW shall have the meaning given them in the Data Processing Addendum (DPA) by and between the Parties. In the event of a conflict, the order of precedence pertaining to this Description of Processing is (i) this Description of Processing; (ii) the DPA; (iii) the Agreement.
A. DISCLOSING CONTROLLER TO PROCESSOR
1.1. Parties
i. Disclosing Controller is Client
ii. Processor is Epsilon
1.2. Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
i. Client Customers
1.3. Purpose(s) of the Processing
The Client provided Personal Data may be processed for the following purposes:
i. Performing services on behalf of the Controller, including providing analytic services.
1.4. Instructions for Processing:
i. Client's instructions for the Processing of the Personal Data disclosed by Client are found in the Agreement.
1.5. Categories of Personal Data
The Client Data to be processed concern the following categories of Personal Data.
i. Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.
1.6. Duration of the Processing
The Personal Data will be Processed for as long as is necessary for the purposes for the term specified in the Data Services Form or as needed to comply with another legal obligation.
B. Disclosing Controller to Recipient Controller
1.1. Parties
i. Disclosing Controller is Epsilon
ii. Recipient Controller is Client
1.2. Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
i. Consumers
1.3. Purpose(s) of the Processing
The Data may be processed for the following purposes:
i. Advertising and Marketing including cross-context behavioral advertising (aka targeted advertising or interest based advertising).
ii. Analytics for Client's internal use only.
1.4. Categories of Personal Data
The Data to be processed concern the following categories of Personal Data and depends on the data set provided by Epsilon (e.g. (i) TX Spend includes offline commercial or transaction information; (ii) Total Source Plus includes only offline data, not online data; (iii) Shoppers Voice includes opt-in voluntary survey responses reflecting demographic data, attitudinal data, and health information; (iv) Abacus includes offline identifiers and transaction information).
i. Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.
ii. Commercial or transactions information: e.g., records of personal property, goods or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
iii. Demographical and statistical information: e.g., information regarding membership in protected classes or classification, such as information about a consumer's race, color, age, medical condition (where self-reported), ancestry, national origin, religion, ethnicity, marital status, or gender.
iv. Inferences: e.g., inferences drawn from any of the information identified in this section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
v. Professional or employment-related information: e.g., business name, job title, or job history.
vi. Education information: e.g., school records, degree.
1.5. Duration of the Processing
i. The Personal Data will be Processed for as long as is necessary for the purposes for which the personal data is processed, unless otherwise agreed in the Agreement.
C. Disclosing Controller to Recipient Controller For Abacus only
1.1. Parties
i. Disclosing Controller is Client
ii. Recipient Controller is Epsilon
1.2. Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
i. Client's customers - United States
1.3. Purpose(s) of the Processing
The Data may be processed for the following purposes:
i. Advertising and Marketing including cross-context behavioral advertising (aka targeted advertising or interest based advertising).
ii. Analytics for Client's internal use only.
1.4. Categories of Personal Data
The Data to be processed concern the following categories of Personal Data and depends on the data set provided by Epsilon (e.g. (i) TX Spend includes offline commercial or transaction information; (ii) Total Source Plus includes only offline data, not online data; (iii) Shoppers Voice includes opt-in voluntary survey responses reflecting demographic data, attitudinal data, and health information; (iv) Abacus includes offline identifiers and transaction information).
i. Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.
ii. Commercial or transactions information: e.g., records of personal property, goods or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
iii. Demographical and statistical information: e.g., information regarding membership in protected classes or classification, such as information about a consumer's race, color, age, medical condition (where self-reported), ancestry, national origin, religion, ethnicity, marital status, or gender.
iv. Inferences: e.g., inferences drawn from any of the information identified in this section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
v. Professional or employment-related information: e.g., business name, job title, or job history.
vi. Education information: e.g., school records, degree.
1.5. Duration of the Processing
i. The Personal Data will be Processed for as long as is necessary for the purposes for which the personal data is processed, unless otherwise agreed in the Agreement, or as needed to comply with another legal obligation.