
Data Protection Addendum.

Last Modified: 3rd October 2023

This Data Protection Addendum ("Addendum") forms part of the PERX Terms of Service ("Agreement").

The Client agreeing to the terms of this Addendum ("Client") and PERX ("Supplier") have entered into the Agreement (PERX Terms of Service and Order Form) governing the Client's use of the Service.

(i) PERX Rewards owned by EML Money DAC ("Supplier") having principal business address at 2nd Floor La Vallee House, Upper Dargle Road, Bray Co. Wicklow, Ireland and

(ii) The ("Client")

together referred to as the "Parties" and each a "Party".

This Addendum sets out the terms that apply to personal data processed by Parties in connection with the provision of the services under the Principal Agreement.

The terms used in this Addendum shall have the meaning set out in this Addendum. Capitalised terms not otherwise defined will have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

NOW THEREFORE, in consideration of the mutual obligations set out below, the Parties agree that the terms and conditions set out below are added as an Addendum to the Principal Agreement and shall function as a variation to the Principal Agreement on and from the Addendum Effective Date.

1. Definitions and Interpretation

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  • "Permitted Purpose(s) and Processing Operation(s)" means the purpose(s) of Processing Personal Data and related Processing operations that Parties, are permitted to undertake pursuant to this Addendum, as set out in Part A of Appendix 1 to this Addendum;
  • "Data Protection Laws" means any applicable data protection legislation, including but not limited to the European Economic Area and United Kingdom
  • "International Transfer" means a transfer of Personal Data to a third country or to an international organisation as defined by Data Protection Laws;
  • "Services" means the services to be supplied by Supplier pursuant to the Principal Agreement;
  • "Personal Data" as defined by Data Protection Laws, means Personal Data that is provided pursuant to the Principal Agreement or this Addendum by a Party to the other Party and Processed by that other Party;
  • "Sub-processor" means any person (including any third party) appointed by or on behalf of Processor to Process Personal Data on behalf of Controller in connection with this Addendum;
  • "Supervisory Authority" means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
  • The terms, "Controller", "Data Subject", "Processor", "Member State", "Personal Data", "Personal Data Breach", and "Process / Processing" shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

2. Roles of the Parties

2.1 Appendix 1 to this Addendum sets out the permitted purpose(s) of Processing Personal Data and related Processing operations, as well as the respective roles of the Parties, as either independent Controllers and/or Processors under applicable Data Protection Laws with respect to each Processing operation.

2.2 The Parties agree that:

2.2.1 where Supplier and Client each act as independent Controllers, each Party undertakes to comply with the provisions set out in clause 3 of this Addendum; and

2.2.2 where Supplier and Client each act as a Processor on behalf of the other Party, each Party undertakes to comply with the provisions set out in clause 4 of this Addendum.

3. Processing Personal Data as Independent Controllers

3.1 The Parties agree that, to the extent Supplier is acting as Controller in relation to Personal Data in respect of certain purposes set out in Part A of Appendix 1, it acts as a separate and independent Controller from Client for the purposes identified in Part A of Appendix 1, while the Client acts as a separate and independent Controller in respect of the same dataset for its own means and purposes defined by the Client itself.

3.2 Each Party undertakes:

3.2.1 to comply with its respective obligations under Data Protection Laws in respect of its Processing of Personal Data; and

3.2.2 to notify the other Party without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data.

4. Processing Personal Data as Processors

4.1 The Parties acknowledge that a Party may act as a Processor on behalf of the other Party under the Data Protection Laws in respect of certain purposes set out in Part A of Appendix 1. The Processor shall:

4.1.1 only Process the Personal Data for the Permitted Purposes and Processing Operations from time to time (unless otherwise permitted or required by Data Protection Laws to which Processor is subject, in which case Processor shall inform the Controller of that legal requirement before such Processing, unless that law prohibits such information). The details of the Personal Data to be Processed by the Processor are set out in Appendix 1 to this Addendum;

4.1.2 ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

4.1.3 be entitled to perform International Transfers, provided that Processor has taken the measures necessary to ensure the transfer is in compliance with applicable Data Protection Laws, including entering into a valid data transfer mechanism;

4.1.4 implement appropriate technical and organisational security measures set out in Appendix 2 of this Addendum to ensure a level of security appropriate to the risk;

4.1.5 notify the Controller without undue delay, upon the Processor becoming aware of or reasonably suspecting a Personal Data Breach. The Processor shall provide the Controller with sufficient information to allow the Controller to meet any obligations to assess and report a Personal Data Breach under the Data Protection Laws, which may be provided in stages as it becomes available to the Processor and shall include the following: (a) a description of the nature of the Personal Data Breach, including details of any Sub-processors involved, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; (b) the name and contact details of Processor's data protection officer or other relevant contact from whom more information may be obtained; (c) the likely consequences of the Personal Data Breach; and (d) the measures taken or proposed to be taken to address the Personal Data Breach;

4.1.6 cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, containment and remediation of each Personal Data Breach;

4.1.7 in the event of a Personal Data Breach relating to Personal Data, not inform any third party without first obtaining Controller’s prior written consent, unless notification is required by a law to which Processor is subject, in which case Processor shall to the extent permitted by such law (i) not refer to the Controller in any such notification, and (ii) inform Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by Controller before notifying the Personal Data Breach;

4.1.8 promptly notify Controller of any communication from a data subject regarding the Processing of Personal Data, or any other communication (including from a Supervisory Authority) relating to Controller’s obligations under Data Protection Laws in respect of the Personal Data and, taking into account the nature of the Processing, reasonably assist Controller by appropriate technical and organisational measures, as may be reasonably required, for the fulfilment of Controller’s obligation to respond to requests for exercising the data subject's rights;

4.1.9 subject to clause 4.1.10, be authorised to appoint Sub-processors as set out in Appendix 3 of this Addendum. Where Processor adds a new, or makes changes to, any Sub-processor, Processor shall inform Controller (including details of the processing it performs or will perform) of any intended changes concerning the addition or replacement of any Sub-processors at least sixty (60) days prior to the notified change, and Controller may object to any such change within thirty (30) calendar days after being notified. The Parties will then work together in good faith to attempt to find a commercially reasonable solution for Processor which avoids the use of the objected-to Sub-processor. If those efforts are unsuccessful, the Controller shall be entitled to terminate the Principal Agreement and this Addendum. This termination comes into effect upon the date of the appointment or replacement of the sub-processor in question;

4.1.10

  • (i) provide Controller with full details of the Processing to be undertaken by each Sub-processor;
  • (ii) include terms in the contract between Processor and each Sub-processor which are the same in all material respects and offer at least the same protection as in this Addendum;
  • (iii) ensure that any International Transfers are conducted lawfully under applicable Data Protection Laws; and
  • (iv) remain fully liable to Controller for any act or omission of its Sub-processor;

4.1.11 cease Processing the relevant Personal Data upon the termination or expiry of the Principal Agreement (“Relevant Date”) and promptly and in any event within 90 (ninety) calendar days of the Relevant Date, either return, or delete from its systems, Personal Data. If Controller does not inform Processor of its choice to require the return or deletion of such Personal Data within 90 (ninety) calendar days of the termination or expiry of the Principal Agreement, or if sooner, the service to which it relates, then Controller shall be deemed to have chosen the deletion of the Personal Data;

4.1.12 assist Controller with any data protection impact assessments which are required under Data Protection Laws and with any prior consultations to any Supervisory Authority of Controller which may be required; and

4.1.13 make available to Controller on request, all information necessary to demonstrate compliance with this clause 4 and shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller in relation to the Processing of Personal Data by the Processor. Processor shall permit Controller or another auditor mandated by Controller to inspect, audit and copy any relevant records, processes and systems in order that Controller may satisfy itself that the provisions of this Addendum are being complied with. Processor shall provide full cooperation to Controller in respect of any such audit and shall at the request of Controller provide Controller with evidence of compliance with its obligations under this Addendum.

5. Miscellaneous Provisions

5.1 This Addendum, together with all Appendices attached hereto and incorporated herein by reference, constitutes the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes all prior understandings and agreements relating to its subject matter. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements (including but not limited to the Principal Agreement) between the Parties, the provisions of this Addendum shall prevail with regard to the Parties’ obligations under the Data Protection Laws concerning the Processing of Personal Data.

5.2 Notices. Any general notice to be given to a Party under or in connection with this Addendum shall be in writing and shall be delivered:

  • (i) personally;
  • (ii) by a globally recognized overnight courier; or
  • (iii) by certified mail, postage prepaid, return receipt requested, or its equivalent.

Such notices shall be deemed given upon receipt.

If any such notice is sent via the mode of delivery listed as (ii) or (iii) within this Clause 5.2, any such notice shall be sent to the Party at the applicable address set forth below or to such other address as to which the Party has given written notice thereof. In the event of notices to be provided by any Party where time is of the essence in accordance with this Addendum as a result of:

  • (a) a Personal Data Breach;
  • (b) a Data Subject request; or
  • (c) an inquiry / communication from a Supervisory Authority,

such notices to be given by a Party to the other Party shall be emailed to the email address set forth below:

If to Supplier:

General Notices:

Data Protection Officer
EU-DPO@emlpayments.com

In the Event of Personal Data Breach:

EU-DPO@emlpayments.com

In the Event of Data Subject Rights request and/or inquiry from a Supervisory Authority:

EU-DPO@emlpayments.com

If to Client:

General Notices:

In the Event of Personal Data Breach:

In the Event of Data Subject Rights request and/or inquiry from a Supervisory Authority:

APPENDIX 1: DETAILS OF PROCESSING OF PERSONAL DATA

Part A: Permitted Purposes and Processing Operations

This Part A of Appendix 1 to the Addendum sets out the permitted purpose(s) of Processing Personal Data and related Processing operations, as well as the respective roles of the Parties, as either Controllers and/or Processors, under Data Protection Laws with respect to each Processing operation:

| Purpose of Processing / Processing Operation | Categories of Data Subjects | Categories of Personal Data | Role of Supplier (Controller / Processor) | Role of Client (Controller / Processor) |
|---|---|---|---|---|
| To conduct ‘due diligence’ / KYB procedures in respect of Client | Client representatives | Name; Contact details; Identity documents; Date of birth; Proof of address | Controller | N/A |
| Contract maintenance and management | Client representatives | Name; Contact details; Role/Job title; Signature; Contract content | Controller | N/A |
| To issue and provide Perx Reward Card to the Client’s Employees (Cardholders) | Cardholders | Name; Contact details; Reward card balance | Controller | Controller |
| Monitor and detect fraud, money laundering, counter terrorist financing and misuse of Supplier services in compliance with legal and regulatory obligations | Cardholders | Name; Contact details | Controller | N/A |
| Analyse, develop and improve Supplier products and services | Cardholders | Name; Contact details | Controller | N/A |

Part B: Description of Personal Data Processing and Transfer of Personal Data

1. Scope

1.1 This Part B of Appendix 1 to the Addendum contains the information concerning the Processing of Personal Data by a Party required for the purposes of:

  • (i) describing various elements of the Processing of Personal Data as required by Article 28(3) of the GDPR; and
  • (ii) compliance with any other applicable Data Protection Laws.

2. Subject Matter and Duration of the Processing of the Personal Data

2.1 The subject matter of the Processing of the Personal Data is set out in the Principal Agreement and this Addendum. The duration of the Processing of the Personal Data is hereby set as the duration of the Principal Agreement.

3. The Nature and Purpose of the Processing of Personal Data

3.1 Information concerning the purpose(s) of Processing the Personal Data and related Processing operations are those set out in Part A of this Appendix 1 to the Addendum.

3.2 The Personal Data Processed by Processor may be subject to some or all of the following types of Processing:

3.2.1 For all classes of Data Subjects:

  • collecting and recording the Personal Data;
  • hosting the Personal Data;
  • organizing the Personal Data;
  • adapting or altering the Personal Data;
  • analysing the Personal Data;
  • consulting or retrieving the Personal Data; and
  • disclosing or transferring the Personal Data.

4. The Categories of Data Subjects

4.1 The categories of Data Subjects are those set out in Part A of this Appendix 1 to the Addendum.

5. The Categories of Personal Data

5.1 The categories of Personal Data are those set out in Part A of this Appendix 1 to the Addendum.

6. The obligations and rights of the Parties

6.1 The obligations and rights of the Parties are set out in the Principal Agreement and this Addendum.

APPENDIX 2: TECHNICAL AND ORGANISATIONAL MEASURES

Where Supplier and Client act as a Processor in specific data processing scenarios (as described in Part A of Appendix 1 to the Addendum), they have agreed to implement the following technical and organisational measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

(a) Encryption and Storage - All data within the processing environment utilises the Pure Array data-at-rest encryption. The Pure Array uses AES-256 encryption. Key management is handled by the array.

(b) Confidentiality, Integrity and Availability - Supplier has designed and configured its card processing environment to protect the confidentiality, availability and integrity of the data and assets contained within it. All systems within the environment are configured to use high availability, RAID technology and redundant pairs, whichever is applicable for the system. Supplier utilises database replication between the primary and secondary data centres. Database backups are taken regularly and transferred to a secure location. The Supplier network employs a multi-tier firewall configuration, with next-generation firewalls, load balancers, network intrusion detection devices and web application firewalls protecting data while in transit. All data within the Supplier card processing environment is encrypted at rest. All logs within the card processing environment are collected and forwarded to the SIEM. Supplier has configured monitoring and alerting for all systems and applications within the card processing environment. Supplier monitors systems for security, application and performance events and performs quarterly benchmark reviews.

(c) Backup - The Supplier database has been configured in a multi-node availability group, with a mirror deployment of the servers within the secondary datacentre. Supplier has deployed multiple SANs within each datacentre to provide redundant storage. Full nightly backups are taken of the Supplier database and transferred to a remote server. Transaction log backups are taken every fifteen minutes and transferred to a remote server.

(d) Testing - Supplier performs web application security scans after every application release within the card processing environment. Internal vulnerability scans occur each month, while external vulnerability scans are performed each quarter. External, internal and application penetration tests are conducted twice a year. Supplier maintains multiple testing environments, both logically and physically separated from the development environment. Access to the testing environments is controlled using Active Directory user groups.

(e) User Identification and Authorisation - Access to the Supplier card processing environment is limited to authorised individuals on a need-to-access basis. Supplier performs access reviews after each user account is created and on a quarterly basis. All users are assigned unique usernames and must use strong, secure passwords which meet Supplier’s requirements. Accounts with access to the card processing environment must have multi-factor authentication enabled.

(f) Data during Transmission - Data transmitted in and out of the Supplier card processing environment utilizes modern, industry standard encryption methods to secure data in transit.

(g) Physical Access - Physical access to the Supplier card processing environment is limited to authorised employees. Supplier performs quarterly access reviews of all access to Supplier systems. Physical security is managed by data centre hosting providers.

(h) Logging - Supplier utilizes a centralised log aggregation product to analyse security event data and alerts when abnormal activity is detected.

(i) System Configuration - Supplier utilises defined, server hardening guidelines to ensure systems meet configuration standards. Systems within the Supplier card processing environment are subject to vulnerability and configuration assessments before being authorized for use. All changes to systems within Supplier are subject to the Supplier Change Control policy and must have prior approval before implementation. The Supplier card processing environment is subject to annual PCI DSS and SOC 1 Type 2 audits.

(j) Data Minimisation - Supplier limits data collection to data required to support its client programs, regulatory requirements, and requirements outlined by its partner banks.

(k) Data Quality - Supplier performs application monitoring and data integrity checks to ensure data quality. Data sanitisation techniques are utilised to ensure data entered into the Supplier system meets Supplier standards.

(l) Data Retention - The Supplier data retention policy has been developed to ensure Supplier fulfils its data retention requirements as a service provider.

(m) Accountability - All Supplier employees are assigned unique usernames. All systems within the Supplier card processing environment utilize centralized log aggregation. File integrity monitoring has been deployed within the Supplier card processing environment to detect the unauthorized modification of files. Logs are monitored and reviewed by the Supplier Information Security team.

(n) Data Portability - Supplier supports the individual right to data portability and erasure. Supplier has implemented documented procedures to ensure Supplier’s own regulatory requirements are fulfilled while ensuring individual rights are maintained.

APPENDIX 3: AUTHORISED SUB-PROCESSORS

List of approved Sub-processors for the purposes of clause 4.1.9 of this Addendum where Supplier is Processing Personal Data as Processor on behalf of Client.

| Full legal name of authorised Sub-processor | Address (including country) | Description of services being provided / purpose of Processing | Location | Transfer Mechanism |
|---|---|---|---|---|
| EML Group Companies | | | | |
| EML Money DAC | 2nd Floor La Vallee House, Upper Dargle Road, Bray Co. Wicklow, Ireland | Card Issuance, Card Program Management and Customer Support | Ireland | |
| EML Payments (EU) Limited | 2nd Floor La Vallee House, Upper Dargle Road, Bray Co. Wicklow, Ireland | Card Program Management, IT Services and Technical Support | Ireland | |
| EML Payments Europe Limited | 11 Brindleyplace 4th Floor, Birmingham, England, B1 2LP, UK | Card Issuance, Card Program Management and Customer Support and Transaction Processing | United Kingdom | |
| EML Payments USA, LLC | 8330 Ward Parkway, 4th Floor Kansas City, MO 64114, USA | Card Transaction/Data Processing | United States | Standard Contractual Clauses |
| EML Payment Solutions Limited | Level 12/333 Ann St, Brisbane City QLD 4000, Australia | Fraud/AML/CTF Monitoring | Australia | Standard Contractual Clauses |
| Third Party Companies | | | | |
| Microsoft | One Microsoft Place, South County Business Park, Leopardstown, D18 P521 | Cloud hosting and infrastructure services (Microsoft Azure) | The location for the purpose is West Europe. | |
| Cambrist Limited | Suite 5236, Unit 1 77 Sir John Rogerson’s Quay, Dublin 2 | Foreign Exchange and Notification | Europe | |
| Bureau van Dijk Editions Electroniques SRL (Orbis) | Av. Louise 250, 1050 Bruxelles, Belgium | KYC and Customer Identity Check | Europe | |
| Thames Card Technology Limited | Thames House, Southend Arterial Rd, Rayleigh SS6 7UQ, United Kingdom | Card Production | United Kingdom | |
| Monday.com | Multiple corporate offices globally, not sure which address to use | KYB and internal operations | United States | Standard Contractual Clauses |
| Zoho | Multiple corporate offices globally, not sure which address to use | CRM/database | Europe | |
| MemberCheck | Suite 213/7 Railway St, Chatswood NSW 2067, Australia | KYB | Australia | Standard Contractual Clauses |
| TruNarrative | Lexisnexis Risk Solutions (Europe) Limited, 80 Harcourt Street, Dublin, Ireland | KYB | Europe | |
| Palantir | Principal Business Address: 1200 17th Street, Floor 15, Denver, CO 80202 | Ongoing risk & fraud monitoring | Europe | |
| Trim Fold | Eamon Duggan Industrial Estate, Athboy Rd, Whitehall, Trim, Co. Meath | Packaging | Ireland | |
| Ross Print | 5 Applewood Dr, Rathdown Lower, Greystones, Co. Wicklow, A63 V208 | Packaging | Ireland | |
| DPD Ireland | Athlone Business Park, Dublin Road, Athlone, Co. Westmeath | Courier Service | Ireland | |
| DHL Express | Dublin Airport Logistics Park, Co. Dublin | Courier Service | Ireland | |
| Netcetera | Headquarters: Zypressenstrasse 71, 8040 Zurich, Switzerland | 3DS - Customer Authentication | Europe | |