1

European General Terms and Conditions Revision Date: 1 May 2021

These European General Terms and Conditions (“Legal Terms”) when incorporated by a Statement of Work or Proposal (each an “SOW”) shall govern the services to be provided (“Services”) and constitute the full agreement (collectively the “Agreement”) between the Customer and the Datasite entity (“Datasite”) (each a “Party” and together the “Parties”) named in the SOW. In the event of a conflict between the Legal Terms and any SOWs, the SOW shall govern. Capitalized terms not defined within the Legal Terms are defined in the SOW.

1. Fees, Taxes, Billing Disputes.

(a) Fees. Customer shall pay to Datasite the fees set forth in any SOW (the “Fees”). If the Customer is represented by an advisor in furtherance of the Services, Customer shall pay all Fees incurred by such advisor for the performance of the Services. All Fees are payable in the currency used in the applicable SOW. On each one-year anniversary of the Effective Date of an SOW, Datasite may adjust pricing by an amount equal to the greater of: (a) three (3) percent; or (b) the average of the monthly “All Items” Consumer Price Indices for the United Kingdom for the 12 months immediately preceding the adjustment date.

(b) Payment. Customer shall pay all Fees owing under this Agreement within 30 days of receipt of an invoice from Datasite. Datasite may suspend Services upon non-payment. Interest may be added to all past due invoices in accordance with local laws. If Customer requests that any Fees charged under this Agreement be paid by a third party, then: (a) Customer will promptly notify Datasite in writing of the billing change; (b) payment of Fees from such third party to Datasite will be due within 30 days of receipt of an invoice from Datasite; and (c) Customer will not be relieved of its obligations to pay those, or any other Fees, to Datasite.

(c) Taxes. Amounts payable by Customer under this Agreement are exclusive of all applicable taxes (including VAT and withholding taxes).

2. Ownership and Requirements.

(a) Customer Ownership. Customer has sole responsibility for the accuracy, quality, legality, integrity, and appropriateness of all data, content and information provided to Datasite in conjunction with the Services. Customer owns any document that is uploaded to the Services by or on behalf of the Customer (the “Content”) and Customer’s trademarks or logos, which together are referred to as the “Customer Material.”

(b) Datasite Ownership. All materials, documentation, methodologies, source code, processes, websites, applications and software that Datasite uses in providing the Services, and any and all derivatives, future enhancements or modifications thereto however made and any intellectual property rights therein, are owned by Datasite.

(c) Content. Customer will use reasonable efforts to: (i) provide Datasite with clear and legible copies of the Content in the best possible condition; (ii) cooperate with Datasite in correcting any problems associated with the Content; and (iii) report promptly to Datasite any problems or errors that Customer observes or discovers with the Content. In addition, Customer will immediately notify Datasite in writing of all court orders restricting the use, distribution or disposition of the Content delivered to Datasite.

3. Representations and Warranties.

(a) General Representations. Each Party represents and warrants that it: (i) has full power and authority to enter into and perform its obligations under this Agreement; (ii) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against such Party in accordance with its terms; (iii) will comply with all laws applicable to the Party; and (iv) will use up-to-date, generally accepted virus detection devices and procedures to ensure that any electronic data transmitted to Datasite will not contain a virus or other harmful component.

(b) Datasite Representations. During the term of the applicable SOW, Datasite represents and warrants that: (i) the Services will be rendered using sound, professional practices and in a competent and professional manner; and (ii) it has all necessary permissions, software licenses and ownership rights to provide the Services. Customer must provide written notice to Datasite of any warranty claim. Such warranty shall apply only if the applicable Services have been utilized for their intended purpose, and in accordance with the applicable documentation, this Agreement and applicable law.

(c) Customer Representations. Customer represents and warrants that it: (i) has obtained all permissions and consents required by law necessary to transfer the Content so that Datasite may lawfully use and process the Content in accordance with this Agreement; (ii) has delegated authority to its advisors in providing instructions in connection with the Services, and Datasite has no duty to verify such instructions with Customer; (iii) will not use the Services in a manner that would give rise to civil liability, or constitute or encourage conduct that could constitute a criminal offense, under any applicable law or regulation, nor assist, encourage or authorize others to do so; (iv) will not upload Content that infringes on the intellectual property rights of third parties; and (v) will use the Services for the intended business purpose.

(d) Disclaimer of Warranties. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT AND TO THE FULLEST EXTENT PERMITTED BY LAW, THE SERVICES ARE PROVIDED AS-IS, WITHOUT ANY EXPRESS OR IMPLIED

2

WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, OR THOSE ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. THE ABOVE WARRANTIES DO NOT GUARANTEE THAT THE SERVICES WILL BE SECURE, PERFORM UNINTERUPTED, OR ERROR-FREE, OR THAT DATASITE WILL BE ABLE TO CORRECT ALL ERRORS OR THAT THE SERVICES MEET CUSTOMER’S REQUIREMENTS.

(e) Security Classified Information. THE SERVICES SHOULD NOT BE USED FOR STORING ANY INFORMATION IN THE DATA ROOM THAT HAS A SECURITY CLASSIFICATION. ACCORDINGLY, DATASITE DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR ACCESSING OR STORING ANY INFORMATION THAT HAS OR REQUIRES A SECURITY CLEARANCE. CUSTOMER AGREES THAT DATASITE SHALL NOT BE LIABLE FOR ANY CLAIMS OR DAMAGES ARISING FROM OR RELATED TO THE USE OF THE SERVICES FOR SECURITY CLASSIFIED INFORMATION.

4. Confidentiality.

(a) “Confidential Information” means proprietary information of a Party, including but not limited to the Customer Material(including personal data controlled by the Customer), inventions, trade secrets, marketing plans, programs, source code, data and other documentation, customer and shareholder information, other information related to the business of that disclosing party, and the terms and pricing of this Agreement. The term Confidential Information does not include: (i) information that was in the receiving party’s possession or was known to it prior to its receipt from the disclosing party; (ii) information that is or becomes publicly available without the fault of the receiving party; (iii) information that is or becomes rightfully available on an unrestricted basis to the receiving party from a source other than the disclosing party; or (iv) information that was independently developed by the receiving party.

(b) Each Party shall: (i) hold such Confidential Information of the other Party in confidence; (ii) use and disclose it solely in furtherance of or to improve the Services; and (iii) and will take reasonable steps to maintain the confidentiality of all Confidential Information. This Agreement expressly supersedes and replaces in its entirety any non-disclosure agreement executed by Datasite arising out of or in connection with this Agreement.

(c) If a Party is compelled by court order, subpoena, or other requirement of law to disclose Confidential Information, the Party will provide the other Party with prompt notice (unless such notice is prohibited by law) so that the Party may, at its option and expense, seek a protective order or other remedy.

(d) Upon termination of the Agreement, all Content uploaded to the Services by Customer shall be destroyed, or in accordance with the SOW returned, to the Customer. The Parties agree that upon Customer’s request, Datasite shall provide a certification of deletion or destruction of the Content. The Customer agrees to pay all invoices in full before Content is released for delivery. Notwithstanding the provisions of this section 4(d), Datasite is not obligated to immediately erase Content contained in an archived computer system backup made in accordance with its security or disaster recovery procedures, provided that such archived copy will remain subject to these obligations of confidentiality until destruction.

(e) All Content is stored at third-party hosting facilities within the European Economic Area unless otherwise requested by Customer. Customer acknowledges that Datasite’s provision of the Services may involve the processing of some personal data (as defined by applicable data protection laws) which may include Datasite sharing that personal data with Customer’s advisor or its invited third-party Users. Customer has sole responsibility for ensuring that its provision of any personal data to Datasite in order for Datasite to process it in accordance with this Agreement complies with applicable data protection laws. Datasite shall process and use personal data within the Content: (i) only for and on behalf of Customer; (ii) for the purpose of performing Services; (iii) as per the instructions of Customer; (iv) and in accordance with the law. In addition to the obligations set forth, the Parties agree to the Data Processing Addendum 1 attached to this Agreement.

5. Limitation of Liability.

TO THE EXTENT PERMITTED BY ANY APPLICABLE LAW, NEITHER DATASITE NOR CUSTOMER SHALL BE LIABLE TO THE OTHER PARTY OR ANY OTHER THIRD PARTY UNDER ANY THEORY OF RECOVERY, WHETHER BASED IN CONTRACT, IN TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY), UNDER WARRANTY, OR OTHERWISE, FOR ANY PUNITIVE, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL LOSS INCLUDING: LOSS OF PROFITS, BUSINESS, GOODWILL, REPUTATION, OR LOSS RESULTING FROM BUSINESS INTERRUPTION. CUSTOMER EXPRESSLY AGREES THAT UNLESS OTHERWISE STATED HEREIN, THE REMEDIES PROVIDED IN THIS AGREEMENT ARE EXCLUSIVE AND THAT UNDER NO CIRCUMSTANCES SHALL,TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY UNDER ANY THEORY OF RECOVERY, WHETHER BASED IN CONTRACT, IN TORT, UNDER WARRANTY, OR OTHERWISE, EXCEED THE TOTAL PRICE PAID OR PAYABLE TO DATASITE UNDER THE APPLICABLE SOW FOR THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY.

THE LIMITATIONS OF LIABILITY SET FORTH IN THIS SECTION 5 OF THE LEGAL TERMS SHALL NOT APPLY TO: (A) FEES PAID OR PAYABLE BY CUSTOMER UNDER THIS AGREEMENT; (B) A BREACH OF SECTIONS 2(b) OR 3(c) OF THE LEGAL TERMS; OR (C) DAMAGES CAUSED BY FRAUD OR A PARTY’S WILLFUL MISCONDUCT.

3

6. Hosting Terms. The following provisions apply to the extent that the Services include hosting Customer’s Content on an Internet-based platform (the “Website”):

(a) Website Users.

(i) Definitions. The Website users (“Users”) are those individuals authorized by Customer, and enabled by Datasite or Customer, to access the Content on the Website. “Managers” are those Users who are authorized by Customer to initiate and conclude Services, upload and manage Content, invite other Managers and Users, and access reports. Customer will pay any Fees incurred by Manager

(ii) Obligations. Users must consent to the Terms of Use and Privacy Notice included in the Website and which may be amended from time to time. Customer is responsible for the use of the Website by any of its Users in compliance with this Agreement. Datasite retains the right to deregister any User from the Services upon request of the employer of such User.

(iii) Go Live Date, Sandbox, Datasite Prepare. Prior to the Go Live Date, or if Customer elects to utilize the sandbox (as described in the SOW) or Datasite Prepare, Customer agrees to only use such Services: (a) for the purpose of managing and distributing Content within the transaction team, including Customer’s employees, agents, clients and advisors in connection with an actual or proposed merger, acquisition, joint venture or other transaction involving the sale or exchange of assets or voting securities of Customer or Customer’s clients; or (b) for such other purpose as agreed by the parties in a SOW, and in respect of both (a) and (b), the Content shall not be made accessible to any third party other than Customer’s agents, advisors or clients. Datasite retains, in its sole discretion, the right to terminate the Services if: (y) suspension is necessary to avoid material harm to Datasite or its business; or (z) that Customer or any User has violated this provision.

(iv) Storage. All Content uploaded to the Website is converted to PDF format, unless otherwise designated by the Manager as download only files (“Special Media”). Fees are totaled based on the outcome of the conversion either on a per 8”X11” page basis (“Page”) or per storage basis (“MB” or “GB”), in each case as described in the SOW, and which shall increase in the increments set forth therein. Datasite storage and Page counts exclude Fees for Optional Products & Services and shall be conclusive except in cases of material error. Incremental storage fees and charges of Optional Products & Services will be invoiced as they are incurred.

(v) Continuation. Upon Customer entering into a Renewal Term (as defined in the applicable SOW), Customer will be invoiced for all Content maintained at the continuation rate identified in the SOW and for any additional Content uploaded during the Renewal Term at Page, MB, GB or Special Media increments set for in the SOW.

(vi) Third-Party Content. The Website includes the capability for Customer to share transaction data that may be owned by a third party (“Third-Party Content”). Customer acknowledges and agrees: (a) Users will have access provided by Customer (including to view, download and query the Third-Party Content) and it is Customer’s sole responsibility to evaluate risks related to sharing Third-Party Content with Users; and (b) Datasite has no control over, and no liability whatsoever, for any acts or omissions of any User with respect to Third Party Content.

(vii) Trial Services. Datasite may make beta services and related documentation (“Trial Services”) available to Customer. Trial Services are not considered “Services” under this Agreement and are provided “As Is” and without warranty of any kind, express or implied, however, all confidentiality and ownership rights, and Customer obligations concerning the Services and Content, shall apply equally to Customer’s use of Trial Services. Datasite may discontinue the Trial Services at any time in its sole discretion and may never make them generally available. Datasite will have no liability for any harm or damage arising out of or in connection with the Trial Services. The provision of any Trial Services to a Customer may be subject to additional terms and conditions.

(viii) Feedback. Customer agrees that any suggestions, improvements, comments or other feedback regarding the Website or Services (“Feedback”) is the exclusive property of Datasite. All Feedback shall be deemed non-confidential.

(ix) Integration with Non-Datasite Applications. The Website may contain features designed to interoperate with Web-based, mobile, offline, or other software applications that are provided by Customer or a third party and interoperates with the Website (“Non-Datasite

Applications”). Datasite does not warrant or support Non-Datasite

Applications. If Customer

chooses to use a Non-Datasite Applications with the Website, Datasite

is not responsible for any disclosure, modification

or deletion of Content resulting from access by such Non-Datasite Application or its provider.

(b) Service Level Agreements.

(i) Scheduled Maintenance. Datasite performs periodic maintenance on the Website for system upgrades, and maintenance (“Scheduled Maintenance”). Advanced notice is provided on the Website. Scheduled Maintenance will not exceed four (4) hours per calendar month. Datasite reserves the right to update, modify, improve, support, and operate the Website and Services based on Customer’s use. Any updates or modifications will not materially diminish the functionality of the Website.

(ii) Availability Guarantee. Aside from Scheduled Maintenance, Datasite guarantees that the Website will be available at least 99.5% of the time measured on a 12-month basis (the “Availability Guarantee”).

(iii) Exceptions. No period of inoperability will be included in calculating the Availability Guarantee to the extent that

4

such downtime is due to: (w) Scheduled Maintenance; (x) failure of Customer or its Users’ internet connectivity; (y) internet traffic problems other than problems arising from networks controlled by Datasite; or (z) any Force Majeure Event.

(iv) Service Credits. If Datasite fails to meet the Availability Guarantee during the Term, Customer may: (x) terminate the SOW and request Datasite to deliver, as soon as commercially practicable, the Content on the Website to Customer’s designee, if Customer does so within five (5) days of Datasite’s failure to meet the Availability Guarantee; or (y) request that Datasite provide Customer the credits described in the table below, provided Customer makes such request within twenty (20) days after Datasite’s failure to meet the Availability Guarantee.

Actual Percentage the Website is Available Credit

99.5% or more None

97% to less than 99.5% 10% of Monthly Fees

96% to less than 97% 25% of Monthly Fees

95% to less than 96% 50% of Monthly Fees

Less than 95% 100% of Monthly Fees

7. Termination.

(a) By Either Party. Either Party may terminate this Agreement and all SOW’s issued hereunder, in whole or in part, in the event of a material breach of this Agreement if not cured within thirty (30) days of written notice from the non-breaching party. A notice of default under this provision shall not constitute a notice of termination under this Agreement. Any notice of termination shall be provided separately.

(b) By Datasite. Datasite may terminate this Agreement and all SOW’s issued hereunder, in whole or in part, in the event the Customer:

(i) ceases to actively conduct its business;

(ii) files a voluntary petition for bankruptcy or has filed against it an involuntary petition for bankruptcy;

(iii) makes a general assignment for the benefit of creditors;

(iv) applies for the appointment of a receiver, trustee or administrator for substantially all of its property or assets or permitted the appointment of any such receiver, administrator or trustee;

(v) has its receivables subject to garnishment, immediately upon written notice of intent to terminate; or

(vi) fails to pay any invoice in full within ten (10) days of notice of default, at which point Datasite may in its discretion suspend the Services or terminate this Agreement, the Services, or any SOW, and will have no obligation to preserve or return the Content.

(c) Effect of Termination. The following will occur upon termination or expiration of a SOW or this Agreement:

(i) Upon a Manager completing closing instructions on the Website, Datasite will terminate Customer’s and all Users’ access to the Website(s).

(ii) Datasite will permanently delete all Customer’s Content maintained by Datasite on the Website. Upon termination or expiration of the SOW, Datasite’s obligation to host Content will cease.

8. General.

(a) Affiliate. Datasite shall be entitled to perform any of the obligations undertaken by it and to exercise any rights granted to it under the Agreement through any Affiliate, provided that any act or omission of such Affiliate shall, for all the purposes of this Agreement, be deemed to be the act or omission of Datasite. For purposes of this Agreement, “Affiliate” means any entity that, directly or indirectly, controls, is controlled by, or is under common control with the Party executing this Agreement.

(b) No Waiver. No failure or delay by either party in exercising any of its rights under this Agreement shall be deemed to be a waiver of that right, and no waiver by either party of a breach of any provision of the Agreement shall be deemed to be a waiver of any subsequent breach of the same or any other provision.

(c) Analytics. Upon anonymizing Content by removing all reference to numeric values, dates, times, proper names, addresses, locations, titles, and personal data (“Anonymized Content”) and incorporating such Anonymized Content with or into similar information derived or obtained from other customers of Datasite (collectively “Aggregated Content”), Customer hereby grants to Datasite a non-exclusive, fully paid, world-wide and irrevocable license to use Aggregated Content exclusively for enhancing features and functionality of the Services.

(d) Survivorship. The following Sections will survive expiration or termination of this Agreement: 1, 2, 4, 5, 7(c), and 8.

(e) Restricted Parties. Datasite reserves the right to prohibit Services to any company or individual from a sanctioned

5

or embargoed country or restrict access or use of Services to any restricted party based on any government list. Customer is solely responsible for obtaining any necessary export license or other approval to transfer Content in connection with its use of the Service.

(f) No Third-Party Beneficiaries. This Agreement does not create any third-party beneficiary rights except as expressly provided by its terms.

(g) Assignment. This Agreement is binding upon and inure for the benefit of the Parties and their respective successors and assigns. It is agreed and understood that neither Party may assign, in whole or in part its rights, interests and obligations, without the other Party’s prior written consent. Notwithstanding the foregoing, upon providing written notice, either Party may assign its rights, interests and obligations under this Agreement or any SOW pertaining thereto to any parent, subsidiary, or Affiliate, or to a successor of all its assets or stock.

(h) Notices and Non-renewal. Wherever provision is made in this Agreement for the giving, service or delivery of any notice, such notice shall be in writing and shall be given using a method providing for proof of delivery, which shall include acknowledgement of receipt of email. Notwithstanding anything to the contrary in the SOW or Legal Terms, Customer's Manager shall carry out Datasite’s closing instructions on the Website in order to provide advance written notice of Customer’s intent not to renew the Term.

(i) Force Majeure. Neither Party is responsible for any delay in the performance of any obligation under this Agreement to the extent that the delay results from events beyond the reasonable control of such Party and is not occasioned by such Party's fault ("Force Majeure"). If a delay or failure of a Party to comply with any obligation set forth in this Agreement is caused by Force Majeure, that obligation (other than the obligation to pay money when due and owing) will be suspended during the continuance of the Force Majeure condition and will not be considered a breach of this Agreement. A Party whose performance is suspended hereunder shall give prompt written notice of any event of Force Majeure and such Party’s best reasonable estimate of when such event will abate.

(j) Marketing Support. Upon the public announcement of an applicable transaction, Datasite may identify Customer as a Datasite customer and use Customer’s name or logo on any Datasite websites or other marketing materials.

(k) Entire Agreement. This Agreement, together with any applicable SOWs and Data Processing Addendum, constitutes the entire agreement between the Parties and supersedes all previous agreements, proposals, and negotiations, whether written or oral, regarding the subject matter herein. No usage of trade or other regular practice or method of dealing between the parties will be used to modify, interpret, supplement, or alter the terms of this Agreement. Datasite rejects the inclusion of any different or additional terms unless expressly agreed to in writing.

Data Processing Addendum

This Addendum on Data Processing (hereinafter: “Addendum”) is by and between:

Customer as defined by the SOW:

– hereinafter referred to as “Controller” –

and

Datasite entity as defined by the SOW:

– hereinafter referred to as “Processor” –

Hereinafter each individually referred to also as the “Party” and collectively as the “Parties.”

Preamble:

(A) The Parties have entered into an Agreement which outlines the Services to be provided (definitions provided in

Section 1 below). As part of the provision of Services by the Processor, Personal Data may be transferred by the

Controller to the Processor.

(B) Capitalized terms not defined in this Addendum are defined in the Agreement. In the event of any conflict

between the provisions in this Addendum and the provisions set forth in the Agreement, the provision or provisions of

this Addendum will prevail.

(C) To ensure compliance by the Parties with Processing obligations pursuant to the Data Protection Rules, as

amended from time to time, the Parties hereby agree as follows:

1. Definitions

1.1. “Agreement” means the Statement of Work and the regional General Terms and Conditions between the

Controller and the Processor;

1.2. “Appendix” means the appendix annexed to and forming an integral part of this Addendum;

1.3. “Data Protection Rules” means the relevant national laws that apply to the Processing of Personal Data,

including but not limited to, the General Data Protection Regulation, Swiss Data Protection Act, United Kingdom Data

Protection Act, the California Consumer Protection Act, and the Australian Privacy Principles, as applicable;

1.4. “Data Subject” means an identified or identifiable natural person whose Personal Data is subject to Processing;

an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an

identification number, location data, an online identifier or to one or more factors specific to physical, physiological,

genetic, mental, economic, cultural or social identity, or as otherwise defined in applicable Data Protection Rules;

1.5. “Personal Data” means any information relating to a Data Subject contained within the Content.

1.6. "Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss,

alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, or as

otherwise defined in applicable Data Protection Rules;

1.7. “Process”, “Processing” or “Processed” means any operation or set of operations which is performed upon

Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage,

adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making

available, alignment or combination, blocking, erasure or destruction, or as otherwise defined in applicable Data

Protection Rules;

1.8. “Services” means the provision of services as described in the Agreement and this Addendum;

1.9. “Special Categories of Data” means the Personal Data revealing racial or ethnic origin, political opinions,

religious or philosophical beliefs, trade-union membership, genetic data, biometric data that uniquely identify a natural

person, as well as Personal Data concerning health, sex life or sexual orientation, or as otherwise defined in applicable

Data Protection Rules; and

1.10. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of

Personal Data to Processors established in third countries under Regulation (EU) 2016/679 of the European Parliament

and of the Council of 27 April 2016, adopted by decision of the European Commission dated 16 July 2020, as updated,

amended, replaced or superseded from time to time.

2. Processing Activities

2.1. Customer and Datasite agree that Customer is the Controller of Personal Data and Datasite is the Processor of

such data, except when Customer acts as a processor of Personal Data, in which case Datasite is a subprocessor.

2.2. The Controller shall have sole responsibility for the accuracy, quality, and legality of the Personal Data, and

shall comply with, and is responsible for its invited Users compliance, with applicable Data Protection Rules.

2.3. The Processor agrees to Process the Personal Data in accordance with this Addendum and the Agreement,

pursuant to Controller’s written instructions as set forth in Appendix 1 of this Addendum, and as may be communicated

by the Controller from time to time in accordance with Data Protection Rules.

2.4. If the Processor believes that an instruction infringes upon Data Protection Rules, it will notify the Controller

without undue delay.

3. Duration and Termination of this Addendum

3.1. This Addendum is effective as of the Effective Date and shall remain in force during the term of the Agreement.

This Addendum will terminate automatically with the termination or expiry of any SOW.

3.2. Notwithstanding the termination of this Addendum, the Processor shall continue to be bound by its obligation of

confidentiality.

4. International Transfers

All Personal Data is stored at third-party hosting facilities within the European Economic Area (“EEA”). Controller

acknowledges that Processor may transfer Personal Data outside the EEA in performance of the Services; however,

Personal Data will continue to be stored in the EEA. All transfers of Personal Data out of the EEA and Switzerland

shall be governed by the Standard Contractual Clauses incorporated into this Addendum as Appendix 3. Processor will

abide by the requirements of the EEA and Swiss Data Protection Rules regarding the collection, use, transfer, retention,

and other processing of Personal Data from the EEA and Switzerland.

5. Confidentiality and Security

5.1. The Processor shall keep Personal Data confidential. The Processor shall ensure that its employees are aware of

the applicable privacy and information security requirements and are held by legally binding confidentiality obligations.

5.2. Subject to the Data Protection Rules, the Processor will implement appropriate operational, technical and

organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration,

unauthorized disclosure or access as described in Appendix 2.

5.3. The Processor will update the technical and organizational security measures in line with reasonable

technological developments as determined by Processor and provide access to updated documentation to the Controller

on request in the form of its current ISO 27001 certification.

6. Cooperation and Notification Obligations

6.1. The Parties will co-operate with each other to promptly and effectively handle enquiries, complaints, and claims

relating to the Processing of Personal Data from any government authority or Data Subject.

6.2. If a Data Subject should apply directly to the Processor to exercise his/her Personal Data rights, the Processor

shall forward this request to the Controller without undue delay.

6.3. Unless prohibited by law, if the Personal Data is subject to a control, order or investigation by public authorities, the

Processor will: (a) promptly notify the Controller; and (b) disclose Personal Data only to the extent that is strictly necessary

and proportionate to satisfy the request and in compliance with Data Protection Rules.

6.4. Upon Controller’s request, the Processor will provide the public authorities with information regarding

Processing under this Addendum as well as allow inspections within the scope stated in Section 7.

6.5. The Processor will notify the Controller of a Personal Data Breach that is determined to affect Controller’s

Personal Data without undue delay. The Processor shall provide Controller with the information to reasonably assist

Controller as required by Data Protection Rules.

7. Controller’s Audit and Inspection Rights

Upon Controller’s request, Processor shall make available to Controller information necessary to demonstrate

compliance with Processor’s obligations under the Addendum and Data Protection Rules. Processor allow for and

contribute to audits, including inspections, conducted by Controller, or an independent third-party auditor appointed

Controller, for the purpose of verifying the Processor’s compliance with this Addendum. All inspections shall be to

reasonable confidentiality requirements, conducted during normal working hours, and will not interfere with the course

of the Processor’s business.

8. Use of Subprocessors

8.1 Controller hereby acknowledges and agrees that Processor may use subprocessors to Process Personal Data.

Processor will make available to Controller its current list of subprocessors upon request. Any subprocessor will be

permitted to Process Personal Data only to deliver the Services Processor has retained them to provide and will be

contractually bound by obligations no less protective than this Addendum. The Processor make available to the

Controller applicable portions of the agreements upon request. Processor shall be liable for the acts and omissions of any

subprocessor as if the acts or omissions were performed by Processor under this Addendum.

8.2 If the Processor intends to appoint or replace a subprocessor covered by this Addendum, the Processor shall inform

Controller and give Controller the opportunity to reasonably object to such changes. The Processor shall make available to

Controller information that Controller may reasonably require to assess whether the subprocessor complies with the

Controller’s obligations under this Addendum and applicable Data Protection Rules.

9. Return and Deletion of Personal Data

Upon the request of the Controller or upon termination of this Addendum, the Processor will, return or destroy all

Personal Data and copies thereof. Upon the request of the Controller, the Processor will certify that this has been done.

10. Liability

10.1 The liability of the Parties and the limitation thereof shall be in accordance with the Agreement.

Appendix 1: Processed Personal Data and Purposes

Personal Data are transferred and Processed for the following purposes:

• Secure online repository and data sharing for corporate transactions or internal business purposes.

Scope of Processing:

• As described in the Statement of Work, Processor provides secure online repository tools for storing, managing,

collaborating on and distributing data and documents.

Categories of Personal Data:

• Names, address, company email address, company phone number, compensation and benefits, holiday and

pension information, job titles and functions and potentially all other types of personal data embedded in the

business information uploaded by Controller’s Manager onto the virtual data room.

Special Categories of Data (if applicable):

The Personal Data concerns the following Special Categories of Data (please specify):

• None, unless otherwise identified by Controller

Data Subjects:

The Personal Data concerns the following categories of Data Subjects:

• Business information that may include owner, employee, customer, contractor and vendor data.

Appendix 2 includes:

Appendix 2: Information Security Measures

Section I: Processor’s General Data Security Plan

Section II: Processor’s Information Security Procedure/Process

I. General Data Security Plan

The Processor undertakes to institute and maintain the following data protection measures:

Security Requirement

How the Processor implements the specific information

security measure

Please describe the access control

(physical) measures in your company

to prevent unauthorized persons from

gaining access to Processing systems

within which Personal Data are

Processed or used.

All data centers hold ISO 27001:2013 and SOC 2 Type 2

certifications.

A perimeter of multiple security controls are in place for

all data centers which include multiple require

authentication methods in order to gain access.

2.

Please describe the admission control

measures taken in your company to

prevent Processing systems from being

used without authorization.

Admission is based on business requirements and require

management role identification and approval. Time out

features, strong authentication requirements and access

rights are implemented and trackable.

3.

Please describe the access control

(virtual) measures taken in your

company to ensure that persons

entitled to use a Processing system

have access only to Personal Data to

which they have a right of access, and

that Personal Data cannot be read,

copied, modified or removed without

authorizations in the course of

Processing or use and after storage.

Access is managed through a formal registration and de-

registration procedure for granting and revoking access to

all systems and services based on job role. Audit

reporting allows for the accurate monitoring of activity

and access controls are in place to protect data integrity

and confidentiality.

4.

Describe the transmission control

measures taken in your company to

ensure that Personal Data cannot be

read, copied, modified or removed

without authorization during electronic

transmission or transport, and that it is

possible to check and establish to

which bodies the transfer of Personal

Data by means of data transmission

facilities are envisaged.

Processor has removable media policy with the

appropriate technical controls in place to protect data

integrity and confidentiality and prohibit unauthorized

Personal Data transfer. Remote access is controlled using

multifactor authentication. Data is encrypted at rest and in-

transit using industry standard encryption technologies.

5.

Describe the measures of input control

to ensure that it is possible to check

and establish whether and by whom

Personal Data have been entered into

Processing systems, modified or

removed.

Processor is agnostic to the data the Controller chooses to

upload. All actions with respect to data’ integrity and

confidentiality are tracked and reportable. Controller has

sole determination on what data is provided to Processor.

6.

Describe the assignment control

measures in your company to ensure

that, in the case of commissioned

Processing, the Personal Data are

Processed strictly in accordance with

the instructions.

Audits are conducted annually under ISO 27001

Certification and SOC 2 Type 2 frameworks to ensure

compliance requirements are being met. Authorized

employees and contractors complete training and

acknowledge compliance with Processor’s code of conduct

and policies annually. All employees and contractors are

required to sign NDA.

7.

Describe the availability control

measures your company takes to

ensure that Personal Data are protected

from accidental destruction or loss.

Processor has redundancy with each platform and

maintains logs of system availability. In addition,

redundancy allows for continuous system backups.

Processor has Disaster Recovery and Business Continuity

Plans that are reviewed, updated and tested periodically.

8.

Describe the separation control

measures your company has taken to

ensure that Personal Data collected for

different purposes can be Processed

separately.

Logical separation is maintained within the same multi-

tenant database restricting access to the project(s) to which

the user is authenticated. Processor maintains a 3-tiered

application with separation of data; development, test and

production.

II. Processor’s Information Security Procedure/Process

The Processor implements and follows the following standards, processes, and procedures:

Processor operates an Information Security Management System which complies with the requirements of ISO/IEC

27001:2013 for the following scope: The management of information security applies to processes for the protection of

client information as it pertains to Datasite’s due diligence SaaS platform and services for M&A lifecycle. Included in the

scope is the product platform Datasite Diligence.

Appendix 3: Standard Contractual Clauses

For the purposes of applicable Data Protection Laws for the transfer of personal data to processors established in third

countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: Customer as defined by the SOW, unless otherwise identified below:

Address:

Tel.:…………………. E-mail:………………………………….

(the data exporter)

And

Name of the data importing organisation: DATASITE UK LTD for itself and its in-scope affiliates

Address: 15 Bonhill Street, London EC2A 4DN, United Kingdom,

Tel: +44 203 928 0400 E-mail: privacy@datasite.com

(collectively “the data importer”)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to

the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data

importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject'

and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European

Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the

processing of personal data and on the free movement of such data1;

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data

intended for processing on his behalf after the transfer in accordance with his instructions and the terms of

the Clauses and who is not subject to a third country's system ensuring adequate protection within the

meaning of Article 25(1) of Directive 95/46/EC;

(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the

data importer who agrees to receive from the data importer or from any other subprocessor of the data

importer personal data exclusively intended for processing activities to be carried out on behalf of the data

1 Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered

it better for the contract to stand alone.

exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the

written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of

individuals and, in particular, their right to privacy with respect to the processing of personal data

applicable to a data controller in the Member State in which the data exporter is established;

(f) 'technical and organisational security measures' means those measures aimed at protecting personal data

against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in

particular where the processing involves the transmission of data over a network, and against all other

unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1

which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e),

and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6,

Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has

ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter

by contract or by operation of law, as a result of which it takes on the rights and obligations of the data

exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6,

Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have

factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has

assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which

it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them

against such entity. Such third-party liability of the subprocessor shall be limited to its own processing

operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data

subject so expressly wishes and if permitted by national law.

Clause 4

The data exporter agrees and warrants:

Obligations of the data exporter

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be

carried out in accordance with the relevant provisions of the applicable data protection law (and, where

applicable, has been notified to the relevant authorities of the Member State where the data exporter is

established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the

data importer to process the personal data transferred only on the data exporter's behalf and in accordance

with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational

security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are

appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration,

unauthorised disclosure or access, in particular where the processing involves the transmission of data over

a network, and against all other unlawful forms of processing, and that these measures ensure a level of

security appropriate to the risks presented by the processing and the nature of the data to be protected having

regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed

before, or as soon as possible after, the transfer that its data could be transmitted to a third country not

providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b)

and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the

transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix

2, and a summary description of the security measures, as well as a copy of any contract for subprocessing

services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain

commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by

a subprocessor providing at least the same level of protection for the personal data and the rights of data

subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

The data importer agrees and warrants:

Obligations of the data importer2

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and

the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the

data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer

of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions

received from the data exporter and its obligations under the contract and that in the event of a change in

this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided

by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case

the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before

processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

2 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary

in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if

they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation,

detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important

economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are

not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not

go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting

requirements or anti-money-laundering reporting requirements.

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise

prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement

investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has

been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the

personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to

the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities

covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of

independent members and in possession of the required professional qualifications bound by a duty of

confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory

authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for

subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove

such commercial information, with the exception of Appendix 2 which shall be replaced by a summary

description of the security measures in those cases where the data subject is unable to obtain a copy from

the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written

consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations

referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation

from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the

data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations

referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist

in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the

data importer as if it were the data exporter, unless any successor entity has assumed the entire legal

obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce

its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own

liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in

paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in

Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or

ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a

claim against the data subprocessor with regard to its own processing operations under the Clauses as if it

were the data exporter or the data importer, unless any successor entity has assumed the entire legal

obligations of the data exporter or data importer by contract or by operation of law, in which case the data

subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own

processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or

claims compensation for damages under the Clauses, the data importer will accept the decision of the data

subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory

authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural

rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests

or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of

any subprocessor, which has the same scope and is subject to the same conditions as would apply to an

audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to

it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor,

pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in

Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established. .

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business

related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data

exporter under the Clauses without the prior written consent of the data exporter. Where the data importer

subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by

way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor

as are imposed on the data importer under the Clauses3. Where the subprocessor fails to fulfil its data

protection obligations under such written agreement the data importer shall remain fully liable to the data

exporter for the performance of the subprocessor's obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-

party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the

claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer

because they have factually disappeared or have ceased to exist in law or have become insolvent and no

successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or

by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing

operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1

shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by

the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available

to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer

and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and

the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter

that it has done so, unless legislation imposed upon the data importer prevents it from returning or

destroying all or part of the personal data transferred. In that case, the data importer warrants that it will

guarantee the confidentiality of the personal data transferred and will not actively process the personal data

transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the

supervisory authority, it will submit its data processing facilities for an audit of the measures referred to

in paragraph 1.

3 This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter

and the data importer under this Decision.