MES Data Protection Addendum

This StudioC Data Protection Addendum (Addendum) supplements the StudioC Services Terms of Service (Terms) between TheStudio C, LLC (StudioC) and you, the person or organization to whom StudioC has agreed to provide certain services, software and content (Offerings) pursuant to an order of yours that StudioC has accepted (Order). This Addendum forms a part of the Terms. If there is any conflict between this Addendum and the Terms, this Addendum will prevail to the extent of the conflict.

1. Definitions. The following terms shall have the meanings set out below.

1.1. The term “Applicable Data Privacy Law” means all laws and regulations that apply to a party’s processing of personal information in connection with the provision or receipt of Offerings, including the California Consumer Privacy Act of 2018 (“CCPA”), the General Data Protection Regulation (EU 2016/679) (“GDPR”), and any other substantially similar data protection laws.

1.2. The term “personal information” means information about an identified or identifiable individual (the “data subject”), and includes information protected as “personal information”, “personal data” or any analogous term by Applicable Data Privacy Law.

1.3. A “controller”, with respect to certain personal information, means an entity that determines the purposes and means of processing of the personal information.

1.4. A “processor”, with respect to certain personal information, means an entity that processes the personal information on behalf of, and pursuant to the instructions, of a controller of the personal information.

1.5. To “process” data means to perform any operation or set of operations on the data, including collecting, using, storing and disclosing it.

1.6. “Received Personal Information” means any personal information that StudioC receives from you or your representatives, or on your or your representatives’ behalf, in connection with StudioC’s provision of Offerings.

1.7. “Your Account Data” means personal information that relates to your relationship with StudioC, including your or your representatives’ names, contact information, billing information, and information about your and their use of StudioC’s online services, and includes personal information described in StudioC’s Privacy Statement.

2. The Obligations of the Parties. Depending on the Offerings that StudioC provides, StudioC acts as either a controller or processor with respect to the Received Personal Information. By default, StudioC acts as a processor with respect to all Received Personal Information, but in the cases of certain Offerings specified here or in an Order, StudioC shall provide such Offerings on an independent controller basis. StudioC also acts as a controller with respect to Your Account Data. Wherever StudioC acts as a controller, the provisions set forth in Section 3 below shall apply. Wherever StudioC acts as a processor, the provisions set forth in Section 4 below shall apply. Regardless of whether StudioC acts as a controller or processor, Section 5 below shall apply to you and StudioC.

3. Terms that Apply where StudioC is a Controller. Wherever StudioC acts as a controller with respect to Received Personal Information, StudioC will process the personal information in accordance with Applicable Data Privacy Law and all privacy notices and privacy policies that StudioC has provided to the data subjects of the personal information explaining the circumstances and manner in which StudioC processes their personal information. With regards to any transfers of personal information under this Addendum from the United Kingdom, Switzerland or European Economic Area to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Privacy Law, the personal information will be transferred, and StudioC will process the personal information (other than Your Account Data, which StudioC will process in accordance with Applicable Data Privacy Law) in accordance with the Standard Contractual Clauses for controller-to-controller transfers approved by the European Commission in decision 2004/915/EC, which are hereby incorporated by reference. Details required under the Standard Contractual Clauses’ Annex B are set forth in Exhibit 1 to this Addendum.

4. Terms that Apply where StudioC is a Processor. Wherever StudioC acts as a processor with respect to Received Personal Information, StudioC will comply with the following obligations with respect to the personal information.

4.1. General Limitation. StudioC will only process the personal information on your documented instructions or as permitted or required by Applicable Data Privacy Law. Without limiting the generality of the foregoing, StudioC agrees that it will not sell any of the personal information, as the term “sell” is defined in the CCPA, and will not, except as permitted or required by applicable laws and regulations, collect, retain, share, disclose, or use any of the personal information: (i) for any purpose other than for the specific purpose of providing the Offerings that StudioC agreed to provide in your Order in respect of which StudioC acts as a processor; or (ii) outside the direct business relationship between you and StudioC. You agree that your Order, the Terms, and any other contracts between you and StudioC form part of your documented instructions to us to process the personal information. The subject matter and details of the processing are described in Exhibit 3 to this Addendum. If applicable laws and regulations require StudioC to process the personal information in a manner different from your documented instructions, StudioC will inform you of that legal requirement before proceeding with the processing, to the extent permitted by applicable law.

4.2. Subcontractors and Locations of Processing. As long as StudioC performs the following actions in compliance with Applicable Data Privacy Law and this Addendum, you authorize StudioC to: (i) subcontract its obligations to process the personal information to any subcontractor of StudioC’s choosing; and (ii) process the personal information or arrange to have the personal information processed in any jurisdiction. StudioC will impose data protection terms on any such subcontractor to the standard required by Applicable Data Privacy Law. StudioC will provide you with information about the identity and location of its subcontractors and any intended changes to such subcontractor arrangements on your request at reasonable intervals. StudioC shall remain liable to you for any failure by a subcontractor to fulfill its data protection obligations hereunder.

4.3. Confidentiality. StudioC will ensure that persons authorized to process the personal information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such personal information.

4.4. Data Subject Rights Assistance. If an individual makes a written request to StudioC purporting to exercise their rights under Applicable Data Privacy Law in relation to the personal information, StudioC shall forward the request to you without undue delay and you agree to address the request in accordance with Applicable Data Privacy Law. On your written request, StudioC will provide you with reasonable assistance (at your expense if doing so would require StudioC to assign significant resources to such effort) to assist you in complying with your obligations with respect to the request under Applicable Data Privacy Law.

4.5. Impact Assessments and Consultations. StudioC will provide you with reasonable assistance (at your expense if doing so would require StudioC to assign significant resources to such effort) in connection with any data privacy or protection impact assessment or consultations with regulatory authorities that you may be required to undertake in accordance with Applicable Data Privacy Law.

4.6. Security Incident Notification. If StudioC discovers or reasonably believes that the personal information has been subject to accidental or unlawful destruction, loss or alteration, or unauthorized access, use or disclosure resulting from a breach of security measures (collectively, a “Security Incident”), StudioC will, to the extent permitted by applicable law, notify you without undue delay, and in any case no later than required under Applicable Data Privacy Law. StudioC will make reasonable efforts to mitigate the cause of the Security Incident and provide reasonable assistance to you in the event that you are required under Applicable Data Privacy Law to notify a regulatory authority or any relevant data subjects of the Security Incident.

4.7. Return or Deletion of Personal Information. StudioC will delete or return to you the personal information after the end of the provision of the relevant Offerings, and delete existing copies of the personal information unless applicable laws and regulations require further storage of the personal information.

4.8. Demonstrating Compliance. StudioC plans to engage third-party security professionals at its own expense to assess StudioC’s security measures with respect to its processing of the personal information. Such assessments may result in the generation of a confidential audit report (“Audit Report”). On your written request at reasonable intervals, StudioC will make available to you a copy of StudioC’s most recent Audit Report subject to reasonable confidentiality controls. You agree that receiving a copy of the Audit Report will satisfy any audit or inspection rights you may have under Applicable Data Privacy Law (including, where applicable, Article 28(3) of the GDPR or Clauses 5(f) and 12(2) of the Standard Contractual Clauses for controller-to-processor transfers approved by the European Commission in decision 2010/593/EU). StudioC shall promptly inform you if, in its opinion, an instruction infringes Applicable Data Privacy Law.

4.9. Application of Standard Contractual Clauses. With regard to transfers of personal information under this Addendum from the United Kingdom, Switzerland or European Economic Area to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Privacy Law, you and StudioC agree that the Standard Contractual Clauses for controller-to-processor transfers approved by the European Commission in decision 2010/593/EU, shall apply and are hereby incorporated by reference. Details required under the Standard Contractual Clauses’ Appendices 1 and 2 are set forth in Exhibit 2 to this Addendum.

4.10. De-identified Data. StudioC may de-identify Received Personal Information and may use De-identified Data (as defined below) for the purpose of creating ideas that will improve performance and effectiveness of the present and future services, products and software provided by StudioC, to provide customized reporting and analysis such as developing attributes and algorithms, evaluating trends, and generating aggregate benchmarks. “De-identified Data” as used herein means data or information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual. For the avoidance of doubt, when data or information is “De-identified” it would not include the following identifiers (whether of the individual or his/her relatives, household members, or employers): names, geographic subdivisions smaller than state/province (including zip/postal code), all elements of birth dates except year, telephone numbers, email addresses, social security numbers or other government identifiers, account numbers, internet protocol addresses, biometric identifiers, full face photos and comparable images, and any unique identifying numbers, characteristics or codes. Among other things, StudioC will make no attempt to reidentify such information and will implement: (i) technical safeguards that prohibit reidentification of the individual to whom the information may pertain; (ii) business processes that specifically prohibit reidentification of the information; and (iii) business processes that prevent inadvertent release of de-identified information.

5. General Obligations. Regardless of whether StudioC acts as a controller or processor with respect to Received Personal Information, you and StudioC agree to the following provisions.

5.1. Your Processing of Received Personal Information. You represent, warrant and agree that: (i) all Received Personal Information has been collected, processed and transferred to StudioC in accordance with Applicable Data Privacy Law; and (ii) your instructions relating to StudioC’s processing of Received Personal Information will not cause StudioC to violate any applicable law or regulation, including Applicable Data Privacy Law. Without limiting the generality of the foregoing, you agree that you have provided all necessary notices and obtained all necessary consents from data subjects as required under Applicable Data Privacy Law before providing their personal information to StudioC in connection with the receipt of Offerings from StudioC. You shall defend, indemnify and hold harmless StudioC and its affiliates, and all of their officers, directors, employees, shareholders, legal representatives, agents, successors and assigns, from and against any and all claims, liabilities, suits, demands,

damages, losses, judgments, fines, penalties, interest, costs and expenses (including reasonable attorneys’ fees and professional and court costs) arising from or relating to any breach of this section by you, or any act or omission of yours, or your employees or contractors, in activities arising from or relating to Received Personal Information. StudioC reserves the right to terminate all Offerings where it reasonably believes that you have contravened or will contravene this section 5.

5.2. No Consideration. You and StudioC agree that StudioC does not receive any Received Personal Information as consideration for any services or other items that it provides to you.

5.3. Security. You and StudioC shall implement reasonable and appropriate technical, physical and organizational security measures in relation to the processing of Received Personal Information, including but not limited to those required under Applicable Data Privacy Law.

5.4. Updates. StudioC may update the terms of this Addendum, including where necessary to: (i) comply with updates to Applicable Data Privacy Law; (ii) reflect changes resulting from a merger, acquisition, or other similar transaction; or (iii) address StudioC’s release of new products or services or material changes to any existing Offerings. StudioC will provide you with prior notice of such updates as required by applicable laws and regulations.

Last Revised: January 22, 2021

Exhibit 1 – Annex B to the 2004 Controller-to-Controller Standard Contractual Clauses
The terms used herein shall have the same meaning as the defined terms in the StudioC Data Protection Addendum.

Data Subjects
The personal data transferred concern data subjects located in the United Kingdom, Switzerland and/or the European Economic Area of Received Personal Information that StudioC processes as a controller in connection with providing certain Offerings requested on your Order.

Purposes of the Transfer(s) You transfer the relevant Received Personal Information to enable StudioC to provide certain Offerings requested on your Order.

Categories of data The personal data transferred concern categories of data that you would transfer to StudioC for the purposes of StudioC providing the Offerings requested on your Order. Some or all such categories of personal data may be listed in the relevant privacy notice or other documentation that StudioC provides to data subjects in connection with providing the corresponding Offering.

Recipients StudioC may disclose personal data to the following categories of recipients in the following situations, as permitted or required by applicable law:

• Service providers. StudioC may share the personal data transferred with affiliated and unaffiliated service providers, as necessary to provide services to StudioC, subject to confidentiality and data protection agreements.

• In connection with a sale or similar transaction. StudioC may provide personal data transferred to a potential or actual buyer in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of StudioC’s business, assets, or stock (including in connection with any bankruptcy or similar proceedings), including any due diligence related to such a transaction.

• For legal reasons. StudioC may share personal data transferred with law enforcement authorities, courts, legal counsel and other appropriate recipients in this context for legal reasons as StudioC believes to be necessary or appropriate to: (a) satisfy any applicable law, legal process, or proper governmental request; (b) enforce any agreement StudioC may have entered into with the data subject; (c) detect, prevent, or otherwise address fraud, security or technical issues; (d) protect against harm (whether tangible or intangible) to the rights, property or safety of StudioC, its users or the public as required or permitted by law; and (e) establish or exercise StudioC’s rights, defend against a legal claim, and investigate, prevent or take action regarding possible illegal activities or a violation of StudioC’s policies.

• Other categories of recipients with the data subject’s consent.

Sensitive Data The personal data transferred concern categories of sensitive data that you would transfer to StudioC for the purposes of StudioC providing the Offerings requested on your Order. Some or all such categories of personal data may be listed in the relevant privacy notice or other documentation that StudioC provides to data subjects in connection with providing the corresponding Offering.

Data protection registration information of data exporter (where applicable)
Not applicable

Additional useful information (storage limits and other relevant information)
Please refer to the StudioC Services Terms of Service, your Order, and the StudioC Data Protection Addendum.

Contact points for data protection enquiries
Data importer (StudioC, LLC): Please refer to StudioC’s Privacy Statement. Data exporter (you): Please refer to your Order.

Exhibit 2 – Appendices to the 2010 Controller-to-Processor Standard Contractual Clauses

Appendix 1 to the 2010 Controller-to-Processor Standard Contractual Clauses This Appendix forms part of the Clauses and must be completed and signed by the parties. The terms used herein shall have the same meaning as the defined terms in the StudioC Data Protection Addendum. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. The terms used herein shall have the same meaning as the defined terms in the StudioC Data Protection Addendum.

Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer): You. Please refer to your Order.

Data importer
The data importer is (please specify briefly activities relevant to the transfer): StudioC, LLC. Please refer to StudioC’s Entity Representative Privacy Statement and your Order.

Data subjects
The personal data transferred concern the following categories of data subjects (please specify): The personal data transferred concern data subjects located in the United Kingdom, Switzerland and/or the European Economic Area of Received Personal Information that StudioC processes as a processor in connection with providing certain Offerings requested on your Order.

Categories of data
The personal data transferred concern the following categories of data (please specify): The personal data transferred concern categories of data that you would transfer to StudioC for the purposes of StudioC providing the Offerings requested on your Order.

Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): The personal data transferred concern categories of sensitive data that you would transfer to StudioC for the purposes of StudioC providing the Offerings requested on your Order.

Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): StudioC will process the personal data transferred to provide the Offerings requested on your Order with respect to which StudioC acts as a processor.

Appendix 2 to the 2010 Standard Contractual Clauses Controller-to-Processor
This Appendix forms part of the Clauses and must be completed and signed by the parties. Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Exhibit 3 – Details of Processing