Data Processing Addendum
This Data Processing Addendum (the “DPA”) supplements the Terms and Conditions including any related Order Form(s) (the “Agreement”) entered into by and between the customer identified on the Order Form (“Customer”) and Fauna Robotics Inc. (“Fauna”). This DPA incorporates the terms of the Agreement. Any capitalized terms that are used but not defined herein shall have the definitions set forth in the Agreement. Where there is a conflict between the Agreement and this DPA, this DPA will control. By executing the Agreement, the Parties are deemed to have entered into this DPA.
- Definitions.
- “Authorized Subprocessor” means a third-party entity engaged by Fauna to process Personal Data in order to provide the Services and that has been approved by Customer in accordance with Section 6.
- “Account Data” means personal data that relates to Fauna’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account.
- “Usage Data” means Service usage, performance, and diagnostic data collected and processed by Company in connection with the provision of the Services, including without limitation sensor data, battery data, data used to identify the source and destination of a communication, activity logs, and similar backend data about the use of the Services.
- “Consumer Request” means a request from a Consumer to exercise their rights over Personal Data afforded pursuant to Privacy Laws.
- “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing Personal Data. “Controller” includes the term “Business” or equivalent term under Privacy Laws.
- “Personal Data” means any information that relates to an identified or identifiable Consumer that is processed on behalf of Customer and constitutes “personal data,” “personal information,” or equivalent term under Privacy Laws.
- “Privacy Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the processing of Personal Data. Privacy Laws include, but are not limited to, U.S. state comprehensive privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), in each case as updated, amended or replaced from time to time. The terms “consumer,” “affiliates,” “business purpose,” “Controller,” “Personal Data Breach,” “Processor,” “process” or “processing,” “sell,” or “share,” shall have the meaning set forth for that or any equivalent term under Privacy Laws. For the avoidance of doubt, the terms “Controller” and “Processor” include “Business” and “Service Provider,” respectively, as defined in the CCPA.
- “Services” means the Products and services provided by Fauna to Customer pursuant to the Agreement.
- Description of Processing.
- Nature and Purpose of Processing: Except with respect to Account Data and Usage Data, Fauna shall process Personal Data provided by Customer under the Agreement as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.
- Duration of Processing: Fauna shall process Personal Data provided by Customer as long as required to provide the Services to Customer under the Agreement, or by applicable law or regulation.
- Categories of Consumers: The Consumers whose Personal Data Fauna processes are at the sole discretion of Customer.
- Categories of Personal Data: Fauna may process any Personal Data that Customer provides or is otherwise submitted to the Services by or on behalf of Customer.
- Customer’s Obligations. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Fauna to be in breach of the Privacy Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Fauna by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Fauna regarding the processing of such Personal Data. Customer shall not provide or make available to Fauna any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Fauna from all claims and losses in connection therewith.
- Use of Personal Data. Fauna shall not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data outside of Fauna’s direct business relationship with Customer or for any purpose other than to perform the Services and other obligations under the Agreement, which constitutes a business purpose under the Privacy Laws, except as otherwise permitted in the Agreement or by Privacy Laws; and (iii) combine Personal Data received from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another party or person, except as necessary to provide the Services or as otherwise instructed by Customer.
- Audit. To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Fauna shall either (i) make available for Customer’s review copies of certifications or reports demonstrating Fauna’s compliance with prevailing data security standards applicable to the processing of Personal Data provided by Customer under the Agreement, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third party representative to conduct an audit or assessment of Fauna’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Fauna’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Fauna for any time expended for on-site audits. To the extent permitted under Privacy Laws, if Customer determines that Fauna is processing Personal Data in an unauthorized manner, Customer may, taking into account the nature of Fauna’s processing and the nature of the Personal Data processed by Fauna on behalf of Customer, and upon providing prior written notice, take commercially reasonable and appropriate steps to stop and remediate such unauthorized processing.
- Authorized Subprocessors.
- A list of Fauna’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto (see Annex A), at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by Fauna from time to time. Fauna may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the processing of Personal Data, Fauna will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Fauna within ten (10) days of receipt of the aforementioned notice to Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. If Customer does not object during this period, that third party will be deemed an Authorized Subprocessor. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent Fauna from offering the Services to Customer.
- If Customer reasonably objects to an engagement in accordance with Section 6.1, and Fauna cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Fauna. Discontinuation shall not relieve Customer of any fees owed to Fauna under the Agreement.
- Fauna will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Fauna under this DPA with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with Fauna, Fauna will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.
- Confidentiality and Security of Personal Data.
- Fauna shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Fauna’s confidentiality obligations in the Agreement. Customer agrees that Fauna may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Customer.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Fauna shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data.
- Personal Data Breach.
- In the event of a Personal Data Breach, Fauna shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Fauna in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach, to the extent that remediation is within Fauna’s reasonable control.
- In the event of a Personal Data Breach, Fauna shall, taking into account the nature of the processing and the information available to Fauna, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Privacy Laws with respect to notifying (i) the relevant regulatory agency and (ii) Consumers affected by such Personal Data Breach without undue delay.
- The obligations described in Sections 8.1 and 8.2 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Fauna’s obligation to report or respond to a Personal Data Breach under Sections 8.1 and 8.2 will not be construed as an acknowledgement by Fauna of any fault or liability with respect to the Personal Data Breach.
- Data Protection Assessments. Taking into account the nature of Fauna’s processing and the information available to Fauna, Fauna shall reasonably cooperate with Customer to conduct any data protection or privacy impact assessments as required by Privacy Laws, including by providing Customer with information and documents necessary for such assessments that Customer cannot otherwise obtain without Fauna’s assistance. Notwithstanding the foregoing, Customer and Fauna each remain responsible only for the measures respectively allocated to them under Privacy Laws pertaining to any such assessment.
- Consumer Request. Fauna shall, to the extent permitted by Privacy Laws, notify Customer upon receipt of a Consumer Request. If Fauna receives a Consumer Request in relation to Personal Data, Fauna will advise the Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Consumer Requests communicated to Fauna, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.
- Return or Destruction of Personal Data. Upon the termination or expiration of the Agreement, at Customer’s choice, Fauna shall return or delete Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Fauna shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
- Fauna’s Role as a Controller. The parties acknowledge and agree that with respect to Account Data and Usage Data, Fauna is an independent Controller, not a joint Controller with Customer. Fauna will process Account Data and Usage Data as a Controller (i) to manage the relationship with Customer; (ii) to carry out Fauna’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Fauna is subject; and (vi) as otherwise permitted under Privacy Laws and in accordance with this DPA and the Agreement. Fauna may also process Usage Data as a Controller to provide, optimize, and maintain the Services, to the extent permitted by Privacy Laws. Any processing by Fauna as a Controller shall be in accordance with Fauna’s privacy policy.
| Name of Authorized Subprocessor | Description of processing | Country in which sub-processing will take place |
| --- | --- | --- |
| Datadog | Name of Authorized Subprocessor | USA |
| Google | Analytics, authentication, and robot data processing | USA |
| Microsoft | Authentication | USA |
