General Data Protection Regulation (GDPR) Compliance
This page outlines the measures taken by ChatSites LLC to comply with the GDPR. Our commitment is to protect the privacy and security of our users' data.
Introduction
This Data Processing Addendum ("DPA") and the schedules to this DPA apply to the Processing of Client Personal Data on behalf of Client as identified on the Master Services Agreement (the "Client") in order to provide Services Client may have ordered from Rainmaker Bots.
This DPA forms part of the Master Services Agreement available at https://www.rainmakerbots.ai or such other location as the Master Services Agreement may be posted from time to time or such alternative agreement Client may have entered into with Rainmaker Bots pursuant to which Client has accessed Rainmaker Bots's Services, as defined in the applicable agreement (the "Agreement"). In the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail, unless the Agreement explicitly provides otherwise, identifying the relevant portion of the DPA that it is superseding.
For purposes of this DPA, Client and Rainmaker Bots agree that Client may be a Data Controller of Client Personal Data and Rainmaker Bots may be a Data Processor of such data, except when Client acts as a Data Processor of Client Personal Data, in which case Rainmaker Bots is a subprocessor. In the course of providing Services to Client pursuant to the Agreement, Rainmaker Bots may Process Client Personal Data on behalf of Client. Rainmaker Bots agrees to comply with the following provisions with respect to any Client Personal Data submitted by or on behalf of Client for the Services or collected and Processed through the Services.
1. Definitions
Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement or in the Applicable Data Protection Law.
- "Applicable Data Protection Law" refers to all laws and regulations applicable to Rainmaker Bots's Processing of Personal Data under the Agreement including, without limitation, the General Data Protection Regulation (EU 2016/679) ("GDPR").
- "Client Personal Data" means any Personal Data Processed by Rainmaker Bots on behalf of Client pursuant to or in connection with the Agreement, with the explicit exclusions of Client Feedback, the Personal Data of representatives of third party organizations such as those the Client wishes to procure from, and records of communications between Rainmaker Bots and Client.
- "CCPA" means the California Consumer Privacy Act 2018 Cal. Civ. Code 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Addendum.
- "Delete" means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and "Deletion" will be construed accordingly.
- "GDPR" means the EU General Data Protection Regulation 2016/679 and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom. References to "Articles" or "Chapters" of the GDPR will be construed accordingly.
- "Personal Data" shall have the meaning ascribed to it, or to substantially similar phrases, in Applicable Data Protection Law.
- "Services" means those services and activities to be supplied to or carried out by or on behalf of Rainmaker Bots for Client pursuant to the Agreement.
- "Transfer" means the transfer of Client Personal Data outside the United Kingdom or EU/European Economic Area ("EEA").
- "Subprocessor" means any third party appointed by or on behalf of Rainmaker Bots to Process Client Personal Data.
2. Processing of Client Personal Data
Rainmaker Bots will in the course of providing Services, including with regard to Transfers of Personal Data to a third country, Process Client Personal Data only on behalf of and under the documented Instructions of Client unless required to do so otherwise under Applicable Data Protection Law; in such a case, Rainmaker Bots will inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
Client is responsible for ensuring that:
- (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own Processing of Client Personal Data
- (b) it has, and will continue to have, the right to Transfer, or provide access to, Client Personal Data to Rainmaker Bots for Processing in accordance with the terms of the Agreement and this DPA.
Client appoints Rainmaker Bots as a Data Processor to Process Client Personal Data on behalf of, and in accordance with, Client's instructions:
- (a) as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services to Client (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits and abuse)
- (b) as necessary to comply with applicable law
- (c) as otherwise agreed in writing by the parties ("Permitted Purposes")
Client will ensure that its instructions comply with Applicable Data Protection Law. Client acknowledges that Rainmaker Bots is not responsible for determining which laws are applicable to Client's business nor whether Rainmaker Bots's provision of the Services meets or will meet the requirements of such laws.
3. Security
Rainmaker Bots will ensure that its employees (including subprocessors) who Process Client Personal Data for Rainmaker Bots or who have access to Client Personal Data are authorized to Process this Personal Data, and have undertaken to, or are contractually bound to, observe confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Natural Persons, Rainmaker Bots will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Art. 32 GDPR. This may include:
- the pseudonymization and encryption of Personal Data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services
- the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident
4. Subprocessing
Client agrees that Rainmaker Bots may use subprocessors to fulfill its contractual obligations under the Agreement.
Where Rainmaker Bots authorizes any subprocessor as described in this Section 4, Rainmaker Bots agrees to impose data protection terms on any subprocessor it appoints that require it to protect Client Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR.
Client provides a general consent for Rainmaker Bots to engage onward subprocessors, conditional on the following requirements:
- Any onward subprocessor must agree in writing to only Process data in a country that the European Commission has declared to have an "adequate" level of protection; or to only Process data on terms equivalent to the Standard Contractual Clauses, or pursuant to a Binding Corporate Rules approval granted by competent European data protection authorities
- Rainmaker Bots will restrict the onward subprocessor's access to Client Personal Data only to what is strictly necessary to provide the Services, and Rainmaker Bots will prohibit the subprocessor from Processing the Client Personal Data for any other purpose.
5. Data Rights Requests
Rainmaker Bots's Services provide Client with a number of self-service features, including the ability to rectify, delete, obtain a copy of, or restrict use of Client Personal Data, which may be used by Client to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the Rainmaker Bots Services at no additional cost.
In addition, upon Client's request, Rainmaker Bots will provide reasonable additional and timely assistance (at Client's expense only if complying with Client's request will require Rainmaker Bots to assign significant resources to that effort) to assist Client in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.
In the event that any request, correspondence, inquiry or complaint from a data subject, regulator or third party, including, but not limited to, law enforcement, is made directly to Rainmaker Bots in connection with Rainmaker Bots's Processing of Client Personal Data, Rainmaker Bots will inform Client, providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Rainmaker Bots will not respond to any such request, inquiry or complaint without Client's prior consent.
6. Personal Data Breach
Upon becoming aware of a Personal Data Breach, Rainmaker Bots will without undue delay and within forty-eight (48) hours inform Client and provide written details of the Personal Data Breach reasonably required to fulfill Client's notification obligations under Applicable Data Protection Law. Where possible, such details will include:
- The nature of the Personal Data Breach
- The categories and approximate number of data subjects concerned
- The categories and approximate number of Client Personal Data records concerned
- The likely consequences
- The measures taken or proposed to be taken to mitigate any possible adverse effects
7. DPIA and Consultation
Rainmaker Bots will provide reasonable assistance to Client in connection with data protection impact assessments, and prior consultations with Supervisory Authorities, which Client reasonably considers to be required of Client by Article 35 or 36 of the GDPR, with regard to Processing of Client Personal Data by Rainmaker Bots.
8. Return and Deletion of Client Personal Data
Within two (2) months after the expiry or termination of the Agreement, Rainmaker Bots will, upon Client's request, return all Client Personal Data to Client. Following the earlier of such request or the two (2) month period, Rainmaker Bots will destroy any Client Personal Data and any copies in Rainmaker Bots's control or possession and provide written confirmation once returned or destroyed.
9. De-Identified Data
"De-identified Data" means Client Personal Data that has been Processed such that it can no longer be linked to an identified or identifiable Natural Person, or a device linked to such person. Rainmaker Bots may Process Client Personal Data to create de-identified data for Rainmaker Bots's legitimate business purposes. De-identified data will not be considered Client Personal Data and Rainmaker Bots may retain such data at its discretion.
10. Audits
Rainmaker Bots will make available information to Client at Client's request which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Client or another auditor, as requested by Client on reasonable, legitimate grounds for suspecting a breach of this DPA.
11. International Data Transfers
Client authorizes Rainmaker Bots and its subprocessors to Transfer Client Personal Data across international borders, including from the UK or European Economic Area to the United States. Any international Transfer of Client Personal Data from the UK or European Economic Area to a Third Country must be supported by an approved EU adequacy mechanism. Rainmaker Bots and Client will use the Standard Contractual Clauses described in Schedule 2 as the adequacy mechanism supporting the Transfer and Processing of Client Personal Data.
12. Jurisdiction Specific Terms
Where Rainmaker Bots Processes Client Personal Data protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 3, the terms specified in Schedule 3 with respect to the applicable jurisdiction(s) ("Jurisdiction Specific Terms") apply in addition to the terms of this DPA. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence.
13. Liability
Client and Rainmaker Bots will each be separately liable to the other party for damages it causes by any breach of the clauses in this DPA. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party will be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its Applicable Data Protection Law.
14. Failure to Perform
In the event that changes in law or regulation render performance of this DPA impossible or commercially unreasonable, the Parties may renegotiate this DPA in good faith. If renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement in accordance with the Agreement's termination provisions.
15. Updates
Rainmaker Bots may update the terms of this DPA from time to time; provided, however, Rainmaker Bots will provide at least thirty (30) days prior written notice to Client when an update is required as a result of (a) the release of new products or services or material changes to any of the existing Services; (b) changes in Applicable Data Protection Law; or (c) a merger, acquisition, or other similar transaction. The then-current terms of this DPA are available at https://www.rainmakerbots.ai.
16. Duration and Survival
This DPA will become legally binding upon the Effective Date of the Agreement or upon the date that the Parties sign this DPA if it is completed after the effective date of the Agreement. Rainmaker Bots will Process Client Personal Data until the relationship terminates as specified in the Agreement. Any obligation imposed on Rainmaker Bots under this DPA in relation to the Processing of Client Personal Data will terminate when Rainmaker Bots no longer Processes Client Personal Data.
Schedules
Schedule 1: Client Personal Data Processing Details
Subject Matter of Processing:
The Processing will involve: the performance of the Services pursuant to the Agreement.
Duration of Processing:
The Processing will continue as set forth in the Agreement.
Categories of Data Subjects:
Client employees, contractors, agents, and/or representatives.
Special Categories of Personal Data:
None
Nature and Purpose of Processing:
Includes the following: The Processing activities performed by Rainmaker Bots will be as described in the Agreement.
Types of Personal Data:
Corporate contact information such as name, job title, email address, physical address and phone number.
Physical Location of Personal Data Processed by Rainmaker Bots:
- The data of US customers are stored in AWS data centers located in both Frankfurt, Germany, and within the United States.
- The data of EU customers are stored exclusively in AWS data centers located in Frankfurt, Germany.
Schedule 2: Cross Border Data Transfer Mechanisms
1. Definitions
- "EC" means the European Commission
- "EEA" means the European Economic Area
- "Standard Contractual Clauses" means, depending on the circumstances unique to Client, any of the following:
  - UK Standard Contractual Clauses, and
  - 2021 Standard Contractual Clauses
- "UK Standard Contractual Clauses" means the Standard Contractual Clauses for data controller to data processor transfers approved by the EC in decision 2010/87/EU ("UK Controller to Processor SCCs")
- "2021 Standard Contractual Clauses" means the Standard Contractual Clauses approved by the EC in decision 2021/914
2. Cross Border Data Transfer Mechanisms
2.1 Order of Precedence
In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence:
- (a) the applicable Standard Contractual Clauses as set forth in Section 2(ii) (UK Standard Contractual Clauses) or Section 2(iii) (2021 Standard Contractual Clauses) of this Schedule 2;
- (b) if (a) is not applicable, then other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.2 UK Standard Contractual Clauses
The parties agree that the UK Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data.
2.3 2021 Standard Contractual Clauses
The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission as providing an adequate level of protection for Personal Data.
For Module Two (Controller to Processor) and Module Three (Processor to Processor), where applicable:
- In Clause 7, the optional docking clause will not apply
- In Clause 9, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 5 (Sub-Processors) of this DPA
- In Clause 11, the optional language will not apply
- In Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law
- In Clause 18(b), disputes will be resolved before the courts of Ireland
Details for Annex I, Part A:
Data Exporter:
- Client
- Contact Details: The email address(es) designated by Client in Client's account via its notification preferences
- Data Exporter Role: As set forth in Section 2 (Processing of Personal Data) of this DPA
Data Importer:
- Rainmaker Bots, Inc.
- Contact details: Rainmaker Bots Privacy Team – support@rainmakerbots.ai
- Data Importer Role: Data Processor
- Address: 1044 Christie Vista SW, Edmonton, Alberta, Canada T6W4W8
Schedule 3: Jurisdiction Specific Terms
1. Australia
- The definition of "Applicable Data Protection Law" includes the Australian Privacy Principles and the Australian Privacy Act (1988)
- The definition of "Personal Data" includes "Personal Information" as defined under Applicable Data Protection Law
- The definition of "Sensitive Data" includes "Sensitive Information" as defined under Applicable Data Protection Law
2. Brazil
- The definition of "Applicable Data Protection Law" includes the Lei Geral de Proteção de Dados (LGPD)
- The definition of "Data Processor" includes "operator" as defined under Applicable Data Protection Law
3. Canada
- The definition of "Applicable Data Protection Law" includes The Federal Personal Information Protection and Electronic Documents Act (PIPEDA)
- Rainmaker Bots's subprocessors are third parties under Applicable Data Protection Law, with whom Rainmaker Bots has entered into a written contract that includes terms substantially similar to this DPA
4. Israel
- The definition of "Applicable Data Protection Law" includes the Protection of Privacy Law (PPL)
- The definition of "Data Controller" includes "Database Owner" as defined under Applicable Data Protection Law
- The definition of "Data Processor" includes "Holder" as defined under Applicable Data Protection Law
5. Japan
- The definition of "Applicable Data Protection Law" includes the Act on the Protection of Personal Information (APPI)
- The definition of "Personal Data" includes "Personal Information" as defined under Applicable Data Protection Law
- The definition of "Data Controller" includes "Business Operator" as defined under Applicable Data Protection Law
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this policy. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details:
Data Protection Officer (DPO): Rick Jewett
ChatSites LLC.
Email: support@chatsites.io
Address: 1715 N. Channing Mesa Arizona 85207 USA