DATA PROCESSING AGREEMENT
Last Updated: December 1, 2024
This Data Processing Agreement (this “DPA”) supplements the Consulting Master Services Agreement (“Agreement”) between Platinum Equity Advisors, LLC (“Platinum”) and Consultant and sets forth Platinum’s instructions for and governs Consultant’s Processing of Personal Data (as such terms are defined below in this DPA). Except as expressly set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. Capitalized terms not defined in this DPA will have the meanings given to them in the Agreement. In the event of a conflict between this DPA and the terms of the Agreement, this DPA will control.
For the purposes of this DPA, the following terms shall have the corresponding meanings given to them below. All other capitalized terms used in this DPA but not defined in this DPA or in the Agreement shall have the corresponding meanings given to them in Data Protection Laws (as defined below).
“Business” means the sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects Consumers’ Personal Data or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the Processing of Consumers’ Personal Data.
“Business Purpose” means the use of Personal Data for the Business’s operational purposes, or other notified purposes, or for the Service Provider’s operational purposes, as defined by regulations adopted pursuant to paragraph (11) of subdivision (a) of Section 1798.185, provided that the use of Personal Data shall be reasonably necessary and proportionate to achieve the purpose for which the Personal Data was collected or processed or for another purpose that is compatible with the context in which the Personal Data was collected, including performing Services on behalf of the Business.
“Consumer” means a natural person who is a California resident.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Controller to Processor Clauses” means (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time.
“Data Protection Laws” means the EU/UK Privacy Laws, US Privacy Laws, the Swiss Data Protection Law, the Singapore Personal Data Protection Act and its subsidiary legislation (each as applicable), and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, replaced or superseded from time to time.
“Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“EEA” means the European Economic Area.
“EU/UK Privacy Laws” means, as applicable: (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Personal Data” means any “personal information” or “personal data”, as defined by the applicable Data Protection Laws, including without limitation any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Processor or any other meaning given in applicable Data Protection Laws.
“Process, Processing, or Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processing Activities” refers to the processing activities to be described by the parties in the Agreement and the Statement(s) of Work, as set out in the Annexes.
“Processor” or “Data Intermediary” means the entity acting on behalf of the Controller.
“Processor to Processor Clauses” means (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
“Service Provider” or “Contractor” means the entity acting on behalf of the Business.
“Subprocessors” means any third party (including Consultant’s affiliates) engaged by Consultant to carry out its obligations under the Agreement and the Statement(s) of Work.
“Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.
“US Privacy Laws” means, as applicable, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act.
AMENDMENTS
Platinum and Consultant agree that Platinum Equity Advisors, LLC may, in its reasonable business judgement and upon ten (10) days’ prior notice to Consultant, amend this DPA in accordance with any updates or amendments to or new interpretations of Data Protection Laws.
DETAILS OF PROCESSING
Platinum and Consultant agree that the details of processing are as described in Annex I.
OBLIGATIONS OF CONSULTANT
Consultant acknowledges that the protection of Personal Data is of high importance to Platinum, in particular considering the impact that a Consultant’s breach of its obligations in relation to the Personal Data could have on Platinum’s image, reputation and assets.
Consultant shall act as a Service Provider, Contractor, Processor, Data Intermediary or any similar term provided under Data Protection Laws and Platinum shall be considered the Business, Service Recipient, Controller or any similar term provided under Data Protection Laws, and each shall comply with its respective obligations under applicable Data Protection Laws. Consultant shall carry out any Processing of the Personal Data only in accordance with Platinum’s documented instructions, for the limited and specific purposes of performing the services set forth in the Agreement (the “Services”) and for no other purposes than the ones expressly defined and approved by Platinum, unless required to do so by law (in such a case, Consultant shall inform Platinum of that legal requirement before processing, unless that law prohibits Consultant from doing so on important grounds of public interest.)
Consultant shall notify Platinum (i) immediately if Consultant, on the instruction of Platinum, infringes applicable EU/UK Privacy Laws and (ii) otherwise without undue delay if it makes a determination that it can no longer meet its obligations under other applicable Data Protection Laws.
To the extent required by US Privacy Laws, and upon reasonable written notice that Platinum reasonably believes Consultant is using Personal Data in violation of Data Protection Laws or this DPA, Consultant shall grant Platinum the right to take reasonable and appropriate steps to help ensure that Consultant uses the Personal Data in a manner consistent with Platinum’s obligations under Data Protection Laws, and stop and remediate any unauthorized use of the Personal Data.
Consultant shall require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data in accordance with the provisions of this DPA, and is appropriately trained on their obligations when Processing the Personal Data.
Consultant shall not: (i) sell or share the Personal Data; (ii) retain, use, disclose or otherwise process the Personal Data for any purpose other than for the specific Business Purpose expressly defined and approved by Platinum in the Agreement and the Statement(s) of Work; (iii) retain, use, disclose or otherwise process the Personal Data outside of the direct business relationship between Consultant and Platinum; or (iv) combine the Personal Data that Consultant receives from Platinum with Personal Data that it receives from others or that it collects on its own, provided, that Consultant may combine Personal Data to perform any Business Purpose as permitted under the applicable Data Protection Laws and documented in and authorized by Platinum in the Agreement and the Statement(s) of Work.
Consultant guarantees to Platinum that it has in place, and will implement and maintain throughout the term of the Agreement and the term of each Statement of Work appropriate technical, organizational and contractual measures, including (as the case may be) but not limited to those provided for in the Agreement, to ensure the security of the Personal Data and to prevent unauthorized or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data. Such technical, organizational and contractual measures set out in this Agreement or otherwise agreed upon by the Consultant and Platinum shall (i) take into account the nature of the Personal Data, the risks that are presented by the Processing Activities, the harm that might result from unauthorized or unlawful Processing or accidental loss or destruction of, or damage to, the Personal Data, as well as the state of the art, the best practices and the highest technical standards; (ii) be designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the Processing in order to meet the requirements of Data Protection Laws; and (iii) ensure that, by default, only the Personal Data which are necessary are Processed for the purposes defined by Platinum. On request, Consultant shall provide Platinum with a then current written description of the security measures being taken. In any event, Consultant shall not decrease the security level accorded to the Personal Data during the term of the Agreement and the term of each Statement of Work.
Consultant shall also:
notify Platinum about any request of communication of the Personal Data it may receive from third parties, public authorities or jurisdictions, as well as about any action and/or measures initiated by such third parties, authorities or jurisdictions regarding the Processing of the Personal Data (to the extent legally permissible);
promptly notify Platinum about any Data Subject’s request and/or complaint it may receive in relation to the Personal Data and assist Platinum to investigate and deal with such request and/or complaint. In any case, Consultant shall not revert to or otherwise communicate with Data Subjects about the Personal Data unless otherwise instructed by Platinum;
comply with any request of Platinum in relation to the access, rectification, erasure, blocking, restoring, deletion and objection of Personal Data, and ensure the portability and the right to be forgotten of the Personal Data, as well as any other requests and rights under applicable Data Protection Laws as they may be amended from time to time;
promptly notify Platinum of any change that may impact the Processing of the Personal Data;
reasonably and appropriately cooperate with Platinum to enable it to comply with Data Protection Laws and to assess and document the compliance of the Processing of the Personal Data with Data Protection Laws and this section, including by providing to Platinum any information that Platinum may need or that may be necessary;
immediately inform Platinum in writing if it believes that Platinum’s instructions with respect to the Processing of the Personal Data infringes any applicable Data Protection Laws and include sufficient details for Platinum to assess the basis of such belief;
implement reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure;
assist Platinum in notifying relevant competent authorities and/or affected individuals of Personal Data Breaches, and conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities; and
assist Platinum by entering into this DPA.
SUBPROCESSING PERSONAL DATA
Platinum hereby grants Consultant general written authorization to engage the Subprocessors set out in Annex III, subject to the requirements of this Section 5. Except as permitted in Annex III or below in Section 5.b (iv), Consultant shall not engage any Subprocessors to process Personal Data.
To the extent Consultant engages any Subprocessors to process Personal Data on its behalf as permitted in this DPA, Consultant shall:
engage Subprocessor only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant Subprocessor than the obligations on Consultant under this DPA;
ensure that persons authorized to carry out Processing of the Personal Data are bound by confidentiality obligations equivalent to those set out in the Agreement;
ensure that any Subprocessor’s personnel are duly trained on their obligations when Processing the Personal Data;
if Consultant intends to make any changes concerning the addition or replacement of any Subprocessor, it shall provide Platinum with 20 business days’ prior written notice, during which Platinum can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Data Protection Laws (and if Platinum does not so object, Consultant may proceed with the appointment or replacement); and
provide to Platinum, at Platinum’s request, a copy of the contract with the Subprocessors which carry out Processing of the Personal Data or, failing that, a description of the essential elements of the contract, including the obligations related to the protection of the Personal Data.
In any event, Consultant shall remain fully liable to Platinum for the performance of the Subprocessors as if any act or omission of the Subprocessors were conducted by Consultant.
TRANSFERRING PERSONAL DATA
Consultant undertakes not to and shall procure that its Subprocessors do not transfer the Personal Data out of the EEA or Singapore or allow access to the Personal Data from territories outside of the EEA or Singapore, where applicable, without Platinum’s prior written consent. Consultant shall request such prior consent by notifying Platinum with a reasonable prior notice and with all relevant information relating to the purpose of such transfer and the country where the Personal Data would be transferred.
In light of the information provided by Consultant, if Platinum agrees to consider such transfer, Consultant shall facilitate the implementation of the measures defined by Platinum to ensure an adequate level of protection to the transferred Personal Data required under applicable Data Protection Laws, including the execution of the EU Standard Contractual Clauses (Controller to Processor) (Commission Implementing Decision (EU) 2021/914) and UK Addendum, or a data processing agreement compliant with the Singapore Personal Data Protection Act, as applicable.
To the extent Consultant Processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, Consultant shall comply with the data importer’s obligations and Platinum shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:
for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, Platinum is a controller and Consultant is a processor, and the parties, contact person’s details and processing details set out in the Agreement, this DPA and Annex I shall apply and the Start Date is the effective date of the Agreement, and the signature(s) (in any form) given in connection with the execution of this Agreement by a party and the dates of such signature(s) shall apply as the dated signature required from that party;
if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 13;
for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organizational security measures, and the technical and organizational measures taken by Consultant to assist Platinum, as each are set out in Annex II, shall apply;
if applicable, for the purposes of Annex III or Part 1 (as relevant) of such Controller to Processor Clauses, the list of authorised sub-contractors set out in Schedule 4 (Authorised Sub-contractors) shall apply; and
if applicable, for the purposes of: (i) Clause 9, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 8 shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I, Section C., the competent supervisory authority shall be the Data Protection Commission Ireland; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be the law and courts of Ireland; (vi) Part 1, Platinum as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.
To the extent Consultant is authorized to appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, Consultant shall execute the Processor to Processor Clauses with any relevant Subprocessor (including affiliates) it appoints on behalf of Platinum.
In any case, Consultant will be entitled to proceed with a transfer only as and when (i) the transfer has been expressly approved by Platinum and (ii) the above-mentioned measures have been duly implemented to the satisfaction of Platinum. For the avoidance of doubt, Consultant shall bear any cost arising from such transfer, including in relation to the implementation of the above-mentioned measures.
DATA PROTECTION AUDITS
Upon the reasonable request of Platinum, Consultant shall make available to Platinum such information in its possession as is reasonably necessary to demonstrate Consultant’s compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Platinum or another auditor mandated by Platinum and reasonably accepted by Consultant. Platinum shall be permitted to conduct such an assessment no more than once every 12 months, upon 30 days’ advance written notice to Consultant, and only after Platinum and Consultant have come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. As an alternative to an audit performed by or at the direction of Platinum, to the extent permitted by Data Protection Laws, Consultant may arrange for a qualified and independent auditor to conduct, at Consultant’s expense, an assessment of Consultant’s policies and technical and organizational measures in support of its obligations under Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment, and will provide a report of such assessment to Platinum upon reasonable request. Notwithstanding the foregoing, in no event shall Consultant be required to give Platinum access to information, facilities or systems to the extent doing so would cause Consultant to be in violation of confidentiality obligations owed to other Platinum’s or its legal obligations.
PERSONAL DATA BREACH
In addition to the requirements set forth in the Agreement, in the event Consultant identifies or believes that there has been any Personal Data Breach, Consultant shall promptly notify Platinum by providing notice by email to databreach@platinumequity.com (or to such other address(es) as Platinum shall designate to Consultant in writing from time to time), and in any event, shall inform Platinum within twenty-four (24) hours after becoming aware of such Personal Data Breach. In such circumstances, Consultant shall at least share the following information with Platinum:
the name and contact details of the data protection officer or other contact point where more information can be obtained;
the nature of the Personal Data Breach, including but not limited to the categories and number of Data Subjects and the types and volume of Personal Data concerned by the Personal Data Breach;
a chronological account, including the date on which and the circumstances in which Consultant discovered the Personal Data Breach and the steps taken thereafter;
a description of how the Personal Data Breach occurred;
a description of the measures Platinum could take to mitigate the possible adverse effects of the Personal Data Breach and to prevent another potential Personal Data Breach;
the consequences of the Personal Data Breach;
the measures proposed or taken by Consultant following the Personal Data Breach, including to eliminate or mitigate any potential harm to any affected Data Subjects, to address or remedy any failure or shortcoming that caused the Personal Data Breach and to prevent any new occurrence.
In any case, Platinum and Consultant shall actively cooperate with each other, and Consultant shall (and procure that its Subprocessors shall) provide any information necessary for Platinum to notify or respond to competent authorities or Data Subjects. Platinum shall first approve any public communication and/or official notification to competent authority or to Data Subjects regarding such potential or actual Personal Data Breach.
RETURN OR DESTRUCTION OF PERSONAL DATA
Upon Platinum’s request and at any time during the term of the Agreement and the term of each Statement of Work, Consultant shall promptly provide to Platinum a copy of the Personal Data it Processes in a format prescribed by Platinum.
Upon termination or expiry of the Agreement and each Statement of Work, Consultant shall cease immediately any Processing of the Personal Data and shall, upon Platinum’s request, return and/or delete the Personal Data no later than one (1) month following Platinum’s request. In case of return to Platinum, following Platinum’s issuance of a receipt of acknowledgement of the restitution, Consultant shall destroy all Personal Data (including but not limited to any file containing the Personal Data) within forty-eight (48) hours after the issuance of the above-mentioned Platinum’s receipt and prove to Platinum that such destruction did take place. Should the law prevent Consultant from deleting all or part of the Personal Data, Consultant shall inform Platinum of such requirements and implement, at its costs, the relevant anonymization or pseudo-anonymization measures.
Description of Processing Activities Template
LIST OF PARTIES
DATA EXPORTER: Platinum (Controller)
DATA IMPORTER: Consultant (Processor)
DESCRIPTION OF TRANSFER
Nature of the Processing:
The Processing to be carried out by Consultant is as follows:
On behalf of Platinum, collection, review, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation and use of the Personal Data (as described below), only for the Purpose defined below, as well as deletion of the Personal Data in accordance with Platinum’s instructions at the end of the Processing duration as set out below.
Purposes of the Processing:
The Personal Data will be Processed for the purpose of providing the Services, as set forth in the Agreement or Statement of Work, as applicable (the “Purpose”).
(CHECK ALL THAT APPLY):
The categories of Personal Data that will be Processed for the purpose of providing the Services are set forth in the Agreement or Statement of Work.
Categories of Data Subjects (CHECK ALL THAT APPLY):
The categories of Data Subjects about whom Personal Data will be Processed are set forth in the Agreement or Statement of Work.
Duration of the Processing:
Purpose of the Processing | Duration of the Processing
the Purpose | The duration during which the Processing is necessary to provide the relevant Services
COMPETENT SUPERVISORY AUTHORITY
Data Protection Commission Ireland
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Consultant shall comply with those security measures and confidentiality obligations specified in the Agreement and each Statement of Work and those communicated to Consultant from time to time during the term of the Agreement and each Statement of Work.
OTHER REQUIREMENTS
In addition to the requirements specified in the Agreement and each Statement of Work, Consultant shall comply with the following: Not applicable.
ANNEX III
LIST OF SUBPROCESSORS
The Subprocessors of Consultant authorized by Platinum are set forth in the applicable Statement of Work.
© Copyright 2024, Platinum Equity Advisors, LLC. All Rights Reserved.