Data Controller shall be responsible for determining the purpose of processing under this agreement. If Data Controller is itself a processor, Data Controller represents that the controller of the data has determined the purpose of processing and that the processing under this agreement is permitted based on the controller’s instructions.

With respect to this agreement, Data Controller’s processing instructions are to process data according to the Master Services Agreement between Controller and Processor. The Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions and no Personal Data will be processed unless explicitly instructed by the Controller.

Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorization from the Data Controller before

undertaking such processing. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately notify the Data Controller if, in its 3 opinion, any instruction infringes this Regulation or other Union or Member State data protection provisions. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.

The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the Processing. To the extent required by EU Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in EU Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.

Data Processor shall ensure that any person it authorizes to process the Data (an “Authorized Person”) shall protect the Data in accordance with Processor’s confidentiality obligations under the Agreement.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Controller and Data Processor agree to implement appropriate technical and organizational measures to ensure a level of security and privacy of the processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, certification to ISO/IEC 27001:2013 or equivalent and implementation of the controls defined in Annex B of ISO/IEC 27701:2019.

Data Processor shall not transfer the Data outside of the United States (“US”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

If it becomes aware of a confirmed Security Incident, Data Processor shall inform Data Controller without undue delay (within 48 hours), and shall provide information and cooperation to Data Controller so that Data Controller can fulfil any data breach reporting obligations it may have under (and in accordance with the timescale required by) Applicable Data Protection Law. Data Processor shall further take such reasonably necessary measures and actions to mitigate the effects of the Security Incident and shall keep Data Controller informed of all material developments in connection with the Security Incident.

Data Controller consents to Data Processor engaging third party sub-processors to process the Data for the Permitted Purpose provided that: (i) Data Processor notifies Data Controller of such sub-processors; (ii) Data Processor imposes data protection terms on any sub-processor it appoints that require it to protect the Data, namely that sub-processors shall implement the controls defined in Annex B of ISO/IEC 27701:2019. Data Controller may object to Data Processor’s appointment or replacement of a sub-processor prior to its appointment or replacement. In such event, Data Controller may suspend or terminate the Agreement.

Data Processor will remain liable for the acts of any sub-processor acting on its behalf.

The Data Controller may request that the Data Processor audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to ensure compliance with its obligations imposed by the Data Processor in conformity with this Agreement.

Upon termination or expiry of the Agreement, Data Processor shall (at Data Controller’s election) destroy or return to Data Controller all Data in its possession or control. This requirement shall not apply to the extent that Data Processor is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Processor shall securely isolate and protect from any further processing except to the extent required by such law.

The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the EU Data Protection Law.

Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Section 4 (Security), as well as other Data Controller obligations under EU Data Protection Law that are relevant to the Data Processing, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller arising out of a breach of this Data Processing Agreement and/or the EU Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Processor arising out of a breach of this Data Processing Agreement and/or the EU Data Law by the Data Controller.

This Data Processing Agreement shall come into effect on the effective date of the Service Agreement.

Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations under this Agreement.

The Data Processor shall process Personal Data until the date of expiration or termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.

In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Service Agreement, the provisions of this Data Processing Agreement shall prevail.

This Data Processing Agreement is governed by the laws of Minnesota. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of Hennepin, County. Minnesota.