DATA PROCESSING ADDENDUM This Data Processing Addendum (the "Addendum") forms a part of the Heroic Cloud Terms (https://cloud.heroiclabs.com/terms.txt) or other agreement executed by the Parties that references this Addendum (the "Agreement") between GameUp Online, Inc. d/b/a Heroic Labs ("Heroic," "We," "Us" or "Our") and Customer (together with Heroic, the "Parties"). 1. Subject Matter and Duration. 1. Subject Matter. This Addendum reflects the Parties' commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control. For purposes of Data Protection Laws, Heroic is the "data processor" and Customer is the "data controller". 2. Duration and Survival. This Addendum will become legally binding between the Parties upon the effective date of the Agreement. Heroic will Process Customer Personal Data until the relationship terminates as specified in the Agreement or as otherwise directed by Customer. Heroic's obligations and Customer's rights under this Addendum will continue in effect so long as Heroic Processes Customer Personal Data. 2. Definitions. For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply. 3. "Customer" means the entity that executed the Agreement. 4. "Customer Personal Data" means Personal Data Processed by Heroic on behalf of Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A attached hereto. 5. "Data Protection Laws" means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. "Data Protection Laws" shall include, but not be limited to, the California Consumer Privacy Act of 2018 ("CCPA"), and the EU General Data Protection Regulation 2016/679 ("GDPR"). 6. "Personal Data" shall have the meaning assigned to the terms "personal data" and/or "personal information" under Data Protection Laws. 7. "Process," "Processes," "Processing," "Processed" means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. 8. "Security Incident(s)" means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. 9. "Services" means any and all products and services that Heroic provides and/or performs under the Agreement, including the Heroic Cloud. 10. "Subprocessor(s)" means Heroic's authorized contractors, agents, vendors and third-party service providers (i.e., sub-processors) that Process Customer Personal Data. 3. Data Use and Processing. 1. Documented Instructions. Heroic and its Subprocessors shall Process Customer Personal Data solely for the purpose of providing the Services to Customer, and solely to the extent necessary to provide the Services to Customer, in each case, in accordance with the Agreement, this Addendum and Data Protection Laws. Heroic will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer's instructions. 2. Authorization to Use Subprocessor. To the extent necessary to fulfill Heroic's contractual obligations under the Agreement or any SOW or ordering document executed in connection therewith, Customer hereby authorizes Heroic to engage Subprocessors. Any Subprocessor Processing of Customer Personal Data shall be consistent with Customer's instructions, the Agreement, this Addendum, and shall comply with Data Protection Laws. For the avoidance of doubt, Heroic is not responsible or liable for the acts or omissions of any subprocessors chosen by Customer. 3. Heroic and Subprocessor Compliance. Heroic shall (i) enter into a written agreement with Subprocessors regarding such Subprocessor's Processing of Customer Personal Data that imposes on such Subprocessors (and their sub-processors) data protection and security requirements for Customer Personal Data that are at least as restrictive as the obligations in this Addendum; and (ii) remain responsible to Customer for Heroic's Subprocessors' failure to perform their obligations with respect to the Processing of Customer Personal Data. Heroic shall flow down all material obligations in this Addendum to Subprocessors regarding, among other things: (i) Customer Personal Data and (ii) all Customer's and Customer's regulator's rights regarding review and audit. 4. Right to Object to Subprocessor. Heroic shall make available to Customer a list of Subprocessors that Process Customer Personal Data upon reasonable request. Prior to engaging any new Subprocessors that Process Customer Personal Data, Heroic will notify Customer via email and allow Customer 30 days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the Parties will work together in good faith to resolve the grounds for the objection for no fewer than 30 days, and failing any such resolution, Customer may terminate the part of the Services performed under the Agreement that cannot be performed by Heroic without use of the objectionable Subprocessor. Heroic shall refund any pre-paid fees to Customer in respect of the terminated part of the Services. 5. Confidentiality. Any person or Subprocessor authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality. 6. Personal Data Inquiries and Requests. Heroic agrees to provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws. 7. Sale of Customer Personal Data Prohibited. Heroic shall not sell Customer Personal Data as the term "sell" is defined by the CCPA. Heroic shall not disclose or transfer Customer Personal Data to a Subprocessor or other parties that would constitute "selling" as the term is defined by the CCPA. Notwithstanding anything in the Agreement or any SOW or ordering document entered into in connection therewith, the Parties acknowledge and agree that Heroic's access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. 8. Data Protection Impact Assessment and Prior Consultation. Heroic agrees to provide reasonable assistance at Customer's expense to Customer where, in Customer's judgement, the type of Processing performed by Heroic requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities. 9. Demonstrable Compliance. Heroic agrees to keep records of its Processing in compliance with Data Protection Laws and provide any necessary records to Customer to demonstrate compliance upon reasonable request. 4. Cross-Border Transfers of Personal Data. 1. Cross-Border Transfers of Personal Data. Customer authorizes Heroic and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States. Where required, cross-border transfers of Customer Personal Data must be supported by an approved adequacy mechanism. 2. Standard Contractual Clauses. Customer acknowledges that Heroic processes Customer Personal Data in a country that has not been designated under GDPR as providing an adequate level of protection for personal data and Heroic and Customer agree that the European Commission Implementation Decision C(2021)3972final Standard Contractual Clauses (Module 2) for Controllers to Processors ("Model Clauses") support the transfer of Customer Personal Data, the terms of which are herein incorporated by reference. Pursuant to clause 9(a) of the Model Clauses, Customer agrees that Heroic may engage new Subprocessors in accordance with Section 3.2 – 3.4 of this Addendum. The optional clauses are expressly not included. Each party's signature to this Addendum shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents. 5. Information Security Program. 1. Heroic agrees to implement appropriate technical and organizational measures to protect Customer Personal Data (the "Information Security Program"). At a minimum, such measures shall include: 1. Pseudonymisation of Customer Personal Data where appropriate, and encryption of Customer Personal Data in transit; 2. The ability to ensure the ongoing confidentiality, integrity, availability of Heroic's Processing and Customer Personal Data; 3. The ability to restore the availability and access to Customer Personal Data in the event of a physical or technical incident; 4. A process for regularly testing, assessing and evaluating the effectiveness of the Heroic's Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. 6. Security Incidents. 1. Security Incident Procedure. Heroic will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner. 2. Notice. Heroic agrees to provide prompt written notice without undue delay (and in any event within 48 hours) to Customer's Designated POC if it verifies that a Security Incident has taken place. Such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. 7. Audits. 1. Right to Audit; Permitted Audits. In addition to any other audit rights described in the Agreement, Customer and its regulators shall have the right, upon at least 30 days' prior written notice, to an on-site audit (at a date and time mutually agreed upon) of Heroic's architecture, systems, policies and procedures relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator: 1. Following any notice from Heroic to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data; 2. Upon Customer's that Heroic is not in compliance with Data Protection Laws, this Addendum or its security policies and procedures under the Agreement; 3. As required by governmental regulators; and 4. For compliance purposes, once annually. 2. Audit Terms. Any audits described in this Section shall be: 1. Conducted by Customer or its regulator, or through a third-party independent contractor selected by one of these parties and paid for by Customer; 2. Conducted during reasonable times; 3. To the extent possible, conducted upon reasonable advance notice (but no less than 30 days' prior notice) to Heroic and once per calendar year; and 4. Of reasonable duration and shall not unreasonably interfere with Heroic's day-to-day operations. 3. Third Parties Auditor. In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Heroic's and Heroic's customers' confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement. 4. Audit Results. Upon Heroic's request, after conducting an audit, Customer shall notify Heroic of the manner in which Heroic does not comply with any of the applicable security, confidentiality or privacy obligations or Data Protection Laws herein. Upon such notice, Heroic shall make any reasonable necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six months of Heroic's notice of completion of any necessary changes. To the extent that a Customer audit identifies any material security vulnerabilities, Heroic shall remediate those vulnerabilities within a commercially reasonable amount of time of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time. 8. Data Storage and Deletion. 1. Data Storage. Heroic will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement. 2. Data Deletion. Heroic will abide by the following with respect to deletion of Customer Personal Data: 1. Within a reasonable amount of time after the Agreement's expiration or termination, or sooner if requested by Customer, Heroic will securely destroy (per subsection 8.2.3 below) all copies of Customer Personal Data (including automatically created archival copies). 2. Upon Customer's request, Heroic will promptly return to Customer a copy of all Customer Personal Data within 30 days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above. 3. Customer Personal Data shall be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media (e.g., NIST SP 800-88). 4. Upon Customer's request, Heroic will provide a "Certificate of Deletion" certifying that Heroic has deleted all Customer Personal Data. Heroic will provide the "Certificate of Deletion" within 30 days of Customer's request. 9. Limitation of Liability. 1. The Limitation of Liability provision set forth in the Agreement will apply to this Addendum. 10. Contact Information. 1. Heroic and the Customer agree to designate a point of contact for urgent privacy and security issues (a "Designated POC"). The Designated POC for both parties are: Heroic Designated POC: Andrei Mihu; andrei@heroiclabs.com Customer Designated POC: Customer's administrator of its Heroic Labs' account Exhibit A 1.1 Subject Matter of Processing The subject matter of Processing is the Services pursuant to the Agreement. 1.2 Duration of Processing The Processing will continue until the expiration or termination of the Agreement. 1.3 Categories of Data Subjects May include, but is not limited to, the following: * Customer (who may be natural persons) * Employees, subcontractors, independent contractors, agents and representatives of Customer (who may be natural persons) * End Users of Customer (who may be natural persons) * 1.4 Nature and Purpose of Processing The purpose of Processing of Customer Personal Data by Heroic is the performance of the Services pursuant to the Agreement. 1.5 Types of Personal Data May include, but is not limited to, the following: * First and last name, * Title * Position * Employer * Contact information (such as email, phone, physical address) * Electronic identification data (such IP addresses and mobile device IDs) * Payment data (such as last four of credit card, expiration, card type) * Any information uploaded or transmitted by a natural person to the Services