DATA PROTECTION ADDENDUM

This Data Protection Addendum (“DPA”) forms part of the agreement which hyperlinks to this DPA (as amended from time to time, the “Agreement”) between Nasdaq Private Market (“NPM”), and the contracting entities identified in the Agreement (each a “Party”, and collectively the “Parties”), and sets out to reflect the Parties’ agreement related to Processing of Personal Data. This DPA is effective as of the date the hyperlink to this DPA is incorporated into the Agreement.

NPM enters into this DPA on behalf of itself and, to the extent required under Privacy Laws, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “NPM” shall include NPM and NPM’s Affiliates.

WHEREAS this DPA stipulates the obligations of the Parties with respect to Personal Data (defined below) shared between the Parties, and shall manifest the purposes for which the Parties shall Process (as defined below) Personal Data in connection with the services covered by the Agreement. This DPA replaces any existing terms, addendums, or other attachments related to the Processing of Personal Data unless otherwise expressly stated in this DPA.

NOW THEREFORE, in consideration of the premises and the mutual covenants set forth herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree to the following terms regarding the data privacy and data security obligations applicable to the Processing of Personal Data.

1. Definitions

• “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
• “Data Subject” means an identified or identifiable natural person. 
• “EEA” means European Economic Area.
• “Standard Contractual Clauses” means the Commission Implementing Decision (EU) 2021/914 establishing Standard Contractual Clauses for data transfers to Third Countries (as amended, modified, or replaced from time to time); specifically, the applicable module within the Standard Contractual Clauses is MODULE ONE (Transfer Controller to Controller). For the avoidance of doubt, MODULE TWO (Transfer Controller to Processor), MODULE THREE (Transfer Processor to Processor), and MODULE FOUR (Transfer Processor to Controller) do not apply to this DPA.  “UK Standard Contractual Clauses” means the European Commission Standard Contractual Clauses for the Transfer of Personal Data from the Community to Third countries (Controller to Controller Transfers) (2004/915/EC) as adopted under the UK GDPR (excluding the illustrative commercial clauses) or such successor clauses as may be adopted by the UK.
• “Personal Data” means any information relating to a Data Subject; a Data Subject is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed under this DPA.
• “Privacy Laws” means any applicable data privacy, data protection, and/or data security laws, rules, and regulations, including, to the extent applicable, the European General Data Protection Regulation (the “GDPR”), the United Kingdom (UK) General Data Protection Regulation (the “UK GDPR”), and the California Consumer Privacy Act (“CCPA”).
• “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “Restricted Transfer” means a transfer of Personal Data from Company to NPM where such transfer would be prohibited by applicable Data Protection Laws in the absence of appropriate safeguards, including the Standard Contractual Clauses or UK Standard Contractual Clauses (as applicable).
• “Services” means the services provided by NPM (or NPM’s Affiliates, as the case may be) to Company under the Agreement.

All other capitalized terms not defined herein shall have the meaning set forth in the Agreement.

2. Processing Operations and Purpose

• 2.1 The Parties each agree that NPM is receiving Personal Data as an independent Data Controller in connection with the Agreement and shall have all related rights and obligations with respect to such Personal Data.

• 2.2 Company and Purchasers have complied with all applicable data privacy and/or marketing laws in their collection of the Personal Data, has all necessary rights in the Personal Data and has obtained any necessary consents in order to provide the Personal Data to NPM for the purposes described in the Agreement, including as necessary for NPM’s communications with the Data Subjects to whom such Personal Data relates.

• 2.3 The Parties agree that the disclosure of Company Personal Data and/or Purchaser Personal Data to NPM is not done for monetary or other valuable consideration, but is ancillary to the provision of the Services by NPM to Company, Purchasers and NPM shall not engage in the “sale” of such Company Personal Data or Purchaser Personal Data, as such term is defined by the CCPA.

• 2.4 NPM hereby represents and warrants that:

• 2.4.1 it will at all times comply with Privacy Laws, and otherwise ensure that the requirements of Privacy Laws are met in performing its obligations under the Agreement and this DPA;
  • 2.4.2 it will provide appropriate technical and organizational security measures to the Personal Data received from Company and Purchasers, including security measures designed to protect such Personal Data from potential Personal Data Breaches;
  • 2.4.3 it will provide appropriate notice to and, where required by Privacy Laws, obtain appropriate consents from Data Subjects about whom Personal Data relate, regarding its Processing of Personal Data as required by Privacy Laws; and
  • 2.4.4 to the extent required under applicable law, it will comply with any request by a Data Subject to access, change, delete, correct, or exercise related rights to Personal Data Processed pursuant to the Agreement, taking into account the nature of Processing, obligations under Privacy Laws, and Personal Data available to the Parties. 

3. Restricted Transfers

• 3.1 Standard Contractual Clauses. To the extent that Company or any Purchaser makes a Restricted Transfer to NPM (except for a Restricted Transfer subject to the UK GDPR which shall be governed by Section 3.4 below), the Parties agree that the Standard Contractual Clauses will apply to such Restricted Transfer. The Standard Contractual Clauses are incorporated by reference into this DPA, and the remaining details required under the Standard Contractual Clauses are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA. For purposes of the Standard Contractual Clauses, the Parties agree:

• 3.1.1 The optional language in Clause 11 (Redress) shall not apply;
  • 3.1.2 For Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead Supervisory Authority of the exporting Company entity, shall act as the competent Supervisory Authority;
  • 3.1.3 For Clause 17 (Governing Law), Option 2 shall apply and that, in the event that the law of the jurisdiction in which the data exporter is established does not allow for third-party beneficiary rights, the Standard Contractual Clauses shall be governed by the laws established in Section 15 of the Agreement; and
  • 3.1.4 For Clause 18 (Governing Law), any dispute arising from these Clauses shall be resolved by the courts determined in Section 15 of the Agreement.

• 3.2 Details of the Standard Contractual Clauses. The Personal Data Processing activities in Appendix 1 to the Standard Contractual Clauses will be such activities as necessary for NPM to perform the Services for Company and/or Purchaser(s) (as appropriate) as described in the Agreement. The categories of Data Subjects and categories of Personal Data in Appendix 1 to the Standard Contractual Clauses will be those provided by Company and/or Purchaser(s) (as appropriate) to NPM pursuant to the Services as set forth in Appendix 1 (Processing Details) to this DPA. The data security measures in Appendix 2 to the Standard Contractual Clauses will be those identified in Appendix 2 (Information Security Program) of this DPA.

• 3.3 Restricted Transfers From Non-EEA Jurisdictions; Conflicts. To the extent that the jurisdiction of the data exporter is not located in the European Economic Area or United Kingdom, but from which transfers of Personal Data would be Restricted Transfers, the Standard Contractual Clauses shall be deemed to be amended to remove references to the European Union and its laws and replace such references to the jurisdiction of the data exporter and that jurisdiction’s applicable Data Protection Laws. In the event of any inconsistency between the terms of the Standard Contractual Clauses and any terms of this DPA with respect to Restricted Transfers, the terms of the Standard Contractual Clauses will govern and control with respect to such Restricted Transfers.

• 3.4 Restricted Transfers Under UK GDPR; Conflicts.  To the extent that Company or any Purchaser makes a Restricted Transfer to NPM subject to the UK GDPR, the Parties agree, through March 20, 2022, the UK Standard Contractual Clauses will apply to such Restricted Transfer. The UK Standard Contractual Clauses are incorporated by reference into this DPA, and the remaining details required under the UK Standard Contractual Clauses are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA.  The categories of Data Subjects, purposes of transfer(s), recipients, and categories of Personal Data in Annex B to the UK Standard Contractual Clauses will be as set forth in Appendix 1 (Processing Details) to this DPA. In the event of any inconsistency between the terms of the UK Standard Contractual Clauses and any terms of this DPA with respect to Restricted Transfers subject to the UK GDPR, the terms of the UK Standard Contractual Clauses will govern and control with respect to such Restricted Transfers. For Restricted Transfers to NPM subject to the UK GDPR made from March 21, 2022 onwards, the Parties agree that the terms of the UK International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers, Version B1.0 (available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), in conjunction with the Standard Contractual Clauses, shall apply and that the content of the Tables therein and the remaining details required thereunder are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA. 

4. Other Provisions

• 4.1 The Agreement and this DPA shall apply only between the Parties and shall not confer any rights to any third parties.

• 4.2 Except as amended herein, all other terms of the Agreement shall remain unchanged and in full force and effect.

• 4.3 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, should this not be possible; (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.

• 4.4 In the event of a conflict between the terms of this DPA and the Agreement or Terms, then the terms of this DPA shall control.

APPENDIX 1 to the DPA

Processing Details

1. LIST OF PARTIES

DATA EXPORTER(S)
Name	Company, Purchaser(s) (if applicable) and their Affiliates
Address	The address for Company and Purchaser(s) (if applicable) as set forth in the Agreement
Contact person’s name, position and contact details	The contact details for Company and Purchaser(s) (if applicable) as set forth in the Agreement
Activities relevant to the data transferred under the Standard Contractual Clauses	Receipt of the Services
Signature and date	Company’s and each Purchaser’s (if applicable) signature and date on the DPA
Role (controller/processor)	Data Controller

DATA IMPORTER(S)
Name	NPM
Address	The address for NPM as set forth in the Agreement
Contact person’s name, position and contact details	Legal Department legal@npm.com
Activities relevant to the data transferred under the Standard Contractual Clauses	Performance of the Services
Signature and date	NPM’s signature and date on the DPA
Role (controller/processor)	Data Controller

2. DESCRIPTION OF THE TRANSFER

• 2.1 Categories of data subjects whose personal data is transferred

• Company personnel and representatives
• Company control person
• Beneficial owners
• Potential tender offer participants

• 2.2 Categories of personal data transferred

• Name
• Email address
• Postal Address (beneficial owners only)
• Date of Birth (beneficial owners only)
• Social security number or passport number (beneficial owners only)
• Government-issued identification (company control person only)
• Stock holdings information

• 2.3 Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

• None.

• 2.4 The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

• Multi-transfers

• 2.5 Nature of the processing

• Processing as necessary to facilitate the tender and participation in the tender.

• 2.6 Purpose(s) of the data transfer and further processing

•  To facilitate tender offering and market for company ownership interests.

• 2.7 The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

• As long as necessary for the purposes of processing or as may be required by applicable law.

• 2.8For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

3. COMPETENT SUPERVISORY AUTHORITY

• As provided in Section 3.1.2 of the DPA.

APPENDIX 2 to the DPA

Information Security Program

Taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons. NPM has implemented, and will maintain, a comprehensive written information security program (“Information Security Program“) with respect to the Personal Data transferred to or received by NPM in performance of the Services that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Company Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Company Personal Data.

In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Company Personal Data:

Measures of pseudonymization and encryption of personal data

• Access Controls – policies, procedures, and physical and technical controls to encrypt and decrypt Company Personal Data where appropriate.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

• Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Company Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Company Personal Data.

• Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Company Personal Data or systems that contain Company Personal Data, including a data backup plan and a disaster recovery plan.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

• Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Company Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.

• Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Company Personal Data or systems that contain Company Personal Data, including a data backup plan and a disaster recovery plan.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

• Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

Measures for user identification and authorization

• Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Company Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Company Personal Data or information relating thereto to unauthorized individuals.

• Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Company Personal Data and protect it from disclosure, improper alteration, or destruction.

Measures for the protection of data during transmission

• Storage and Transmission Security – technical security measures to guard against unauthorized access to Company Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Company Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.

Measures for the protection of data during storage

• Storage Media – policies and procedures to ensure that prior to any storage media containing Company Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Company Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Company Personal Data.

Measures for ensuring physical security of locations at which personal data are

Processed

• Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Company Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Company Personal Data

Measures for ensuring events logging

• Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

Measures for ensuring system configuration, including default configuration

• Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

Measures for internal IT and IT security governance and management

• Assigned Security Responsibility – The data importer will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. The data importer will inform the data exporter as to the person responsible for security.

• Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Company Personal Data, internal or external threats to the data importer or the Company Personal Data, and the data importer’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

Measures for certification/assurance of processes and products

• Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

• Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Company Personal Data, internal or external threats to the data importer or the Company Personal Data, and the data importer’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

Measures for ensuring data quality

• Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Company Personal Data and protect it from disclosure, improper alteration, or destruction.

Measures for ensuring limited data retention

• Device and Media Controls – policies and procedures on hardware and electronic media that contain Company Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Company Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Company Personal Data from electronic media before the media are made available for re-use.

• Storage Media – policies and procedures to ensure that prior to any storage media containing Company Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Company Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Company Personal Data.

Measures for ensuring accountability

• Security Awareness and Training – a security awareness and training program for all members of the data importer’s workforce (including management), which includes training on how to implement and comply with its Information Security Program

• Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

Measures for allowing data portability and ensuring erasure

• Device and Media Controls – policies and procedures on hardware and electronic media that contain Company Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Company Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Company Personal Data from electronic media before the media are made available for re-use.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

• NPM shall ensure Sub-Processors provide technical and organizational measures no less protective than those set forth in the DPA, including this Appendix 2 (Information Security Program).