Common use of Processing of Customer Personal Data Clause in Contracts

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 Process Customer Personal Data only on Customer’s documented instructions, as set out in the Agreement and this DPA, including Customer providing instructions via APIs made available by CrowdStrike with the Offerings, and as required by Applicable Laws (the “Documented Instructions”). Any additional or alternate instructions, having an impact to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: (i) Customer’s instructions conflict with Applicable Laws; or (ii) Applicable Laws require any Processing contrary to the Customer’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal Data, including securing all permissions, consents or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates, and CrowdStrike Subprocessors for any claim brought against any one or more of them arising from an allegation of Customer’s breach of this Section, whether by a Data Subject or a government authority. In the event of such a claim, the Parties shall follow the process set forth in the Agreement for Customer to defend and indemnify CrowdStrike and if none, then CrowdStrike will: (a) notify Customer of such claim, (b) permit Customer to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide Customer with reasonable assistance in connection with the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its obligations under Applicable Laws.

Processing of Customer Personal Data. 2.1 CrowdStrike a. Customer is a business or the controller (as applicable) with respect to the processing of Customer Personal Data. Customer hereby grants Tines general authorization to process Customer Personal Data as a processor or service provider (as applicable) on its behalf in connection with the Tines Offerings and appoint other subprocessors to support the Offerings, including, without limitation, by processing Customer Personal Data, as provided herein. In the event that Customer is considered a processor or service provider acting on behalf of its own customers, Tines shall process the Customer Personal Data as a sub-processor or service provider acting on behalf of Customer. ▇. ▇▇▇▇▇ shall: 2.1.1 : (a) Process the Customer Personal Data only on Customer’s documented instructionsin accordance with the instructions provided by Customer to Tines, as set out forth in the Agreement Agreement, unless otherwise required by an Applicable Data Protection Law or other law to which Tines is subject; (b) implement and this DPA, including maintain the Tines Security Standards to protect the Customer providing instructions via APIs made available Personal Data; and (c) ensure that only authorized personnel who are under written confidentiality obligations have access to such Customer Personal Data. c. Customer is responsible for determining and controlling the nature and extent of Processing of Customer Personal Data by CrowdStrike Tines to deliver the Offerings. Customer is responsible for its lawful use of the Offerings and for the lawfulness of its own processing of Customer Personal Data under or in connection with the Offerings. Customer represents and warrants that it has provided all notices and disclosures regarding the processing of Customer Personal Data required by Applicable Data Protection Laws and obtained valid data subject consent, and where applicable, as required by Applicable Data Protection Laws to process Customer Personal Data pursuant to the Agreement. d. With respect to the Cloud Services, Tines will only host Customer Personal Data in the region(s) offered by ▇▇▇▇▇ and selected by Customer on an Order Form (the “Documented InstructionsHosting Regions”). Any additional or alternate instructions, having an impact to Customer is solely responsible for the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform regions from which it accesses the Customer if CrowdStrike determines that: Personal Data, for any transfer or sharing of Customer Personal Data by Customer, and for any subsequent designation of other Hosting Regions. Once Customer has selected a Hosting Region, Tines will not process Customer Personal Data from outside the Hosting Region except as necessary to provide the Tines Offerings to Customer in accordance with the Agreement, which may include transfers of Usage Data, as described above, to where Tines’s Sub-processors maintain data processing operations, or as necessary to comply with the law or binding order of a governmental body. Customer acknowledges regardless of the Hosting Region selection, where Customer is receiving Cloud Services, Usage Data (ias defined in the Cloud Addendum) Customerwill be transferred and replicated in Tines’s instructions conflict with Applicable Laws; or (ii) Applicable Laws require any Processing contrary to the Customer’s instructionsdata warehouse in EMEA. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for ▇. ▇▇▇▇▇ has no obligation to assess the Processing contents or accuracy of the Customer Personal Data, including securing all permissionsto identify information subject to any specific legal, consents regulatory, or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates, and CrowdStrike Subprocessors other requirement. Customer is responsible for any claim brought against any one or more making an independent determination as to whether its use of them arising from an allegation of the Tines Offerings will meet Customer’s breach of this Section, whether by a Data Subject or a government authority. In the event of such a claim, the Parties shall follow the process set forth in the Agreement for Customer to defend requirements and indemnify CrowdStrike and if none, then CrowdStrike will: (a) notify Customer of such claim, (b) permit Customer to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide Customer with reasonable assistance in connection with the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its legal obligations under Applicable Data Protection Laws. f. Taking into account the nature of the processing, and the information available to Tines, Tines shall provide reasonable assistance to Customer to enable Customer to fulfil its obligations to engage in any data protection impact assessments or consultations with supervisory authorities which may be required under Applicable Data Protection Laws.

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 Process Customer Personal Data only on Customera. The Parties agree that this Addendum and the Principal Agreement constitute Customers documented instructions regarding Pathfix’s documented instructions, as set out in the Agreement and this DPA, including Customer providing instructions via APIs made available by CrowdStrike with the Offerings, and as required by Applicable Laws (the “Documented Instructions”). Any additional or alternate instructions, having an impact to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: (i) Customer’s instructions conflict with Applicable Laws; or (ii) Applicable Laws require any Processing contrary to the Customer’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal Data. b. The scope of the processing of the Customer Personal Data provided by Customer to Pathfix for e.g. the subject-matter of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are specified in Annexure 1 of this Addendum. c. The Customer shall in its use of the Services, and Customer’s instructions to Pathfix, comply with Data Protection Laws. The Customer shall ensure that its instructions will not cause Pathfix to be in breach of the Data Protection Laws. The Customer shall establish and have any and all required legal basis in order to collect, Process and transfer to Pathfix the Customer Personal Data, and to authorize the Processing by Pathfix, and for Pathfix’s Processing activities on Customer’s behalf, including securing all permissionsthe pursuit of ‘business purposes’ as defined under the CCPA. d. In processing your Customer Personal Data, consents or authorizations that may be required; andwe will comply with Data Protection Laws. We shall as per our obligations under Article 28 of GDPR; 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates, and CrowdStrike Subprocessors for any claim brought against any one or more of them arising i. process the Customer Personal Data only in accordance with documented instructions from an allegation of Customer’s breach of this Section, whether by a Data Subject or a government authority. In the event of such a claim, the Parties shall follow the process you (as set forth in this Addendum or the Principal Agreement or as directed by you through the Services). If Data Protection Laws require us to process the Customer Personal Data for any other purpose, we will inform you of this requirement first, unless such law(s) prohibit this on important grounds of public interest; ii. notify you promptly if, in our opinion, an instruction for the processing of Customer Personal Data given by you infringes upon the Data Protection Laws; iii. make available to defend you all information reasonably requested by you for the purpose of demonstrating that your obligations relating to the appointment of Sub-Processors have been met; iv. not generate copies, duplicates and/or backups of the Customer Personal Data without the prior written consent and indemnify CrowdStrike knowledge of the Customer. e. We will assist you in your obligations under Articles 35 and 36 of GDPR by performing any required data protection impact assessments, and informing any supervisory authority if nonesuch assessment indicates that such processing would result in high risk in the absence of measures taken by you to mitigate the risk. f. We will assist you in your obligations under Articles 15 through 18 of GDPR by providing you documentation, then CrowdStrike will: (a) notify product functionality, or processes to assist you in retrieving, correcting, deleting or restricting Customer Personal Data. g. We shall ensure that our personnel required to access the Customer Personal Data are subject to a binding duty of confidentiality with regard to such claimCustomer Personal Data; and ensure that none of our personnel publish, (b) permit disclose or divulge any Customer Personal Data to control any third party. h. We will upon your written request following the defense expiration or settlement earlier termination of the Principal Agreement securely delete such claim; provided, however, Customer Personal Data in our possession in compliance with procedures and retention periods outlined in our Principal Agreement. i. Pathfix acknowledges and confirms that it does not receive or process any Customer Personal Data as consideration for any services or other items that Pathfix provides to the Customer under the Principal Agreement. Pathfix shall not settle have, derive, or exercise any claim rights or benefits regarding Customer Personal Data Processed on Customer’s behalf, and may use and disclose Customer Personal Data solely for the purposes for which such Customer Personal Data was provided to it, as stipulated in a manner the Principal Agreement and this Addendum. Pathfix certifies that requires CrowdStrike it understands the rules, requirements and definitions of the CCPA and agrees to admit liability or make refrain from selling (as such term is defined in the CCPA) any changes with respect to Customer Personal Data Processed hereunder, without the Offerings without CrowdStrikeCustomer’s prior written consent, and (c) provide nor taking any action that would cause any transfer of the Customer with reasonable assistance in connection with Personal Data to or from Pathfix under the defense Principal Agreement or settlement of this Addendum to qualify as “selling” such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in Customer Personal Data under the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its obligations under Applicable LawsCCPA.

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and Cybereason is a Processor. Unless otherwise required by applicable law, Cybereason will only Process Customer Personal Data only as a Processor on behalf of and in accordance with Customer’s documented instructions, prior written instructions as set out in the Agreement and this DPA, including the Agreement, or by other written agreement of the parties. Cybereason is hereby instructed to Process Customer providing instructions via APIs made available by CrowdStrike with Personal Data to the Offeringsextent necessary to enable Cybereason to provide the Services and performance of the Agreement, this DPA and any applicable Statement of Work, or as otherwise required by Applicable Laws (applicable law. As part of providing the “Documented Instructions”). Any additional or alternate instructionsServices, having an impact to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: Cybereason may (i) deidentify or aggregate Customer Personal Data and (ii) Process Customer Personal Data for purposes of identifying threats and malicious activity, mitigating fraud, financial loss or other harm; establishing, exercising or defending legal claims; and building, analyzing and improving Cybereason’s products, services and systems. If Cybereason cannot Process Customer Personal Data in accordance with Customer’s instructions conflict due to an applicable legal requirement, Cybereason will (i) promptly notify Customer of that legal requirement and/or of the inability to comply with Applicable Lawsany instructions before the relevant Processing, to the extent permitted by European Data Protection Legislation; or and (ii) Applicable Laws require cease all Processing (other than merely storing and maintaining the security of the relevant Customer Personal Data) until such time as Customer issues new instructions with which Cybereason is able to comply. If this provision is invoked, Cybereason will not be liable to Customer under the Agreement for any Processing contrary failure to perform the Services until such time as Customer issues new instructions in regard to such Processing. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of European Data Protection Legislation. Customer’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal DataData shall comply with European Data Protection Legislation. In accordance with the requirements of European Data Protection Legislation, including securing Customer shall provide all permissions, consents required notices or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliatesother information to Data Subjects, and CrowdStrike Subprocessors obtain all required consents from Data Subjects (or establish another legal basis for any claim brought against any one or more of them arising from an allegation of Customer’s breach of this SectionProcessing), whether by a as is necessary for Cybereason to receive and Process Customer Personal Data Subject or a government authority. In for the event of such a claim, the Parties shall follow the process purposes set forth in this DPA. In connection with the Agreement performance of this DPA and the Agreement, Customer authorizes Cybereason to transfer Customer Personal Data from the EEA, United Kingdom and Switzerland, if applicable, to any jurisdiction in which Cybereason or its sub-Processors are located, including, but not limited to, the United States, Japan, Israel and to any country that is recognized by the European Commission as providing an adequate level of protection for personal data. Where such transfers occur, Cybereason will transfer the Customer Personal Data in accordance with European Data Protection Legislation. For transfers to defend the United States, Cybereason has certified to the EU-U.S. and indemnify CrowdStrike Swiss-U.S. Privacy Shield Frameworks as administered by the U.S. Department of Commerce (“Privacy Shield”) and if nonewill remain certified to the Privacy Shield or adopt an alternate data transfer mechanism approved under applicable European Data Protection Legislation for the duration of this DPA. To learn more about the Privacy Shield Frameworks, then CrowdStrike will: please visit ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/. For transfers not covered by the Privacy Shield, Customer and Cybereason shall execute the EU Standard Contractual Clauses or adopt such other transfer mechanism approved under applicable European Data Protection Legislation. Customer, as Controller/data exporter (for the purposes of the Standard Contractual Clauses), hereby authorizes Cybereason to enter into the EU Standard Contractual Clauses for and on its behalf. Cybereason shall not (i) Sell Personal Data, or (ii) retain, use or disclose Personal Data (a) notify Customer for any purpose other than for the specific purpose of such claimperforming the services specified in the Agreement or this Addendum, or (b) permit outside of the direct business relationship between Cybereason and Customer. Cybereason certifies that it understands and will comply with the requirements and restrictions set forth in this Section 4 of the Addendum. Cybereason will take reasonable steps to ensure that personnel whom Cybereason authorizes to Process Customer Personal Data on its behalf are subject to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes confidentiality obligations with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide that Customer with reasonable assistance in connection with the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its obligations under Applicable LawsPersonal Data.

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 Process The Customer Personal Data only hereby acknowledges and agrees that TENSOR SOCIAL acts as a Processor for the purposes of Services Agreement, and any personal data Scraped and provided to Customer, and/or any third party on behalf of Customer’s documented instructions, as set out by TENSOR SOCIAL in the Agreement and this DPA, including Customer providing instructions via APIs made available by CrowdStrike connection with the Offerings, and as required by Applicable Laws (the “Documented Instructions”). Any additional or alternate instructions, having an impact to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: (i) Customer’s instructions conflict with Applicable Laws; or (ii) Applicable Laws require any Processing contrary to the Customer’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions Services Agreement is provided strictly for the purposes of matching Influencers with businesses for the promotion and potential future partnership (“Authorized Processing of Customer Personal Data, including securing all permissions, consents or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates”), and CrowdStrike Subprocessors for any claim brought against any one or more of them arising from an allegation of Customer’s breach of this Section, whether by that Customer acts as a Data Subject or a government authority. In the event of such a claim, the Parties shall follow the process set forth in the Agreement for Customer to defend sole and indemnify CrowdStrike and if none, then CrowdStrike will: (a) notify Customer of such claim, (b) permit Customer to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes separate Controller with respect to such purposes. 2.2 Customer hereby represents and warrants that it, and/or any third party on its behalf, (i) shall Process the Offerings without CrowdStrike’s prior written consent, Customer Personal Data solely in compliance and as permitted under the Applicable Laws; and (cii) provide shall not Process the Customer Personal Data for any purpose other than for the Authorized Processing of Customer Personal Data. 2.3 TENSOR SOCIAL is unaware of any additional uses of the Customer Personal Data except for the Authorized Processing and, in any event, Customer is responsible for the compliance with reasonable assistance in connection with Applicable Laws as the defense or settlement Controller of such claimCustomer Personal Data, at whichever other way it is Processed. 2.4 This addendum shall apply only to the extent that the Applicable Laws apply to the processing of Customer Personal Data. 2.5 TENSOR SOCIAL shall not, when acting as a Processor of Customer, Process Customer Personal Data other than on the Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer documented instructions unless Processing is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under required by Applicable Laws related to CrowdStrike’s adherence which the relevant Contracted Processor is subject, in which case TENSOR SOCIAL shall, to its obligations under the extent permitted by Applicable LawsLaws and commercially practicable, inform the Customer of that legal requirement before the relevant Processing of that Personal Data. 2.6 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Customer Personal Data as required by article 28(3) of the GDPR. Nothing in Annex 1 confers any right or imposes any obligation on any party to this Addendum.

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and Cybereason is a Processor. Unless otherwise required by applicable law, Cybereason will only Process Customer Personal Data only as a Processor on behalf of and in accordance with Customer’s documented instructions, prior written instructions as set out in the Agreement and this DPA, including the Agreement, or by other written agreement of the parties. Cybereason is hereby instructed to Process Customer providing instructions via APIs made available by CrowdStrike with Personal Data to the Offeringsextent necessary to enable Cybereason to provide the Services and performance of the Agreement, this DPA and any applicable Statement of Work, or as otherwise required by Applicable Laws (applicable law. As part of providing the “Documented Instructions”). Any additional or alternate instructionsServices, having an impact to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: Cybereason may (i) deidentify or aggregate Customer Personal Data and (ii) Process Customer Personal Data for purposes of customer support, verifying credentials, extracting usage and service performance information, identifying threats and malicious activity, mitigating fraud, financial loss or other harm; establishing, exercising or defending legal claims; and building, analyzing and improving Cybereason’s products, services and systems. If Cybereason cannot Process Customer Personal Data in accordance with Customer’s instructions conflict due to an applicable legal requirement, Cybereason will (i) promptly notify Customer of that legal requirement and/or of the inability to comply with Applicable Lawsany instructions before the relevant Processing, to the extent permitted by applicable law; and (ii) cease all Processing (other than merely storing and maintaining the security of the relevant Customer Personal Data) until such time as Customer issues new instructions with which Cybereason is able to comply. If this provision is invoked, Cybereason will not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer issues new instructions in regard to such Processing. The parties acknowledge that Customer discloses Customer Personal Data to Cybereason for Business Purposes. Cybereason will not Sell Customer Personal Data or, unless otherwise permitted or required by applicable law, (i) retain, use or disclose the Customer Personal Data (a) for purposes other than providing the Services and carrying out its obligations pursuant to the Agreement, or (b) outside of the direct business relationship between Cybereason and Customer, or (ii) Applicable Laws require any Processing contrary combine Customer Personal Data received pursuant to the Agreement with personal information received from or on behalf of another person(s), or collected from Cybereason’s own interaction with individuals, unless permitted by Data Protection Legislation. Cybereason certifies that it understands and will comply with the requirements and restrictions set forth in this Section 3 of the DPA. Each party will Process Customer Personal Data in compliance with its respective obligations under Data Protection Legislation and will notify the other party in writing if it makes a determination that it can no longer meet its obligations. Customer shall use the Services in accordance with the requirements of Data Protection Legislation. Customer’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal Data, including securing all permissions, consents or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates, and CrowdStrike Subprocessors for any claim brought against any one or more of them arising from an allegation of Customer’s breach of this Section, whether by a Data Subject or a government authorityshall comply with Data Protection Legislation. In accordance with the event requirements of such a claimData Protection Legislation, Customer shall provide all required notices or other information to Data Subjects, obtain all required consents from Data Subjects (or establish another legal basis for Processing) and take any other steps required by Data Protection Legislation, as is necessary for Cybereason to receive and Process Customer Personal Data for the Parties shall follow the process purposes set forth in the Agreement for Customer to defend and indemnify CrowdStrike and if none, then CrowdStrike will: (a) notify Customer of such claim, (b) permit Customer to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide Customer with reasonable assistance in this DPA. In connection with the defense performance of this DPA and the Agreement, Customer authorizes Cybereason to remotely access any Customer Personal Data from the United States, Japan, Israel, and such other jurisdiction as may be necessary from time to time. Where such access occurs, Cybereason will access the Customer Personal Data in accordance with applicable Data Protection Legislation. The parties hereby enter into and shall comply with the provisions of the EU Standard Contractual Clauses as set out in Exhibit A (for transfers outside the EEA and Switzerland) and the UK International Data Transfer Addendum as attached to this DPA as Exhibit B (for transfers outside the UK) to implement appropriate safeguards for transfers of Customer Personal Data to countries that are not recognized by the European Commission, Switzerland or settlement the UK as providing an adequate level of such claimprotection for Personal Data. Customer acknowledges that Cybereason may, at Customer’s cost its discretion, certify to any successor frameworks (or other similar mechanisms) to the EU-U.S. (including the UK-US Data Bridge thereto) and expense. In additionthe Swiss-U.S. Data Privacy Frameworks as administered by the U.S. Department of Commerce (or such other relevant organization) and that such certification will replace the European Transfer Clauses, CrowdStrike may participate all on the condition that such certification has not been found to be invalid by the European Commission or any other competent authority (such as those in the defense UK) in the jurisdiction in which the Processing is occurring. Customer, as Controller/data exporter (for the purposes of the European Transfer Clauses), understands that Cybereason may execute the European Transfer Clauses also on behalf of its affiliates. Where Cybereason makes an onward transfer of Customer Personal Data, Cybereason shall ensure the entity receiving the onward transfer of Customer Personal Data agrees to be bound by the appropriate Module of the EU Standard Contractual Clauses and the UK International Data Transfer Addendum (i.e., Module 3), unless such onward transfer is otherwise permitted by European Data Protection Laws. The parties shall work together in good faith to enter into a Replacement Transfer Mechanism reasonably requested by Cybereason and take such action (which may include execution of documents) as may be required to give effect to such Replacement Transfer Mechanism for purposes of compliance with applicable Data Protection Legislation, all on the condition that such Replacement Transfer Mechanism has not been found to be invalid by the European Commission or any claim, and if Customer other competent authority in the jurisdiction in which the Processing is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its obligations under Applicable Lawsoccurring.

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 3.1. The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and ASAPP is a Processor. Unless otherwise required by applicable law, ASAPP will only Process Customer Personal Data only as a Processor on behalf of and in accordance with Customer’s documented instructions, pr instructions as set out in the Agreement and this DPA, including the Agreement, or by other written agreement of the parties. ASAPP is hereby instructed to Process Customer providing instructions via APIs made available by CrowdStrike with Personal Data to the Offeringsextent necessary to enable ASAPP to provide the Services and performance of the Agreement, this DPA and any applicable Statement of Work, or as otherwise required by Applicable Laws (applicable law. As part of providing the “Documented Instructions”). Any additional or alternate instructionsServices, having an impact to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: ASAPP may (i) deidentify or aggregate Customer Personal Data and (ii) Process Customer Personal Data for purposes of customer support, verifying credentials, extracting usage and service performance information, identifying threats and malicious activity, mitigating fraud, financial loss or other harm; establishing, exercising or defending legal claims; and building, analyzing and improving AS If ASAPP cannot Process Customer Personal Data in applicable legal requirement, ASAPP will (i) promptly notify Customer of that legal requirement and/or of the inability to comply with any instructions before the relevant Processing, to the extent permitted by applicable law; and (ii) cease all Processing (other than merely storing and maintaining the security of the relevant Customer Personal Data) until such time as Customer issues new instructions with which ASAPP is able to comply. If this provision is invoked, ASAPP will not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer issues new instructions in regard to such Processing. 3.2. The parties acknowledge that Customer discloses Customer Personal Data to ASAPP for Business Purposes. ASAPP will not Sell Customer Personal Data or, unless otherwise permitted or required by applicable law, (i) retain, use or disclose the Customer Personal Data (a) for purposes other than providing the Services and carrying out its obligations pursuant to the Agreement, or (b) outside of the direct business relationship between ASAPP and Customer’s instructions conflict with Applicable Laws; , or (ii) Applicable Laws require any Processing contrary combine Customer Personal Data received pursuant to the CustomerAgreement with personal information received from or on behalf of another person(s), or collected from ASAPP’s instructionsown interact Protection Legislation. ASAPP certifies that it understands and will comply with the requirements and restrictions set forth in this Section 3 of the DPA. 2.2 3.3. Each party will process Customer shall: 2.2.1 Be responsible Personal Data in compliance with its respective obligations under Data Protection Legislation and will notify the other party in writing if it makes a determination that it can no longer meet its obligations. Customer shall use the Services in accordance with the requirements of Data Protection Legislation. Cust Personal Data shall comply with Data Protection Legislation. In accordance with the requirements of Data Protection Legislation, Customer shall provide all required notices or other information to Data Subjects, obtain all required consents from Data Subjects (or establish another legal basis for complying with Applicable Laws when making decisions Processing) and issuing instructions take any other steps required by Data Protection Legislation, as is necessary for ASAPP to receive and Process Customer Personal Data for the Processing purposes set forth in this DPA. 3.4. In connection with the performance of this DPA and the Agreement, Customer authorizes ASAPP to remotely access any Customer Personal Data from the United States, Argentina, Uruguay, India, the United Kingdom, and such other jurisdiction as may be necessary from time to time. Where such access occurs, ASAPP will access the Customer Personal Data in accordance with applicable Data Protection Legislation. The parties hereby enter into and shall comply with the provisions of the EU Standard Contractual Clauses (for transfers outside the EEA and Switzerland) and the UK International Data Transfer Addendum (for transfers outside the UK) to implement appropriate safeguards for transfers of Customer Personal Data to countries that are not recognized by the European Commission, Switzerland or the UK as providing an adequate level of protection for Personal Data. Customer acknowledges that ASAPP may, at its discretion, certify to any successor frameworks (or other similar mechanisms) to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as administered by the U.S. Department of Commerce (or such other relevant organization) and that such certification will replace the European Transfer Clauses, all on the condition that such certification has not been found to be invalid by the European Commission or any other competent authority (such as those in the UK) in the jurisdiction in which the processing is occurring. Customer, as Controller/data exporter (for the purposes of the European Transfer Clauses), understands that ASAPP may execute the European Transfer Clauses also on behalf of its affiliates. 3.5. Where ASAPP makes an onward transfer of Customer Personal Data, including securing all permissionsASAPP shall ensure the entity receiving the onward transfer of Customer Personal Data agrees to be bound by the appropriate Module of the EU Standard Contractual Clauses and the UK International Data Transfer Addendum (i.e., consents or authorizations that Module 3), unless such onward transfer is otherwise permitted by European Data Protection Laws. 3.6. The parties shall work together in good faith to enter into a Replacement Transfer Mechanism reasonably requested by ASAPP and take such action (which may include execution of documents) as may be required; and 2.2.2 Defend and indemnify CrowdStrikerequired to give effect to such Replacement Transfer Mechanism for purposes of compliance with applicable Data Protection Legislation, CrowdStrike Affiliates, and CrowdStrike Subprocessors for all on the condition that such Replacement Transfer Mechanism has not been found to be invalid by the European Commission or any claim brought against any one or more of them arising from an allegation of Customer’s breach of this Section, whether by a Data Subject or a government authority. In the event of such a claim, the Parties shall follow the process set forth other competent authority in the Agreement for Customer to defend and indemnify CrowdStrike and if none, then CrowdStrike will: (a) notify Customer of such claim, (b) permit Customer to control jurisdiction in which the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide Customer with reasonable assistance in connection with the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer processing is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its obligations under Applicable Lawsoccurring.

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 Process 3.1. This DPA applies to the Processing of Customer Personal Data only on Customer’s documented instructions, by Company as set out forth in the Agreement and this DPA. If Data Protection Legislation recognizes the roles of Controller and Processor as applied to Customer Personal Data, then as between Company and Customer, Customer acts as Controller and Company acts as a Processor (or Subprocessor, as the case may be) of Customer Personal Data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including with respect to transfers of Customer providing instructions via APIs made available by CrowdStrike with the OfferingsPersonal Data, and as unless Processing is required by Applicable Laws (applicable Data Protection Legislation to which Company is subject, in which case Company shall, to the “Documented Instructions”)extent permitted by applicable law, inform Customer of that legal requirement before so Processing that Customer Personal Data. 3.2. The Parties agree that Customer’s Processing instructions are contained in the Agreement and that Company may Process Customer Personal Data as necessary to enable Company to provide the Services according to the Agreement. Any additional or alternate instructionsdifferent instructions require a signed agreement between Company and Customer and may be subject to additional fees. For the avoidance of doubt, having an impact to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: (i) Customer’s instructions conflict with Applicable Laws; or (ii) Applicable Laws require any Processing contrary to the Customer’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal DataData shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, including securing all permissions, consents or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliatesquality, and CrowdStrike Subprocessors legality of Customer Personal Data and the means by which Customer acquired Personal Data. Company will inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation, provided, however, Company is not responsible for any claim brought against any one or more of them arising from an allegation of performing legal research and/or for providing legal advice to Customer. 3.3. If Company cannot process Customer Personal Data according to Customer’s breach of this Sectioninstructions due to a legal requirement under any applicable Data Protection Legislation, whether by a Data Subject or a government authority. In the event Company will (a) promptly notify Customer of such inability, providing a claimreasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the Parties shall follow greatest extent permitted by applicable law; and (b) Process (or continue to Process) Customer Personal Data to the process extent Company is able to comply with Customer’s instructions in order to provide the Services as set forth in the Agreement for Agreement. 3.4. Each of Customer to defend and indemnify CrowdStrike and if none, then CrowdStrike will: Company will comply with their respective obligations under Data Protection Legislation. Customer shall (a) notify provide all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and Company’s, Processing of Customer of such claim, Personal Data and (b) permit ensure that Customer has obtained (or will obtain) and maintain during the term of the Agreement all rights and consents which are necessary for Company to control Process Customer Personal Data in accordance with this DPA and the defense or settlement of such claim; provided, howeverAgreement. If Customer is not required by Data Protection Legislation to obtain and maintain valid consent from Data Subjects, Customer shall will otherwise obtain and maintain a valid legal basis in accordance with Data Protection Legislation to Process Customer Personal Data and for providing such data to Company for Processing under the Agreement. 3.5. Unless specifically required for Company to provide the Services, Customer Personal Data may not settle include any claim sensitive or special data that imposes specific data security or data protection obligations on Company in a manner addition to or different from those specified in any documentation or which are not provided as part of the Services. Customer understands and agrees that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide Customer with reasonable assistance in connection with the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision Company does not diminish differentiate between different types of data sensitivity when Processing Customer Personal Data or treat certain types of Personal Data Subject’s rights under Applicable Laws related differently from other types and applies the same security measures to CrowdStrike’s adherence to its obligations under Applicable Lawsall Customer Personal Data as set forth in Section 6 of this Addendum.

Processing of Customer Personal Data. 2.1 CrowdStrike shall:2.1. Except where otherwise expressly set forth herein, the Parties agree that Customer is the Controller (and Business) and that Magnet is a Processor (and Service Provider) with respect to the Processing of Customer Personal Data to provide the Services. Schedule A to this Addendum sets out the subject- matter and duration of the Processing, the nature and purpose of the Processing, the type of Customer Personal Data, and the categories of Data Subjects. Customer is responsible for the accuracy, quality, and legality of the Customer Personal Data it provides to Magnet, and the means by which it acquires and uses Customer Personal Data, including in connection with the Services. 2.1.1 2.2. Each Party will comply with their respective obligations under applicable Data Protection Laws. Customer shall instruct Magnet to process Customer Personal Data in a manner consistent with Data Protection Laws. 2.3. Customer represents and warrants that (a) it will use the Services solely as permitted under the Agreement; (b) it has the authority and right to enter into this Addendum; and (c) it has the authority and right, and all required lawful permission(s), to unlock any Device(s) in Customer’s possession, custody, or control; to access and otherwise Process the Customer Personal Data stored on or otherwise accessible within or through such Device(s); and to provide such Customer Personal Data to the Services on behalf of itself, and/or to permit Magnet to do any of the foregoing. Customer warrants and covenants it will at no time unlock or access Devices, Process Customer Personal Data, or instruct Magnet to Process Customer Personal Data in violation of applicable laws. Customer further represents and warrants that it will ensure it has obtained all required permission(s) to access and Process, and to permit Magnet to collect, access, use, store, transfer, and otherwise Process, Customer Personal Data as set forth under the Agreement and this Addendum, such as a court order, lawful governmental or law enforcement request(s), other legal process, or lawful law enforcement powers of investigation, in each case relating to each Data Subject whose Personal Data is accessed or otherwise Processed by Customer and/or Magnet in connection with the Product or the Services. Customer will, upon Magnet’s request, provide Magnet with written confirmation of such permission. 2.4. Magnet will Process Customer Personal Data only on for the purposes specified in Schedule A hereto and in accordance with the documented instructions of Customer’s documented instructions, as set out . Customer hereby instructs Magnet to Process Customer Personal Data (a) for the purposes specified in the Agreement and this DPASchedule A, including to provide the Services; (b) as permitted by applicable law; (c) in accordance with any settings or configurations applied or provided by Customer providing instructions via APIs made available or its Authorized Users within the Product or the Services; (d) to engage Subprocessors as permitted hereunder; and (e) as further instructed by CrowdStrike with the Offerings, and as required by Applicable Laws (the “Documented Instructions”). Any additional or alternate instructions, having an impact to the Offerings must be agreed upon by the Parties separately Customer in writing; and 2.1.2 Unless prohibited by Applicable Law. Customer shall ensure that its acts or omissions, inform the Customer if CrowdStrike determines that: (i) Customer’s including in relation to any instructions conflict with Applicable Laws; to Magnet or (ii) Applicable Laws require any Processing contrary to the Customer’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal Data, including securing all permissionsdo not cause Magnet to breach Data Protection Laws. 2.5. For Customer Personal Data that is subject to the CCPA, consents or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates, and CrowdStrike Subprocessors for any claim brought against any one or more of them arising from an allegation of Customer’s breach of this Section, whether by a Data Subject or a government authority. In the event of such a claim, the Parties Magnet shall follow the process set forth in the Agreement for Customer to defend and indemnify CrowdStrike and if none, then CrowdStrike will: not (a) notify Sell or Share Customer of such claim, Personal Data; (b) retain, use or disclose Customer Personal Data outside Magnet’s direct business relationship with Customer; or (c) combine Customer Personal Data with Personal Data received from other sources. Magnet will inform Customer if Magnet believes it is unable to comply with the CCPA, permit Customer to control the defense or settlement of such claim; provided, however, suspend any unauthorized Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consentPersonal Data Processing, and (c) provide cooperate with Customer with reasonable assistance in connection to remediate any unauthorized Customer Personal Data Processing so that it is compliant with the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its obligations under Applicable LawsCCPA again.

Processing of Customer Personal Data. 2.1 CrowdStrike shall: 2.1.1 Company will in the course of providing Services, including with regard to Transfers of Personal Data to a third country, Process Customer Personal Data only on Customer’s behalf of and under the documented instructionsInstructions of Customer unless required to do so otherwise under Applicable Data Protection Law; in such a case, as set out Company will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Schedule 1 specifies the duration of the Processing, the nature and purpose of the Processing, and the types of Personal Data and categories of data subjects. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own Processing of Customer Personal Data and (b) it has, and will continue to have, the right to Transfer, or provide access to, Customer Personal Data to Company for Processing in accordance with the terms of the Agreement and this DPA. Customer appoints Company as a Data Processor to Process Customer Personal Data on behalf of, including Customer providing and in accordance with, Customer’s instructions via APIs made available by CrowdStrike with (a) as set forth in the OfferingsAgreement, this DPA, and as required otherwise necessary to provide the Services to Customer (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits and abuse); (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing by Applicable Laws the parties (the “Documented InstructionsPermitted Purposes”). Any additional or alternate instructions, having an impact Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Company is not responsible for determining which laws are applicable to the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform the Customer if CrowdStrike determines that: (i) Customer’s instructions conflict with Applicable Laws; business nor whether Company’s provision of the Services meets or (ii) Applicable Laws require any Processing contrary to will meet the Customerrequirements of such laws. Customer will ensure that Company’s instructions. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal Data, including securing all permissions, consents or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates, and CrowdStrike Subprocessors for any claim brought against any one or more of them arising from an allegation of when done in accordance with Customer’s breach instructions, will not cause Company to violate any applicable law, regulation, or rule, including Applicable Data Protection Law. Company will inform Customer if it becomes aware or reasonably believes that Customer’s data Processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or Processing, or prior to permitting Customer’s end users to transmit or Process, any Personal Data via the Services. Customer specifically acknowledges that its use of this Section, whether by a the Services will not violate the rights of any Data Subject that has opted-out from sales or a government authority. In the event other disclosures of such a claimCustomer Personal Data, the Parties shall follow the process set forth in the Agreement for Customer to defend and indemnify CrowdStrike and if none, then CrowdStrike will: (a) notify Customer of such claim, (b) permit Customer to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide Customer with reasonable assistance in connection with extent applicable under the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its obligations under Applicable LawsCCPA.

Processing of Customer Personal Data. 2.1 CrowdStrike a. Customer is a business or the controller (as applicable) with respect to the processing of Customer Personal Data. Customer hereby grants Tines general authorization to process Customer Personal Data as a processor or service provider (as applicable) on its behalf in connection with the Tines Offerings and appoint other subprocessors to support the Offerings, including, without limitation, by processing Customer Personal Data, as provided herein. In the event that Customer is considered a processor or service provider acting on behalf of its own customers, Tines shall process the Customer Personal Data as a sub-processor or service provider acting on behalf of Customer. ▇. ▇▇▇▇▇ shall: 2.1.1 : (a) Process the Customer Personal Data only on Customer’s documented instructionsin accordance with the instructions provided by Customer to Tines, as set out forth in the Agreement Agreement, unless otherwise required by an Applicable Data Protection Law or other law to which Tines is subject; (b) implement and this DPA, including maintain the Tines Security Standards to protect the Customer providing instructions via APIs made available Personal Data; and (c) ensure that only authorized personnel who are under written confidentiality obligations have access to such Customer Personal Data. c. Customer is responsible for determining and controlling the nature and extent of Processing of Customer Personal Data by CrowdStrike Tines to deliver the Offerings. Customer is responsible for its lawful use of the Offerings and for the lawfulness of its own processing of Customer Personal Data under or in connection with the Offerings. Customer represents and warrants that it has provided all notices and disclosures regarding the processing of Customer Personal Data required by Applicable Data Protection Laws and obtained valid data subject consent, and where applicable, as required by Applicable Data Protection Laws to process Customer Personal Data pursuant to the Agreement. d. With respect to the Cloud Services, Tines will only host Customer Personal Data in the region(s) offered by ▇▇▇▇▇ and selected by Customer on an Order Form (the “Documented InstructionsHosting Regions”). Any additional or alternate instructions, having an impact to Customer is solely responsible for the Offerings must be agreed upon by the Parties separately in writing; and 2.1.2 Unless prohibited by Applicable Law, inform regions from which it accesses the Customer if CrowdStrike determines that: Personal Data, for any transfer or sharing of Customer Personal Data by Customer, and for any subsequent designation of other Hosting Regions. Once Customer has selected a Hosting Region, Tines will not process Customer Personal Data from outside the Hosting Region except as necessary to provide the Tines Offerings to Customer in accordance with the Agreement, which may include transfers of Usage Data, as described above, to where Tines’s Sub-processors maintain data processing operations, or as necessary to comply with the law or binding order of a governmental body. Customer acknowledges regardless of the Hosting Region selection, where Customer is receiving Cloud Services, Usage Data (ias defined in the Cloud Addendum) Customerwill be transferred and replicated in Tines’s instructions conflict with Applicable Laws; or (ii) Applicable Laws require any Processing contrary to the Customer’s instructionsdata warehouse in EMEA. 2.2 Customer shall: 2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for ▇. ▇▇▇▇▇ has no obligation to assess the Processing contents or accuracy of the Customer Personal Data, including securing all permissionsto identify information subject to any specific legal, consents regulatory, or authorizations that may be required; and 2.2.2 Defend and indemnify CrowdStrike, CrowdStrike Affiliates, and CrowdStrike Subprocessors other requirement. Customer is responsible for any claim brought against any one or more making an independent determination as to whether its use of them arising from an allegation of the Tines Offerings will meet Customer’s breach of this Section, whether by a Data Subject or a government authority. In the event of such a claim, the Parties shall follow the process set forth in the Agreement for Customer to defend requirements and indemnify CrowdStrike and if none, then CrowdStrike will: (a) notify Customer of such claim, (b) permit Customer to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires CrowdStrike to admit liability or make any changes with respect to the Offerings without CrowdStrike’s prior written consent, and (c) provide Customer with reasonable assistance in connection with the defense or settlement of such claim, at Customer’s cost and expense. In addition, CrowdStrike may participate in the defense of any claim, and if Customer is already defending such claim, CrowdStrike’s participation will be at CrowdStrike’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to CrowdStrike’s adherence to its legal obligations under Applicable Data Protection Laws. f. Taking into account the nature of the processing, and the information available to Tines, Tines shall provide reasonable assistance to Customer to enable Customer to fulfil its obligations to engage in any data protection impact assessments or consultations with supervisory authorities which may be required under Applicable Data Protection Laws.