2.3 Service Provider’s Processing of Personal Data. Effective as of 25 May 2018, RELAYTO LIMITED shall Process Personal Data in accordance with the GDPR requirements directly applicable to RELAYTO LIMITED’s provision of its Services. Personal Data shall be considered Customer’s Confidential Information under the Agreement. RELAYTO LIMITED shall only Process Personal Data on behalf of and in accordance with Customer’s instructions set forth in this DPA and the Agreement for the following purposes: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Users in their use of the Services; and (c) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. The subject-matter and purpose of Processing of Personal Data by RELAYTO LIMITED is solely so RELAYTO LIMITED can provide the Services to Customer pursuant to the Agreement. 2.4 Personnel. RELAYTO LIMITED shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written industry standard confidentiality agreements. RELAYTO LIMITED shall ensure that RELAYTO LIMITED’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement. RELAYTO has implemented a formal training program as part of the onboarding process, which includes a dedicated section on cybersecurity & information security to ensure all RELAYTO developers are informed and aligned with our security policies and practices. 2.5 Data Protection Officer. RELAYTO LIMITED has appointed a data protection officer. The appointed person may be reached at [email protected] 3. Rights of data subjects RELAYTO LIMITED shall, to the extent legally permitted, promptly notify Customer if RELAYTO LIMITED receives a request from a Data Subject to exercise the Data Subject’s under the GDPR (“Data Subject Request”). Taking into account the nature of the Processing, RELAYTO LIMITED shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, RELAYTO LIMITED shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent RELAYTO LIMITED is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from RELAYTO LIMITED’s provision of such assistance. 18 of 54