FRIENDLIAI DATA PROCESSING AGREEMENT


This Data Processing Agreement (“DPA”) is entered into and forms part of the applicable agreement for the provision of FriendliAI services (“Agreement”) between the applicable FriendliAI entity that is party to that Agreement (hereafter, “FriendliAI”), and the applicable customer or partner that is party to that Agreement (“Customer”) and is effective as of the date of the Agreement. The Customer and FriendliAI may be referred to individually as a “Party” and collectively as the “Parties” under this DPA.

WHEREAS:

(A) The Customer wishes to subcontract certain Services to FriendliAI under the Agreement, which may require the Processing of Personal Data;

(B) The Parties seek to implement this DPA to assist with compliance with applicable Data Protection Laws including the GDPR, UK GDPR and US State Privacy Laws; and

(C) The Parties wish to identify their rights and obligations.

The parties agree to comply with the following provisions, each acting reasonably and in good faith.

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

“Alternative Adequate Level of Protection” means: (a) the country where FriendliAI or the applicable Sub-Processor is located is recognized by the Data Protection Laws of the EEA and/or UK (as applicable) to have an adequate level of protection of Personal Data; (b) FriendliAI or the applicable Sub-Processor have implemented binding corporate rules which provide adequate safeguards as required by the Data Protection Laws of the EEA and/or UK (as applicable); or (c) FriendliAI or the applicable Sub-Processor has implemented any other similar program or appropriate safeguards that are recognized by the Data Protection Laws of the EEA and/or UK (as applicable) as providing an adequate level of protection.

“Business” shall have the meaning given to it in the CCPA.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CPRA”), and its accompanying regulations, each as they may be amended from time to time.

“Consumer” shall have the meaning given to it in the CCPA.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data, and also includes a ‘business’ as that term is defined in the CCPA.

"Data Protection Laws" means any laws and regulations applicable in any relevant jurisdiction relating to privacy or the use or Processing of Personal Data, including without limitation: (a) CCPA and US State Privacy Laws; (b) GDPR; (c) UK GDPR; (d) the DPA 2018; (e) EU Directive 2002/58/EC (as amended by 2009/139/EC) and any legislation implementing or made pursuant to such directive, including (in the UK) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (f) any provincial or federal laws or regulations in Canada, including without limitation, PIPEDA and any substantially similar legislation enacted in the Provinces of Alberta, British Columbia and Quebec; (g) the PIPA, and (h) any laws or regulations ratifying, implementing, adopting, supplementing or replacing any of the foregoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.

“Data Subject” means the identified or identifiable person to whom Personal Data relates, and also includes a ‘consumer’ as that term is defined in the CCPA.

“DPA” means this Data Processing Agreement and all Schedules, if any.

“EEA” means the European Economic Area, including Switzerland and those countries comprising the European Union (“EU”) and the European Free Trade Association.

"EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data in countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time) currently available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en&uri=CELEX:32021D0914. This includes the Controller-to-Processor Clauses and the Processor-to-Processor Clauses which are hereby incorporated by reference.

“GDPR” means: (a) General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC and any implementing laws in each EU member state, each as they may be amended from time to time.

"Personal Data" means all data which is defined as ‘personal data’ or ‘personal information’ or similar in the applicable Data Protection Laws, and which is provided by Customer or its customers or end users to FriendliAI or accessed, stored or otherwise Processed by FriendliAI in connection with the Services.

“PIPA” means the Korean Personal Information Protection Act, as amended in 2023.

“PIPEDA” means the Personal Information Protection Electronic Documents Act, SC 2000 c5 and its accompanying regulations, each as they may be amended from time to time.

“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity that Processes Personal Data on behalf of the Controller, and also includes a ‘service provider’ as that term is defined in the CCPA.

“Schedule” means a schedule to this DPA, which forms an integral part of this DPA.

“Security Incident” means a breach of FriendliAI security or any FriendliAI Sub-Processor’s security leading to accidental or unlawful destruction, theft, loss, alteration or unauthorized disclosure of, or access to, Personal Data.

“Selling” shall have the meaning given to it in the CCPA and “sell” shall be construed accordingly.

“Services” means shipping and software services offered by FriendliAI, and any other services provided by FriendliAI to Customer under the Agreement.

“Service Provider” shall have the meaning given to it in the CCPA.

“Sub-Processor” means another Processor subcontracted by FriendliAI which is to Process Personal Data for the purpose of the Services.

“Supervisory Authority” means the applicable data protection authority or other regulatory authority responsible for regulating the Processing of Personal Data in connection with the Services.

"UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the European Union (Withdrawal Agreement) Act 2020 in the UK and including the UK Data Protection Act 2018 (“DPA 2018”), and any implementing laws in the United Kingdom, each as they may be amended from time to time.

“UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the United Kingdom’s Information Commissioner’s Office, Version B1.0, in force as of March 21, as revised under section 18 of the UK Mandatory Clauses, which is hereby incorporated by reference.

“US State Privacy Laws” means any laws and their accompanying regulations, each as they may be amended from time to time, applicable at the federal level and in any relevant US state relating to privacy or the use or processing of Personal Data.

Capitalized terms used, but not defined, in this DPA are defined in the Agreement.

2. Object of this DPA

The Parties acknowledge and agree that, except as provided in the paragraph below, this DPA will apply when Personal Data is Processed by FriendliAI. In this context, FriendliAI will act as Processor or Sub-Processor to Customer, who can act either as Controller or Processor of Personal Data.

Notwithstanding anything in this DPA to the contrary, where FriendliAI captures contact details and payment details for its internal business purposes of sales and marketing, account management, technical support, billing, legal and regulatory compliance and such other activities as set out in its Privacy Policy (a) FriendliAI is the Controller of such Personal Data, and such activities are outside of the general scope of this DPA; and (b) when acting as the Controller of such data, FriendliAI shall Process such Personal Data in line with the applicable Privacy Policy of FriendliAI or its affiliates.

3. Duration and Termination

This DPA shall remain in effect as long as FriendliAI carries out Processing of Personal Data on behalf of Customer as set forth in the Agreement, or until the termination of the Services, whichever period is longer.

Upon the termination or expiration of this DPA or the Agreement, any rights and obligations of the Parties accrued prior to the termination or expiration thereof shall continue to exist.

Customer acknowledges and agrees that FriendliAI shall have no liability for any losses incurred by Customer arising from or in connection with FriendliAI’s inability to perform the Services as a result of FriendliAI complying with a request to delete or return Personal Data made by Customer.

The provisions of Sections 1, 3, and 10-13 of this DPA shall survive the termination or expiration of this DPA, the Agreement and the Services.

4. Data Protection

Because the performance of the Agreement and the delivery of the Services includes the Processing of Personal Data, the Customer and FriendliAI shall comply with applicable Data Protection Laws to the extent that the Personal Data is within the scope of such Data Protection Laws. It shall be the responsibility of the Customer to inform FriendliAI which Personal Data FriendliAI Processes on behalf of the Customer is within the scope of CCPA, US State Privacy Laws, GDPR, UK GDPR, PIPEDA or other Data Protection Laws.

As the Controller or Processor of Personal Data, the Customer shall ensure that it has established a valid legal basis for the Processing of the Personal Data by FriendliAI. Customer’s instructions for the Processing of Personal Data shall comply with applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including compliance with any applicable Data Subject notice and consent requirements.

FriendliAI shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions (including those set out in the Agreement and this DPA) for the following purposes unless required to by applicable laws to which FriendliAI is subject: (A) Processing in accordance with the Agreement; (B) Processing initiated by Customer or Customer’s customers or end users in their use of the Services; and (C) Processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement, and (D) as required by applicable Data Protection Laws. In addition, pursuant to Article 26 of the Korean Personal Information Protection Act (“PIPA”), FriendliAI shall only process Personal Data originating from the Republic of Korea in accordance with the Korean Addendum for Delegation of Personal Data Processing Services, included in Schedule 6 of this DPA.

To the extent required by applicable Data Protection Laws, FriendliAI, in acting as the Customer’s Processor, shall:

  • take reasonable steps to ensure that persons authorized to Process the Personal Data are subject to statutory or contractual confidentiality obligations or are otherwise bound by confidentiality obligations;
  • take technical and organizational measures appropriate (having regard to the state of technological development and cost of implementation) for protection of the security, confidentiality and integrity of Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, theft, alteration, damage or unauthorized disclosure of, or access to, Personal Data), as set forth in Schedule 4 (Annex II) of this DPA;
  • at the Customer’s cost and request, assist, insofar as this is possible, to fulfil the Customer’s obligations to respond to requests made by Data Subjects in relation to their rights with regard to their Personal Data (as further set forth in Section 7 of this DPA);
  • at the Customer’s cost and request, provide reasonable assistance in relation to any mandatory obligations applicable to the Customer in relation to the performance of Data Protection Impact Assessments by the Customer under applicable Data Protection Laws;
  • make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and, at the cost and request of the Customer, allow for and contribute to audits, including inspections conducted by the Customer or another auditor mandated by the Customer, as set forth in Section 9 of this DPA; and
  • inform the Customer promptly if it believes that any instruction from the Customer infringes applicable Data Protection Laws.

5. Data Transfers

Customer shall ensure that any data transfers are in compliance with the requirements of Data Protection Laws.

Where Customer acts as a Controller and FriendliAI as a Processor, and the Personal Data is (a) subject to the Data Protection Laws of the EEA and/or the UK (as applicable), (b) transferred to FriendliAI outside the EEA and (c) where no Alternative Adequate Level of Protection applies, the Parties hereby agree that the EU SCCs (Controller-to-Processor – Module 2) will apply to the transfer of such Personal Data, as construed by reference to Schedule 1 hereto. FriendliAI may terminate the EU SCCs by giving Customer 30 days’ notice and implementing an alternative framework as may be required as provided in the Data Protection Laws of the EEA and/or the UK (as applicable).

Where Customer acts as a Processor and FriendliAI as a Sub-Processor, and the Personal Data is (a) subject to the Data Protection Laws of the EEA and/or the UK (as applicable), (b) transferred to FriendliAI outside the EEA and (c) where no Alternative Adequate Level of Protection applies, the Parties hereby agree that the EU SCCs (Processor-to-Processor – Module 3) will apply to the transfer of Personal Data, as construed by reference to Schedule 1 hereto. FriendliAI may terminate the EU SCCs by giving Customer 30 days’ notice and implementing an alternative framework as required as provided in the Data Protection Laws of the EEA and/or the UK (as applicable).

The Parties hereby agree that the UK Addendum, as construed by reference to Schedule 2 hereto, will also apply to the transfer of Personal Data from the UK and shall supplement the EU SCCs, to the extent such transfers are subject to the UK GDPR and are to a country where no Alternative Adequate Level of Protection is recognized in the UK (as described in the UK GDPR). FriendliAI may terminate the UK Addendum by giving Customer 30 days’ notice and implementing an alternative framework as may be required as provided in the UK GDPR.

6. California Consumer Privacy Act

Customer and FriendliAI shall comply with the CCPA to the extent that the Customer is a Business and FriendliAI is a Service Provider Processing the Personal Data of Consumers on behalf of the Customer. It shall be the responsibility of Customer to inform FriendliAI which Personal Data FriendliAI Processes on behalf of the Customer is within the scope of the CCPA.

Customer warrants that it discloses Personal Data of Consumers to FriendliAI solely for (i) a valid business purpose, and (ii) to permit FriendliAI to perform the Services. FriendliAI agrees to provide the same level of protection of the consumer’s rights under the CPRA as the Customer and provide the same level of privacy protection as required of businesses by the CCPA and its accompanying regulations.

To the extent the CCPA is applicable, FriendliAI shall not retain, use, or disclose Personal Data of Consumers obtained in the course of providing Services, including for any commercial purpose other than the business purposes specified in the Agreement except:

  • To process or maintain Personal Data of Consumers on behalf of the Customer in compliance with the Agreement;
  • To retain and employ another Service Provider as a Sub-Processor, where the Sub-Processor meets the requirements for a Service Provider under CCPA;
  • For internal use by FriendliAI to build or improve the quality of its services, provided that the use does not include building or modifying Consumer profiles to use in providing Services to another Business or correcting or augmenting data acquired from another source; and/or
  • To detect data Security Incidents, or to protect against fraudulent or illegal activity.

This DPA shall not restrict FriendliAI’s ability to:

  • Comply with federal, state, or local laws;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena or summons by federal, state, or local authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the Customer, FriendliAI, or a third party reasonably and in good faith believes may violate federal, state, or local law; and/or
  • Exercise or defend legal claims.

For clarity, FriendliAI shall not sell or share a Consumer’s Personal Data as the term ‘sell’ or “share” is defined in the CCPA when a Consumer has opted-out of the sale of their Personal Data with the Customer and such request has been conveyed to FriendliAI.

FriendliAI shall refrain from combining Personal Data received from Customer with Personal Data (1) received from, or on behalf of, one or more entities to which it is a Service Provider or Processor, or (2) collected from FriendliAI’s own interaction with the consumer, or (3) of opted-out consumers which FriendliAI receives from or on behalf of Customer with Personal Data which FriendliAI receives from or on behalf of another person or persons, or collects from its own interaction with consumers.

FriendliAI shall notify Customer if it makes a determination that it can no longer meet its obligations under CCPA.

FriendliAI grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

FriendliAI shall use the Personal Data only for the limited and specified purposes set out in Schedule 3 (Annex I).

FriendliAI certifies that it understands and will comply with the restrictions set out in this Addendum. If FriendliAI at any time determines that it can no longer meet its obligations under this Addendum or Law, FriendliAI shall immediately notify Customer after FriendliAI makes such determination. FriendliAI grants Customer the right to take reasonable and appropriate steps to ensure that FriendliAI uses the Personal Data that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA and its regulations. FriendliAI shall cooperate with Customer including, but not limited to, providing documentation to Customer verifying that FriendliAI no longer retains or uses Personal Data of Consumers who have made a valid request to delete with the Customer.

No Re-Identification. FriendliAI agrees, except as may be necessary to fulfil the express requirements of the Agreement, to refrain from attempting to reidentify or identify any individual based on Personal Data.

7. Rights of Data Subjects

FriendliAI shall respond to any Data Subject complaint, inquiry, or request to exercise their rights regarding Personal Data (including right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making) (a “Data Subject Request”) by either asking the Data Subject to make their request to Customer or by promptly notifying the Customer of the same.

FriendliAI will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify, erase and restrict Processing of Personal Data (including via the deletion functionality provided by the Services, if available), and to export Personal Data.

To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, FriendliAI shall upon Customer’s request (and taking into account the nature of the Processing) provide commercially reasonable efforts to assist Customer in fulfilling its obligation to respond to Data Subject Requests that are required under applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any reasonable costs arising from FriendliAI's provision of such assistance.

8. Sub-Processing

To the extent permitted under the Agreement, FriendliAI may appoint third parties to assist in providing the Services who may be considered Sub-Processors, provided that such Sub-Processors:

(a) agree to act only on FriendliAI’s instructions when Processing Personal Data (which instructions shall be consistent with the Customer’s Processing instructions to FriendliAI); and

(b) have entered into a written agreement with FriendliAI containing data protection obligations no less protective than those in this DPA with respect to the Processing of Personal Data to the extent applicable to the nature of the Services provided by such Sub-Processor.

The list of current FriendliAI Sub-Processors is attached as Schedule 5 (Annex III). When any new Sub-Processor is appointed that will Process Personal Data, FriendliAI will, [at least thirty (30) days before the new Sub-Processor Processes any Personal Data, notify Customer of the appointment via email at the email address(es) for notice as listed in the Agreement,] or by posting for thirty (30) days the proposed new Sub-Processor on the applicable website found here https://friendli.ai/subprocessors (Notice Period).

In the event that Customer reasonably objects to the Processing of its Personal Data by any Sub-Processor, it shall inform FriendliAI immediately by emailing its objection and the grounds for its objection to the email address(es) for notice as listed in the Agreement. In such event, FriendliAI will do one of the following at FriendliAI’s option: (a) instruct the Sub-Processor to cease any further Processing of the Customer’s Personal Data, in which event this DPA shall continue unaffected (Customer acknowledges that the inability to use a particular new Sub-Processor may result in delay in performing the Services, inability to perform the Services or increased fees), or (b) allow the Customer to terminate this DPA and the Agreement and related Services immediately with no further liability to FriendliAI. Customer’s failure to object in writing within the Notice Period shall constitute approval to use the new Sub-Processor.

FriendliAI shall be liable for the acts and omissions of its Sub-Processors to the same extent FriendliAI would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

9. Data Protection Impact Assessment

FriendliAI shall, taking into account the nature of the processing and the information available to FriendliAI, provide reasonable assistance to Customer at Customer's cost, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.

10. Security Incidents

FriendliAI shall notify the Customer of a Security Incident in relation to Customer’s Personal Data without undue delay and, at the Customer’s request, provide reasonable assistance in relation to any mandatory obligations applicable to the Customer in relation to a Security Incident under applicable Data Protection Laws, in each case at the Customer’s cost; provided, however, that nothing in this paragraph shall prohibit FriendliAI from taking the steps as FriendliAI deems necessary and reasonable in order to remedy or mitigate the effects of the Security Incident.

11. Deletion of Personal Data

Upon termination or expiration of the DPA or the Agreement, or at any earlier moment if the Personal Data are no longer relevant for the delivery of the Services, at the choice of the Customer, FriendliAI shall enable Customer to retrieve and/or delete Personal Data from the Service before any termination of the Agreement. Customer instructs FriendliAI, after the end of the provision of the Services, to delete all Personal Data in FriendliAI's possession or control, and FriendliAI shall delete such Personal Data within 90 days or shorter as required by Applicable Data Protection Laws, including, without limitation, when a Data Subject exercises their right to erasure, but this requirement shall not apply to the extent FriendliAI is required by applicable law to retain all or some of the Personal Data or to Personal Data FriendliAI has archived on backup systems, which data FriendliAI shall securely isolate and protect from further processing except to the extent required by such law, until such time as the relevant backup archive is destroyed in accordance with FriendliAI's standard backup destruction policies, which shall not exceed 90 days after the date such data was backed up.

12. Audit Rights

To the extent that Audit Rights are specifically authorized by the applicable Data Protection Law, upon Customer’s request, with not less than thirty (30) days' notice, FriendliAI agrees (at Customer’s expense) to permit Customer to perform reviews of FriendliAI's compliance with its security obligations set forth under the DPA (the "Customer Audits"). Customer Audits may be conducted by the internal and external auditors and personnel of Customer who have entered into FriendliAI's form of nondisclosure agreement (collectively, "Auditors"). The scope of such Customer Audits shall be agreed in advance with FriendliAI. Such Customer Audits shall be conducted in accordance with FriendliAI's security policies and procedures, without undue disruption to FriendliAI’s operations, in a commercially reasonable manner, and shall be limited to the security aspects of the Services provided to Customer. Customer Audit(s) will be performed at Customer’s sole cost and Customer will reimburse FriendliAI for its reasonable costs associated with such additional Customer Audits. Customer shall promptly notify FriendliAI with information regarding the results of Customer Audits, including any information that FriendliAI is not Processing Personal Data in accordance with its obligations under this DPA. If the requested scope of the Customer Audit is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of the request of the Customer Audit and FriendliAI confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

13. Customer Instructions

FriendliAI shall not be liable for any claim brought by Customer or any end user or customer of Customer or any other third party arising from FriendliAI's compliance with Customer’s instructions.

14. Limitation of Liability

The total liability of FriendliAI (and its Affiliates and their respective employees, directors, officers, agents, successors, and assigns) arising out of or related to this DPA and the Agreement, whether in contract, tort, or other theory of liability, shall in the aggregate, be subject to the limitation of liability set forth in the Agreement.

15. Miscellaneous Provisions

This DPA, together with the Agreement, sets out all of the terms that have been agreed between the Parties in relation to the subjects covered by it and supersedes and replaces all prior agreements or understandings, whether written or oral, with respect to the same subject matter that are still in force between the Parties.

Any amendments to this DPA, as well as any additions or deletions, must be agreed to in writing by both Parties.

Customer acknowledges that FriendliAI may disclose any information processed pursuant to this DPA, and any other relevant data protection and privacy provisions to the U.S. Department of Commerce, the Federal Trade Commission, or any other judicial or regulatory body upon their request.

To the extent that any provision of this DPA conflicts with any provision of the Agreement, the terms of the DPA shall prevail, as to the specific subject matter of the DPA.

Whenever possible, the provisions of this DPA shall be interpreted in such a manner as to be valid and enforceable under the applicable law. If any part of this DPA is held invalid, illegal or unenforceable, the validity of all remaining parts will not be affected. Moreover, in such an event, the Parties shall amend the invalid, illegal or unenforceable parts and/or agree on a new provision to reflect as much as possible the intended purpose of the invalid, illegal or unenforceable provision.

Any failure, delay, action or inaction by a Party to exercise its rights under this DPA, shall not be considered a waiver of that Party’s rights under this DPA, and shall not operate to preclude such rights. Any waiver of a right must be express and in writing.

16. Applicable Law and Jurisdiction

To the extent required by applicable Data Protection Laws (e.g., in relation to the governing law of the EU SCCs and the UK Addendum), this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, the laws of the jurisdiction specified in the Agreement shall apply to this DPA.

List of Schedules:

  • Schedule 1: References to EU Standard Contractual Clauses - Controller to Processor and Processor to Processor
  • Schedule 2: (if applicable) UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
  • Schedule 3: Data Processing Details (also Annex I to the EU SCCs)
  • Schedule 4: Security (also Annex II to the EU SCCs)
  • Schedule 5: Sub-Processors (also Annex III to the EU SCCs)
  • Schedule 6: Korean Addendum for Delegation of Personal Data Processing Services

Schedule 1 - EEA Transfers

This Schedule shall apply when the Personal Data is (a) subject to the Data Protection Laws of the EEA and/or the UK (as applicable); (b) transferred to FriendliAI outside the EEA and/or UK and (c) where no Alternative Adequate Level of Protection applies (the “EEA Transfer”).

The Parties hereby agree that the EU SCCs shall be construed as set forth below. FriendliAI may terminate the EU SCCs by giving Customer 30 days’ notice and implementing an alternative framework as may be required as provided by the Data Protection Laws of the EEA and/or the UK (as applicable).

  1.1. The EEA Transfer shall be governed by the EU SCCs and references in the EU SCCs and in this Schedule 1 to the data exporter shall be Customer and references to the data importer shall be FriendliAI.
  1.2. The EU SCCs are hereby incorporated into this DPA and construed as follows (with references in this paragraph 1.2 to Clauses being to Clauses of the EU SCCs):

1.1.a.1. All footnotes and explanatory notes in the EU SCCs are deleted;

1.1.a.1.1. Where the EEA Transfer is a Controller to Processor transfer, specifically where Customer acts as the Controller and data exporter, and FriendliAI acts as the Processor and data importer, only the provisions relating to Module 2 apply to such EEA Transfer;

1.1.a.1.2. Where the EEA Transfer is a Processor to Processor transfer, specifically where Customer acts as the Processor and data exporter, and FriendliAI acts as the Sub-Processor and data importer, only the provisions relating to Module 3 apply to such EEA Transfer;

1.1.a.2. Clause 7 (Docking Clause) of the EU SCCs (Module 2 and Module 3) applies.

1.1.a.3. The instructions to the data importer shall be construed by reference to Section 4 of this DPA and which in the case of Module 3 constitute the instructions of the relevant Controller(s);

1.1.a.4. Clause 8.5 (Duration of processing and erasure or return of data) of the EU SCCs (Module 2 and Module 3) shall be construed by reference to Section 3 of this DPA;

1.1.a.5. Clause 8.9(d) (audits) of the EU SCCs (Module 2 and Module 3) shall be construed by reference to Section 9 of this DPA;

1.1.a.6. With respect to Clause 9 (sub-processors), ‘Option 2: General Written Authorisation’ applies, and the data importer shall specifically inform the data exporter in writing of any intended changes to the Sub-Processor list set forth at Annex III in accordance with Section 8 of this DPA;

1.1.a.7. The optional provision in Clause 11(a) (Redress) of the EU SCCs (Module 2 and Module 3) does not apply;

1.1.a.8. With respect to Clause 13(a) (supervision), the following wording shall apply: where the data exporter is established in an EU Member State, the Supervisory Authority shall be the Supervisory Authority of that EU Member State. Where the data exporter is not established in an EU Member State but has appointed an EU representative pursuant to the GDPR, the Supervisory Authority shall be the Supervisory Authority of the EU Member State in which the EU representative is established. In all other cases, the Supervisory Authority shall be the Supervisory Authority of Ireland;

1.1.a.9. In respect of Clause 17 (governing law), Option 1 shall apply, and the Clauses shall be governed by the laws of Ireland; and

1.1.a.10. In respect of Clause 18 (choice of forum and jurisdiction), the relevant courts shall be the courts of Ireland.

b) Annex I of the EU SCCs shall be completed with the information set out in Schedule 3 of this DPA.

c) Annex II of the EU SCCs shall be completed with the information set out in Schedule 4 of this DPA.

d) Annex III of the EU SCCs shall be completed with the information set out in Schedule 5 of this DPA.

e) Where the Data Protection Laws of Switzerland apply, the governing law, jurisdiction and Supervisory Authority shall be those of Switzerland. In addition, references in the EU SCCs to:

1.1.e.1. the “EU/Member State” shall be construed as references to Switzerland;

1.1.e.2. the GDPR shall refer to the Data Protection Laws of Switzerland; and

1.1.e.3. “supervisory authority” shall refer to the Supervisory Authority of Switzerland.


Schedule 2 – UK Transfers

This Schedule shall apply in addition to Schedule 1 when the Personal Data is (a) subject to the UK GDPR and the DPA 2018; (b) transferred to Vendor outside the UK; and (c) where no Alternative Adequate Level of Protection applies (the “UK Transfer”).

The Parties hereby agree that the UK Addendum supplements the EU SCCs and shall be construed as set forth below. FriendliAI may terminate the UK Addendum by giving Customer 30 days’ notice and implementing an alternative framework as may be required as provided by the UK GDPR and the DPA 2018. In the event of any conflict between Schedule 1 and this Schedule 2, this Schedule 2 takes precedence.

1.1. The UK Transfer shall be governed by the UK Addendum and the EU SCCs which are hereby incorporated into this DPA and construed as follows.

1.2. References in the UK Addendum and in this Schedule 2 to the data exporter shall be Customer and references to the data importer shall be FriendliAI.

1.3. Table 1 of the UK Addendum shall be completed as follows:

1.1.e.4. The parties’ details shall be the parties set forth in Schedule 3 of this DPA.

1.1.e.5. The Key Contact shall be the contacts set forth in Schedule 3 of this DPA.

1.4. Table 2 of the UK Addendum shall be completed as follows: the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as set forth in Schedule 1 of this DPA.

1.5. Table 3 of the UK Addendum shall be completed as follows: Annexes 1A and 1B shall be as set forth in Schedule 3 of this DPA; Annex II shall be as set forth in Schedule 4 of this DPA; and Annex III shall be as set forth in Schedule 5 of this DPA.

1.6. Table 4 of the UK Addendum shall be completed as follows: Customer or FriendliAI may end this Schedule 2 as set out in Section 19 of the EU SCCs.


Schedule 3 - Data Processing Details
(also Annex I to the EU SCCs)

A. LIST OF PARTIES

Customer/Data Exporter details:

Name: The entity identified as “Customer” in the Agreement and this DPA.

Address: The address for Customer as otherwise specified in the DPA or the Agreement.

Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement.

Activities relevant to the data transferred under these Clauses: Receipt of the Services under the Agreement.

Role: Controller or Processor (as applicable)

FriendliAI/Data Importer details:

Name: FriendliAI, as identified in the Agreement and DPA.

Address: The address for FriendliAI as specified in the DPA or Agreement.

Contact person’s name, position and contact details: The contact details for FriendliAI, as specified in the DPA or Agreement.

Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement.

Role: Processor or Sub-Processor (as applicable).

In addition to the information provided elsewhere in this DPA, the Parties wish to document the following information in relation to the Processing activities:

B. DESCRIPTION OF TRANSFER

1. Categories of Data Subjects

The Personal Data Processed concern the clients of the Customer and such other Data Subjects as required to provide the Services and such other Data Subjects as applicable to the Services.

2. Categories of Personal Data Transferred

The categories of Personal Data involved are: Personal Data that may include, amongst others, first name, surname, date of birth (to the extent applicable, e.g., to comply with age requirements on certain deliveries, etc.), contact information (including postal address, telephone number, email address), and description of package contents and such other Personal Data as required to provide the Services.

3. Sensitive Personal Data

Such Sensitive Personal Data as required to provide the Services.

4. Frequency of Transfer

Continuous

5. Nature of the Processing

The Processing operations performed by FriendliAI on behalf of the Customer relate to the provision of the Services and the collection, recording, organization, storage, use, and transmission of Personal Data to provide the Services in the Agreement.

6. Purpose of the Data Transfer and Further Processing

The purpose is the scope of Services provided under the Agreement, which includes, but is not limited to, (i) selecting carrier rates based on the addresses of expedition and receipt; (ii) creating expedition labels; (iii) transmitting the Personal Data to third party carriers and partners acting as independent Controllers for the purpose of making the deliveries; (iv) following up on returns by customers; and (v) tracking deliveries.

Processing by Sub-Processors is addressed in Schedule 5.

7. Retention Period

The shortest duration between (i) your deletion of the Personal Data from the Customer’s FriendliAI account, and (ii) the end of the contractual relationship between Customer and FriendliAI, subject to Section 3 of the DPA.

8. Duration of Processing

The Processing performed by FriendliAI on behalf of the Customer shall be for the term set forth in the Agreement/DPA.

C. COMPETENT SUPERVISORY AUTHORITY

As per Schedule 1 and Schedule 2 (as applicable) of this DPA.


Schedule 4 - Security
(also Annex II to EU SCCs)

ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

This Annex forms part of the Clauses.

Description of the Technical and Organizational Security Measures implemented by the data importer:

Measure: Measures of pseudonymization and encryption of Personal Data
Description: Encrypt data in transit (TLS with strong ciphers) and at rest. Passwords are hashed with Argon2/bcrypt/PBKDF2+salt/pepper. Apply data masking, pseudonymization, and anonymization to decouple identifiers from individuals. Confidential data and backups are encrypted.

Measure: Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Description: Access control with least privilege, RBAC, MFA for privileged access; quarterly access reviews. Secure operations: separation of dev/stage/prod, logging/monitoring, time sync, file-integrity/IDS, and vulnerability management with defined SLAs. Risk program: annual risk assessments and network security assessment to drive controls and treatments. Secure-by-design and privacy-by-design principles embedded in SDLC; code review, testing, and developer training.

Measure: Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Description: Regular backups stored separately, with restore tests performed at least annually; restore activity is logged. Incident Response includes containment, recovery, and remediation steps; the IR plan is reviewed/tested at least annually.

Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
Description: Annual risk assessment & periodic network security assessment; tracked via risk register/treatment. Quarterly vulnerability scans of public-facing systems; patch timelines by severity. Annual backup restore tests; IR plan tested at least annually. Quarterly user access reviews; documented results.

Measure: Measures for user identification and authorization
Description: Every individual is assigned a unique user account to ensure traceability and administrator accounts are separated from standard user accounts. Strong authentication is enforced through password complexity requirements, automatic lockouts after repeated failures, and multifactor authentication for sensitive or privileged operations.

Measure: Measures for the protection of data during transmission
Description: TLS with strong ciphers; industry-standard configurations for public networks. Remote connections to production must be encrypted; use company VPN when transmitting confidential data over public Wi-Fi.

Measure: Measures for the protection of data during storage
Description: Encrypt confidential data at rest and endpoint storage encryption (HDD/SSD). Confidential systems encrypt data at rest; backups encrypted; secure wipe/destruction at end of life. Passwords stored as salted/peppered one-way hashes.

Measure: Measures for ensuring events logging
Description: Log user logins/logouts, CRUD on objects, security setting changes, and admin access; include IDs/IPs/timestamps/action/object; protect logs from tampering.

Measure: Measures for ensuring system configuration, including default configuration
Description: Remove unnecessary default accounts and change vendor default credentials before deployment. Formal change management with testing/review/approval and rollback plans. Remove/disable default accounts and minimize services.

Measure: Measures for internal IT and IT security governance and management
Description: Defined roles from Board/Exec to Engineering, Support, and HR for security oversight, risk, IAM, and vendor governance. Policy framework with compliance monitoring and audits; clear incident reporting channel. Risk governance via risk register/treatment plans and periodic reporting to leadership.

Measure: Measures for certification/assurance of processes and products
Description: Third-party agreements and reviews align with frameworks (e.g., SOC 2) where applicable. Internal/external audits and ongoing monitoring to verify policy compliance. Annual network security assessment and continuous vulnerability management provide technical assurance.

Measure: Measures for ensuring data minimization
Description: Collect/use/retain PII only for legitimate business purposes; delete or de-identify as soon as no longer needed; prohibit storage on personal/removable media. Use masking/pseudonymization and “Privacy by Default” in design.

Measure: Measures for ensuring data quality
Description: All create, read, update, and delete (CRUD) operations on production data are logged to maintain traceability and accountability. Formal change management procedures and acceptance testing are in place to prevent unintended or erroneous changes to systems and data.

Measure: Measures for ensuring accountability
Description: Documented roles/responsibilities; approval workflows for access/changes; regular reviews/audits.

Measure: Measures for allowing data portability and ensuring erasure
Description: Customers can request the deletion of their accounts and associated personal data, which is carried out within defined timeframes once all legal and business requirements have been met. Verified data-subject requests are honored to ensure that personal data is either permanently erased or fully anonymized when no longer necessary.

Schedule 5 - Sub-Processors
(also Annex III to EU SCCs)

FriendliAI has appointed, and the Customer authorizes, the following Sub-Processors:

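Name: Amazon Web Services
Location: United States
Description of Processing Activity: Data Management
Contact Information and Website: aws-korea-privacy@amazon.com; https://aws.amazon.com/

Name: Stripe, Inc.
Location: United States
Description of Processing Activity: Electronic payment processing
Contact Information and Website: privacy@stripe.com; https://stripe.com/

Name: Vercel Inc.
Location: United States
Description of Processing Activity: Data Management
Contact Information and Website: privacy@vercel.com

Name: Google, LLC
Location: United States
Description of Processing Activity: Analysis of Usage Patterns/Analytics
Contact Information and Website: googlekrsupport@google.com; https://marketingplatform.google.com/about/analytics/

Name: Amplitude, Inc.
Location: United States
Description of Processing Activity: Analysis of Usage Patterns/Analytics
Contact Information and Website: privacy@amplitude.com; https://amplitude.com/

Name: Microsoft Corporation (Clarity)
Location: United States
Description of Processing Activity: Analysis of Usage Patterns/Analytics
Contact Information and Website: clarity@microsoft.com

Name: WorkOS, Inc.
Location: United States
Description of Processing Activity: Authentication and Identity Management
Contact Information and Website: support@workos.com

Name: Cloudflare, Inc.
Location: United States
Description of Processing Activity: Data Management
Contact Information and Website: dpo@cloudflare.com

Name: HubSpot, Inc.
Location: United States
Description of Processing Activity: Email Marketing
Contact Information and Website: privacy@hubspot.com

Name: Oracle Corporation
Location: United States
Description of Processing Activity: Data Management
Contact Information and Website: https://www.oracle.com/legal/data-privacy-inquiry-form/; https://oracle.com

Name: Twilio Inc.
Location: United States
Description of Processing Activity: Application Email Service
Contact Information and Website: privacy@twilio.com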

Schedule 6 – Korean Addendum for
Delegation of Personal Data Processing Services

The applicable customer or partner that is party to the Agreement (“Customer”) and FriendliAI (“FriendliAI”) agree upon the following matters set forth in this Addendum regarding delegation of processing of Personal Data in connection with the (“Agreement”) entered into between Customer and FriendliAI:

Purpose and Scope of Delegation

  1. Under Article 26 of the Korean Personal Information Protection Act (“PIPA”) and Article 25 of the Korean Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (“Network Act”), the Customer hereby delegates to FriendliAI, and FriendliAI hereby agrees to provide, the processing of any Personal Data related to the services contemplated in the Service Agreement (“Delegated Services”) insofar as the delegation is related to the original purpose of collecting and using the Personal Data for the Customer’s own business purposes.
  2. In the event FriendliAI collects, records, stores, uses, provides, or discloses any Personal Data or otherwise performs any act similar thereto (collectively referred to as “processing”) in the course of performing the Delegated Services, FriendliAI shall not engage in any such activities for any purpose other than to provide the Delegated Services to the Customer and its end-users, which shall include services such as data processing and other limited related services at the direction of the Customer.

Customer’s Obligations

3. The Customer agrees and warrants:

a. that the processing, including the transfer itself, of Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable laws;

b. that it has instructed, and throughout the duration of the Personal Data processing services will instruct, FriendliAI to process the Personal Data transferred only on the Customer’s behalf and in accordance with the applicable laws;

c. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation; and

d. that it will ensure compliance with the security measures.

FriendliAI’s Obligations

4. FriendliAI agrees and warrants:

a. To process the Personal Data only on behalf of the Customer and in compliance with its instructions and this Addendum; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Customer of its inability to comply.

b. That it has no reason to believe that any of the applicable laws prevents it from fulfilling the instructions received from the Customer and its obligations under the Agreement and that in the event of a change in the law which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum, it will promptly notify the change to the Customer as soon as it is aware; and

c. To observe all applicable Korean privacy laws and regulations, including the PIPA, Network Act and subordinate legislations and notifications thereunder.

Sub-Processing

  5. The Customer hereby expressly consents to FriendliAI subcontracting the processing of the Personal Data in connection with the Delegated Services to the third parties listed in Schedule 5 attached hereto.
  6. FriendliAI shall not subcontract any of its processing operations performed on behalf of the Customer under the Addendum without the prior written consent of the Customer. Where FriendliAI subcontracts its obligations under the Addendum, with the consent of the Customer, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on FriendliAI under the Addendum. Where the sub-processor fails to fulfill its data protection obligations under such written agreement, FriendliAI shall remain fully liable to the Customer for the performance of the sub-processor's obligations under such agreement.

Training and Monitoring

  7. The Customer may educate FriendliAI so that Personal Data of data subjects may not be lost, stolen, leaked, forged, altered, or damaged because of the delegation of personal information. The Customer may also supervise FriendliAI's processing of Personal Data by inspecting the status of processing, as prescribed by the PIPA and the Network Act.

Liability

  8. In the event that FriendliAI violates any obligation regarding the processing of the Personal Data under any of the above provisions and the Customer incurs damage as a result thereof, FriendliAI shall be liable to compensate for such damages.
  9. Notwithstanding Article 8 and any other provisions of the Agreement or the Addendum, to the extent permitted by applicable law, (i) FriendliAI shall be liable only in the case of fraud, wilful misconduct, or gross negligence, and (ii) FriendliAI shall be liable only for ordinary damages and shall not be liable for any special, punitive, indirect or consequential damages.

Last Modified: September 5, 2025
