Fund LP Data Processing Addendum
1.0 (Current)
March 27, 2024
This Data Processing Addendum ("DPA") forms part of the Fund LP Services Agreement or other written agreement between Fund LP and Customer for the purchase and use of the Services from Fund LP (the "Agreement") to reflect the parties' agreement with regard to the Processing of Personal Data.
By using the Services, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Fund LP processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the terms "Customer", "You" and "Your" shall include Customer and Authorized Affiliates.
In the course of providing the Services to Customer pursuant to the Agreement, Fund LP may Process Personal Data on behalf of Customer. Fund LP agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and processed by or for Customer through the Services.
1. Definitions
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
"Authorized Affiliate" means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Fund LP, but has not signed its own Agreement with Fund LP and is not a "Customer" as defined under the Agreement.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Customer Data" means what is defined in the Agreement as "Customer Data" or "Your Data."
"Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), where for each (i) or (ii), such data is Customer Data.
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.
"Standard Contractual Clauses" means the agreement executed by and between Customer and Fund LP and attached hereto as Attachment 1 pursuant to the European Commission's decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
"Sub-processor" means any Processor engaged by Fund LP or a member of the Fund LP Group.
"Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. Processing of Personal Data
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Fund LP is the Processor, and that Fund LP will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-processors" below.
2.2 Customer's Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 Fund LP's Processing of Personal Data. Fund LP shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Fund LP is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Attachment 2 to this DPA.
3. Rights of Data Subjects
3.1 Data Subject Request. Fund LP shall, to the extent legally permitted, promptly notify Customer if Fund LP receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or its right not to be subject to an automated individual decision making ("Data Subject Request"). Taking into account the nature of the Processing, Fund LP shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Fund LP shall upon Customer's request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Fund LP is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Fund LP's provision of such assistance.
4. Fund LP Personnel
4.1 Confidentiality. Fund LP shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Fund LP shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Reliability. Fund LP shall take commercially reasonable steps to ensure the reliability of any Fund LP personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. Fund LP shall ensure that Fund LP's access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.4 Data Protection Officer. Fund LP shall have appointed, or shall appoint, a data protection officer if and whereby such appointment is required by Data Protection Laws.
5. Sub-processors
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that Fund LP may engage third-party Sub-processors in connection with the provision of the Services. Fund LP has or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
5.2 List of Current Sub-processors and Notification of New Sub-processors. Fund LP shall make available to Customer the current list of Sub-processors for the Services identified in Fund LP's Subprocessor List. Such Sub-processor list shall include the identities of those Sub-processors and their country of location. Fund LP shall update the Sub-processor list at least 30 days prior to the addition or replacement of a Sub-processor.
5.3 Objection Right for New Sub-processors. Customer may object to Fund LP's use of a new Sub-processor by notifying Fund LP promptly in writing within ten (10) business days after receipt of Fund LP's notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Fund LP will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Fund LP is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Fund LP without the use of the objected-to new Sub-processor by providing written notice to Fund LP. Fund LP will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
5.4 Liability. Fund LP shall be liable for the acts and omissions of its Sub-processors to the same extent Fund LP would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. Security
6.1 Controls for the Protection of Customer Data. Fund LP shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. Fund LP regularly monitors compliance with these measures. Fund LP will not materially decrease the overall security of the Services during the term of the Agreement.
6.2 Third-Party Certifications and Audits. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Fund LP shall make available to Customer that is not a competitor of Fund LP (or Customer's independent, third-party auditor that is not a competitor of Fund LP) a copy of Fund LP's then most recent third-party audits or certifications, as applicable, or any summary thereof, that Fund LP generally makes available to its customers at the time of such request.
7. Security Breach Management and Notification
Fund LP shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Fund LP or its Sub-processors of which Fund LP becomes aware (a "Security Breach"). Fund LP shall make reasonable efforts to identify the cause of such Security Breach and take those steps as Fund LP deems necessary and reasonable in order to remediate the cause of such a Security Breach to the extent the remediation is within Fund LP's reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer's Users.
8. Return or Deletion of Customer Data
Upon termination of the Agreement and upon Customer's request, Fund LP shall either delete or return to Customer all Customer Data, including Personal Data in its possession. This requirement shall not apply to the extent that Fund LP is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Fund LP shall securely isolate and protect from any further processing, except to the extent required by applicable law.
9. Authorized Affiliates
9.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Fund LP and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 9 and Section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
9.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Fund LP under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Fund LP, it shall to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
9.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Fund LP directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Section 9.3.2, below).
9.3.2 The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Fund LP and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.
10. Limitation of Liability
Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement, and such limitations apply to the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
11. California Consumer Privacy Act (CCPA)
For purposes of the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., if at such time Fund LP is deemed a "Service Provider" as such term is defined under the CCPA the parties further acknowledge and agree that:
(a) Fund LP shall not retain, use, or disclose Customer Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing Customer Data for a commercial purpose other than providing the Services or as otherwise permitted by the CCPA; and
(b) Fund LP shall not sell Customer Data.
12. GDPR Obligations
To the extent that Fund LP Processes Customer Personal Data that is protected by the GDPR, Fund LP acknowledges and agrees that it:
(a) shall Process Customer Personal Data only on lawful documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by EEA Laws to which Fund LP is subject; in such a case, Fund LP shall inform Customer of that legal requirement before Processing, unless EEA Laws prohibit such information on important grounds of public interest;
(b) shall ensure that persons authorised to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) shall take all measures required pursuant to Article 32 of the GDPR;
(d) shall respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
(e) taking into account the nature of the Processing, shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
(f) shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to Fund LP;
(g) at the choice of Customer, shall delete or return all the Customer Personal Data to Customer after the end of the provision of services relating to Processing, and delete existing copies unless EEA Laws require storage of the Customer Personal Data;
(h) shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.