Data Processing Addendum

"Applicable Data Protection Laws"

means all laws, regulations, and binding legal requirements relating to the privacy, protection, security, or processing of Personal Data, including, without limitation: (a) European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation ("GDPR"); (b) the UK Data Protection Act 2018 and the retained EU law version of the GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (c) the Swiss Federal Data Protection Act ("Swiss FDPA"); (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"); and (e) any other applicable privacy, data protection, or data security laws or regulations in any jurisdiction governing the Processing of Personal Data, as each may be amended, superseded, or replaced from time to time.

Common Terms

"Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" (and any analogous terms) will have the meaning(s) given in the Applicable Data Protection Laws, and terms such as "Process" and "Processed" shall be construed accordingly.

"Customer Affiliate"

means an entity that directly or indirectly controls, is controlled by, or is under common control with Customer, where "control" means ownership or control of more than 50% of the voting interests of the subject entity. Customer Affiliates are permitted to use the Services pursuant to the Agreement between Obvious and Customer, and the terms of this DPA shall apply to any Processing of Personal Data of Customer Affiliates as if such Customer Affiliate were the Customer hereunder.

"Customer Personal Data"

means Personal Data that Customer or any Customer Affiliate uploads or provides to Obvious as part of the Service and that is governed by this DPA.

"EEA"

means the European Economic Area.

"Restricted Transfer"

means a transfer of Customer Personal Data that is subject to restrictions under Applicable Data Protection Laws, including but not limited to: (a) a transfer of Customer Personal Data from the EEA, United Kingdom, or Switzerland to a country or territory outside of those jurisdictions which is not subject to an adequacy decision or adequacy regulations.

"SCCs"

means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.

"Service Provider"

has the meaning given in the CCPA and other Applicable Data Protection Laws for an entity that processes personal data on behalf of a business.

"Subprocessor"

means any third party, including any affiliate of the Processor, engaged by the Processor to Process Customer Personal Data on behalf of the Customer in connection with the Agreement. For clarity, a Subprocessor is a Processor engaged by another Processor to carry out specific Processing activities on behalf of the Customer, as contemplated by Article 28 of the GDPR and the UK GDPR.

"UK Addendum"

means the international data transfer addendum to the SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.

4.1 General Restrictions

Obvious will not:

• (a) retain, use, disclose, sell, or share (as those terms are defined in Applicable Data Protection Laws) Customer Personal Data for any purpose other than to provide the Services or as otherwise authorized in the Agreement;
• (b) retain, use or disclose Customer Personal Data for a commercial purpose or otherwise beyond the context of the direct business relationship between Obvious and Customer as set forth in the Agreement; or
• (c) combine Customer Personal Data received from or on behalf of Customer with Customer Personal Data Obvious receives from or on behalf of another person or which Obvious collects on its own except as permitted by Applicable Data Protection Laws and in accordance with Customer's documented instructions (including but not limited to as set out in the Agreement and this DPA).

4.2 Exceptions

Notwithstanding the foregoing provisions of Section 4.1, the restrictions in Section 4.1 shall not apply:

• (a) if Obvious is required to perform such actions by any applicable law to which Obvious is subject, in which case Obvious shall inform Customer of that legal requirement; or
• (b) to Obvious's Processing of de-identified, anonymized or aggregated data, or to the use of internal analytics that do not involve Customer Personal Data.

4.3 Certification

Obvious certifies that it understands the restrictions of this Section 4 and will comply with all Applicable Data Protection Laws.

14.1 Authorization for Restricted Transfers

Customer authorizes Obvious to transfer Customer Personal Data outside the EEA, the United Kingdom, Switzerland, or other relevant jurisdictions as necessary to provide the Services, subject to the requirements of Applicable Data Protection Laws. Obvious will ensure that any such transfer is made in compliance with Applicable Data Protection Laws, including but not limited to the GDPR and the UK GDPR, as applicable.

14.2 Transfer Mechanisms

If Obvious carries out a Restricted Transfer of Customer Personal Data, Obvious will implement appropriate safeguards for such transfers to that territory consistent with Applicable Data Protection Laws. These safeguards may include, but are not limited to:

• (a) Entering into the SCCs.
• (b) Entering into the UK Addendum.
• (c) Entering into the Swiss Addendum set forth in Exhibit 3.
• (d) Entering into any other contractual provisions or frameworks approved by a competent regulator or authority for cross-border Personal Data transfers.

14.3 Standard Contractual Clauses

The parties agree that to the extent that the Processing of Customer Personal Data involves a Restricted Transfer then the parties shall each comply with their respective obligations as set out in the SCCs and/or the UK Addendum, each incorporated herein by reference, and amended as follows:

• (a) The optional docking clause in Clause 7 does not apply.
• (b) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is as specified in Section 9 of this DPA.
• (c) In Clause 11, the optional language does not apply.
• (d) The parties agree that Module Two (Controller to Processor) of the SCCs applies where Customer is a Controller, and Module Three (Processor to Processor) of the SCCs applies where Customer is a Processor.
• (e) (SCCs only) In Clause 13(a) ('Supervision') and Annex I.C, Option 1 shall apply with the competent Supervisory Authority being the Irish Data Protection Commission.
• (f) (SCCs only) In Clause 17 (Option 1), the SCCs will be governed by the laws of Ireland.
• (g) (SCCs only) In Clause 18(b), disputes will be resolved in the courts of Ireland.
• (h) For the purposes of Annex I.A, the Customer shall be the data exporter and Obvious shall be the data importer.
• (i) For the purposes of Annex I.B, the description of transfer is set out at Exhibit 1.
• (j) For the purposes of Annex I.C, the technical and organizational measures are set out at Exhibit 2.

14.4 Assistance and Cooperation

If required by Applicable Data Protection Laws, Obvious will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant Supervisory Authorities, taking into consideration the nature of the Processing and Customer Personal Data.

Categories of Data Subjects

• Customer's Authorized Users (employees, contractors, agents)
• Customer's end users or customers
• Any other Data Subjects included or referenced in Customer content, Artifacts, or data uploaded into the Service by Customer or its Authorized Users

Categories of Customer Personal Data

Customer Personal Data may include but is not limited to:

• Identification data: first and last name, username, email address, phone number
• Professional data: employer, title and position, business contact information
• Account data: login credentials, account settings, user preferences
• Content data: any Personal Data contained within Artifacts, documents, workbooks, presentations, Projects, or other content created or uploaded by Customer
• Usage data: connection and/or localization data, IP addresses, device information, activity logs
• Special category Personal Data (if uploaded by Customer): as defined in Article 9 of the GDPR and/or UK GDPR, including but not limited to racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, and data regarding health, sex life, genetic data, or biometric data

Nature and Purpose of Processing

• Receiving Customer Personal Data: including collection, accessing, retrieval, recording, and data entry
• Holding Customer Personal Data: including storage, organization, and structuring
• Processing Customer Personal Data: including analysis, transformation, manipulation, and AI-assisted processing via the Agent
• Updating Customer Personal Data: including correcting, adaptation, alteration, alignment, and combination
• Sharing Customer Personal Data: including disclosure, dissemination, allowing access, or otherwise making available (within Customer's organization or to Permitted Third Parties as authorized by Customer)
• Deleting Customer Personal Data: including erasure and destruction

Duration of Processing and Retention of Customer Personal Data

Obvious will Process Customer Personal Data as long as required to conduct the Processing activities instructed in this DPA or by applicable laws and shall retain the Customer Personal Data as described in Section 5.

Frequency of Transfer

Continuous.

1. Physical and Environmental Security

Obvious, or Obvious's Subprocessors, implements measures designed to prevent unauthorized persons from gaining access to the Customer Personal Data Processing equipment (namely, database and application servers and related hardware). This shall be accomplished by:

• Following industry-standard guidelines provided by data centers*
• Securing the decentralized Customer Personal Data Processing equipment and personal computers via standard cloud data hosting providers*
• The data center where Customer Personal Data is hosted is secured by restricted access controls, and other security measures*
• Maintenance and inspection of supporting equipment shall only be carried out by authorized personnel*
• Endpoint monitoring for all Obvious-owned devices with mobile device management

2. Access Control (IT-Systems and/or IT-Application)

Obvious implements a roles and responsibilities concept with centrally-managed, industry standard SSO providers. Obvious implements an authorization and authentication framework including, but not limited to, the following elements:

• Role-based access controls
• Process to create, modify, and delete accounts implemented
• Access to IT systems and applications is protected by authentication mechanisms
• Access to IT systems and applications shall require, at least, multi-factor authentication for privileged accounts and federated single sign on where appropriate
• All access to Customer Personal Data is logged, monitored, and tracked
• Privileged access rights to IT systems, applications, and network services are only granted to individuals who reasonably need it to accomplish their tasks (least-privilege principle)
• Access rights of employees and external personnel to IT systems and applications is removed immediately upon termination of employment or contract

3. Availability Control

Obvious protects systems and applications against malicious software by implementing anti-malware solutions with industry-standard solutions built into all physical hardware. Obvious, and Obvious's Suppliers, defines, documents and implements a backup concept for IT systems, including:

• All Customer Personal Data is stored in multiple availability zones to protect against environmental threats (e.g., heat, humidity, fire), physical attacks, or accidents*
• Taking regular (daily) backup snapshots that allow for point-in-time rollback
• The restoration of Customer Personal Data from backups is tested regularly based on the criticality of the IT system or application

IT systems and applications in non-production environments are logically or physically separated from IT systems and applications in production environments.

4. Operations Security

• Obvious maintains and implements an Information Security Framework reflecting the measures described herein, which is regularly reviewed and updated, annually at minimum but quarterly by practice
• Employees of Obvious must complete annual security awareness and data privacy training
• Obvious logs security-relevant events, such as user management activities (e.g., creation, deletion), failed logons, changes on the security configuration of the system on IT systems and applications
• All critical vulnerabilities identified must be remediated within seven (7) days of identification

5. Transmission Controls

• Obvious administers IT systems and applications by using encrypted connections, with TLS and SSH
• Obvious protects the integrity of content during transmission by network protocols, such as TLS 1.2 or greater
• Obvious encrypts, or enables its Subprocessors to encrypt, Customer Personal Data that is transmitted over public networks
• Obvious uses secure Key Management Systems (KMS) to store secret keys in the cloud

6. Security Incidents

Obvious maintains and implements an incident handling process, including but not limited to:

• Records of security breaches
• Obvious notification processes according to legal standards
• An incident response scheme to address roles, responsibilities, communication strategies, specific procedures, and coverage of all critical system components

7. Asset Management, System Acquisition, Development and Maintenance

• Obvious identifies and documents information security requirements prior to the development and acquisition of new IT systems and applications
• Obvious establishes a formal process to control and perform changes to developed applications
• Obvious plans and incorporates security tests into the System Development Life Cycle of IT systems and applications

8. Human Resource Security

• A background check must be conducted for all employees and contractors that will Process Customer Personal Data and/or physically access Customer offices
• Background checks on hires must be conducted by a reputable third party and include criminal check and employment verification where permitted by applicable law and go back for seven (7) years where such records exist
• Employees with access to Customer Personal Data are bound by confidentiality obligations
• Employees with access to Customer Personal Data are trained regularly regarding data protection laws and regulations, annually at minimum

9. Cryptography

• Digital certificates are only accepted and trusted if the digital certificate was issued by a trusted certification authority
• Certificates are used and allocated to dedicated IT-systems and applications
• Obvious implements a process for the management and implementation of cryptographic keys, including rules and requirements to generate, store, backup, distribute, and revoke cryptographic keys

1. Interpretation

1.1 Where this Addendum uses terms that are defined in the SCCs, those terms will have the same meaning as in the SCCs. In addition:

• (a) "Swiss FDPA" means the Swiss Federal Act on Data Protection of 25 September 2020 (in force as of 1 September 2023), and the Swiss Ordinance on Data Protection of 31 August 2022, as each may be amended from time to time.
• (b) "FDPIC" means the Swiss Federal Data Protection and Information Commissioner.

1.2 This Addendum will be read and interpreted in light of the provisions of the Swiss FDPA, and so that it fulfills the intention for it to provide appropriate safeguards as required by Article 16 of the Swiss FDPA.

1.3 This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in the Swiss FDPA.

2. Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the SCCs or other related agreements between the parties, the provisions which provide the most protection to Data Subjects will prevail.

3. Amendments to the SCCs for Swiss Transfers

3.1 To the extent that any Processing of Customer Personal Data is exclusively subject to the Swiss FDPA, the SCCs as incorporated in Section 14.3 of this DPA are amended as follows:

• (a) References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss FDPA" and references to specific Article(s) of the GDPR are replaced with the equivalent Article or Section of the Swiss FDPA to the extent applicable.
• (b) References to Regulation (EU) 2018/1725 are removed.
• (c) References to the "European Union", "Union", "EU" and "EU Member State" are replaced with "Switzerland".
• (d) Clause 13(a) and Part C of Annex I are not used; the competent supervisory authority is the FDPIC insofar as the transfers are governed by the Swiss FDPA.
• (e) Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by the Swiss FDPA."
• (f) Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to the Swiss FDPA will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The parties agree to submit themselves to the jurisdiction of such courts."

3.2 The Swiss FDPA extends data protection rights to legal entities as well as natural persons. Accordingly, the protections under this DPA and the SCCs as amended by this Addendum shall apply to Personal Data of legal entities to the extent required by the Swiss FDPA.

4. Dual Application

4.1 To the extent that any Processing of Customer Personal Data is subject to both the Swiss FDPA and the GDPR, this DPA (including the SCCs as incorporated in Section 14.3) will apply:

• (a) as set forth in Section 14.3 with respect to transfers subject to the GDPR; and
• (b) as amended by Section 3 of this Swiss Addendum with respect to transfers subject to the Swiss FDPA, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under Section 3.1(e) of this Swiss Addendum.

5. Notifications

Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under the Swiss FDPA.