PERSONAL DATA PROCESSING ADDENDUM

This Personal Data Processing Addendum (the “DPA”) is subject to the terms of the Lamina Deal Marketplace Platform Agreement or Lamina Limited Access Platform Agreement (the “Master Agreement”), as applicable, between Lamina, LLC (“Lamina”) and the party identified as “Customer” in such Master Agreement and is incorporated into such Master Agreement. This DPA reflects the parties’ agreement with respect to the Processing of Personal Data (defined below) by Lamina on behalf of Customer in connection with access to and use of the Lamina Loan Platform (as defined below) pursuant to the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA unless otherwise expressly indicated herein.

1. Definitions and Interpretation

1.1 The following definitions and rules of interpretation apply in this DPA.

“Affiliate” has the meaning set forth in the Master Agreement.

"Business Purpose" means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.

"Data Subject" means an individual who is the subject of the Personal Data and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

“Lamina Loan Platform” has the meaning set forth in the Master Agreement.

"Personal Data" means any information the Lamina processes for the Customer pursuant to provision of services under the Master Agreement that (a) identifies or relates to an individual who can reasonably be identified directly or indirectly from that data alone or in combination with other information in the Lamina's possession or control or that the Lamina is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal data or information.

"Processing, processes, or process" means any activity that involves the use of Personal Data or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

"Privacy and Data Protection Requirements" means all applicable laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Data, including unsuccessful login attempts, pings, port scans, denial of services attacks, and other network attacks on firewalls or networked systems.

“Sub-Processor” means an entity engaged by Lamina to Process Personal Data on behalf of, and under the instructions of, Customer in connection with the provision of services under the Master Agreement.

2. Roles of the Parties and Processing Purposes
2.1 Customer is the “business” or “controller” and Lamina is the “processor” or “service provider” (as those terms are defined under the Privacy and Data Protection Requirements) with respect to Personal Data. Customer is responsible for its compliance obligations under the Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Lamina. Notwithstanding the foregoing, this DPA does not apply to instances where Lamina acts as an independent “business” or “controller” with respect to Personal Data, such as data Lamina collects from Customer for billing purposes.

2.2 Appendix A describes the general Personal Data categories and related types of Data Subjects the Lamina may process to fulfill the Business Purposes of the Master Agreement. The Customer discloses Personal Data to Lamina only for the limited and specified Business Purposes.

3. Lamina's Obligations

3.1 Lamina will only process, retain, use, or disclose the Personal Data as is reasonably necessary for the Business Purposes in accordance with the Customer's instructions, including as set forth in this DPA, the Master Agreement, and any applicable order form or as Privacy and Data Protection Requirements permit. Lamina will not process, retain, use, or disclose the Personal Data in a way that does not comply with this DPA or the Privacy and Data Protection Requirements or for any other purpose outside of the parties' business relationship, except as permitted under Privacy and Data Protection Requirements. This includes not combining or updating the Personal Data with personal information obtained outside of this contract unless the Privacy and Data Protection Requirements permit the action. As set forth in the Master Agreement, Lamina will not use Personal Data to conduct internal research and development activities to improve products or services. Lamina will promptly notify the Customer if, in its opinion, the Customer's instruction would not comply with the Privacy and Data Protection Requirements.

3.2 Lamina will promptly comply with a Customer request or instruction requiring Lamina to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized processing.

3.3 Lamina will maintain the confidentiality of all Personal Data and will not “sell” or “share” (as defined under the Privacy and Data Protection Requirements) the Personal Data, or disclose it to third parties without specific authorization from the Customer or this DPA, unless required by law. If a law requires Lamina to process or disclose Personal Data, Lamina must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 Lamina will reasonably assist the Customer with meeting the Customer's compliance obligations under the Privacy and Data Protection Requirements, accounting for the nature of Lamina's Processing and the information available to Lamina.

3.5 Lamina will promptly notify the Customer of its ability to meet the obligations under applicable Privacy and Data Protection Requirements that may adversely affect Lamina's performance of the Master Agreement or this DPA.

3.6 Customer acknowledges that Lamina is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Data other than as required under the Privacy and Data Protection Requirements.

4. Lamina's Employees

4.1 Lamina will limit Personal Data access to:

(a) those employees who require Personal Data access to meet Lamina's obligations under this DPA and the Master Agreement; and

(b) the part or parts of the Personal Data that those employees require for the performance of their duties.

4.2 Lamina will ensure that all employees:

(a) are obliged to keep the Personal Data confidential;

(b) and have undertaken training with respect to personal information privacy.

4.3 Lamina will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks consistent with applicable law on, all of Lamina's employees with access to the Personal Data.

5. Security

Lamina will maintain appropriate technical and organizational measures designed to safeguard Personal Data against unauthorized or illegal access, destruction, use, modification, or disclosure, including the security measures set out at https://www.laminafs.com/securitymeasures. Lamina will periodically review its security measures and may adjust them in its discretion to maintain appropriate safeguards for the Personal Data.

6. Security Incidents

6.1 Lamina will, within 72 hours of discovery, notify Customer if it becomes aware of any Security Incident.

6.2 Promptly following any Security Incident, Lamina will take reasonable steps to contain, investigate, remedy, and mitigate the Security Incident and shall keep Customer informed of all material developments in connection therewith. Lamina will reasonably co-operate with the Customer in the Customer's handling of the matter and provide all information reasonably required by Customer for it to comply with any requirements under applicable Privacy and Data Protection Requirements. The obligations herein shall not apply to Security Incidents that are caused by Customer or Customer Authorized Users.

6.3 Lamina will not inform any third party of a Security Incident without first obtaining the Customer's prior written consent, except when such notification is required by applicable law.

6.4 Lamina agrees that, except as set forth above, the Customer has the sole right to determine:

(a) except as provided under section 6.3 of this DPA, whether to provide notice of the Security Incident to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

7. Sub-Processors

7.1 Subject to the terms and conditions set forth in this DPA, Customer generally authorizes Lamina to continue to use and disclose Personal Data to Sub-Processors engaged by Lamina. Customer acknowledges that Affiliates of Lamina may be engaged as Sub-Processors. Lamina shall not engage a Sub-Processor unless such Sub-Processor is subject to an agreement with Lamina that contains data protection terms not less protective as those provided for by this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the service provided by such Sub-Processor. Lamina shall remain liable for any breach of its obligations under this DPA that is caused by an act, error, or omission of its Sub-Processors to the same extent it would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

7.2 The current list of Sub-Processors that may be engaged in Processing Personal Data is listed at https://www.laminafs.com/subprocessors. Lamina will provide Customer with prior notice, via email, of the addition or replacement of Sub-Processors before authorizing any new Sub-Processor(s) to Process Customer’s Personal Data in connection with the Master Agreement. Such email will be sent either to Designated Contacts (as defined in the Lamina Support Services and Availability Terms incorporated into the Master Agreement) or to the user who accepted the terms and conditions of the Lamina Limited Access Platform Agreement on behalf of Customer (collectively, the “Privacy Contact(s)”). Customer must notify Supplier within five (5) business days of receipt of Lamina’s notice of a new Sub-Processor if it objects to the addition or replacement of a Sub-Processor; if Customer does not object, then Sub-Processor is deemed accepted by Customer. Customer’s objection should be sent to [email protected] and include the grounds for its objection. If Customer objects to Supplier's appointment of a Sub-Processor on reasonable grounds relating to the protection of Personal Data, and Supplier is unable to adequately address such objection within a reasonable period of time, not to exceed thirty (30) days (such as by using reasonable efforts to make available a change in the configuration of Customer’s access to the Lamina Loan Platform), then Customer may elect to suspend or terminate the applicable Order Addendum(s) with respect to those aspects of the Lamina Loan Platform which Lamina cannot provide without the use of the objected-to Sub-Processor without penalty by providing written notice to Lamina. Lamina will refund Customer prepaid fees covering the remainder of the term of such Order Addendum(s) following the effective date of termination.

8. Data Subject Requests, Complaints, and Third Party Rights

8.1 Lamina will notify the Customer promptly if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Data, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions.

8.2 Lamina will give the Customer reasonable co-operation and assistance in responding to any Data Subject request, accounting for the nature of the Processing and information available to Lamina.

9. Term and Termination

9.1 This DPA will remain in full force and effect so long as:

(a) the Master Agreement remains in effect; or

(b) Lamina retains Personal Data related to the Master Agreement in its possession or control.

9.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement to protect Personal Data will remain in full force and effect.

9.3 In the event that Lamina receives any regulatory inquiry or correspondence regarding Personal Data in which Customer is named (an “Inquiry”), Lamina shall, to the extent not prohibited by applicable law or any regulatory authority:

(a) Notify Customer of such Inquiry in writing within three (3) calendar days of receiving such Inquiry;

(b) Provide Customer with all copies of documents and correspondence relating to the Inquiry without unduly delay after receipt or delivery of such documents or correspondence;

(c) Provide Customer with a written certification at the conclusion of the Inquiry that action required by the Privacy and Data Security Requirements has been taken in response to such Inquiry;

(d) Not disclose any confidential information of Customer or any affiliated party to the applicable authority without Customer’s prior written consent.

10. Data Destruction

10.1 On termination of the Master Agreement for any reason or expiration of its term, Lamina will securely destroy and not retain all or any Personal Data for which Lamina services as a Processor under the Master Agreement in its possession or control, except to the extent required by applicable law, regulation or government or regulatory body or as required by its internal backup policies and procedures, provided that such backup copies are deleted in the normal course of business.

11. Audit

11.1 Upon Customer’s written request, and no more than once per 12-month period, Lamina will make relevant, existing third-party audit reports available to the Customer for review, including as applicable: Lamina's latest Service Organization Controls (SOC) 2 Type 1 audit report. Lamina shall also provide other information reasonably requested by Customer as may be necessary to demonstrate compliance with this DPA.

11.2 Where the information available pursuant to Section 11.2 does not suffice to demonstrate compliance with this DPA or in the event of a Security Incident or pursuant to requirement under applicable Privacy and Data Protection Requirements, Customer may schedule an audit with Lamina, which may be conducted by Customer or a third-party auditor acting on its behalf, to acquire the necessary information. Such audits will be limited to the Lamina Systems directly operated by Lamina or its Affiliates. Nothing in the Master Agreement or DPA gives Customer the right to access the information of other Lamina customers.

11.3 Customer will treat audit reports and information provided pursuant to Section 11 as Lamina's confidential information under the Master Agreement. Lamina reserves the right to require execution of a confidentiality agreement between it and any third parties engaged by Customer in connection with exercise of its rights under this Section.

12. Notice

12.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing (email being sufficient) and delivered to:

For the Customer: Customer’s Privacy Contacts.

For Lamina: [email protected].

12.2 Section 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

13. Interpretation.

13.1 The appendices to this DPA form a part of it and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the appendices.

13.2 In the case of conflict or ambiguity between:

(a) any provision contained in the body of this DPA and any provision contained in the appendices, the provision in the body of this DPA will prevail;

(b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the appendices, the provision contained in the appendices will prevail; and

(c) any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail. The parties agree that the limitations on liability set forth in the Master Agreement are not in conflict and apply to Lamina’s obligations under this DPA.

APPENDIX A

Personal Data Processing Purposes and Details