Data Processing Addendum
This Data Processing Addendum (“Addendum”) supplements the Master Services Agreement (the “Agreement”) between SkySpecs, Inc. and its Affiliates (as defined below) (“SkySpecs”) and Customer (“Customer”) (collectively, the “Parties”).
1. Definitions.
a) For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
b) “Affiliates” means any entity under the control of a Party where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity.
c) “Applicable Data Protection Law(s)” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”) and the Data Protection Act 2018 (together the “UK Privacy Laws”); and (v) the Swiss Federal Data Protection Act (“Swiss DPA”).
d) “Customer Personal Data” means any data (including personal data) submitted by or on behalf of Customer to the Services and the output of the Services that incorporates such content or data or is otherwise specific to Customer.
e) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
f) “Europe” means for the purposes of this DPA, the European Economic Area and/or its member states, the United Kingdom and/or Switzerland.
g) “Personal Data” shall have the meaning assigned to the terms “personal data”, “personal information”, or “personally identifiable information” under Applicable Data Protection Law(s), which SkySpecs processes as Customer Data on behalf of Customer under the Agreement.
h) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
i) “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
j) “Product Data Sheets” means the applicable document that describes the Processing activities in relation to the Service(s) supplied to Customer under this Agreement.
k) “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
l) “Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data or Personal Data transmitted, stored or otherwise processed by SkySpecs under this Addendum. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
m) “Services” means, unless otherwise defined in the Agreement, the SkySpecs services to which the Customer has subscribed under, and as more particularly described in, the Agreement.
n) “Standard Contractual Clauses” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 and currently located at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf (“EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”).
o) “Sub-processor” means any third party that has access to Personal Data and which is engaged by SkySpecs to assist in fulfilling its obligations with respect to providing the Services under the Agreement. Sub-processors may include SkySpecs Affiliates but shall exclude SkySpecs employees, contractors and consultants.
2. Subject Matter and Duration.
a) Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data or Personal Data in connection with SkySpecs’ execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
b) Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or, if it is completed after the Effective Date of the Agreement, upon the date on which both Parties have signed this Addendum. SkySpecs will Process Personal Data until the relationship terminates as specified in the Agreement. SkySpecs’ obligations and Customer’s rights under this Addendum will continue in effect so long as SkySpecs Processes Customer Personal Data.
3. Processing of Personal Data.
a) Permitted Purposes. SkySpecs shall process Personal Data in accordance with Customer’s documented lawful instructions, except where required by applicable law(s), and the applicable Product Data Sheets. For these purposes, Customer instructs SkySpecs to process Personal Data for the following purposes: (a) to perform any steps necessary for the performance of the Agreement; (b) to provide, maintain and improve the Services provided to Customer in accordance with the Agreement; (c) processing initiated by end users in their use of the Services; (d) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (including this DPA); and (e) to comply with SkySpecs’ legal obligations under applicable law, including Data Protection Law (collectively and individually, the “Permitted Purpose”).
b) Processing Instructions. The Parties agree that the Agreement (including this DPA), and Customer’s use of the Services in accordance with the Agreement, set out Customer’s complete and final processing instructions and any processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and SkySpecs. Customer shall ensure its instructions are lawful and that the processing of Personal Data in accordance with such instructions will not violate Data Protection Laws.
4. Customer Responsibilities.
a) Customer is responsible for determining whether the Services are appropriate for the storage and processing of Personal Data under Data Protection Law. Customer further agrees that: (a) it will comply with its obligations under Data Protection Law regarding its use of the Services and the processing of Personal Data; (b) it has provided notice and obtained all consents, permissions and rights necessary for SkySpecs and its Sub-processors to lawfully process Personal Data for the purposes contemplated by the Agreement (including this DPA); and (c) it will notify SkySpecs if it is unable to comply with its obligations under Data Protection Law or if its processing instructions will cause SkySpecs or its Sub-processors to be in breach of Data Protection Law.
b) Sub-processors. Customer acknowledges and agrees that SkySpecs may engage Sub-processors in order to provide the Services. Customer specifically authorizes the engagement of those Sub-processors listed at https://app.gitbook.com/o/-LDh5MHOfjTs3TcQFb0f/s/-MblJpd8vSYJpCD–9zc/sub-processors (or such other successor URL notified to Customer from time to time) (“Sub-Processor List”). SkySpecs will restrict Sub-processors’ access to Personal Data to what is necessary to assist SkySpecs in providing or maintaining the Services and will remain responsible for any acts or omissions of Sub-processors to the extent they cause SkySpecs to breach its obligations under this Addendum.
c) Right to Object. Prior to engaging any new Sub-Processor that Processes Customer Personal Data, SkySpecs will notify Customer via email and allow Customer thirty (30) days to object. If Customer has legitimate objections to the appointment of any new Sub-Processor, the Parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, Customer may terminate the part of the Services performed under the Agreement that cannot be performed by SkySpecs without use of the objectionable Sub-Processor.
d) Confidentiality. Any person or Sub-processor authorized to Process Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
5. Security Measures and Data Breach Response.
a) Security Measures. SkySpecs shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data from Security Incidents and preserve the security and confidentiality of Personal Data, in accordance with the measures described in Annex B (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that SkySpecs may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
b) Access and Confidentiality. SkySpecs restricts its personnel from processing Personal Data without authorization and shall ensure that any person who is authorized by SkySpecs to process Personal Data is under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
c) Customer Responsibilities. Notwithstanding the above, Customer is responsible for reviewing the information made available by SkySpecs relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Law. Customer further agrees that Customer is responsible for its secure use of the Services, including securing its account authentication credentials and taking any appropriate steps to back up any Personal Data processed in connection with the Services.
d) Security Incidents. Upon becoming aware of a Security Incident, SkySpecs shall notify Customer without undue delay and, where feasible, within seventy-two (72) hours. SkySpecs shall provide Customer with timely information relating to the Security Incident as it becomes known or is reasonably requested by Customer to fulfil its obligations under Data Protection Law. SkySpecs will also take reasonable steps to contain, investigate, and mitigate any Security Incident.
6. Audits.
a) Right to Audit; Permitted Audits. SkySpecs shall make available to Customer and its regulators all information necessary to demonstrate compliance with Applicable Data Protection Laws and this Addendum. Customer and its regulators shall have the right to inspect SkySpecs’ architecture, systems, and documentation which are relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator:
i) Following any notice from SkySpecs to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data;
ii) Upon Customer’s reasonable belief that SkySpecs is not in compliance with Applicable Data Protection Laws, this Addendum or its security policies and procedures under the Agreement;
iii) As required by governmental regulators;
iv) For any reason, or no reason at all, once annually.
b) Audit Terms. Any audits described in this Section shall be:
i) Conducted by Customer or its regulator, or through a third-party independent contractor selected by one of these parties, and to whom SkySpecs does not reasonably object.
ii) Conducted during reasonable times.
iii) Conducted upon reasonable advance notice to SkySpecs.
iv) Of reasonable duration and scope and shall not unreasonably interfere with SkySpecs’ day-to-day operations.
v) Conducted in such a manner that does not violate any agreement between SkySpecs and its service providers, including cloud providers, or violate or cause SkySpecs to violate its reasonable policies related to security and confidentiality.
c) Third Parties. In the event that Customer conducts an audit through a third-party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a nondisclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect SkySpecs’ and SkySpecs’ customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a nondisclosure agreement.
d) Audit Results. Upon SkySpecs’ request, after conducting an audit, Customer shall notify SkySpecs of the manner in which SkySpecs does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, SkySpecs shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six (6) months of SkySpecs’ notice of completion of any necessary changes. To the extent that a Customer audit identifies any material security vulnerabilities, SkySpecs shall promptly remediate those vulnerabilities.
7. International Transfers.
a) Customer acknowledges and agrees that SkySpecs may transfer and process Personal Data to and in the United States and the other locations in which SkySpecs, its Affiliates or its Sub-processors maintain data processing operations as more particularly described in the Sub-Processor List. SkySpecs shall ensure that such transfers are made in compliance with Data Protection Law and this DPA.
8. Deletion Requests.
a) Data Deletion. SkySpecs will abide by the following with respect to deletion of Customer Personal Data:
i) Within ninety (90) calendar days of the Agreement’s expiration or termination, SkySpecs will securely destroy (per subsection (iii) below) all copies of Customer Personal Data (including automatically created archival copies).
ii) Upon Customer’s request, SkySpecs will promptly return to Customer a copy of all Customer Personal Data within thirty (30) calendar days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above.
iii) All deletion of Customer Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.
iv) Tapes, printed output, optical disks, and other physical media will be physically destroyed by a secure method, such as shredding performed by a bonded provider.
v) Upon Customer’s request, SkySpecs will provide evidence that SkySpecs has deleted all Personal Data. The “Certificate of Deletion” of Personal Data described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided by SkySpecs to Customer only upon Customer’s written request.
b) Personal Data Inquiries and Requests. SkySpecs agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At Customer’s request and without undue delay, SkySpecs agrees to assist Customer in answering or complying with any Privacy Request in so far as it is possible.
9. Limitation of Liability.
a) Any claim or remedy Customer or its Affiliates may have against SkySpecs, its employees, agents and Sub-processors, arising under or in connection with this Addendum (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under and in connection with the Agreement and this Addendum together.
10. Cooperation.
a) Data subject requests. To the extent that Customer is unable to independently access the relevant Personal Data within the Services, SkySpecs shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer in responding to any requests from individuals relating to the processing of Personal Data under the Agreement. In the event that any such request is made to SkySpecs directly, SkySpecs shall promptly notify Customer and shall not respond to the request directly except to direct the data subject to the Customer without Customer’s prior authorization, unless and to the extent legally compelled to do so.
b) Law enforcement requests. If a law enforcement agency sends SkySpecs a demand for Personal Data (for example, through a subpoena or court order), SkySpecs will attempt to redirect the law enforcement agency to request that Personal Data directly from Customer. As part of this effort, SkySpecs may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then SkySpecs will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless SkySpecs is legally prohibited from doing so.
c) General cooperation. Each Party will reasonably cooperate with the other in any activities contemplated by this DPA and to enable each Party to comply with its respective obligations under Data Protection Law.
11. Europe.
a) To the extent that Personal Data is subject to European Data Protection Law, the terms in this Article 11 shall apply in addition to the terms in the remainder of this DPA.
b) Processing Instructions. Without prejudice to Section 3.3 (Customer Responsibilities), SkySpecs shall notify Customer in writing, unless prohibited from doing so under Data Protection Law, if it becomes aware or believes that any processing instructions from Customer violate European Data Protection Law.
c) Sub-processor Obligations. SkySpecs shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Personal Data than those required by this DPA (to the extent applicable, considering the nature of the services provided by the Sub-processor).
d) Application of the Standard Contractual Clauses. The Parties agree that when the transfer of personal data from Customer (as “data exporter”) to SkySpecs (as “data importer”) is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form a part of this DPA, as follows:
o the EU SCCs shall apply, completed as follows:
▪ Module Two (Controller to Processor) will apply;
▪ in Clause 7, the optional docking clause will not apply;
▪ in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 11.4 of this DPA;
▪ in Clause 11, the optional language will not apply;
▪ in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
▪ in Clause 18(b), disputes shall be resolved before the courts of Ireland;
▪ Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this DPA; and
▪ subject to section 5.3 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this DPA;
o in relation to transfers of Personal Data protected by the UK Privacy Laws or the Swiss DPA, the EU SCCs will also apply in accordance with paragraph (a) above, with the following modifications:
▪ references to “Regulation (EU) 2016/679” shall be interpreted as references to UK Privacy Laws or the Swiss DPA (as applicable);
▪ references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of UK Privacy Laws or the Swiss DPA (as applicable);
▪ references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to the “UK” or “Switzerland”, or “UK law” or “Swiss law” (as applicable);
▪ the term “member state” shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
▪ Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the United Kingdom Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable);
▪ references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland” (as applicable);
▪ in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
▪ with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”, and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland;
▪ unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such personal data in compliance with the UK Privacy Laws or Swiss DPA, in which case the UK SCCs or the Swiss SCCs (as applicable) shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs or the Swiss SCCs shall be populated using the information contained in Annexes A and B of this DPA (as applicable);
▪ it is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum), the Standard Contractual Clauses shall prevail to the extent of such conflict.
e) Data Protection Impact Assessments. To the extent SkySpecs is required under applicable European Data Protection Law, SkySpecs shall provide reasonably requested information regarding SkySpecs’ processing of Personal Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
12. General.
a) This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
b) In the event of a conflict between the Agreement and this DPA, this DPA shall control with respect to any terms as they relate to SkySpecs’ processing of any Personal Data. Each Party acknowledges that the other Party may disclose the Standard Contractual Clauses, this DPA and any privacy related provisions in the Agreement to any European or US regulator upon request.
c) Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
d) Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 3.2, SkySpecs may periodically make modifications to this DPA as may be required to comply with Data Protection Law.
e) The provisions of this DPA are severable. If any phrase, clause or provision or Annex (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA and the remainder of the Agreement shall remain in full force and effect.
f) This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Law.
Annex A

Annex A(1): List of parties

Data exporter
Name of the data exporter: The entity identified as the Customer in this DPA.
Address: The address for the Customer associated with its SkySpecs account or otherwise specified in this DPA or the Agreement.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or otherwise specified in this DPA or the Agreement.
Activities relevant to the data transferred: The activities specified in Annex A(2) below.
Role (Controller/Processor): Controller
Signature and date: See front end of this DPA.

Data importer
Name of the data importer: SkySpecs, Inc.
Address: 312 S. Ashley St., Ann Arbor, Michigan 48104
Contact person’s name, position and contact details: Hannah Pianko, Hannah.Pianko@skyspecs.com
Activities relevant to the data transferred: The activities specified in Annex A(2) below.
Role (Controller/Processor): Processor
Signature and date: See front end of this DPA.

Annex A(2): Description of the processing / transfer

Categories of Data Subjects whose Personal Data is transferred:
Current and former employees and other personnel of the Customer.

Categories of Personal Data transferred:
The types of Personal Data processed by SkySpecs are determined and controlled by the Customer in its sole discretion and may include, but are not limited to, the following categories of Personal Data:
● Contact information (name, email address)
● Professional data (employer, position, title)
● Tasks data (including date when task was created)

Sensitive Data Transferred (if appropriate) and applied Restrictions or Safeguards:
The types of Personal Data processed by SkySpecs are determined and controlled by the Customer in its sole discretion. SkySpecs does not intentionally collect any special categories of data in connection with the Services. Any sensitive data (if any) will be protected in accordance with the Security Measures described in Annex B of this DPA.

Frequency of the Transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Personal Data may be transferred on a continuous or one-off basis depending on the Customer’s use of the Services and the Customer’s processing instructions.

Subject matter of the processing:
The Personal Data.

Nature of the Processing:
The provision of the Services as described in the Agreement and initiated by the Customer from time to time.

Duration of the Processing:
The duration of the Agreement plus the period from the expiry of the Agreement until deletion of the Personal Data by Customer in accordance with the Agreement.

Purposes of the data transfer and further processing:
The Permitted Purposes (as defined in this DPA).

Period for which the Personal Data will be retained, or if that is not possible the criteria used to determine that period, if applicable:
The Customer determines the duration of processing in accordance with the Agreement and this DPA.

Annex A(3): Competent supervisory authority

Competent supervisory authority:
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
Annex B
Technical and Organizational Security Measures Implemented by SkySpecs
SkySpecs will implement and maintain technical and organizational measures appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. These measures shall ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation. The measures SkySpecs has taken include, as appropriate and without limitation:
1. Implementing an information security program including administrative, technical, and physical safeguards appropriate to the nature of the Personal Information and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to a customer, its clients or employees; and any anticipated threats or hazards to the security or integrity of such information;
2. Adopting and implementing written policies and reasonable procedures related to security;
3. Assigning responsibility for information security management and data protection;
4. Devoting adequate personnel resources to information security;
5. Using commercially reasonable efforts to ensure employees, vendors and others with access to Personal Data are subject to confidentiality obligations;
6. Conducting background checks on employees;
7. Conducting training to make employees and others with access to Personal Data aware of information security risks and to enhance compliance with policies and procedures related to data protection;
8. Preventing unauthorized access to Personal Data through the use, as appropriate, of physical and logical entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, logging, use of secure passwords or other access controls (including multi-factor authentication where feasible), encryption at rest and in transit, authentication technology, secure log-on procedures, and periodic monitoring of compliance with its policies and standards related to data protection. In particular, SkySpecs (or its service providers) has implemented, as appropriate and without limitation:
▪ Physical access control measures to prevent unauthorized access to data processing systems;
▪ Denial-of-use control measures to prevent unauthorized use of data processing systems by technical and organizational measures concerning user identification and authentication (e.g., automatically enforced password complexity (inter alia special characters, minimum length), automatic disabling (e.g., keyword or screensaver password activation) and change requirements);
▪ Role-based access controls, and monitoring of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access;
▪ Measures to ensure that data collected for different purposes can be processed separately including, as appropriate and without limitation, physical or adequate logical separation of client data (e.g., “internal client capability”/purpose limitation, separation of functions such as production and test);
▪ Commercially reasonable anti-virus and malware software for the detection of malicious code;
9. Incident/problem management procedures designed to allow SkySpecs to investigate, respond to, mitigate and notify of events related to SkySpecs technology and information assets;
10. Promptly responding to material vulnerabilities that SkySpecs becomes aware of through monitoring and public disclosure;
11. Conducting due diligence of vendors, service providers and other Sub-processors of Personal Data to ensure such parties implement and maintain adequate measures to protect Personal Data; and
12. Taking such other steps as may be appropriate under the circumstances.