🗣️

DPA

Data Processing Agreement

International Data Protection Addendum

This Data Protection Addendum ("Addendum") between: (i) Coachello SAS, 103 Rue du Temple, Paris, France, registered at the Chamber of Commerce under 899565709 ("Vendor") acting on its own behalf and as agent for each Vendor Affiliate; and (ii) Vendor’s customer, either as defined under “Client” on the signature page or otherwise the customer defined in the Coachello terms or other terms or a framework agreement ("Company") acting on its own behalf and as agent for each Company Affiliate, forms part of all existing and future obligations related to Services (as defined below).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Subscription and Credit Purchase Agreement (the “Principal Agreement”).

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly :

1.1.1 "Applicable Laws" means (a) European Union or Member State laws with respect to any Company Personal Data in respect of which any Company Group Member is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Company Personal Data in respect of which any Company Group Member is subject to any other Data Protection Laws;

1.1.2 "Controller": means the Company which determines the purposes and means of the processing of personal data and ordering services from the Vendor under the Principal Agreement.

1.1.3 "Processor": means the Vendor providing services to the Company (controller) under the Principal Agreement and processing personal data on behalf of the Company.

1.1.4 "DPA": means this Data Processing Agreement or Addendum.

1.1.5 "EU": means the European Union.

1.1.6 "In writing" includes electronic text form such as email, pdf or fax.

1.1.7 "Company Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.8 "Company Group Member" means Company or any Company Affiliate;

1.1.9 "Company Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of a Company Group Member pursuant to or in connection with the Principal Agreement. For the avoidance of doubt, this may include Personal Data of employees of Company Group Members;

1.1.10 "Contracted Processor" means Vendor or a Subprocessor;

1.1.11 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.12 "EEA" means the European Economic Area, namely the EU Member States along with Iceland, Liechtenstein and Norway;

1.1.13 "EU Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR, (b) laws replacing the GDPR in the UK after the UK leaves the EU, and (c) decisions by competent EU or EEA bodies or authorities including the European Data Protection Supervisor and the European Data Protection Board, as interpreted by the European Court of Justice;

1.1.14 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);

1.1.15 "Principal Agreement" means the Main Principal Agreement from the signature page to this Addendum including any related contractual relationships, instructions, and obligations including any subsequent agreement replacing a Principal Agreement.

1.1.16 "Restricted Transfer" means:

1.1.16.1 a transfer of Company Personal Data from any Company Group Member to a Contracted Processor; or

1.1.16.2 an onward transfer of Company Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor,

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under section 14 below.

For the avoidance of doubt: (a) without limitation to the generality of the foregoing, the parties to this Addendum intend that transfers of Personal Data from the UK to the EEA or from the EEA to the UK, following any exit by the UK from the European Union shall be Restricted Transfers for such time and to such extent that such transfers would be prohibited by Data Protection Laws of the UK or EU Data Protection Laws (as the case may be) in the absence of the Standard Contractual Clauses to be established under section 14; and (b) where a transfer of Personal Data is of a type authorised by Data Protection Laws in the exporting country, for example in the case of transfers from within the European Union to a country (such as Switzerland) or scheme (such as formerly the EU-US Privacy Shield) which is approved by the Commission as ensuring an adequate level of protection or any transfer which falls within a permitted derogation, such transfer shall not be a Restricted Transfer;

1.1.17 "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Company Group Members pursuant to the Principal Agreement. Services may include the Coachello’s platform for digital coaching including Coachello Slack Apps, MS Teams apps, Coachello Web Apps, Coachello Customer Support including any setup and servicing of the Coachello Platform such as configuring systems, trainings, demonstrations, fixing bugs, and importing, exporting, or deleting data sets at Company Group Member’s request;

1.1.18 "Subprocessor" means any person appointed by or on behalf of Vendor or any Vendor Affiliate to Process Personal Data on behalf of any Company Group Member in connection with the Principal Agreement including any third party and any Vendor Affiliate, but excluding (a) employees of Vendor and independent contractors of Vendor closely integrated into Vendor’s organization; and

1.1.19 "Vendor Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3 The word "include" shall be construed to mean “include without limitation”, and cognate terms shall be construed accordingly.

2. Scope, Duration and Specification of Processing

2.1 The scope and duration and the detailed stipulations on the type and purpose of Processing, namely types and categories of personal data, categories of concerned data subjects as well as the extent and nature of the collection, processing and use of personal data under this Addendum shall be governed by the Main Principal Agreement (“Agreement”) described on the signature page of this Addendum.

2.2 The Addendum applies to all data processing operations conducted by the Vendor (Processor), its employees or sub contractors (as applicable) which may come into contact with personal data processed by the Vendor on behalf of the Company (Controller) as part of the provision of services under the Principal Agreement.

2.3 Company Group Members act as Controller and Vendor acts as Processor: Company Group Members (in this paragraph always including persons working for a Company Group Member) determine the purpose and means of processing: Company has full control over Company Personal Data. Within the limits of applicable law, Company Group Members have full access to all Company Personal Data. Vendor may notify and reject following an instruction to the extent Vendor has serious doubts such instruction would contravene applicable law. Vendor only accesses Company Personal Data for a Company Group Member and as directed by such (including via the apps and web interfaces). Company Group Members determine who uses the Service. Company Group Members determine how to use the Service and what to share with it. Company Group Member decides, how and when who receives coachings and what the coaching goals are. Company Group Members decide which devices are used for accessing the Service (for example, iOS or Android or Web Apps). Company Group Member is the benefactor of the Service - commercial and otherwise. Vendor doesn’t monetize Company Personal Data.

2.4 Special adjustments by Vendor regarding the means of Processing are generally available with possible impact on costs and time. Vendor reserves the right to reject request for special adjustments without reason, for example if they are incompatible with Vendor’s business.

2.5 Persons providing coaching services via the Service (“Coaches”) are Vendor’s freelancers and thus part of Vendor, not subprocessors (Art. 28 GDPR) or Third Persons (Art. 4.10 GDPR). This Addendum only applies to Coaches as a fallback in case and to the extent there is a final determination - not subject to appeal or preliminarily enforceable - that Coaches must be regarded as as Subprocessor or Third Persons. In this case, Coaches who provide Services to a Company Group Member automatically join this Addendum.We've confirmed there is a controller-processor-relationship between us with:

● European Data Protection Board guidance

● our data protection officer,

● our certification authority, and

● several attorneys

and last but not least of course

● our customers and their legal departments.

You (always including your employees, who will make some choices themselves) determine the purpose and means of processing:

● You have full control over your personal data. We only work as directed by you. Within the limits of the GDPR, you have full access to all personal data - we only access it for you and as directed by you (including via the apps and web interfaces).

● We generally don’t obtain justification for processing from your employees as we don’t have a direct legal or other relationship with your employees. We are generally a business to business service and not e.g. an employee benefit provider, which would typically directly charge the

employees.

● You determine who uses our services. You determine how to use the digital coaching platform and what to share with it.

● You decide, how and when you receive coachings and what the goals are. For example, you decide which devices you use for coaching.

● You are the benefactor of coachings - commercial and otherwise. We don't receive a commercial advantage from the personal data of your employees itself, but from your payments.

● If you need special adjustments regarding the means of processing, let us know. However, please be aware implementation of special adjustments in the means of processing will increase costs so we can remain profitable and will take additional time. Also, we reserve the right to reject request for special adjustments, for example if they are incompatible with our business.

In relation to the recent EDPB guidance on controllers and processors, we understand we would be considered processor and you controller:

Processor

● is who processes “personal data on behalf of the controller.”

● “The processor must not process the data otherwise than according to the controller’s instructions. (...) The controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organisational means.“

● Controller is who determines the means and purposes. Determine means to have “influence over the processing, by virtue of an exercise of decision-making power”, ‘e.g. "why is this processing taking place?” and “who decided that the processing should take place for a particular purpose?”’

● “In practice, certain processing activities can be considered as naturally attached to the role or activities of an entity ultimately entailing responsibilities from a data protection point of view. (....) for example an employer in relation to processing personal data about his employees”.

As reference, the ICO's gym printing example: "A gym engages a local printing company to produce invitations to a special event the gym is hosting. The gym gives the printing company the names and addresses of its members from its member database, which the printer uses to address the invitations and envelopes. The gym then sends out the invitations."

● You engage us to coach your employees. You give us names and addresses. We use that to coach employees.

● "The gym is the controller of the personal data processed in connection with the invitations. The gym determines the purposes for which the personal data is being processed (to send individually addressed invitations to the event) and the means of the processing (mail merging the personal data using the data subjects’ address details). The printing company is a processor processing the personal data only on the gym’s instructions."

● You are the controller for data processed in connection with the coaching. You determine the purposes for which the personal data is being processed (to coach your employees to help their personal development in the business context) and the means of the processing (web app, iPhone app, and/or Android app, number of sessions, session topics and so on). We are the processor processing the personal data only on your instructions."

Even in light of the recent Fashion ID case, Coachello is not controller for data processing, as we process personal data exclusively for your purposes. As comparison, the Fashion ID case:

Facebook makes money from advertizing by using personal data from third party web sites and Facebook pages. Facebook decides how and why it processes whose personal data. Facebook does not allow significant influence of other companies. Hence Facebook is controller for most processing.

In our case, you (and your employees, part of you) decide how and why we processes whose personal data.

● Facebook's customers are controllers for the purpose of allowing Facebook this processing. ● In our case, you are also the controller for the purpose of allowing us this processing. Without you, we would not coach your employees. We don't even offer that as an option.

3. Processing of Company Personal Data on behalf of the Company

3.1 The Vendor shall collect, process and use personal data only within the scope of the Principal Agreement and on the Company’s documented instructions. This shall not apply to backup copies where these are required to ensure proper data processing, or to any data required by the Vendor to comply with statutory obligations.

3.2 The Company’s instructions are defined in the Principal Agreement. Further than defined in the Principal Agreement, the Company is not entitled to issue additional instructions, unless the Vendor is able to carry out such instruction without unreasonable efforts and the Company pays compensation for these additional efforts according to the Vendor’s then current rates.

3.3 Additional Instructions must be issued by the Company and confirmed by the Vendor in writing.

3.4 The Vendor shall inform the Company immediately if he considers an instruction to violate applicable data protection laws. The Vendor shall then be entitled to suspend the execution of the relevant instructions until the Company confirms or changes them.

3.5 Each Company Group Member:

3.5.1 instructs Vendor and each Vendor Affiliate (and authorizes Vendor and each Vendor Affiliate to instruct each Subprocessor) to:

3.5.1.1 Process Company Personal Data; and

3.5.1.2 in particular, transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement;

3.5.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2.1 on behalf of each relevant Company Affiliate.

4. Vendor and Vendor Affiliate Personnel

4.1 Vendor warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.51 on behalf of each relevant Company Affiliate.

4.2 Vendor and each Vendor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings within the meaning of section 4.3 or professional or statutory obligations of confidentiality.

4.3 Vendor and each Vendor Affiliate shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements, which survive the termination of the personnel engagement.

5. Obligations of the Vendor (Processor)

5.1 The Company Group Member shall correct, delete or block personal data in the scope of this Addendum. Vendor shall take such action where the Company Group Members are unable and the Company issues such instruction. The Company shall compensate the Vendor for these efforts according to the Vendor’s then current rates.

5.2 The Vendor’s personnel engaged in performing processing operations under this Addendum have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work.

5.3 The Vendor shall notify the Company the point of contact listed in the Signature Page as Data Privacy and Data Protection Contact for all issues related to data privacy and protection within the scope of the Principal Agreement.

5.4 The Vendor shall periodically monitor the internal processes and the technical and organizational measures to ensure

that processing within his area of responsibility is in accordance with the applicable data protection laws.

5.5 Vendor shall reasonably support Company at the Company’s expense according to the then current rates of the Vendor on a time and material basis in complying with his obligations according to Articles 33 to 36 of the GDPR.

5.6 The Vendor will generally process personal data exclusively within a Member State of the EU, the EEA or Switzerland, except: Each and every transfer of data to a state which is not a Member State of either the EU, the EEA or Switzerland shall only occur if the specific conditions of Articles 44 et seq. GDPR have been fulfilled.

5.7 The Vendor will make available to the Company all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

6. Obligations of the Company

6.1 The Company shall ensure compliance with all applicable data protection laws, in particular with the GDPR.

6.2 The Company shall inform the Vendor immediately in case the Company detects any errors or irregularities of the data processing operations which affect the compliance with the applicable data protection laws.

7. Technical and Organizational Measures

7.1 Taking into account applicable EU Data Protection Laws, the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, the rights of the Data Subjects as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor and each Vendor Affiliate shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR (“TOMs”).

7.2 Company acknowledges and agrees that the technical and organizational provide a level of security appropriate to the risk in respect of the Company Personal Data.

7.3 The technical and organisational measures are subject to technical progress and further development. The Vendor may amend the technical and organizational measures, provided that the new measures do not fall short of the level of security provided by the specified measures.

7.4 Company Group Members in due time inform Vendor of unusual and potentially unexpected risks presented by Processing including the Processing of special categories of personal data (Art. 9 (1) GDPR), confidential information, or trade secrets.

8. Subprocessing

8.1 The Vendor may not subcontract any or a portion of the collection, processing and/or use of personal data to Subprocessors without the Company’s prior consent. .

8.2 The Vendor shall notify the Company about any substitution of or addition to the Subprocessors. The Company may object to a new Subprocessor on basis of reasonable grounds by notice to the Vendor in writing within fourteen (14) days as of the receipt of the Vendor’s notification. The notice shall include sufficient information on the reasonable grounds so that Vendor is able to evaluate whether it is able to address the concerns. If Vendor does not receive any notice within fourteen (14) days as of the receipt of the Vendor’s notification, this shall be deemed as consent of the Company.

8.3 If the Company objects to a substitute or additional subprocessor with reasonable ground, the Vendor is entitled to either address the concerns, or to inform the Company that the new Subprocessor will be added as originally proposed. In the latter case, the Company may terminate this Addendum by providing written notice to the Vendor.

8.4 In case of a termination of the Addendum by the Vendor or the Company in accordance with this section 8, the Principal Agreement shall terminate concurrently.

8.5  When engaging Subprocessors in the collection, processing and/or use of personal data on behalf of the Company, the

Vendor shall ensure the fulfilment of the following conditions:

8.5.1 The sub-processing contract of each Subprocessor must reflect comparable data protection obligations agreed between the Company and the Vendor in this Addendum;

8.5.2 The Vendor is responsible for the conduct and performance of each approved Subprocessor, and will be the Company’s sole point of contact regarding the processing of personal data by the Subprocessor.

8.5.3 The Vendor’s Subprocessors may further sub-contract any or a portion of the processing to a sub Subprocessor, subject to the Vendor’s express consent. The Subprocessor is responsible for the conduct and performance of each approved sub-Subprocessor, and the Vendor remains the Company’s sole point of contact regarding any portion of the Services performed by sub-Subprocessors.

9. Data Subject Rights

9.1 The Vendor is not obliged to directly respond to any enquiries of data subjects and shall refer such data subjects to the Company, if the information provided by the data subject suffices to identify the Company as the one the enquiry relates to. The foregoing applies accordingly, where a data subject requests the Vendor to correct, delete or block data.

9.2 If the Company is obliged to answer any data subjects’ enquiry related to the collection, processing and/or use of personal data, the Vendor shall reasonably support the Company in providing the required information. The Vendor shall only be obliged to provide the information upon the Company’s documented instruction, and where the Company reimburses the Vendor for the cost and expenses according to the then current rates of the Vendor incurred in providing such support. The Vendor shall not be liable if the Company fails to correctly or timely respond to the request of the concerned data subject, or if the Company does not respond to the data subject’s enquiries at all.

9.3 If claims pursuant to Art. 82 GDPR are brought by the data subject against the Vendor, the Company Group Members assist the Vendor’s defence against such claims.

10. Personal Data Breach

10.1 The Vendor shall notify the Company without undue delay if the Vendor becomes aware of any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data (“Personal Data Breach”. These incidents will not include unsuccessful attempts or activities that do not compromise the security of the Company Personal Data of Company, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. The Company instructs the Vendor to take all measures the Vendor deems necessary or helpful to secure the data processed on behalf of the Company and to minimize any possible adverse consequences to the data subject, and where the Company reimburses the Vendor for the cost and expenses according to the then current rates of the Vendor incurred in providing such support.

11. Data Protection Impact Assessment and Prior Consultation

Vendor and each Vendor Affiliate shall provide reasonable assistance to each Company Group Member with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required of any Company Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors, and where the Company reimburses the Vendor for the cost and expenses according to the then current rates of the Vendor incurred in providing such support.

12. Deletion or return of Company Personal Data

12.1 Subject to section 12.2 Vendor and each Vendor Affiliate shall promptly and in any event within 6 months of the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data.

12.2 Each Contracted Processor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Vendor and each Vendor Affiliate shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other

purpose.

13. Audit Rights

13.1 Company hereby consents to the appointment of an independent external auditor by Vendor, provided that Company reasonably requests an audit and Vendor provides a copy of the audit report to Company. Vendor shall be entitled to requesting remuneration for Vendor’s support in conducting inspections. Vendor’s time and effort for such inspections shall be limited to one day per calendar year, unless agreed upon otherwise.

13.2 Where a data protection supervisory authority or another supervisory authority with statutory competence for Company conducts an inspection, 13.1 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.

14. Restricted Transfers

14.1 Subject to section 14.3, each Company Group Member (as "data exporter") and each Vendor and Vendor Affiliate, as appropriate, (as "data importer") hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Company Group Member to that Vendor or Vendor Affiliate.

14.2 The Standard Contractual Clauses shall come into effect under section 14.1 on the later of: 14.2.1 the data exporter becoming a party to them;

14.2.2 the data importer becoming a party to them; and

14.2.3 commencement of the relevant Restricted Transfer.

14.3 Section 14.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps, which, for the avoidance of doubt, do not include obtaining, consents from Data Subjects, is to allow the relevant Restricted Transfer to take place without a significant breach of applicable Data Protection Law and in accordance with Art. 44 et seqq. GDPR.

15. Costs and Liability

15.1 Subject to the following provisions of this section, Vendor and Vendor Affiliates may charge a fee based on reasonable costs for its actions for a Company Group Member according to sections 9, 11 and 13.

15.2 Vendor and Vendor Affiliates may not charge a fee for deleting or returning data.

15.3 Vendor shall give Company Group Member reasonable notice of the expected costs.

15.4 All Company Group Members are responsible for fees charged under this Addendum.

15.5 Company and Vendor shall be liable to data subject in accordance with Article 82 of the GDPR. 16. California Consumer Privacy Act (CCPA)

16.1 “CCPA” shall mean the California Consumer Privacy Act, as amended, and any successor legislation. All terms defined in CCPA shall have the meaning set forth in CCPA. For purposes of CCPA, Vendor is the Service Provider and the Company is the Business.

16.2 Whereas “personal data” for purposes of CCPA, it also refers to “personal information”: (a) Service Provider receives the personal information from the Business for the business purpose, (b) Details of processing Data subjects and the details of the processing for CCPA, and (c) security measures described shall include those required of a Service Provider by CCPA.

16.3 For purposes of CCPA and to the extent the CCPA is applicable: (a) Service Provider will comply with all contractual restrictions of CCPA, and will not “sell” (as defined under CCPA) personal information, (b) Supplier shall retain, use or disclose such personal information only for the specific purpose of performing the services and within the direct business relationship with the Business.

17. General Terms

Miscellaneous

17.1 In the event of any contradictions, the provisions of this Addendum shall take precedence over the provisions of the Principal Agreement or other contractual agreements between Vendor and Company.

Governing law and jurisdiction

17.2 All contractual or other obligations arising out of or in connection with it are governed by French Law under exclusive jurisdiction and venue of the courts of Paris, France.

Order of precedence

17.3 In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

17.4 Subject to section 17.3, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including except where explicitly agreed otherwise in writing, signed on behalf of the parties agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

Severance

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Effective Date and Termination

17.5 The Addendum comes into force at the same time as the Principal Agreement. The Addendum stays in force until the end of the day on which all processing under the Principal Agreement has ceased. For sake of clarification, it shall not automatically terminate upon termination or expiration of a Principal Agreement unless all relevant processing has also been completed.

Immediate Intermediary Effect by Conclusive Conduct

17.6 Other than by signature or by incorporation into the Main Principal Agreement, the Addendum may come into force by conclusive conduct before the parties have formally signed the Addendum, if and to the extent processing of Personal Data regulated by this Addendum would be significantly less permissible under Applicable Laws without this Addendum.

17.6.1 Conclusive conduct under this clause may include

17.6.1.1 initial or continued Processing of Personal Data,

17.6.1.2 deletion of Personal Data,

17.6.1.3 use of Services,

17.6.1.4 Restricted Transfers, and

17.6.1.5 the request for or acceptance of any of the above,

if processing of Personal Data regulated by this Addendum would be less permissible under Applicable Laws without this Addendum and the party does clearly object to this clause.

17.6.2 Unless the Addendum comes into force sooner according to section 17.5, the Addendum shall come into force on the end of the day before a Vendor or Vendor Affiliate first Processed Personal Data falling under this Addendum.

17.6.3 Once the parties have finally negotiated and signed this Addendum or another data processing agreement to take the place of the Addendum, such agreement will retroactively replace this Addendum, unless otherwise agreed therein.

17.6.4 A terminated Addendum may become effective again according to this section 17.6.

17.6.5 The purpose of this clause is to minimize periods of unlawful processing of data in the interest of both parties. This clause shall be interpreted in the light of this purpose.

Electronic Signature

17.7 Notwithstanding section 17.6, the parties agree that the electronic signature of a party to this Addendum shall be as valid as an original signature of such party and shall be effective to bind such party to this Addendum or any related amendment, appendix or Order Form. The parties agree that any electronically signed document (including this Addendum) shall be deemed (i) to be "written" or "in writing," (ii) to have been signed and (iii) to constitute a record established and maintained in the ordinary course of business and an original written record when printed from electronic files.

Interpretation, Living Document

17.8 Any obligations arising out of this Addendum shall be interpreted in accordance with the purpose of the Addendum to require and facilitate compliance with Data Protection Laws. Where further actions are required for compliance with Data Protection Laws, the parties shall take all reasonable required measures in reasonable time.

IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above. The customer in the Principle Agreement is the Company and Coachello is the Vendor under this Addendum,