Data Processing Addendum

This GDPR Data Processing Addendum forms part of the Subscription Agreement or any other written or electronic agreement between Jabmo and the Customer for the purchase of ABM Platform and ABM Services from Jabmo to reflect the parties’ agreement with regard to the Processing of Personal Data.

By signing the Agreement, Customer enters this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorised Affiliates, if and to the extent Jabmo processes Personal Data for which such Authorised Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorised Affiliates. All capitalised terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Services to Customer pursuant to the Agreement, Jabmo may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

BACKGROUND

A. Jabmo and the Customer have entered, or propose to enter, into an End User License Agreement (“EULA”) under which Jabmo will make available its Account-based Marketing Platform (“ABM Platform”) and other Account-based Marketing services to the Customer (“ABM Services”), which will include:

a. account-based advertising;
b. account-based re-targeting; and
c. account-based analytics.

B. Jabmo considers that, in performing the ABM Services under the EULA, it may be processing
some personal data on behalf of the Customer.

C. In addition, Jabmo may integrate its ABM Platform with the Customer’s marketing automation
platform or CRM solution, which will necessitate the processing of email addresses, user
behaviour and other personal data as processor of the Customer (“Integrated ABM
Service”).

D. Jabmo is aware that its customers wish to ensure that they are in full compliance with Data
Privacy Laws (as defined below) and, therefore, Jabmo is willing to commit to comply with
Data Privacy Laws in respect of both the ABM Services and the Integrated ABM Service.

E. The parties are therefore entering this Addendum to set out their respective rights and
obligations in respect of the processing of personal data as part of the ABM Services and the
Integrated ABM Service.

IT IS AGREED AS FOLLOWS:

1. INTERPRETATION

1.1. In this Addendum:“ABM Platform” has the meaning set out in paragraph A of the Background;

“ABM Services” has the meaning set out in paragraph A of the Background;

“Customer” means the customer of Jabmo that has signed this Addendum;

“Data Privacy Laws” means the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003/2426, any amendment, consolidation, re-enactment or replacement thereof, and any other legislation of equivalent purpose or effect enacted in the United Kingdom, or, where relevant, the European Union;

“EULA” has the meaning set out in paragraph A of the Background;

“GDPR” means the General Data Protection Regulation (EU) 2016/679 as applied, supplemented, modified and/or replaced by the laws of England (or, where applicable, those of a relevant EU member state) from time to time;

“Integrated ABM Service” has the meaning set out in paragraph C of the Background;

“Jabmo” means Jabmo, SAS, a private limited company incorporated in France whose address is 18 rue de Londres, 75009 Paris, France;

“Personal Data” has the meaning given to it by the GDPR, but will only include personal data to the extent that such personal data, or any part of such personal data, is processed in relation to the performance of the Services;

“Services” means, together, the ABM Services and the Integrated ABM Service that are provided by Jabmo to the Customer under the EULA; and otherwise, words and phrases with defined meanings in the GDPR have the same meanings when used in this Addendum.

1.2. In the event of any inconsistency between the EULA and this Addendum, this Addendum will take precedence.

2 Details of personal data to be processed

The parties agree (for informational purposes only, and without creating additional obligations on either party or limiting the rights and obligations of either party otherwise existing), the following particulars of the Personal Data to be processed:

2.1 for ABM Services:

2.1.1 the subject matter of the processing is:

2.1.1.1 to the extent the corporate IP ranges processed as part of the ABM Services constitute Personal Data, such corporate IP
ranges; and

2.1.1.2 the Personal Data collected from data subjects by means of the cookies placed as part of the ABM Services;

2.1.2 the duration of the processing is the duration of the EULA;

2.1.3 the nature and purpose of the processing is to advertise the Customer to individuals who work at the target of the Integrated ABM Service in the context of their employment by that target;

2.1.4 the types of personal data are: corporate IP ranges (to the extent they constitute Personal Data) and information collected by means of cookies; and

2.1.5 the categories of data subject are individuals who work at the target of the Integrated ABM Service; and

2.2 for Integrated ABM Service,

2.2.1 the subject matter of the processing is the Personal Data collected from third party systems by way of the Integrated ABM Service;

2.2.2 the duration of the processing is the duration of the EULA;

2.2.3 the nature and purpose of the processing is the synchronisation of the data collected as part of the ABM Services with the Personal Data collected from third party systems by way of the Integrated ABM Service;

2.2.4 the types of personal data are: email addresses and user behaviour information; and

2.2.5 the categories of data subject are individuals who work at the target of the Integrated ABM Service whose details are held on the Customer’s marketing automation platform and/ or CRM system.


3 Mutual Obligations

Each party will comply with the Data Privacy Laws applicable to it in connection with this Addendum, and will not cause the other party to breach any of its obligations under Data Privacy Laws.

4 Customer obligations

4.1 The Customer:

4.1.1 will provide to Jabmo on demand all such information as Jabmo may reasonably request in connection with the performance of its obligations under this Addendum, including but not limited to the information which Jabmo needs in order to comply with article 30(2) GDPR (if not already within Jabmo’s knowledge); and

4.1.2 represents and warrants that all such information will be correct, complete and not misleading, and that it has disclosed to Jabmo all information relating to the Personal Data which is relevant to Jabmo’s performance of its obligations under this Addendum or the Data Privacy Laws in respect of the Personal Data.

4.2 Without prejudice to the generality of clause 3 (Mutual Obligations), the Customer will ensure that in respect of the Personal Data to be processed by Jabmo under this Addendum:

4.2.1 it has established and recorded a valid legal basis for that processing pursuant to article 6 GDPR and, in particular (but without limitation) to drop the cookies required for account-based retargeting and account-based
analytics on its websites;

4.2.2 it has established and recorded a valid exemption for the processing of any special categories of Personal Data pursuant to article 9 GDPR;

4.2.3 it has complied with and/or will prior to the commencement of processing comply with the information provision requirements of articles 13 and 14 GDPR, and is able to demonstrate that compliance;

4.2.4 it has complied with and/or will comply with article 22 GDPR in respect of any automated individual decision making in respect of the data subject, including profiling, which it may undertake in connection with the Personal Data;

4.2.5 it secures those systems and services related to the Personal Data that are within the Customer’s control;

4.2.6 it has conducted and recorded any required privacy impact assessment, or has satisfied itself that no privacy impact assessment is required;

4.2.7 it has made any required notifications to, and obtained any required permissions from, each relevant supervisory authority; and

4.2.8 it has in place appropriate processes and procedures to enable it to comply with requests from data subjects to exercise their rights under GDPR, in particular their rights of objection, access and erasure.

4.3 Jabmo acknowledges, and will comply with, its obligations under article 28(3) GDPR to inform the Customer if, in its opinion, an instruction given by the Customer infringes Data Privacy Laws. However, the Customer acknowledges and agrees that Jabmo is not a law firm and does not give legal advice, and therefore Jabmo will have no liability whatsoever to the Customer arising out of or in connection with the content or effect of any such opinion, or whether or when any such opinion is given or not given,
or otherwise arising out of or in connection with any such opinion in any way. Without prejudice to its other rights under this Addendum, Jabmo reserves the right to decline to act (or to decline to continue to act) on an instruction of the Customer which it
considers to be unlawful, but its failure to do so, or to do so by a particular time, will not be construed as a waiver of any of the Customer’s obligations under this clause 4.

5 Jabmo Obligations

5.1 Where Jabmo processes Personal Data (as processor) on behalf of the Customer (as controller) in connection with the Services, Jabmo will:

5.1.1 process that Personal Data only in accordance with the written instructions contained in the EULA or (at the Customer’s cost) such different or additional instructions received in writing from the Customer from time to time. If compliance with such additional instructions prevents or hinders the performance of Jabmo’s obligations under this Addendum or the EULA, Jabmo will be excused from the performance of the affected obligations, without liability;

5.1.2 ensure that all of its personnel with access to that Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

5.1.3 take the technical and organisational security measures so as to ensure a level of security in respect of the Personal Data processed by it that is appropriate to the risks that are presented by the processing in particular
from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed and the nature of the Personal Data;

5.1.4 be entitled to appoint a sub-processor to process the Personal Data on its behalf provided always that:

5.1.4.1 it binds any such sub-processor by a written agreement complying with the requirements of article 28 GDPR as it applies to that sub-processor’s processing activities;

5.1.4.2 Jabmo remains liable to the Customer for the acts and omissions of any sub-processor, as if they were the acts or omissions of Jabmo itself;

5.1.4.3 it will first inform the Customer of the identity of the proposed sub-processor and provide the Customer with a reasonable opportunity to object to that sub-processor’s engagement. If the Customer does so object it will inform Jabmo within 14 days of being so informed, giving reasons for the objection, and if Jabmo cannot within 30 days of that objection address the reasons for it to the Customer’s reasonable satisfaction then Jabmo may choose not to appoint that sub-processor, or it may choose to appoint that sub-processor regardless, in which case the Customer will be entitled to terminate the EULA by notice to
Jabmo; and

5.1.4.4 for the purposes of clause 5.1.4.3 , it is acknowledged and agreed that Jabmo already uses the following sub-processors and the Customer has agreed to their appointment: AppNexus, Microsoft Azure, and Jabmo Inc (being Jabmo’s US affiliate);

5.1.5 taking into account the nature of the processing and insofar as is possible, assist the Customer (at the Customer’s cost) with the fulfilment of the Customer’s obligation to respond to requests by data subjects to exercise their rights under the Data Privacy Laws over that Personal Data, by providing relevant information requested by the Customer and copies of relevant Personal Data requested by the Customer within a reasonable time and in a commonly used electronic format, in each case unless that information or relevant Personal Data is already accessible to the Customer without Jabmo’s intervention;

5.1.6 taking into account the nature of the processing and the information available to Jabmo, assist the Customer (at the Customer’s cost) in carrying out privacy impact assessments pursuant to article 35 GDPR and prior consultations pursuant to article 36 GDPR in respect of that Personal Data, by providing such relevant information about the processing carried out by
Jabmo as the Customer may reasonably request;

5.1.7 inform the Customer of any personal data breach which occurs in respect of the Personal Data under Jabmo’s control without undue delay after becoming aware of it, providing sufficient details to enable the Customer to comply with
its own notification obligations (and Jabmo may provide such details in stages as they become available to it, provided that it is reasonable to do so);

5.1.8 after the termination of the Services, delete or return to the Customer (at the Customer’s option and cost) all copies of the Personal Data in its possession or control, and procure that any relevant Sub-Processor does the same, unless the applicable laws of the United Kingdom or European Union require Jabmo or that Sub-Processor to retain a copy of it;

5.1.9 make available to the Customer on demand all information reasonably necessary to demonstrate compliance with this Addendum, to the extent that it is not already available to the Customer; and

5.1.10 allow the Customer, or its external auditor (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit Jabmo’s data processing activities insofar as they relate to the Personal Data, to enable the Customer to verify that Jabmo is in compliance with this Addendum provided that:

5.1.10.1 the Customer may exercise that inspection and audit right no more frequently than once per calendar year, unless required by a supervisory authority;

5.1.10.2 the Customer will meet Jabmo’s reasonable costs incurred as a result of any such inspection or audit, unless that inspection or audit shows Jabmo to be in breach of this Addendum;

5.1.10.3 the Customer (or its auditor, as the case may be) will not thereby be entitled to access to personal data or confidential information of any other Jabmo customer, nor to direct access to any computer or storage system unless explicitly required by a
supervisory authority;

5.1.10.4 the Customer (or its auditor, as the case may be) complies with Jabmo’s reasonable policies while onsite, including its safety and security policies; and

5.1.10.5 any information coming into the Customer’s possession (or that of its auditor, as the case may be) as a result of such inspection or audit will be and remain the confidential information of Jabmo, and the Customer will (and will procure that its auditor will, as the case may be) treat it accordingly.

5.2 Jabmo and the Customer acknowledge their mutual obligations under Chapter V GDPR in relation to international transfers of Personal Data. The Customer permits Jabmo to transfer Personal Data outside of the European Economic Area to Jabmo’s
sub-processors (which are appointed under clause 5.1.4 ), in which case Jabmo and the Customer agree to enter into such arrangement as may reasonably be required by Jabmo to provide adequate safeguards in respect of that transfer, such as the
entry into a standard-form contract governing such transfer which has been approved by the EU Commission.

6 Term and Termination

6.1 This Addendum will have effect from the date they are accepted until the EULA is terminated or expires, whereupon they will terminate automatically.

6.2 A material breach of this Addendum will constitute a material breach of the EULA for the purposes of the termination rights set out in the EULA.

7 General

7.1 Except as expressly provided in this Addendum, any failure to exercise or delay in exercising (whether fully or at all) a right or remedy provided by this Addendum or by law does not constitute a waiver of the right or remedy or a waiver of any other rights
or remedies.

7.2 A person who is not a party to this Addendum has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Addendum.

7.3 This Addendum and all non-contractual obligations arising out of or in connection with them are governed by English law and subject to the exclusive jurisdiction of the English courts.