US Data Processing Agreement
This US Data Processing Agreement (“US DPA”) is governed by and hereby attached to the Agreement. Capitalized terms used but not defined in this US DPA shall have the meanings assigned to them in the Agreement or under US Data Protection Laws. Unless the context indicates otherwise, the terms “Services” and “Factoring Services” shall be deemed to have the same meaning and may be used interchangeably. In the event of a conflict between this US DPA and the Agreement, the US DPA shall prevail as to the subject matter of the conflict.
1. DEFINITIONS
1.1. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Personal Data”, “Personal Information”, “Processing” or “Processor”, “Sale”, “Sell” and “Share”, “Sensitive Data”, “Service Provider” shall all have the same meanings as ascribed to them under the U.S. Data Protection Laws. “Personal Data” shall include “Personal Information” under this U.S. DPA, and a “Controller” shall include a “Business” and a “Processor” shall include and refer to a “Service Provider” under this US DPA.
1.2. “Customer Data” means the Personal Data related to the Customer Data (as defined in the Agreement) shared and processed by the parties under the Agreement.
1.3. “Merchant Information” means the Personal Data related to the Merchant Information (as defined in the Agreement) shared and processed by the parties under the Agreement, excluding any such Personal Data processed by Flex in the role of a data controller, or business, as applicable.
1.4. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.5. “US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this US DPA, and any implementing regulations and amendments thereto, including without limitation, the Federal Consumer Act, the Gramm-Leach-Bliley Act (Title 15, Chapter 94 of the U.S. Code) (“GLBA”); and applicable state laws, including without limitation: (i) California Consumer Privacy Act of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time (“CCPA”); (ii) the Colorado Privacy Act (“CPA”); (iii) the Connecticut Data Privacy Act (“CTDPA”); (iv) Delaware Personal Data Privacy Protection Act (“DPDPA”); (v) the Florida Digital Bill of Rights (“FDBR”); (vi) the Indiana Consumer Data Protection Act (“ICDPA”); (vii) the Iowa Consumer Data Protection Act (“ICDPA”); (viii) the Kentucky Consumer Data Protection Act (“KCDPA”); (ix) the Maryland Online Consumer Privacy Act (“MOCPA”); (x) the Minnesota Consumer Data Privacy Act (“MCDPA”); (xi) the Montana Consumer Data Privacy Act (“MTCDPA”); (xii) the Nebraska Data Privacy Act (“NDPA”); (xiii) the New Hampshire Data Privacy Protection Act (“NHDPA”); (xiv) the New Jersey Data Protection Act (“NJDPA”); (xv) the Oregon Consumer Data Privacy Act (“OCDPA”); (xvi) the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”); (xvii) the Texas Data Privacy and Security Act (“TDPSA”); (xviii) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq. (“UCPA”); (xix) the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (together, the “Washington and Nevada Consumer Health Data Laws”); and (xx) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392) (“VCDPA”).
2. ROLES; COMPLIANCE WITH LAWS
2.1. With respect to the Processing of Customer Data or Merchant Information, the parties agree and acknowledge that Merchant is the Controller, and Flex is the Processor. However, each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the US Data Protection Laws.
2.2. The subject matter, duration, nature and purpose of the Processing, types of Personal Data Processed, and categories of Data Subjects are as described in the table in Section 11 below.
3. FLEX OBLIGATIONS
3.1. Flex shall process the Customer Data or Merchant Information only on behalf of and under the instructions of the Merchant, for the limited Business Purpose outlined under the table in Section 11 below, in accordance with US Data Protection Laws, and shall not: (i) Sell Customer Data or Merchant Information or otherwise make Customer Data or Merchant Information available to any third party for monetary or other valuable consideration; (ii) Share Customer Data or Merchant Information with any third party for cross-context behavioural advertising; (iii) retain, use or disclose the Customer Data or Merchant Information for any purpose other than for a Business Purpose or as specified in the Agreement; (iv) combine the Customer Data or Merchant Information with other Personal Data that it receives from, or on behalf of, another merchant, or collects independently; (v) process any Personal Data that Flex is aware, or should have known, was created, received or generated unlawfully and shall notify Merchant immediately upon becoming aware. Without limiting the foregoing, Flex will notify Merchant if it determines that it can no longer meet its obligations under applicable Data Protection Laws. Flex hereby certifies that it understands the restrictions in the applicable US Data Protection Laws and will comply with them.
3.2. To the extent applicable, Flex will take reasonable measures to ensure that de-identified data cannot be associated with an individual and will publicly commit to maintain de-identified data only in a de-identified form and not attempt to re-identify it.
3.3. Flex shall ensure that each person processing Personal Data is subject to a duty of confidentiality with respect to the data.
3.4. At the written direction of Merchant, Flex shall delete or return all Customer Data or Merchant Information as requested at the end of the provision of the services under the Agreement, unless retention of the personal data is required by law.
3.5. Flex shall, taking into account the context of the processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
4. CONSUMER REQUESTS
4.1. Flex shall provide assistance, as Merchant may reasonably request, where and to the extent applicable, in connection with any obligation by Merchant to respond to Consumer’s requests for exercising their rights under the US Data Protection Laws.
5. SUB-PROCESSORS
5.1. The Merchant acknowledges that Flex may transfer Customer Data or Merchant Information to and otherwise interact with third-party sub-processors or sub-contractors (“Sub-Processor”). The Merchant hereby authorizes Flex to engage and appoint such Sub-Processors already engaged by Flex to Process Customer Data or Merchant Information, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf, and to engage an additional or replace an existing Sub-Processor to Process Customer Data or Merchant Information, subject to the provision of a thirty (30) days prior notice of its intention to do so to the Merchant (such notice can be provided through the Merchant account or through an email correspondence) (“Notice” and “Notice Period” respectively). In case the Merchant has not objected to the adding or replacing of a Sub-Processor within the Notice Period, such Sub-Processor shall be deemed approved by the Merchant. In the event the Merchant objects to the adding or replacing of a Sub-Processor within the Notice Period, Flex may, under Flex’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement where the Services cannot be reasonably provided under such circumstances, without liability to Merchant.
6. DATA PROTECTION ASSESSMENTS
6.1. Upon Merchant’s reasonable request, Flex will make available such information in Flex’s possession as reasonably necessary for Merchant to conduct and document data protection assessments in accordance with US Data Protection Laws. Merchant will have the right to: (i) take reasonable and appropriate steps to help ensure that Flex uses Customer Data in a manner consistent with Flex’s obligations under this US DPA and as required by US Data Protection Laws; and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Customer Data or Merchant Information under and as required by applicable US Data Protection Laws.
7. AUDIT
7.1. Flex shall maintain accurate written records of any and all the Processing activities of any Customer Data carried out under this US DPA and shall make such records available to the Merchant upon Merchant’s thirty (30) days prior written request, however no more than once per twelve (12) months of engagement (“Audit Reports”). The Audit Report provided shall be considered Flex’s Confidential Information and shall be subject to the corresponding confidentiality obligations or require a signed non-disclosure agreement.
7.2. Alternatively, in the event the Audit Report is reasonably determined as not sufficient for the purpose of demonstrating compliance, Flex shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Merchant or by Flex, information necessary to reasonably demonstrate compliance with this US DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Flex may object to an auditor appointed by the Merchant in the event Flex reasonably believes the auditor is not suitably qualified or is a competitor of Flex. Merchant shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Flex’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Flex shall agree to an Audit solely under the following terms: (i) a thirty (30) day prior written notice was provided; and (ii) restrict its findings only to information relevant to Customer Data or Merchant Information or an applicable Security Incident.
7.3. Nothing in this U.S. DPA will require Flex to either disclose to Merchant or its third-party auditor, or to allow Merchant or its third-party auditor to access: (i) any data of any other merchant of Flex; (ii) Flex’s internal accounting or financial information; (iii) any trade secret of Flex or its affiliates; (iv) any information that, in Flex’s reasonable opinion, could compromise the security of any of Flex’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Merchant or its third-party auditor seeks to access for any reason other than the good faith fulfilment of Merchant’s obligations under the US Data Protection Laws. No access to any part of Flex’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.
8. CERTIFICATION
8.1. Flex certifies that it understands the rules, requirements and definitions of the US Data Protection Laws and agrees to refrain from Selling or Sharing Personal Information. Flex acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for processing the Personal Information for a Business Purpose or as specified in the Agreement.
9. SECURITY INCIDENT
9.1. Flex will notify the Merchant upon becoming aware of any Security Incident involving the Customer Data or Merchant Information as required by the data breach provisions under the US Data Protection Laws. The notification regarding or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Flex of any fault or liability with respect to the Security Incident.
9.2. Flex will: (i) take reasonably necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) upon Merchant’s request, co-operate with the Merchant and provide the Merchant with such reasonable assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident and, if applicable, the obligation to notify the affected Consumers.
10. TERM AND TERMINATION
10.1. This US DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or as long as Flex Processes Customer Data.
10.2. Flex shall be entitled to terminate this US DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Merchant’s instructions or this US DPA infringes applicable legal requirements, provided Merchant did not provide updated instructions to cure such infringement within ten (10) days from receiving applicable notice from Flex.
11. DETAILS OF PERSONAL DATA
Consumer/Data Subject | The Merchant and the Merchant’s Customer |
---|---|
Type of Personal Data | Merchant Information will include solely Contact information and Customer Data, including: full name, email address, billing address, phone number; Date and place of birth, if applicable; Payment and repayment transaction information (including card number, expiry date, error or confirmation codes, credit card holder); Soft calls to the credit bureau, credit information; KYC information to the extent applicable, including date of birth, address, assets, partnerships and holdings, nationality, if applicable banking information; Transactions and purchases (items purchased, services purchased, IAP, etc.). |
Sensitive Personal Information | The KYC information and credit records may include, where applicable, information which constitutes ‘sensitive data’ or ‘sensitive personal information’ for the purposes of a US State Privacy Law. |
Business Purposes (permitted purposes) | Providing the Services as defined in the Agreement, including by transmitting, accessing, hosting, disclosing and sharing |
Duration | For as long as is necessary to provide the Service by Flex; provided there is no legal obligation to retain the Customer Data past termination or unless otherwise requested by the Merchant |