Standard Provider Agreement

Standard Provider Terms and Conditions

The following Standard Provider Terms and Conditions (the “Master Agreement”), together with the GDPR Addendum attached as Annex A hereto, if applicable (the “GDPR Addendum,” and together with the Master Agreement, the “Agreement”) are made by and between Provider (the party indicated on the applicable Statement of Work incorporating these terms) and Illumio, Inc. ("Illumio" or “Client”), and shall govern any and all Statements of Work (as defined below) referring to this Agreement, and shall supersede any and all conflicting terms.

1. Services. The Client and the Provider shall execute one or more statements of work that describe the specific services to be performed by the Provider (each, a “Statement of Work”). Each Statement of Work shall expressly refer to this Agreement, form a part of this Agreement and be subject to the terms and conditions contained herein. A Statement of Work may be amended only by written agreement of each of the parties to this Agreement. The Provider will perform all services described in each Statement of Work (the “Services”) in accordance with the terms and conditions set forth in the applicable Statement of Work and this Agreement.

2. Delivery. In connection with the Services, the Provider will deliver to the Client the deliverables, designs, modules, software, products, documentation and other materials specified in each Statement of Work (the “Deliverables”), in accordance with the delivery schedule and other terms and conditions as set forth in such Statement of Work.

3. Acceptance. Following Provider’s delivery of any Deliverable, Client (with the assistance of Provider, if so requested) will review, evaluate and/or test each Deliverable in accordance with the procedures identified in the Statement of Work to confirm that the Deliverable satisfies, conform to and operates in accordance with all acceptance criteria, specifications or requirements for such Deliverable, as specified in the Statement of Work (collectively, the “Acceptance Criteria”), as applicable. Client will use its commercially reasonable efforts to review, evaluate and/or test the Deliverable within the time period set forth in the Statement of Work. If the Deliverable fails to satisfy, conform to or otherwise operate in accordance with all applicable Acceptance Criteria, then Client will as promptly as practicable furnish Provider the specific defects in the Deliverable and, if applicable, the modifications to the Deliverable required for the Deliverable to satisfy the applicable Acceptance Criteria. Upon receipt of such a defect report, Provider will use its best efforts promptly to modify the Deliverable and re-submit the Deliverable to Client to review, evaluate and/or test in accordance with the terms of this Section. The foregoing procedure will repeat until Client finally accepts or rejects the Deliverable. If Client finally rejects any Deliverable, then Client may terminate the applicable portion of the Statement of Work or, if specified in the Statement of Work, this Agreement, immediately upon written notice to Provider.

4. Payment. As Provider’s sole compensation for the performance of Services, Client will pay Provider the fees specified in the Statement of Work in accordance with the terms set forth therein. Without limiting the generality of the foregoing Provider acknowledges and agrees that, if specified in the Statement of Work, Client’s payment obligation will be expressly subject to Provider’s completion or achievement of certain milestones to Client’s reasonable satisfaction. All fees and other amounts set forth in the Statement of Work, if any, are stated in and are payable in U.S. dollars. Unless otherwise provided in the Statement of Work, Provider will invoice Client on a monthly basis for all fees and expenses payable to Provider. Client will pay the full amount of each such invoice within sixty (60) days following receipt thereof, except for any amounts that Client disputes in good faith. The parties will use their respective commercially reasonable efforts to promptly resolve any such payment disputes.

5. Relationship. Provider is an independent contractor and nothing in this Agreement will be construed as establishing an employment or agency relationship between Client and Provider or any Provider personnel. Provider has no authority to bind Client by contract or otherwise. Provider will perform Services under the general direction of Client, but Provider will determine, in Provider’s sole discretion, the manner and means by which Services are accomplished, subject to the requirement that Provider will at all times comply with applicable law. Provider will report to all applicable government agencies as income all compensation received by Provider pursuant to this Agreement. Provider will be solely responsible for the payment of all compensation to all Provider personnel, as well as for payment of all withholding taxes, social security, workers’ compensation, unemployment and disability insurance or similar items required by any government agency. Provider personnel will not be entitled to any benefits paid or made available by Client to its employees, including, without limitation, any vacation or illness payments, or to participate in any plans, arrangements or distributions made by Client pertaining to any bonus, stock option, profit sharing, insurance or similar benefits. Provider will indemnify and hold Client harmless from and against all damages, liabilities, losses, penalties, fines, expenses and costs (including reasonable fees and expenses of attorneys and other professionals) arising out of or relating to any obligation imposed by law on Client to pay any withholding taxes, social security, unemployment or disability insurance or similar items in connection with compensation received by Provider pursuant to this Agreement.

6. Liability Insurance. Provider acknowledges that Client will not carry any liability insurance on behalf of Provider. Provider will maintain in force adequate liability insurance to protect Provider from: (a) claims under workers’ compensation and state disability acts; and (b) claims of personal injury (or death) or tangible or intangible property damage (including loss of use) that arise out of any act or omission of Provider or any Provider personnel.

7. Intellectual Property. Provider will, as an integral part of the performance of Services, disclose in writing to Client all inventions, products, designs, drawings, notes, documents, information, documentation, improvements, works of authorship, processes, techniques, know-how, algorithms, specifications, specimens or samples, hardware, circuits, computer programs, databases, user interfaces, encoding techniques, and other materials of any kind that Provider may make, conceive, develop or reduce to practice, alone or jointly with others, in connection with performing Services, or that result from the Services, whether or not they are eligible for patent, copyright, mask work, trade secret, trademark or other legal protection (the “Provider Work Product”). Provider Work Product includes without limitation any Deliverables that Provider delivers to Client pursuant to this Agreement. Provider and Client agree that, to the fullest extent permitted by applicable law, each item of Provider Work Product will be a work made for hire owned exclusively by Client. Provider agrees that regardless of whether an item of Provider Work Product is a work made for hire, all Provider Work Product will be the sole and exclusive property of Client. Provider hereby irrevocably transfers and assigns to Client, and agrees to irrevocably transfer and assign to Client, all right, title and interest in and to the Provider Work Product, including all worldwide patent rights (including patent applications and disclosures), copyright rights, mask work rights and any and all other intellectual property or proprietary rights (collectively, “Intellectual Property Rights”) therein. At Client’s request and expense, during and after the term of this Agreement, Provider will assist and cooperate with Client in all respects and will cause all Provider personnel to assist and cooperate with Client in all respects, and will execute documents and will cause all Provider personnel to execute documents, and will take such further acts reasonably requested by Client to enable Client to acquire, transfer, maintain, perfect and enforce its Intellectual Property Rights and other legal protections for the Provider Work Product. To the extent that Provider owns or controls (presently or in the future) any patent rights, copyright rights, mask work rights, trade secret rights, or any other intellectual property or proprietary rights that may block or interfere with, or may otherwise be required for, the exercise by Client of the rights assigned to Client under this Agreement (collectively, “Related Rights”), Provider hereby grants or will cause to be granted to Client a non-exclusive, royalty- free, irrevocable, perpetual, transferable, worldwide license (with the right to sublicense) to make, have made, use, offer to sell, sell, import, copy, modify, create derivative works based upon, distribute, sublicense, display, perform and transmit any products, software, hardware, methods or materials of any kind that are covered by such Related Rights, to the extent necessary to enable Client to exercise all of the rights assigned to Client under this Agreement.

8. Confidential Information. For purposes of this Agreement, “Confidential Information” means and will include: (a) any information, materials or knowledge regarding Client and its business, financial condition, products, programming techniques, customers, suppliers, technology or research and development that is disclosed to Provider or to which Provider has access in connection with performing Services; (b) the Provider Work Product; and (c) the terms and conditions of this Agreement. Confidential Information will not include any information that: (i) is or becomes part of the public domain through no fault of Provider; (ii) was rightfully in Provider’s possession at the time of disclosure, without restriction as to use or disclosure; or (iii) Provider rightfully receives from a third party who has the right to disclose it and who provides it without restriction as to use or disclosure. Provider agrees to hold all Confidential Information in strict confidence, not to use it in any way, commercially or otherwise, except in performing Services, and not to disclose it to others. Provider further agrees to take all actions reasonably necessary to protect the confidentiality of all Confidential Information including, without limitation, implementing and enforcing procedures to minimize the possibility of unauthorized use or disclosure of Confidential Information.

9. Information Security. Provider represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Confidential Information does and will comply with all applicable federal, state and foreign privacy and data protection laws, as well as all other applicable regulations and directives. Provider shall implement and maintain a written information security program including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Without limiting Provider’s obligations under this Section, Provider shall implement administrative, physical, and technical safeguards to protect Confidential Information from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Confidential Information is created, collected, accessed, received, used, stored, processed, disposed of, and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement. At a minimum, Provider’s safeguards for the protection of Confidential Information shall include: (a) limiting access of Confidential Information to authorized employees; (b) securing business facilities, data centers, paper files, servers, backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (c) implementing network, application, database, and platform security; (d) securing information transmission, storage, and disposal; (e) implementing authentication and access controls within media, applications, operating systems, and equipment; (vi) encrypting Confidential Information at all times, both at rest or in transit; (f) strictly segregating Confidential Information from information of Provider or its other customers so that Confidential Information is not commingled with any other types of information; (g) conducting risk assessments, penetration testing, and vulnerability scans and promptly implementing, at Provider’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (h) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; and (i) providing appropriate privacy and information security training to Provider’s employees. During the term of each authorized employee’s employment by Provider, Provider shall at all times cause such authorized employees to abide strictly by Provider’s obligations under this Agreement and Illumio’s standard policies and procedures. Provider further agrees that it shall maintain a disciplinary process to address any unauthorized access, use, or disclosure of Confidential Information by any of Provider’s officers, partners, principals, employees, agents, or contractors. Upon Illumio’s written request, Provider shall promptly identify for Illumio in writing by category all authorized employees as of the date of such request. Upon Illumio’s written request, Provider shall provide Illumio with a network diagram that outlines Provider’s information technology network infrastructure and all equipment used in relation to fulfilling its obligations under this Agreement, including, without limitation: (i) connectivity to Illumio and all third parties who may access Provider’s network to the extent the network contains Confidential Information; (ii) all network connections, including remote access services and wireless connectivity; (iii) all access control measures (for example, firewalls, packet filters, intrusion detection and prevention services, and access-list-controlled routers); (iv) all backup or redundant servers; and (v) permitted access through each network connection. Upon Illumio’s written request, to confirm compliance with this Agreement, as well as any applicable laws and industry standards, Provider shall promptly and accurately complete a written information security questionnaire provided by Illumio, or a third party on Illumio’s behalf, regarding Provider’s business practices and information technology environment in relation to all Confidential Information being handled and/or services being provided by Provider to Illumio pursuant to this Agreement. Provider shall fully cooperate with such inquiries. Provider shall: (A) provide Illumio with the name and contact information for an employee of Provider who shall serve as Illumio’s primary security contact and shall be available to assist Illumio twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach; (B) notify Illumio of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after Provider becomes aware of it; and (C) notify Illumio of any Security Breaches by emailing Illumio at [email protected], with a copy by email to Provider’s primary business contact within Illumio. Immediately following Provider’s notification to Illumio of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. Provider agrees to fully cooperate with Illumio in Illumio’s handling of the matter, including, without limitation: (1) assisting with any investigation; (2) providing Illumio with physical access to the facilities and operations affected; (3) facilitating interviews with Provider’s employees and others involved in the matter; and (4) making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law, regulation, industry standards, or as otherwise required by Illumio. Provider shall at its own expense immediately contain and remedy any Security Breach (as defined below) and prevent any further Security Breach, including, but not limited to taking any and all action necessary to comply with applicable privacy rights, laws, regulations, and standards. Provider shall reimburse Illumio for all actual costs incurred by Illumio in responding to, and mitigating damages caused by, any Security Breach, including all costs of notice and/or remediation pursuant to this Section. Provider agrees that it shall not inform any third party of any Security Breach without first obtaining Illumio’s prior written consent, other than to inform a complainant that the matter has been forwarded to Illumio’s legal counsel. Further, Provider agrees that Illumio shall have the sole right to determine: (x) whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or otherwise in Illumio’s discretion; and (y) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation. Service provider agrees to maintain and preserve all documents, records, and other data related to any Security Breach. Provider agrees to fully cooperate at its own expense with Illumio in any litigation, investigation, or other action deemed necessary by Illumio to protect its rights relating to the use, disclosure, protection, and maintenance of Confidential Information.

10. Warranties. Provider represents and warrants that Provider has no pre- existing obligations or commitments (and will not assume or otherwise undertake any obligations or commitments) that would be in conflict or inconsistent with or that would hinder Provider’s performance of its obligations under this Agreement. Provider represents and warrants that Services will be performed in a thorough and professional manner, consistent with high professional and industry standards by individuals with the requisite training, background, experience, technical knowledge and skills to perform Services. Provider represents and warrants that the Provider Work Product will not infringe, misappropriate or violate the rights of any third party, including, without limitation, any Intellectual Property Rights or any rights of privacy or rights of publicity, except to the extent any portion of the Provider Work Product is created, developed or supplied by Client or by a third party on behalf of Client. During the term of this Agreement, Provider will not, directly or indirectly, in any individual or representative capacity, engage or participate in or provide services to any business that is competitive with the types and kinds of business being conducted by Client. Provider represents and warrants that all Provider personnel who perform Services are and will be bound by written agreements with Provider under which: (a) Provider owns or is assigned exclusive ownership of all Provider Work Product; and (b) Provider personnel agree to limitations on the use and disclosure of Confidential Information no less restrictive than those provided in Section 8 hereof.

11. Indemnity. Provider will defend, indemnify and hold Client harmless from and against all claims, damages, liabilities, losses, expenses and costs (including reasonable fees and expenses of attorneys and other professionals) arising out of or resulting from: (a) any action by a third party against Client that is based on a claim that any Services performed under this Agreement, or the results of such Services (including any Provider Work Product), or Client’s use thereof, infringe, misappropriate or violate such third party’s Intellectual Property Rights; and (b) any action by a third party against Client that is based on any act or omission of Provider or any Provider personnel and that results in: (i) personal injury (or death) or tangible or intangible property damage (including loss of use); or (ii) the violation of any statute, regulation or ordinance.

12. Term; Termination. This Agreement will commence on the Effective Date (as defined in the applicable Statement of Work) and, unless terminated earlier in accordance with the terms of this Agreement, will remain in force and effect for as long as Provider is performing Services pursuant to the Statement of Work. Either party may terminate this Agreement (including the Statement of Work) if the other party breaches any material term of this Agreement and fails to cure such breach within thirty (30) days following written notice thereof from the non- breaching party. Client may terminate this Agreement (including the Statement of Work) at any time, for any reason or no reason, upon at least ten (10) days written notice to Provider. Upon the expiration or termination of this Agreement for any reason: (a) Provider will promptly deliver to Client all Provider Work Product, including all work in progress on any Provider Work Product not previously delivered to Client, if any; (b) Provider will promptly deliver to Client all Confidential Information in Provider’s possession or control; and (c) Client will pay Provider any accrued but unpaid fees due and payable to Provider pursuant to Section 4 hereof. The rights and obligations of the parties under Sections 6, 7, 8, 9, 10 and 12 will survive the expiration or termination of this Agreement.

12. Miscellaneous. Provider may not assign or transfer this Agreement, in whole or in part, without Client’s express prior written consent. Any attempt to assign this Agreement, without such consent, will be void. Subject to the foregoing, this Agreement will bind and benefit the parties and their respective successors and assigns. Except as expressly set forth in this Agreement, the exercise by Client of any of its remedies under this Agreement will not be deemed an election of remedies and will be without prejudice to its other remedies under this Agreement or available at law or in equity or otherwise. Because the Services are personal and unique and because Provider will have access to Confidential Information of Client, Client will have the right to enforce this Agreement and any of its provisions by injunction, specific performance or other equitable relief, without having to post a bond or other consideration, in addition to all other remedies that Client may have for a breach of this Agreement at law or otherwise. If any action is necessary to enforce the terms of this Agreement, the substantially prevailing party will be entitled to reasonable attorneys’ fees, costs and expenses in addition to any other relief to which such prevailing party may be entitled. This Agreement will be governed by and construed in accordance with the laws of the State of California, excluding its body of law controlling conflict of laws. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties irrevocably consent to the personal jurisdiction and venue therein. If any provision of this Agreement is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions of this Agreement will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law. The failure by either party to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. All notices required or permitted under this Agreement will be in writing, will reference this Agreement, and will be deemed given: (a) when delivered personally; (b) one (1) business day after deposit with a nationally-recognized express courier, with written confirmation of receipt; or (c) three (3) business days after having been sent by registered or certified mail, return receipt requested, postage prepaid. All such notices will be sent to the addresses set forth above or to such other address as may be specified by either party to the other party in accordance with this Section. This Agreement constitutes the complete and exclusive understanding and agreement of the parties with respect to its subject matter and supersedes all prior understandings and agreements, whether written or oral, with respect to its subject matter. In the event of a conflict, the terms and conditions of this Agreement will take precedence over the terms and conditions of any Statement of Work. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by each of the parties hereto.

ANNEX A

GDPR ADDENDUM

This GDPR Addendum is made as of the Effective Date (as defined in the applicable Statement of Work) by and between the Client and the Provider executing the Statement of Work if and to the extent that the Provider processes any Personal Data (as defined below) provided by or collected for the Client in connection with the Services under the Master Agreement and any Statement of Work. This GDPR Addendum sets out the additional terms, requirements and conditions on which the Provider will obtain, handle, process, disclose, transfer, or store any Personal Data when providing Services under the Master Agreement and any Statement of Work.

1. Definitions. The following definitions apply in this GDPR Addendum:

"Business Purpose" means the Services under the Master Agreement and any Statement of Work.

"Data Subject" means an individual who is the subject of Personal Data.

"Personal Data" means any information the Provider processes for the Client that (i) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider's possession or control or that the Provider is likely to have access to, or (ii) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

"Process" means any activity that involves the use of Personal Data or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of “process.” It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it; and also includes transferring Personal Data to third parties.

"Privacy and Data Protection Requirements" means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

"Security Breach" means any act or omission that compromises the security, confidentiality, or integrity of Personal Data or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Data is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

"Standard Contractual Clauses” means the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.

2. Interpretation. GDPR Addendum is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this GDPR Addendum. In the case of conflict or ambiguity between: (a) any of the provisions of this GDPR Addendum and the provisions of the Master Agreement, the provisions of this GDPR Addendum will prevail; and (b) any of the provisions of this GDPR Addendum and any Standard Contractual Clauses, the provisions of the Standard Contractual Clauses will prevail.

3. Obligations. The Client retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider. The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client's written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this GDPR Addendum or the Privacy and Data Protection Requirements. The Provider must promptly notify the Client if, in its opinion, the Client's instruction would not comply with the Privacy and Data Protection Requirements. The Provider must promptly comply with any Client request or instruction requiring the Provider to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized processing. The Provider will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Client or this GDPR Addendum specifically authorizes the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Data, the Provider must first inform the Client of the legal requirement and give the Client an opportunity to object or challenge the requirement, unless the law prohibits such notice. The Provider will reasonably assist the Client with meeting the Client's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider's processing and the information available to the Provider. The Provider must promptly notify the Client of any changes to Privacy and Data Protection Requirements that may adversely affect the Provider's performance of the Master Agreement. The Provider will only collect Personal Data for the Client using a notice or method that the Client specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Client's identity, the purpose or purposes for which their Personal Data will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements. The Provider will not modify or alter the notice in any way without the Client's prior written consent.

4. Employees. The Provider will limit Personal Data access to: (a) those employees who require Personal Data access to meet the Provider's obligations under this GDPR Addendum and the Master Agreement; and (b) the part or parts of the Personal Data that those employees strictly require for the performance of their duties. The Provider will ensure that all employees: (i) are informed of the Personal Data's confidential nature and use restrictions; (ii) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Data and how it applies to their particular duties; and (iii) are aware both of the Provider's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this GDPR Addendum. The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks consistent with applicable law on, all of the Provider's employees with access to the Personal Data.

5. Technical Measures. The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage. The Provider must document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete. The Provider will immediately notify the Client if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures. The Provider must take reasonable precautions to preserve the integrity of any Personal Data it processes and to prevent any corruption or loss of the Personal Data, including but not limited to establishing effective back-up and data restoration procedures.

6. Security Breach. The Provider will promptly notify the Client if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Data at its own expense. The Provider will immediately notify the other party if it becomes aware of: (a) any unauthorized or unlawful processing of the Personal Data; or (b) any Security Breach. Immediately following any unauthorized or unlawful Personal Data processing or Security Breach, the parties will coordinate with each other to investigate the matter. The Provider will reasonably cooperate with the Client in the Client's handling of the matter, including: (i) assisting with any investigation; (ii) providing the Client with physical access to any facilities and operations affected; (iii) facilitating interviews with the Provider's employees, former employees and others involved in the matter; and (iv) making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Client. The Provider will not inform any third party of any Security Breach without first obtaining the Client's prior written consent, except when law or regulation requires it. The Provider agrees that the Client has the sole right to determine: (A) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Client's discretion, including the contents and delivery method of the notice; and (B) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy. The Provider will cover all reasonable expenses associated with the performance of the obligations under this GDPR Addendum, unless the matter arose from the Client's specific instructions, negligence, willful default, or breach of this GDPR Addendum, in which case the Client will cover reasonable expenses. The Provider will also reimburse the Client for actual reasonable expenses the Client incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in this Section.

7. Transfer. The Provider may receive, access, transfer, or store Personal Data. The Provider must not receive, access, transfer, or store Personal Data unless the transfer complies with the Privacy and Data Protection Requirements.

8. Subcontractors. The Provider may not authorize any third party or subcontractor to process the Personal Data.

9. Third Party Rights. The Provider must notify the Client immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Data processing or to either party's compliance with the Privacy and Data Protection Requirements. The Provider must notify the Client within three (3) business days if it receives a request from a Data Subject for access to their Personal Data. The Provider will give the Client its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request. The Provider must not disclose the Personal Data to any Data Subject or to a third party unless the disclosure is either at the Client's request or instruction, permitted by this GDPR Addendum or otherwise required by law.

10. Term; Termination. This GDPR Addendum will remain in full force and effect so long as: (a) the Master Agreement remains in effect; or (b) the Provider retains any Personal Data related to the Master Agreement in its possession or control. Any provision of this GDPR Addendum that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Data will remain in full force and effect. The Provider's failure to comply with the terms of this GDPR Addendum is a material breach of the Master Agreement. In such event, the Client may terminate the Master Agreement effective immediately upon written notice to the Provider without further liability or obligation. If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Privacy and Data Protection Requirement, they may terminate the Master Agreement upon written notice to the other party.

11. Return; Destruction. At the Client's request, the Provider will give the Client a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Client. On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Client, return and not retain, all or any Personal Data related to the Agreement in its possession or control. The Provider will certify in writing that it has destroyed the Personal Data within two (2) days after it completes the destruction.

12. Records. The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Data it carries out for the Client, including but not limited to, the access, control, and security of the Personal Data, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the "Records"). The Provider will ensure that the Records are sufficient to enable the Client to verify the Provider's compliance with its obligations under this GDPR Addendum. At least once per year, the Provider will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this GDPR Addendum, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices. Upon the Client's written request, the Provider will make all of the relevant audit reports available to the Client for review, including, as applicable, the Provider's latest Statement of Controls audit report and reports relating to its ISO/IEC 27001 certification.

13. Indemnification. The Provider agrees to indemnify, keep indemnified, and defend at its own expense the Client against all costs, claims, damages, or expenses incurred by the Client or for which the Client may become liable due to any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this GDPR Addendum or applicable Privacy and Data Protection Requirements.