Term & Conditions — Novel Wallet Pass

TERMS AND CONDITIONS

1. SERVICES AND SUPPORT

1.1 Subject to the terms and conditions of this Agreement, Novel will provide Customer with access to the Services. The Services are hosted software and therefore subject to modification from time to time at Novel’s sole discretion, provided that if Novel reasonably believes a modification will materially adversely affect Customer, Novel will provide Customer prior notice of the applicable modification and Customer may exercise its right to terminate this Agreement for convenience pursuant to

Section 7.1. Novel reserves the right to suspend Customer’s access to the Services in the event Customer is in breach of this Agreement, including failure to pay any amounts due to Novel.

1.2 Subject to the terms hereof, Novel will use commercially reasonable efforts to provide reasonable support to Customer for the Services from Monday through Friday during Novel’s normal business hours.
Novel does not promise that it can fix any problem Customer may be having, and the foregoing shall not be construed as a representation or warranty.

2. THIRD PARTY SERVICES

2.1 Customer acknowledges and agrees that the Services are dependent on the e-commerce storefront services offered to Customer by platforms such as Shopify Inc. (“Shopify”) and the API offered to Novel by such platforms (collectively, the “E-commerce Platform Services”). Novel is not responsible or liable for the E-commerce Platform Services, and it is not a breach of this Agreement if Novel is not able to perform the Services due to unavailability of or errors in the E-commerce Platform Services.

2.2 Wallet passes are dependent on the infrastructures of Apple and Google wallets, which are beyond Novel's control. Novel is not responsible for functioning of these wallets.

2.3 NFTs and Storefront Sales are respectively minted and recorded on the Polygon blockchain protocol and network (the “Polygon Network”) that is outside the control of Novel and subject to many risks and uncertainties. The Polygon Network solely operates on the Ethereum blockchain network (the “Ethereum Network”) and as such is heavily reliant on the functioning of the Ethereum Network.

2.4 Secondary Sales are recorded on the Ethereum Network that is outside the control of Novel. Novel is not responsible or liable for the functioning of the Ethereum Network or the Polygon Network, nor for the acts or omissions of any contributor to the Ethereum Network or Polygon Network that may affect the NFTs, Storefront Sales or Secondary Sales. It shall not be a breach of this Agreement if Novel is unable to perform the Services due to any error or failure on part of the Polygon Network or the Ethereum Network.

2.5 Upgrades to the Ethereum Network, a hard fork in the Ethereum Network, or a change in how transactions are confirmed on the Ethereum Network may have unintended, adverse effects on all blockchains using the Ethereum Network’s NFT standard, including Novel’s Services and the Polygon Network.

2.6 Novel does not give advice or recommendations regarding NFTs, including the suitability and appropriateness of, and investment strategies for, NFTs. Customer understands that Novel will not be responsible for any communication failures, disruptions, errors, distortions or delays Customers may experience when using NFTs, however caused.

2.7 NOVEL DISCLAIMS ALL LIABILITY OF ANY KIND RELATING TO THE ACTS OR OMISSIONS OF THIRD PARTIES THAT ARE OUTSIDE THE CONTROL OF NOVEL, INCLUDING THOSE RELATED TO THE E-COMMERCE PLATFORM SERVICES, APPLE AND GOOGLE WALLETS, THE POLYGON NETWORK, AND THE ETHEREUM NETWORK.

3. RESTRICTIONS AND RESPONSIBILITIES

3.1 Access to the Services may require the Customer to download and/or install certain Novel content, such as a mobile app or other downloadable content from the internet. Such content is part of the Services and subject to all restrictions set forth herein.

3.2 Customer will not, and will not permit any third party to: use the Services to sell or transact any NFTs not originally created or minted on the Services; reverse engineer (except that the foregoing restriction shall not apply to the limited extent applicable law expressly prohibits such a restriction), decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of the Services or any software, documentation or data related to the Services; modify, translate, or create derivative works based on the Services; use the Services for any purpose other than its own internal business purposes; use the Services other than in accordance with this Agreement and in compliance with all applicable laws and regulations (including but not limited to any applicable privacy laws), or in any manner that infringes or violates the intellectual property rights or proprietary rights of any third party; or use the Services in any manner that is harmful, fraudulent, deceptive, threatening, abusive, obscene, libelous, or otherwise objectionable.

3.3 Customer will cooperate with Novel in connection with the performance of this Agreement by making available such personnel and information as may be reasonably required, and taking such other actions as Novel may reasonably request. Customer will also cooperate with Novel in establishing a password or other procedures for verifying that only designated employees of Customer have access to any administrative functions of the Services.

3.4 Customer will designate an employee who will be responsible for all matters relating to this Agreement (“Primary Contact”). Customer may change the individual designated as Primary Contact at any time by providing written notice to Novel.

3.5 Customer will be responsible and liable for maintaining the security of Customer account, passwords and files, and for all uses of Customer’s account with or without Customer’s knowledge or consent.

4. CONFIDENTIALITY; PRIVACY; INTELLECTUAL PROPERTY RIGHTS

4.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose information relating to the Disclosing Party’s technology or business (hereinafter referred to as “Confidential Information” of the Disclosing Party).

4.2 The Receiving Party agrees: (i) not to divulge to any third person any such Confidential Information, (ii) to give access to such Confidential Information solely to those employees with a need to have access thereto for purposes of this Agreement, and (iii) to take the same security precautions to protect against disclosure or unauthorized use of such Confidential Information that the party takes with its own confidential information, but in no event will a party apply less than reasonable precautions to protect such Confidential Information. The Disclosing Party agrees that the foregoing will not apply with respect to any information that the Receiving Party can document (a) is or becomes generally available to the public without any action by, or involvement of, the Receiving Party, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Confidential Information of the Disclosing Party. Nothing in this Agreement will prevent the Receiving Party from disclosing the Confidential Information pursuant to any judicial or governmental order, provided that the Receiving Party gives the Disclosing Party reasonable prior notice of such disclosure to contest such order.

4.3 Customer acknowledges that Novel does not wish to receive any Confidential Information from Customer that is not necessary for Novel to perform its obligations under this Agreement, and, unless the parties specifically agree otherwise, Novel may reasonably presume that any unrelated information received from Customer is not Confidential Information. Customer’s Ethereum Network public address will be made publicly available whenever it engages in a transaction in connection with the Novel Services, and Customer agrees this address is not Customer Confidential Information.

4.4 The terms of this Agreement (including pricing information) are the Confidential Information of Novel, deemed disclosed by Novel.

4.5 As part of the Services, Novel may obtain access to content or data provided by or on behalf of Customer (“Content”), including information about or related to Customer, and/or Wallet Pass holder, and/or NFT Buyers, such as personally identifiable and/or business information. The Content includes the NFTs themselves, along with any underlying material or data associated or used to create the NFTs. The use of Novel’s NFT products by the Customer hereby grants Novel an irrevocable, perpetual, non-exclusive, worldwide, royalty- free right and license to use and exercise all rights in the Content in connection with providing and improving the Services. If the Customer only uses Novel’s other services (such as wallet passes) then this same license is temporarily granted for the duration of the services provided. Notwithstanding anything to the contrary, Novel may collect, use and disclose any information collected in connection with the Services in an aggregate manner in compliance with GDPR regulation.

4.6 As between the parties, Novel (and its licensors, where applicable) will retain all intellectual property rights relating to the Services, including any downloadable content, and any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or any third party relating to the Service, which Customer hereby assigns to Novel. Customer will not copy, distribute, reproduce or use any of the foregoing except as expressly permitted under this Agreement.

4.7 As between the parties, until a Storefront Sale is completed, Customer retains intellectual property rights in any NFTs created and minted through the Services and the Polygon Network, subject to the obligations set forth herein.

4.8 Applicable to Customers of NFT services only:
For Customer and its licensors shall, and Customer hereby represents and warrants that they do, (i) have and retain all right, title and interest (including, without limitation, sole ownership of) all Content distributed through and in connection with the Services (including all NFTs created and minted that are the subject of Storefront Sales, until the applicable Storefront Sale is completed and ownership thereof transfers to the applicable NFT Buyer) and all intellectual property rights with respect to that Content; (ii) have in place a privacy policy concerning its collection and use of personally identifiable information, including that of NFT Buyers, that complies with all applicable laws and does not conflict with the terms of this Agreement in any way; (iii) have and retain all consents necessary in connection with disclosing any Content directly or indirectly to Novel or otherwise in connection with the Services; and (iv) make all disclosures described in (iii) in accordance with all applicable laws, including any applicable privacy laws. As between the parties, Customer shall be solely responsible for ensuring it has obtained consents pursuant to (iii) above. Customer will indemnify Novel from all liability, damages, losses, settlements and other costs and expenses (including without limitation, attorneys’ fees) incurred in connection with any action arising from an alleged violation of this Section

4.8. Although Novel has no obligation to monitor the Content provided by Customer or Customer’s use of the Services, Novel may do so and may remove or block any Content or prohibit any use of the Services it reasonably believes may be (or is alleged to be) in violation of this Agreement (including without limitation by refusing to facilitate a Storefront Sale).

5. PROFESSIONAL SERVICES

5.1 Novel may from time to time perform Professional Services as agreed upon by the parties. Such Professional Services shall be set forth in a separate Statement of Work (“SOW”), that shall include the scope of implementation of services, the anticipated schedule, the fee structure, and the deliverables (if any) to be provided as part of the Professional Services. All SOWs executed pursuant to this Agreement shall be deemed incorporated herein and be subject to the terms and conditions of this Agreement. Any change to the scope of any deliverable, milestone or payment obligation contained in a SOW shall be made only in writing and signed by authorized representatives of Novel and Customer. Customer shall provide Novel with (i) one (1) designated contact for all questions and issues relating to Professional Services; (ii) access to Customer’s facilities and office support as may be reasonably requested by Novel; and (iii) the services of sufficiently qualified Customer personnel as may be reasonably necessary to enable Novel to perform the Professional Services. Customer hereby grants to Novel all rights, licenses and permissions necessary and/or useful in connection with its performance of the Professional Services. Unless otherwise provided in a SOW, Customer acknowledges and agrees that any and all work product resulting from a SOW shall be and remain the sole and exclusive property of Novel, and Novel grants Customer a non-exclusive, non-transferable license to use such work product solely as part of the Services for its internal use consistent with the terms of this Agreement.

6. PAYMENT OF FEES

6.1 Customer will pay Novel the applicable fees as set forth on the Order Form (the “Fees”). Unpaid Fees are subject to a finance charge of one percent (1.0%) per month, or the maximum permitted by law, whichever is lower. Monthly Subscription Fees under this Agreement are exclusive of all taxes, including national, state or provincial and local use, sales, value-added, property and similar taxes, if any. Customer agrees to pay such taxes (excluding U.S. taxes based on Novel’s net income). In the case of any withholding requirements, Customer will pay any required withholding itself and will not reduce the amount paid to Customer on account thereof.

6.2 The revenue share provisions set forth in the Order Form continue indefinitely, including with respect to any Secondary Sale that may occur after the termination of this Agreement. Customer is responsible for informing all NFT Buyers of the amounts owed to Novel hereunder for all Secondary Sales. Customer will not (and will not permit any third party to) attempt to circumvent, by any action or omission, the payment obligations of Customer hereunder (including by concealing any Secondary Sales).

6.3 The Monthly Subscription Fee may change upon at least thirty (30) days’ prior notice to Customer and will become effective upon the next monthly “anniversary” following such thirty (30) day period.

6.4 The Storefront Sale revenue share amount for NFTs may change upon at least thirty (30) days’ prior notice to Customer, provided however that it will only apply with respect to Storefront Sales that occur after the end of such notice period. The Secondary Sale revenue share amount may change upon at least thirty (30) days’ prior notice to Customer, provided however that it will only apply to Secondary Sales of NFTs for which the initial Storefront Sale occurs after the end of such notice period; for clarity, if a Storefront Sale of an NFT has already occurred, Novel may not change the Secondary Sale revenue share amount for such NFT.

7. TERMINATION

7.1 Either party may terminate this Agreement at any time for convenience upon thirty (30) days’ prior written notice to the other party. Either party may also terminate this Agreement at any time for the other party’s material breach, upon fifteen (15) days’ prior written notice to the other party (unless such breach is cured within such notice period). No refunds are granted except as expressly set forth in the Order Form.

7.2 The following provisions shall survive termination of this Agreement: Sections 2, 3.2, 4, 7, 8, 9, 10, and 11.

8. WARRANTY DISCLAIMER
The Services and Novel Confidential Information and anything provided in connection with this Agreement are provided “as-is,” without any warranties of any kind. Novel (and its licensors and suppliers) hereby disclaim all warranties, express or implied, including, without limitation, all implied warranties of merchantability, fitness for a particular purpose, title, non- infringement, or that use of the Services will have a particular result, including the meeting of Customer’s sales goals or those of the NFT Buyers.

9. LIMITATION OF LIABILITY In no event will Novel (or any of its licensors or suppliers) be liable for any indirect, punitive, incidental, special, or consequential damages, or cost of procurement of substitute goods, services or technology, in any way connected with the use of the Services or anything provided in connection with this Agreement, the delay or inability to use the Services or anything provided in connection with this Agreement, including without limitation, loss of revenue or anticipated profits or lost business or lost sales, whether based in contract, tort (including negligence), strict liability or otherwise, even if Novel has been advised of the possibility of damages. The total liability of Novel under any circumstances will not exceed, in the aggregate, the lesser of (i) ten thousand (10,000) dollars, or (ii) the fees paid to Novel hereunder in the twelve (12) month period ending on the date that a claim or demand is first asserted. The foregoing limitations will apply notwithstanding any failure of essential purpose of any limited remedy.

10. U.S. GOVERNMENT MATTERS
Not with standing anything else, Customer may not provide to any person or export or re-export or allow the export or re-export of the Services or any software or anything related thereto or any direct product thereof (collectively “Controlled Subject Matter”), in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. Without limiting the foregoing Customer acknowledges and agrees that the Controlled Subject Matter will not be used or transferred or otherwise exported or re-exported to countries as to which the United States maintains an embargo (collectively, “Embargoed Countries”), or to or by a national or resident thereof, or any person or entity on the U.S. Department of Treasury’s List of Specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders (collectively, “Designated Nationals”). The lists of Embargoed Countries and Designated Nationals are subject to change without notice. Use of the Service is representation and warranty that the user is not located in, under the control of, or a national or resident of an Embargoed Country or Designated National. The Controlled Subject Matter may use or include encryption technology that is subject to licensing requirements under the U.S. Export Administration Regulations. As defined in FAR section 2.101, any software and documentation provided by Novel are “commercial items” and according to DFAR section 252.2277014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.

11. MISCELLANEOUS
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by Customer except with Novel’s prior written consent; any assignment or transfer without such consent is void. Novel may transfer and assign any of its rights and obligations under this Agreement with written notice to Customer. Both parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Novel in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; and upon receipt, if sent by certified or registered mail (return receipt requested), postage prepaid. Novel will not be liable for any loss resulting from a cause over which it does not have direct control. This Agreement will be governed by the laws of the State of California, U.S.A. without regard to its conflict of laws provisions. The federal and state courts sitting in San Francisco County, California, U.S.A. will have proper and exclusive jurisdiction and venue with respect to any disputes arising from or related to the subject matter of this Agreement, provided that either party may seek injunctive relief in any court of competent jurisdiction.

DATA PROCESSING ADDENDUM

This Novel Data Processing Addendum (“Addendum”) amends and forms a part of the written or electronic agreement(s) (the “Agreement”) by and between the legal entity subject to the Agreement (“Customer”) and Novel Commerce Inc. (“Novel”), a Delaware, United States corporation with offices in New York, NY, governing the Customer’s use of Novel’s products and services (the “Service”). Capitalized terms not otherwise defined in this Addendum shall have the same definitions as in the Agreement or the meaning ascribed to the corresponding terms in the applicable Data Protection Legislation.

Definitions

“Business”, “Controller”, “Processor”, “Processing/Process/ Processed”, and “Service Provider” shall be given the meanings given to them by the applicable Data Protection Legislation.

“Data Subject” means the identified or identifiable natural person to whom Personal Information relates.

“Data Subject Request” means the exercise by Data Subjects of their rights in accordance with applicable Data Protection Legislation in respect of Personal Information.

“Data Protection Legislation” means, collectively: (i) the GDPR, (ii) the California Consumer Privacy Act. as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §§ 1798.100 – 1798.199.100, and the California Consumer Privacy Act Regulations issued thereto, Cal. Code Regs. tit. 11, div. 6, ch. 1, as amended (together, the “CCPA”), (iii) any other data protection laws, including regulations implementing or made pursuant to those laws, including those which amend, replace, re-enact, or consolidate any data protection laws, (iv) applicable data breach notification statutes, and (v) all other applicable laws relating to Processing of Personal Information and privacy that may exist in any relevant jurisdiction, to the extent applicable to the relevant Personal Information or Processing thereof under the Agreement.

“EEA” means the European Economic Area.

“GDPR” stands for “General Data Protection Regulation” and means: (i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); (ii) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).

“Personal Information” means information that constitutes “Personal Data,” “Personal Information,” “Personally Identifiable Information,” or similar information as defined by applicable Data Protection Legislation that Novel Processes pursuant to the Agreement.

“Personal Data Breach” means a breach of Novel’s security that has resulted in the accidental or unlawful destruction, acquisition, loss, alteration, unauthorized disclosure of, or access to, Personal Information in Novel’s possession, custody, or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

“Relevant Body” (i) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or (ii) in the context of the EEA and EU GDPR, means the European Commission.

“Restricted Country” (i) in the context of the UK, means a country or territory outside the UK; and (ii) in the context of the EEA, means a country or territory outside the EEA (which shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of the Trade and Cooperation Agreement between the EU and the UK), that the Relevant Body has not deemed to provide an “adequate“ level of protection for Personal Information pursuant to a decision made in accordance with Article 45(1) of the GDPR.

“Restricted Data Transfer” means the disclosure, grant of access, or other transfer of Personal Information to: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision by the European Commission pursuant to Article 45 of the GDPR; and (ii) in the context of the UK, any country or territory outside the UK which does not benefit from an adequacy decision by the UK Information Commissioner’s Office pursuant to Article 45 of the GDPR.

“Security Measures” means the technical and organizational security measures to be applied by Processor in respect of Personal Information, as set out in Appendix 2.

“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU SCCs”); and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) Data Protection Act 2018 (“UK IDTA“) (in each case, as updated, amended or superseded from time to time).

“Supervisory Authority” means: (i) in the context of the EU GDPR, any authority within the meaning of Article 4(21) of the EU GDPR; and (ii) in the context of the UK GDPR, the UK Information Commissioner’s Office.

“UK” means the United Kingdom of Great Britain and Northern Ireland.

Data Protection

In the course of Novel providing the Service under the Agreement, Customer may from time-to-time provide or make available Personal Information to Novel for the limited and specific purposes of providing the Service under the Agreement. The Parties acknowledge and agree that, in relation to any such Personal Information provided or made available to Novel for Processing by Novel under the Agreement, the Customer will be the Controller and Novel will be the Processor for the purposes of the GDPR and the Customer will be the Business and Novel will be the Service Provider for purposes of the CCPA.

When Novel Processes Personal Information in the course of providing the Service, Novel will:

1) process the Personal Information as a Data Processor, for the purpose of providing the Service in accordance with documented instructions from the Customer (provided that such instructions are commensurate with the functionalities of the Service), to perform Novel’s obligations and exercise Novel’s rights under the Agreement, including to maintain records relating to the Service and comply with any legal or self-regulatory obligations relating to the Service, and as may subsequently be agreed to by the Customer. Novel is prohibited from retaining, using, or disclosing Personal Information provided by the Customer (“Customer Data”) for any purpose other than for the specific purpose of performing the Services specified in the Agreement, unless otherwise expressly permitted by applicable Data Protection Legislation. If Novel is required by applicable laws to Process the Personal Information for any other purpose, Novel will provide the Customer with prior notice of this requirement, unless Novel is prohibited by such laws from providing such notice;

2) notify the Customer if it cannot follow the Customer’s instruction for the Processing of Personal Information because, in Novel’s opinion, the instruction infringes applicable Data Protection Legislation;

3) notify the Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Novel’s Processing of the Personal Information;

4) upon Customer’s written request, provide Customer with such assistance as may be reasonably necessary and technically feasible in fulfilling its legal obligations under Data Protection Legislation, including data protection impact assessments and prior consultations with Supervisory Authorities which Novel reasonably considers to be required of it by Data Protection Legislation, in each case solely in relation to Processing of Personal Information by, and taking into account the nature of the Processing by, and information available to, Novel;

5) upon the Customer’s written request, provide the Customer with such reasonable assistance as may be necessary and technically possible, taking into account the nature and circumstances of the processing and Novel’s role as a processor, to allow the Customer to fulfill its obligation to respond to Data Subject Requests;

6) upon receipt of any Data Subject Request that relates to Personal Information that Novel Processes for the Customer, Novel may advise the Data Subject to submit the request to Customer and Customer is solely responsible for responding to any such requests. Novel’s notification of or response to a Data Subject Request under this Section is not an acknowledgment by Novel of any fault or liability with respect to the Data Subject Requests;

7) implement and maintain appropriate technical and organizational measures designed to protect Personal Information and ensure a level of security appropriate to the risk. Novel’s measures comprise those documented in the Security Measures listed in Appendix 2;

8) provide the Customer, upon the Customer’s reasonable written request, with up-to-date attestations, reports or extracts thereof, where available, from a source charged with auditing Novel’s data protection practices (e.g., external auditors, internal audit, data protection auditors), or suitable certifications, to enable the Customer to assess compliance with the terms of this Addendum;

9) comply with applicable obligations under Data Protection Legislation and reasonably ensure its employees, agents, and service providers, comply with the obligations and restrictions applicable to Novel under applicable Data Protection Legislation. Novel shall reasonably notify Customer if it decides it can no longer meet its obligations. Upon such notification, Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Data;

10) notify the Customer promptly upon becoming aware of any confirmed Personal Data Breach impacting Customer Data. The Customer is solely responsible for complying with Data Breach notification laws applicable to the Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Novel’s notification of, or response to, a Personal Data Breach under this Section is not an acknowledgment by Novel of any fault or liability with respect to the Personal Data Breach;

11) ensure that its personnel who access the Personal Information have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; and

12) upon termination of the Agreement or expiry of Service involving the Processing of Personal Information, Novel shall cease all Processing of Personal Information related to such Service except as set out in this Section. If the Customer requests a copy of such Personal Information within 30 days of termination, Novel will provide the Customer with a copy of such Personal Information.

The Customer shall ensure that it is entitled to give access to the relevant Personal Information to Novel so that Novel may lawfully Process Personal Information in accordance with the Agreement on the Customer’s behalf. The Customer shall:

1) Comply with its obligations under the Data Protection Legislation which arise in relation to this Addendum, the Agreement, and the receipt of the Service; and

2) Not do or omit to do anything which causes Novel (or any Subprocessor) to breach any of its obligations under the Data Protection Legislation.

3) Reasonably inform Novel of any inquiry or request and any necessary information regarding Novel’s compliance with Data Protection Legislation, should the Customer receive an inquiry or request.

In the course of providing the Service, the Customer acknowledges and agrees that Novel may use subprocessors to Process Personal Information. Novel’s use of any specific Subprocessor to Process Personal Information must be in compliance with Data Protection Legislation and must be governed by a contract between Novel and the Subprocessor. Customer acknowledges its obligation to review the list after being notified. Customer may object to such changes in writing setting out its reasonable concerns in detail within 14 days from the date of the notification. If the Customer does not object to such changes, Novel shall have the right to continue to Process the Personal Information in accordance with the terms of this Addendum, including using the relevant subprocessors. If the Customer objects, Novel shall consult with the Customer, consider the Customer’s concerns in good faith, and inform the Customer of any measures taken to address the Customer’s concerns. If the Customer upholds its objection and/or demands significant accommodation measures which would result in a material increase in cost to provide the Services, Novel shall be entitled to increase the fees for the Service following a 30-day notice or, at its option, terminate the Agreement.

As part of providing the Service, Data Subject’s Personal Information will be Processed in the United States. Such Processing will be completed in compliance with relevant Data Protection Legislation.

Customer acknowledges and hereby agrees that Novel may transfer to, access and Process Personal Information in a Restricted Country, as necessary to provide the Service in accordance with the Agreement. Novel will make any such Restricted Data Transfers in compliance with the applicable Data Protection Legislation. If Novel’s compliance with Data Protection Legislation applicable to Restricted Data Transfers is affected by circumstances outside of Novel’s control, including if a legal instrument for Restricted Data Transfers is invalidated, amended, or replaced, then Customer and Novel will work together in good faith to reasonably resolve such non-compliance.

Solely to the extent required to ensure the legality of Restricted Transfers, in the event that the transfer of Personal Information from Controller to Novel involves a transfer of Personal Information, that is subject to GDPR or UK GDPR, to a Restricted Country, the SCCs shall be incorporated by reference and form an integral part of this Addendum with Controller as “data exporter” and Novel as “data importer.” For the purposes of the EU SCCs: (i) Module Two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted; (ii) Clause 7 (Docking Clause) shall not apply; (iii) in Clause 9, Option 2 shall apply and the “time period” shall be 14 days; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17 (Option 1) the EU SCCs shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex 1 and 3 of the EU SCCs shall be populated with the information set out in Appendix 1; and (viii) Annex 2 of the EU SCCs shall be deemed populated with the information set out in Appendix 2. For the purposes of the UK IDTA: (i) the Appendices or Annexes of the UK IDTA shall be populated with the relevant information set out in this DPA; and (ii) the UK IDTA shall be governed by the laws of, and disputes shall be resolved before the courts of, England and Wales. If and to the extent the applicable SCCs conflict with any provision of this Addendum regarding the transfer of Personal Information from Customer to Novel, the SCCs shall prevail to the extent of such conflict.

Miscellaneous

In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement.

The Customer acknowledges and agrees that Novel may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Novel’s website, available at https://novel.com/terms/ and such amendments to the Addendum are effective as of the date of posting. The Customer’s continued use of the Service after the amended Addendum is posted to Novel’s website constitutes the Customer’s agreement to, and acceptance of, the amended Addendum. If the Customer does not agree to any changes to the Addendum, the Customer should cease use of the Service immediately.

Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.

The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the State of California and the laws of the United States applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the State of California with respect to any dispute or claim arising out of or in connection with this Addendum.

Appendix 1 – Data Processing Details

This Appendix includes certain details of the Processing of Personal Information: (i) as required by Article 28(3) of the GDPR; and (ii) where applicable, to populate Appendix 1 to the Standard Contractual Clauses.

Novel’s activities and purpose of the Processing

Novel provides a wallet pass distribution and management platform and integrations and services associated with merchant loyalty and referral programs.

The nature and purpose of the Processing of Personal Information

The processing of certain Personal Information by the Processor on behalf of the Controller in relation to allowing access of the Controller’s users to the Processor’s platform.

The categories of Personal Information to be Processed

Personal Information that Novel receives as described at: https://novel.com/terms.

The categories of Data Subjects to whom Personal Information relates

Data Subjects about whom Novel collects Personal Information in its provision of Service as a Processor, including Customer’s customers (“End-Customers”).

Data Subjects about whom Personal Information is transferred to Novel in connection with its Service as a Processor by, at the direction of, or on behalf of Customer, including End-Customers.

Subject matter and duration of the Processing of Personal Information

The subject matter and duration of the Processing of Personal Information as part of the Service under the Agreement. Start date is the date of installation of Novel by the Customer and is the date Personal Information is first Processed by Processor. End date is the date of termination or expiry of the Agreement. The frequency of the processing is continual and ongoing during the term of the Agreement. Point-in-time data such as End-Customer orders (“Orders”) from Customers from prior to the Start date will not be accessed in at an unaggregated level unless Novel is explicitly requested to do so by the Customer.

Appendix 2 – Security Measures

Novel will implement and maintain the security measures set out in this Appendix 2.

Physical Access Control: Novel shall take reasonable measures to prevent physical access by unauthorized persons to facilities where Personal Information is Processed. Safeguards implemented at data processing facilities are controlled by third-party vendors and may include security personnel, alarm systems, access control systems, and video/CCTV surveillance.

System Access Control: Novel shall take reasonable measures to prevent unauthorized access to systems processing Personal Information. Safeguards implemented may include multi-factor authentication, change management processes, and system-level logging.

Data Access Control: Novel shall take reasonable measures to allow for Personal Information to be accessed and/or managed by authorized personnel only and protect against Personal Information being read, modified, or removed without authorization.

Transmission Control: Novel shall take reasonable measures to prevent the disclosure of Personal Information during transmission. Safeguards implemented will include encryption over public networks.

Data Availability Control: Novel shall take reasonable measures to protect against accidental destruction or loss of Personal Information, Safeguards implemented may include regular backups of Personal Information, restoration testing of Personal Information backups, replication of Personal Information backups across multiple sites, and disaster recovery plans.

Data Segregation Control: Novel shall take reasonable measures to segregate Personal Information on a per customer basis. Safeguards implemented may include application-level controls for logical separation of Personal Information.

Novel may update or modify such Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Service.