DPA — Motivate AI

Data Privacy Addendum (DPA)

GoMotivate, Inc. (“Company”)

Effective Date: November 1, 2024

This Data Processing Addendum (“DPA”) is made and entered between GoMotivate, Inc. (a Delaware corporation, or any of its current or future subsidiaries, affiliates, successors or assigns (collectively, the “GoMotivate”) and the Company, each a “Party” and together the “Parties”.

This DPA (and its Schedules) supplement any existing agreement between GoMotivate and the Company for the provision of services (including any services provided on a trial basis) (the “Services”) pursuant to which the Parties have agreed that it may be necessary for GoMotivate to process Personal Data as a processor for and on behalf of Company (the “Existing Agreement”), by setting out the additional terms, requirements, and conditions on which GoMotivate will process such Personal Data in accordance with Data Protection Laws.

It is agreed as follows:

1. Definitions and Interpretations.

1.1. In this DPA, unless the context otherwise requires, the following definitions shall apply:

(a) “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (i) EU Regulation 2016/679 ("GDPR") as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the Data Protection Act 2018; and (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "Data Subject", "processing", "processor" and "controller" shall have the meanings set out in the Data Protection Act.

(b) "DP Regulator" means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.

(c) "Personal Data" means personal data (as defined in the Data Protection Act) which is processed by GoMotivate pursuant to this DPA, as more particularly described in Schedule 1 (Details of Personal Data Processed).

(d) "Request" means a request from a data subject to exercise any of their rights under the Data Protection Laws in respect of the Personal Data.

(e) "Standard Contractual Clauses" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognised as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).

(f) "Sub-Processor" shall have the meaning given in clause 4.1 below.

(g) "UK Addendum" means the UK International Data Transfer Addendum to the Standard Contractual Clauses, as may be amended, replaced or superseded by the ICO from time to time (including as formally issued by the ICO under section 119A(1) Data Protection Act 2018).

1.2. In this DPA, unless the context otherwise requires:

(a) headings are for convenience only and do not affect the interpretation of this DPA;

(b) references to a person includes its legal personal representatives, successors and assigns;

(c) a reference to any statute, enactment, order, regulation or other similar instrument shall be construed as a reference to the statute, enactment, order, regulation or instrument as amended, extended or re-enacted from time to time; and

(d) any phrase introduced by the terms "include", "including", "particularly" or "in particular" or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.

1.3. This DPA is supplementary to any Existing Agreement between the Parties. In the event of inconsistencies between the provisions of this DPA and the Existing Agreement, the provisions of this DPA will prevail.

2. Data Processing Obligations

2.1. The Parties acknowledge and agree that, in respect of processing undertaken pursuant to this DPA, the Company is a controller and GoMotivate is a processor.

2.2. The Parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this DPA.

2.3. Company shall have sole responsibilities for the accuracy, quality, and legality of Personal Data and the means by which Company acquired Personal Data, the legal basis for processing under Data Protection Laws, and shall provide all notices and obtain all consents as may be required under Data Protection Laws in order for GoMotivate to process Personal Data as contemplated by this DPA and any Existing Agreement.

2.4. Customer warrants that it shall only require GoMotivate to process such Personal Data as strictly necessary for the purpose of GoMotivate providing its Services under an Existing Agreement.

2.5. To the extent that GoMotivate receives from, or processes any Personal Data on behalf of the Company, GoMotivate shall:

(a) process such Personal Data (i) only in accordance with Company’s written instructions from time to time (including those set out in this DPA and any Existing Agreement), unless it is required to process Personal Data in accordance with applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, GoMotivate shall notify Company of the relevant legal requirement before processing the Personal Data) and (ii) only for the duration of this DPA;

(b) process the Personal Data for the purpose of delivering the Services under the Existing Agreement, and for the duration of the Services, and shall process only Personal Data and Personal Data in respect of such categories of Data Subject as are required for the purpose of delivering the Services (as more particularly described in the Existing Agreement or as otherwise documented in writing from time to time);

(c) ensure that any persons authorized by it to process Personal Data are committed to binding obligations of confidentiality when processing such Personal Data;

(d) implement and maintain technical and organizational measures to ensure an appropriate level of security for Personal Data, including protecting Personal Data against the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination or access;

(e) to the extent that the required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, upon the company’s request;

(f) inform Company without undue delay upon becoming aware of a personal data breach (as defined in Article 4 of UK GPDR) impacting any Personal Data (while within GoMotivate’s or its Sub-Processors’ possession or control);

(g) not disclose any Personal Data to any Data Subject or to a third party other than at the written request of Company or as expressly provided for in this DPA;

(h) as Company so directs, return or irretrievably delete all Personal Data on termination of this DPA or on completion of the Services under the Existing Agreement, and not make any further use of such Personal Data (except to the extent that Data Protection Laws require continued storage of the Personal Data by GoMotivate and GoMotivate has notified Company accordingly, in which case the provisions of this clause 2.4 shall continue to apply to such Personal Data);

(i) provide to Company all information necessary to demonstrate compliance with the obligations on GoMotivate under this DPA;

(j) permit Company or its representatives to audit its compliance with this DPA, subject to the following requirements:

● Company may perform such audits once per year, or more frequently if required by the Data Protection Laws applicable to Company;

● Company may use a third party to perform the audit on its behalf, provided that such third party executes a confidentiality agreement acceptable to GoMotivate before the audit;

● audits must be conducted during regular business hours, subject to GoMotivate’s policies, and may not unreasonably interfere with GoMotivate’s business activities;

● Company must provide GoMotivate with any audit reports generated in connection with any audit at no charge unless prohibited by law. Company may use the audit reports only for the purposes of meeting its audit requirements under Data Protection Laws and/or confirming compliance with the requirements of this DPA. The audit reports shall be confidential;

● to request an audit, Company must first submit a detailed audit plan to GoMotivate at least 6 weeks in advance of the proposed audit date. The audit must describe the proposed scope, duration, and start date of the audit. GoMotivate will review the audit plan and inform Company of any concerns or questions (for example, any request for information that could compromise GoMotivate’s confidentiality obligations or its security, privacy, employment or other relevant policies). GoMotivate will work cooperatively with Customer to agree a final audit plan;

● nothing in this clause 2.4(i) shall require GoMotivate to breach any duties of confidentiality word to any of its clients or employees; and

● all audits are at Company’s sole cost and expense;

(k) take such steps as are reasonably required to assist Company in ensuring compliance with its obligations under Articles 30 to 36 (inclusive) of UK GDPR; and

(l) notify Company as soon as reasonably practicable if it receives a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to GoMotivate’s processing of that person’s Personal Data and assist the Company, insofar as possible, to respond to such request.

2.6. If the Customer receives any complaint, notice, or communication which relates directly or indirectly to GoMotivate’s processing of Personal Data or to GoMotivate’s compliance with the Data Protection Laws, it shall as soon as reasonably practicable notify GoMotivate and it shall provide GoMotivate with reasonable cooperation and assistance in relation to any such complaint, notice, or communication.

3. Cross-Border Data Transfers

3.1. Where GoMotivate’s processing of Personal Data under this DPA involves a transfer of Personal Data which is required to be processed by the Company in accordance with the GDPR, to GoMotivate outside the European Economic Area (EEA), and such transfer is not governed by a decision of the European Commission pursuant to Article 25(6) of the EU Data Protection Directive 95/946/EC or Article 45, 46, or 49 of GDPR respectively, then such transfer shall be governed by the Standard Contractual Clauses, which are incorporated by reference and are deemed to have been entered into and completed as follows:

(a) Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply, and the provisions of the Standard Contractual Clauses relating only to Modules One, Three, and Four are deleted and shall not apply to such transfer;

(b) The following amendments shall be applied to the Standard Contractual Clauses:

● All footnotes and explanatory notes in the Standard Contractual Clauses are deleted;

● Clause 7 shall not apply and shall be deleted;

● In respect of Clause 9 (sub-processors), Option 2 (general written authorization) applies, and the minimum time period for GoMotivate (as data importer) to inform the Company (as data exporter) in writing of any intended changes to the agreed list of sub-processors in accordance with Clause 9 shall be 10 business days;

● The “OPTION” in Clause 11(a) shall not apply and the wording in square brackets in that Clause shall be deleted;

● In respect of Clause 17 (governing law), the governing law shall be the law of Ireland;

● In respect of Clause 18 (choice of forum and jurisdiction), the relevant courts shall be the courts of Ireland;

● Annexures I of the Standard Contractual Clauses shall be deemed to be prepopulated with the information in Schedule 1 of this DPA.

3.2. Where GoMotivate’s processing of Personal Data under this DPA involves a transfer of Personal Data which is required to be processed by the Company in accordance with the UK GDPR, to GoMotivate outside the UK, and such transfer is not governed by an adequacy decision made in accordance with the relevant provisions of the UK GDPR and the Data Protection Act, or an adequacy decision recognized pursuant to paragraphs 4 and 5 of Schedule 21 of the Data Protection Act, then such transfer shall be governed by the applicable provisions of the Standard Contractual Clauses, as amended by the UK Addendum. The provisions of the UK Addendum are incorporated by reference and are deemed to have been completed as follows:

(a) Relevant information from the Standard Contractual Clauses shall be deemed to be incorporated into the relevant and correlating tables of the UK Addendum;

(b) In respect of Table 4 of the UK Addendum, either party may end the UK Addendum in the circumstances set out in Section 19 of that UK Addendum.

3.3. Where any of the clauses of this DPA conflict with the Standard Contractual Clauses and/or the UK Addendum, the Standard Contractual Clauses and/or the UK Addendum (as applicable) shall prevail.

3.4. The provisions of this clause 3 shall apply only in respect of Personal Data which is subject to the regulation of the GDPR and/or the UK GDPR.

4. Appointment of Sub-Processors

4.1. Customer agrees that GoMotivate may disclose Personal Data to its advisers, auditors or other third parties (“Sub-Processors”) as reasonably required in connection with the performance of its obligations under this DPA and any Existing Agreement, in accordance with this Clause 4.

4.2. GoMotivate will inform Company of the name, address, and role of each Sub-Processor it appoints to process Personal Data.

4.3. Where GoMotivate engages a new Sub-Processor, GoMotivate shall provide Company with at least 10 business days’ notice of the engagement by sending an email notification to Company. Company must promptly notify GoMotivate if it objects to any nominated Sub-Processor, and GoMotivate will take such steps as are reasonably necessary to address any reasonable Company concerns.

4.4. GoMotivate shall ensure that its contract with each Sub-Processor shall impose obligations on the Sub-Processor that are equivalent to the obligations to which GoMotivate is subject to under this DPA.

4.5. Any sub-contracting or transfer of Personal Data pursuant to this Clause 4 shall not relieve GoMotivate of any of its liabilities, responsibilities and obligations to Company under this DPA and GoMotivate shall remain fully liable for the acts and omissions of its Sub-Processors.

5. Term and Termination

5.1. This DPA shall be deemed to have commenced on the Effective Date and shall continue in force for as long as any Existing Agreement remains in effect. This DPA shall automatically terminate on termination of or completion of the Services provided under any Existing Agreement.

5.2. On termination of this DPA, GoMotivate shall, at Company request, promptly return to Company or destroy all Personal Data processed in the GoMotivate environment securely (regardless of form, and whether computerized or physical) except as required by law or as required in order to defend any actual or possible legal claims.

6. Limitation of Liability

6.1. The exclusions and limitations of liability under any Existing Agreement shall apply in respect of any liability arising under this DPA.

7. Counterparts

7.1. This DPA may be executed in any number of counterparts or duplicates, each of which, when executed and delivered, shall be an original, and such counterparts or duplicates together all constitute one and the same instrument.

8. Entire Agreement

8.1. This DPA is the entire agreement between the parties on the subject matter contained herein and supersedes all representations, communications, and prior agreements (oral or written).

8.2. Each Party acknowledges that upon entering into this DPA, it does not rely, and has not relied, upon any representation (negligent or innocent), statement or warranty made or agreed to by any person (whether a Party to this DPA or not) except those expressly repeated in this DPA.

8.3. This Clause 8 shall not apply to any statement, representation, or warranty made fraudulently, or to any provision of this DPA which was induced by fraud for which the remedies available shall be all those available under the laws of England and Wales.

9. Third Party Rights

9.1. A person who is not a Party to this DPA has no right under the Contracts (Rights of Third Parties) Act 1999 to rely upon or enforce any term of this DPA.

10. Governing Law and Jurisdiction

10.1. This Data Processing Agreement and any dispute or claim (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

10.2. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Data Processing Addendum, its subject matter or formation.

SCHEDULE 1

ANNEXURES TO THE STANDARD CONTRACTUAL CLAUSES

ANNEX I: Description of processing/transfer

A. List of Parties

Data Exporter(s):

● Name: The name of the Company as confirmed to be entering the relevant Existing Agreement.

● Address: The address of the Company as confirmed to be entering the relevant Existing Agreement.

● Contact person’s name, position, and contact details: The contact person and their contact details as confirmed on entering the relevant Existing Agreement

● Activities relevant to the data transferred under the SCCs: As agreed between the Parties for receipt of the Services under the relevant Existing Agreement, in accordance with this DPA.

● Signature and date: Signature and date shall be deemed to be as at the date of the relevant Existing Agreement.

● Role (controller/processor): Controller

Data Importer(s):

● Name: GoMotivate, Inc., including any of its current or future subsidiaries, affiliates, successors or assigns.

● Address: 140 NW 17th St. Bend, OR. 97703

● Contact person’s name, position, and contact details:

● Activities relevant to the data transferred under the SCCs: As agreed between the parties for provision of the Services under the relevant Services Agreement, in accordance with this DPA.

● Signature and date: Signature and date shall be deemed to be as at the date of the relevant Existing Agreement.

● Role (controller/processor): Processor

B. Categories of data subjects whose personal data is transferred

Company’s may submit Personal Data to the GoMotivate, the extent of which is determined and controlled by Company in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

● Prospects, customers, business partners and vendors of the Company (who are natural persons)

● Employees or contact persons of Company’s prospects, customers, business partners and vendors

● Employees, agents, advisors, freelancers of Company (who are natural persons)

● Customer’s personnel or users authorized by Company to use the Online Services

C. Categories of personal data transferred

Company may provide Personal Data to GoMotivate in order for GoMotivate to perform the services pursuant to the Existing Agreement, the extent of which is determined and controlled by Company in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

• First and last name

• Title

• Position

• Employer

• Contact information (company, email, phone, physical business address)

• ID data

• IP Address and network identifiers

• Localisation data

D. Description of Transfer

The Personal Data processing activities being carried out by the parties under this DPA are as described in the Existing Agreement.

E. Frequency of the Transfer

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis depending on the use of services that GoMotivate provides.

F. Competent Supervisory Authority

Where the data exporter is established in an EU Member State: the data exporter's competent supervisory authority as determined by the GDPR.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2): the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) is established.

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES

Description of the technical and organizational measures implemented by GoMotivate (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

GoMotivate represents and warrants, on a continuing basis, that the following technical and organizational measures are, and will remain, in place for the present data processing. The Parties acknowledge and agree that technical details of the security measures may be adapted from time to time to account for technical developments and industry best practices. Such adaptations, however, shall not lower the data protection level. Significant changes shall be agreed in contractual amendments.

A. Physical access control

Technical and organisational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware) where Personal Data are processed, include:

• Establishing access authorisations for employees and third parties;

• Establishing security areas, restriction of access paths;

• Access control system (ID reader, magnetic card, chip card);

• Key management, card-keys procedures;

• Door locking (electric door openers etc.);

• Security staff, janitors;

• Surveillance facilities, video/CCTV monitor, alarm system;

• Securing decentralised data processing equipment and personal computers.

B. Virtual access control

Technical and organisational measures to prevent data processing systems from being used by unauthorized persons include:

• User identification and authentication procedures;

• ID/password security procedures (special characters, minimum length, change of password);

• Automatic blocking (e.g. password or timeout);

• Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;

• Creation of one master record per user, user master data procedures, per data processing environment;

• Encryption of archived data media.

C. Data access control

Technical and organisational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorisation, include:

• Internal policies and procedures;

• Control authorisation schemes;

• Differentiated access rights (profiles, roles, transactions and objects);

• Monitoring and logging of accesses;

• Disciplinary action against employees who access Personal Data without authorisation;

• Reports of access;

• Access procedure;

• Change procedure;

• Deletion procedure;

• Encryption.

D. Disclosure access control

Technical and organisational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:

• Encryption/tunnelling;

• Logging;

• Transport security.

E. Availability control

Technical and organisational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include:

• Backup procedures;

• Cloud technology and Infrastructure as a service;

• Remote storage;

• Anti-virus/firewall systems;

• Disaster recovery plan.

F. Separation control

Technical and organisational measures to ensure that Personal Data collected for different purposes can be processed separately include:

• Separation of databases;

• “Internal client” concept / limitation of use;

• Segregation of functions (production/testing);

• Procedures for storage, amendment, deletion, transmission of data for different purposes.

ANNEX III: List of Sub-processors

The controller has authorised the use of the sub-processors identified here and as updated from time to time.

Name of Third Party Sub- Processor Country location of processing Service Lawful transfer mechanism

Microsoft United States Microsoft Hosting & Infrastructure

Database services Microsoft Azure (US East-Virginia Location)

• Cloud computing platform

• Application and data storage Standard Contractual Clauses

EU-US Data Privacy Framework

UK Extension to the EU-US Data Privacy Framework

Swiss-US Data Privacy Framework

OpenAI

United States Artificial intelligence services, including natural language processing and machine learning capabilities. Standard Contractual Clauses

Amazon Web Services United Kingdom

European Economic Area (EEA)

Other locations Cloud computing services used for hosting, data storage, and computing resources.

Amazon Textract:

• machine learning (ML) service for automatically extracting data from documents Standard Contractual Clauses

EU-US Data Privacy Framework

UK Extension to the EU-US Data Privacy Framework

Swiss-US Data Privacy Framework

SCHEDULE 2

APPENDIX TO STANDARD CONTRACTUAL CLAUSES FOR SWITZERLAND

With view to the applicability of data protection laws of Switzerland the Standard Contractual Clauses are supplemented as follows:

A. References to the General Data Protection Regulation (Regulation (EU) 2016/679) shall be understood as references to the Swiss Federal Data Protection Act;

B. the Federal Data Protection and Information Commissioner shall be designated as the supervisory authority pursuant to Clause 13(a);

C. the applicable law in Clause 17 for contractual claims regarding data transfers under the Swiss Federal Data Protection Act shall be Swiss law;

D. in addition to the jurisdiction in Clause 18(b), claims concerning data processing under the Swiss Federal Data Protection Act shall be submitted to the jurisdiction of ordinary courts in Opfikon, Switzerland;

E. the reference to "courts of the Member State" in Clause 18(c) includes Swiss courts; and

F. until the entry into force of the totally revised Swiss Federal Data Protection Act of 20 September 2020, the term "personal data" shall also include data relating to legal entities.