GLOBAL THIRD-PARTY DPA
LAST UPDATED: February 1, 2026
Data Processing Agreement including applicable Annex(es) (collectively, the “DPA”)
This DPA is subject to the applicable agreement (“Agreement”) executed by and between Real Chemistry, LLC and/or one or more of its Affiliates (each an “Agency” or such corresponding terms as defined in the applicable Agreement) and the counterparty entering into such Agreement as “Vendor”, “Producer”, or “Partner Agency”, or such other corresponding terms (each a “Third-Party”), (including all applicable amendments, order forms, statement of work (“SOW”), work orders, exhibits or other applicable executed agreements), under which Third-Party will provide to Agency, directly or acting as agent to a principal (“Client”), certain services and/or materials and/or data (collectively, the “Services”), to which this DPA may be referenced. This DPA is effective as of the effective date of the Agreement, and amends and is incorporated into the Agreement.
The purpose of this DPA is to ensure that the parties Process all Personal Data in a manner that complies with the parties’ respective duties under this DPA and applicable Data Privacy Laws.
Each party agrees to appoint a single point of contact (“Representative”) as soon as this DPA has been entered into and provide the other party with the contact details of its Representative as soon as he/she has been appointed. The parties shall procure that the Representatives work together to reach an agreement with regard to any issues arising from the data sharing described in this DPA and to actively monitor the effectiveness of the data sharing.
Third-Party representative contact: As provided in the applicable Agreement
Agency representative contact: privacy@realchemistry.com
Definitions and interpretation
Capitalized terms used in this DPA shall have the following meanings, or as may be defined, including corresponding terms, by Data Privacy Laws:
“Adequate Country” means a country or territory that is recognized by the relevant Supervisory Authority in the European Union (“EU”) or the United Kingdom (“UK”), or other applicable Supervisory Authority, as providing an adequate level of protection for Personal Data.
“Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists).
“Agency Personal Data” means Personal Data provided by Agency or by a third party at Agency’s direction to Third-Party in connection with Third-Party’s provision of Services under the Agreement, and for which Agency acts as Data Controller. For the avoidance of doubt, Agency Personal Data does not include Personal Data Processed by Third-Party independent of Third-Party’s provision of Services under the Agreement, or for which Third-Party acts as Data Controller, or which was obtained by Third-Party not solely for the purpose of providing Services to Agency (collectively “Third-Party Personal Data”).
“Client Personal Data” means Personal Data provided by Client or by a third party at Client’s direction, or Personal Data otherwise Processed solely in connection with Agency and/or Third-Party’s provision of Services to Client, and for which Client is the Data Controller and/or Business, Agency is the Client’s agent and/or Data Processor, and Third-Party is the Data Sub-processor.
“Control” means an entity Controls another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
“Data Privacy Laws” mean all laws, rules, regulations, and orders of any jurisdiction or subdivision thereof in force relating to the privacy, security, confidentiality and/or integrity of Personal Data that are applicable to Services under the Agreement.
“Data Privacy Framework” (or “DPF”) means the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce collectively.
“Data Subject Request” means any communication from a Data Subject or authorized agent regarding the exercise of Data Subject rights pursuant to Data Privacy Laws.
“Instructions” means documented instructions issued by Agency to Third-Party directing Third-Party to perform a specific or general action with regard to Client Personal Data and/or Agency Personal Data.
“Personal Data”, “Process/Processing”, “Data Controller”, “Business”, “Data Processor”, “Data Sub-processor”, “Service Provider”, and “Data Subject” and corresponding terms, as defined under applicable Data Privacy Laws, shall have the meanings as defined therein. In particular, “Personal Data” shall also include “Personal Information”, “Health Information”, “Personal Identifiable Information”, and “Protected Health Information” (“PHI”) as defined by Applicable Data Privacy Laws, including the Health Insurance and Portability and Accountability Act (“HIPAA”) respectively. “Data Subject” shall also include a “Person”, “Consumer” or “Individual” as defined by Applicable Data Protection and Privacy Laws, including an “Individual” as defined by HIPAA.
“SCCs” means (i) where the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural person with regard to the Processing of Personal Information and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or “GDPR”) applies, the relevant clauses annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Information to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCC Decision”); (ii) where the version of GDPR retained by the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) and the UK Data Protection Act 2018 (“UK GDPR”) applies, the International Data Transfer Agreement adopted under section 119A(1) of the Data Protection Act 2018 on 21 March 2022 or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) adopted under section 119A(1) of the Data Protection Act 2018 on 21 March 2022; (iii) and where the Federal Data Protection Act of 19 June 1992 (Switzerland) (“Swiss FADP”) applies, the relevant clauses annexed to the SCC Decision, as amended by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) to cover transfers of Personal Information from Switzerland, each as may be amended or replaced from time to time by a competent authority under the relevant Data Privacy Laws.
“Security Breach” means any suspected or actual breach of (i) security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data and/or Agency Personal Data transmitted, stored or otherwise Processed in connection with the Agreement by Third-Party or any of Third-Party Data Sub-processors, or any other identified or unidentified third party, or (ii) this DPA or any data protection, confidentiality or security provisions of the Agreement.
“Third-Party Data Sub-processor” (or “Third-Party Service Provider”) means a third party engaged by Third-Party to Process Client Personal Data and/or Agency Personal Data on behalf of Agency, in accordance with Agency and/or Client Instructions.
“Restricted Transfer” means a transfer of Personal Data to a party or a Data Sub-processor; or an onward transfer of Personal Data by a party or Data Sub-processor, or between two establishments of a party or Subprocessor, in each case where such transfer would be conditioned upon or prohibited by applicable Data Privacy Laws in the absence of SCCs with applicable addendums, the DPF, or other data transfer agreements or mechanisms as required by applicable Data Privacy Laws.
“Supervisory Authority” means any competent regulatory authority or other government body responsible for the administration, implementation and enforcement of the Data Privacy Laws as it relates to the Processing under this DPA.
1. Status of the parties
1.1. In respect of the parties’ rights and obligations regarding Client Personal Data, Client is the Data Controller and/or Business, Agency acting as agent is the Data Processor and/or Service Provider, and Third-Party is Data Processor / Data Sub-processor and/or Service Provider, as applicable. In respect of the parties’ rights and obligations regarding Agency Personal Data, the parties hereby acknowledge and agree that Agency is the Data Controller and/or Business, and that Third-Party is the Data Processor and/or Service Provider. In respect of the parties’ rights and obligations regarding Third-Party Personal Data, the parties hereby acknowledge and agree that Third-Party is the Data Controller and/or Business, and if Third-Party Personal Data is Processed pursuant to this DPA, that each party is acting as an independent and separate Data Controller. Accordingly, the parties agree that they shall Process all Client Personal Data, Agency Personal Data, and Third-Party Personal Data in accordance with their obligations pursuant to this DPA and applicable Data Privacy Laws.
1.2. In the event of a contradiction between Data Privacy Laws and the provisions of this DPA or any related Agreements executed between the parties, Data Privacy Laws shall prevail.
2. Third-Party obligations
2.1. With respect to Client Personal Data and Agency Personal Data, Third-Party shall:
- only Process Client Personal Data and Agency Personal Data in order to provide the Services, and shall act in accordance with this DPA, Data Privacy Laws, and Agency’s lawful written instructions. Third-Party is prohibited from retaining, using, selling, sharing or disclosing Client Personal Data and Agency Personal Data for any purpose other than providing the Services to Agency as detailed in the Agreement, unless permitted or required to do so by applicable Data Privacy Laws, in which case the Third-Party shall inform Agency of such legal requirement before Processing, unless such disclosure is prohibited by law;
- not combine Client Personal Data or Agency Personal Data with Third-Party Personal Data or Personal Data Third-Party receives from or on behalf of another person or persons or that Third-Party collects from its own interaction with a Consumer;
- not retain, use, sell, transfer or disclose Client Personal Data or Agency Personal Data outside the direct relationship between the Third-Party and Agency under the Agreement, unless expressly permitted by Data Privacy Law;
- in cases where pseudonymous, tokenized or encrypted Client Personal Data or Agency Personal Data is used, make no attempt to re-identify the data or join data with other data sources for purposes of identifying an individual, creating pseudonymous profiles, or otherwise identifying a person in any way, and publicly commit to maintain and use the information in deidentified form and not to attempt to reidentify the information, and contractually obligate any recipients of the information to comply with the same requirements;
- immediately inform Agency if, in Third-Party’s opinion, any instructions provided by Agency infringe upon or violate Data Privacy Laws or if any changes to Data Privacy Laws may adversely affect Third-Party’s performance under the Agreement, or if Third-Party is no longer able to meet its obligations under Data Privacy Laws;
- implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the Processing of Client Personal Data and Agency Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data and/or Agency Personal Data transmitted, stored or otherwise Processed;
- comply with all sections of applicable Data Privacy Laws, providing the same level of privacy protection as required of Agency by applicable Data Privacy Laws;
- take reasonable steps to ensure that only authorized personnel have access to Client Personal Data and/or Agency Personal Data and that any persons whom it authorizes to have access to the Client Personal Data and/or Agency Personal Data are subject to these same obligations along with any confidentiality obligation set forth in the Agreement;
- upon reasonable suspicion or becoming aware of a Security Breach, notify Agency without undue delay by sending an email to rcinfosec@realchemistry.com and privacy@realchemistry.com;
- the notification will include, insofar as it is known
- the nature of the Security Breach including where possible the categories and approximate number of data subjects and/or records concerned
- the name and contact details of the data protection officer or other contact where more information can be obtained
- the likely consequences of the Security Breach, and a description of the measures taken or proposed to be taken to address the Security Breach including, where appropriate, measures to mitigate its possible effects.
- where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay;
- promptly provide Agency with reasonable cooperation and assistance in respect of a Security Breach and information in Third-Party’s possession concerning such Security Breach insofar as it affects Agency;
- not notify any third-party about a Security Breach without the prior written consent of Agency, unless otherwise required by applicable Data Privacy Laws. Third-Party further agrees that Client and/or Agency (as applicable) shall have the sole right to determine (i) whether notice of a Security Breach is to be provided to any third-party (including but not limited to data subjects, regulators, or law enforcement agencies) and (ii) the content and form of such notice;
- promptly notify Agency if it receives a Data Subject Request relating to Client, Client Personal Data, Agency or Agency Personal Data. Third-Party shall not respond to a Data Subject Request without Agency’s prior written consent except to confirm that such request relates to Agency, to which Agency hereby agrees. To the extent that Agency does not have the ability to address a Data Subject Request, upon Agency’s written request, and taking into account the nature of the Processing, Third-Party shall provide reasonable assistance to the extent Third-Party is able to consistent with Data Privacy Laws to Agency to facilitate Agency responding to a Data Subject Request within the deadlines set out under Data Privacy Laws;
- upon Agency request Third-Party shall provide a copy of or access to all or part of the Client Personal Data and/or Agency Personal Data Processed by Third-Party on behalf of Client and/or Agency;
- grant the Agency the right, upon notice, to take reasonable and appropriate steps to stop and remediate any Third-Party unauthorized use of Client Personal Data and/or Agency Personal Data, including requiring Third-Party to provide documentation that it no longer retains or uses the Client Personal Data and/or Agency Personal Data of Consumers that have made a valid request to delete with Client and/or Agency;
- other than to the extent required to comply with Data Privacy Laws, as soon as reasonably practicable following termination or expiry of the Agreement or completion of the Services, or upon Agency notice, Third-Party will delete all Client Personal Data and Agency Personal Data (including copies thereof) Processed pursuant to this DPA, and upon Agency request provide documentation that verifies that Third-Party no longer retains or uses Client Personal Data and/or Agency Personal Data;
- provide to Agency such assistance as Agency reasonably requests in writing in relation to Client’s, Agency’s obligations under Data Privacy Laws, in each case solely in relation to the Processing of Client Personal Data and/or Agency Personal Data by the Third-Party (as Data Sub-processor or Data Processor) on behalf of Agency (as Data Processor (acting on behalf of Client as Data Controller), or Data Controller) and taking into account the nature of the Processing and information available to Third-Party with respect to:
- Client’s and Agency’s compliance with their respective obligations under Data Privacy Laws with respect to the security of Processing of Client Personal Data and/or Agency Personal Data;
- notifications to the Supervisory Authority under Data Privacy Laws and/or communications to data subjects by Agency in response to any Security Breach; and
- data protection impact assessments, records of processing activities (as such terms and corresponding terms are defined in Data Privacy Laws), risk assessment questionnaires and other documentation;
- responding to lawful Data Subject Requests pursuant to Data Privacy Laws that Agency must comply with;
- make available to Agency relevant information necessary to demonstrate compliance with Third-Party obligations under this DPA and Data Privacy Laws;
2.2. With respect to Third-Party Personal Data:
- Third-Party warrants and represents that it has obtained prior written consents, permissions and releases from all applicable Data Subjects and/or third-parties to supply Third-Party Personal Data to Agency which are legally sufficient for Agency’s use in activities as may be described in the applicable SOW, the Agreement and/or in Annex I.
- Prior to transferring any Third-Party Personal Data to Agency, Third-Party warrants, represents and agrees that Third-Party: (i) has adequate data and privacy policies and practices in place; (ii) is in compliance with all applicable Data Privacy Laws; (iii) has appropriate legal mechanisms in place to transfer such Third-Party Personal Data to Agency; and (iv) is responsible for any fees, costs and expenses associated with the transfer of Third-Party Personal Data to Agency. Third-Party further agrees that it is solely responsible for the accuracy, quality and legality of Third-Party Personal Data and the means by which Third-Party acquired Third-Party Personal Data.
3. Specification of the Personal Data and Processing Activities
3.1. The subject-matter, nature, purpose and duration of the Processing are defined in Annex I.
3.2. The parties agree that no PHI as defined by HIPAA will be Processed as part of this DPA. Should the Services provided to Agency by Third-Party under the Agreement contemplate the Processing of PHI, the parties agree to negotiate a separate agreement in good faith.
4. Restricted Transfers
4.1. If applicable and to the extent any Processing of Personal Data requires a Restricted Transfer of Personal Data of Data Subjects who are in the EEA, and/or the United Kingdom (and Gibraltar), and/or Switzerland, to outside the EEA, the United Kingdom (and Gibraltar), or Switzerland, except if to an Adequate Country, in regards to such Restricted Transfers, Third-Party represents to Agency that Third-Party complies with the DPF, as applicable.
- In the event that (i) the applicable DPF is replaced, amended or repealed under Data Privacy Laws, (ii) if Third-Party withdraws or is removed at any time from the applicable DPF, (iii) if Third-Party has not certified to the applicable DPF, the parties agree that if applicable and to the extent any Processing of Personal Data requires a Restricted Transfer, except if to an Adequate Country, the parties agree that where necessary to comply with Data Privacy Laws, the relevant SCCs apply in respect of that Processing and shall be deemed incorporated by reference and form an integral part of this DPA as follows:
- To the extent that Agency and Third-Party are independent Data Controllers, Module 1 (controller to controller) will apply, and to the extent that Third-Party acts as a Data Sub-processor on behalf of Agency (as a Data Processor on behalf of Client acting as a Data Controller), Module 3 (processor to processor) will apply, and to the extent that Third-Party acts as a Data Processor on behalf of Agency acting as Data Controller, Module Two (controller to processor) will apply, and are completed as follows;
- Clause 7, the optional docking clause shall not apply;
- for Module 2 and Module 3, Clause 9, Option 2 shall apply, and the time period for prior notice of Data Sub-processor changes shall be thirty (30) days;
- in Clause 11, the optional language shall not apply;
- for Module 1 Clause 17, Option 1 shall apply and for Module 2 and Module 3, Clause 17, Option 2 shall apply, and the SCCs will be governed by the law of the EEA country specified in Annex 1.C;
- in Clause 18(b), disputes shall be resolved before the courts of the EEA country specified in Annex 1.C; and
- Annex I, II and III of the SCCs shall be deemed completed with the information set out in Annex I, II and III to this DPA, respectively;
- in relation to Personal Data that is protected by the UK GDPR, the relevant SCCs: (i) shall apply as completed in accordance with paragraph (a) above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes I and II of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “either party”.
- in relation to transfers of Personal Data protected by the Swiss FADP, the relevant SCCs shall apply in accordance with paragraph (a) above, and (b) in accordance with the statement of the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) of August 27, 2021, recognizing the SCCs as a valid transfer mechanism in Switzerland with the following adjustments:
- The SCC references to GDPR are understood as references to the FADP insofar as the data transfers are subject to the FADP;
- References to the EU and EU Member States will be interpreted to mean Switzerland, to the extent applicable.
- Clause 13 – the FDPIC shall be the competent supervisory authority insofar as the data transfer is governed by the Swiss FADP;
- Clause 17 – the law of the EEA country specified in Annex 1.C shall be the governing law;
- Clause 18 – the courts of the EEA country as specified in Annex 1.C shall be the choice of forum, but this shall not exclude individuals in Switzerland from the possibility of bringing a claim in their place of habitual residence in Switzerland, in accordance with Clause 18(c);
4.2. In relation to Restricted Transfers where Quebec Law 25 applies, the relevant SCCs shall apply in accordance with paragraph (a) above with the following adjustments:
- References to the Supervisory Authority are to be understood as references to the Commission for the Protection of Personal Information of Quebec (“CPQPI”);
- References to the GDPR are to be understood as references to Quebec Law 25;
- Applicable law for contractual claims under Clause 17: Canadian (or the law of a country that allows and grants rights as a third-party beneficiary for contractual claims regarding data transfers pursuant to the Quebec Law 25);
- References to Member State / European Union: Canada is to be considered as a Member State within the meaning of the SCCs so that data subjects among others are entitled to file claims according to Clause 18c of the SCCs at their habitual residence in Quebec;
4.3. In the event that any provision of this DPA contradicts, directly or indirectly, the SCCs as amended, the SCCs as amended shall prevail.
4.4. If, in the performance of this DPA a Third-Party conducts a Restricted Transfer to a Third-Party Data Sub-processor, or permits Processing of any Client Personal Data and/or Agency Personal Data by a Third-Party Data Sub-processor which requires a Restricted Transfer (without prejudice to clause 6), Third-Party shall in advance of any such transfer ensure appropriate safeguards are in place such as applicable SCCs, certification approved by applicable Supervisory Authority, or other legal mechanisms approved by the appropriate authorities under Data Privacy Laws.
5. Other data transfers
5.1. In the event that the Services require the transfer of Client Personal Data and/or Agency Personal Data from a jurisdiction requiring a different legal transfer mechanism than is otherwise described in this DPA, the parties shall work together in good faith to enter into such a data transfer mechanism, or to negotiate a solution to enable compliant transfers of Client Personal Data and/or Agency Personal Data.
6. Third-Party Affiliates and Third-Party Data Sub-processors
6.1. Agency hereby provides general authorization for Third-Party use of Third-Party Data Sub-processors and Third-Party Affiliates as set out in Annex III. Third-Party shall inform the Agency in writing at least thirty (30) days in advance of any intended changes to the list of Third-Party Data Sub-processors and Third-Party Affiliates. If Agency has a reasonable objection to any new or replacement Third-Party Data Sub-processor or Third-Party Affiliate, it shall notify Third-Party of such objections in writing and the parties will seek to resolve the matter in good faith. If Agency does not provide an objection within thirty days of receipt of notification of any new or replacement Third-Party Data Sub-processor or Third-Party Affiliate in accordance with this clause, Agency will be deemed to have consented to the Third-Party Data Sub-processor or Third-Party Affiliate and waived its right to object. In the event Agency, acting reasonably, does not approve of the use, addition or replacement of a Third-Party Data Sub-processor or Third-Party Affiliate, Agency may terminate this DPA or the Agreement in accordance with the terms of the Agreement.
6.2. Third-Party will ensure that any Third-Party Affiliate, Third-Party Data Sub-processor or Third-Party Service Provider is bound by written agreement requiring such Third-Party Affiliate, Third-Party Data Sub-processor or Third-Party Service Provider to adhere to the same data protection obligations as those applicable to Third-Party under this DPA and Data Privacy Laws.
6.3. Where Third-Party Data Sub-processor or Third-Party Affiliate fails to fulfil its obligations under their written agreement with Third-Party, Third-Party remains fully liable to Agency for the Third-Party Data Sub-processor’s or Third-Party Affiliate’s performance of its obligations with respect to Processing Client Personal Data and/or Agency Personal Data.
6.4. Third-Party shall conduct appropriate due diligence of its Third-Party Data Sub-processors.
7. Audit
7.1. Agency or Agency-mandated auditor may audit Third-Party’s activities in relation to the Processing of Client Personal Data and/or Agency Personal Data covered by this DPA, taking into account the categories of Client Personal Data and/or Agency Personal Data and the nature of the Processing, and insofar as is commercially reasonable. Third-Party shall provide Agency with all reasonable information and assistance in connection with any such audit. The aforementioned frequency and notice requirements shall not apply in case of a Security Breach (unless Security Breach was caused solely by Agency’s and/or Client’s acts or omissions) or if the audit is at the request of a Supervisory Authority.
8. Record retention, return and destruction
8.1. Third-Party will retain Client Personal Data and/or Agency Personal Data only as necessary for the provision of the Services.
8.2. At any time during the term of the Agreement at Agency’s or Client’s request, or upon termination or expiration of the Agreement for any reason, within 30 days Third-Party will, at Agency or Client’s election return or securely delete all Client Personal Data and/or Agency Personal Data.
8.3. If Third-Party is required by applicable law to retain copies of Client Personal Data and/or Agency Personal Data, Third-Party will (i) not use Client Personal Data and/or Agency Personal Data for any other purpose and (ii) Third-Party remains bound by its obligations under the Agreement and this DPA.
9. Resolution of disputes with data subjects or the Supervisory Authority
9.1. Each party agrees to provide reasonable assistance as is necessary to the other party to respond within a reasonable time to any enquiries from the Supervisory Authorities in relation to their Processing of Client Personal Data and/or Agency Personal Data.
9.2. In the event of a dispute or claim brought by a Data Subject or a Supervisory Authority concerning the Processing of Client Personal Data and/or Agency Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will reasonably cooperate with a view to settling them amicably in a timely fashion.
10. General
10.1. Notwithstanding anything to the contrary in this DPA, or the Agreement, Third-Party hereby indemnifies and holds Client and Agency harmless against any and all claims, costs, actions, third-party claims, losses, damages, and expenses (“Losses”) incurred by Client and/or Agency, including but not limited to any claims or actions asserted against Client and/or Agency, whether arising directly or indirectly out of, or in connection with, the Third-Party’s breach of this DPA or violation of Data Privacy Law.
10.2. Nothing in the foregoing section 9.1 is intended to limit or exclude a party’s liability for Losses that cannot be limited or excluded under applicable Data Privacy Laws or any other applicable law, rule or regulation.
10.3. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail only to the extent the subject matter concerns the Processing of Client Personal Data and/or Agency Personal Data. Nothing in this document is intended to vary or modify applicable Data Privacy Law. In the event of a conflict between the terms of this DPA and the terms of applicable Data Privacy Laws, the terms of applicable Data Privacy Laws shall prevail.
10.4. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The parties shall work together in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
10.5. Upon written agreement by both parties, this DPA may be amended as necessary to comply with updates to Data Privacy Laws.
10.6. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail only to the extent the subject matter concerns the Processing of Client Personal Data and/or Agency Personal Data. Nothing in this document is intended to vary or modify applicable Data Privacy Law. In the event of a conflict between the terms of this DPA and the terms of applicable Data Privacy Laws, the terms of applicable Data Privacy Laws shall prevail.
10.7. In addition to the applicable Agreement between the parties, this DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it.
APPENDIX
SCC ANNEXES
ANNEX I
- LIST OF PARTIES
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s):
- Name: Real Chemistry, LLC
Address: 199 Water Street, New York, NY 10038
Contact person’s name, position and contact details: Dan Linton, Global Data Privacy Officer, privacy@realchemistry.com
Activities relevant to the data transferred under these Clauses: Services as described in the applicable Agreement and/or SOW
Signature and date: As set forth in the applicable Agreement
Role (controller/processor): Data Controller, Business, Data Processor as applicable
Data importer(s) (Third-Party Information):
- Name: As stated in the applicable Agreement
Address: As provided in the applicable Agreement
Contact person’s name, position and contact details: As stated in the applicable Agreement
Activities relevant to the data transferred under these Clauses: Services as described in the applicable Agreement and/or SOW.
Signature and date: As set forth in the applicable Agreement
Role (controller/processor): Data Processor, Data Sub-Processor, Service Provider, Data Controller as applicable
- DESCRIPTION OF TRANSFER
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
As described below or in the applicable Agreement and/or SOW between the parties.
Categories of data subjects whose personal data is transferred
- As described in the applicable Agreement and/or SOW, which may include:
- Health care professionals
- General public / consumers
- Press and Media
- Agency and Third-Party employees
- Client employees
- Production Talent and Crew
Categories of personal data transferred
- As described in the applicable Agreement and/or SOW, which may include:
- Personal identification data (name, title, contact information, email etc.)
- Personal details (age, gender etc.)
- Educational information
- Professional qualifications
- Employment history
- Photo, video, audio recording information
- Membership or participation in professional organizations
- Publications (books, articles, reports etc.)
- Electronic identifiers (device identifiers, cookies etc.)
- Location
- Information manifestly made public by the data subject (social media posts etc.)
- Other categories as may be described in applicable Statements of Work
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Data concerning health
- Other categories as may be described in applicable Statements of Work
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuously in the course of the applicable Agreement and/or SOW
Nature of the processing
- Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, combination – as described in the applicable Agreement and/or SOW
Purpose(s) of the data transfer and further processing
- Performance of the parties’ obligations under the applicable Agreement and/or SOW, including but not limited to production, analytics, advertising, marketing, public relations and other related services.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
- As independent Controllers, the parties retain Personal Data for as long as they have a business purpose for it, or as permitted by applicable Data Privacy Law.
- As Processor, Third-Party retains Client Personal Data and/or Agency Personal Data for the duration of the applicable Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Subject matter, nature and duration of the processing for sub-processor(s) are described in the applicable Agreement and/or SOW and/or Annex III below.
- COMPETENT SUPERVISORY AUTHORITY, FORUM AND JURISDICTION
MODULE ONE: Transfer controller to controller
Supervisory Authority: Irish Data Protection Commission (DPC)
Member state, forum and jurisdiction: Ireland
MODULE TWO: Transfer controller to processor
Supervisory Authority: Irish Data Protection Commission (DPC)
Member state, forum and jurisdiction: Ireland
MODULE THREE: Transfer processor to processor
Supervisory Authority: As determined by the Client and applicable Agreement
Member state, forum and jurisdiction: As determined by the Client and applicable Agreement
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
- Real Chemistry Technical & Organisational Measures – https://www.realchemistry.com/technical-organisational-measures
- Third-Party Technical and Organisational Measures – As applicable and taking into account the categories of Client Personal Data and/or Agency Personal Data and the nature of the Processing, Third-Party represents and warrants that it complies with THIRD PARTY: MINIMUM SECURITY REQUIREMENTS as described in the Real Chemistry Third party Code of Conduct as published at https://www.realchemistry.com/pdf/thirdpartycodeofconduct.pdf, as may be updated from time to time.
ANNEX III – LIST OF APPROVED VENDOR AFFILIATES AND VENDOR DATA SUB-PROCESSORS
Not applicable for MODULE ONE: Transfer controller to controller.
MODULE TWO: Transfer controller to processor
- The data importer has the data exporter’s general authorisation for the engagement of Data Sub-Processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of Data Sub-Processors at least 30 days in advance.
- Third-Party agrees to provide a list of its Data Sub-Processors immediately upon request.
- Subject matter, nature, and duration of the processing for Sub-Processors is only as necessary for the provision of the Services.
MODULE THREE: Transfer processor to processor
- Real Chemistry Sub-Processors listed at https://www.realchemistry.com/service-providers, as may be updated from time to time.
- Subject matter, nature, and duration of the processing for sub-processors is only as necessary for the provision of the Services.