Preamble
This Data Processing Addendum, including its Exhibits (this "DPA"), supplements and forms part of the Master Subscription Agreement, Terms of Service, or other written or electronic agreement governing Customer's use of the Services (the "Agreement") between Fleet Service 365, LLC., a Texas limited liability company ("FS365," "we," "us," or "Processor"), and the customer identified in the Agreement ("Customer," "you," or "Controller"). FS365 and Customer are each a "Party" and together the "Parties."
This DPA reflects the Parties' agreement with respect to the Processing of Personal Data by FS365 on behalf of Customer in connection with the Services. To the extent of any conflict between the Agreement and this DPA, this DPA controls solely with respect to the subject matter herein. To the extent of any conflict between this DPA and the Standard Contractual Clauses incorporated by reference in Exhibit C, the Standard Contractual Clauses control.
By entering into the Agreement, Customer is deemed to have executed this DPA. A signature is not required for this DPA to be binding, but Customer may request a counter-signed copy by contacting privacy@fleetservice365.com.
Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or in Applicable Data Protection Law.
1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, without limitation:
- the European Union General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR");
- the United Kingdom General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 ("UK GDPR");
- the Swiss Federal Act on Data Protection (revFADP);
- the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA");
- the Virginia Consumer Data Protection Act ("VCDPA"), Colorado Privacy Act ("CPA"), Connecticut Data Privacy Act ("CTDPA"), Utah Consumer Privacy Act ("UCPA"), Texas Data Privacy and Security Act ("TDPSA"), Oregon Consumer Privacy Act, Montana Consumer Data Privacy Act, Iowa Consumer Data Protection Act, Tennessee Information Protection Act, Indiana Consumer Data Protection Act, Delaware Personal Data Privacy Act, New Hampshire Privacy Act, New Jersey Data Privacy Act, Minnesota Consumer Data Privacy Act, Maryland Online Data Privacy Act, Nebraska Data Privacy Act, Kentucky Consumer Data Protection Act, Rhode Island Data Transparency and Privacy Protection Act, and similar US state privacy laws now in force or hereafter enacted (collectively, the "US State Privacy Laws"); and
- any successor, replacement, or related laws or regulations.
1.2 "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," "Supervisory Authority," "Special Categories of Personal Data," and "Sub-processor" have the meanings given in the GDPR (or the equivalent terms under other Applicable Data Protection Law, including "Business," "Service Provider," "Consumer," and "Sell"/"Share" under CCPA/CPRA).
1.3 "Customer Personal Data" means Personal Data Processed by FS365 on behalf of Customer in the course of providing the Services, as further described in Section 3 and Exhibit C, Annex I.B.
1.4 "Restricted Transfer" means: (a) a transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country not subject to an adequacy decision by the European Commission, the UK Government, or the Swiss Federal Data Protection and Information Commissioner; or (b) any onward transfer of such Personal Data.
1.5 "Services" means the FS365 SaaS platform, telematics hardware, mobile applications, APIs, and related services provided by FS365 to Customer under the Agreement.
1.6 "Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time. References to specific Modules refer to the modules contained therein.
1.7 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office under section 119A(1) of the Data Protection Act 2018, version B1.0, in force from 21 March 2022, as amended or replaced from time to time.
Scope, Roles, and Term
2.1 Scope. This DPA applies to FS365's Processing of Customer Personal Data on behalf of Customer in connection with the Services.
2.2 Roles of the Parties. The Parties acknowledge and agree that, with respect to the Processing of Customer Personal Data:
- Customer is the Controller (or, under CCPA/CPRA, the Business);
- FS365 is the Processor (or, under CCPA/CPRA, the Service Provider) acting on behalf of Customer; and
- where Customer itself acts as a processor on behalf of a third-party controller, Customer appoints FS365 as a Sub-processor, and Customer warrants that it has the authority to do so and to enter into this DPA on behalf of that controller.
2.3 FS365 as Controller. Separately, FS365 acts as an independent Controller of certain Personal Data, including: (a) account, billing, and contact information for Customer's authorized users; (b) Personal Data collected through FS365's marketing websites; and (c) Service usage data Processed by FS365 for security, fraud prevention, product improvement, aggregate analytics, and compliance with legal obligations. FS365's Processing of such data is governed by FS365's Privacy Policy and not by this DPA.
2.4 Term. This DPA takes effect on the Effective Date and remains in effect for the duration of the Agreement and for so long as FS365 Processes Customer Personal Data, after which it terminates automatically.
Details of Processing
3.1 Subject Matter. FS365's provision of the Services to Customer under the Agreement.
3.2 Duration. For the term of the Agreement, plus any post-termination retention period required to return or delete Customer Personal Data under Section 11.
3.3 Nature and Purpose. Processing of Customer Personal Data as necessary to provide, secure, support, monitor, and improve the Services for Customer, and to perform FS365's obligations under the Agreement.
3.4 Categories of Data Subjects. Customer's authorized users, drivers, fleet operators, dispatchers, maintenance personnel, fuel-card holders, passengers (if applicable), and other individuals whose Personal Data is submitted to the Services by or on behalf of Customer.
3.5 Categories of Personal Data. As further detailed in Exhibit C, Annex I.B, Customer Personal Data may include:
- Identity and contact data (name, email, phone, employee or driver ID);
- Authentication data (usernames, hashed passwords, MFA tokens);
- Vehicle telematics data linked to identifiable drivers (GPS location, speed, harsh-braking and acceleration events, idling, route history, geofence events);
- Driver behavior and HOS (Hours of Service) data;
- Vehicle maintenance, inspection (DVIR), and fault-code records linked to a driver;
- Fuel-card transaction data;
- Dashcam footage and event-triggered video clips (where the Customer enables this feature);
- Communications and support correspondence; and
- Any other Personal Data Customer chooses to submit to the Services.
3.6 Special Categories. FS365 does not request or require Special Categories of Personal Data. Customer agrees not to submit Special Categories of Personal Data (including health, biometric, or precise location data of non-drivers) to the Services except where: (a) such Processing is strictly necessary for the Services; (b) Customer has a lawful basis under Applicable Data Protection Law; and (c) Customer has notified FS365 in writing in advance.
FS365's Obligations as Processor
4.1 Documented Instructions. FS365 will Process Customer Personal Data only on documented instructions from Customer, including with regard to Restricted Transfers, unless required to do otherwise by Union, Member State, UK, US federal, or US state law to which FS365 is subject. In such a case, FS365 will inform Customer of that legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest. The Agreement (including this DPA, Customer's configuration of the Services, and any documented instructions provided through support channels) constitutes Customer's complete and final instructions to FS365.
4.2 Compliance with Law. FS365 will Process Customer Personal Data in accordance with Applicable Data Protection Law and will promptly inform Customer if, in FS365's opinion, an instruction infringes Applicable Data Protection Law. FS365 may suspend Processing under an infringing instruction until Customer confirms or modifies it.
4.3 Confidentiality. FS365 will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate written confidentiality obligations and have received appropriate training on data protection.
4.4 Security. FS365 will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as described in Exhibit B, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of natural persons.
4.5 Personnel. FS365 will limit access to Customer Personal Data to personnel who need access to perform their duties, and will maintain access logs.
Sub-processors
5.1 General Authorization. Customer provides FS365 with a general authorization to engage Sub-processors to Process Customer Personal Data in connection with the Services, subject to this Section 5.
5.2 List of Sub-processors. A current list of FS365's Sub-processors is set out in Exhibit A and maintained at subprocessors. Customer may subscribe to email notifications of changes to that list by contacting privacy@fleetservice365.com.
5.3 Notice of New Sub-processors. FS365 will provide Customer with at least thirty (30) days' prior written notice (which may be by email or by updating the public list with notification to subscribers) before engaging a new Sub-processor that Processes Customer Personal Data.
5.4 Objection Right. Customer may object to FS365's engagement of a new Sub-processor on reasonable grounds relating to data protection by providing written notice to privacy@fleetservice365.com within the 30-day notice period. The Parties will work together in good faith to resolve the objection. If FS365 cannot reasonably accommodate Customer's objection, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services for convenience and receive a pro rata refund of any prepaid, unused fees.
5.5 Sub-processor Contracts. FS365 will enter into a written agreement with each Sub-processor containing data protection obligations no less protective of Customer Personal Data than those in this DPA, as required by Article 28(4) of the GDPR.
5.6 Liability for Sub-processors. FS365 remains fully liable to Customer for the performance of each Sub-processor's obligations relating to the Processing of Customer Personal Data.
Data Subject Rights
6.1 Assistance. Taking into account the nature of the Processing, FS365 will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to enable Customer to fulfill its obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making).
6.2 Forwarding Requests. If FS365 receives a request from a Data Subject in relation to Customer Personal Data, FS365 will, without undue delay: (a) not respond to the request itself except as instructed by Customer or as required by law; and (b) forward the request to Customer for handling.
6.3 Self-Service Tools. Where the Services include self-service functionality enabling Customer to access, correct, export, or delete Customer Personal Data, Customer agrees to use those tools to respond to Data Subject requests where reasonably possible before requesting assistance from FS365.
Personal Data Breach Notification
7.1 Notification. FS365 will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2 Content of Notification. To the extent reasonably available at the time of notification, FS365's notification will describe: (a) the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) the contact point for further information. If all such information is not available at the time of initial notification, FS365 will provide it in phases without undue delay.
7.3 Cooperation. FS365 will reasonably cooperate with Customer in Customer's investigation, mitigation, and notification of the Personal Data Breach, including notifications to Supervisory Authorities and Data Subjects where required.
7.4 No Admission. FS365's notification of, or response to, a Personal Data Breach under this Section 7 is not an acknowledgment by FS365 of any fault or liability with respect to the Personal Data Breach.
Data Protection Impact Assessments and Prior Consultation
FS365 will provide reasonable assistance to Customer with any Data Protection Impact Assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Articles 35 and 36 of the GDPR (or equivalent provisions of other Applicable Data Protection Law), solely in relation to the Processing of Customer Personal Data by FS365 and taking into account the nature of the Processing and the information available to FS365.
Audits and Inspections
9.1 Audit Reports. FS365 will make available to Customer, on request and subject to confidentiality obligations, the most recent reports of independent third-party audits of FS365's information security program, as well as a summary of FS365's then-current technical and organizational measures.
9.2 Customer Audits. To the extent Customer's audit rights cannot reasonably be satisfied by the materials made available under Section 9.1, Customer (or an independent third-party auditor mutually agreed by the Parties and bound by appropriate confidentiality obligations, and excluding any competitor of FS365) may conduct an audit of FS365's compliance with this DPA, subject to the following:
- audits will be conducted no more than once in any twelve (12) month period, except where required by a Supervisory Authority or following a Personal Data Breach;
- Customer will provide at least thirty (30) days' written notice;
- audits will be conducted during normal business hours, in a manner that does not unreasonably interfere with FS365's operations, and will not include access to information of other customers of FS365 or to source code;
- Customer will bear its own costs and reimburse FS365 for FS365's reasonable costs incurred in supporting the audit at FS365's then-current professional services rates; and
- Customer will provide FS365 with a copy of the audit report on a confidential basis, and FS365 may use the report only to demonstrate compliance with its obligations under this DPA.
International Data Transfers
10.1 Transfer Mechanism — EEA. Where Customer Personal Data originating in the EEA is subject to a Restricted Transfer to FS365 or its Sub-processors, the EU Standard Contractual Clauses (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor where Customer is itself a processor) are hereby incorporated into this DPA by reference and completed as set out in Exhibit C.
10.2 Transfer Mechanism — United Kingdom. Where Customer Personal Data originating in the United Kingdom is subject to a Restricted Transfer, the UK Addendum is hereby incorporated into this DPA by reference and completed as set out in Exhibit D.
10.3 Transfer Mechanism — Switzerland. Where Customer Personal Data originating in Switzerland is subject to a Restricted Transfer, the EU Standard Contractual Clauses apply with the following modifications: (a) references to "Regulation (EU) 2016/679" are deemed to include the Swiss Federal Act on Data Protection ("FADP"); (b) the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority for transfers governed by the FADP; (c) the term "Data Subject" includes legal entities until entry into force of the revFADP; and (d) Switzerland is the governing law for transfers governed by the FADP.
10.4 Supplementary Measures. FS365 will implement appropriate supplementary technical, contractual, and organizational measures to protect Customer Personal Data from government access requests in third countries, as described in Exhibit B.
10.5 Alternative Mechanisms. If the European Commission, UK Government, or another competent authority approves a different or successor transfer mechanism, or if the SCCs are invalidated, the Parties will work together in good faith to adopt such alternative mechanism or replacement.
Return and Deletion of Customer Personal Data
11.1 Return or Deletion. Following expiration or termination of the Agreement, FS365 will, at Customer's choice and within ninety (90) days of termination, return all Customer Personal Data to Customer or delete all Customer Personal Data and existing copies, unless retention is required by applicable law.
11.2 Self-Service Export. During the term of the Agreement and for a reasonable period after termination, FS365 will provide Customer with self-service tools to export Customer Personal Data in a commonly used, machine-readable format.
11.3 Retained Copies. FS365 may retain Customer Personal Data to the extent required by applicable law, in routine backup media (which will be deleted in accordance with FS365's standard backup rotation), or in archives required for the establishment, exercise, or defense of legal claims. Any such retained Customer Personal Data remains subject to this DPA for as long as FS365 retains it.
CCPA/CPRA Service Provider Provisions
This Section 12 applies to the extent FS365 Processes Personal Information (as defined in the CCPA/CPRA) of California Consumers on behalf of Customer.
12.1 Service Provider. The Parties acknowledge that Customer is a Business and FS365 is a Service Provider for purposes of the CCPA/CPRA. FS365 is receiving Personal Information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.
12.2 Restrictions. FS365 will not:
- Sell or Share (as defined in the CCPA/CPRA) Personal Information;
- Retain, use, or disclose Personal Information for any purpose other than for the specific Business Purpose of performing the Services, or as otherwise permitted by the CCPA/CPRA;
- Retain, use, or disclose Personal Information outside the direct business relationship between the Parties; or
- Combine Personal Information received from or on behalf of Customer with Personal Information received from or on behalf of any other person, or collected from FS365's own interaction with the Consumer, except as permitted under 11 CCR § 7050(b).
12.3 Certification. FS365 certifies that it understands the restrictions in this Section 12 and will comply with them.
12.4 Cooperation. FS365 will provide reasonable assistance to Customer to enable Customer to comply with Consumer rights requests under the CCPA/CPRA, and will notify Customer if FS365 determines it can no longer meet its obligations under the CCPA/CPRA.
12.5 Right to Take Action. Customer has the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by FS365.
12.6 Deidentified Data. Where FS365 receives or generates deidentified data, FS365 will: (a) take reasonable measures to ensure it cannot be associated with a Consumer or household; (b) publicly commit to maintain and use it only in deidentified form and not to attempt to reidentify it; and (c) contractually obligate any recipients to comply with these requirements.
Other US State Privacy Laws
To the extent applicable to the Processing of Customer Personal Data, FS365 will comply with the requirements applicable to processors, service providers, or contractors under the US State Privacy Laws, including the VCDPA, CPA, CTDPA, UCPA, TDPSA, and similar laws. Without limitation, FS365 will: (a) adhere to Customer's instructions; (b) assist Customer in meeting its obligations under such laws, including responding to Consumer rights requests; (c) provide information reasonably necessary to demonstrate FS365's compliance; (d) engage Sub-processors only pursuant to a written contract in accordance with Section 5; (e) allow for and contribute to reasonable assessments by Customer or Customer's designated auditor; and (f) at Customer's direction, delete or return Personal Data at the end of the provision of Services.
Liability
Each Party's liability under or in connection with this DPA, whether in contract, tort (including negligence), or under any other theory of liability, is subject to the limitations of liability set out in the Agreement. For the avoidance of doubt, the limitations of liability in the Agreement apply to all claims, including claims under the SCCs, except to the extent prohibited by Applicable Data Protection Law.
Governing Law and Jurisdiction
15.1 Governing Law. This DPA is governed by the laws of the State of Texas, without regard to its conflict-of-laws principles, except that: (a) the SCCs in Exhibit C are governed by the law specified in those SCCs; and (b) the UK Addendum in Exhibit D is governed by the laws of England and Wales.
15.2 Jurisdiction. The Parties consent to the exclusive jurisdiction of the state and federal courts located in Travis County, Texas, for any dispute arising under this DPA, except: (a) disputes arising under the SCCs are subject to the jurisdiction specified in those SCCs; and (b) disputes arising under the UK Addendum are subject to the jurisdiction of the courts of England and Wales.
Order of Precedence
In the event of any conflict or inconsistency among the following documents, the order of precedence is: (1) the SCCs (Exhibit C) and UK Addendum (Exhibit D), to the extent applicable; (2) this DPA; (3) the Agreement; and (4) any other agreements between the Parties.
Miscellaneous
17.1 Amendments. FS365 may update this DPA from time to time to reflect changes in Applicable Data Protection Law, the Services, or FS365's practices. FS365 will provide Customer with at least thirty (30) days' notice of material adverse changes. Customer's continued use of the Services after the effective date of an updated DPA constitutes acceptance of the updated DPA.
17.2 Severability. If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA will continue in full force and effect.
17.3 Notices. Notices to FS365 under this DPA must be sent to privacy@fleetservice365.com, with a copy to legal@fleetservice365.com. Notices to Customer will be sent to the email address on file in Customer's account.
17.4 Counterparts. This DPA may be executed in counterparts, including electronically. Electronic signatures have the same effect as handwritten signatures.
Signatures
This DPA is deemed executed upon execution of the Agreement. Customers who require a counter-signed copy may submit a request to privacy@fleetservice365.com.
Exhibit A — List of Sub-processors
FS365 engages the following Sub-processors to Process Customer Personal Data in connection with the Services. The most current version of this list is maintained at subprocessors.
Exhibit B — Technical and Organizational Measures (TOMs)
This Exhibit B describes the technical and organizational measures implemented by FS365 to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and Annex II of the SCCs. FS365 may update these measures from time to time, provided the overall level of protection is not materially decreased.
B.01 Information Security Program
FS365 maintains a written information security program based on industry-recognized frameworks (NIST CSF and ISO/IEC 27001). The program is reviewed at least annually and after any material change in FS365's business, technology, or threat environment.
B.02 Organization of Information Security
- A designated security leader (CISO or equivalent) is responsible for the security program.
- A cross-functional security committee meets at least quarterly.
- Defined roles, responsibilities, and segregation of duties for personnel handling Customer Personal Data.
B.03 Personnel Security
- Background checks on personnel with access to Customer Personal Data, to the extent permitted by law.
- Mandatory data protection and security training at onboarding and annually thereafter.
- Written confidentiality obligations binding on all personnel.
- Prompt revocation of access upon termination or role change.
B.04 Access Control
- Role-based access control (RBAC) following the principle of least privilege.
- Multi-factor authentication (MFA) required for all access to production systems containing Customer Personal Data.
- Single sign-on (SSO) for internal systems.
- Quarterly access reviews and immediate access removal upon role change or termination.
- Privileged access logged and reviewed.
B.05 Encryption
- In Transit: TLS 1.2 or higher for all Customer Personal Data transmitted over public networks.
- At Rest: AES-256 encryption for Customer Personal Data stored in databases, object storage, and backup media.
- Key Management: Cryptographic keys managed using a dedicated key management service with role-based access, rotation, and audit logging.
B.06 Network Security
- Network segmentation between production, staging, and corporate environments.
- Web application firewall (WAF) and DDoS protection at the edge.
- Intrusion detection and prevention systems.
- Regular vulnerability scanning of internal and external assets.
- Annual third-party penetration testing of the Services.
B.07 Application Security
- Secure software development lifecycle (SDLC), including secure coding standards, peer code review, and security testing before release.
- Static application security testing (SAST) and software composition analysis (SCA) integrated into CI/CD.
- Dependency monitoring and timely patching of known vulnerabilities.
- Bug bounty or coordinated vulnerability disclosure program.
B.08 Endpoint Security
- Full-disk encryption on employee devices.
- Centralized endpoint management with required security configuration.
- Anti-malware and endpoint detection and response (EDR) on employee devices.
- Mobile device management (MDM) for devices accessing Customer Personal Data.
B.09 Logical Isolation
- Multi-tenant architecture with logical separation of Customer Personal Data, enforced at the application and database layers.
- Tenant identifiers required on all data access paths; isolation tested as part of the SDLC.
B.10 Logging and Monitoring
- Centralized logging of access to and changes affecting Customer Personal Data.
- 24x7 security monitoring with defined alerting thresholds.
- Log retention consistent with applicable legal and contractual obligations.
- Tamper-resistant log storage.
B.11 Business Continuity and Disaster Recovery
- Documented business continuity and disaster recovery plans, tested at least annually.
- Geographically redundant infrastructure for the production environment.
- Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the Services, available on request.
- Encrypted backups with restoration testing.
B.12 Incident Response
- Documented Personal Data Breach response plan.
- 24x7 on-call rotation for security incidents.
- Defined notification process to Customer in accordance with Section 7 of the DPA.
- Post-incident review and root-cause analysis for all material incidents.
B.13 Physical Security
- Production systems hosted in third-party data centers with industry-recognized security certifications (such as ISO 27001 and PCI DSS).
- Physical access to data centers controlled by the hosting providers; FS365 personnel do not have physical access to underlying infrastructure.
- FS365 office locations secured by badge access, visitor logs, and CCTV.
B.14 Vendor and Sub-processor Risk Management
- Security review of Sub-processors prior to engagement.
- Contractual data protection and security obligations no less protective than those in this DPA.
- Annual review of Sub-processor security posture and audit reports.
B.15 Data Minimization and Retention
- Configuration options enabling Customer to limit data collection (e.g., disable dashcam capture, truncate location precision, configure retention).
- Documented data retention schedule.
- Secure deletion procedures for end-of-life data and decommissioned media.
B.16 Supplementary Measures for Restricted Transfers
To address risks associated with Restricted Transfers, FS365 implements the following supplementary measures in line with EDPB Recommendations 01/2020:
- Encryption as described in Section 5 of this Exhibit B, with keys managed by FS365 and not accessible to government authorities of the importing country in plain form.
- Pseudonymization of Customer Personal Data where technically feasible.
- Government Access Transparency: FS365 publishes a transparency report and will notify Customer (where legally permitted) of any binding legal request for Customer Personal Data from a public authority.
- Challenge of Disproportionate Requests: FS365 will review and, where appropriate, challenge any government access request that is not lawful, valid, or proportionate.
- Minimum Necessary Disclosure: Where disclosure is legally required, FS365 will disclose only the minimum information legally required.
Exhibit C — EU Standard Contractual Clauses
C.1 Incorporation
The Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "SCCs"), are incorporated into this DPA by reference and form an integral part of it. The full text of the SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
C.2 Applicable Modules and Selections
The Parties have selected the following modules and options:
| Item | Selection |
|---|---|
| Module Two — Controller to Processor | Applies where Customer is the Controller of Customer Personal Data. |
| Module Three — Processor to Processor | Applies where Customer is itself a processor acting on behalf of a third-party controller. |
| Clause 7 (Docking Clause) | Not included. |
| Clause 9 — Sub-processors | Option 2 (General Written Authorisation) applies. The minimum notice period for changes to the list of Sub-processors is 30 days. |
| Clause 11 — Redress (independent dispute resolution body option) | Not included. |
| Clause 17 — Governing Law | The Parties select the law of Ireland. |
| Clause 18 — Choice of Forum and Jurisdiction | The Parties select the courts of Ireland. |
C.3 Annex I.A — List of Parties
Data Exporter
| Field | Value |
|---|---|
| Name | The Customer identified in the Agreement |
| Address | As stated in the Agreement |
| Contact person | As stated in the Agreement; otherwise the primary administrator of Customer's account |
| Activities relevant to the transfer | Use of the Services as described in the Agreement |
| Role | Controller (Module Two) or Processor (Module Three) |
Data Importer
| Field | Value |
|---|---|
| Name | Fleet Service 365, LLC. |
| Contact person | Privacy Officer — privacy@fleetservice365.com |
| Activities relevant to the transfer | Provision of the Services as described in the Agreement |
| Role | Processor |
C.4 Annex I.B — Description of Transfer
| Field | Value |
|---|---|
| Categories of Data Subjects | As described in Section 3.4 of the DPA: Customer's authorized users, drivers, fleet operators, dispatchers, maintenance personnel, fuel-card holders, passengers, and other individuals whose Personal Data is submitted to the Services. |
| Categories of Personal Data | As described in Section 3.5 of the DPA, including identity and contact data, authentication data, vehicle telematics data, driver behavior and HOS data, maintenance records, fuel-card transactions, dashcam footage, and communications. |
| Sensitive Data | None requested. Customer agrees not to submit Special Categories of Personal Data except as expressly permitted under Section 3.6 of the DPA. |
| Frequency of Transfer | Continuous, for the duration of the Agreement. |
| Nature of Processing | Hosting, storage, transmission, analytics, support, security monitoring, backup, and other Processing activities necessary to provide the Services. |
| Purpose of Processing | Provision of the Services to Customer in accordance with the Agreement. |
| Retention Period | For the duration of the Agreement, plus the post-termination return/deletion period in Section 11 of the DPA, and any legally required retention. |
| Sub-processors | As described in Exhibit A; the same purpose, nature, and retention apply to onward transfers to Sub-processors. |
C.5 Annex I.C — Competent Supervisory Authority
In accordance with Clause 13 of the SCCs, the competent Supervisory Authority is the Irish Data Protection Commission (Module Two and Module Three), unless Customer is established in or has designated a representative in another EEA Member State, in which case the Supervisory Authority of that Member State will be competent.
C.6 Annex II — Technical and Organizational Measures
The technical and organizational measures applied by FS365 are set out in Exhibit B of this DPA, which is incorporated by reference into this Annex II.
C.7 Annex III — Sub-processors (Module Two and Module Three)
The list of authorized Sub-processors is set out in Exhibit A of this DPA, which is incorporated by reference into this Annex III. Customer has provided general written authorization under Clause 9(a), Option 2, with the 30-day notice period set out in Section 5 of the DPA.
Exhibit D — UK International Data Transfer Addendum
This Exhibit D constitutes the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), version B1.0, in force 21 March 2022, issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018. The full text of the UK Addendum is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/.
D.1 Table 1: Parties
| | Exporter | Importer |
|---|---|---|
| Start date | The Effective Date of the Agreement | The Effective Date of the Agreement |
| Party details | The Customer identified in the Agreement | Fleet Service 365, LLC. |
| Key contact | As stated in the Agreement | Privacy Officer — privacy@fleetservice365.com |
D.2 Table 2: Selected SCCs, Modules and Selected Clauses
The version of the Approved EU SCCs that this UK Addendum is appended to is the EU SCCs as set out in Exhibit C of this DPA, including all selections, options, and Annexes specified therein.
D.3 Table 3: Appendix Information
The Appendix Information referenced in the UK Addendum is the information set out in Exhibit C (including Annexes I.A, I.B, I.C, II, and III) and Exhibit B of this DPA.
D.4 Table 4: Ending the Addendum When the Approved Addendum Changes
Neither Party may end the UK Addendum as set out in Section 19 of the UK Addendum.
D.5 Governing Law and Jurisdiction
The UK Addendum is governed by the laws of England and Wales. Any dispute arising under the UK Addendum will be resolved by the courts of England and Wales.
Document Control
| Field | Value |
|---|---|
| Document title | Data Processing Addendum |
| Version | 1.0 |
| Effective date | January 1, 2026 |
| Last updated | May 16, 2026 |
| Owner | FS365 Privacy Officer — privacy@fleetservice365.com |
| Review cadence | At least annually, and upon any material change to Applicable Data Protection Law or the Services |