Data Processing Addendum
This Data Processing Addendum (“DPA”) is an agreement between Gateway AI Services, Inc. (“Gateway”) and the Customer (as defined in the Gateway Terms and Conditions) and is effective as of the date the Customer accepts the Gateway Terms and Conditions, and is hereby incorporated by reference into them.
Gateway and Customer are hereinafter collectively referred to in this DPA as the “Parties” or each individually as “Party”.
WHEREAS, Gateway and Customer entered into a Gateway Alpha Tester Agreement (the “Principal Agreement”) which may involve automated and manual Processing of Personal Data of Data Subjects subject to Data Protection Laws in the context of the Services;
WHEREAS, this DPA is hereby incorporated into the Principal Agreement between Gateway and Customer; and
WHEREAS, in accordance with Data Protection Laws, the Parties hereby enter into this DPA which shall govern the Processing of Personal Data of Data Subjects subject to Data Protection Laws in the context of the Services.
NOW, THEREFORE, the Parties agree as follows:
1. Definitions
Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Principal Agreement. In this DPA, the following terms have the following meaning:
“Applicable Law” means all applicable laws, including Data Protection Laws, orders, statutes, codes, regulations, ordinances, decrees, rules, subordinate legislation, treaties, directives, bylaws, standards or other requirements with similar effect of any governmental or regulatory authority, each as updated from time to time which apply to Customer or Gateway in the circumstances governed by this DPA.
“CCPA” means the California Consumer Privacy Act and the California Privacy Rights Act, and their applicable regulations.
[“Customer Content” shall have the meaning given to the term under the Principal Agreement. Customer Content may include Personal Data.] [1]
“Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Gateway or its Sub-processors on behalf of Customer under the Principal Agreement, or any other incident involving such Personal Data that would require notification to a governmental authority or to a Data Subject.
“Data Protection Laws” means all laws and regulations (including, without limitation, the CCPA), applicable to Gateway’s or a Sub-processor’s Processing of Personal Data under the Principal Agreement.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
[1] NTD: This will need to conform to the applicable term in the Principal Agreement.
“Personal Data” means any information included in the Customer Content that relates to a Data Subject and which is protected under Data Protection Laws and Processed by Gateway or a Sub-processor under the Principal Agreement.
“Processing” (or “Processed” or “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, and governed by Data Protection Laws, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services described in the Principal Agreement, including the offering of the [Platform] and support services. [2]
“Sub-processor” means any third party engaged by Gateway to Process Personal Data in order to provide the Services under the Principal Agreement.
“Personnel” means any employee, contractor or other person performing Services or otherwise accessing Personal Data, in each case, on behalf of Gateway.
2. Gateway Obligations
The Parties shall comply with the terms of this DPA, and each Party is responsible for compliance with its respective obligations under applicable Data Protection Laws. Gateway shall Process Personal Data on behalf of Customer to maintain and provide the Services in accordance with this DPA and documented instructions received from Customer. Customer hereby instructs Gateway to Process Personal Data: (a) in accordance with the Principal Agreement, including to maintain and provide the Services; (b) to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Principal Agreement; and (c) where required by Applicable Law. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Gateway shall notify Customer about any instruction from Customer which, in Gateway’s opinion, infringes Data Protection Laws. Additional instructions outside the scope of this DPA (if any) shall require prior written agreement between Gateway and Customer, including agreement on any additional fees payable by Customer to Gateway for carrying out such instructions.
Gateway Personnel shall Process Personal Data only as instructed by Customer, unless otherwise required to do so by Data Protection Laws or other Applicable Laws. Gateway shall take commercially reasonable steps to ensure that access to Personal Data is limited to Personnel performing Services in connection with the Agreement. Gateway will not publish, disclose, divulge or otherwise permit third parties to access any Personal Data, except, in each case, in accordance with the Principal Agreement and this DPA (including as necessary to maintain and provide the Services and to Sub-processors in accordance with this DPA), with Customer’s consent or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order).
1. CCPA Obligations. The terms “business,” “business purpose,” “commercial purposes,” “consumer,” “personal information,” “sell,” “sale”, “share,” and “service provider” as used in this subsection 2.1 have the meanings defined in the CCPA. With respect to “personal information” of a “consumer” under the CCPA, Gateway shall only Process such personal information in accordance with this subsection 2.1. This subsection 2.1 shall not be an admission that sharing of personal information between Customer and Gateway constitutes a sale. Each Party hereby acknowledges and agrees that for purposes of this DPA and the Principal Agreement, Customer is a business subject to the CCPA and Gateway is acting, pursuant to the Principal Agreement and this DPA, as Customer’s service provider.
[2] NTD: Term should be defined in Principal Agreement.
1.1. Gateway is prohibited from selling or sharing personal information it collects pursuant to the Principal Agreement. It shall only Process such personal information as a service provider on Customer’s behalf for the specific business purpose of providing the Services and as otherwise permitted in the Principal Agreement. Customer is disclosing the personal information to Gateway only for the business purposes set forth within the Principal Agreement and for such other purposes as may be permitted by the CCPA. Gateway shall be prohibited from retaining, using, or disclosing such personal information that it collected pursuant to the Principal Agreement for any purpose or commercial purpose other than the specific business purposes specified in the Principal Agreement or as otherwise permitted by the CCPA. Gateway is further prohibited from retaining, using, or disclosing the personal information that it collected, pursuant to the Principal Agreement, outside the direct business relationship between Gateway and Customer, unless expressly permitted by the CCPA or the Principal Agreement. Gateway shall comply with all applicable sections of the CCPA, including – with respect to the personal information that it collected pursuant to the Principal Agreement – providing the same level of privacy protection as required of businesses by the CCPA, assisting Customer in responding to and complying with consumers’ requests made pursuant to the CCPA, and implementing reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Civil Code section 1798.81.5. Gateway certifies that it understands and will comply with the restrictions set forth in this Section 2.1.
1.2. Upon reasonable prior written notice, and subject to the confidentiality obligations in the Principal Agreement, Gateway shall grant Customer the right to take reasonable and appropriate steps to ensure that Gateway uses the personal information that it collects pursuant to the Principal Agreement in a manner consistent with Customer’s obligations under the CCPA, as mutually agreed upon. Gateway shall notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA. Gateway shall further grant Customer the right, upon reasonable prior written notice, and subject to the confidentiality obligations in the Principal Agreement, to take reasonable and appropriate steps to stop and remediate Gateway’s unauthorized use of personal information. Gateway shall use reasonable efforts at Customer’s cost to enable Customer to comply with consumer requests made pursuant to the CCPA. Customer shall promptly inform Gateway of any consumer request made pursuant to the CCPA that they must comply with and provide the information necessary for Gateway to comply with the request.
3. Customer Obligations
Customer agrees and represents that (a) it shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data; (b) it has and will maintain during the Term of the Principal Agreement all necessary consents from, and has provided and will continue to provide during the Term of the Principal Agreement, all required disclosures and notices to Data Subjects required under applicable Data Protection Laws for the Processing of Personal Data and recording of communications with its Personnel by Gateway; (c) it will provide notice of sharing of Personal Data with Gateway consistent with the requirements of Data Protection Laws, including without limitation, the CCPA, and will be solely responsible for compliance with the CCPA; (d) it will only provide Gateway with Personal Data from Data Subjects in the United States and will not provide Personal Data from Data Subjects located outside the U.S. (including in the European Economic Area or the United Kingdom); (e) all instructions from Customer to Gateway with respect to Processing of Personal Data shall comply with Data Protection Laws; (f) no Personal Data includes or will include any information (i) that is subject to the Health Insurance Portability and Accountability Act, or (ii) of or relating to children under the age of 16; and (g) it shall promptly inform Gateway of (i) any non-compliance by Customer, its employees, or contractors with the Principal Agreement or the provisions of the Data Protection Laws relating to the protection of Personal Data processed under the Principal Agreement; (ii) any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities; and (iii) any relevant notice, inquiry, or investigation by a governmental authority or claim by a Data Subject relating to Personal Data.
4. Sub-processors
Customer agrees that Gateway may use Sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services or other Services. Where Gateway engages a Sub-processor to carry out specific Processing activities (on behalf of Customer), it shall do so by way of a written contract that provides for substantially similar data protection obligations as those binding Gateway under this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
5. Notification of Access Requests and Complaints
Gateway shall, to the extent legally permitted, promptly notify Customer of any Data Protection Communication it receives. “Data Protection Communication” means (a) any request received directly by a Party from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws; or (b) any complaint or allegation made to a Party relating to Personal Data, either from a Data Subject, a governmental authority (including the California Privacy Protection Agency), or other third party. Gateway shall not respond to a Data Protection Communication it receives, unless Gateway is authorized to do so by Customer or Gateway is legally compelled to respond. Where Gateway is compelled to respond to a Data Protection Communication, unless prohibited by law, it shall permit Customer to make representations and/or participate in the response process to ensure compliance with Data Protection Laws.
Customer is responsible for responding to a Data Protection Communication received directly by Customer by using its own access to the relevant Personal Data. If Customer is unable to access the relevant Personal Data after reasonable efforts, Gateway will, at Customer’s request, provide reasonable assistance to Customer in responding to any such Data Protection Communication directly received by Customer to the extent the response to such Data Protection Communication is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Gateway’s provision of such assistance.
6. Data Security [3]
Gateway shall implement, maintain and comply with reasonable information and network security programs, practices and procedures that govern the Services appropriate to the nature of the Personal Data and designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification or disclosure.
7. Data Breach
Gateway shall notify Customer without undue delay after becoming aware of a Data Breach. In the event of a Data Breach, Gateway shall provide Customer with all reasonable assistance in investigating any such Data Breach. Gateway will also provide reasonable assistance to Customer to enable Customer to comply with its obligations under Data Protection Laws to notify the applicable governmental authority and the affected Data Subjects, taking into account the nature of Processing and the information available to Gateway. Unless legally required by Data Protection Laws, or other Applicable Laws, Gateway will not disclose the Data Breach to any third party without obtaining Customer's prior written consent, not to be unreasonably withheld, unless required to do so by Applicable Laws. Gateway’s obligation in this Section 7 shall not apply to breaches of Personal Data or other Customer Content that are caused by Customer or its representatives or users or Personal Data that is not Processed on behalf of Customer. Except to the extent required by law, Gateway shall have no responsibility to provide notifications to governmental authorities or to Data Subjects relating to a Data Breach, and Customer shall be solely responsible for any such notifications.
[3] NTD: To be updated with any additional security measures.
8. Return and Deletion of Personal Data
Unless prohibited by law, Gateway will, at Customer’s option, delete or return all Customer Content, including Personal Data, on termination or expiration of the Principal Agreement in accordance with the Principal Agreement. Until all Personal Data is deleted or returned, Gateway shall continue to comply with this DPA. If Applicable Law prohibits the return or deletion of Personal Data, Gateway will continue to comply with this DPA and will only Process Personal Data to the extent and for as long as required under Applicable Law. The foregoing shall not apply to usage data or any Personal Data that has been de-identified or aggregated in accordance with Data Protection Laws.
9. Requests for Personal Data from Governmental Bodies
Upon Customer's written request, Gateway will provide reasonable assistance to Customer in the event of an investigation by or request from any regulator, or similar authority, if and to the extent that such investigation or request relates to Personal Data. To the extent permitted by Applicable Law, if Gateway receives a valid and binding order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Personal Data, Gateway will use reasonable efforts to redirect the Requesting Party to request Personal Data directly from Customer. As part of this effort, Gateway may provide Customer’s basic contact information to the Requesting Party. If compelled to disclose Personal Data to a Requesting Party, Gateway will give Customer reasonable notice of the Request to allow Customer to seek a protective order or other appropriate remedy, if Gateway is legally permitted to do so. If, after exhausting the steps described above in this Section 9, Gateway remains compelled to disclose Personal Data to a Requesting Party, Gateway will disclose only the minimum amount of Personal Data necessary to satisfy the Request.
10. Liability
The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Principal Agreement. Any reference to “limitation of liability” of a Party in the Principal Agreement shall be read to mean the aggregate liability of a Party and all of its affiliates under the Principal Agreement and this DPA.
11. Miscellaneous
The Processing of Personal Data under this DPA is governed by the law of the Principal Agreement. Any disputes between the Parties relating to the Processing of Personal Data under this DPA will be subject to the exclusive jurisdiction of the courts set forth in the Principal Agreement. Unless stated otherwise, each party shall perform its obligations under this DPA at its own cost. In the event of inconsistencies between the provisions of this DPA and other agreements between the Parties, including but not limited to the Principal Agreement, the provisions of this DPA shall prevail. This DPA may only be modified by a written amendment signed by authorized representatives of each of the Parties. This DPA will become effective as of the date the Parties have executed it and, notwithstanding expiry of the Term of the Principal Agreement, will remain in effect until, and will automatically expire upon, deletion of all Personal Data by Gateway and/or any applicable Sub-processors. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect. This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.
By using the Services and accepting the Terms and Conditions, the Customer agrees to the terms of this DPA.