DPA

This DPA supplements the main service agreement between the parties (the "Main Agreement") and governs the processing of Personal Data by the Processor on behalf of the Controller.


1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including, where applicable, the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act/California Privacy Rights Act ("CCPA/CPRA").
  • "Controller" has the meaning defined in Data Protection Laws (e.g., the party determining the purposes and means of processing).
  • "Processor" has the meaning defined in Data Protection Laws (e.g., the party processing Personal Data on behalf of the Controller).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.


2. Roles and Scope of Processing

2.1. Roles: The parties acknowledge and agree that, for the purposes of the Data Protection Laws, the Controller is the Controller of the Personal Data, and Video Aegis Inc. is the Processor.

2.2. Scope: The Processor shall only process Personal Data to the extent necessary to provide the Services pursuant to the Main Agreement and the instructions of the Controller. Exhibit A (Details of Processing) specifies the subject matter, duration, nature, and purposes of the processing, as well as the types of Personal Data and categories of Data Subjects.

2.3. Controller's Instructions: The Controller instructs the Processor to process Personal Data for the purposes specified in the Main Agreement and this DPA. The Processor shall inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.


3. Processor's Obligations

3.1. Compliance: The Processor warrants that it shall process Personal Data in compliance with the Controller's instructions and all applicable Data Protection Laws.

3.2. Confidentiality: The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security Measures: The Processor shall implement and maintain appropriate technical and organizational measures ("Security Measures") to ensure a level of security appropriate to the risk, as detailed in Exhibit B (Security Measures).

3.4. Assistance: The Processor shall provide reasonable assistance to the Controller in fulfilling the Controller's obligations under Data Protection Laws, including:

  • Responding to requests from Data Subjects (individuals whose data is processed).
  • Conducting Data Protection Impact Assessments (DPIAs) where required.

3.5. Data Transfers: The Processor shall not transfer Personal Data outside of the location agreed upon by the parties (e.g., EU/EEA, US) unless adequate safeguards (such as Standard Contractual Clauses, where required) are in place, and the Controller has been notified.


4. Sub-processing

4.1. Authorization: The Controller provides a general authorization for the Processor to engage Sub-processors, provided the Processor informs the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.

4.2. Obligations: Where the Processor engages a Sub-processor, the Processor shall impose the same data protection obligations as set out in this DPA on the Sub-processor by way of a contract. The Processor remains fully liable to the Controller for the performance of the Sub-processor’s obligations.


5. Data Subject Rights and Requests (CCPA/GDPR)

5.1. Controller Responsibility: The Controller is responsible for handling all requests from Data Subjects (e.g., access, deletion, correction, opt-out).

5.2. Processor Assistance: The Processor shall, taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.

5.3. CCPA/CPRA Compliance:

  • The Processor acknowledges that it is a Service Provider/Contractor under CCPA/CPRA and processes Personal Data only on the Controller's behalf.
  • The Processor shall not sell or share (for cross-context behavioral advertising) the Personal Data received from or processed on behalf of the Controller.
  • The Processor shall not retain, use, or disclose the Personal Data for any commercial purpose other than providing the Services, as specified in the Main Agreement and this DPA.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay, and where feasible, within 12-48 hours of becoming aware of a Personal Data Breach. The notification shall include at least the information required under Data Protection Laws.

7. Termination and Data Return/Deletion

Upon termination or expiry of the Main Agreement, the Processor shall, at the option of the Controller, either return or delete all Personal Data processed on behalf of the Controller, unless required by Data Protection Laws to retain the data. The Processor shall certify the deletion or return upon request.

8. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the State of California, and the parties agree to submit to the exclusive jurisdiction of the courts located in California.