Data Processing Addendum

Last updated: October 16th, 2024.

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service available at: https://cimphony.ai/terms-of-service and Privacy Policy available at: https://cimphony.ai/privacy-policy (collectively, the “Agreement”) between Cimphony AI, Inc. (“cimphony”) and you (as defined in the agreement). cimphony and you have collectively deemed the “Parties”.

‍1. Subject Matter and Duration.

a) Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the processing of Your Personal Data in connection with cimphony’s execution of the agreement. All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the agreement, this Addendum shall control.

b) Duration and Survival. This Addendum will become legally binding upon the date that you accept and agree to the agreement. cimphony will Process Your Personal Data until the relationship terminates as specified in the agreement. cimphony’s obligations and your rights under this Addendum will continue in effect so long as cimphony. Processes Your Personal Data.

2. Definitions. For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

‍a) “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules, and regulations to which the Your Personal Data are subject. “Applicable Data Protection Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) principles and requirements.

b) “Your Personal Data” means personal data pertaining to you or your employees Processed by cimphony. The your personal Data and the specific uses of the Your Personal Data are detailed in Exhibit 1 attached hereto, as required by the GDPR.

c) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

d) “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).

e) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

f) “Processor” means a natural or legal person, public authority, agency or other body which Processes Your Personal Data on behalf of you subject to this Addendum.

g) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Personal Data Processed by cimphony.

h) “Third Party(ies)” means cimphony’s authorized contractors, agents, vendors, and third-party service providers that Process Your Personal Data.

‍3. Data Use and Processing.

‍a) Compliance with Laws. Your Personal Data shall be processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).

‍b) Documented Instructions. cimphony and its third Parties shall Process Your Personal Data only in accordance with your documented instructions or as specifically authorized by this Addendum or the Agreement. cimphony will unless legally prohibited from doing so, inform you in writing if it reasonably believes that there is a conflict between your instructions and applicable law or otherwise seeks to Process Your Personal Data in a manner that is inconsistent with your instructions.

‍c) Authorization to Use Third Parties. To the extent necessary to fulfill cimphony’s contractual obligations under the agreement, you hereby authorize

(i) cimphony to engage Third Parties and

(ii) Third Parties to engage subprocessors. Any Third Party Processing of your personal Data shall be consistent with your reasonable documented instruction and comply with all Applicable Data Protection Law(s).

‍d) cimphony and Third Party Compliance. cimphony agrees to (i) enter into a written agreement with Third Parties regarding such third Parties’ Processing of Your Personal Data that imposes on such third parties (and their sub-processors) data protection and security requirements for our Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to you for cimphony’s Third Parties’ (and their sub processors if applicable) failure to perform their obligations with respect to the Processing of Your Personal Data.

‍e) Right to Object to Third Parties. cimphony shall make available to you a list of Third Parties that Process Your Personal Data upon reasonable request. You may reasonably object to cimphony’s use of a new Third Part(ies) by notifying cimphony promptly in writing within ten business days after receipt of cimphony’s notice by updating this Addendum. If you have legitimate objections to the appointment of any new Third Party, the Parties will work together in good faith to resolve the grounds for the objection for no less than 30 days, and failing any such resolution; you may terminate the part of the service performed under the agreement that cannot be performed by cimphony without the use of the objectionable Third Party.

‍f) Confidentiality. Any person or Third Party authorized to Process Your Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.

‍g) Personal Data Inquiries and Requests. cimphony agrees to comply with all reasonable instructions from you related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request“). At your request and without undue delay, cimphony agrees to assist you in answering or complying with any Privacy Request in so far as it is possible.

‍h) Data Protection Impact Assessment and PriorConsultation. cimphony agrees to provide reasonable assistance at your expense to you where, in your judgment, the type of processing performed by cimphony is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

‍i) Demonstrable Compliance. cimphony agrees to keep records of its processing in compliance with Applicable Data protection law(s) and provide any necessary records to you to demonstrate compliance upon reasonable request.

‍4. Cross-Border Transfers of personal data.

‍a) Cross-Border Transfers of Personal Data. You authorize cimphony and its Third Parties to transfer Your Personal Data across international borders, including from the European Economic Area to the United States. Any cross-border transfer of Your Personal Data must be supported by an approved adequacy mechanism.

‍b) Standard Contractual Clauses. You and cimphony will use the European Commission Decision C(2010)593 Standard Contractual Clauses for controllers to Processors (“ModelClauses“) as the adequacy mechanism supporting the transfer and processing of Your Personal Data, the terms of which are herein incorporated by reference and made a part hereto. Under Appendix 1 of the Model Clauses, the “data exporter” is you and the “data importer” is cimphony, and the information required by Appendix 1 can be found in Exhibit 1. For the purposes of Appendix 2 of the Model Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 5 of this Addendum. Pursuant to clause 5(h) of the Model Clauses, you agree that cimphony may engage new Third Parties in accordance with Section(s) 3(c) – 3(e) of this Addendum. The Parties agree that the Illustrative Clause (Optional) is expressly not included in the ModelClauses. Each party’s agreement to this Addendum shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents.

‍5. Information Security Program.

a) cimphony agrees to implement appropriate technical and organizational measures designed to protect your Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Program”). Such measures shall be designed to include:

i)Pseudonymisation of Your Personal Data where appropriate, and encryption of your Personal Data in transit and at rest;

ii)The ability to ensure the ongoing confidentiality, integrity, availability of cimphony’s Processing and Your Personal Data;

iii) The ability to restore the availability and access to Your Personal Data in the event of a physical or technical incident;

iv) A process for regularly testing, assessing, and evaluating the effectiveness of cimphony’s Information Security Program to ensure the security of your personal Data from a reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

‍6. Security Incidents.

a) Security Incident Procedure. cimphony will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents, including procedures to

(i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of security Incidents, document Security Incidents, and their outcomes, and

(ii) restore the availability or access to Your Personal Data in a timely manner.

b) Notice. cimphony agrees to provide prompt written notice without undue delay and within the time frame required underApplicable Data Protection Law(s) (but in no event longer than 48 hours) to your Designated POC upon becoming aware that a Security Incident has taken place. Such notice will include all available details required under Applicable DataProtection Law(s) for you to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

‍7. Data Storage and Deletion.

‍a) Data Storage. cimphony will abide by the following with respect to the storage of Your Personal Data:

i) cimphony will not store or retain any of Your Personal Data except as necessary to perform the Services under the agreement.

‍ii) cimphony will

(i) inform you in writing of all countries where Your Personal Data is processed or stored and

(ii) obtain consent from you for processing or storage in the identified countries. As of the Effective Date, cimphony stores Your Personal Data in the following countries to which you hereby consents: United States.

‍b) Data Deletion. cimphony will abide by the following with respect to the deletion of Your Personal Data:

‍i) Within ninety (90) calendar days of the agreement’s expiration or termination, cimphony will securely destroy(per subsection (iii) below) all copies of Your Personal Data (including automatically created archival copies).

ii) Upon your request, cimphony will promptly return you a copy of all Your personal data within 30 calendar days and, if you also request deletion of your personal Data, will carry that out as set forth above.

‍iii) All deletion of Your Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.

‍iv) Tapes, printed output, optical disks, and other physical media will be physically destroyed by a secure method, such as shredding performed by a bonded provider. Upon your request, cimphony will provide evidence that cimphony has deleted all your personal data. cimphony will provide the “Certificate of Deletion” within 30 calendar days of your request.