Alira Data Processing Addendum (EU/UK)

1. Overview

1.1 This Addendum describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Subscriber Data (as defined below). This Addendum will be effective on the Addendum Effective Date (as defined below) and will replace any terms previously applicable to the processing and security of Subscriber Data. Capitalized terms used but not defined in this Addendum have the meaning given to them in the SaaS Terms.

2. Definitions and Interpretation

2.1 In this Addendum:

1. “Addendum Effective Date” means the later of the date on which Subscriber accepted, or the parties otherwise agreed to, this Addendum.
2. “Additional Security Controls”means security resources, features, functionality, and controls that Subscriber may use at its option and as it determines, including the encryption, logging and monitoring, identity and access management, security scanning, and firewalls.
3. “Agreement” means the agreement under the SaaS Terms.
4. “Applicable Privacy Law” means, as applicable to the processing of Subscriber Personal Data, any national, federal, European Union, state, provincial or other privacy, data security, or data protection law or regulation. For clarity, Applicable Privacy Laws include but are not limited to the laws mentioned in Appendix 2 (Specific Privacy Laws).
5. “Audited Services”means the then-current Services indicated as being in-scope
6. “Data Incident” means a breach of Kocho’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Subscriber Data on systems managed by or otherwise controlled by Kocho.
7. “EMEA”means Europe, the Middle East and Africa.
8. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
9. “European Data Protection Law” means the GDPR.
10. “European Law” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Subscriber Personal Data); or (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Subscriber Personal Data).
11. “GDPR” means, as applicable: (a) the EU GDPR; or (b) the UK GDPR.
12. “Kocho’s Third-Party Auditor” means a Kocho-appointed, qualified and independent third-party auditor, whose then-current identity Kocho will disclose to the Subscriber.
13. “Instructions” has the meaning given in Section 5.2 (Compliance with Subscriber’s Instructions).
14. “Notification Email Address” means the email address(es) designated by the Subscriber in the Admin Console or Order Form to receive certain notifications from Kocho.
15. “Security Documentation” means the Compliance Certifications and the SOC Reports.
16. “Security Measures” has the meaning given in Section 7.1.1 (Kocho’s Security Measures).
17. “Services” means the applicable services defined in the Agreement.
18. “SOC Reports” has the meaning given in Section 7.4 (Compliance Certifications and SOC Reports).
19. “Subscriber Data”, has the meaning given in the Agreement.
20. “Subscriber Personal Data” means the personal data contained within the Subscriber Data, including any special categories of personal data or sensitive data defined under Applicable Privacy Law.
21. “Sub-processor” means a third party authorized as another processor under this Addendum to process Subscriber Data in order to provide parts of the SaaS and Services.
22. “Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; or (b) the “Commissioner” as defined in the UK GDPR.
23. “Term” means the period from the Addendum Effective Date until the end of Kocho’s provision of SaaS and the Services, including, if applicable, any period during which provision of SaaS and/or the Services may be suspended and any post-termination period during which Kocho may continue providing SaaS and/or the Services for transitional purposes.
24. “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

2.2 The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” as used in this Addendum have the meanings given by Applicable Privacy Law or, absent any such meaning or law, by GDPR.

2.3 The terms “data subject”, “controller” and “processor” include “consumer”, “business”, and “service provider”, respectively, as required by Applicable Privacy Law.

2.4 Order of Precedence. To the extent of any conflict between:

1. Appendix 2 (Specific Privacy Laws) and the remainder of the Addendum, Appendix 2 will prevail; and
2. this Addendum and the remainder of the Agreement, this Addendum will prevail.

2.5 For clarity, if Subscriber has more than one Agreement, this Addendum will amend each of the Agreements separately.

2.6 Section References. Unless indicated otherwise, section references in any Appendix to this Addendum refer to sections of these terms of the Addendum.

3. Duration

3.1 Regardless of whether the applicable Agreement has terminated or expired, this Addendum will remain in effect until, and automatically expire when, all Subscriber Data is deleted as described in this Addendum.

4. Roles; Legal Compliance

4.1 Roles of Parties. Kocho is a processor and Subscriber is a controller or processor, as applicable, of Subscriber Personal Data.

4.2 Processing Summary. The subject matter and details of the processing of Subscriber Personal Data are described in Appendix 1 (Subject Matter and Details of Data Processing).

4.3 Compliance with Law. Each party will comply with its obligations related to the processing of Subscriber Personal Data under Applicable Privacy Law.

4.4 Additional Legal Terms. To the extent the processing of Subscriber Personal Data is subject to an Applicable Privacy Law described in Appendix 2 (Specific Privacy Laws), the corresponding terms in Appendix 2 will apply in addition to these terms and prevail as described in Section 2.4 (Precedence).

5. Data Processing

5.1 Subscriber as Processor. If Subscriber is a processor:

1. Subscriber warrants on an ongoing basis that the relevant third-party controller has authorized:
   • the Instructions;
   • Subscriber’s engagement of Kocho as another processor; and
   • Kocho’s engagement of Sub-processors as described in Section 11 (Sub-processors).
2. Subscriber will forward to the third-party controller promptly and without undue delay any notice provided by Kocho under Section 7.2.1 (Incident Notification), 9.2.1 (Responsibility for Requests), or 11.4 (Opportunity to Object to Sub-processors); and
3. Subscriber may make available to the third-party controller any other information made available by Kocho under this Addendum about the locations of data centers where Subscriber Data is stored or the names, locations and activities of Sub-processors.

5.2 Compliance with Subscriber’s Instructions. Subscriber instructs Kocho to process Subscriber Data in accordance with the applicable Agreement (including this Addendum) only as follows:

1. to provide, secure, and monitor SaaS and the Services; and
2. as further specified via:
   • Subscriber’s use of SaaS and/or the Services; and

5.3 Any other written instructions given by Subscriber and acknowledged by Kocho as constituting instructions under this Addendum

(collectively, the “Instructions”).

1. Kocho will comply with the Instructions unless prohibited by UK Law, where UK Data Protection Law applies, or prohibited by applicable law, where any other Applicable Privacy Law applies.

6. Data Deletion

6.1 Deletion by Subscriber. Kocho will accept requests from Subscriber to delete Subscriber Data during the Term in a manner consistent with the functionality of SaaS and the Services. If Subscriber uses SaaS functionality and/or the Services to delete any Subscriber Data during the Term and that Subscriber Data cannot be recovered by Subscriber, this use will constitute an Instruction to Kocho to delete the relevant Subscriber Data from SaaS and Kocho’s systems (if applicable). Kocho will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless UK Law requires storage, where UK Data Protection Law applies, or applicable law requires storage, where any other Applicable Privacy Law applies.

6.2 Return or Deletion When Term Ends. If Subscriber wishes to retain any Subscriber Data after the end of the Term, it may instruct Kocho in accordance with Section 9.1 (Access; Rectification; Restricted Processing; Portability) to return that data during the Term. Subject to Section 6.3 (Deferred Deletion Instruction), Subscriber may instruct Kocho to delete all remaining Subscriber Data (including existing copies) from SaaS and/or Kocho’s systems (if applicable) at the end of the Term. After a recovery period of up to 30 days from that date, Kocho will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless UK Law requires storage, where UK Data Protection Law applies, or applicable law requires storage, where any other Applicable Privacy Law applies.

6.3 Deferred Deletion Instruction. To the extent any Subscriber Data covered by the deletion instruction described in Section 6.2 (Return or Deletion When Term Ends) is also processed, when the applicable Term under Section 6.2 expires, in relation to an Agreement with a continuing Term, such deletion instruction will take effect with respect to such Subscriber Data only when the continuing Term expires. For clarity, this Addendum will continue to apply to such Subscriber Data until its deletion by Kocho.

7. Data Security

7.1 Kocho’s Security Measures, Controls and Assistance.
7.1.1 Kocho’s Security Measures. Kocho will implement and maintain appropriate technical, organizational, and physical measures to protect Subscriber Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (the“Security Measures”). The Security Measures include measures to encrypt Subscriber Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Kocho’s systems and services; to help restore timely access to Subscriber Data following an incident; and for regular testing of effectiveness. Kocho may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of SaaS and/or the Services.

7.1.2 Access and Compliance. Kocho will:

1. authorize its employees, contractors and Sub-processors to access Subscriber Data only as strictly necessary to comply with Instructions;
2. take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance; and
3. ensure that all persons authorized to process Subscriber Data are under an obligation of confidentiality.

7.1.3 Additional Security Controls. Kocho will make Additional Security Controls available to:

1. allow Subscriber to take steps to secure Subscriber Data; and
2. provide Subscriber with information about securing, accessing and using Subscriber Data.

7.2 Kocho’s Security Assistance. Kocho will (taking into account the nature of the processing of Subscriber Personal Data and the information available to Kocho) assist Subscriber in ensuring compliance with its (or, where Subscriber is a processor, the third-party controller’s) obligations relating to security and personal data breaches under Applicable Privacy Law, by:

1. implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Kocho’s Security Measures);
2. making Additional Security Controls available in accordance with Section 7.1.3 (Additional Security Controls);
3. complying with the terms of Section 7.2 (Data Incidents);
4. making the Security Documentation available in accordance with Section 7.5.1 (Reviews of Security Documentation) and providing the information contained in the applicable Agreement (including this Addendum); and
5. if subsections (a)-(d) above are insufficient for Subscriber (or the third-party controller) to comply with such obligations, upon Subscriber’s request and cost, providing Subscriber with additional reasonable cooperation and assistance.

7.3 Data Incidents.
7.3.1 Incident Notification. Kocho will notify Subscriber promptly and without undue delay after becoming aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Subscriber Data.

7.3.2 Details of Data Incident. Kocho’s notification of a Data Incident will describe: the nature of the Data Incident including the Subscriber resources impacted; the measures Kocho has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Kocho recommends that Subscriber take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Kocho’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

7.3.3 No Assessment of Subscriber Data by Kocho. Kocho has no obligation to assess Subscriber Data in order to identify information subject to any specific legal requirements.

7.3.4 No Acknowledgement of Fault by Kocho. Kocho’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Kocho of any fault or liability with respect to the Data Incident.

7.4 Subscriber’s Security Responsibilities and Assessment.
7.4.1 Subscriber’s Security Responsibilities. Without prejudice to Kocho’s obligations under Sections 7.1 (Kocho’s Security Measures, Controls and Assistance) and 7.2 (Data Incidents), and elsewhere in the applicable Agreement, Subscriber is responsible for its use of SaaS and/or the Services and its storage of any copies of Subscriber Data outside Kocho’s or Kocho’s Sub-processors’ systems, including:

1. using the Services and Additional Security Controls to ensure a level of security appropriate to the risk to the Subscriber Data;
2. securing the account authentication credentials, systems and devices Subscriber uses to access SaaS and/or the Services; and
3. backing up or retaining copies of its Subscriber Data as appropriate.

7.4.2 Subscriber’s Security Assessment. Subscriber agrees that SaaS, the Services, Security Measures, Additional Security Controls, and Kocho’s obligations under this Section 7 (Data Security) provide a level of security appropriate to the risk to Subscriber Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Subscriber Data as well as the risks to individuals).

7.5 Compliance Certifications and SOC Reports. Kocho will maintain at least the following for the Audited Services to verify the continued effectiveness of the Security Measures:

1. certificates for ISO 27001 and any additional certifications as Kocho may deem fit (the “Compliance Certifications”); and
2. SOC 2 and SOC 3 reports produced by Kocho’s Third-Party Auditor and updated annually based on an audit performed at least once every 12 months (the “SOC Reports”).

Kocho may add or modify standards at any time. Kocho may replace a Compliance Certification or SOC Report with an equivalent or enhanced alternative.

7.6 Reviews and Audits of Compliance.
7.6.1 Reviews of Security Documentation. To demonstrate compliance by Kocho with its obligations under this Addendum, Kocho will make the Security Documentation available for review by Subscriber and, if Subscriber is a processor, allow Subscriber to request access to the SOC Reports for the third-party controller in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits).

7.6.2 Subscriber’s Audit Rights.

1. Subscriber Audit.Kocho will, if required under Applicable Privacy Law, allow Subscriber or an independent auditor appointed by Subscriber (not being a competitor of Kocho) to conduct audits (including inspections) to verify Kocho’s compliance with its obligations under this Addendum in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits). During an audit, Kocho will reasonably cooperate with Subscriber or its auditor as described in this Section 7.5 (Reviews and Audits of Compliance).
2. Subscriber Independent Review. Subscriber may conduct an audit to verify Kocho’s compliance with its obligations under this Addendum by reviewing the Security Documentation (which reflects the outcome of audits conducted by Kocho’s Third-Party Auditor).

7.6.3 Additional Business Terms for Reviews and Audits.

1. Subscriber must contact Kocho’s Application Team to request:
   • access to the SOC Reports for a third-party controller under Section 7.5.1 (Reviews of Security Documentation); or
   • an audit under Section 7.5.2(a) (Subscriber Audit).
2. Following a Subscriber request under Section 7.5.3(a), Kocho and Subscriber will discuss and agree in advance on:
   • security and confidentiality controls applicable to any access to the SOC Reports by a third-party controller under Section 7.5.1 (Reviews of Security Documentation); and
   • the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.5.2(a) (Subscriber Audit).
3. Kocho may charge a fee (based on Kocho’s reasonable costs) for any audit under Section 7.5.2(a) (Subscriber Audit). Kocho will provide Subscriber with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Subscriber will be responsible for any fees charged by any auditor appointed by Subscriber to execute any such audit.
4. Kocho may object in writing to an auditor appointed by Subscriber to conduct any audit under Section 7.5.2(a) (Subscriber Audit) if the auditor is, in Kocho’s reasonable opinion, not suitably qualified or independent, a competitor of Kocho, or otherwise manifestly unsuitable. Any such objection by Kocho will require Subscriber to appoint another auditor or conduct the audit itself.
5. Any Subscriber requests under Appendix 2 (Specific Privacy Laws) for access to any SOC reports for a third-party controller or for audits will also be subject to this Section 7.5.3 (Additional Business Terms for Reviews and Audits).

8. Impact Assessment and Consultations

8.1 Kocho will (taking into account the nature of the processing and the information available to Kocho) assist Subscriber in ensuring compliance with its (or, where Subscriber is a processor, the third-party controller’s) obligations relating to data protection assessments, risk assessments, prior regulatory consultations or equivalent procedures under Applicable Privacy Law, by:

1. making Additional Security Controls available in accordance with Section 7.1.3 (Additional Security Controls) and the Security Documentation available in accordance with Section 7.5.1 (Reviews of Security Documentation);
2. providing the information contained in the applicable Agreement (including this Addendum); and
3. if subsections (a) and (b) above are insufficient for Subscriber (or the third-party controller) to comply with such obligations, upon Subscriber’s request and cost, providing Subscriber with additional reasonable cooperation and assistance.

9. Access; Data Subject’s Rights; Data Export

9.1 Access; Rectification; Restricted Processing; Portability. During the Term, Kocho will enable Subscriber, in a manner consistent with the functionality of the Services, to access, rectify and restrict processing of Subscriber Data, including via the deletion request facility provided by Kocho as described in Section 6.1 (Deletion by Subscriber), and to export Subscriber Data. If Subscriber becomes aware that any Subscriber Personal Data is inaccurate or outdated, Subscriber will be responsible for using such functionality to rectify or request deletion of that data if required by Applicable Privacy Law.

9.2 Data Subject Requests.
9.2.1 Responsibility for Requests. During the Term, if Kocho’s Application Team receives a request from a data subject that relates to Subscriber Personal Data and identifies Subscriber, Kocho will:

1. advise the data subject to submit their request to Subscriber;
2. promptly notify Subscriber; and
3. not otherwise respond to that data subject’s request without authorization from Subscriber.

Subscriber will be responsible for responding to any such request including, where necessary, by using the functionality of SaaS or the Services.

9.2.2 Kocho’s Data Subject Request Assistance. Kocho will (taking into account the nature of the processing of Subscriber Personal Data) assist Subscriber in fulfilling its (or, where Subscriber is a processor, the third-party controller’s) obligations under Applicable Privacy Law to respond to requests for exercising the data subject’s rights by:

1. making Additional Security Controls available in accordance with Section 7.1.3 (Additional Security Controls);
2. complying with Sections 9.1 (Access; Rectification; Restricted Processing; Portability) and 9.2.1 (Responsibility for Requests); and
3. if subsections (a) and (b) above are insufficient for Subscriber (or the third-party controller) to comply with such obligations, upon Subscriber’s request and cost, providing Subscriber with additional reasonable cooperation and assistance.

10. Data Processing Locations

10.1 Data Storage and Processing Facilities. Subject to Kocho’s data location commitments under the Service Specific Terms (if any applicable) and data transfer commitments under Appendix 2 (Specific Privacy Laws), if applicable, Subscriber Data may be processed in any country where Kocho or its Sub-processors maintain facilities.

10.2 Data Center Information. The locations of data centers are described in Appendix 2 (Sub-processors and Data Centre Locations).

11. Sub-processors

11.1 Consent to Sub-processor Engagement. Subscriber specifically authorizes Kocho’s engagement as Sub-processors of those entities disclosed as described in Section 11.2 (Information about Sub-processors) as of the Addendum Effective Date. In addition, without prejudice to Section 11.4 (Opportunity to Object to Sub-processors), Kocho generally authorizes Kocho’s engagement of other third parties as Sub-processors (“New Sub-processors”).

11.2 Information about Sub-processors. Names, locations, and activities of Sub-processors are described in Appendix 3 (Sub-processors and Data Centre Locations).

11.3 Requirements for Sub-processor Engagement. When engaging any Sub-processor, Kocho will:

1. ensure via a written contract that:
   • the Sub-processor only accesses and uses Subscriber Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Addendum); and
   • if required under Applicable Privacy Laws, the data protection obligations described in this Addendum are imposed on the Sub-processor (as may be further described in Appendix 2 (Specific Privacy Laws)); and
   • remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
2. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.

11.4 Opportunity to Object to Sub-processors.

1. When Kocho engages any New Sub-processor during the Term, Kocho will, at least 30 days before the New Sub-processor starts processing any Subscriber Data, notify Subscriber of the engagement (including the name, location and activities of the New Sub-processor).
2. Subscriber may, within 90 days after being notified of the engagement of a New Sub-processor, object by immediately terminating the applicable Agreement for convenience:
   • in accordance with that Agreement’s termination for convenience provision; or
   • if there is no such provision, by notifying Kocho.

12. Kocho Application Team; Processing Records

12.1 Kocho Application Team. Kocho Application Team will provide prompt and reasonable assistance with any Subscriber queries related to processing Subscriber Data under the applicable Agreement and can be contacted as described in the Notices section of the applicable Agreement.

12.2 Kocho’s Processing Records. Kocho will keep appropriate documentation of its processing activities as required by Applicable Privacy Law. To the extent any Applicable Privacy Law requires Kocho to collect and maintain records of certain information relating to Subscriber, Subscriber will use SaaS or other means identified in the Agreement to supply such information and keep it accurate and up to date. Kocho may make any such information available to competent regulators, including a Supervisory Authority, if required by Applicable Privacy Law.

12.3 Controller Requests. During the Term, if Kocho Application Team receives a request or instruction from a third-party purporting to be a controller of Subscriber Personal Data, Kocho will advise the third party to contact Subscriber.

13. Notices

13.1 Notices under this Addendum (including notifications of any Data Incidents) will be delivered to the Notification Email Address. Subscriber is responsible for using SaaS, or otherwise notifying Kocho, to ensure that its Notification Email Address remains current and valid.
***** ***** ***** ***** *****

Appendix 1

Subject Matter and Details of Data Processing

Subject Matter

Kocho’s provision of SaaS and/or the Services to Subscriber.

Duration of the Processing

The Term plus the period from the end of the Term until deletion of all Subscriber Data by Kocho in accordance with this Addendum.

Nature and Purpose of the Processing

Kocho will process Subscriber Personal Data for the purposes of providing SaaS and/or the Services to Subscriber in accordance with this Addendum.

Categories of Data

Data relating to individuals provided to Kocho via SaaS and/or the Services, by (or at the direction of) Subscriber or by its end users.

Data Subjects

Data subjects include the individuals about whom data is provided to Kocho via SaaS and/or the Services by (or at the direction of) Subscriber or by its end users.

***** ***** ***** ***** *****

Appendix 2

Specific Privacy Laws

The terms in each subsection of this Appendix 2 apply only where the corresponding law applies to the processing of Subscriber Personal Data.

European Data Protection Law
1. Additional Definitions

1. “Adequate Country” means” (i) for data processed subject to the EU GDPR: the European Economic Area, or a country or territory recognized as ensuring adequate protection under the EU GDPR; or (ii) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate protection under the UK GDPR and the Data Protection Act 2018; in each case, other than on the basis of an optional data protection framework.
2. “Alternative Transfer Solution” means, for purposes of these European Data Protection Law terms, a solution, other than SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law, for example a data protection framework recognized as ensuring that participating entities provide adequate protection.
3. “SCCs” means the SCCs (Controller-to-Processor), the SCCs (Processor-to-Processor), or the SCCs (Processor-to-Controller), as applicable.

2. Instruction Notification. Without prejudice to Kocho’s obligations under Section 5.2 (Compliance with Subscriber’s Instructions) or any other rights or obligations of either party under the applicable Agreement, Kocho will immediately notify Subscriber if, in Kocho’s opinion:

1. European Law prohibits Kocho from complying with an Instruction;
2. an Instruction does not comply with European Data Protection Law; or
3. Kocho is otherwise unable to comply with an Instruction,

in each case unless such notice is prohibited by European Law.

If Subscriber is a processor, Subscriber will immediately forward to the third-party controller any notice provided by Kocho under this section.

3. Subscriber’s Audit Rights. Kocho will allow Subscriber or an independent auditor appointed by Subscriber (not being a competitor of Kocho) to conduct audits (including inspections) as described in Section 7.5.2(a) (Subscriber Audit). During such an audit, Kocho will make available all information necessary to demonstrate compliance with its obligations under this Addendum and contribute to the audit as described in Section 7.5 (Reviews and Audits of Compliance) and this section.

4. Data Transfers

5. Requirements for Sub-processor Engagement. European Data Protection Law requires Kocho to ensure via a written contract that the data protection obligations described in this Addendum, as referred to in Article 28(3) of the GDPR, if applicable, are imposed on any Sub-processor engaged by Kocho.

***** ***** ***** ***** *****

Appendix 3

Sub-processors and Data Centre Locations

List of approved Sub-processors for the Alira Project powered by Kocho: