Data Processing Addendum

Last updated: Oct 3, 2025

Data Processing Agreement

This Data Processing Agreement ("Data Processing Agreement") is entered into on the (last) day of signing by and between:

1. [insert full company name], with registered office in [insert address and country] and with company registration number [insert company registration number] ("Data Controller"); and

2. Solace Care, with registered office at Luntmakargatan 26, 111 37 Stockholm, Sweden, and with company registration number 559519-7079 (the "Data Processor");

hereinafter referred to as the Party or Parties.

BACKGROUND

1. The Data Controller determines the purposes and means of the Processing of Personal Data (as defined below).

2. The Parties have entered into a service agreement. In connection with the provision of the Service, the Data Processor will process Personal Data on behalf of the Data Controller. The Parties have agreed to provide the Services (as defined below) on the terms set out in the Service Agreement (as defined below).

3. The Parties wish to supplement the Service Agreement with this Data Processing Agreement in order to formalize the terms and conditions that apply to the Processing of Personal Data.

4. The purpose of this Data Processing Agreement is to ensure adequate safeguards to protect privacy and to ensure that the Processing of Personal Data

1. AGREEMENT

1. In addition to the main part of the agreement, this Data Processing Agreement also contains the following documents:

Annex 3.1 Instructions for Treatment

Annex 3.2 Technical and organisational security measures

Appendix 3.3 Subcontractors

2. If any provision of this Data Processing Agreement is inconsistent with any of the terms and conditions of the Services Agreement, the provisions of this Data Processing Agreement shall prevail. Capitalized terms not defined herein (if any) have the meanings set forth in the Service Agreement.

2. DEFINITIONS

1. Terms that have a definition in the EU's General Data Protection Regulation, GDPR, shall have the meaning set out in the Regulation in this Agreement.

2. In this Data Processing Agreement, the terms set out below have the following meanings:

| Term | Definition |
| --- | --- |
| Applicable law | Any laws and regulations applicable to the Processing of Personal Data under this Data Processing Agreement and the Services Agreement, such as, but not limited to, the GDPR. |
| Approved purpose | The Processor's Processing of Personal Data in accordance with this Processor Agreement on behalf of the Controller (i) as necessary to fulfil the purpose of the Service Agreement or (ii) as otherwise defined in writing by the Controller's Contact Person from time to time; |
| Approved subcontractors | All subcontractors listed in Annex 3.1; |
| Contract | the Service Agreement for the provision of certain professional services by the Processor to the Controller entered into between the Parties on the date specified in Appendix 3.1; |
| Data Controller | An entity that determines the purposes and means of the processing of Personal Data. |
| Data Processor | An entity that processes Personal Data on behalf of a Data Controller. |
| Data Processing Agreement (DPA) | This Data Processing Agreement – including any subsequent amendments thereto – which includes the terms of the main body of this document, together with the appendices and any annexes and any documents expressly incorporated by reference |
| Data Subject | The identified or identifiable natural person who is the subject of Personal Data. |
| GDPR | EU General Data Protection Regulation (Regulation (EU) 2016/679); |
| Personal Data | any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data. |
| Services | The Services to be provided by the Data Processor under the Service Agreement; |
| Standard Contractual Clauses | EU Model Clauses, the EU-approved (Decision 2010/87/EU) Standard Contractual Clauses for the transfer of Personal Data from Data Controllers to Data Processors established in third countries outside the European Economic Area where data protection rules are considered inadequate, including any instruments approved by the European Commission that replace or succeed such contractual clauses; |


3. GENERALLY

1. This Data Processing Agreement governs the Data Processor's Processing of Personal Data on behalf of the Data Controller in order to perform its Services under the Service Agreement. The Data Processor shall only Process the Personal Data for the Approved Purpose and in accordance with Applicable Law, this Data Processing Agreement and the Service Agreement. The Data Processor shall immediately inform the Data Controller if it considers that an instruction is in conflict with Applicable Law.

2. The Data Controller retains formal control and ownership of the Personal Data. The Data Processor shall have no other rights in or to the Personal Data other than the non-exclusive, revocable and time-limited right to Process the Personal Data for the Approved Purpose.

3. There shall be no fees or costs in connection with the Data Processor's performance of its obligations under this Data Processing Agreement other than the fees for the Services set out in the Service Agreement or any special service addendums/appendices attached to it.


4. APPROVED LOCATIONS FOR THE PROCESSING

The Data Processor shall only Process the Personal Data for the Approved Purpose. Processing of Personal Data for any other purpose is prohibited and will be considered a violation of this Data Protection Agreement and the Service Agreement.


5. APPROVED LOCATIONS FOR THE TREATMENT

1. The processing of the Personal Data may only take place in technical environments controlled by the Data Controller, the Data Processor and/or Approved Subcontractor within the Approved Territory.

2. If Personal Data is accessible from a location, this is considered a transfer of Personal Data to such location. Personal data must not be accessible in locations outside the Authorised Territory.


6. ASSISTANCE

1. The Data Processor shall, without undue delay, assist the Data Controller and ensure that the Data Processor's subcontractor assists the Data Controller in responding to or providing information to Data Subjects and national supervisory authorities, regarding the Processing carried out by the Data Processor and its Authorised Subcontractors on behalf of the Data Controller. The Data Processor shall provide such information and support as the Data Controller reasonably requests in order for the Data Controller to comply with Applicable Legislation and notices from relevant authorities.

2. The Data Processor shall assist the Data Controller in complying with Chapter 3 of the GDPR, in particular:

* Correct or delete inaccurate Personal Data;

* Provide a copy of the Personal Data stored in any form of recovery or storage facility held or controlled by the Data Processor or any Authorised Subcontractor;

* Provide information about the Processing of Personal Data;

* Assist in any request or notice, or anticipated request or notice, from or on behalf of a Data Subject or the national supervisory authorities, in relation to Personal Data; and

* Otherwise provide all appropriate support to the Controller necessary for the Controller to comply with its legal obligations, such as Articles 32-36 GDPR, and take appropriate technical and organisational measures to provide such support.


7. USE OF SUBCONTRACTORS

1. The Data Processor may only use a subcontractor that is an Approved Subcontractor to perform tasks under this Data Processing Agreement on its behalf. The Data Processor shall in the Sub-Processor Agreement mentioned in section 7.2 ensure that all Processing of Personal Data carried out by an Approved Subcontractor meets the requirements set out in this Processor Agreement. This includes, but is not limited to, verifying that the security measures implemented by an Authorised Subcontractor ensure at least a level of protection equivalent to that required of the Data Processor under this Data Processing Agreement.

2. The Data Processor shall ensure that a Sub-Processor Agreement is entered into between the Data Processor and an Approved Subcontractor before such an Approved Subcontractor Processes Personal Data. The agreement(s) on the Processing of Personal Data shall ensure that such Approved Subcontractor is subject to requirements that are at least as stringent and that provide the Data Controller and the Data Subjects with a minimum equivalent level of protection as the requirements imposed on the Data Processor under this Processing Agreement and Applicable Legislation regarding its Processing Activities.

3. The Processor shall inform the Controller of any planned changes relating to the addition or change of subcontractor and shall give the Controller thirty (30) days' notice to give the Controller the opportunity to object to such changes. If the Data Controller objects to such changes, the relevant subcontractor shall not participate in the Processing of Personal Data on behalf of the Data Controller.

4. The Controller may revoke one or more authorisations issued for use by a particular Authorised Subcontractor. In such cases, the Data Controller shall provide an explanation to the Data Processor with the reason for the withdrawal. To the extent that the withdrawal prevents the Data Processor from delivering the Service, the Parties shall discuss in good faith which alternative solutions and/or subcontractors can be used to continue providing the Service.

8. PROCESSING OF PERSONAL DATA IN CERTAIN JURISDICTIONS

1. If the Processing of Personal Data does not take place

a. within the European Economic Area, or

b. in a territory designated by the European Commission as an area guaranteeing an adequate level of protection;

such Processing of Personal Data shall be carried out in accordance with applicable EU model contracts for the transfer of Personal Data to third countries (Standard Contractual Clauses). If the Controller authorizes a transfer to a country outside of a. or b. above, or authorizes access to Personal Data from a country outside of a. or b. above, the Parties shall enter into the EU SCC prior to such transfer or access. If such transfer involves the transfer of Personal Data to an Approved Subcontractor, the Processor shall ensure that the terms of the SCC are imposed on such Approved Subcontractor by requiring the Approved Subcontractor to sign the terms of the SCC with the Controller as an "Exporter of Personal Data" under the SCC prior to such transfer or access.

2. The Data Controller hereby gives its approval to allow the Data Processor to enter into SCC agreements with relevant Approved Subcontractors on behalf of the Data Controller for the above-mentioned purposes.

3. For the avoidance of doubt, the requirement to ensure that the Authorised Subcontractor enters into an agreement for the Processing of Personal Data using the SCC Agreements when required under this Section 8 does not relieve the Processor of its obligations under Section 7, including, but not limited to, the obligation to ensure that the security measures put in place by the relevant Authorised Subcontractor offer the Controller and Data Subjects at least an equivalent level of protection as the requirements imposed on the Data Processor under this Data Processing Agreement.

9. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

1. The Data Processor shall perform its obligations and actions under this Data Processing Agreement with all due skill, care and accuracy. The Data Processor shall use technical and organizational security measures appropriate to prevent damage that may arise from unauthorized or unlawful Processing, loss, destruction, damage, alteration or disclosure of Personal Data, taking into account the nature of the Personal Data to be protected.

2. Appendix 3.2 "Technical and organisational security measures" further provides instructions regarding technical and organisational security measures.

10. CONFIDENTIALITY

1. The Data Processor shall ensure that it and its employees as well as the subcontractors and their employees keep all Personal Data confidential and that the Personal Data is only accessible to the Data Processor's employees on the basis of the need for information. The Data Processor shall in particular ensure that all personnel involved in the Processing of Personal Data have undergone training.

2. The Personal Data shall be considered confidential information of the Data Controller and, in addition to the terms of this Data Processing Agreement, shall be treated as confidential in accordance with the confidentiality obligations agreed between the Parties in the Service Agreement or otherwise.

3. The confidentiality obligations set out in this Section 10, including the obligation of employees, consultants, etc., to keep the Personal Data confidential, shall continue to apply even after this Data Protection Agreement expires or is terminated.

11. REVISION

1. The Data Controller is entitled, after informing the Data Processor at least ten (10) business days in advance, to review the Data Processor's (and any subcontractors') compliance with this Data Processing Agreement. If the Data Controller reasonably suspects a Personal Data Breach, a notice period of at least twenty-four (24) hours shall apply. The Data Processor shall provide all information required to demonstrate compliance with this Data Processing Agreement. If an audit (or other circumstance) shows that this Processing Agreement is not complied with, the Data Processor shall correct this.

2. The parties shall bear their own costs in connection with audits conducted or mentioned in this Section 11.

12. REPORTING A PERSONAL DATA BREACH

1. If the Data Processor suspects or becomes aware of a Personal Data Breach, the Data Processor shall, without undue delay (and in any event no later than forty-eight (48) hours after becoming aware of it), notify the Data Controller thereof by sending an email to the customer's specified contact person in the Service Agreement. The Data Processor is obliged to cooperate in remedying the problem as soon as it is reasonable and practicable. The notice shall, where such information is available, contain the following information:

1. Description of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned, a summary of the event that caused the Personal Data Breach, the date and time of the relevant event, and the nature and content of the Personal Data concerned, as well as the physical nature of the breach and the storage media concerned;

2. Description of the nature of the Personal Data Breach (e.g., loss, theft, copying);

3. Description of the likely consequences and potential risk that the Personal Data Breach may have for the Data Subject(s) concerned;

4. Description of the measures proposed or taken by the Data Processor and/or an Approved Subcontractor, as applicable, to manage and mitigate the effects of the Personal Data Breach;

5. Contact details for the Data Processor's Data Protection Officer or other Contact Person.

2. Depending on the nature of the Personal Data Breach, the Data Controller may be required to report to the data protection authority in the country in which it is located. The Data Processor shall therefore, at the request of the Data Controller, provide any other information that the Data Controller reasonably requests in order to comply with the relevant data protection legislation and/or requests from the Data Protection Authority.

13. OTHER REPORTS

1. The Data Processor shall, without undue delay, forward a Data Subject's request for access to his/her Personal Data to the Data Controller. The Data Processor shall refer all queries from Data Subjects to the Data Controller and shall provide the Data Controller with reasonable assistance as it may require in relation to such complaint.

2. The Processor shall notify the Controller without undue delay if it receives a request from a data protection authority or other governmental body requiring the Processor or any of its Authorised Subcontractors to provide the Data Protection Authority or other governmental body with access to the Controller's Personal Data. Such notice shall, if possible, and to the extent permitted by Applicable Law, be provided before the Data Processor discloses the data.

3. If any law, regulation, authority or regulatory body requires the Processor to retain documents or material that it would otherwise be required to return or destroy under Section 17, it shall, to the extent permitted by law, notify the Controller in writing and provide details of the documents or material it is required to keep. The Data Processor shall not violate Section 17 with respect to the retained documents or materials, but Section 10 shall continue to apply to them.

14. VALIDITY PERIOD

1. This Data Processing Agreement enters into force on the date of (last) signing and will remain in force for as long as the Data Processor or Approved Subcontractors Process or have access to the Personal Data (Term).

15. BREACH

1. Any non-compliance with the requirements of this Data Processing Agreement shall be considered a breach of contract on the part of the Data Processor. The Data Processor shall ensure that all breaches are remedied as soon as possible. The Data Processor shall continuously update the Data Controller on developments and document all measures taken to remedy the non-compliance.

2. Notwithstanding the above, the Data Controller may with immediate effect instruct the Data Processor, for the avoidance of doubt, including any Approved Subcontractors, to suspend or terminate all further Processing of the Personal Data when a breach of this Data Processing Agreement occurs.

3. Each Party shall be liable for any administrative fines imposed on it by a data protection authority or a court of competent jurisdiction due to that Party's failure to comply with its obligations under Applicable Law or to otherwise Process Personal Data in violation of Applicable Law or this Data Processing Agreement. However, if the Data Controller is fined due to the Data Processor having violated Applicable Law or this Data Processing Agreement, the Data Processor shall compensate the Data Controller for this cost and for all related damages, losses or expenses. Such compensation is not subject to the amount limits stipulated in Section 14 of the Service Agreement.

4. The liability towards a Data Subject who has suffered damage as a result of a breach of the GDPR shall be shared between the Data Controller and the Data Processor in accordance with Article 82 GDPR.

16. RETURN OR DELETION OF DATA

1. Upon termination of the Service Agreement, the Data Processor shall delete all Personal Data that has been processed on behalf of the Data Controller and certify to the Data Controller that this has been done, unless Union or Member State law requires that the Personal Data be stored. Alternatively, the Data Processor shall, upon instruction from the Data Controller, return Personal Data in an appropriate standard format to the Data Controller and/or a third party provider.

17. VALIDITY PERIOD AND TERMINATION, ETC.

1. This Data Processing Agreement shall remain in full force for as long as the Data Processor (or any subcontractor) Processes Personal Data on behalf of the Data Controller or until it is replaced by a new Data Processing Agreement. No amendment to this Data Processing Agreement shall be valid unless it is made in writing and signed by authorized representatives.

2. Personal data may not be stored for longer than is necessary to fulfil the original purpose of the Processing in accordance with this Data Protection Agreement. The Data Processor shall follow the processes and procedures for successive deletion of data set out in Appendix 3.1.

3. The Data Processor has the right to delete the Personal Data thirty (30) days after the Service Agreement has expired or been terminated. The Data Controller has the right to request an extension of this Data Processing Agreement for the Processing of Personal Data for as long as this is necessary to protect the obligations and rights of the Data Controller and/or the Data Subjects.

18. DISPUTE RESOLUTION

1. Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or invalidity thereof, shall be resolved in accordance with the terms of the Service Agreement.


ANNEX 3.1 - INSTRUCTIONS FOR TREATMENT

Personal Data to Be Processed


Personal data of the following categories will be Processed.


| Processing of personal data | Purpose | Categories of personal data | Categories of data subjects | Storage/storage time |
| --- | --- | --- | --- | --- |
| Basic User Profile | To provide users with an account and personalisation. | Name, and other personal data Sensitive personal data: | User | 2 Years |
| Legacy Planning | Users can upload documents and fill in information related to their legacy planning that would benefit their family members to know about after death. | Users uploaded documents and information regarding their legacy planning. | User | 10 Years |
| Loss Support | Users get access to a checklist with tasks to complete. | User progress in checklist. | User | 2 Years |
| AI Chat support | To provide AI features to guide users through the content. | Chat logs in text. | Users | 30 Days. |
| Family Sharing | Users can share platform access to their personal data to selected users. Collaborate in uploading information to the platform. | Name and Email. | Family Members | 2 Years |
| Beneficiary Contact information | Users can define beneficiaries that can claim the legacy planning data after the user passed away. | Name and Email. | Beneficiaries | 10 Years |


ANNEX 3.2 - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES


The Data Processor shall take appropriate technical and organisational measures to protect the Personal Data in such a way that the processing complies with the requirements of the Data Protection Legislation and ensures that the rights of the data subjects under the Data Protection Legislation are protected.


The Data Processor assures and guarantees measures that provide an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing, as well as the likelihood and seriousness of the risks to the rights and freedoms of the Data Subjects. Where necessary, the measures shall include:


1. Measures of pseudonymization and encryption of personal data.


Solace maintains Customer Data in an encrypted format at rest using Advanced Encryption Standard and in transit using TLS 1.2 or higher.


1. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.


Solace commits to strict confidentiality obligations. Additionally, Solace requires every subcontractor to sign confidentiality provisions.


1. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.


Solace performs regular backups of Customer Data, which is hosted in AWS data centers. Backups are retained across multiple regions and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).


1. Processes for regular testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of processing.


Solace maintains a risk-based assessment security program. The framework for Solace’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Solace’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Solace’s business operations.


1. Measures for user identification and authorization.


Solace employees are required to use unique user access credentials and passwords for authorization. Multi-factor authentication is required throughout the system. Solace follows the principles of least privilege through role-based and time-based access models when provisioning system access. Solace personnel are authorized to access Customer Data based on their job function, role, responsibilities, and seniority. Access is promptly removed upon role change or termination.


1. Measures for the protection of data.


Customer Data is encrypted when in transit between the Customer and Solace using TLS 1.2 or higher. Customer Data is stored encrypted using the Advanced Encryption Standard.


1. Measures for ensuring physical security of locations at which personal data are processed.


Solace headquarters and office spaces have a physical security program to monitor the overall office security.


The Services operate on Amazon Web Services (“AWS”) and Google Cloud (“GCS”) and are protected by the security and environmental controls of Amazon and Google, respectively.


Further information about AWS security is available at [aws.amazon.com/security/](https://aws.amazon.com/security/) and [aws.amazon.com/security/sharing-the-security-responsibility/](http://aws.amazon.com/security/sharing-the-security-responsibility/). For AWS SOC Reports, please see [aws.amazon.com/compliance/soc-faqs/](https://aws.amazon.com/compliance/soc-faqs/). Detailed information about GCS security is available at [cloud.google.com/docs/tutorials#security](https://cloud.google.com/docs/tutorials#security).


1. Measures for ensuring systems configuration, including default configuration.


Solace relies on infrastructure-as-code processes and internally developed modules to ensure uniform and repeatable systems configuration throughout the infrastructure. An elaborate change management process ensures every change is reviewed by domain experts before rollout. Additionally, automated processes are in place to validate adherence to best practices and scan for vulnerabilities or other potential security threats.


1. Measures for internal IT and IT security governance and management.


Solace maintains a risk-based assessment security program. The framework for Solace’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.


Solace’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Solace’s business operations.


Security is managed at the highest levels of the company, with the Chief Technology Officer and Chief Executive Officer meeting regularly to discuss issues and coordinate security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Solace employees for their reference.


1. Measures for certifications/assurance of processes and products.


Solace conducts third-party audits to attest compliance with the security framework and annual application penetration testing. Solace security controls and processes are set in accordance with the ISO27001:2022 certification.


1. Measures for ensuring data minimization.


Solace operates under a strict data minimisation principle balanced with the obligations arising from the regulated nature of the service provided.


1. Measures for ensuring limited data retention.


Solace operates under a strict data retention principle balanced with the obligations arising from the regulated nature of the service provided.


1. Measures for ensuring accountability.


Solace has adopted measures for ensuring accountability, such as implementing data protection policies across the business, maintaining documentation of processing activities, recording and reporting Security Incidents involving Personal Data.


1. Measures for allowing data portability and ensuring erasure.


Solace will provide assistance to the Customer as may reasonably be required under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability, and objection).


1. For transfers to subcontractors, also describe the specific technical and organisational measures to be taken by the subcontractor to be able to provide assistance to the controller and, for transfers from a processor to a subcontractor, to the data exporter.


When Solace engages a subcontractor under this Agreement, Solace and the subcontractor enter into an agreement with data protection terms substantially similar to those contained herein. Each subcontractor agreement must ensure that Solace is able to meet its obligations to the Customer. In addition to implementing technical and organisational measures to protect personal data, subcontractors must: a) notify Solace in the event of a Security Incident so Solace may notify the Customer; b) delete data when instructed by Solace in accordance with the Customer’s instructions to Solace; c) not engage additional subcontractors without authorization; d) not change the location where data is processed; and e) not process data in a manner which conflicts with the Customer’s instructions to Solace.


ANNEX 3.3 - SUBCONTRACTORS LIST


Approved subcontractors


The table below provides a summary of the Personal Data Categories, storage locations, data flows and legal basis for each Approved Subcontractor's processing activities.


| Entity | Scope and Purpose of Processing | Categories of Personal data | Processing and storage locations | Legal basis for transfer of personal data outside the EU/EEA | Additional information |
| :---: | :---: | :---: | :---: | :---: | :---: |
| Amazon Web Services | This is a web hosting provider. We use it to host our Platform code and database. | Contact Details, Data from your Project, Data that identifies you | EU & US | EU-U.S. Data Privacy Framework | [aws.amazon.com/](https://aws.amazon.com/privacy/) |
| GitHub | GitHub is a website and cloud-based service that helps us store and manage our CMS code. Users also use GitHub to send us bugs and feature requests tickets. | Contact Details, Data that identifies you | US | EU-U.S. Data Privacy Framework | [docs.github.com/fr/site-policy/privacy-policies/github-privacy-statement](https://docs.github.com/fr/site-policy/privacy-policies/github-privacy-statement) |
| Google Cloud Platform | We define an OAuth 2.0 app on Google to support login via Google on Solace Cloud | Contact Details, Data that identifies you | US | EU-U.S. Data Privacy Framework | [cloud.google.com/terms/cloud-privacy-notice](https://cloud.google.com/terms/cloud-privacy-notice) |
| Complianz | Complianz is a WordPress plugin that allows us to ask for and handle users’ cookie consents (that are necessary to meet GDPR requirements). | Data that identifies you | EEA | The European Commission's Standard Contractual Clauses | [complianz.io/legal/privacy-statement/](https://complianz.io/legal/privacy-statement/) |
| Google Analytics | Google provides Solace’s business IT systems. We use Google Analytics to track website usage and prepare reports, and Google Ads to place sponsored search results and measure their effectiveness. | Contact Details, Data on how you use Strapi | US | EU-U.S. Data Privacy Framework | [policies.google.com/privacy](https://policies.google.com/privacy) |
| Datadog | Monitoring and Logging | Content Data, Usage and Interaction Data, Device and Technical Data, Authentication and Access Data | EU | EU-U.S. Data Privacy Framework | [datadoghq.com/legal/terms/2014-12-31/](https://www.datadoghq.com/legal/terms/2014-12-31/) |
| Hotjar | Website behavior analytics and feedback | Behavioral and Interaction Data, Device and Technical Data, Form and Input Data, Identifiers and Analytics Data, Optional User Feedback Data | Ireland | Standard Contract Clauses (SCC) | [hotjar.com/legal/policies/terms-of-service/](https://www.hotjar.com/legal/policies/terms-of-service/) |
| Loom | Video messaging for async communication | Content Data, Usage and Interaction Data, Device and Technical Data, Authentication and Access Data, Optional Feedback or Support Data | EU | EU-U.S. Data Privacy Framework | [atlassian.com/legal/loom/terms-of-service](https://www.atlassian.com/legal/loom/terms-of-service) |
| Miro | Miro is used internally at Solace to design workflows and processes | Personal Data not processed in the service. | US, EEA, UK | EU-U.S. Data Privacy Framework | [miro.com/legal/privacy-policy/](https://miro.com/legal/privacy-policy/) |
| Notion | Notion is a productivity tool. We use Notion for docs, wikis, and project management. | Contact Details | US | EU-U.S. Data Privacy Framework | [notion.so/help/security-and-privacy](https://www.notion.so/help/security-and-privacy) |
| Okta | Identity and Access Management | Identification details | EU, US | EU-U.S. Data Privacy Framework | [security.okta.com/](https://security.okta.com/) |
| Open AI | AI models and APIs (e.g., ChatGPT, GPT-4) | User inputs, user progress in the app | EU | The European Commission's Standard Contractual Clauses (SCC) | [openai.com/policies/row-terms-of-use/](https://openai.com/policies/row-terms-of-use/) |
| Slack | Slack is a messaging tool. We use Slack for internal messaging. | Contact Details | US | EU-U.S. Data Privacy Framework | [slack.com/intl/en-gb/trust/privacy/privacy-policy](https://slack.com/intl/en-gb/trust/privacy/privacy-policy) |
| Stripe | Payment provider | Identification information, Payment information | EEA, US | EU-U.S. Data Privacy Framework | [docs.stripe.com/security](https://docs.stripe.com/security) |
| Typeform | Online form and survey builder | Contact Information Demographic Information Behavioral Data Technical Data Consent Data | EEA, Ireland | The European Commission's Standard Contractual Clauses (SCC) | [admin.typeform.com/to/dwk6gt?typeform-source=www.google.com](https://admin.typeform.com/to/dwk6gt?typeform-source=www.google.com) |
| Zapier | Automation of workflows between web apps | No personal data | EEA, US | EU-U.S. Data Privacy Framework | [zapier.com/legal/terms-of-service](https://zapier.com/legal/terms-of-service) |


IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.


Solace (Processor)


Signature: ____________________________________

Name: Person

Title: Person

Date: Date


Person (Controller)


Signature: ____________________________________

Name: Person

Title: Person

Date: Date