MAILGO DATA PROCESSING ADDENDUM

This data processing addendum ("DPA") supplements and forms part of the Mailgo Terms of Service as updated from time to time between the Subscriber and LeadsNavi Pte. Ltd. (the "Terms of Service"). This DPA is between the Subscriber as defined in the Terms of Service ("Subscriber") and LeadsNavi Pte. Ltd (referred to as "Mailgo" as set out in the Terms of Service). The Subscriber and Mailgo shall each be a "Party" and together the "Parties". In the event of conflict between the terms of the Terms of Service and this DPA, this DPA shall take priority in respect of Personal Data Processing.

1. DEFINITIONS AND INTERPRETATION

1.1. Unless otherwise defined herein, the following definitions apply:

  • "Applicable Data Protection Laws" means EU GDPR, UK GDPR and, to the extent applicable, the data protection or privacy laws of any other country (including all law and regulations implementing or made under them, any amendment or re-enactment of them and any judicial or administrative interpretation of any of them);
  • "EU GDPR" means EU General Data Protection Regulation 2016/679, as may be amended from time to time;
  • "EU SCCs" has the meaning given to it in section 2.1 of Schedule 1 of this DPA;
  • "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); and an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction ("Process" and "Processed" shall be construed accordingly);
  • "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to an adequacy regulation made by the UK government pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
  • "Security Incident" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed by Mailgo under this DPA;
  • "Services" has the meaning given to it in the Terms of Service;
  • "Subscriber Personal Data" means any Personal Data Processed by Mailgo on behalf of the Subscriber pursuant to, or in connection with, the Terms of Service as supplemented by this DPA, save that Subscriber Personal Data does not include information relating to the Subscriber's Mailgo account information such as information relating to its personnel or representatives, account related communications and/or billing related information;
  • "UK GDPR" has the meaning given to it in Section 3(10) (as supplemented by Section 205(4)) of the United Kingdom Data Protection Act 2018, as may be amended or superseded from time to time.

1.2. References to "controller" and "processor" shall have the meaning given to them under the UK GDPR and/or EU GDPR (as applicable).

2. DETAILS OF PROCESSING

2.1. Scope & Role. The Parties agree that in the context of the Services provided by Mailgo to the Subscriber, Mailgo acts as processor to the Subscriber and that the Subscriber may either be a controller or processor in the context of its activities. This DPA applies to Mailgo's Processing of Subscriber Personal Data.

2.2. Purpose and nature of processing. The purpose of the Processing under this DPA is to maintain and provide the Services subscribed for or otherwise initiated by the Subscriber pursuant to the Terms of Service.

2.3. Categories of data subjects. Categories of data subjects could include Subscriber's existing or prospective customers, suppliers and users.

2.4. Categories of personal data. Categories of Personal Data processed pursuant to this DPA include email addresses and phone numbers.

2.5. Duration. The duration of the Processing under this DPA is determined by the Subscriber in accordance with the Terms of Service.

3. DATA PROCESSING OBLIGATIONS

3.1. Compliance with Laws. Each Party agrees that it shall comply with all laws and regulations applicable to it and binding on it in the performance of this DPA including all Applicable Data Protection Laws. In particular, the Subscriber shall ensure that any customer (or similar) lists containing Personal Data are up to date, comply with relevant legal requirements and reflect any opt-out or other rights exercised by data subjects.

3.2. Subscriber Instructions. The Parties agree that the Terms of Service as supplemented by this DPA (including instructions via configuration tools and APIs available through the Services) constitute the Subscriber's instructions regarding Processing of Subscriber Personal Data. Mailgo will Process Subscriber Personal Data only in accordance with the Subscriber's instructions and any additional instructions not contemplated by this section 3.2 will require prior written agreement between the Parties including agreement on any additional fees payable. Where required by Applicable Data Protection Laws, Mailgo will notify the Subscriber if, in its opinion, it reasonably believes that an instruction could infringe Applicable Data Protection Laws, however, taking into account the nature of the Services, the Subscriber agrees that Mailgo is unlikely to be able to reasonably determine whether the Subscriber's instructions infringe Applicable Data Protection Laws and/or any other applicable laws.

3.3. Confidentiality Obligations. Mailgo shall take reasonable steps, including with respect to its personnel, to help ensure the confidentiality, data protection and security of the Subscriber Personal Data.

3.4. Subscriber Obligations

The Subscriber shall ensure that throughout the duration of its use of the Services it:

  • has a valid legal basis for the Processing;
  • complies with all required notices, consents, permissions and rights of data subjects as required under Applicable Data Protection Laws; and
  • shall not provide or otherwise make available to Mailgo any Subscriber Personal Data that contains sensitive personal data or Special Category Personal Data (as defined in UK GDPR).

3.5. Security

Taking into account the state of the art, the costs of implementing and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity of the rights and freedoms of natural persons, Mailgo shall, in relation to the Subscriber Personal Data, implement appropriate technical and organisational measures to help ensure a level of security appropriate to the risk of Processing.

3.6. Sub-Processing

3.6.1. Subscriber provides general authorisation to Mailgo's use of sub-Processors to provide Processing activities in relation to Subscriber Personal Data. Information on Mailgo's sub-Processors is available at https://support.mailgo.ai/en-US/kb/article/56/mailgo-sub-processors

3.6.2. In relation to any sub-Processors Mailgo shall:

  • impose equivalent data protection obligations on the sub-Processor that protect the Subscriber Personal Data, in substance, to the same standard provided by this DPA; and
  • remain fully liable for any breach of this DPA that is caused by an act, error or omission of the sub-Processor to the extent that Mailgo would be liable under this DPA if it were performing such Processing itself directly.

3.7. Data Subject Rights

3.7.1. Taking into account the nature of the Processing and the Services provided by Mailgo, and unless Applicable Data Protection Laws require otherwise, the Parties agree that where a data subject exercises their data privacy rights under Applicable Data Protection Laws:

  • Mailgo shall notify the Subscriber if it receives a request from a data subject as soon as reasonably practicable and direct the data subject to submit the request to the Subscriber; and
  • the Subscriber will be responsible for responding to any such request.

3.8. Third Party and Public Authority Access Requests

3.8.1. Unless prohibited from doing so under applicable law, Mailgo will notify the Subscriber if it:

  • receives any legally binding requests from a public authority, including judicial authorities; or
  • becomes aware of any direct access by public authorities or unauthorised third parties to Subscriber Personal Data and the details of any such access.

3.9. Security Incident

3.9.1. Mailgo shall notify the Subscriber without undue delay upon becoming aware of a Security Incident in relation to the Subscriber Personal Data. Such notification or responses to Security Incident shall not be construed as an acknowledgement of fault or liability by Mailgo with respect to the Security Incident.

3.9.2. Where appropriate, Mailgo will provide the Subscriber with reasonable information relating to the Security Incident to allow the Subscriber to comply with its obligations under Applicable Data Protection Laws.

3.9.3. Where the Subscriber notifies a data protection or other supervisory authority of a Security Incident and such notice directly or indirectly refers to or otherwise identifies Mailgo, the Subscriber shall:

  • promptly notify Mailgo in advance and in writing; and
  • in good faith consult with Mailgo on the content of the notification including any references to Mailgo (taking on board any reasonable corrections or clarifications provided by Mailgo that relate to Mailgo's involvement in the Security Incident).

3.10. Deletion or return of Subscriber Personal Data

If so requested by the Subscriber, Mailgo shall return or delete (or procure the return or deletion of) all copies of the Subscriber Personal Data unless any applicable laws require that copies are kept.

3.11. Restricted Transfers

To the extent that the transfer of Personal Data from the Subscriber to Mailgo is a Restricted Transfer, the Parties agree that the relevant sections of Schedule 1 of this DPA shall apply.

3.12. Assistance

3.12.1. Taking into account (i) the nature of the Services provided, (ii) the Processing undertaken by Mailgo and (iii) the information available to Mailgo, Mailgo shall:

  • provide the Subscriber with reasonable assistance to help the Subscriber comply with its obligations under Applicable Data Protection Laws (where applicable); and
  • make available to the Subscriber information necessary to demonstrate compliance with this DPA and cooperate with reasonable audit requests provided that such audits are (i) conducted in line with internationally recognised standards and by qualified auditors, (ii) subject to a reasonable scope (determined by Mailgo), (iii) subject to reasonable advance notice, (iv) subject to confidentiality terms in form and substance acceptable to Mailgo, (v) conducted within reasonable business hours during which relevant Mailgo personnel are available and with minimal disruption to Mailgo's business, (vi) conducted in accordance with Mailgo's security and other relevant policies, (vii) do not impact the security, confidentiality, integrity or availability of the Services to other Mailgo subscribers and (viii) conducted no more than once per calendar year.

3.12.2. The Parties agree that Mailgo shall be entitled to recover reasonable costs and expenses incurred in connection with complying with sections 3.12.1.1 and/or 3.12.1.2 (as applicable) and such costs and expenses will be payable by the Subscriber to Mailgo within 30 days of receipt of Mailgo's invoice.

SCHEDULE 1

TRANSFER PROVISIONS

1. UK RESTRICTED TRANSFERS

1.1. In this section 1, "UK Addendum" means the International Data Transfer Addendum (version B.1.0) to the EU SCCs issued by the United Kingdom's Information Commissioner and laid before the Parliament in accordance with s119A of the Data Protection Act 2018, in force 21 March 2022.

1.2. Mailgo shall comply with the Importer's obligations, and the Subscriber shall comply with the Exporter's obligations, set out in the UK Addendum, which is hereby incorporated into and forms part of this DPA. The execution of this DPA as part of the Terms of Service shall be deemed to be treated as executing the UK Addendum.

1.3. For the purposes of the UK Addendum and where the Subscriber is acting as a controller and Mailgo is acting as a processor, module two (controller to processor) of the EU SCCs is in operation and:

  • Clause 7 (Docking clause) shall not apply;
  • Clause 9(a) requires prior authorisation with 30 days' notice;
  • the optional provisions in Clause 11(a) shall not apply; and
  • either Party may terminate the UK Addendum pursuant to Section 19.

1.4. In the event that the Subscriber is acting as a processor and Mailgo is acting as a sub-processor, for the purposes of the UK Addendum, module three (processor to processor) of the EU SCCs is in operation and:

  • Clause 7 (Docking clause) shall not apply;
  • Clause 9(a) requires prior authorisation with 30 days' notice;
  • the optional provisions in Clause 11(a) shall not apply; and
  • either Party may terminate the UK Addendum pursuant to Section 19.

1.5. The relevant boxes and information in Tables one to three of such incorporated UK Addendum shall be deemed completed accordingly as set out in Schedule 2 of this DPA.

2. EU RESTRICTED TRANSFERS

2.1. In this section 2, "EU SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

2.2. Mailgo shall comply with the Importer's obligations, and the Subscriber shall comply with the Exporter's obligations, set out in the EU SCCs, which is hereby incorporated into and forms part of this DPA. The execution of this DPA as part of the Terms of Service shall be deemed to be treated as executing the EU SCCs.

2.3. For the purposes of the EU SCCs and where the Subscriber is acting as a controller and Mailgo is acting as a processor, module two (controller to processor) of the EU SCCs is in operation and:

  • Clause 7 (Docking clause) shall not apply;
  • Clause 9(a) requires prior authorisation with 30 days' notice;
  • the optional provisions in Clause 11(a) shall not apply;
  • for the purposes of Clause 13(a) of the EU SCCs, all square brackets are removed and all text therein is retained;
  • for the purposes of Clause 17, the governing law shall be Ireland;
  • for the purposes of Clause 18(b), the relevant courts shall be those of Ireland; and
  • either Party may terminate the EU SCCs pursuant to Clause 19 of such EU SCCs.

2.4. For the purposes of the EU SCCs and where the Subscriber is acting as a processor and Mailgo is acting as a sub-processor, module three (processor to processor) of the EU SCCs is in operation and:

  • Clause 7 (Docking clause) shall not apply;
  • Clause 9(a) requires prior authorisation with 30 days' notice;
  • the optional provisions in Clause 11(a) shall not apply;
  • for the purposes of Clause 13(a) of the EU SCCs, all square brackets are removed and all text therein is retained;
  • for the purposes of Clause 17, the governing law shall be Ireland;
  • for the purposes of Clause 18(b), the relevant courts shall be those of Ireland; and
  • either Party may terminate the EU SCCs pursuant to Clause 19 of such EU SCCs.

2.5. The relevant boxes and information in Tables one to three of such incorporated EU SCCs shall be deemed completed accordingly as set out in Schedule 2 of this DPA.

SCHEDULE 2

DETAILS OF TRANSFERS

Importer Full Legal Name, Main Address and Official Registration No (for Annex 1A): LeadsNavi Pte. Ltd, 8 Kaki Bukit Avenue 4, #08-32, Premier @ Kaki Bukit, Singapore (415875). Official registration number - 202439191E

Importer Full name, job title and contact details (including email) of the key contact (for Annex 1A): Contact details specified in the DPA or Terms of Service.

Exporter Full Legal Name, Main Address and Official Registration No (for Annex 1A): The Subscriber as set out in the Terms of Service or otherwise associated with the Subscriber's account.

Exporter Full name, job title and contact details (including email) of the key contact (for Annex 1A): The contact details associated with the Subscriber's account.

Start Date (for UK Addendum): The date of this DPA.

Descriptions of Transfers for Annex 1B:
  • Categories of data subjects – see section 2.3 of this DPA.
  • Categories of personal data – see section 2.4 of this DPA.
  • Sensitive personal data and safeguards applicable – N/A.
  • Frequency of transfer – continuous
  • Nature of processing – see section 2.2 of this DPA.
  • Purposes of transfer and further processing – see section 2.2 of this DPA.
  • Period for which personal data will be retained – see section 2.5 of this DPA.
  • For transfers to sub-processors – subject matter, nature and duration of processing – the details set out in section 2 of this DPA would be applicable.

Competent Supervisory Authority: For EU SCCs only – Ireland

Annex II – Technical and Organisational Measures:
  1. Governance: organizational management and staff responsible for implementing, maintaining and overseeing the security program.
  2. Data security measures to help ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services including things like access management controls, encryption and threat detection.
  3. Ongoing monitoring of security posture and appropriate reporting to senior management.
  4. Logical access controls designed to limit access based on need to know and least privilege.
  5. Protection measures for data in transit and storage.
  6. Physical security of facilities and data centres.
  7. Event logging in relation to access and system activity.
  8. Incident management procedures designed to allow Mailgo to investigate and respond to security incidents.
  9. Training and awareness to promote a culture of security and privacy including principles such as data minimization.

Annex III – Sub-processors: See section 3.6.1 of this DPA.