This Data Processing Addendum, including its Attachments (“Addendum”) forms part of the Master Services Agreement (the “MSA”), between Singular Labs, Inc. (“Singular”), a Delaware corporation with offices at 1111B S Governors Ave STE 25765 Dover, DE 19904 and the customer identified in the signature block below (“Customer”).  This Addendum  supplements the MSA, unless Customer has entered into a superseding written agreement with Singular, in which case, it forms a part of such written agreement (in either case, the “MSA”). By executing this Addendum, Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of Customer’s authorized Affiliates, if and to the extent Singular processes Personal Data for which such authorized Affiliates qualify as the Controller. All capitalized terms not defined herein shall have the same meaning set forth in the MSA. In the course of providing the Services under the MSA, Singular may Process Personal Data on Customer’s behalf and the parties agree to comply with the terms and conditions in this Addendum in connection with such Personal Data.

Data Processing Agreement

This Data Processing Addendum (“Addendum”) is entered into between Singular and the Customer.

WHEREAS, the Services involve processing certain personal data and the parties wish to regulate Singular’s processing of such personal data, through this Data Processing Addendum.

THEREFORE, the parties have agreed to this Addendum, consisting of three parts:

• Part One applies with respect to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and supplementary GDPR legislations in EU member states).
• Part Two applies with respect to the UK Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”).
• Part Three applies with respect to the California Consumer Privacy Act of 2018 (CCPA) and Digital Personal Data Protection Act, 2023 of India.
• Sections 1-3 will apply for any other nation/state-specific data privacy regulations including LGPD (Brazil), LFPDPPP (Mexico), PIPEDA (Canada),

Parts One, Two, and Three apply only to Singular’s processing personal data or personal information of the Customer’s smartphone end-users, for which Singular is a Data Processor (as defined in the GDPR), or a service provider (as defined in the CCPA) on behalf of the Customer and under the Customer’s instructions. Parts One, Two, and Three do not apply to Singular’s processing personal data or personal information on the Singular website at https://www.singular.net or Singular’s processing personal data or personal information of representatives of Singular’s existing and prospective businesses using our Services.

In the event of any conflicting stipulations between this Addendum and the terms or any other agreement in place between the parties, the provisions of this Addendum shall prevail, except where explicitly agreed otherwise in writing.

PART ONE

This Part One only applies within the scope identified in the preamble of this Addendum.

1. Customer commissions, authorizes, and requests that Singular provide Customer the Services, which involves Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), and in applicable national law implementing the GDPR, or in any subsequent superseding legislation; these shall collectively be referred to as “Data Protection Law”). Customer shall: (a) establish, abide by and communicate a privacy notice to its data subjects, explaining, among others, the processing activities carried out by Singular on behalf of the customer; (b) provide data subjects the ability to opt-out of the processing activities carried out by Singular, and (c) substantiate the legal basis under Data Protection Law for obtaining and processing the Personal Data as carried out by Singular on behalf of the Customer.
2. Customer and Singular hereby assent to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”), as follows:
   1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: Transfer controller to processor: The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).
   2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland.
   3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland.
   4. In Annex I, for MODULE TWO: Transfer controller to processor:
      1. Data Exporter: Customer.
         1. Activities relevant to the data transferred under these Clauses: online marketing.
         2. Role: Controller.
      2. Data Importer: Singular
         1. Activities relevant to the data transferred under these Clauses: Developer, operator and provider of a marketing analytics and attribution platform.
         2. Role: Processor.
   5. Description of Transfer:
      1. Categories of data subjects whose personal data is transferred: End-users of mobile applications, desktop applications, websites and other properties operated by the Customer.
      2. Categories of personal data is transferred: (i) personal data regarding the behavior and usage patterns of the end-users of mobile applications and other mobile properties operated by the Customer. Subject to the Customer’s discretion, the personal data processed by the platform can include, among others, the end-user’s IP address, Apple’s ID for Advertising (IDFA), Google Android ID and Advertising ID for Android (AIFA), and geo-location information; and (ii) other Personal Data that the Customer may feed into the Services, provided however, that the Customer shall not feed any ‘Special Categories of Data’ within the meaning of the GDPR.
      3. Sensitive data transferred: None.
      4. The frequency of the transfer: on a continuous basis
      5. Nature of the processing: uploading data to the Services, storage on the Services, retrieval, analytics reporting and derived insights.
      6. Purpose(s) of the data transfer and further processing: the provision of a technology platform that provides the Customer the ability to administer, measure and monitor its advertising activities.
      7. The period for which the personal data will be retained: the period set out in the Service Entitlement.
         
      8. Transfers to (sub-) processors:

3. The Customer will comply with its obligations under the GDPR, in particular in the processing instructions it issues to Singular as per Clause 8.1 of the SCCs.
4. If Singular’s assistance to Customer under Clause 10 of the SCCs entails material costs, expenses or resources to Singular, then the parties shall first discuss and agree on the fees payable to Singular for such assistance.
5. Audit and inspections conducted under Clause 8.9 of the SCCs shall be conducted during ordinary business hours of Singular and with minimal disruption to Singular’s ordinary course of business, shall not extend to any activities of Singular with other customers or parties, and if conducted by an independent auditor, such auditor shall be made subject to appropriate confidentiality undertakings satisfactory to Singular. If such inspections or audits entail material costs, expenses or resources to Singular, then the parties shall first discuss in good faith and agree on the fees payable to Singular for such inspections or audits.
6. Singular has appointed the person listed below as a contact person for data protection purposes: Mr. Eran Friedman, eran@singular.net . Any change in this contact person shall be disclosed promptly to Customer.

APPENDIX 1

The following is a summarized description of the key technical and organizational security measures implemented by Singular. A complete and detailed description of the technical and organizational security measures implemented by Singular is provided in Singular’s annual SOC 2 Type II annual report, which Customer can receive a copy of, in confidence, subject to appropriate confidentiality undertakings by the Customer.

• The security policies are documented by the Singular management, reviewed, and approved on a regular basis. Security and Privacy awareness training is performed on an annual basis.
• A comprehensive risk assessment that identifies and evaluates changes to business objectives, commitments and requirements, internal operations and external factors that threaten the achievement of business objectives is performed periodically. As part of this process, threats to system security are identified, evaluated and the risk from these threats is formally assessed. The process is maintained on an ongoing basis.
• The production environment is monitored 24/7/365. Actions performed on the production environment, including OS, DB and application are monitored and logged. Key Singular staff members are notified of events related to security, availability, or confidentiality. Service interruptions, maintenance and updates are communicated to customers. A Disaster Recovery Plan is maintained to continue provide critical services in the event of disaster and is tested on a regular basis.
• Access to system resources is protected through a combination of firewalls, VPNs, SSH keys, application controls and other mechanisms. Single sign-on (SSO) is used for identity and access management. Access is restricted to only authorized personnel per need.
• Physical access to the offices is restricted to authorized personnel using a digital key. Visitors are always accompanied while on premises.
• Permissions to the different environments (servers, database, and application) are reviewed and approved by Singular on a quarterly basis.
• Data is encrypted in transit and at rest.
• A password policy is implemented within the different systems and enforces strong password practices.
• A data loss prevention (DLP) solution is implemented at Singular to identify data breaches. Automated alerts are sent to the Security team in case of suspicious activity.
• An antivirus/malware solution is installed on employees’ laptops, and laptops’ disks are encrypted as well. The process is centrally managed using a unified management tool. 
• Vulnerability tests are performed to the production environment, infrastructure, and network on a regular basis. Third-party penetration tests are performed on an annual basis. Issues are investigated and dealt with as part of the SDLC process or by any necessary means.
• Terminated employees go through an off-boarding process in a timely manner.
• Relevant third-party providers sign confidentiality agreements.

APPENDIX 2

Scope of Processing

Subject-Matter and Duration of Processing
Singular Processes Personal Data for the subject matter specified under the MSA and until the MSA terminates or expires, unless otherwise agreed upon by the parties in writing. 

Nature and Purpose of Processing (i.e., Processing operations)
Personal Data is subject to the following basic processing activity: Customer’s end users provide personal data to access their Singular accounts. Singular is not a system of record or persistence for Customer’s end user data.

Categories of Personal Data
Personal data regarding the behavior and usage patterns of the end-users of mobile applications and other mobile properties operated by the Customer. Subject to the Customer’s discretion, the personal data processed by the platform can include, among others, the end-user’s IP address, Apple’s ID for Advertising (IDFA), Google Android ID and Advertising ID for Android (AIFA), and geo-location information; and (ii) other Personal Data that the Customer may feed into the Services, provided however, that the Customer shall not feed any ‘Special Categories of Data’ within the meaning of the GDPR.

Categories of Data Subjects
Customer’s end users of the Singular software and services.

Special Categories of Data (as applicable)
No Special Categories of Data should be made available to Singular by the customer.

Data exporter(s):_______________________________________________________________
Address: ______________________________________________________________________
Contact person’s name, position and contact details: ______________________________
Activities relevant to the data transferred under these Clauses: _____________________
Signature and date: ____________________________________________________________

Role (controller/processor): CONTROLLER

Data importer: Singular Labs, Inc.
Address: 1111B S Governors Ave STE 25765 Dover, DE 19904
Contact person’s name, position and contact details: Eran Friedman, eran@singular.net
Signature and date: 
Role (controller/processor): PROCESSOR

PART TWO

1. Customer and Singular hereby assent to the Annex to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 issued under Section 119A of the UK Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs”), as follows:

Section of the UK SCCs	Content
Table 1 – Start Date	The Effective Date of the Agreement
Table 1 – Parties’ details	Exporter (who sends the Restricted Transfer) Full legal name: As set forth in the Order Form. Main address (if a company registered address): As set forth in the Order Form.	Importer (who receives the Restricted Transfer) Full legal name: Singular Labs, Inc. Main address (if a company registered address): 1111B S Governors Ave STE 25765 Dover, DE 19904
Table 1 – Key Contact	As set forth in the Order Form	Mr. Eran Fridman eran@singular.net  +972-52-885-1140
Table 2 – Addendum EU SCCs	The version of the Approved EU SCCs in Part One above, including the Appendix Information.Date: The Effective Date of the AgreementReference (if any): Part One
Table 3 – Appendix Information	Annex 1A: List of Parties: see Part One Annex 1B: Description of Transfer: see Part One Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: see Appendix to Part One.
Table 4 – Table 4: Ending this Addendum when the Approved Addendum Changes	Which Parties may end this Addendum: ☐ Importer ☒ Exporter ☐ neither Party

PART THREE

1. Scope. This Part Three applies to the processing of ‘personal information’ (as defined in Cal. Civ. Code §1798.140(v)) by Singular within the scope identified in the preamble of this Addendum.
2. Definitions
   1. Capitalized terms used in this Part Three but not defined in this Part Three have the meaning ascribed to them in the Agreement and the Addendum.
   2. “Consumer” means a natural person, including a natural person in their professional or work capacity.
   3. “CPRA” means Cal. Civ. Code §1798.100 et seq. and the regulations at 11 C.C.R. §7000 et seq.
   4. “Personal Information” means Personal Data as defined in the preamble of this Addendum.
   5. “Collect” (and its cognate terms) means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means. This includes obtaining information from the Consumer, either actively or passively, or by observing the Consumer’s behavior or interaction.
   6. “Process” (and its cognate terms) means any operation or set of operations that are performed on Personal Information or on sets of personal information, whether or not by automated means.
   7. “Sell” (and its cognate terms) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information for monetary or other valuable consideration.
   8. “Share” (and its cognate terms) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information  for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising  in which no money is exchanged.
3. Singular’s Obligations. The Parties acknowledge and agree that Singular is a ‘service provider’ as defined in Cal. Civ. Code §1798.140(ag). To that end, and unless otherwise requires by law:
   1. Singular must not Sell or Share any Personal Information it Collects.
   2. The parties agree that Customer is disclosing the Personal Information to Singular only for the following limited and specified business purposes: to provide and support the operation of the Singular Services described in the Service Entitlement. Singular is prohibited from retaining, using, or disclosing the Personal Information that it Collects for any commercial purpose other than the foregoing business purposes, unless expressly permitted by the CPRA and this Part Three. Additionally, Singular is prohibited from retaining, using, or disclosing the Personal Information that it Collects pursuant to this Agreement outside the direct business relationship between Singular and Customer, unless expressly permitted by the CPRA and this Part Three.
   3. Singular shall comply with all applicable sections of the CPRA and shall provide, with respect to Personal Information it Collects, the same level of privacy protection as required by the CPRA.
   4. Singular grants Customer the right to take reasonable and appropriate steps to ensure that Singular uses the Personal Information it Collects in a manner consistent with the obligations under this Part Three and the CPRA.
   5. Singular must promptly notify Customer when it makes a determination that it can no longer meet its obligations under this Part Three or the CPRA.
   6. Singular grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Singular’s unauthorized use of Personal Information.
   7. If Singular received a request from a California consumer about his or her is ‘personal information’ (as defined in Cal. Civ. Code §1798.140(o)), Singular shall not comply with the request itself, inform the consumer that Singular’s basis for denying the request is that the Singular is merely a service provider that follows Customer’s instruction, and inform the consumer that they should submit the request directly to the Customer and provide the consumer with the Customer’s contact information.
4. Customer’s obligations. The Customer shall not feed into the Services any Protected Health Information (as defined under the United States Health Insurance Portability and Accountability Act of 1996 (as amended) or any information which are considered sensitive as per the enumerated categories at Cal. Civ. Code §1798.81.5(d).
5. Subcontracting to suppliers. Customer authorizes Singular to subcontract any of its Services-related activities which involve the processing of the personal information or requiring personal information to be processed by any third party supplier, provided that Singular shall ensure that the third party is bound by obligations consistent with this Part Three.
6. Return or deletion of information. Upon Customer’s written request where no subsequent further processing is required, Singular shall, at the instruction of Customer, either delete, destroy or return to Customer, some or all (however instructed) of the of the personal information that it and its third party suppliers process for Customer.
7. Assistance in responding to consumer requests. Singular shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the consumer rights under the California Consumer Privacy Act of 2018. 
8. Data security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Singular’s processing of personal information for Customer, as well as the nature of personal information processed for Customer, Singular shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
9. The parties agree that Singular’s obligations under this Part Three will apply, mutatis mutandis, to its processing of “digital personal data” as defined in the Digital Personal Data Protection Act, 2023 of India.