‍Data Processing Addendum

1. Subject Matter and Duration.

a) Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Primer’s execution of the Agreement. All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.

b) Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or upon the date that the Parties sign this Addendum if it is completed after the effective date of the Agreement. Primer will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Primer’s obligations and Customer’s rights under this Addendum will continue in effect so long as Primer Processes Customer Personal Data.

2. Definitions.

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

a) “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protections Law(s)” may include, but is not limited to the GDPR and the CCPA.

b) “CCPA” means Section 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations.

c) “Customer Personal Data” means information about an identified or identifiable Individual, also referred to as "Personal Information," (or other substantially similar term) pursuant to Applicable Data Protection Laws, which is Processed under the terms of the Agreement. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Schedule A attached hereto.

d) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

e) “GDPR” means the EU General Data Protection Regulation 2016/679 and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom. References to “Articles” or “Chapters” of the GDPR will be construed accordingly.

f) “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).

g) “Platform Services” means Primer’s proprietary software-as-a-service platform as subscribed to by Customer under the Agreement. For clarity, Platform Services do not include any Customer Personal Data or other source data combined by Customer.

h) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

i) “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum. Processor is also a “service provider,” as that term is defined in the CCPA.

j) "SCCs” means the standard contractual clauses for international transfers annexed to the European Commission’s commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable.

k) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Primer.

l) “Subprocessor” means any Processor having access to Customer Data and engaged by Primer to deliver the Platform Services under the Agreement.

m) Transfer” means the transfer of Customer Personal Data outside the United Kingdom or EU/European Economic Area (“EEA”).

n) “UK GDPR” means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

o) “UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office on March 21, 2022.

3. Data Use and Processing.

a) Relationship of the Parties. Primer shall process Customer Personal Data for the Permitted Purpose as a processor on behalf of Customer as the controller. For purposes of the CCPA (where applicable), Primer shall process Customer Personal Data as a Service Provider for Customer as a Business.

b) Compliance with Laws.  Each party shall comply with its obligations under Data Protection Laws in respect of any Customer Personal Data it processes under this DPA.

c) Processing Instructions. Primer shall process Customer Personal Data in accordance with Customer’s documented lawful instructions, unless obligated to do otherwise by applicable law, in which case Primer will notify Customer (unless that law prohibits Primer from doing so on important grounds of public interest). For these purposes, Customer instructs Primer to process Customer Data for the purposes described in Schedule A (the “Permitted Purpose”, which, where CCPA applies, is a business purpose). The DPA and the Agreement are Customer's complete and final instructions. Any additional or alternate instructions must be consistent with the terms of the DPA and the Agreement. Without prejudice to subsection (e) below (Customer Responsibilities), Primer shall promptly notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any processing instructions from Customer violates Applicable Data Protection Laws (but without obligation to actively monitor Customer's compliance with Applicable Data Protection Law) and in such event Primer shall not be obligated to undertake such processing until such time as the Customer has updated its processing instructions and Primer has determined that the incidence of non- compliance has been resolved.

d) Customer Responsibilities. Customer shall, in its use of the Platform Services and provision of instructions, do so in accordance with Applicable Data Protection Laws. Customer is solely responsible for: (i) the accuracy, quality, and legality of the Customer Personal Data, (ii) the means by which Customer acquired such Customer Personal Data; and (iii) the instructions it provides to Primer regarding the processing of such Customer Personal Data. Customer shall ensure (i) that it has provided notice and obtained (or will obtain) all consents and rights necessary for Primer to process Customer Personal Data pursuant to the Agreement and this DPA, (ii) its instructions are lawful and that the processing of Customer Personal Data in accordance with such instructions will not violate applicable Applicable Data Protection Laws, and (iii) where the CCPA applies, that the Customer Data is provided to Primer in order to perform the Platform Services for a valid Business Purpose only.

e) CCPA. As used in this Section 3(e) and elsewhere in this Addendum in reference to the CCPA, "Business Purpose”, “Collects”, "Consumer”, "Sell”, “Share” and "Service Provider” have the meanings assigned to them in the CCPA. If Primer is processing Customer Personal Data within the scope of the CCPA (“CCPA Personal Data”), the Parties agree as follows with respect to such CCPA Personal Data. CCPA Personal Data is disclosed by Customer only for limited and specified purposes of providing the Platform Services to Customer pursuant to the terms of the Agreement. Each party agrees to comply with applicable obligations under CCPA and shall provide the same level of privacy protection to CCPA Personal Data as required by CCPA. Primer will not Sell or Share CCPA Personal Data it Collects pursuant to the Agreement. Primer agrees not to retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement for any commercial purpose other than for the Business Purposes specified in the Agreement or as otherwise permitted by the CCPA. Primer will not retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement outside of the direct business relationship between Primer and Customer, unless expressly permitted by the CCPA. Customer shall have the right to take reasonable and appropriate steps to help ensure that Primer uses the CCPA Personal Data Collected pursuant to the Agreement in a manner consistent with its obligations under the CCPA. Primer shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA. Upon such notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Personal Data. Notwithstanding the foregoing, as permitted under the CCPA, Primer may retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement (i) for the specific Business Purpose(s) set forth in the Agreement that is required by the CCPA, (ii) to retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CCPA, (iii) for internal use by Primer to build or improve the quality of its services it is providing to Customer, even if this Business Purpose is not specified in the Agreement, provided that Primer does not use CCPA Personal Data to perform services on behalf of another person, (iv) to prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement, or (v) for the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7). Primer will enable Customer to comply with Consumer requests made pursuant to the CCPA. Customer will inform Primer of any Consumer request pursuant to the CCPA that Primer must comply with and will provide all information necessary for Primer to comply with the request. If Primer receives a request to know or a request to delete from a consumer with respect to CCPA Personal Data, the Primer shall either act on behalf of Customer in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.

f) Authorization to Use Subprocessors. To the extent necessary to fulfill Primer’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes Primer to engage Subprocessors in providing the Platform Services. Any Processing by Subprocessors of Customer Personal Data shall be consistent with Customer’s documented instructions and comply with all Applicable Data Protection Law(s).

g) Primer and Third Party Compliance. Primer agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors (and their sub-processors) data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for Primer’s Subprocessors’ (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.

h) Right to Object to Subprocessors. Primer shall make available to Customer a list of Subprocessors that Process Customer Personal Data upon reasonable request. Prior to engaging any new Subprocessors that Process Customer Personal Data, Primer will notify Customer via email and allow Customer at least fifteen (15) days to object. Where Customer has a reasonable basis to object to a new Subprocessor, Customer must promptly contact Primer within the objection period and provide documentary evidence that reasonably shows that the proposed Subprocessor does not or cannot comply with the requirements of this Addendum. In such event, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, either Party may terminate the part of the service performed under the Agreement that cannot be performed by Primer without use of the objectionable Subprocessor with at least 30 days prior written notice to the other Party. During such notice period, Primer may suspend the affected portion of the Platform Services. Primer shall refund any pre-paid fees to Customer in respect of the terminated part of the Platform Services. If Customer does not raise a legitimate objection within the 15-day period stated above, Customer will be deemed to have approved the new Subprocessor.

i) Personal Data Inquiries and Requests. Primer agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”) related to the processing of Customer Personal Data for the Permitted Purpose.

j) Data Protection Impact Assessment and Prior Consultation. To the extent required under Applicable Data Protection Laws, Primer will provide requested information regarding the Platform Services necessary to enable Customer to carry out data protection impact assessments and prior consultations with data protection authorities.

k) Demonstrable Compliance. Primer agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request.

k) Demonstrable Compliance. Primer agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request.

4. Cross-Border Transfers of Personal Data.

Customer authorizes Primer and its Subprocessors to Transfer Customer Personal Data across international borders, including from the European Economic Area to the United States. Any cross-border transfer of Customer Personal Data subject to the GDPR must be supported by an approved adequacy mechanism:

a) Transfers from the EEA. Where a Transfer is made from the European Economic Area (“EEA”), the SCCs are incorporated into this DPA and apply to the transfer as follows:

i) with respect to Transfers from Customer to Customer, Module One applies where both Customer and Customer are Controllers, Module Two applies where Customer is a Controller and Customer is a Processor, and Module Three applies where both Customer and Customer are Processors;

ii) in Clause 7, the optional docking clause does not apply;

iii) in Clause 9(a) of Modules Two and Three, Option 2 applies, and the period for prior notice of subprocessor changes is set forth in Section 3(g) of this DPA;

iv) in Clause 11(a), the optional language does not apply;

v) in Clause 17, Option 1 applies with the governing law being that of Ireland;

vi) in Clause 18(b), disputes will be resolved before the courts in Dublin, Ireland;

vii) Annex I of the SCCs is completed with the information in Schedule A to this DPA;

viii) Annex II of the SCCs is completed with the information in Section 5 above of this DPA; and

ix) Annex III of the SCCs is completed with the information in Schedule B to this DPA.

b) Transfers from Switzerland. Where a Transfer is made from Switzerland, the SCCs are incorporated into this DPA and apply to the transfer as modified in Section 10(a) above, except that:

i) in Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Transfer is governed by the Swiss Federal Act on Data Protection;

ii) references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and

iii) references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).

c) Transfers from the UK. Where a Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer. The UK Transfer Addendum is completed with the information in Section 4(a) above, the Annexes to this DPA; and both “Importer” and “Exporter” are selected in Table 4.

d) Specific application of the SCCs. The following terms apply to the SCCs:

i) Customer may exercise its audit rights under the SCCs as set out in Section 7 below.

ii) Customer may appoint sub-processors under the SCCs as set out in Section 3 above.

iii) With respect to Transfers made to Customer, Customer may neither participate in, nor permit any sub-processor to participate in, any further Transfer unless the further Transfer is made in full compliance with Data Protection Laws and in accordance with applicable SCCs or an alternative legally compliant transfer mechanism adopted by the importer.

iv) If any provision of this Section 4 is inconsistent with any terms in the SCCs, the SCCs will prevail.

5. Information Security Program.

a) Primer agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Program”). Such measures shall include:

i) Pseudonymisation of Customer Personal Data where appropriate, and encryption of Customer Personal Data in transit and at rest;

ii) The ability to ensure the ongoing confidentiality, integrity, and availability of Primer’s Processing and Customer Personal Data;

iii) The ability to restore the availability and access to Customer Personal Data in the event of a physical or technical incident;

iv) A process for regularly testing, assessing and evaluating the effectiveness of the Customer’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

b) The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Service Provider will therefore evaluate the measures as implemented in accordance with this Section 5 on an on-going basis in order to maintain compliance with the requirements set out in this Section 5. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Applicable Data Protection Law(s) or by data protection authorities of competent jurisdiction.

c) Additionally, Service Provider agrees that, at least annually, an independent, reputable, third-party firm will investigate and prepare a SSAE 18 Type II, specifically a SOC 2 Type II, compliance report and certification (“SOC 2”), and that the SOC 2 will be made available to Company upon request.

6. Security Incidents.

a) Security Incident Procedure. Primer will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability of or access to Customer Personal Data in a timely manner.

b) Notice. Primer agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than seventy-two (72) hours) to Customer if it becomes aware that a Security Incident has taken place. Primer will provide information relating to the Security Incident to Customer promptly as it becomes known or as is reasonably requested by Customer to fulfill Customer’s obligations as controller. Primer will also take appropriate and reasonable steps to contain, investigate, and mitigate any Security Incident.

7. Audits.

a) Right to Audit; Permitted Audits. Primer will make available information to Customer at Customer’s request which is necessary to demonstrate compliance with this Addendum and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer on reasonable, legitimate grounds, not more than once annually. Primer will provide for such audits by allowing Customer to review confidential summary reports ("Audit Report") prepared by third-party security professionals at Primer's selection and expense. If Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Primer to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Primer’s clients or suppliers, Primer's proprietary technology or any trade secrets; and (ii) be subject to Section 7(b) below.

b) Audit Terms. Any audits described in this Section shall be:

i) Conducted by Customer or its regulator, or through a third party independent contractor selected by one of these parties.

ii) Conducted during Primer’s local business hours.

iii) To the extent possible, conducted upon reasonable advance notice to Primer of at least 60 days.

iv) Of reasonable duration and shall not unreasonably interfere with Primer’s day-to-day operations.

c) Third Parties. In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Primer’s and Primer’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.

d) Audit Results. Upon Primer’s request, after conducting an audit, Customer shall notify Primer of the manner in which Primer does not materially comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, Primer shall make any necessary changes to ensure compliance with such obligations at its own expense. The results of any such audit shall be considered Primer’s Confidential Information.

8. Data Deletion.

Promptly upon Customer’s request, or within thirty (30) days after the termination or expiration of the Agreement, Primer shall delete or return Customer Personal Data in its possession or control. This requirement shall not apply to the extent Primer is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data Primer shall securely isolate and protect from any further processing, except to the extent required by such laws.

9. Liability.

For the avoidance of doubt, Primer’s total overall liability for all claims arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under the Agreement and this Addendum together, and is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Applicable Data Protection Laws.

10. Updates.

Primer may from time to time make changes to this Addendum where (a) the change is required to comply with an Applicable Data Protection Laws; (b) in connection with a merger, acquisition or similar transaction; or (c) the change is commercially reasonable and does not materially reduce the security of the Platform Services.

SCHEDULE A
Details of Processing

SCHEDULE B
Subprocessor List

Amazon Web Platform Services
Google Cloud
Sutro Labs Inc. dba Census