DATA PROTECTION AGREEMENT

Exhibit A to the Master Services Agreement

Data Protection Agreement

Last Updated: July 18, 2023

1. SCOPE

MotivIT shall Process CLIENT Data in accordance with privacy laws and norms, the applicable privacy policy(ies) and the terms in this Agreement. In the event of conflict between the terms of this Agreement and any other agreement between the parties relating to data usage and protection, the terms of this Agreement will prevail.

2. DEFINITIONS

2.1. “Data Breach” means any actual or suspected misappropriation, improper, unlawful or unauthorized access to, or disclosure or use of CLIENT Data.

2.2. “Data Protection Laws” means data protection and privacy laws of any country in which CLIENT does business including but not limited to the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

2.3. “Opt-in” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

2.4. “Data Subject” means the natural person about whom the Personal Data refers.

2.5. “Personal Data” means any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, Personal Data includes Sensitive Personal Data.

2.6. “Processing/Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.7. “CLIENT Data” means any and all data, information and content (including Personal Data) and whether confidential or not which is made available to or Processed by MotivIT on CLIENT's behalf.

2.8. “Sensitive Personal Data” means a special category of Personal Data identifying racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

3. COMPLIANCE AND COOPERATION

MotivIT will comply with Data Protection Laws in Processing of CLIENT Data. If the Data Protection Laws impose stricter obligations on MotivIT than this Agreement, the Data Protection Laws shall prevail. MotivIT will cooperate with CLIENT regarding Processing of CLIENT Data to enable CLIENT to comply with any Data Protection Laws. MotivIT shall identify a single representative to promptly and fully respond to CLIENT's queries regarding Processing of CLIENT Data.

4. SECURITY AND MANAGEMENT OF CLIENT DATA

MotivIT shall:

4.1. Ensure at all times that it will (with no lesser degree of care and no less robust security measures than those which would apply to MotivIT's own confidential information) implement and maintain reasonable administrative, technical, and physical safeguards designed to: (i) maintain the security and confidentiality of CLIENT Data; (ii) protect against reasonably anticipated threats or hazards to the security or integrity CLIENT Data; and (iii) protect against unauthorized access to or use of CLIENT Data. These safeguards include, but are not limited to, the encryption of CLIENT Data on all devices and removable media and the use of Transport Layer Security (“TLS”) encryption or other reasonably acceptable methods of encryption for transmission across public networks of any electronic communications involving CLIENT Data and keep all CLIENT Data encrypted at rest.

4.2. Process CLIENT Data only to fulfill its obligations to CLIENT as instructed in writing by CLIENT. MotivIT shall not Process any CLIENT Data for its own purpose or for any other purpose;

4.3. Limit access to CLIENT Data to those with a legitimate need to know;

4.4. Maintain current disaster recovery procedures in relation to any systems which Process the CLIENT Data;

4.5. In the event of an actual or suspected Data Breach, immediately notify CLIENT and deploy mitigation efforts to minimize the effects of a Data Breach and continuously update CLIENT of status.

4.6. If permitted by law, promptly notify CLIENT of any data protection related inquires (including inquiries from any regulator, law enforcement or government agency) or complaints related to CLIENT Data;

4.7. Provide reasonable assistance to CLIENT to promptly respond to or resolve any request, question, inquiry or complaint received

4.8. from any Data Subject or any regulator, law enforcement or government agency;

4.9. Unless legally compelled, not disclose CLIENT Data or Processing details unless at the written instruction of CLIENT and if legally compelled, immediately notify CLIENT so CLIENT may seek a protective order;

4.10. Promptly carry out requests from CLIENT to amend, transfer or destroy CLIENT Data; and

4.11. Make changes at its o the Privacy Statement”); or (b) if by phone, by providing a short and relevant collection notice with direction to the URL of the Privacy Statement for further information; or (c) for all other collections, the Privacy Statement will be made available;

4.12. MotivIT represents and warrants that when acting on CLIENT's behalf:

4.12.1. Personal Data will not be collected (including by cookies or other technologies) without providing the Data Subject with fair, lawful and sufficient notice pursuant to applicable Data Protection Laws;

4.12.2. Personal Data will be collected on behalf of CLIENT solely when the Privacy Statement (located at *URL is clearly available to Data Subjects prior to collection:

    (a) if online, the Privacy Statement must be linked immediately adjacent to the “submit” (or similar) button and the consent of the Data Subject must be obtained (e.g., a box which the Data Subject may choose to check, stating “I understand and agree that my personal information will be used as outlined in the Privacy Statement”); or (b) if by phone, by providing a short and relevant collection notice with direction to the URL of the Privacy Statement for further information; or (c) for all other collections, the Privacy Statement will be made available;

4.12.3. Not collect Personal Data of a child under age 16;

4.12.4. For any Personal Data collected for marketing or specific targeting purposes, align with the specific purpose(s) set forth in the Agreement and subject to an Opt- In of the Data Subject;

4.12.5. Any commercial emails sent by the MotivIT will require an affirmative opt-in consent and will include a functional unsubscribe option;

4.12.6. Opt-ins obtained by the MotivIT for text messaging must be by a written (such as electronic format), auditable consent by Data Subject; and text messages sent by MotivIT acting on behalf of CLIENT to a mobile device must comply with the Global Code of Conduct of the Mobile Marketing Association (“MMA”) and any MMA region-based guide (for example, in the U.S., the U.S. Consumer Best Practices for Messaging) or any comparable and applicable in-country guidance or best practice.

5. DATA TRANSFER

MotivIT will not transfer nor permit any Sub-Processor (defined below) to transfer, CLIENT Data outside the jurisdiction in which MotivIT and CLIENT agree in writing CLIENT Data will be hosted, except with CLIENT's prior written consent. The compliance with the minimum data protection can be demonstrated by implementing at least one of the respective mechanisms provided under applicable Data Protection Laws or by ensuring that the exemptions provided thereunder apply.

6. DATA SUBJECT REQUESTS

In the event that MotivIT receives a request from a Data Subject for access to that Data Subject’s Personal Data, or for the rectification or erasure of such Personal Data or any other request or query from a Data Subject relating to its own Personal Data (a “Data Subject Request”), MotivIT will:

a)notify CLIENT immediately of the request (without responding to that Data Subject request, unless it has been otherwise authorized by CLIENT to do so);
b)provide details of the request (and any other relevant information CLIENT may reasonably request) within five business days of receipt of data subject request; and
c)provide assistance to CLIENT as CLIENT may reasonably require for the purposes of responding to the request.

6.1.In the event that CLIENT receives a data subject request concerning Personal Data being processed, stored or used by MotivIT, MotivIT shall provide such assistance to CLIENT as CLIENT may reasonably require for the purposes of responding to the Data Subject Request.

7. SUB-PROCESSORS

MotivIT shall not delegate or subcontract Processing to another party (“Sub-Processor”) without CLIENT's prior written consent at CLIENT's sole discretion. When asking for consent, MotivIT will provide details about the Sub-Processor relating to Processing, security, data and server location. MotivIT must execute an agreement with terms substantially similar to this Agreement imposing the same obligations on the Sub-Processor as imposed on the MotivIT providing CLIENT with third party beneficiary rights of Sub- Processor to CLIENT.

8. INDEMNIFICATION

MotivIT has primary responsibility relating to Processing of CLIENT Data, including the acts or omissions of its personnel, agents and Sub-Processors (each a “Representative”). MotivIT shall indemnify, hold harmless and, upon CLIENT's request, defend CLIENT and its directors, officers, employees, shareholders and agents from and against any and all damages, liabilities, costs, expenses, claims, fines and losses brought by a third party, including reasonable attorneys' fees, in connection with, in whole or in part, MotivIT's and/or any Representative's breach of this Agreement.

9. DATA PROTECTION IMPACT ASSESSMENTS

If MotivIT's processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall immediately notify CLIENT and will provide all reasonable and timely assistance necessary to conduct a data protection impact assessment, and if necessary, consult with the relevant data protection authority.

10. AUDIT, INFRASTRUCTURE AND NOTICES

10.1.Audit. MotivIT shall, subject to confidentiality terms, permit CLIENT or its authorized representatives to have access to the appropriate part of MotivIT's premises, systems, equipment, and other materials and Processing facilities to enable CLIENT (or its authorized representative) to inspect the same for the purposes of monitoring compliance with MotivIT's obligations under this Agreement. If an audit finds non-compliance with this Agreement, MotivIT shall take all reasonable steps to promptly remedy any breach, or provide a detailed report as to why such breach cannot be remedied and pay CLIENT's reasonable audit costs.

10.2.Infrastructure Changes. MotivIT shall notify CLIENT of any planned changes to its infrastructure or processes involving CLIENT Data prior to any change if such a change may materially increase the likelihood of CLIENT Data becoming compromised or lead to the breach of any applicable Data Protection Laws. On CLIENT's request, MotivIT will modify or delay such changes until any reasonable concerns that CLIENT may have are resolved.

11. RECORD OF PROCESSING

MotivIT shall maintain a record of Processing. On request, MotivIT shall make those records available upon written instruction by CLIENT at no additional cost to CLIENT.

12. RETURN OF DATA

Upon written request or termination or expiration of this Agreement, MotivIT shall: (i) immediately cease Processing of the CLIENT Data; and (ii) return to CLIENT in CLIENT's preferred format, or at CLIENT's option destroy or expunge the CLIENT Data and all copies or extracts within five (5) days in accordance with the Guidelines for Media Sanitation.