Terms and Conditions

CARUSO Dataplace
between

Company: PROMOTIVE S.A.

Address: OLAZABAL 1515 - BA

Country: ARGENTINA

(hereinafter referred to as “Customer”)

and

Caruso GmbH
Steinheilstraße 10
85737 Ismaning
Germany

(hereinafter referred to as "CARUSO")

Customer and CARUSO are hereinafter jointly referred to as “Parties” or individually as “Party”.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 1/30
Preamble

A. Caruso GmbH is a company with limited liability (GmbH) established under the laws of Germany
registered with the commercial register (Handelsregister) maintained at the lower court
(Amtsgericht) of Munich, Germany, under registration number HRB 233 669, having its corporate
domicile (Sitz) in Ismaning.

B. PROMOTIVE S.A. is a company with ANONIMOUS SOCIETY

established under the laws OF ARGENTINA registered with the

of commercial register of 33-71031650-9 , under registration number

33-71031650-9 , having its corporate domicile in OLAZABAL 1515- Bs As.

Definitions

Unless otherwise defined in the Agreement, all capitalized terms used in this Terms and Conditions and
its Annexes will have the meanings given to them as described below:

Data shall mean any kind of discrete, objective facts, information, logs about events, entities,
transactions, or activities required by CARUSO to operate the CARUSO Dataplace. This includes in
particular In-Vehicle Data from connected vehicles but also about Data from and about its Data
Suppliers and/or its Customers.

Personal Data shall mean any information relating to an identified or identifiable natural person, a
Data Subject.

Data Subject has the meaning of Art. 4 GDPR and refers to an identifiable natural person who can
be identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Protection Law means all applicable laws and regulations relating to data protection and
privacy including (without limitation) the EU General Data Protection Regulation (2016/679)
(“GDPR”), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in
each jurisdiction, European Union Member State laws regulating security breach notification and
imposing data security requirements, and any amending, implementing or replacement legislation
from time to time.

Data Controller shall be the legal entity that determines the purposes and means of the processing
of personal data (e.g., when processing an employee’s personal data, the employer is considered to
be the controller). It is possible to have joint data controllers in certain circumstances.

Data Processor shall be the legal entity that processes personal data on behalf of a Data Controller
and is thus acting on behalf of its Customer or Client). The key responsibility of the processor is to
ensure that conditions specified a Data Processing Agreement signed with the Data Controller are
always met, and that obligations stated in GDPR are complied with.

In-Vehicle Data shall mean Data generated from or within a connected vehicle which may be stored
on a Data Supplier’s server and which is subject to be provided to Data Consumers via the CARUSO
Dataplace. In-Vehicle Data is considered to be personal data according to the Data Protection Law.

In-Vehicle Data Packages shall mean a set of custom-defined or predefined In-Vehicle Data which
is offered to Customers.

Data Supplier shall mean a legal entity that provides In-Vehicle Data to a Customer via CARUSO.
CARUSO is acting a reseller for the Data Supplier.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 2/30
 Customer or Data Consumer shall mean a legal entity representing a Customer of CARUSO
Dataplace. The Customer may have an interest in or is already having a Subscription to consume
In-Vehicle Data from one or several Data Suppliers.

Platform User shall mean any employees, representative, or vicarious agent that represents
and acts on behalf of the Customer.

Technical User shall mean a non-personal account on CARUSO Marketplace. A technical user has
the same rights and functionalities as a Platform User.

CARUSO Dataplace, or Platform (hereinafter also referred to as “Dataplace”) is a cloud-based

mobility data platform connecting OEMs, workshops, part manufacturers, leasing and
fleet management systems, automobile insurances and other market players. The CARUSO
Dataplace consists out of a Marketplace, a Developer Portal, and a Delivery Engine.

Marketplace is a web-based marketplace portal for presenting and viewing Offers about the
data available and management of Subscriptions of a Customer.

Developer Portal is a web-based portal with technical information for Data Suppliers and Data
Consumers. The Developer Portal describe how to integrate with the Platform and the APIs of the
Delivery Engine.

Delivery Engine provides access to In-Vehicle Data for customers with a valid Subscription via the
CARUSO API. The Delivery Engine performs the Data Delivery and by doing so, it may also apply
Harmonization and Caching of In-Vehicle Data. The customer needs to technically integrate the
APIs of CARUSO to get In-Vehicle Data from the Dataplace. The Customer has in particular
access to APIs to request harmonized In-Vehicle Data items and APIs to trigger the consent flow
for a Data Subject.

Data Delivery shall mean the process of delivering In-Vehicle Data from a Data Supplier to
a Customer. Data Delivery may use different technical means to do so (e.g., pull, push, or stream
of In-Vehicle Data). Data Delivery is based on the Vehicle Identification Number (VIN) and may be
done for Individual Vehicles or Fleet Vehicles.

CARUSO API shall mean the API (Application Programming Interface), i.e., the interface for the
request and delivery of In-Vehicle Data to the Customer.

API Call shall mean each single attempt by a system of the Consumer to use the CARUSO
API based on a Subscription by the Consumer for the purpose of obtaining In-Vehicle Data. API
Calls may be limited by Rate Limits.

Rate Limit shall mean the upper threshold of allowed requests within a certain time frame from
Customer to CARUSO.

Harmonization shall mean to transform the Data of a certain Data Supplier to the
harmonized CARUSO data format. This means inbound data of Data Supplier solely is changed in
a way to make the data conformant to the CARUSO data catalog. This may include changing (1)
the name of the data item (e.g., odometer to mileage), (2) the unit of the data items (e.g., miles to
kilometer), (3) the granularity of the data item (e.g., front left door lock state and front right door lock
state to front door state), or (4) data provisioning mechanisms (e.g., push, stream, pull-based to
one of the other).

Caching shall mean to temporary hold Data in a cache to provide a better experience to Data
Consumers. A cache means a temporary storage area that has a copy of the last received In-
Vehicle Data and (1) is only used to temporary hold Data at the CARUSO Dataplace in case of
invalid/not available Data or error, (2) is only accessed if Data requests by a Customer leads to
invalid Data or a technical error (e.g. error 500, 503); and (3) is deleted if the caching time-to-live
expires.

Individually owned Vehicle: Any vehicle owned, leased, or used by one or more individuals or
a family.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 3/30
 Company-owned Vehicle: Any vehicle or a fleet of vehicles owned or leased by a business,
company, government agency, or other organizations rather than by one or more individuals or
family. In some jurisdictions and countries, fleet vehicle may also mean a vehicle that is privately
owned by employees, or on novated leases, but is being used for work or commercial purposes.

Offer is a description of the In-Vehicle Data or the In-Vehicle Data Packages to which any Customer
may request a Subscription.

Subscription shall mean an agreement between Customer and CARUSO Dataplace about Data
Delivery. A Subscription describes the Data delivered and provides the necessary information to
consume the In-Vehicle Data for the Data Consumer. A subscription may use one or several Data
Delivery Agreements to expose Data Supplier specific information that may apply for Data Delivery.

Data Delivery Agreement shall mean the Data Supplier specific terms and conditions that apply
for Data Delivery. It may state In-Vehicle Data Items, the permitted purpose and scope of use of
the In-Vehicle Data, the price and price model and technical limitations for Data Delivery, if
applicable. Such limitations and restrictions may be imposed by the Data Supplier selling the
In-Vehicle Data to CARUSO in granting or limiting rights for data scope and data usage for the
Customer.

Confidential Information means, without limitation, any information and data, whether protected
or not, likely to be protected or not by an intellectual property right, which are disclosed by the
Discloser to the Receiver within the Purpose, of any nature (technical, commercial, economical,
etc.) and on any support (in particular experience, know-how, method, tool design, process,
specific component, software, etc.), whether orally, in writing, visually or in any other form
(including, without limitation, documents, devices and computer readable media). Confidential
Information also includes all copies made thereof.

Material Breach: Breach of contractual obligation, in particular including but not limited to any act
that compromised, jeopardized or misused the commercial or private data of the other Party during
the planned transaction (or CARUSO Customers) or, any act that is considered to be against the
substantial manner (cardinal obligation) of the provisions of this Agreement.

Written: A reference to writing or written also includes e-mail, except explicitly stated otherwise
as “e-mail excluded”.

NOW, THEREFORE, the Parties agree on the following:

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 4/30
1 Subject and Purpose of this Agreement

1.1 CARUSO operates the CARUSO Dataplace (hereinafter referred to as “Dataplace”), a cloud-
based mobility data platform connecting OEMs, workshops, part manufacturers, leasing and
fleet management systems, automobile insurances and other market players. The Dataplace
is operated during the term of this agreement in the territory of the European Union.

1.2 CARUSO acts always as the owner of the CARUSO Dataplace for which this agreement
provides the term and conditions.

1.3 Customer signs up for one of the membership packages whose remuneration details and terms
of payment for the as set out in Annex 1 – Pricing and Remuneration.

1.4 Customers may buy In-Vehicle Data from various Data Suppliers via CARUSO, whereby
CARUSO is acting as a reseller for various Data Supplier. In-Vehicle Data may be offered in a
variety of pricing model, data formats, data quality, mainly dependent on the performance of
the Data Supplier.

1.5 Specific terms and conditions that apply for Data Delivery through the Dataplace shall be
covered by a separate Data Delivery Agreement. Customer accepts the Data Delivery
Agreement when making a Subscription. Subscription is hence the Conclusion of a contract
between Customer and CARUSO.

1.6 Any exchanged data in Dataplace remains property of the supplying Party unless otherwise
stated in the respective Data Delivery Agreement (see Annex 2 for a sample Data Delivery
Agreement).

1.7 The Customer acknowledges that the Dataplace and its features and functionalities may
change and evolve over time observing the Change Management Process as described in
Annex 3.

1.8 If either Party develops any ideas, functionalities, or concepts in the course of the negotiations
and under the execution of the Agreement, they shall remain free to use such initiative actions
as long as they are not contradictory to any foreseeable legal requirements or terms and the
conditions of this agreement. If such ideas, functionalities, or concepts are developed jointly by
both Parties in the course of the negotiations and under the execution of this Agreement, both
Parties will endeavor to find an amicable solution enabling free use of such jointly developed
ideas, functionalities or concepts for both Parties.

2 Performance of CARUSO

2.1 CARUSO is responsible for provision, operation, and maintenance of the Dataplace. It is the
Customer’s responsibility to be technically able to use the Dataplace. In particular, CARUSO
is not responsible for providing the Customer with any hardware and/or software except the
Dataplace.

2.2 Regarding the Customer’s use of the Dataplace, CARUSO shall be the sole contractual partner
of the Customer.

2.3 CARUSO will provide the Customer with information which is necessary to use the Dataplace
and to consume In-Vehicle Data (details can be found below under Section 3).

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 5/30
2.4 The annual availability of the Dataplace shall be at least 99 % on average. Necessary
maintenance outside of the normal business hours (see Section 9.7) and downtimes which
could not be averted with reasonable efforts due to technical problems outside the
responsibility of CARUSO (Force Majeure and/or malfunctions due to faulty operation and
configuration by the Customer), shall not be taken into account.

2.5 CARUSO shall notify the Customer of planned maintenance in text form in advance. Such
notification shall include the duration of the maintenance including the foreseeable scope of
impairment in using the Dataplace. However, CARUSO expressly reserves the right for
unannounced maintenance if necessary, especially for reasons of data security and/or
operational security. The Customer must be notified of any maintenance or downtime without
undue delay and any maintenance must be carried out in such a way as to minimize
malfunctions in operational processes as far as possible.

2.6 CARUSO is entitled to modify, expand, and evolve the functions and services of the Dataplace.
CARUSO also reserves the right to change the set of functionalities of the Dataplace in a
manner acceptable to the Customer. In that sense it shall be deemed a "significant reason", in
particular, if the change is needed for security-related reasons. Unless the changes are mere
expansions of the functionalities or insignificant modifications of the performance to be
rendered by CARUSO (e. g. minor design changes), or unless security-related reasons call for
immediate action, CARUSO shall inform the Customer in writing about the changes as
described in Annex 3 - Change Management Process.

2.7 CARUSO reserves the right to make expansions and further developments available against
additional charges only. The provisions of this Terms and Conditions shall apply
correspondingly if the Customer decides to book these expansions and developments. If
CARUSO provides additional services and/or functionalities free of charge after this Terms and
Conditions have been accepted, these are deemed voluntary services of CARUSO.

2.8 CARUSO warrants only the suitability of the Dataplace for use to the agreed extent and not the
timeliness, correctness and completeness of the information provided by the Data Suppliers.

2.9 CARUSO assures that when operating/using the Dataplace, it will observe all applicable legal
regulations, in particular the laws on fair competition, data protection, copyright and data-base
rights.

3 Marketplace Portal Account

3.1 The login information (username and password, hereinafter referred to as “Marketplace
Account”) provided by CARUSO to the Customer is required for the Platform User’s individual
access to the Marketplace of the Dataplace.

3.2 For any way of participation in the Marketplace the Platform User needs to be logged into their
account on the Marketplace via a web-browser. Via the Marketplace the Customer has directly
or indirectly access to view Offers, subscribe, and manage Subscriptions, and access to the
Developer Portal.

3.3 Platform Users act on the Marketplace always on behalf of the Customer and its corresponding
legal entity.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 6/30
3.4 The Customer may request one Technical User. The Technical User acts on behalf of the
Customer as stated in Section 7.4 and it is the obligation of the Customer to ensure that the
Technical User account is only accessible by eligible personnel.

3.5 CARUSO is acting as a reseller for Data Suppliers, which the Customer accepts and
acknowledges when entering into Data Delivery Agreement. with CARUSO restrictions and/or
limitations as contained in the listing may apply for the data delivered. These limitations and
restrictions may be imposed by the Party originally selling the data to CARUSO in granting or
limiting rights for data usage and data scope for the Customer.

4 Data Delivery

4.1 CARUSO shall provide access to In-Vehicle Data as stated in the respective Data Delivery
Agreement. The permitted scope of use of the In-Vehicle Data is also regulated in the Data
Delivery Agreement.

4.2 API documentation is made available to the Customer via the Developer Portal including
technical information on Data Delivery, data dictionary, and error handling. Customer confirms
the approval for the suitability of the CARUSO API for the fulfilment of the purposes of this
Agreement.

4.3 The credentials (e.g., webservice endpoint URL, API key, Subscription Id) provided by
CARUSO to the Customer are required for the Customer’s individual access to Delivery Engine
of the Dataplace.

4.4 CARUSO may limit the possible number of API calls within a certain time frame as further
specified in the respective Data Delivery Agreement.

4.5 The Customer acknowledges that the Data Supplier may impose limitations and restrictions on
the provisioning of data and Customer will carry out any business in conformance to such
limitations and restrictions.

4.6 Data will only be delivered if following preconditions are fulfilled by the Data Supplier:

– Vehicle is equipped with telematics control unit and has an activated SIM Card

– Vehicle is registered at Data Supplier(s) backend

– Brand is supported and Market/Country is supported by the Data Supplier

4.7 The Data is provided by the Data Supplier on an "as-is" and "as available" basis and without
any warranty or representation for quality, quantity, completeness, accuracy, availability, error-
free and fitness for any particular purpose. The Data Supplier does not guarantee a certain
quality of requested In-Vehicle Data due to the following reasons:

– Data Supplier only collects Data when a connection to the vehicle is established. In case
of connection loss, no information can be transmitted.

– If the connection is transient or instable, data may be inaccurate or limited for reasons
beyond data supplier control.

– Not all vehicles of Data Supplier are capable of transmitting data.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 7/30
 – The user may have the option to stop data transmission in the vehicle at any time
(privacy mode). Data supplier has no influence on this user decision. Vehicles with
activated privacy mode do not send data.

4.8 Should the Customer misappropriate Data Supplier’s Data in any way, the Customer shall
promptly inform CARUSO of such misappropriation and disclose to CARUSO the information
of the misuse.

4.9 Customer shall not gain or try to gain access to In-Vehicle Data or any other Data through any
means other than through the API.

4.10 Prior to Data Delivery, Customer shall accept the corresponding terms and conditions as stated
Data Delivery Agreement of the Subscription (see Annex 2 for a sample Data Delivery
Agreement). This information is accessible for the customer via the Marketplace.

– The Data Delivery fee, pricing model, and period of validity of the fee or Data Delivery
via CARUSO.

– The Data Items and the permitted purposes of use of the Data.

– The Rate Limits that may apply for Data Delivery.

– Details on the roles according to Art. 6 Regulation (EU) 2016/679 ("GDPR") of the Data
Supplier(s), CARUSO, and Customer (see outlined possible option of Section 6.2).

4.11 CARUSO may use the name, trademark, and logo of the Customer without any modifications
as a reference towards Data Subjects in the process of consent provisioning. Any further usage
of name, trademark, logo requires Customer´s prior written permission to do so.

4.12 Data Delivery for Individually-Owned Vehicles

4.12.1 CARUSO may give access to In-Vehicle Data of individual vehicles connected through the
Data Supplier.

4.12.2 Customer shall ensure that the registered keepers or drivers of the vehicle have consented
the provisioning of personal data in compliance to GDPR. This requires informing the Data
Subject.

4.12.3 The Data Subject can confirm CARUSO's request, which is made on behalf of the Customer,
thus approving the transmission of the queried In-Vehicle Data for the disclosed purpose. The
Data Subject can terminate the In-Vehicle Data delivery at any time.

4.12.4 It is the Customer’s responsibility to trigger the consent flow for data release of the Data
Subject. Any use of data that deviates from the purpose of use provided within the consent low
to Data Subject shall constitute a violation of Clause 6.3.

4.13 Data Delivery for Company-Owned Vehicles

4.13.1 CARUSO may give access to In-Vehicle Data for fleet vehicles for Customers acting in the
role of a fleet owner or acting on behalf of fleet owners to obtain In-Vehicle Data of respective
fleet vehicles without the explicit consent of each individual driver. Explicit consent means any
measure taken by CARUSO to individually collect consent of each individual driver. In that

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 8/30
 case CARUSO acts as independent data intermediary on behalf of the Customer. The fleet
owner is a Data Controller in the sense of Art. 4 No. 7 GDPR.

4.13.2 Vehicles joining the fleet are allocated to a Subscription for fleet vehicles. The vehicles joining
and leaving the fleet must be provided truthfully by the Customer. The Customer is obligated
to keep the documentation of the vehicles in Data Delivery up-to-date at all times. Customer
must particularly ensure that they are authorized to do so. At CARUSO’s request, the
Customer must provide documentary evidence to this effect (e.g., copy of the vehicle’s
confirmation of registration, copy of the leasing contract, confirmation of the leasing company).

4.13.3 Customer is obligated to ensure that the Personal Data is used exclusively in compliance to
GDPR with the applicable data protection regulations. In particular, this includes the
Customer’s obligation to inform the users of the fleet vehicles of the fact that their personal
data shall be processed in the context of the use of the fleet service to the extent required by
law and, insofar as doing so is necessary, the Customer’ obligation to obtain appropriate
consent from the users. At CARUSO’s request, the Customer shall provide CARUSO with
proof of the legitimacy of personal data processing activities using the fleet service, including
sufficient information for the users.

4.13.4 CARUSO reserves the right to verify compliance with the above specifications at any time and
to take appropriate steps in the case of non-compliance. Depending on the breach, this also
includes the temporary or permanent exclusion of the Customer responsible for the breach
from the fleet service.

5 Notices

5.1 Any notices or other records to be delivered by one of the Parties pursuant to this Agreement
must be done in writing and are deemed to have been delivered as email to the address of the
other Party as below.

– Notices to CARUSO: [email protected]

– Notices to Customer: [email protected]

6 Data Protection and IT Security

6.1 The Customer is a separate Data Controller or a Data Processor on behalf of a Data Controller
under data privacy laws and shall be responsible for compliance with data protection law when
retrieving and handling data at the CARUSO API. Customer shall ensure that all use of
personal data complies with Art. 6 Regulation (EU) 2016/679 ("GDPR") towards the Data
Subject.

6.2 The Parties are bound to comply with all data protection laws and data protection regulations
and to ensure compliance by all members of their Personnel. Details may be established in the
respective Data Delivery Agreement between Data Supplier, CARUSO and Customer, in
particular the roles of the parties according to Art. 6 Regulation (EU) 2016/679 ("GDPR").

– Controller-Controller-Controller: Data Supplier is a Data Controller, CARUSO is a Data

Controller, and Customer is a Data Controller.

– Processor-Controller-Controller: Data Supplier is a Data Processor, CARUSO is a Data

Controller, and Customer is a Data Controller.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 9/30
 – Controller-Processor-Controller: Data Supplier is a Data Controller, CARUSO is a Data
Processor of the Customer, and Customer is a Data Controller. In addition, a Data
Processing Agreement (DPA) between Customer and CARUSO is necessary (see
Annex 5).

– Processor-Processor-Controller: Data Supplier is a Data Processor of CARUSO,

CARUSO is a Data Processor of the Customer, and Customer is a Data Controller. In
addition, a Data Processing Agreement (DPA) between Customer and CARUSO is
necessary (see Annex 5).

6.3 The Customer is obliged to comply with the GDPR and any other applicable data protection
regulations. A violation of data protection regulations is considered a violation of essential
contractual obligations. This includes in particular data protection requirements for IT security
in the Customer's area of responsibility.

6.4 At the request of CARUSO, the Customer shall provide unrestricted and comprehensive
information on all measures relevant to data protection in connection with the handling of data
as well as on compliance with and control of data protection regulations. For this purpose, the
Customer shall provide and explain the relevant documents and data, including, if applicable,
Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR.

6.5 In case of personal data breach by the Customer, CARUSO shall have the right to terminate
this Agreement immediately and stop any further Data Delivery to the Customer.

6.6 CARUSO shall have the right to inform the Data Supplier about any violations by the Customer
and the name of the Customer in case of data breaches in order to create a blacklist.

6.7 CARUSO implements and maintains technical and organizational measures to protect Data
against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
CARUSO may update or modify these measures from time to time if such updates and
modifications do not result in the degradation of the overall security of the Dataplace.

6.8 CARUSO has no obligation to protect copies of Data of the Customer that the Customer stores
or transfers outside of the Dataplace (e.g., offline or on-premises storage at the Customer).

6.9 The Customer is solely responsible for the use of the security functionalities provided by the
Dataplace, including, but not limited to secure handling of passwords and other credentials, to
delete expired Platform Users and to apply appropriate password policies.

6.10 The Customer is solely responsible for securing the account and authentication credentials, as
well as systems and devices the Customer uses to access the Dataplace, securing its server
resources and infrastructure, securing any account and Customer system authentication
credentials obtained from other Customers on CARUSO as part of a subscription to such a
Customer’s service, backing up its Data as appropriate.

6.11 The Customer agrees not to adapt or circumvent the systems in place in connection with the
Dataplace, nor access the Dataplace other than by using the credentials assigned to the
Customer and its Platform Users and by following the instructions that CARUSO has provided
for that type of connection.

6.12 Any breach of security, such as loss, theft or unauthorized use of your security credentials must
be notified to CARUSO immediately.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 10/30
6.13 CARUSO has the right to disable any username or password at any time, if in CARUSO’s
opinion the Customer failed to comply with any of the obligations listed in Section 7 or where
we suspect illegal, fraudulent activity or unauthorized use of your account or contact
information.

7 Rights and Obligations of the Customer

7.1 Customer is obligated to have at least one registered Platform User.

7.2 Customer is obligated to provide a contact email address via the platform to receive any
notices, information, announcements, or other records from CARUSO.

7.3 Customer must keep the login information to the Dataplace and data delivery credentials to
access CARUSO APIs secure and may only make them available to authorized employees.
The Customer undertakes to obligate their employees to handle the access data confidentially
and to inform CARUSO immediately if it is suspected that the login information may have
become known to unauthorized persons.

7.4 Customer is responsible for any operation and configuration made under their account, inter
alia their data.

7.5 Customer shall be responsible to regularly secure their own data. This applies both to the Data
on the local systems or servers of the Customer.

7.6 With regard to all contents the Customer transfers to the servers of CARUSO, the Customer
grants CARUSO a simple right to use the contents in the context of the use of the Dataplace
during the term of this agreement as far as this is necessary for the fulfilment of this Agreement.
In particular, CARUSO is entitled to duplicate the contents for purposes of operating the online
platform.

7.7 CARUSO is also entitled to grant sublicenses to its vicarious agents, insofar as this is
necessary for the fulfilment of this Agreement. Otherwise, the right of use is not transferable.
CARUSO shall be entitled to retain the Customer's contents beyond the duration of the
contract, insofar as this is technically or legally necessary.

7.8 Customer assures that when using the Dataplace, it will observe all applicable legal
regulations, in particular the laws on fair competition, data protection, copyright and database
rights.

7.9 Customer shall use the Data Supplier’s Data only as far as and as long as such use is in
accordance with this agreement and the Data Delivery Agreement (irrespective of whether the
Data Supplier’s Data is personal or non-personal data).

7.10 Customer may use the Data exclusively for the purposes as presented to and consented by
the Data Subject. Consumer may also anonymize Data Supplier’s Data for his own purposes.

7.11 Customer may combine Data Supplier’s Data with comparable data generated by vehicles
other than Data Supplier’s Vehicles. The Parties agree that Combined Data shall be used only
for the purposes for which and to the extent to which Data Supplier’s Data may be used. The
creation of further Data Supplier’s Data Derivatives is not permitted.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 11/30
7.12 Consumer shall delete In-vehicle Data after the end of this Agreement, unless the storage of
Data Supplier’s Data is required by law or for the Customer to comply with contractual
obligations vis-à-vis the Data Subjects.

7.13 The Customer may use the name of the Data Suppliers as a reference towards Data Subjects.

– This means Customer is only entitled to use the company name of the Data Supplier in
the same form and font as the surrounding text of the end customer reference.

– Any highlighting by color, by writing in a different font, or in any other way is prohibited.

– Neither the Customer nor any 3rd Party shall use the trademark, logo and identity of
Data Supplier for marketing or similar purposes without Data Supplier´s prior written
consent.

– Any further permitted usage of name, trademark, logo and identity of Data Supplier for
marketing or similar purposes is regulated in the respective Data Delivery Agreement.

7.14 Customer shall comply with the Platform Code of Conduct (see Annex 4 – Platform Code of
Conduct) and ensure that all Platform User of the Customer comply with it.

8 Audit Rights

8.1 CARUSO is entitled to review Customer’s compliance with the obligations under this
Agreement, in particular with the obligation stated in Sections 4 and 7. CARUSO may carry out
related audits by itself or through a designated, independent, reputable, recognized third party
auditor bound to confidentiality under professional privileges during business hours after
reasonable prior notice. In this respect, Customer agrees to CARUSO and its authorized
representatives to view and audit, during normal business hours upon advance written notice
to Customer, any facility, process or entity used to fulfill Customer’s obligations stated in
Sections 4.13 and 7 to determine compliance with the requirements of this Agreement.

8.2 If an audit reveals any cases of non-compliance with Customer’s obligations, CARUSO will
inform the Customer accordingly and CARUSO may, at its sole discretion, either

a) require the Customer to ensure compliance without undue delay and/or

b) withhold any transfer of Data Supplier data to the Customer until the Customer has
demonstrated compliance, and/or

c) in severe cases terminate this Agreement upon written notice to the Customer.
CARUSO may also disclose such issues to the respective Data Supplier.

8.3 CARUSO shall bear the costs of such audit measures, unless a non-contractual use, especially
a non-compliance with sections 4.13 and 7, is discovered, in which case the Customer shall
bear the cost.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 12/30
9 Liability

9.1 CARUSO is liable for willful intent, gross negligence and in the case of deceit without restriction.
In the case of mild negligence, CARUSO shall be liable insofar as it has infringed a duty which
is of material significance to the achievement of the contractual purpose (cardinal duty, inter
alia the provision of the Dataplace), restricted to the foreseeable damage typical of the
agreement. Irrespective of the reason for the claim, CARUSO shall assume no further liability
insofar as nothing to the contrary has been agreed between the Parties.

9.2 CARUSO does not accept responsibility for any loss the Customer or anybody else may suffer
because any instructions or information sent by the Customer or CARUSO are sent in error,
fail to reach the recipient or are distorted unless such loss results from our negligence, failure
to exercise reasonable skill and care, fraud or our deliberate fault.

9.3 CARUSO may rely on all communications given or made by the Customer or anyone else using
the Customers username, account number and password which we reasonably believe to have
been made by you or on your behalf. The Customer will be bound by any agreement entered
into or expense incurred on your behalf in reliance upon such a communication.

9.4 CARUSO reserves the right not to act on your instructions where we suspect illegal, fraudulent
activity or unauthorized use of your account or contact information.

9.5 CARUSO does not accept responsibility for any payments from the Customer’s bank account
or any loss you may suffer caused by your failure to keep your registration details confidential,
or your failure to comply with these Terms and Conditions. In particular, CARUSO will not be
responsible for any act, omission, failure, fraud, delay, negligence, insolvency or default of any
bank, financial institution, clearing or payments system, or regulatory, governmental or supra-
national body or authority, nor for any failure or any disruption to any communications systems
required to operate in order for any monies to be transferred. CARUSO does not accept
responsibility if it is or becomes unlawful for CARUSO to give any instruction or make any
payment required by these Terms and Conditions.

9.6 If CARUSO is not Party to contracts that Customer concludes using the Dataplace, CARUSO
shall not be liable for damages that occur directly in the relation between the Customer and
other Customers of CARUSO Dataplace.

9.7 CARUSO shall not be liable for the temporarily disrupted access to the Dataplace caused by
necessary maintenance, which shall be carried out outside normal business hours (08:00-
20:00 CET/CEST or as agreed between the parties for services, that require shorter
maintenance windows) and the disrupted access could not be averted with reasonable efforts.

9.8 The liability restrictions and exclusions mentioned above shall not apply to claims based on the
damage arising from the injury to life, limb or health and to claims based on the Product Liability
Act. Insofar as the liability of CARUSO is restricted or ruled out, the personal liability of the
vicarious agents of CARUSO shall similarly be restricted or ruled out.

10 Confidentiality

10.1 If the Parties have agreed upon a Non-Disclosure Agreement (hereinafter referred to as
“NDA”), the NDA shall remain in full force and effect.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 13/30
10.2 The confidentiality obligations set forth in the NDA shall apply with regard to all confidential
information disclosed during the performance of this, under this Agreement and other
agreements between the Parties with regard to the Dataplace (in particular any letter of intent).

10.3 In any case both parties agree to protect all disclosed Confidential Information from access by
third parties and keep it at least with the same diligence with which it treats its own Confidential
Information, at least, however, with the diligence that is usual in such cases. Confidential
Information may not be disclosed to any third party unless expressly permitted by the discloser
or applicable statutory laws.

10.4 The Parties agree that the confidentiality obligation under the NDA, if applicable, as well as the
confidentiality agreement set forth in Section 10 above shall remain valid for the period of five
years after termination of this Agreement.

11 Publicity

11.1 Unless otherwise agreed, prior written approval must be obtained from the Customer before
CARUSO is allowed to name the Customer and use its logo in the market communication of
the ‘CARUSO Ecosystem’ and respective media like the CARUSO Website.

11.2 The Customer is allowed to name CARUSO and use its logo in the market communication and
respective media like the Customer Website. Also, the Customer is allowed to use name and
logo of CARUSO reference towards Data Subject, a user of the provided service or application
of the Customer or a Third Party, to which the Customer is delivering a service or application.

12 Term and Termination

12.1 The Agreement comes into force upon signature by both Parties and shall regularly be valid
for 12 months in the first instance (exception s. 12.2). The Agreement shall be automatically
extended for another year respectively, provided it has not been terminated by one Party in
writing 3 months prior to its expiration.

12.2 If the Customer has signed a Trial membership (s. 1.3), this Agreement will remain in effect
only until the end of the Trial Period. Upon termination of a Trial membership, the Customer
may sign up for one of the membership packages as listed in Section 1.3 except for another
Trial membership package. In the event of a relevant breach of contract (as per the definition
below), the other Party may (at its own discretion) terminate this Agreement without notice or
at a term of notice of its own choosing by written notice to the Party having breached the
Agreement.

In that sense a "relevant breach of contract" means one or several of the following
circumstances:

a) if a Material Breach of contract is not cured within 30 business days after the submission
of a respective request by the other Party to cure the breach,

b) either Party has committed a Material Breach of this Agreement which makes the
continuation of the Agreement impossible for both Parties

c) either Party fails to fulfil its obligations under this contract over a period of at least three
months after receiving the first notice from the other Party, or ceases its business
operation, or there threatens to cease operations.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 14/30
12.3 After the effective date of a termination of this Agreement either Party must not use any
software, service, or product (in particular interfaces) which have been provided by the other
Party in course of the onboarding procedure or execution of the Agreement (also including any
negotiations prior to signing either agreement).

12.4 Termination of this agreement shall have no effect on existing contractual obligations of the
Customer towards other Customers. The Customer may fulfil these obligations using the
Dataplace even after termination of this agreement.

12.5 The provisions of this agreement shall apply respectively with the restriction that, the Customer
shall not (and will technically not be able to) enter into new agreements with other Customers
or renew the existing ones.

13 Force Majeure

13.1 Neither Party shall be liable for any delay in performing or failure to perform its obligations
under this Agreement due to any cause outside its reasonable control. Such delay or failure
shall not constitute a breach of this Agreement and the time for the performance of the affected
obligations shall be extended by such period as is reasonable.

14 Right of Modification

14.1 The provisions of this Agreement and its Annexes may be modified between CARUSO and the
Customer for valid reasons (among others change in law and jurisprudence affecting the
respective provisions) by corresponding agreement as set out below:

– CARUSO shall provide the Customer with the changed provisions in text form and point
out the changes as well as the date for the planned coming into force.

– At the same time, CARUSO shall allow the Customer an appropriate grace period of at
least two months for them to declare if they accept the changed provisions for continuing
the execution of this Agreement.

– If the Customer does not make a declaration within the grace period granted, which
starts with reception of the notice in text form, the changed provisions shall be deemed
as agreed upon. CARUSO shall separately and expressly point out to the Customer the
legal consequences, viz. the right to object, the objection period and the consequences
of silence.

15 Entire Contract

15.1 This Agreement, including all appendices and documents attached to it or referred to within its
scope constitute the entirety of the contractual agreements between the Parties in respect of
the object of this Agreement. In the event of contradictions between the terms and conditions
of this Agreement and the attached Appendices, the provisions of this Agreement take
precedence.

15.2 Any earlier expressed or tacit agreements as well as any written or oral assurances,
declarations, negotiations, understandings and promises which are not expressly identified as
an integral part of this Agreement, are excluded from and superseded by this Agreement.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 15/30
16 Final Provisions

16.1 This Agreement cannot be transferred as a whole or in parts by either Party.

16.2 There are no oral declarations, no representations or side agreements to this Agreement.
Changes and/or additional agreements are only valid if agreed in writing and with legally
binding signature. This also applies to any agreements relating to the written form requirement
itself.

16.3 If individual or several provisions of this Agreement are or become unenforceable or invalid,
the remaining provisions shall nonetheless be valid. In the event of invalidity of any clause,
such clause shall be replaced by a valid clause as mutually agreed by both Parties.

16.4 This Agreement is governed and interpreted in accordance with the laws of the Federal
Republic of Germany with the exclusion of International Private Law and the UN Convention
on Contracts for the International Sale of Goods (CISG). The place of jurisdiction for any and
all disputes arising in connection with this Agreement or its validity is Munich, Germany.

17 Components of this contract

17.1 The Parties agree on the following Annexes to be an integral part of this contract:

– Annex 1 – Pricing and Remuneration

– Annex 2 – Sample Data Delivery Agreement

– Annex 3 – Change Management Process

– Annex 4 – Platform Code of Conduct

– Annex 5 – Data Processing Agreement

– Annex 6 – Technical and Organizational Measurements

– Annex 7 – List of Subprocessors

18 Signatures

Buenos Aires, 19/07/2021, Location Date Signature CARUSO

Location, Date Location, Date

RODOLFO CRIBELLINI Name CARUSO

Name: _____________________________ Name: _____________________________
PRESIDENT Function CARUSO
Function: _____________________________ Function: _____________________________

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 16/30
 Annexes

1 Annex 1 – Pricing and Remuneration

1.1 Membership Packages

Customer signs up for one of the membership packages as listed below, which grants
Customer access to the CARUSO Dataplace

TRIAL

BUSINESS

BUSINESS PLUS

INNOVATOR

Membership Description Membership Fee

Package
TRIAL - Access to the marketplace and developer portal 3-month trial period
- Access to the data catalog & standardized API free of charge
- Access to the ‘Virtual OEM’ with simulated data to
build & test your solution
- Access to multi-brand In-Vehicle Data (fees apply)

BUSINESS Everything from TRIAL plus 1.500 € / year

- Access to marketplace with unlimited number of
corporate accounts
- Access to developer portal
- Access to data catalog & standardized API
- Access to the virtual OEM with simulated data to
build & test your solution
- Access to multi-brand In-Vehicle Data for
productive usage (data fee applies)
- Guaranteed business SLAs
- Unified user consent flow for all Data Suppliers
- Email and phone support

BUSINESS PLUS Everything from BUSINESS package plus 15.000 € / year

- Single point of contact via personal onboarding
manager
- Initial 1-day workshop
- Expert support for technical integration
- Expert support for B2X use case ideation and
realization
- Data fee for 50 vehicles per month included

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 17/30
 Membership Description Membership Fee
Package
INNOVATOR Everything from BUSINESS PLUS package plus On demand
- Access to innovation hub for mobility solutions
- Access to OEM data lab
- Flat data fee for fixed number of vehicles per year
- Realization and support of one customized Proof
of Concept
- Access to all CARUSO reports and studies

1.2 Payment Terms

The annual Membership Fee shall be invoiced in advance for the respective contractual year and be
payable in one payment within 30 calendar days from the date of the invoice without any discount.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 18/30
2 Annex 2 – Sample Data Delivery Agreement

Data Delivery Agreement

Terms & Conditions for In-Vehicle Data Delivery
between

Caruso GmbH
Steinheilstraße 10
85737 Ismaning, Germany
(hereinafter referred to as ”CARUSO”)

and

Subscriber via CARUSO Dataplace

(hereinafter referred to as “Customer”)

CARUSO and Customer are hereinafter jointly referred to as the ”Parties” and each a “Party”.

Preamble

The purpose of this agreement is to define the terms and conditions under which CARUSO provides
access to in-vehicle data for the Customer. The Parties therefore enter into the following Data Delivery
Agreement:

1. Access and scope of use of the Data

1.1 The Data Supplier provides access to vehicles via CARUSO. The Data Supplier and the Data
Items included are stated in the Subscription on the CARUSO Dataplace.

1.2 Customer may store the Data Supplier’s Data during the term of the agreement.

1.3 Customer may use the Data exclusively for the purposes as presented to and consented by
the Data Subject.

1.4 The roles of the involved parties according to the GDPR are
Data Supplier: Data Controller
CARUSO: Data Controller
Customer: Data Controller

1.5 The number of API Calls per time frame may be restricted due to technical limitations. It is
allowed to make a maximum of 30 API Calls per Minute.

2. Remuneration

2.1 Customer shall pay CARUSO the Data Delivery fee: Monthly fee per VIN of 6.50 €

2.2 The period of validity of this fee is until 2021-12-31.

2.3 All fees are due on receipt of the CARUSO invoice. Please note that your payment will be
executed as defined in your payment method in your company account on CARUSO
Dataplace.

3. Commencement of access, term and termination

3.1 The Term of this Agreement shall begin on the date of the acceptance (decisive
click/checkmark logged in the CARUSO Dataplace) by the Customer of this agreement.

3.2 Each party shall have the right to terminate this Agreement upon three (3) months’ notice.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 19/30
3 Annex 3 – Change Management Processes

The following process describes how CARUSO shall inform the Customer of changes to the technical
functionalities of the Dataplace in accordance with clause 2.6 of the Terms and Conditions:

– CARUSO shall send a Deprecation Note to the Customer. This Deprecation Note by CARUSO
provides a detailed technical description of the intended change and names any deprecated
functionality. It may further announce replacement functionality or describe a functionally
equivalent mapping to other platform functionality and/or other Customer services available on
the Dataplace.

– If a replacement functionality has been announced, it will become available one month after the
Deprecation Note by CARUSO.

– CARUSO will send an End-of-Life Note of the deprecated functionality two months after the
Deprecation Note by CARUSO.

– After yet another month (three months after the Deprecation Note by CARUSO, one after the
End-of-Life Note) the deprecated functionality will not be supported anymore.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 20/30
4 Annex 4 – Platform Code of Conduct

4.1 Scope, Summary and Purpose

All Customers are expected to comply with all applicable laws, rules and regulations and to adhere to
this Code of Conduct when using the Dataplace.

All Customers must conduct their business carried out via the Dataplace or with In-Vehicle Data
provisioned via the Dataplace with honesty, integrity and in full compliance with all laws and regulations.

Maintaining CARUSO as a trusted and neutral marketplace for data suppliers and data consumers shall
be a top priority for both CARUSO, its Data Suppliers, and its Customers. CARUSO strives to constantly
innovate on behalf of its Customers to improve the Dataplace, its offering, and its operation.

4.2 General Guidelines for the Use of the Dataplace

This Code of Conduct is a general set of rules pertaining to the use of the Dataplace by all involved
Parties. It forms the basis for any participation in the Dataplace. It also aims at keeping the Dataplace
environment safe and secure.

– Customers shall ensure that any usage of data consumed via the Dataplace is factually correct
and, if necessary, up-to-date with regard to the respective purpose of processing.

– The reselling, sharing or further transfer to third parties of data or services purchased on
CARUSO without the approval of the original data provider is prohibited, if not otherwise stated
in the Data Delivery Agreement.

– If Customers repeatedly use the service in an excessive or unreasonable way, CARUSO may
in its sole discretion restrict or block the Customer’s access to the Dataplace or any other
functions that are being misused until the Customer stops its misuse.

– Unsolicited emails to CARUSO Customers (other than as necessary for order fulfilment and
related customer service) and emails related to marketing communications of any kind are
prohibited.

– When Customers use CARUSO’s search engine and browse structure, they expect to see
relevant and accurate results. Any attempt to manipulate the search engine is therefore
prohibited.

– Any attempt to circumvent the established CARUSO sales or reselling process or to divert other
Customers to another platform or sales process is prohibited.

– Any advertisements, marketing messages (special offers) or "calls to action" that lead, prompt,
or encourage Customers of CARUSO to leave the CARUSO Dataplace are prohibited. This may
include the use of email or the inclusion of hyperlinks, URLs, or web addresses within any
provider-generated confirmation email messages or any product/listing description fields.

4.3 Governance and review of the code of conduct

If Customers identify possible infringements of this Code of Conduct, they should first contact CARUSO
support. CARUSO will then investigate the matter and take appropriate measures within a reasonable
timeframe.

CARUSO is responsible for the governance of this code of conduct. CARUSO will regularly review the
Code of Conduct based on changes to applicable EU data protection law. CARUSO Customers will be
informed of any future change of this Code of Conduct.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 21/30
5 Annex 5 – Data Processing Agreement

Agreement on Order Processing

pursuant to Art. 28 GDPR

between

Customer
(Responsible Party - hereinafter referred to as Data Controller or Customer)

and

Caruso GmbH
Steinheilstraße 10
85737 Ismaning, Germany
(Contractor, hereinafter referred to as Data Processor or ”CARUSO”)

5.1 Subject Matter and Duration of the Contract

5.1.1 Subject and Duration

Subject and duration of the agreement are bound to the services from the agreement "Terms
and Conditions CARUSO Dataplace”

5.2 Concretization of the Order Content

5.2.1 Nature and Purpose of the proposed Processing of Data

The nature and purpose of the proposed processing of data are described in the following
Sections of this agreement "Terms and Conditions CARUSO Dataplace”:

– Section 3 “Marketplace Portal Account”

– Section 4 “Data Delivery”

– Annex 2 " Data Delivery Agreement - Terms & Conditions for In-Vehicle Data”

The provision of the contractually agreed data processing takes place exclusively in a member
state of the European Union or in another contracting state of the Agreement on the European
Economic Area.

Any relocation to a third country shall require the prior consent of the contracting authority and
may take place only if the special conditions of Art. 44 et seq. of the EC Treaty are fulfilled and
if GDPR regulations for transfer of personal data to third countries or to international
organizations are met.

5.2.2 Type of Data

The type of personal data used is specifically described in the service agreement in Section 3
“Marketplace Portal Account” and Section 4 “Data Delivery”.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 22/30
5.2.3 Categories of Data Subjects

The categories of data subjects involved in the processing are specifically described in the
service agreement in Section 3 “Marketplace Portal Account” and in Section 4 “Data Delivery”.

5.3 Technical-Organizational Measures (TOMs)

5.3.1 CARUSO shall document the implementation of the technical and organizational measures
outlined and required prior to the award of the contract prior to commencement of processing,
in particular with regard to the concrete execution of the contract, and shall hand them over to
the Customer for inspection. If accepted by the Customer, the documented measures become
the basis of the order. If the inspection/audit of the Customer reveals a need for adjustment,
this must be implemented by mutual agreement.

5.3.2 CARUSO shall provide the security pursuant to Art. 28 para. 3 lit. c, 32 GDPR in particular in
conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data
security measures and measures to ensure a level of protection appropriate to the risk in terms
of confidentiality, integrity, availability and resilience of the systems. In doing so, the state of
the art, the implementation costs and the type, scope and purpose of the processing as well
as the different probability of occurrence and severity of the risk for the rights and freedoms of
natural persons within the meaning of Art. 32 para. 1 GDPR shall be taken into account

5.3.3 The technical and organizational measures shall be subject to technical progress and
development. In this respect, CARUSO is permitted to implement alternative adequate
measures. The safety level of the defined measures must not be undercut. Material changes
must be documented.

5.3.4 The technical and organizational measures of CARUSO are set out in Annex 6 of this
agreement.

5.4 Correction, Limitation and Deletion of Data

5.4.1 CARUSO may not correct, delete or restrict the processing of the data processed on behalf of
the Customer without authorization, but only in accordance with documented instructions from
the Customer. If a person concerned directly addresses CARUSO in this respect, CARUSO
shall immediately forward this request to the Customer.

5.4.2 As far as included in the scope of services, the deletion concept, right to be forgotten,
correction, data portability and information are to be ensured directly by CARUSO according
to documented instructions of the Customer.

5.5 Quality Assurance and other Obligations of the Contractor

5.5.1 In addition to compliance with the provisions of this contract, CARUSO shall have statutory
obligations pursuant to Art. 28 to 33 GDPR; to this extent, CARUSO shall in particular ensure
compliance with the following requirements:

a) Written appointment of a data protection officer who carries out his duties in accordance
with Art. 38 and 39 GDPR. You can reach the data protection officer via the e-mail address
[email protected] or our postal address with the addition "Data protection".

b) Maintaining confidentiality pursuant to Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4

GDPR. In carrying out the work, CARUSO shall only employ employees who are obliged

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 23/30
 to maintain confidentiality and who have been familiarized beforehand with the relevant
data protection provisions. CARUSO and any person under its authority who has access
to personal data may process such data only in accordance with the instructions of the
Customer, including the powers conferred by this Agreement, unless they are required to
do so by law.

c) The implementation of and compliance with all technical and organizational measures
required for this contract pursuant to Art. 28 para. 3 sentence 2 lit. c, 32 GDPR..

d) The contracting authority and CARUSO shall, on request, cooperate with the Supervisory
Authority in the performance of its tasks.

e) Immediate information to the contracting authority on control actions and measures taken
by the supervisory authority in so far as they relate to this contract. This shall also apply if
a competent authority investigates the processing of personal data in the course of an
administrative offence or criminal proceeding at CARUSO's premises.

f) Insofar as the Customer is subject to inspection by the supervisory authority, administrative

offence or criminal proceedings, the liability claim of a person concerned or a third party or
any other claim in connection with the processing of the order by CARUSO, CARUSO shall
support the Customer to the best of its ability.

g) CARUSO shall regularly monitor internal processes and technical and organizational
measures in order to ensure that processing within its sphere of responsibility is carried
out in accordance with the requirements of the applicable data protection legislation and
that the rights of the data subject are protected.

h) Verifiability of the technical and organizational measures taken vis-à-vis the Customer
within the scope of his control powers in accordance with Section 7 of this contract.

5.6 Subcontracting Relationships

5.6.1 For the purposes of this regulation, subcontracting shall mean services which relate directly to
the provision of the principal service. This does not include ancillary services which CARUSO
uses, e.g. as telecommunications services, postal/transport services, maintenance and user
services or the disposal of data carriers as well as other measures to ensure the confidentiality,
availability, integrity and resilience of the hardware and software of data processing systems.
CARUSO shall, however, be obliged to take appropriate and legally compliant contractual
agreements and control measures to guarantee the data protection and data security of the
Customer's data even in the case of outsourced ancillary services.

5.6.2 CARUSO may only commission subcontractors (further contract processors) with the prior
express written or documented consent of the Customer. The Customer agrees to the
commissioning of the subcontractors named in Annex 7: List of subcontractors under the
condition of a contractual agreement in accordance with Art. 28 para. 2-4 GDPR: Outsourcing
to sub-contractors or changing the existing sub-contractor is permissible, insofar as CARUSO
notifies the Customer of such outsourcing to subcontractors in writing or in text form a
reasonable period in advance, and the customer does not object to the planned outsourcing in
writing or in text form to CARUSO up to the time the data is transferred, and a contractual
agreement in accordance with Art. 28 para. 2-4 GDPR is applied.

5.6.3 The passing on of personal data of the Customer to the subcontractor and his first action are
only permitted when all requirements for subcontracting have been met.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 24/30
5.6.4 If the subcontractor renders the agreed service outside the EU/EEA, CARUSO shall ensure
that it is permissible under data protection law by taking appropriate measures. The same
applies if service providers within the meaning of para. 1 sentence 2 are to be used.

5.6.5 Further outsourcing by the subcontractor requires the express consent of the main contractor
(at least in text form) all contractual regulations in the contract chain must also be imposed on
the further subcontractor.

5.7 Control Rights of the Customer

5.7.1 The Customer shall have the right to carry out inspections in consultation with CARUSO or to
have them carried out by inspectors to be appointed in individual cases. He shall have the right
to convince himself of CARUSO's compliance with this Agreement in his business operations
by means of spot checks, which as a rule must be notified in good time.

5.7.2 CARUSO shall ensure that the Customer can satisfy himself that the obligations of CARUSO
under Art. 28 GDPR have been complied with. CARUSO undertakes to provide the Customer
with the necessary information upon request and, in particular, to prove the implementation of
the technical and organizational measures.

5.7.3 Evidence of such measures, which do not relate only to the specific contract, may be provided
by compliance with approved rules of conduct pursuant to Art. 40 GDPR or certification in
accordance with an approved certification procedure pursuant to Art. 42 GDPR or current
certificates, reports or report extracts from independent bodies (e.g. auditors, auditors, data
protection officers, IT security department, data protection auditors, quality auditors) or a
suitable certification through an IT security or data protection audit.

5.8 Notification of Infringements by the Contractor

5.8.1 CARUSO shall assist the Customer in complying with the obligations set out in Articles 32 to
36 of the GDPR regarding the security of personal data, reporting obligations in the event of
data breakdowns, data protection impact assessments and prior consultations. This includes
among others

a) ensuring an adequate level of protection through technical and organizational measures

which take into account the circumstances and purposes of the processing and the
predicted likelihood and severity of a possible breach of rights due to security vulnerabilities
and allow the immediate detection of relevant breach events

b) the obligation to report violations of personal data to the Customer without delay

c) the obligation to assist the contracting authority within the framework of its duty to inform
the data subject and to make all relevant information available to the data subject without
delay in this connection

d) the support of the Customer for his data protection impact assessment

e) the support of the Customer within the framework of prior consultations with the supervisory
authority

5.8.2 CARUSO may claim remuneration for support services which are not included in the service
description or which are not attributable to a misconduct on the part of CARUSO.

5.9 Authority of the Customer to issue Instructions

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 25/30
5.9.1 Oral instructions shall be confirmed by the Customer without delay (at least in text form).

5.9.2 CARUSO shall inform the customer immediately if he is of the opinion that an instruction
violates data protection regulations. CARUSO is entitled to suspend the execution of the
corresponding instruction until it has been confirmed or changed by the Customer.

5.10 Deletion and return of personal data

5.10.1 Copies or duplicates of the data shall not be made without the knowledge of the Customer.
Excluded from this are backup copies, insofar as they are necessary to ensure proper data
processing, as well as data which are necessary with regard to compliance with statutory
storage obligations.

5.10.2 Upon completion of the contractually agreed work or earlier upon request by the Customer - at
the latest upon termination of the performance agreement - CARUSO shall hand over to the
Customer all documents, processing and usage results as well as data stocks which have
come into his possession and which are connected with the contractual relationship, or destroy
them in accordance with data protection regulations after prior consent. The same applies to
test and scrap material. The deletion log shall be provided on request.

5.10.3 Documentations which serve as proof of the orderly and proper data processing shall be stored
by CARUSO beyond the end of the contract in accordance with the respective retention
periods. He may hand them over to the Customer to discharge him at the end of the contract.

5.11 Entry into force

5.11.1 This annex (Agreement on Order processing pursuant to Art. 28 DSGVO) shall enter into force
upon signature of the agreement "Terms and Conditions CARUSO Dataplace".

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 26/30
6 Annex 6 – Technical and Organizational Measurements

Technical and Organizational Measures of Caruso GmbH

according to Art. 25 Para. 1 and Art. 32 Data Protection Regulation (GDPR)
Version: 01.04 / Status: Feb. 2021

6.1 Confidentiality
(Art. 32 para. 1 lit. b GDPR)

6.1.1 Entry Control

CARUSO controls access to company properties through a combination of access control

system, personal control at reception, manual locking system and security locks. Visitors are
controlled in the building by escorts. Outside personnel, cleaning staff, etc. are carefully
selected.

CARUSO uses Amazon Web Services as a cloud service provider for application hosting, as
well as data storage. AWS data centers are protected and controlled using AWS technical
organizational measures.

6.1.2 Access Control

All access to data systems is secured by identifying and authenticating users via strong
passwords and behavioral instructions to lock down and confidentially handle sensitive data.
Only appropriately authenticated users are granted access to systems.

Unauthorized activities in the Data Processor’s systems are prevented by restricted

authorizations. Users are granted only those authorizations and accesses that are required for
the performance of their activities; guest accesses in the system and network are accordingly
separated, respectively restrictively regulated. Accesses are blocked or deleted after the need
for access has expired. In principle, two-factor authentication is required for all accesses.

CARUSO uses Amazon Web Services (AWS) as a cloud service provider for application
hosting and data storage. Access via the Internet is, in addition to the measures described
above, protected and controlled by AWS using the technical organizational measures of AWS.

6.1.3 Separability

CARUSO separates data collected for different purposes by storing it in separate systems.
Within the same system, access control and authorizations ensure that access to data that is
not required or unauthorized access is not possible. Development, test and production systems
do not exchange data with each other that has not been subjected to prior pseudonymization
(see there).

For special purposes, Customers may be provided with sandbox systems for development and
testing, to which only restricted and limited access is granted.

6.1.4 Pseudonymization (Art. 32 Para. 1 lit. a GDPR; Art. 25 Para. 1 GDPR)

Data used from the productive system for testing purposes is pseudonymized before use,
anonymized if possible. In the production system, personal data is only processed with
reference to individuals if this is required for the fulfillment of the purpose.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 27/30
6.2 Integrity
(Art. 32 (1) (b) GDPR)

6.2.1 Transfer Control

Data is transferred and passed on via the Internet using protected and secure communication
(certificate-based). Data is not passed on via data carriers.

6.2.2 Input Control

The data processing systems of CARUSO are subject to the usual logging according to the
standard of the systems used.

6.3 Availability and Resilience

(Art. 32 (1) (b) GDPR)

6.3.1 Availability control

CARUSO uses Amazon Web Services as a cloud service provider for application hosting, as
well as data storage. The technical organizational measures of AWS ensure availability and
resilience for this data.

CARUSO does not operate any company-owned servers on company premises. All premises
are equipped with fire protection facilities in accordance with statutory regulations.

6.3.2 Recoverability (Art. 32 para. 1 lit. c GDPR)

CARUSO uses Amazon Web Services as a cloud service provider for application hosting, as
well as data storage. The technical organizational measures of AWS ensure recoverability for
this data.

6.4 Procedures for regular Review, Assessment and Evaluation

(Art. 32 (1) (d) GDPR; Art. 25 (1) GDPR)

6.4.1 Data Protection Management

An external data protection officer is appointed to perform the advisory and control functions.

Employee sensitization includes data protection instruction at the start of employment, and
personal sensitization by the external data protection officer in individual cases.

As part of the internal procedure directory, the data flows are documented and the permissibility
of the processing and use is proven in accordance with the GDPR. Any necessary prior checks
are already integrated at the planning stage.

6.4.2 Incident Response Management

IT relevant aspects of a data protection compliance audit:

– Documented processes to ensure data subject rights are in place.

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 28/30
 – Documentation of notification processes for breaches in accordance with Art 33, 34
DSGVO is available

– An emergency plan exists

6.4.3 Data Protection-friendly Default Settings (Art. 25 (2) GDPR)

The controller takes appropriate technical and organizational measures to ensure that, by
means of default settings, only personal data whose processing is necessary for the respective
specific processing purpose is processed as a matter of principle.

– Specifications in the system development process or in the system adaptation

– Differentiated authorization concept

– Storage periods are part of the contractual regulation

6.4.4 Order Control

No commissioned data processing within the meaning of Art. 28 GDPR without corresponding
instructions from the Customer:

– Clear contract design in accordance with Art. 28 GDPR - Commissioned processing.

– Formalized order management

– Obligation of CARUSO's employees to maintain confidentiality

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 29/30
7 Annex 7 – List of Subprocessors

List of subprocessors of Caruso GmbH for the purpose of operating and maintaining the
CARUSO Dataplace

Name Address Purpose GDPR Regulation

Amazon Web 38 Avenue John F. Hosting the platform, Data Privacy Agreement
Services EMEA Kennedy, services and work
SARL L-1855 Luxemburg environments
Luxemburg
Atlassian. Pty Ltd Level 6, 341 George Provision and operation Data Privacy Agreement /
Street of the support platform. EU Model Clauses
Sydney NSW 2000
Australia
Auth0, Inc. 10800 NE 8th Street, Holding of authentication Data Privacy Agreement
Suite 600, Bellevue, information and verifying
WA 98004, access credentials
U.S.A. (IDaaS)
Microsoft One Microsoft Way, Provision and operation Data Privacy Agreement /
Corporation Redmond, WA 98052, of the Microsoft 365 EU Model Clauses
U.S.A. platform.
Stripe Payments The One Building; 1 Charging and crediting Data Privacy Agreement
Europe, Limited Grand Canal Street payment transactions on
Lower; Dublin 2; Co. the CARUSO Dataplace
Dublin; Ireland
Zuora, Inc. 3050 S. Delaware Invoicing business Data Privacy Agreement
Street, Suite 301; San transactions on the
Mateo, CA 94403; CARUSO Dataplace and
U.S.A. managing the product
catalogue

Terms and Conditions CARUSO Dataplace

Last updated on 2021-03-01 30/30