Data Processing Agreement

Updated 08.02.26

BACKGROUND

(A) The Customer and First Thursday have entered into an agreement for the provision of services by First Thursday to the Customer ("Service Agreement") that requires First Thursday to process Personal Data on behalf of the Customer.

(B) This data processing agreement ("DPA") is the 'Data Processing Agreement' referred to in and incorporated into that Service Agreement, and sets out the additional terms on which First Thursday will process Personal Data when providing services to the Customer under the Service Agreement.

AGREED TERMS

1. Definitions

The terms "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" have the meanings given in Applicable Data Protection Law.

"Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including where applicable EU Data Protection Law and UK Data Protection Law.

"EU Data Protection Law" means: (i) all EU regulations or other legislation applicable (in whole or in part) to the processing of personal data (such as Regulation (EU) 2016/679 (the "GDPR")); (ii) the national laws of each EEA member state implementing any EU directive applicable (in whole or in part) to the processing of personal data (such as Directive 2002/58/EC (the "e-Privacy Directive")); and (iii) any other national laws of each EEA member state applicable (in whole or in part) to the processing of personal data, in each case as amended or superseded from time to time.

"EEA" means the European Economic Area.

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

"Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 ("UK Addendum").

"UK Data Protection Law" means: (i) the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the Data Protection Act 2018 (the "DPA 2018"); (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018 ("PECR"); and (iv) any other laws in force in the UK from time to time applicable (in whole or in part) to the processing of personal data, in each case as amended or superseded from time to time.

Other capitalised terms used but not defined here have the meaning given to them in the Service Agreement, and this DPA shall be interpreted in the same way as the Service Agreement.

2. Relationship of the parties

The Customer appoints First Thursday to process the personal data that is the subject of the Service Agreement (the "Data") on its behalf. In respect of such processing, Customer shall be the controller and First Thursday shall be a processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.

3. Prohibited data

The Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to First Thursday for processing (except where and to the extent expressly agreed in advance).

4. Purpose limitation

First Thursday shall process the Data as necessary to perform its obligations under the Service Agreement and in accordance with the documented instructions of the Customer (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law or any UK law applicable to First Thursday. In no event shall First Thursday process the Data for its own purposes or those of any third party.

5. Restricted transfers

5.1 The parties agree that when the transfer of Data from Customer to First Thursday is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:

(a) in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module Two will apply;

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 10 of this DPA;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in the Service Agreement;

(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and

(ix) Annex III of the EU SCCs shall be deemed completed with the information set out at the following URL: [insert URL];

(b) in relation to Data that is protected by the UK GDPR, the UK Addendum will apply completed as follows:

(i) The EU SCCs, completed as set out above in clause 6.1(a) of this DPA, shall also apply to transfers of such Data, subject to sub-clause (ii) below;

(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the option "neither party" shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.

(c) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

6. Onward transfers

First Thursday shall not participate in (nor permit any subprocessor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Law and pursuant to a lawful mechanism for transfer (such as Standard Contractual Clauses implemented between the relevant exporter and importer of the Data).

7. Confidentiality of processing

First Thursday shall ensure that any person that it authorises to process the Data (including First Thursday's staff, agents, and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Data who is not under such a duty of confidentiality. First Thursday shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.

8. Security

The processor shall implement appropriate technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access (a "Security Incident"). At a minimum, such measures shall include the measures identified in Annex II.

9. Subprocessing

First Thursday shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Customer. Notwithstanding this, Customer consents to First Thursday engaging third party subprocessors to process the Data provided that: (i) First Thursday provides at least thirty (30) days' prior notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal at the following URL: [insert URL]; (ii) First Thursday imposes data protection terms on any subprocessor it appoints that protect the Data to the same standard provided for by this Clause and grant Customer, as a third party beneficiary, the right to terminate the subcontract and to instruct the subprocessor to erase or return the Data in the event that First Thursday has factually disappeared, ceased to exist in law or has become insolvent; and (iii) First Thursday remains fully liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. A list of approved subprocessors as at the date of the Service Agreement may be found at [insert URL]. If Customer refuses to consent to First Thursday's appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either First Thursday will not appoint the subprocessor or either party may elect to suspend or terminate the Service Agreement without penalty.

10. Cooperation and data subjects' rights

First Thursday shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Customer (at Customer's expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to First Thursday, First Thursday shall promptly inform Customer providing full details of the same.

11. Data Protection Impact Assessment

If First Thursday believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Customer. First Thursday shall provide Customer (at Customer's expense) with all such reasonable and timely assistance as Customer may require in order to enable it to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Customer to consult with its relevant data protection authority.

12. Security Incidents

Upon becoming aware of a Security Incident, First Thursday shall inform Customer without undue delay and shall provide all such timely information and cooperation (at Customer's expense) as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. First Thursday shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all developments in connection with the Security Incident.

13. Deletion or return of Data

Upon termination or expiry of the Service Agreement, First Thursday shall (at Customer's election) destroy or return to Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that First Thursday is required by any applicable EU (or any EU Member State), EEA or UK law to retain some or all of the Data, in which event First Thursday shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.

14. Audit

First Thursday shall permit Customer appointed third party auditors to audit First Thursday's compliance with this Clause, and shall make available to Customer all information, systems and staff strictly necessary for Customer's third party auditors to conduct such audit. First Thursday acknowledges that Customer's third party auditors may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to First Thursday's operations. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except: (i) if and when required by instruction of a competent data protection authority; or (ii) Customer believes (on reasonable grounds) that a further audit is necessary due to a Security Incident suffered by First Thursday. First Thursday shall also respond to any written audit questions submitted to it by Customer. Any support required from First Thursday in respect of audits shall be at the Customer's expense.

ANNEX 1

Technical and Organisational Security Measures

Description of the technical and organisational measures implemented by the processor(s) / data importer(s), including any relevant certifications, to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of personal data

Personal data is encrypted both in transit and at rest using strong, industry-standard encryption methods. Sensitive fields are individually encrypted and access to encryption keys is strictly controlled. Logs and system outputs are filtered to mask personal identifiers.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Access to internal systems is limited, monitored, and subject to authentication controls. Regular backups are maintained and verified. Systems are designed for fault tolerance and monitored with automated alerting.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Daily backups are maintained, and restore drills are conducted quarterly to ensure the recoverability of critical data.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Technical controls are reviewed and tested regularly as part of the development lifecycle. Automated and manual testing processes are in place. Internal security reviews are conducted on a recurring basis.

Measures for user identification and authorisation

Access to internal systems is restricted to authorised personnel and requires strong authentication, including two-factor authentication. Access controls are role-based and logged.

Measures for the protection of data during transmission

All data transmitted between systems is encrypted using modern transport layer security protocols.

Measures for the protection of data during storage

Data is encrypted at rest using established encryption standards. Access to stored data is restricted and logged.

Measures for ensuring physical security of locations at which personal data are processed

Not applicable. All systems are hosted in secure cloud environments. See sub-processor list for more information.

Measures for ensuring events logging

Logging is in place for application and access events. Logs are monitored and reviewed periodically to support operational and security oversight.

Measures for ensuring system configuration, including default configuration

System configurations are managed through secure and version-controlled processes. Sensitive configurations are stored securely.

Measures for internal IT and IT security governance and management

Security responsibilities are defined and documented. Internal procedures guide how personal data is handled and protected. Governance measures are under regular review.

Measures for certification/assurance of processes and products

Automated and manual testing procedures are in place for all product releases. External assurance and compliance processes are actively pursued.

Measures for ensuring data minimisation

Personal data collection is limited to what is strictly necessary to fulfil the processing purposes. Non-essential or redundant data is not collected.

Measures for ensuring data quality

Data is validated and cleaned before processing to ensure it is accurate, relevant, and complete.

Measures for ensuring limited data retention

Personal data is retained only for as long as necessary to fulfil processing purposes. Data no longer in use is deleted in accordance with retention policies.

Measures for ensuring accountability

All personnel with access to personal data are trained on security and data protection during onboarding. Security responsibilities are clearly assigned.

Measures for allowing data portability and ensuring erasure

Data can be exported in a structured, machine-readable format. Deletion requests are supported and fulfilled without delay.

Sub-processor measures

For transfers to sub-processors, the following specific technical and organisational measures apply.

Sub-processor security obligations

Sub-processors are contractually required to implement security measures substantially equivalent to those set out in this Addendum.