Data Protection Agreement (DPA)
Last updated: October 21, 2025
Aracor Services Data Protection Addendum
Last updated October 30, 2024
Introduction
This Data Processing Agreement (henceforth, “DPA”) forms an integral part of the service agreement (henceforth, “the Service Agreement”) concluded between the customer (henceforth, “Customer”) and Aracor Inc. (henceforth, “Aracor”). Customer and Aracor are each a “Party” and, collectively, the “Parties”.
This DPA (and Standard Contractual Clauses as applicable) shall be considered pre-signed by Aracor.
By entering into the Service Agreement, Customer is deemed to have signed the DPA and the Standard Contractual Clauses, as of the effective date of the Service Agreement.
Insofar as this DPA forms an integral part of the Service Agreement concluded between Customer and Aracor, it shall become effective on the Service Agreement’s effective date.
During the performance of its obligations according to the Service Agreement, Aracor may process Customer Personal Data. Insofar as Aracor is required to process Customer Personal Data pursuant to the Service Agreement, the Parties hereby agree that the terms of this DPA shall apply.
This DPA shall prevail over any other existing data processing agreement or similar arrangement between Aracor and the Customer that may already be in place.
Definitions
Capitalized terms used but not defined in this DPA will have the meanings provided in Aracor’s Service Agreement. The following defined terms are used in this DPA:
“Customer Data” means all Personal Data that are provided to Aracor by, or on behalf of, Customer through use of the Services.
“Data Protection Requirements” means any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data, including the GDPR and Local EU/EEA Data Protection Laws.
“DPA Terms” means the terms in the DPA and any Service-specific terms that specifically supplement or modify the privacy and security terms in the DPA for the Services. In the event of any conflict or inconsistency between the DPA and such Service-specific terms, the DPA terms shall prevail.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“Local EU/EEA Data Protection Laws” means any subordinate legislation and regulation implementing the GDPR.
“GDPR Terms” means the terms in Attachment 1, under which Aracor makes binding commitments regarding its processing of Personal Data as required by Article 28 of the GDPR.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Subprocessor” means other processors used by Aracor to process Customer Data as described in Article 28 of the GDPR.
Lower case terms used but not defined in this DPA, such as “personal data breach”, “processing”, “controller”, “processor”, “profiling”, “personal data”, and “data subject” will have the same meaning as set forth in Article 4 of the GDPR, irrespective of whether GDPR applies.
General Terms
Compliance with Laws
Aracor will comply with all laws and regulations applicable to its providing the Services. However, Aracor is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers. Aracor does not determine whether Customer’s data includes information subject to any specific law or regulation. All Security Incidents are subject to the Security Incident Notification terms below.
Customer must comply with all laws and regulations applicable to its use of the Services, including laws related to biometric data, confidentiality of communications, and Data Protection Requirements. Customer is responsible for determining whether the Services are appropriate for processing of information subject to any specific law or regulation and for using the Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third-party regarding Customer’s use of the Services.
Scope
The DPA Terms apply only to the processing of data in environments controlled by Aracor and Aracor’s subprocessors. This includes data sent to Aracor by the Services but does not include data that remains on Customer's premises or in any Customer selected third party operating environments.
Nature of Data Processing; Ownership
Aracor will use and otherwise process Customer Data only as described and subject to the limitations provided below (a) to provide Customer the Services in accordance with Customer’s documented instructions and (b) for business operations incident to providing the Services to Customer. As between the parties, Customer retains all right, title and interest in and to Customer Data. Aracor acquires no rights in Customer Data. This clause does not affect Aracor’s rights in software or services Aracor provides to Customer.
Processing to Provide Services to the Customer
For the purposes of this DPA, “to provide” the Services consists of:
• Delivering functional capabilities as configured, and used by Customer and its users, including providing personalized user experience;
• Troubleshooting (preventing, detecting, and repairing problems); and
• Keeping the Services up to date and performant, and enhancing user productivity, reliability, efficacy, quality, and security.
In each case, providing the Services is conducted in view of security obligations under Data Protection Requirements.
When providing the Services, Aracor will not use or otherwise process Customer Data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) market research aimed at creating new functionalities, services, or products or any other purpose, unless such use or processing is in accordance with Customer’s documented instructions.
Processing for Business Operations Incident to Providing the Services to Customer
For the purposes of this DPA, “business operations” means the processing operations authorized by Customer in this section.
Customer authorizes Aracor:
(i.) to create aggregated statistical, non-personal data from data containing pseudonymized identifiers (such as usage logs containing unique, pseudonymized identifiers); and
(ii.) to calculate statistics related to Customer Data
in each case without accessing or analyzing the content of Customer Data and limited to achieving the purposes below, each as incident to providing the Services to Customer.
Those purposes are:
• billing and account management;
• internal reporting and business modeling, such as forecasting, revenue, capacity planning, and product strategy; and
• financial reporting.
When processing for these business operations, Aracor will apply principles of data minimization and will not use or otherwise process Customer Data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) any other purpose, other than for the purposes set out in this section. In addition, as with all processing under this DPA, processing for business operations remains subject to Aracor’s confidentiality obligations and commitments under Disclosure of Processed Data.
Disclosure of Processed Data
Aracor will not disclose or provide access to any Customer Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law.
Aracor will not disclose or provide access to any Customer Data to law enforcement unless required by law. If law enforcement contacts Aracor with a demand for Customer Data, Aracor will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose or provide access to any Customer Data to law enforcement, Aracor will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.
Upon receipt of any other third-party request for Customer Data, Aracor will promptly notify Customer unless prohibited by law. If the request is valid, Aracor will attempt to redirect the third party to request the data directly from Customer.
Aracor will only disclose or provide access to any Customer Data as required by law provided that the laws and practices respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society and, as applicable, to safeguard one of the objectives listed in Article 23(1) of GDPR.
Aracor will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Customer Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data if Aracor is aware that the data is to be used for purposes other than those stated in the third party’s request.
In support of the above, Aracor may provide Customer’s basic contact information to the third party.
Processing of Personal Data; GDPR
All Customer Data processed by Aracor in connection with providing the Services is obtained as part of data generated, derived or collected by Aracor, including data sent to Aracor as a result of a Customer’s use of the Services.
Processor and Controller Roles and Responsibilities
Customer and Aracor agree that Customer is the controller of Customer Data and Aracor is the processor of such data, except when Customer acts as a processor of Customer Data, in which case Aracor is a subprocessor. When Aracor acts as the processor or subprocessor of Customer Data, it will process Customer Data only on documented instructions from Customer. Customer agrees that Customer’s Service Agreement (including this DPA’s Terms and any applicable updates), along with the service documentation and Customer’s use and configuration of features in the Services, are Customer’s complete documented instructions to Aracor for the processing of Customer Data. Information on use and configuration of the Service can be found in the Service Agreement or other agreement incorporating this DPA. Any additional or alternate instructions must be agreed to according to the process for amending Customer’s Service Agreement. In any instance where the GDPR applies and Customer is a processor, Customer warrants to Aracor that Customer’s instructions, including appointment of Aracor as a processor or subprocessor, have been authorized by the relevant controller.
To the extent Aracor uses or otherwise processes Customer Data subject to the GDPR for business operations incident to providing the Services to Customer, Aracor will comply with the obligations of an independent data controller under the GDPR for such use. Aracor accepts the added responsibilities of a data “controller” under GDPR for such processing to: (a) act consistent with regulatory requirements, to the extent required under GDPR; and (b) provide increased transparency to Customer and confirm Aracor’s accountability for such processing. Aracor employs safeguards to protect Customer Data in such processing, including those identified in Annex A of this DPA and those contemplated in Article 6(4) of the GDPR.
Processing Details
The parties acknowledge and agree that:
• Subject Matter. The subject-matter of the processing is limited to Customer Data within the scope of the section of this DPA entitled “Nature of Data Processing; Ownership” above and the GDPR.
• Duration of the Processing. The duration of the processing shall be in accordance with Customer instructions and the terms of the DPA.
• Nature and Purpose of the Processing. The nature and purpose of the processing shall be to provide the Services pursuant to Customer’s Service Agreement and for business operations incident to providing the Services to Customer (as further described in the section of this DPA entitled “Nature of Data Processing; Ownership” above).
• Categories of Data. The types of Customer Data processed by Aracor when providing the Services include: (i) Personal Data that Customer elects to include in Customer Data; and (ii) those expressly identified in Article 4 of the GDPR that may be generated, derived or collected by Aracor, including data sent to Aracor as a result of a Customer’s use of service-based capabilities. The types of Personal Data that Customer elects to include in Customer Data may be any categories of Personal Data identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR, including the categories of Personal Data set forth in Annex B.
• Data Subjects. The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and may include any other categories of data subjects as identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR, including the categories of data subjects set forth in Annex B.
Data Subject Rights; Assistance with Requests
Aracor will make available to Customer, in a manner consistent with the functionality of the Services and Aracor’s role as a processor of Personal Data of Data Subjects, the ability to fulfill Data Subject requests to exercise their rights under the GDPR. If Aracor receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with the Services for which Aracor is a data processor or subprocessor, Aracor will redirect the Data Subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Aracor shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.
Records of Processing Activities
To the extent the GDPR requires Aracor to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to Aracor and keep it accurate and up-to-date. Aracor may make any such information available to the supervisory authority if required by the GDPR.
Data Security
Security Practices and Policies
Aracor will implement and maintain appropriate technical and organizational measures to protect Personal Data, including within the scope of GDPR, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Annex A of this DPA sets forth the same measures.
Aracor may add industry or government standards at any time.
Data Access
Aracor employs least privilege access mechanisms to control access to Customer Data (including any Personal Data therein). Role-based access controls are employed to ensure that access to Customer Data required for service operations is for an appropriate purpose and approved with management oversight. Aracor maintains Access Control mechanisms described in the table entitled “Security Measures” in Annex A; and there is no standing access by Aracor personnel to Customer Data, and any required access is for a limited time.
Customer Responsibilities
Customer is solely responsible for making an independent determination as to whether the technical and organizational measures for the Services displayed in Annex A of this DPA meet Customer’s requirements, including any of its security obligations under applicable Data Protection Requirements. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Aracor provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.
Security Incident Notification
If Aracor becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data while processed by Aracor (a “Security Incident”), Aracor will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Notification(s) of Security Incidents will be delivered to Customer by any means Aracor selects, including via email. It is Customer’s sole responsibility to ensure Customer maintains accurate contact information with Aracor for each applicable Product and Professional Service. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
Aracor shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
Aracor’s notification of or response to a Security Incident under this section is not an acknowledgement by Aracor of any fault or liability with respect to the Security Incident.
Customer must notify Aracor promptly about any possible misuse of its accounts or authentication credentials or any security incident related to the Services.
Data Transfers and Location
Location of Customer Data
For the Services, Aracor will store Customer Data at rest within the US.
Aracor does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.
Data Transfers
Personal Data that Aracor processes on Customer’s behalf may not be transferred to, or stored and processed in, a geographic location except in accordance with the DPA and the safeguards provided below in this section. Taking into account such safeguards, Customer appoints Aracor to transfer Customer Data to any country in which Aracor or its Subprocessors operate and to store and process Personal Data to provide the Services, except as described elsewhere in the DPA.
In the event the Services are covered by more than one transfer mechanism, the transfer of Personal Data will be subject to one or more transfer mechanisms, as applicable, and in accordance with the following order of precedence: (a) an adequacy decision granted by the European Commission; (b) the EU Standard Contractual Clauses; (c) the EU Standard Contractual Clauses as modified and applicable under the Swiss data protection law; (d) the UK International Data Transfer Addendum; and, if none of (a), (b), (c), or (d) is applicable, then (e) other applicable data transfer mechanism permitted under applicable Data Protection Law. To the extent that Customer is located in the United States of America and is self-certified under the Data Privacy Framework, Aracor further agrees (i) to provide at least the same level of protection to any personal data as required by the Data Privacy Principles; and (ii) upon written notice, to work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of personal data. The same will apply to Sub-Processors certified under the Data Privacy Framework. Customer agrees to notify Aracor in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated.
Data Retention and Deletion
At all times during the term of Customer’s subscription or the applicable Terms of Service engagement, Customer will have the ability to access, extract and delete Customer Data stored in the Services.
Aracor will retain Customer Data that remains stored for 90 days after expiration or termination of Customer’s subscription. After the 90-day retention period ends, Aracor will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless authorized under this DPA to retain such data.
Processor Confidentiality Commitment
Aracor will ensure that its personnel engaged in the processing of Personal Data (i) will process such data only on instructions from Customer or as described in this DPA, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. Aracor shall provide periodic and mandatory data privacy and security training and awareness to its employees with access to Personal Data in accordance with applicable Data Protection Requirements and industry standards.
Notice and Controls on use of Subprocessors
Aracor may hire Subprocessors to provide certain limited or ancillary services on its behalf. Customer consents to this engagement. The above authorizations will constitute Customer’s prior written consent to the subcontracting by Aracor of the processing of Personal Data if such consent is required under applicable law.
Aracor is responsible for its Subprocessors’ compliance with Aracor’s obligations in this DPA. Aracor makes available information about Subprocessors in Annex C. When engaging any Subprocessor, Aracor will aim to ensure via a written contract that the Subprocessor may access and process Personal Data only to deliver the services Aracor has retained them to provide and is prohibited from using Personal Data for any other purpose. Aracor will aim to ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Aracor by the DPA, including the limitations on disclosure of Processed Data.
From time to time, Aracor may engage new Subprocessors. Aracor will give Customer notice and, as applicable, update the website and provide Customer with a mechanism to obtain notice of that update of any new Subprocessor with access to Personal Data.
California Consumer Privacy Act (CCPA)
If Aracor is processing Personal Data within the scope of the CCPA, Aracor makes the following additional commitments to Customer. Aracor will process Personal Data on behalf of Customer and will not retain, use, or disclose that data for any purpose other than for the purposes set out in the DPA Terms and as permitted under the CCPA, including under any “sale” exemption. In no event will Aracor sell any such data. These CCPA terms do not limit or reduce any data protection commitments Aracor makes to Customer in the DPA Terms, Service Agreement, or other agreement between Aracor and Customer.
How to Contact Aracor
If Customer believes that Aracor is not adhering to its privacy or security commitments, Customer may contact customer support. Aracor’s mailing address is: info@aracor.ai with a copy to kf@aracor.ai.
Annex A – Security Measures
Aracor will maintain for Personal Data the following security measures, which in conjunction with the security commitments in this DPA (including the GDPR Terms), are Aracor’s only responsibility with respect to the security of that data.
Domain: Organization of Information Security
Security Roles and Responsibilities. Aracor personnel with access to Personal Data are subject to confidentiality obligations.
Risk Management Program. Aracor performed a risk assessment before processing Personal Data. Aracor retains its security documents pursuant to its retention requirements after they are no longer in effect.
Domain: Asset Management
Asset Inventory. Aracor maintains an inventory of all media on which Personal Data are stored. Access to the inventories of such media is restricted to Aracor personnel authorized in writing to have such access.
Asset Handling
- Aracor classifies Personal Data to help identify it and to allow for access to it to be appropriately restricted.
Domain: Human Resources Security
Security Training. Aracor informs its personnel about relevant security procedures and their respective roles. Aracor also informs its personnel of possible consequences of breaching the security rules and procedures. Aracor will only use anonymous or redacted data in training.
Domain: Communications and Operations Management
Operational Policy. Aracor maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Personal Data.
Data Recovery Procedures
- Aracor stores copies of Personal Data and data recovery procedures in a different place from where the primary computer equipment processing the Personal Data are located.
- Aracor has specific procedures in place governing access to copies of Personal Data.
- Aracor reviews data recovery procedures at least every year.
- Aracor logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
Malicious Software. Aracor has anti-malware controls to help avoid malicious software gaining unauthorized access to Personal Data, including malicious software originating from public networks.
Data Beyond Boundaries
- Aracor encrypts Personal Data that is transmitted over public networks.
- Aracor restricts access to Personal Data in media leaving its facilities.
Event Logging. Aracor logs access and use of information systems containing Personal Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Domain: Access Control
Access Policy. Aracor maintains a record of security privileges of individuals having access to Personal Data.
Access Authorization
- Aracor maintains and updates a record of personnel authorized to access Aracor systems that contain Personal Data.
- Aracor deactivates authentication credentials that have not been used for a period of time.
- Aracor identifies those personnel who may grant, alter or cancel authorized access to data and resources.
- Aracor ensures that where more than one individual has access to systems containing Personal Data, the individuals have separate identifiers/log-ins.
Least Privilege
- Technical support personnel are only permitted to have access to Personal Data when needed.
- Aracor restricts access to Personal Data to only those individuals who require such access to perform their job function.
Integrity and Confidentiality
- Aracor instructs Aracor personnel to disable administrative sessions when leaving premises Aracor controls or when computers are otherwise left unattended.
- Aracor stores passwords in a way that makes them unintelligible while they are in force.
Authentication
- Aracor uses industry standard practices to identify and authenticate users who attempt to access information systems.
- Where authentication mechanisms are based on passwords, Aracor requires that the passwords are renewed regularly.
- Where authentication mechanisms are based on passwords, Aracor requires the password to be at least eight characters long.
- Aracor ensures that de-activated or expired identifiers are not granted to other individuals.
- Aracor monitors repeated attempts to gain access to the information system using an invalid password.
- Aracor maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
- Aracor uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
Network Design. Aracor has controls to avoid individuals assuming access rights they have not been assigned to gain access to Personal Data they are not authorized to access.
Domain: Information Security Incident Management
Incident Response Process
- Aracor maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
- For each security breach that is a Security Incident, notification by Aracor (as described in the “Security Incident Notification” section above) will be made without undue delay.
- Aracor tracks, or enables Customer to track, disclosures of Personal Data, including what data has been disclosed, to whom, and at what time.
Service Monitoring. Aracor security personnel verify logs at least every six months to propose remediation efforts if necessary.
Domain: Business Continuity Management
- Aracor maintains emergency and contingency plans for the facilities in which Aracor information systems that process Personal Data are located.
- Aracor’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Personal Data in its original or last-replicated state from before the time it was lost or destroyed.
Annex B – Data Subjects and Categories of Personal Data
Data subjects: Data subjects include the Customer’s representatives and end-users including employees, contractors, collaborators, and customers of the Customer. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by Aracor. Aracor acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:
• Employees, contractors and temporary workers (current, former, prospective) of Customer;
• Dependents of the above;
• Customer's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
• Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of Customer's services;
• Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the Customer and/or use communication tools such as apps and websites provided by the Customer;
• Stakeholders or individuals who passively interact with Customer (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the Customer);
• Minors; or
• Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
Categories of data: The personal data that is included in e-mail, documents and other data in an electronic form in the context of the Services. Aracor acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following categories in the personal data:
• Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
• Authentication data (for example user name, password or PIN code, security question, audit trail);
• Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
• Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
• Pseudonymous identifiers;
• Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);
• Commercial Information (for example history of purchases, special offers, subscription information, payment history);
• Internet activity (for example browsing history, search history);
• Any other personal data identified in Article 4 of the GDPR.
Annex C – List of Subprocessors
To support delivery of our Services, Aracor may engage and use data processors with access to certain Customer Data (each, a "Subprocessor"). This page provides important information about the identity, location and role of each Subprocessor.
Subprocessors
Aracor currently uses subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any subprocessor, Aracor performs due diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations. Agreements are executed on terms that offer privacy guarantees no less protective than those at Aracor.
Entity Name | Location of Subprocessors | Additional Details
Microsoft Azure | USA | https://learn.microsoft.com/en-gb/compliance/regulatory/gdpr
Microsoft | Ireland | https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Zoom | USA | https://explore.zoom.us/en/gdpr/
Notion | USA | https://www.notion.so/notion/Data-Processing-Addendum-361b540101274b1fa7e16b90402b0d99
Qdrant | USA | https://cloud.qdrant.io/dpa
Slack | USA | https://slack.com/terms-of-service/data-processing
Sentry | USA | https://sentry.io/legal/dpa/?original_referrer=https%3A%2F%2Fwww.google.com%2F
Github | USA | https://docs.github.com/en/site-policy/privacy-policies
Figma | USA | https://www.figma.com/legal/privacy/
Webflow | USA | https://webflow.com/legal/privacy
Affiliates
Depending on the geographic location of a Customer or their Authorized Users, and the nature of the Services provided, Aracor may also engage one or more of its Affiliates as Subprocessors to deliver some or all of the Services provided to a Customer.
Updates
As our business grows and evolves, the subprocessors we engage may also change. We will provide notice of any new subprocessors by posting such updates here. Please check back frequently for updates.