Common use of Authorization Regarding Sub Processors Clause in Contracts

Authorization Regarding Sub Processors. 5.1.1 Securiti’s current list of Sub-processors is hereby enclosed at Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to Securiti’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇. In the event Client reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti without the use of the objected-to Sub-processor by providing written notice to Securiti provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Securiti. Client will have no further claims against Securiti due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, and if Client subscribes, Securiti shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.

Authorization Regarding Sub Processors. 5.1.1 SecuritiFirebolt’s current list of Sub-processors is hereby enclosed at included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”)) and is hereby approved by Data Controller. The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-Sub- processor List. Client may reasonably object for reasons related to the GDPR to SecuritiFirebolt’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@to privacy@ ▇▇▇▇▇▇▇▇.▇▇. In the event Client reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Firebolt without the use of the objected-to Sub-processor by providing written notice to Securiti Firebolt provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiFirebolt. Client will have no further claims against Securiti Firebolt due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://subscribe to notifications of new Sub-processors by sending an email to ▇▇▇▇▇▇.▇@▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe▇, and if Client subscribes, Securiti Firebolt shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.

Authorization Regarding Sub Processors. 5.1.1 Securiti5.1 Velocity’s current list of Sub-processors is hereby enclosed at Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to Securiti’s use of an existing Sub-processor by providing a written objection to available here ▇▇▇▇▇▇▇@://▇▇▇▇▇▇▇▇.▇▇▇▇/subprocessors (“Sub-processor List”) and is hereby approved and authorized by Client. Client hereby grants Velocity a general authorization to appoint new Sub-processors. Velocity shall provide notification of any new Sub-processor(s) to Client by email. Client can designate a point of contact, or Velocity will send it to the admin user or any other established contact detail. 5.2 Client may reasonably object to Velocity’s use of a Sub-processor for reasons related to the GDPR by notifying Velocity promptly in writing within three (3) business days after receipt of Velocity’s notice. Failure to object to such Sub-processor in writing within three (3) business days following Velocity’s notice shall be deemed as acceptance of the Sub-Processor. In the event Client reasonably objects to an existing a Sub-processor, as permitted in the preceding sentences, and Velocity will use reasonable efforts to make available to Client a change in the parties do Services or recommend a commercially reasonable change to Client’s use of the Services to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Client. If Velocity is unable to make available such change within a reasonable period of time, which shall not find a solution in good faith to the issue in questionexceed thirty (30) days, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Velocity without the use of the objected-to Sub-processor by providing written notice to Securiti Velocity provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiVelocity. Until a decision is made regarding the Sub-processor, Velocity may temporarily suspend the Processing of the affected Personal Data. Client will have no further claims against Securiti Velocity due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and and/or the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, 5.3 In accordance with Articles 28.7 and if Client subscribes, Securiti shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision 28.8 of the ServicesGDPR, if and when the European Commission lays down the standard contractual clauses referred to in such Article, the Parties may revise this DPA in good faith to adjust it to such standard contractual clauses. This Section 5 shall not apply to subcontractors of Velocity which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.

Authorization Regarding Sub Processors. 1. 5.1.1 SecuritiAuthomize’s current list of Sub-processors is hereby enclosed at included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-Sub- processor List”)) and is hereby approved by Data Controller. The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), DPA is hereby, or shall be (as applicable), hereby authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to SecuritiAuthomize’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇. In the event Client reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Authomize without the use of the objectedo bjected-to Sub-processor by providing written notice to Securiti Authomize provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiAuthomize . Client will have no further claims against Securiti Authomize due to to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 2. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://shall send an email to ▇▇▇▇▇▇.▇@▇▇▇▇▇▇▇▇▇.▇▇▇ a mechanism with the subject SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION, to subscribe to notifications of new Sub-Sub- processors, to which Client shall subscribe, and if Client subscribes, Securiti Authomize shall provide notification of any new Sub-Sub- processor(s) before authorizing such new Sub-Sub- processor(s) to Process Personal Data in connection with the provision of the Services.

Authorization Regarding Sub Processors. 5.1.1 Securiti5.1 Cyera’s current list of Sub-processors is hereby enclosed at included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”) and is hereby approved by Data Controller. Customer hereby grants a general authorization to Cyera to appoint new Sub-processors, and Cyera shall comply with the conditions of Section 5.2, to 5.4. 5.2 Cyera shall provide notification of any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services (by email, in-app notification or other means). The . 5.3 Customer may reasonably object to ▇▇▇▇▇’s use of a Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR by notifying Cyera promptly in writing within ten three (103) business days following after receipt of Cyera’s notice in accordance with the publication of mechanism set out in Section 5.2 and such written objection shall include the Sub-processor List. Client may reasonably object for reasons related to the GDPR for objecting to SecuritiCyera’s use of an existing such Sub-processor. Failure to object to such Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇in writing within three (3) business days following Cyera’s notice shall be deemed as acceptance of the Sub-Processor. In the event Client Customer reasonably objects to an existing a Sub-processor, as permitted in the preceding sentences, and Cyera will use reasonable efforts to make available to Customer a change in the parties do Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If Cyera is unable to make available such change within a reasonable period of time, which shall not find a solution in good faith to the issue in questionexceed thirty (30) days, then Client Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Cyera without the use of the objected-to Sub-processor by providing written notice to Securiti Cyera provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiCyera. Client Until a decision is made regarding the Sub-processor, Cyera may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Securiti Cyera due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and and/or the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, and if Client subscribes, Securiti shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.

Authorization Regarding Sub Processors. 5.1.1 SecuritiActiveFence’s current list of Sub-processors is hereby enclosed at included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-Sub- processor List”)) and is hereby approved by Data Controller. The Sub-Sub- processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to SecuritiActiveFence’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇▇.▇▇▇. In the event Client reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti ActiveFence without the use of the objected-objected- to Sub-processor by providing written notice to Securiti ActiveFence provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiActiveFence. Client will have no further claims against Securiti ActiveFence due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, and if Client subscribes, Securiti ActiveFence shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.

Authorization Regarding Sub Processors. 5.1.1 SecuritiApplitools’s current list of Sub-processors is hereby enclosed at included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”)) and is hereby approved by Data Controller. The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-Sub- processor List. Client may reasonably object for reasons related to the GDPR to SecuritiApplitools’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇. In the event Client reasonably objects to an existing Sub-Sub- processor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Applitools without the use of the objected-to Sub-processor by providing written notice to Securiti Applitools provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiApplitools. Client will have no further claims against Securiti Applitools due to (i) past use of approved Sub-Sub- processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via subscribe to notifications of new Sub-processors by sending an email to ▇▇▇▇://▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, and if Client subscribes, Securiti Applitools shall provide notification of any new Sub-processor(s) before authorizing such new Sub-Sub- processor(s) to Process Personal Data in connection with the provision of the Services.

Authorization Regarding Sub Processors. 5.1.1 SecuritiApplitools’s current list of Sub-processors is hereby enclosed at included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”)) and is hereby approved by Data Controller. The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor Subprocessor List. Client may reasonably object for reasons related to the GDPR to SecuritiApplitools’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇. In the event Client reasonably objects to an existing Sub-processorSubprocessor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Applitools without the use of the objected-to Sub-processor by providing written notice to Securiti Applitools provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiApplitools. Client will have no further claims against Securiti Applitools due to (i) past use of approved Sub-processors Subprocessors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via subscribe to notifications of new Sub-processors by sending an email to ▇▇▇▇://▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, and if Client subscribes, Securiti Applitools shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(sSubprocessor(s) to Process Personal Data in connection with the provision of the Services.

Authorization Regarding Sub Processors. 5.1 Current Sub-processors and New Sub-processors. 5.1.1 Securiti’s Totango's current list of Sub-processors is hereby enclosed at available on Totango's website at: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/subprocessors and included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location 3 (“Sub-processor List”)) and is hereby approved by Data Controller. The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by ClientCustomer. In any event, the Sub-processor List shall be deemed authorized by Client Customer unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client Customer may reasonably object for reasons related to the GDPR to SecuritiData Processor’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇ for reasons related to the GDPR. In the event Client Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Data Processor without the use of the objected-to Sub-processor by providing written notice to Securiti Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiData Processor. Client Customer will have no further claims against Securiti Data Processor due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client Customer shall subscribe, and if Client subscribes, Securiti shall provide notification be notified by Totango in advance of any new Subsub-processor(s) before authorizing such new Sub-processor(s) processors being appointed by changes to Process Personal Data in connection with the provision of the Servicesthis website.

Authorization Regarding Sub Processors. 5.1.1 Securiti5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Data Processor’s Affiliates may be used as Sub-processors; and (b) Data Processor and/or Data Processor’s Affiliates respectively may engage third- party Sub-processors in connection with the provision of the Services. 5.2 List of Current Sub-processors and Notification of New Sub-processors. Data Processor shall make available to Customer the current list of Sub-processors is hereby enclosed at Schedule 2 to the DPAused by Data Processor. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-Sub- processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by ClientCustomer. In any event, the Sub-processor List shall be deemed authorized by Client Customer unless it provides a written reasonable objection for reasons related to the GDPR within ten three (103) business days following the publication of the Sub-processor List. Client Customer may reasonably object for reasons related to the GDPR to SecuritiData Processor’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇IRONSCALES. In the event Client Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Data Processor without the use of the objected-to Sub-processor by providing written notice to Securiti Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiData Processor. Client Customer will have no further claims against Securiti Data Processor due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client 5.3 Objection Right for New Sub-processors. Customer may find on Securitireasonably object to Data Processor’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ use of a mechanism to subscribe to notifications of new Sub-processors, processor for reasons related to which Client shall subscribe, and if Client subscribes, Securiti shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal the GDPR by notifying Data Processor promptly in connection with the provision of the Services.writing within three

Authorization Regarding Sub Processors. 5.1.1 Securiti’s 5.1 Tuvis’ current list of Sub-processors is hereby enclosed at included in Schedule 2 to the DPA. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location 3 (“Sub-processor List”). The ) and is hereby approved by Client. 5.2 Client shall subscribe to notifications of new Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized processors by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to Securiti’s use of sending an existing Sub-processor by providing a written objection email to ▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇, with the subject SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION and if Client subscribes, Tuvis shall provide notification of any new Sub-processor(s).▇▇ 5.3 Client may reasonably object to Tuvis’ use of a Sub-processor for reasons related to the GDPR by notifying Tuvis promptly in writing within five (5) business days after receipt of Tuvis’ notice in accordance with the mechanism set out in Section 5.2 and such written objection shall include the reasons related to the Data Protection Laws and Regulations for objecting to Tuvis’ use of such Sub-processor. Failure to object to such Sub-processor in writing within five (5) business days following Tuvis’ notice shall be deemed as acceptance of the Sub-Processor. In the event Client reasonably objects to an existing a Sub-processor, as permitted in the preceding sentences, and Tuvis will use reasonable efforts to make available to Client a change in the parties do Services or recommend a commercially reasonable change to Client’s use of the Services to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Client. If Tuvis is unable to make available such change within a reasonable period of time, which shall not find a solution in good faith to the issue in questionexceed thirty (30) days, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Tuvis without the use of the objected-to Sub-processor by providing written notice to Securiti Tuvis provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiTuvis. Until a decision is made regarding the Sub-processor, Tuvis may temporarily suspend the Processing of the affected Personal Data. Client will have no further claims against Securiti Tuvis due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and and/or the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, 5.4 In accordance with Articles 28.7 and if Client subscribes, Securiti shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision 28.8 of the ServicesGDPR, if and when the European Commission lays down the Standard Contractual Clauses referred to in such Article, the Parties may revise this DPA in good faith to adjust it to such Standard Contractual Clauses. This Section 5 shall not apply to subcontractors of Tuvis which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.

Authorization Regarding Sub Processors. 5.1.1 Securiti’s 1. Appointment ofSub-processors. Client acknowledges and agrees that ▇▇▇▇▇ may engage third-party Sub-processors in connection with the provision of the Services 2. List of Current Sub-processors and Notification of New Sub-processors. (1) Zesty shall make available to Client the current list of Sub-processors is hereby enclosed at Schedule 2 to the DPAused by Zesty via ▇▇▇▇▇://▇▇▇.▇▇▇▇▇.▇▇/gdpr . Such Sub-processor list shall include the identities and details of those Sub-processors Subprocessors and their country of location (“Sub-processor ListprocessorList”). The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to SecuritiZesty’s use of an existing Sub-processor by providing a written objection to ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇. In the event Client reasonably objects to an existing Sub-processorSubprocessor, as permitted in the preceding sentences, and the parties do not find a solution in good faith to the issue in question, then Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Securiti Zesty without the use of the objected-to Sub-processor by providing written notice to Securiti Zesty provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SecuritiZesty . Client will have no further claims against Securiti Zesty due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 5.1.2 Client may find on Securiti’s webpage accessible via ▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇ a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, and if Client subscribes, Securiti (2) Zesty shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.