Global DPA Controller to Controller

This Data Processing Addendum (“DPA”) forms part of the Agreement. WHEREAS Quadient, on behalf of itself and its Affiliates (“Quadient”), and the counterparty agreeing to this Data Protection Addendum (“Company”) have entered into an agreement and/or signed an order form for the provision of the Controller Services, as amended from time to time (the “Agreement”). This Data Protection Addendum (“DPA”) is intended to comply with the parties’ obligations under Data Privacy Laws with respect to the Processing of Controller Personal Data pursuant to the Agreement. Quadient and Company are individually referred to as a “Party” or together as the “Parties”. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail.

1. DEFINITIONS.

a. “Adequate Country” means a country or territory that is recognized under EU Data Protection Law as providing adequate protection for Personal Data.

b. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with Quadient. “Control,” for purposes of this definition, means direct or indirect ownership or control of 50% or more of the voting interests of the subject entity or the ability to direct or control the management decisions of such entity.

c. “AI-enabled Processing” means any Processing activities performed by either Party in connection with the Agreement that involve an Artificial Intelligence System, including machine learning, automated decision-making, or generative AI. Each Party should remain responsible for assessing its own role under applicable artificial intelligence laws, including whether it acts as a provider, deployer, importer, distributor, or authorised representative in relation to any AI System used under the Agreement.

d. “Artificial Intelligence System” means a machine-based system designed to operate with varying levels of autonomy that may generate outputs such as predictions, recommendations, classifications, or content that can influence physical or virtual environments, as defined under applicable artificial intelligence laws and regulations, including the EU Artificial Intelligence Act where relevant.

e. “Business” or “Controller” means (i) the person or entity which determines the purposes and means of the Processing of Personal Data, and (ii) a person or entity defined as a “Controller”, “Business” or similar terms under Data Protection Laws.

f. “Controller Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the Agreement in connection with the providing Party’s provision or use (as applicable) of the Controller Services.

g. “Controller Services” means the services as described in the Agreement.

h. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, as defined by Decision (EU) 2023/1795 of the European Commission, and the Swiss-U.S. Data Privacy Framework as defined by the Federal Act on Data Protection (FADP), SR 235.1 and the Decision of the Swiss Federal Council dated 14 August 2024.

i. “Data Privacy Laws” shall mean all applicable laws governing the handling of Personal Data, including without limitation EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”).

j. “Data Subject” means a natural person to whom any Controller Personal Data pertains.

k. “EEA” means the European Economic Area.

l. “Personal Data” or the equivalent “personal information” means any information relating, directly or indirectly, to an identified or identifiable natural person or otherwise as defined in applicable Data Privacy Laws.

m. “Personal Data Breach” means unauthorized, accidental or unlawful Processing, access, loss, or disclosure of Controller Personal Data.

n. “Personnel” means all officers, directors and employees, independent contractors or service providers of a Party or its Affiliates.

o. “Process”, “Processing” and “Processed” mean any operation or set of operations which is performed on Controller Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

p. “Service Provider” or “Processor” shall mean an entity that Processes Personal Information on behalf of a Business or Controller.

q. “Third Party” shall have the meaning assigned to it under Data Privacy Laws.

r. “UK GDPR” means the UK General Data Protection Regulations 2018, Data Protection Act 1998 (collectively, “EU Data Protection Law”); the local law of the place(s) where Processing by a Party and its Personnel takes place; the California Consumer Privacy Act of 2018 (“CCPA”); the California Privacy Rights Act (the “CPRA”), in each case, all of the foregoing as and when applicable and as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries or jurisdictions.

2. Role of the Parties.

Each Party is an independent Controller of the Controller Personal Data that it collects or Processes pursuant to the Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Privacy Law. The Parties agree that they are not joint Controllers of any Controller Personal Data. Each Party will individually determine the purposes and means of its Processing of Controller Personal Data listed in Annex 1. For purposes of the CCPA, and other applicable Data Privacy Laws, each Party is considered to be a “Third Party”.

3. Obligations of the Parties.

a. Each Party should comply with all applicable requirements of Data Privacy Laws and, where relevant to any AI-enabled Processing under the Agreement, applicable artificial intelligence laws and regulations, including the EU Artificial Intelligence Act. Each Party represents and warrants at all times that: (i) it has the necessary right and authority to enter into this DPA and to perform its obligations herein; (ii) its execution and performance under this DPA and the Agreement will not violate any agreement to which it is a party; and (iii) it has provided all required information to Data Subjects including, where required, that Personal Data may be passed to third parties for the purposes of the Agreement.

b. Before deploying or materially changing any AI-enabled Processing in connection with the Agreement, each Party should assess whether the relevant use case could fall within a prohibited AI practice, a high-risk AI system category, or another regulated category under applicable AI law, and should document the outcome of that assessment.

c. Without limiting the foregoing, each Party will maintain a publicly accessible privacy policy on its website that is in compliance with Data Privacy Laws.

d. Where a Party uses an AI System to interact directly with individuals or to generate synthetic content in connection with the Agreement, that Party should provide notices or labels where required by applicable law so that affected persons are appropriately informed.

e. Each Party will notify the other Party in writing of any action or instruction of the other Party under this DPA or the Agreement which, in its opinion, infringes applicable Data Privacy Laws.

f. Subject to this DPA, each Party, acting as a Controller, may Process the Controller Personal Data in accordance with, and for the purposes permitted in, the Agreement (the “Permitted Purposes”).

g. A Party that has made Controller Personal Data available to the other Party under the Agreement (“Disclosing Party”) will have the right to: (i) take reasonable and appropriate steps to help ensure that such other Party (“Receiving Party”) uses such Controller Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Privacy Laws, and (ii) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of such Controller Personal Data under and as required by applicable Data Privacy Laws. Receiving Party will notify Disclosing Party if Receiving Party determines that it can no longer meet its obligations under applicable Data Privacy Laws. Receiving Party acknowledges and agrees that it is receiving Controller Personal Data only for the limited and specified purposes set forth in the Agreement. Receiving Party shall provide not less than the same level of privacy protection as is required by Data Privacy Laws for such Controller Personal Data.

4. Security and Confidentiality.

Each Party shall implement appropriate technical and organisational measures as defined in Annex II to protect the Controller Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction. In the event that a Party suffers a Personal Data Breach, it shall notify the other Party without undue delay, but in any event within seventy-two (72) hours of it confirming same, and both Parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Laws prior to notification of the other Party so long as the notifying Party provides notification to the other Party without undue delay. Each Party shall ensure that all of its Personnel who have access to and/or Process Controller Personal Data are obliged to keep the Controller Personal Data confidential.

5. Data Transfers.

5.1 Where the Controller Services involve the storage and/or Processing of Controller Personal Data which transfers Controller Personal Data out of the EU, European Economic Area, Switzerland, or the UK to a jurisdiction that is not an Adequate Country, and EU Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), both parties agree that such transfers shall be governed as follows:

(a) for data subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU (MODULE ONE: Transfer Controller to Controller) (the “EU SCC”). The parties agree to rely on appropriate data transfer mechanisms as required by Data Protection Laws, which may include the Data Privacy Framework, the Standard Contractual Clauses, or other legally recognized mechanisms. If a party is unable or becomes unable to comply with these requirements, Personal Data will only be Processed as permitted by Data Protection Laws. The parties shall work together to implement a data transfer mechanism to the extent required by Data Protection Laws with respect to Personal Data.

(b) In the event the Service is covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (i) the Data Privacy Frameworks; (ii) the applicable Standard Contractual Clauses; and, if neither of the preceding is applicable, then (iii) other alternative data Transfer Mechanisms permitted under Applicable Laws will apply.

(c) To the extent Quadient processes Personal Data originating from the EEA, United Kingdom, or Switzerland, Quadient declares that it is self-certified under the Data Privacy Frameworks and adheres to the Data Privacy Principles.

(d) Both Controllers agree that where a transfer of personal data occurs between two data Controllers within the meaning of Chapter V of Regulation (EU) 2016/679 and Chapter 12 of UK DPA 2018, the Controllers should use Module 1 of the standard contractual clauses as adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, and the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (2022), provided the conditions for the use of those standard contractual clauses are met. The applicable Standard Contractual Clauses and the UK Addendum are available at the following link: Standard Contractual Clauses | Quadient

6. Data Subject Requests.

Each Party will process its own requests from Data Subjects to exercise their rights. With respect to requests from, or on behalf of, Data Subjects relating to the Processing of Personal Data that is shared between the Parties, including requests to opt out from the Sale of Personal Information pursuant to CCPA, the parties will collaborate to honor such objections or opt-out requests.

7. Compliance Cooperation.

Both Parties agree to reasonably cooperate and assist each other in relation to any regulatory inquiry, complaint or investigation concerning the Controller Personal Data shared between the Parties.

8. Allocation of Costs.

Each Party shall perform its obligations under this DPA at its own cost, except as otherwise specified herein.

9. Liability.

The liability of the Parties under or in connection with this Agreement will be subject to the exclusions and limitations of liability in the Agreement.

10. Miscellaneous.

If any provision or condition of this DPA is held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. The provision or condition affected shall be construed to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the parties’ intentions, or if that is not possible, as if the invalid, unlawful or unenforceable part had never been contained in this DPA. This DPA shall be governed by and construed in accordance with the laws governing the Agreement, and any disputes shall be resolved by the courts agreed for resolution of disputes under the Agreement.

ANNEX I
A. LIST OF PARTIES

1. Name: Quadient
Address: as defined in the Agreement
Contact person’s name, position and contact details: privacyteam@quadient.com
Role: Controller (data exporter in case SCCs and UK Addendum are applicable)

2. Name: Company
Address: as defined in the Agreement
Contact person’s name, position and contact details: as designated in the Agreement
Activities relevant to the data transferred under these Clauses: as defined in the Agreement
Role: Controller (data importer in case SCCs and UK Addendum are applicable)

B. DESCRIPTION OF TRANSFER / PROCESSING ACTIVITIES

CATEGORIES OF DATA SUBJECTS. The personal data transferred concern the following categories of data subjects unless otherwise modified in the Agreement: a) leads, prospects, suppliers, and customers and their respective employees, agents, and end users; b) Quadient employees, agents, and end users as well as Quadient’s contractors.

CATEGORIES OF PERSONAL DATA PROCESSED. The personal data transferred concern the following categories of data unless otherwise modified in the Agreement: first and last name, contact information (email, phone, physical address), and financial data (bank account numbers).

SENSITIVE DATA (if appropriate). The personal data transferred concern the following categories of sensitive data: None.

FREQUENCY. The transfer of personal data will occur with the following frequency: periodically during the term of the Agreement until Supplier completes the Services for Quadient.

NATURE. The nature of the personal data transfer is as follows: Supplier will process Quadient Personal Data for the purposes of providing the Services and as set forth in the Agreement or DPA.

PURPOSES OF THE TRANSFER(S). The transfer is made for the following purposes: the transfer is intended to enable the relationship and performance of the Agreement between the parties.

ADDITIONAL USEFUL INFORMATION (storage limits and other relevant information). Any personal data transferred between the parties may only be retained for the period of time permitted under the Agreement between the parties.

For transfers to (sub)processors, the list of Subprocessors needs to be communicated by Supplier, also specifying subject matter, nature and duration of the processing: please check the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

France’s Commission Nationale de l’Informatique et des Libertés.

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Notwithstanding any additional measures agreed to in the Main Contract, both Parties agree to implement and maintain for both Corporate and Customer Data (‘Data’) the following security measures, which, in conjunction with the security commitments in this Data Processing Agreement (‘DPA’) (including the GDPR Terms), are each Party’s only responsibility with respect to the security of that Data.


Organization of Information Security

Security Responsibility. Each Party shall appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures.

Security Roles and Responsibilities. Each Party’s personnel with access to Data shall be subject to confidentiality obligations.

Risk Management Program. Each Party shall perform a risk assessment before processing the Data or launching the corresponding service.

Each Party shall retain its security documents pursuant to its retention requirements after they are no longer in effect.

Asset Management

Asset Inventory. Each Party shall maintain an inventory of all assets on which Data is stored. Access to the inventories of such assets shall be restricted to personnel authorized in writing to have such access.

Asset Handling

- Each Party shall classify Data to help identify it and to allow for access to it to be appropriately restricted.

- Each Party shall impose restrictions on printing Data and shall have procedures for disposing of printed materials that contain Data.

- Each Party’s personnel shall obtain internal authorization prior to storing Data on portable devices, remotely accessing Data, or processing Data outside its facilities.

Human Resources Security

Security Training. Each Party shall inform its personnel about relevant security procedures and their respective roles. Each Party shall also inform its personnel of possible consequences of breaching the security rules and procedures.

Physical and Environmental Security

Physical Access to Facilities. Each Party shall limit access to facilities where information systems that process Data are located to identified authorized individuals.

Protection from Disruptions. Each Party shall use a variety of industry standard systems to protect against loss of Data due to power supply failure or line interference.

Component Disposal. Data Processor shall use industry standard processes to delete Data when it is no longer needed.

Communications and Operations Management

Operational Policy. Each Party shall maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Data.

Data Recovery Procedures

- On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), each Party shall maintain multiple backups of Data from which such data can be recovered.

- Each Party shall store backups of Data and data recovery procedures in a different place from where the primary computer equipment processing the Data is located.

- Each Party shall have specific procedures in place governing access to backups of Data.

- Each Party shall log data restoration efforts, including the person responsible, the description of the restored Data and, where applicable, which Data (if any) had to be input manually in the data recovery process.

Malicious Software. Each Party shall have anti-malware controls to help avoid malicious software gaining unauthorized access to Data, including malicious software originating from public networks.

Data Beyond the Limits of the Information System

- Each Party shall encrypt Data that is transmitted over public networks.

- Each Party shall restrict access to Data stored on media leaving its facilities.

Event Logging. Each Party shall log access to and use of information systems containing Data, registering the access ID, time, authorization granted or denied, and relevant activity.

AI Security Measures (where applicable). Where either Party uses an AI System in connection with the Agreement, that Party should implement and maintain controls proportionate to the relevant use case and legal risk, which may include: (i) an assessment of whether the use may fall within a prohibited practice, a high-risk AI system, or another regulated category under applicable AI law; (ii) appropriate human oversight measures; (iii) logging and recordkeeping sufficient to support compliance review and incident investigation; (iv) output validation measures proportionate to the impact of the use; (v) escalation procedures for AI-related incidents, errors, or security events; and (vi) user-facing disclosures where required by law.

Access Control

Access Policy. Each Party shall maintain a record of security privileges of individuals having access to Data.

Access Authorization

- Each Party shall maintain and update a record of personnel authorized to access its systems that contain Data.

- Each Party shall deactivate authentication credentials that have not been used for a period of time not to exceed six months.

- Each Party shall identify those personnel who may grant, alter or cancel authorized access to Data and resources.

- Each Party shall ensure the individuals have separate identifiers/log-ins.

Need to Know

- Technical support personnel are only permitted to have access to Data when needed.

- Each Party shall restrict access to Data to only those individuals who require such access to perform their job function.

Integrity and Confidentiality

- Each Party shall instruct its personnel to disable administrative sessions when leaving premises under its control or when computers are otherwise left unattended.

- Each Party shall store passwords in a way that makes them unintelligible while they are in force.

Authentication

- Each Party shall use industry standard practices to identify and authenticate users who attempt to access information systems.

- Where authentication mechanisms are based on passwords, each Party shall require that the passwords are renewed regularly.

- Where authentication mechanisms are based on passwords, each Party shall require the password to be at least eight characters long.

- Each Party shall ensure that de-activated or expired identifiers are not granted to other individuals.

- Each Party shall monitor repeated attempts to gain access to the information system using an invalid password.

- Each Party shall maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.

- Each Party shall use industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
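The Access Authorization, Authentication and Event Logging measures above state concrete, checkable parameters. The following added example (written for this page, not Quadient's own tooling) maps them onto account and log records: the eight-character minimum, the six-month inactivity rule, monitoring of repeated invalid-password attempts and the required event-log fields come from Annex II; the record shapes, the 182-day reading of "six months", the five-attempts-in-fifteen-minutes review threshold and the sample log are assumptions made here.

```python
"""Checks mapping the Annex II access-control, authentication and event-logging
measures onto account and log records. Added illustration; the constants marked
"assumed" and the record layout are choices made for this example, the rest
restates the measures as written in the DPA."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_PASSWORD_LENGTH = 8                 # Annex II, Authentication: at least eight characters
MAX_INACTIVITY = timedelta(days=182)    # Annex II, Access Authorization: "not to exceed six months" (182 days assumed)
FAILURE_THRESHOLD = 5                   # assumed: review after 5 denied logins ...
FAILURE_WINDOW = timedelta(minutes=15)  # assumed: ... within 15 minutes


@dataclass(frozen=True)
class AccessEvent:
    """One event-log entry carrying the fields Annex II requires to be registered."""
    access_id: str    # separate identifier per individual
    time: datetime    # timezone-aware timestamp
    granted: bool     # authorization granted or denied
    activity: str     # e.g. "login", "export"


def validate_event(ev: AccessEvent) -> list[str]:
    """Return the required event-log fields that are missing or malformed."""
    problems = []
    if not ev.access_id:
        problems.append("access_id")
    if ev.time.tzinfo is None:
        problems.append("time (missing timezone)")
    if not ev.activity:
        problems.append("activity")
    return problems


def password_meets_minimum(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LENGTH


def credentials_to_deactivate(last_used: dict[str, datetime], now: datetime) -> list[str]:
    """Access IDs whose credentials have gone unused longer than the permitted period."""
    return sorted(uid for uid, ts in last_used.items() if now - ts > MAX_INACTIVITY)


def repeated_invalid_attempts(events: list[AccessEvent]) -> dict[str, datetime]:
    """Access IDs with FAILURE_THRESHOLD denied logins inside FAILURE_WINDOW,
    mapped to the time at which the threshold was reached."""
    denied = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        if ev.activity == "login" and not ev.granted:
            denied[ev.access_id].append(ev.time)
    flagged = {}
    for uid, times in denied.items():
        # sliding window: the k-th failure and the one FAILURE_THRESHOLD-1 before it
        for i in range(FAILURE_THRESHOLD - 1, len(times)):
            if times[i] - times[i - FAILURE_THRESHOLD + 1] <= FAILURE_WINDOW:
                flagged[uid] = times[i]
                break
    return flagged


def sample_events() -> list[AccessEvent]:
    """Constructed log: bob fails five logins in eight minutes, alice twice an hour apart."""
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    def at(k): return t0 + timedelta(minutes=k)
    events = [AccessEvent("bob", at(2 * k), False, "login") for k in range(5)]
    events += [AccessEvent("alice", at(0), False, "login"),
               AccessEvent("alice", at(60), False, "login"),
               AccessEvent("alice", at(61), True, "login"),
               AccessEvent("carol", at(5), True, "export")]
    return events
```

Run against the constructed log, only bob is flagged for review; alice's two failures fall outside the window and her later login succeeds.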

Network Security. Each Party shall have controls to avoid individuals assuming access rights they have not been assigned to gain access to Data they are not authorized to access.

Information Security Incident Management

Incident Response Process

- Each Party shall maintain a record of security breaches with a description of the breach, the time period, the consequences of the breach, the source of the reporting, and the main mitigation and recovery actions.

- For each breach that is a Security Incident, notification by Data Processor to Data Controller shall be made without undue delay.

Service Monitoring.

- Each Party’s operations personnel shall verify logs on a regular basis to propose remediation efforts if necessary.

Business Continuity Management

- Data Processor shall maintain emergency and contingency plans for the facilities in which its information systems that process Data are located.

- Data Processor’s redundant storage and its procedures for recovering data shall be designed to attempt to reconstruct Data in its original or last-replicated state from before the time it was lost or destroyed.