SOFI DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the agreement for the subscription by the Customer to the SOFI Master Services Terms ("MST") between Mallowstreet Limited (“Mallowstreet”) and the person or entity who acquires the Service under the MST (“Customer”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data. All capitalised terms not defined herein will have the meaning set forth in the Master Services Terms.

DATA PROCESSING TERMS

In the course of providing Mallowstreet’s artificial intelligence and machine learning analytical software through SOFI (the "Service") to Customer pursuant to the MST, Mallowstreet may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions with respect to Personal Data Processed by Mallowstreet as part of the Service for Customer.

DEFINITIONS

  1. "Data Protection Legislation" means all applicable statutes, laws, secondary legislation, rules, regulations and guidance from a Supervisory Authority (or its UK equivalent) relating to privacy, confidentiality, security, direct marketing or the protection of Personal Data or corporate data (including any national laws implementing any such legislation, including but not limited to the UK GDPR, the UK Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) and the EU GDPR).

  2. "Data Subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  3. "EU GDPR" means Regulation 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any successor laws arising out of the withdrawal of a member state from the European Union.

  4. "Personal Data" means any information relating to a Data Subject.

  5. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  6. "Personnel" means persons authorized by Mallowstreet to Process Customer's Personal Data.

  7. "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.

  8. "Mallowstreet Information Security Documentation" means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by Mallowstreet upon request and subject to adequate confidentiality arrangements.

  9. "UK GDPR" means the implementation of the EU GDPR into the laws of England and Wales, Scotland and Northern Ireland as amended from time to time.

DATA PROCESSING

  1. Scope and Roles. This DPA applies when Personal Data is Processed by Mallowstreet as part of Mallowstreet’s provision of the Service. In this context and for the purposes of the Data Protection Legislation, Customer is the data controller and Mallowstreet is the data processor.

  2. Subject Matter, Duration, Nature and Purpose of Processing. Mallowstreet processes Customer's Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the MST.

  3. Type of Personal Data and Categories of Data Subjects. Mallowstreet has no control over the type of Personal Data that Customer and users authorized by Customer upload to the Service. Accordingly, Mallowstreet has no control over the categories of Data Subjects that Customer's Personal Data relates to.

  4. Instructions for Mallowstreet's Processing of Personal Data. Mallowstreet will only Process Personal Data on behalf of and in accordance with Customer's instructions. Customer instructs Mallowstreet to Process Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the MST; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the MST. Customer undertakes to provide Mallowstreet with lawful instructions only. Mallowstreet will inform Customer immediately if, in Mallowstreet's opinion, an instruction infringes any provision under the Data Protection Legislation and will be under no obligation to follow such instruction until the matter is resolved in good faith between the parties. As required under the Data Protection Legislation, Customer will provide all necessary notices to relevant Data Subjects and secure all necessary permissions and consents from them, for the Processing of Personal Data by Mallowstreet pursuant to this DPA.

ASSISTANCE

  1. Taking into account the nature of the Processing, Mallowstreet will assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subjects' rights under the Data Protection Legislation. Mallowstreet will further assist Customer in ensuring compliance with Customer's obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer's data protection impact assessments and Customer's prior consultation with supervisory authorities, in relation to Mallowstreet's Processing of Personal Data under this DPA. Customer will reimburse Mallowstreet with reasonable costs and expenses incurred by Mallowstreet in connection with the administrative costs of complying with a subject access request only in circumstances where the request is repetitive, excessive or unfounded.

MALLOWSTREET PERSONNEL

  1. Limitation of Access. Mallowstreet will ensure that Mallowstreet’s access to Personal Data is limited to those Personnel who require such access to perform the MST.

  2. Confidentiality. Mallowstreet will impose appropriate contractual obligations upon its Personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Mallowstreet will ensure that its Personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training in their responsibilities and have executed written confidentiality agreements. Mallowstreet will ensure that such confidentiality agreements survive the termination of the employment or engagement of its Personnel.

SUB-PROCESSORS

  1. Mallowstreet may engage third-party service providers to process Personal Data on behalf of Customer ("Sub-Processors"). Customer hereby provides Mallowstreet with a general authorization to engage the Sub-Processors listed in Exhibit A to this Agreement.

  2. All Sub-Processors have entered into written agreements with Mallowstreet that bind them by substantially the same material obligations under this DPA.
  3. Where a Sub-Processor fails to fulfil its data protection obligations in connection with the Processing of Personal Data under this DPA, Mallowstreet will remain fully liable to Customer for the performance of that Sub-Processor’s obligations.
  4. Mallowstreet may engage with a new Sub-Processor ("New Sub-Processor") to Process Customer Personal Data on Customer's behalf. Customer may object to the Processing of Customer's Personal Data by the New Sub-Processor, for reasonable and explained grounds, within five (5) business days following Mallowstreet's written notice to Customer of the intended engagement with the New Sub-Processor. If Customer timely sends Mallowstreet a written objection notice, the parties will make a good-faith effort to resolve Customer's objection. In the absence of a resolution, Mallowstreet will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Sub-Processor to Process Customer's Personal Data.

DATA TRANSFER

  1. If Personal Data processed under this DPA is transferred from the UK or a country within the EEA to a country outside the EEA, the parties shall ensure that the Personal Data is adequately protected. To achieve this, the parties shall, unless agreed otherwise, rely on standard data protection clauses recognised in accordance with Data Protection Legislation or other appropriate safeguards in accordance with Article 46 of the UK GDPR.

SECURITY

  1. Controls. Mallowstreet will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer's Personal Data, pursuant to the Mallowstreet Information Security Documentation. Mallowstreet has been audited by a UKAS accredited auditor and certified to comply with the ISO27001 information security standard. Mallowstreet will not materially decrease the overall security of the Service during the term of providing the Service to the Customer under the MST.

PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION

  1. Mallowstreet will process Personal Data securely by means of appropriate technical and organisational measures and will notify Customer without undue delay, but not later than 48 hours, after becoming aware of a Personal Data Breach related to Customer's Personal Data which Mallowstreet, or any of Mallowstreet's Sub-Processors, Process. Mallowstreet's notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of Mallowstreet's data protection team, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Mallowstreet to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  2. Mallowstreet will work diligently, pursuant to its incident management policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will inform Customer accordingly.
  3. Mallowstreet's liability for a Personal Data Breach toward Customer and any third party is subject to the following limitations: (a) the Personal Data Breach is a result of a breach of Mallowstreet's information security obligations under this DPA; and (b) the Personal Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer (collectively "Customer Representatives"); (ii) Customer Representatives' instructions to Mallowstreet; (iii) willful, deliberate or malicious conduct by a third party; or (iv) acts of God or force majeure, including, without limitation, acts of war, terror, state-supported attacks, acts of state or governmental action prohibiting or impeding Mallowstreet from performing its information security obligations under the Agreement and natural and man-made disasters.

AUDIT AND DEMONSTRATION OF COMPLIANCE

  1. Mallowstreet will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the Data Protection Legislation in relation to the Processing of Personal Data under this DPA by Mallowstreet and its Sub-Processors.
  2. Mallowstreet will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Mallowstreet's obligations under this DPA. Mallowstreet may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Mallowstreet, at least forty-five (45) days in advance and will be performed not more than once a year (except for an audit following a Personal Data Breach); (ii) the auditor will execute a non-disclosure and non-competition undertaking toward Mallowstreet; (iii) the auditor will not have access to non-Customer data; (iv) Customer will make sure that the audit will not interfere with or damage Mallowstreet's business activities and information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the audit; (vi) Customer will receive only the auditor's report, without any Mallowstreet 'raw data' materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; (vii) at the request of Mallowstreet, Customer will provide it with a copy of the auditor's report; and (viii) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.

DELETION OF PERSONAL DATA

  1. At the choice of Customer, Mallowstreet will delete or return all Customer's Personal Data to Customer after the end of the provision of Services relating to Processing of Customer's Personal Data, and delete existing copies unless a law of the UK, European Union or an EU member state requires the storage of the Personal Data.

ANONYMIZED AND AGGREGATED DATA

  1. Mallowstreet may process data based on extracts of Personal Data in an aggregated and non-identifiable form, for Mallowstreet's legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Mallowstreet's discretion.

DISPUTE RESOLUTION

  1. The parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commence legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within two (2) business days after delivery of the notice, the receiving party will submit to the other party a written response. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.

TERM

  1. This DPA takes effect on the effective date of the MST to which it relates and will continue until the MST expires or is terminated.

COMPLIANCE

  1. Mallowstreet is responsible for making sure that all relevant Mallowstreet Personnel adhere to this DPA.
  2. Mallowstreet's compliance team can be reached at: Compliance@mallowstreet.com

Exhibit A

| Name of Sub-Processor | Type of Services | Data Centre |
|---|---|---|
| Microsoft Dynamics (CRM) | Hosting Services | UK |
| Microsoft Azure | Hosting Services | UK |
| Mongo | Database Services | UK Azure |
| AI Provider options: | | |
| Microsoft Azure OpenAI | AI Services | US |
| Amazon AWS Anthropic | AI services | US |
| Google Cloud Gemini | AI services | UK |
| Recall.ai | Virtual Meeting recording | Western Europe |
| AssemblyAI | AI Transcription | Western Europe |