Data Processing Agreement
Effective Date: October 1, 2025
Last Updated: October 1, 2025
This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service (collectively, the "Agreement") between Relevant Labs, Inc. ("Relevant," "Processor," or "Service Provider") and the customer identified in the Agreement ("Customer," "Controller," or "Business"). This DPA governs the processing of Personal Data by Relevant on behalf of Customer in connection with the Services.
Company Information:
Relevant Labs, Inc.
131 Continental Dr, Suite 305
Newark, Delaware 19713
Email: privacy@getrelevant.ai
1. Definitions and Interpretation
1.1 Definitions
Terms used but not defined in this DPA have the meanings given in the Agreement.
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including:
- General Data Protection Regulation (EU) 2016/679 ("GDPR")
- UK GDPR and Data Protection Act 2018
- California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA")
- Personal Information Protection and Electronic Documents Act ("PIPEDA")
- Other applicable privacy and data protection laws
"Controller" or "Data Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, Customer is the Controller with respect to Personal Data in Customer Content.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Personal Data" means any information relating to an identified or identifiable natural person that is submitted by Customer or Authorized Users as part of Customer Content, including but not limited to:
- Names, email addresses, and contact information
- Business information and professional details
- User behavior and usage data
- Any other information that identifies or could identify a natural person under Applicable Data Protection Law
"Processing" or "Process" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, combination, erasure, or destruction.
"Processor" or "Data Processor" means an entity that processes Personal Data on behalf of the Controller. Under this DPA, Relevant is the Processor with respect to Personal Data in Customer Content.
"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission or other relevant authorities.
"Subprocessor" means any third party engaged by Relevant to process Personal Data on behalf of Customer.
1.2 Interpretation
References to "Personal Data," "Data Subject," "Controller," "Processor," and "Processing" shall be interpreted in accordance with Applicable Data Protection Law. Where CCPA/CPRA applies, these terms correspond to "Personal Information," "Consumer," "Business," "Service Provider," and "Processing" or "Selling," as applicable.
2. Scope and Roles
2.1 Scope of Processing
This DPA applies only to Relevant's processing of Personal Data on behalf of Customer as part of providing the Services described in the Agreement.
In-Scope Processing: Personal Data that Customer submits to the Services, including:
- Contact information of Customer's personnel and Authorized Users
- Business data containing Personal Data (e.g., customer names in analytics)
- Information submitted through monitoring and optimization features
- Communications and support interactions
Out-of-Scope Processing: This DPA does not apply to:
- Personal Data that Relevant collects directly as an independent controller (e.g., account contact information, billing data, website visitor data)
- Anonymized, aggregated, or de-identified data that cannot identify individuals
- Telemetry and usage analytics that do not contain Personal Data
2.2 Roles and Responsibilities
Customer as Controller/Business:
- Determines the purposes and means of processing Personal Data
- Is responsible for complying with Applicable Data Protection Law
- Must provide privacy notices and obtain necessary consents
- Must ensure it has a legal basis to process and share Personal Data with Relevant
- Is responsible for responding to data subject requests (with assistance from Relevant as described below)
Relevant as Processor/Service Provider:
- Processes Personal Data only on behalf of and as instructed by Customer
- Implements appropriate technical and organizational security measures
- Assists Customer in complying with data protection obligations
- Does not sell, share, or retain Personal Data for purposes other than providing the Services
2.3 Nature and Purpose of Processing
Purpose: To provide the Services as described in the Agreement, including:
- AI discovery monitoring and optimization
- Content generation and recommendations
- Competitive intelligence and analytics
- Technical support and customer service
- Service improvement and development
Nature of Processing: Collection, storage, analysis, modification, transmission, and deletion of Personal Data.
Categories of Data Subjects:
- Customer's employees, contractors, and representatives
- Customer's Authorized Users
- Individuals referenced in Customer Content (e.g., customer names, contact persons)
Types of Personal Data:
- Identification data (names, email addresses, job titles)
- Professional information (company names, roles)
- Contact data (phone numbers, addresses)
- Account credentials (usernames, encrypted passwords)
- Usage data (login times, feature usage, clicks)
- Communications (support messages, feedback)
- Any other Personal Data Customer chooses to submit
Duration of Processing: For the term of the Agreement and as specified in Section 10 (Data Retention and Deletion).
3. Customer Instructions and Processing
3.1 Processing Instructions
Relevant shall process Personal Data only:
- As instructed by Customer through use of the Services and as described in the Agreement and this DPA
- As necessary to comply with applicable laws (in which case Relevant shall notify Customer unless legally prohibited)
- As otherwise agreed in writing between the parties
The Agreement (including this DPA) constitutes Customer's complete and final instructions for processing Personal Data. Processing outside these instructions requires prior written agreement.
3.2 Compliance with Instructions
If Relevant believes that any instruction from Customer violates Applicable Data Protection Law, Relevant shall:
- Promptly inform Customer of this assessment
- Suspend processing of the relevant Personal Data until the instruction is clarified or withdrawn
- Not be liable for any failure to process Personal Data as a result of such suspension
3.3 Prohibited Data
Customer must not submit the following types of Personal Data to the Services unless explicitly authorized in writing by Relevant:
- Special Category Data (GDPR): Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation
- Sensitive Personal Information (CCPA): Social security numbers, driver's license numbers, passport numbers, financial account numbers, precise geolocation data, genetic data, biometric data processed to identify individuals, health information, or information concerning sex life or sexual orientation
- Children's Data: Personal Data of individuals under 13 years of age (or 16 in the EEA/UK)
- Protected Health Information: Data subject to HIPAA
- Payment Card Data: Credit card numbers, CVV codes, or other cardholder data subject to PCI-DSS
- Student Records: Data subject to FERPA
If Customer submits any prohibited data types, Customer shall immediately notify Relevant and:
- Relevant may suspend processing or require immediate deletion
- Customer shall indemnify Relevant for any resulting liabilities
- Relevant may terminate the Agreement immediately
4. Security Measures
4.1 Technical and Organizational Measures
Relevant implements and maintains appropriate technical and organizational security measures to protect Personal Data against Security Incidents, including:
Access Controls:
- Role-based access control (RBAC) limiting access to authorized personnel
- Multi-factor authentication for administrative access
- Regular access reviews and privilege audits
- Immediate revocation of access for departing personnel
Data Security:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256 or equivalent
- Secure key management practices
- Network segmentation and firewall protections
Application Security:
- Secure software development lifecycle practices
- Regular security code reviews
- Input validation and output encoding
- Protection against OWASP Top 10 vulnerabilities
Infrastructure Security:
- Use of reputable cloud infrastructure providers (AWS, Supabase)
- Regular security patching and updates
- Intrusion detection and prevention systems
- DDoS protection and mitigation
Monitoring and Logging:
- Security event logging and monitoring
- Automated alerting for suspicious activities
- Regular review of security logs
- Audit trails for data access and modifications
Incident Response:
- Documented incident response procedures
- Designated security incident response team
- Regular incident response drills
- Post-incident analysis and remediation
Personnel Security:
- Background checks for personnel with access to Personal Data (where legally permitted)
- Confidentiality obligations in employment contracts
- Regular security awareness training
- Principle of least privilege for data access
Physical Security:
- Data centers with physical access controls, surveillance, and security personnel (managed by infrastructure providers)
- Secure disposal of hardware containing Personal Data
- Environmental controls (fire suppression, climate control)
Business Continuity:
- Regular data backups (encrypted and access-controlled)
- Disaster recovery and business continuity plans
- Regular testing of backup and recovery procedures
- Redundant systems and failover capabilities
4.2 Updates to Security Measures
Relevant may update security measures from time to time, provided such updates do not result in a material degradation of the overall security level. Customer will be notified of material changes that may impact data protection.
4.3 Security Assessments
Relevant conducts regular security assessments, including:
- Annual third-party security audits (as resources permit)
- Quarterly vulnerability scans
- Periodic penetration testing
- Security risk assessments
Summaries of security assessments may be provided to Customer upon reasonable request, subject to confidentiality obligations.
4.4 Customer Responsibilities
Customer is responsible for:
- Securing access credentials and ensuring Authorized Users maintain credential security
- Implementing appropriate security measures on Customer's own systems
- Configuring security settings within the Services appropriately
- Promptly notifying Relevant of any suspected security issues
- Ensuring Authorized Users comply with security requirements
5. Subprocessors
5.1 General Authorization
Customer provides general authorization for Relevant to engage Subprocessors to assist in providing the Services, subject to the terms of this Section 5.
5.2 Current Subprocessors
Relevant currently uses the following categories of Subprocessors:
Cloud Infrastructure and Hosting:
- Amazon Web Services (AWS) - United States
- Supabase - United States
AI and Machine Learning Services:
- OpenAI (ChatGPT) - United States
- Anthropic (Claude) - United States
Payment Processing:
- Stripe, Inc. - United States
Communication and Support Services:
- Resend - Email delivery - United States
- Fireflies.ai - Call recording and transcription - United States
Analytics Services:
- Google LLC (Google Analytics) - United States
- [Additional analytics services as implemented]
Customer Relationship Management:
- [To be determined - will update upon selection]
A current list of specific Subprocessors, including their names, locations, and processing activities, is available upon request at privacy@getrelevant.ai.
5.3 Subprocessor Obligations
Relevant shall:
- Enter into written agreements with each Subprocessor imposing data protection obligations substantially similar to those in this DPA
- Ensure Subprocessors implement appropriate technical and organizational security measures
- Remain fully liable to Customer for the performance of Subprocessors' obligations
- Conduct due diligence on Subprocessors before engagement
5.4 New Subprocessor Notification and Objection
Notice: Relevant will provide Customer with at least 30 days' advance notice before engaging any new Subprocessor or materially changing the processing performed by an existing Subprocessor. Notice will be provided by:
- Email to Customer's primary contact
- Update to the Subprocessor list (if published online)
- Notice through the Services dashboard
Objection: Customer may object to a new Subprocessor or change on reasonable data protection grounds by notifying Relevant in writing within 30 days of receiving notice.
Resolution: If Customer objects:
- The parties will work together in good faith to address the concerns
- Relevant may, at its discretion: (a) implement measures to address the objection, (b) not engage the Subprocessor for processing Customer's Personal Data, or (c) allow Customer to terminate the affected Services and receive a pro-rated refund
If Customer does not object within 30 days, Customer is deemed to have consented to the new Subprocessor.
5.5 Subprocessor List Updates
Relevant will maintain an up-to-date list of Subprocessors and make it available upon request. Customer may request the current list at any time by contacting privacy@getrelevant.ai.
6. Data Subject Rights
6.1 Assistance with Data Subject Requests
Relevant will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights to:
GDPR Rights:
- Access their Personal Data
- Rectify inaccurate Personal Data
- Erase Personal Data ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing
- Not be subject to automated decision-making
CCPA/CPRA Rights:
- Know what Personal Information is collected, used, disclosed, or sold
- Access their Personal Information
- Delete Personal Information
- Correct inaccurate Personal Information
- Opt out of sale or sharing of Personal Information
- Limit use of sensitive Personal Information
- Not be discriminated against for exercising rights
PIPEDA Rights:
- Access their Personal Information
- Correct inaccurate Personal Information
- Challenge compliance with PIPEDA
6.2 Process for Data Subject Requests
Received by Customer: If Customer receives a Data Subject request, Customer shall:
- Contact Relevant at privacy@getrelevant.ai for assistance
- Provide sufficient information to identify the Data Subject and the requested action
- Verify the Data Subject's identity before Relevant processes the request
Received by Relevant: If Relevant receives a Data Subject request directly:
- Relevant will promptly notify Customer
- Relevant will not respond to the Data Subject without Customer's prior written consent, except to inform the Data Subject to submit their request to Customer
- Customer remains responsible for responding to the request
Relevant's Assistance: Relevant will:
- Provide Customer with access to Personal Data within the Services (through existing export/access features)
- Assist with deletion or correction of Personal Data upon Customer's verified instruction
- Respond to assistance requests within 15 business days (or sooner if legally required)
- Charge reasonable fees for assistance that requires significant manual effort beyond normal service operations
6.3 Limitations
Relevant is not required to assist with Data Subject requests to the extent:
- The request is manifestly unfounded or excessive
- Complying would violate applicable laws or legal obligations
- The Personal Data is no longer in Relevant's possession or control
- The request relates to Personal Data for which Customer is the Controller and Customer has direct access through the Services
7. Data Breach Notification
7.1 Security Incident Response
Upon becoming aware of a Security Incident affecting Personal Data, Relevant shall:
Immediate Actions:
- Take reasonable steps to contain and mitigate the Security Incident
- Investigate the Security Incident to determine its nature, scope, and impact
- Implement measures to prevent recurrence
Notification to Customer:
- Notify Customer of the Security Incident without undue delay and in any event within 72 hours of becoming aware of it
- Provide notification to Customer's primary contact email and any designated security contact
7.2 Security Incident Information
Relevant's notification shall include, to the extent known and legally permissible:
- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident and mitigate potential adverse effects
- Contact point for further information
- Timeline of events
Relevant may provide information in phases if full details are not immediately available.
7.3 Customer Responsibilities
Upon receiving notification of a Security Incident:
- Customer is responsible for determining whether notification to Data Subjects, supervisory authorities, or other parties is required under Applicable Data Protection Law
- Customer is responsible for making any legally required notifications
- Relevant will reasonably cooperate with Customer's notification efforts
7.4 Security Incident Assistance
Relevant will provide reasonable assistance to Customer in:
- Investigating the Security Incident
- Mitigating harm to affected Data Subjects
- Fulfilling Customer's obligations to notify supervisory authorities and Data Subjects
- Documenting the Security Incident and response
Assistance requiring significant manual effort beyond Relevant's immediate response may be subject to reasonable fees.
7.5 Exclusions
The following do not constitute Security Incidents:
- Unsuccessful attempts to breach security that do not result in unauthorized access to Personal Data
- Incidents caused entirely by Customer or Authorized Users (e.g., Customer sharing credentials)
- Authorized access by Relevant personnel for legitimate service delivery purposes
- Incidents solely affecting availability (service outages) without unauthorized access or disclosure
8. Data Transfers
8.1 Transfers from EEA, UK, and Switzerland
Customer acknowledges that Relevant and its Subprocessors may transfer and process Personal Data in countries outside the European Economic Area (EEA), United Kingdom (UK), and Switzerland, including the United States, which may not provide the same level of data protection.
8.2 Transfer Mechanisms
For transfers of Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, Relevant relies on the following mechanisms:
Standard Contractual Clauses: The parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission Decision 2021/914 of June 4, 2021, which are incorporated into this DPA by reference and attached as Appendix A.
UK Addendum: For transfers from the UK, the UK International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0) is incorporated by reference.
Swiss Addendum: For transfers from Switzerland, references to GDPR in the Standard Contractual Clauses shall be interpreted as references to Swiss Federal Act on Data Protection, and the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.
8.3 Alternative Transfer Mechanisms
If the Standard Contractual Clauses are invalidated, amended, or replaced, or if other lawful transfer mechanisms become available, Relevant may rely on such alternative mechanisms, provided they offer equivalent protection.
8.4 Supplementary Measures
In addition to Standard Contractual Clauses, Relevant implements supplementary technical and organizational measures to ensure adequate protection, including:
- Encryption of Personal Data in transit and at rest
- Pseudonymization where feasible
- Contractual restrictions on government access to data
- Regular security assessments and audits
- Data minimization practices
8.5 Government Access Requests
If Relevant receives a legally binding request from a government authority to disclose Personal Data:
- Relevant will promptly notify Customer (unless legally prohibited)
- Relevant will challenge the request if there are reasonable grounds to believe it is unlawful
- Relevant will minimize disclosure to the extent legally possible
- Relevant will not provide direct access to Personal Data to government authorities
8.6 Subprocessor Locations
All Subprocessor locations are disclosed in Section 5.2. Most Subprocessors are located in the United States. Customer consents to these transfers subject to the mechanisms described in this Section 8.
9. Audits and Inspections
9.1 Audit Rights
Customer has the right to audit Relevant's compliance with this DPA, subject to the conditions in this Section 9.
9.2 Audit Methods
Customer may exercise audit rights through the following methods:
Option 1 - Documentation Review (Primary Method):
- Customer may request and review Relevant's security documentation, including:
  - Descriptions of technical and organizational measures
  - Security policies and procedures
  - Security certifications (SOC 2, ISO 27001, when obtained)
  - Summaries of third-party security audits
  - Subprocessor documentation
Option 2 - Questionnaire:
- Customer may submit a written questionnaire regarding Relevant's data protection practices
- Relevant will respond within 30 days
Option 3 - On-Site Audit (Limited):
- On-site audits may be conducted only if:
  - Documentation review and questionnaires are insufficient
  - Customer has reasonable grounds to believe Relevant is not complying with this DPA
  - Required by Applicable Data Protection Law or supervisory authority
- Subject to the limitations in Section 9.3
9.3 Audit Conditions
On-site audits are subject to the following:
Frequency: No more than once per year, unless:
- Required by Applicable Data Protection Law
- A Security Incident has occurred
- Ordered by a supervisory authority
Notice: At least 60 days' advance written notice
Scope: Limited to matters directly related to this DPA and processing of Personal Data
Duration: Conducted during business hours and completed within a reasonable timeframe
Confidentiality: Auditors must sign confidentiality agreements
Non-Disruption: Conducted in a manner that minimizes disruption to Relevant's operations
Costs: Customer bears all costs of audits, including Relevant's reasonable costs for time spent facilitating the audit (if significant)
Third-Party Auditors: Customer may use independent third-party auditors approved by Relevant (approval not to be unreasonably withheld)
Security Clearance: Auditors must pass reasonable security screening
9.4 Audit Reports
Following an audit:
- Customer will provide Relevant with a copy of the audit report
- The audit report is considered Customer's Confidential Information
- Customer will provide Relevant reasonable opportunity to address any findings
- If material non-compliance is found, Relevant will prepare a remediation plan within 30 days
9.5 Alternative Compliance Evidence
In lieu of an on-site audit, Relevant may, at its discretion, provide:
- Third-party audit reports (SOC 2 Type II, ISO 27001, etc.)
- Summary reports from independent security assessments
- Responses to industry-standard security questionnaires (CAIQ, SIG, etc.)
10. Data Retention and Deletion
10.1 Retention During Term
During the term of the Agreement, Relevant will retain Personal Data as necessary to provide the Services and as directed by Customer through use of the Services.
10.2 Deletion or Return Upon Termination
Upon termination or expiration of the Agreement:
30-Day Export Period: Customer may export Personal Data for 30 days following termination (if termination is not due to Customer's breach).
Deletion Timeline: Within 90 days of termination, Relevant will delete or anonymize all Personal Data, except:
- Personal Data required to be retained for legal, regulatory, accounting, or tax purposes
- Personal Data in backup systems (deleted within 180 days)
- Anonymized, aggregated, or de-identified data that cannot identify individuals
Certification: Upon Customer's written request, Relevant will provide written certification of deletion.
10.3 Customer-Requested Deletion
Customer may request deletion of specific Personal Data at any time by:
- Using self-service deletion features in the Services
- Contacting privacy@getrelevant.ai with specific deletion instructions
Relevant will process deletion requests within 30 days.
10.4 Legal Hold
If Relevant is subject to a legal hold, preservation order, or other legal obligation to retain Personal Data, Relevant:
- Will notify Customer (unless legally prohibited)
- Will retain only the minimum Personal Data required
- Will resume deletion once the legal obligation ends
10.5 Backup Retention
Personal Data in backup systems is retained for disaster recovery purposes and is:
- Encrypted and access-controlled
- Not used for operational purposes
- Deleted according to backup rotation schedules (maximum 180 days)
11. GDPR-Specific Terms
This Section 11 applies only to the extent that the GDPR applies to the processing of Personal Data under this DPA.
11.1 Roles
For purposes of the GDPR:
- Customer is the Data Controller
- Relevant is the Data Processor
- Authorized Users whose Personal Data is processed in connection with their use of the Services are Data Subjects
11.2 Data Controller Obligations
Customer acknowledges that it is responsible for:
- Determining the lawful basis for processing (Article 6 GDPR)
- Providing privacy notices to Data Subjects (Articles 13-14 GDPR)
- Obtaining consent where required
- Conducting Data Protection Impact Assessments where required (Article 35 GDPR)
- Maintaining records of processing activities (Article 30 GDPR)
- Appointing a Data Protection Officer if required (Article 37 GDPR)
11.3 Data Processor Obligations
Relevant acknowledges that it will:
- Process Personal Data only on documented instructions from Customer (Article 28(3)(a))
- Ensure personnel processing Personal Data are subject to confidentiality obligations (Article 28(3)(b))
- Implement appropriate technical and organizational measures (Article 28(3)(c) and Article 32)
- Respect conditions for engaging Subprocessors (Article 28(3)(d) and Article 28(4))
- Assist Customer with Data Subject requests (Article 28(3)(e))
- Assist Customer with security, breach notification, and impact assessments (Article 28(3)(f))
- Delete or return Personal Data upon termination (Article 28(3)(g))
- Make available information necessary to demonstrate compliance and allow audits (Article 28(3)(h))
11.4 Data Protection Impact Assessments
If Customer is required to conduct a Data Protection Impact Assessment (DPIA) under Article 35 GDPR, Relevant will provide reasonable assistance, including:
- Information about the nature, scope, context, and purposes of processing
- Description of security measures implemented
- Information about Subprocessors and data transfers
11.5 Consultations with Supervisory Authority
If Customer is required to consult with a supervisory authority under Article 36 GDPR (prior consultation), Relevant will provide reasonable assistance and information.
11.6 Supervisory Authority
The lead supervisory authority for matters under this DPA depends on Customer's establishment:
- If Customer is established in the EEA: The supervisory authority in Customer's primary establishment
- If Customer is not established in the EEA but offers goods/services to EEA data subjects: The Irish Data Protection Commission (unless otherwise agreed)
11.7 Standard Contractual Clauses
The Standard Contractual Clauses referenced in Section 8.2 form part of this DPA. In case of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
12. CCPA/CPRA-Specific Terms
This Section 12 applies only to the extent that the CCPA/CPRA applies to the processing of Personal Information under this DPA.
12.1 Roles
For purposes of CCPA/CPRA:
- Customer is a Business
- Relevant is a Service Provider (as defined in CCPA Section 1798.140(ag))
- Relevant is NOT a Third Party with respect to Personal Information processed under this DPA
12.2 Service Provider Obligations
Relevant certifies that it:
Does Not Sell or Share Personal Information: Relevant does not sell or share (as those terms are defined in CCPA) Customer's Personal Information to third parties.
Prohibited Uses: Relevant will not:
- Retain, use, or disclose Personal Information for any purpose other than providing the Services specified in the Agreement
- Retain, use, or disclose Personal Information outside the direct business relationship with Customer
- Combine Personal Information with Personal Information received from other sources (except as necessary to provide the Services)
Permitted Uses: Relevant may:
- Process Personal Information as necessary to provide the Services
- Use Personal Information for internal purposes that are reasonably necessary and proportionate to providing the Services
- Create de-identified or aggregated information, provided such information cannot be re-identified
Compliance: Relevant understands and will comply with the obligations of a Service Provider under CCPA Section 1798.140(ag)(2).
12.3 Consumer Rights Assistance
Relevant will assist Customer in responding to Consumer rights requests under CCPA/CPRA, including:
- Right to know what Personal Information is collected
- Right to delete Personal Information
- Right to correct inaccurate Personal Information
- Right to opt out of sale/sharing
- Right to limit use of Sensitive Personal Information
12.4 Sale/Sharing Prohibition
Relevant certifies that it does not and will not "sell" or "share" (as defined in CCPA) Personal Information processed under this DPA. Customer grants Relevant permission to disclose Personal Information to Subprocessors solely as necessary to provide the Services, which does not constitute a sale or sharing under CCPA.
12.5 Sensitive Personal Information
If Customer submits Sensitive Personal Information (as defined in CCPA Section 1798.140(ae)), Relevant will:
- Use and disclose such information only for permitted business purposes under CCPA Section 1798.121(a)
- Not use or disclose such information for purposes of inferring characteristics about Consumers
12.6 Subcontractors
Relevant may engage subcontractors (Subprocessors) to assist in providing the Services. Such subcontractors are also Service Providers bound by obligations similar to those in this Section 12.
12.7 Certification
Upon request, Relevant will provide Customer with a signed certification that it understands and will comply with the restrictions in California Civil Code Section 1798.140(w)(2)(A).
13. General Provisions
13.1 Relationship to Agreement
This DPA is incorporated into and forms part of the Agreement. In case of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict with respect to processing of Personal Data.
13.2 Amendments
This DPA may be amended only:
- By written agreement signed by authorized representatives of both parties, or
- By Relevant posting an updated DPA with at least 30 days' notice for non-material changes that maintain or enhance data protection
Material changes require Customer's affirmative consent.
13.3 Liability
Liability Cap: Each party's liability under this DPA is subject to the limitation of liability provisions in the Agreement, except:
- Liability under the Standard Contractual Clauses (if applicable) is governed by the terms of those Clauses
- Liability that cannot be limited or excluded by Applicable Data Protection Law
No Limitation: Limitations of liability do not apply to:
- Violations of this DPA caused by willful misconduct or gross negligence
- Breach of confidentiality obligations
- Infringement of Data Subjects' rights
- Violations mandating unlimited liability under Applicable Data Protection Law
13.4 Duration
This DPA remains in effect for as long as Relevant processes Personal Data on behalf of Customer, including any retention period after termination of the Agreement as described in Section 10.
13.5 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.
13.6 Governing Law and Jurisdiction
Governing Law: This DPA is governed by the same law as the Agreement, except to the extent Applicable Data Protection Law requires otherwise.
Jurisdiction: Disputes are subject to the dispute resolution provisions in the Agreement, except:
- Data Subjects may bring claims in accordance with Applicable Data Protection Law
- Supervisory authorities may exercise their powers as provided by law
- Standard Contractual Clauses (if applicable) are governed by their own dispute resolution provisions
13.7 Notices
Notices under this DPA shall be sent to:
To Customer: The contact email and address in the Agreement
To Relevant:
Relevant Labs, Inc.
131 Continental Dr, Suite 305
Newark, Delaware 19713
Email: privacy@getrelevant.ai
13.8 Language
This DPA is drafted in English. Any translation is for convenience only. In case of conflict, the English version controls.
13.9 Order of Precedence
In case of conflict, the following order of precedence applies:
- Standard Contractual Clauses (if applicable)
- This Data Processing Agreement
- The Master Service Agreement or Terms of Service
- Other policies and documentation
13.10 Survival
The following provisions survive termination or expiration:
- Section 4 (Security Measures) - for retained data
- Section 7 (Data Breach Notification) - for incidents during the term
- Section 9 (Audits) - for audits of the term
- Section 10 (Data Retention and Deletion)
- Section 13 (General Provisions)
13.11 Contact for Data Protection
For questions, concerns, or requests regarding this DPA or data protection:
Privacy Team:
Email: privacy@getrelevant.ai
Mail: Relevant Labs, Inc., Attn: Privacy Team, 131 Continental Dr, Suite 305, Newark, Delaware 19713
Data Protection Officer (if appointed):
[To be updated if/when appointed]
Appendix A: Standard Contractual Clauses
[The Standard Contractual Clauses (Module Two: Controller to Processor) as approved by European Commission Decision 2021/914 of June 4, 2021 are incorporated here by reference.]
Note: The full text of the Standard Contractual Clauses is available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Annexes to Standard Contractual Clauses:
Annex I: List of Parties
Data Exporter (Controller):
- Name: Customer (as identified in the Agreement)
- Address: As specified in the Agreement
- Contact: As specified in the Agreement
- Role: Controller
Data Importer (Processor):
- Name: Relevant Labs, Inc.
- Address: 131 Continental Dr, Suite 305, Newark, Delaware 19713
- Contact: privacy@getrelevant.ai
- Role: Processor
Annex II: Description of Transfer
Categories of data subjects: See Section 2.3 of this DPA
Categories of personal data: See Section 2.3 of this DPA
Sensitive data: None (unless Customer violates Section 3.3)
Frequency of transfer: Continuous during the term
Nature of processing: See Section 2.3 of this DPA
Purpose of processing: To provide the Services as described in the Agreement
Retention period: See Section 10 of this DPA
Subprocessors: See Section 5 of this DPA
Annex III: Technical and Organizational Measures
The technical and organizational measures implemented by Relevant are described in Section 4 of this DPA, which is incorporated by reference into this Annex III.
RELEVANT LABS, INC.
By: ___________________________
Name: _________________________
Title: _________________________
Date: _________________________
CUSTOMER
By: ___________________________
Name: _________________________
Title: _________________________
Date: _________________________
End of Data Processing Agreement