Data Processing Agreement
v1.0.0
Exhibit A — Lucky Orange Data Processing Addendum
THIS DATA PROCESSING ADDENDUM ("DPA") forms part of the Terms of Service (the "Agreement") between Lucky Orange and Customer and reflects the parties' agreement with regard to the processing of Customer Personal Data (defined in Section 1). All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
A. Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of its Authorized Affiliates, if and to the extent Lucky Orange processes Personal Data for which such Authorized Affiliates qualify as the Controller; and
B. in providing the Service to Customer pursuant to the Agreement, Lucky Orange may Process Customer Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Data.
C. Lucky Orange and Customer hereby enter into this DPA effective as of the last signature date below. This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of the DPA and Standard Contractual Clauses, the Standard Contractual Clauses will control.
1. Definitions
"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Customer Personal Data in connection with the provision of the Service under the Agreement, including where applicable, the GDPR, UK GDPR, CCPA (as amended by the CPRA), and other applicable U.S. state privacy laws, in each case as amended or replaced from time to time.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
"Authorized Affiliate" means any of Customer's Affiliate(s) which (a) is subject to Applicable Data Protection Laws, and (b) is permitted to use the Service pursuant to the Agreement between Customer and Lucky Orange, but has not signed its own Order with Lucky Orange and is not a "Customer" as defined under the Agreement.
"Breach" means any confirmed breach of security of Lucky Orange's systems that results in the unauthorized or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data processed by Lucky Orange under the Agreement.
"CCPA" is defined in Section 14 of this DPA.
"Customer Personal Data" means Personal Data which is Processed by Lucky Orange on behalf of Customer in connection with the Service.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, applicable as of 25 May 2018, and repealing Directive 95/46/EC (General Data Protection Regulation). As used herein, "GDPR" includes the United Kingdom GDPR and its companion and successor clauses as applicable.
"Service" means the software and services that Lucky Orange provides to Customer as further detailed in the Agreement.
"Standard Contractual Clauses" means the transfer mechanisms set forth in Section 15 of this DPA.
"Controller", "Data Subject", "Personal Data", "Processing", "Processor", "Sensitive Data", "Subprocessor", and "Supervisory Authority" have the meanings set out in Applicable Data Protection Laws.
2. Processing of Personal Data
2.1 The Parties' Roles. The parties agree that with regard to the Processing of Customer Personal Data, Customer is the Controller, Lucky Orange is the Processor, and that Lucky Orange is authorized to engage Subprocessors pursuant to the requirements of this DPA.
2.2 Customer's Instructions. By entering into this DPA, Customer instructs Lucky Orange to Process Customer Personal Data only in accordance with Applicable Data Protection Laws: (a) to provide the Service; (b) as documented in the Agreement, including this DPA; and (c) as further documented in any other lawful written instructions given by Customer and acknowledged by Lucky Orange as constituting instructions for purposes of this DPA.
2.3 Lucky Orange's Responsibilities. Lucky Orange shall keep Customer Personal Data confidential and shall only Process Customer Personal Data on behalf of and in accordance with Customer's documented instructions for Processing, as set forth in the Agreement and this DPA. Lucky Orange shall promptly inform Customer if, in its opinion, any instruction of Customer infringes Applicable Data Protection Laws or if Lucky Orange is required by applicable law to Process Customer Personal Data in a manner which violates those instructions, in which case Lucky Orange will inform Customer of such requirement before Processing unless prohibited by law. Lucky Orange shall not be required to comply with or observe Customer's instructions if such instructions would violate Applicable Data Protection Laws.
2.4 Details and Scope of the Processing. The subject-matter of the Processing of Customer Personal Data by Lucky Orange is the performance of the Service pursuant to the Agreement. The duration of the Processing, the nature, and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects Processed, are further specified in Annex 1 to the Standard Contractual Clauses.
3. Rights of Data Subjects
3.1 Data Subject Requests. To the extent legally permitted, Lucky Orange shall promptly notify Customer if it receives a request from a Data Subject to exercise its rights under Applicable Data Protection Law ("Data Subject Request"). Taking into account the nature of the Processing and at Customer's request, Lucky Orange shall assist Customer through appropriate commercially reasonable organizational and technical measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to a Data Subject Request. To the extent legally permitted, Customer shall be responsible for any costs arising from Lucky Orange's provision of such assistance.
4. Lucky Orange Personnel
4.1 Confidentiality. Lucky Orange shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Personal Data and have executed written confidentiality agreements.
4.2 Limitation. Lucky Orange shall ensure that Lucky Orange's access to Customer Personal Data is limited to those personnel assisting in the provision of the Service in accordance with the Agreement.
5. Subprocessors
5.1 Lucky Orange's Subprocessors. Customer authorizes Lucky Orange's use of Subprocessors with respect to the performance of Lucky Orange's obligations under the Agreement. An up-to-date list of Lucky Orange's Subprocessors is available at https://www.luckyorange.com/legal/subprocessors. Lucky Orange shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Customer the opportunity to reasonably object to such changes. In the event of such an objection, the parties shall work together in good faith to address Customer's concerns. Lucky Orange shall enter into a contract with the Subprocessor whereby Lucky Orange shall require the Subprocessor to comply with obligations no less protective than Lucky Orange's obligations under this DPA.
5.2 Liability for Subprocessors. Lucky Orange shall be liable for the acts and omissions of its Subprocessors to the same extent Lucky Orange would be liable if performing the Service of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. Customer Obligations
6.1 Compliance with Applicable Data Protection Laws. Customer shall, in its use of the Service, Process Customer Personal Data in accordance with Applicable Data Protection Laws. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws, and Customer further acknowledges and agrees that its transfer of Customer Personal Data to Lucky Orange for Processing pursuant to this DPA and the Agreement shall comply with Applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
6.2 Nature of Personal Data. Customer acknowledges and agrees that, except as otherwise set forth in this Section 6 or as expressly set forth in Annex 1 of the Standard Contractual Clauses, Customer Personal Data provided or made available to Lucky Orange for Processing in connection with the Service shall consist of information relating to Customer Data (defined in Section 1 of the Agreement). The categories of Customer Personal Data Processed in connection with the Service are set forth in Annex 1 of the Standard Contractual Clauses.
6.3 Disclosure of Additional Customer Personal Data. To the extent Customer, in its sole discretion, deems it necessary to disclose or otherwise provide to Lucky Orange Customer Personal Data other than the Customer Personal Data set forth in Annex 1, Customer shall: (a) notify Lucky Orange in writing and in advance that it intends to disclose such Customer Personal Data to Lucky Orange, pursuant to a process as specified by Lucky Orange; and (b) ensure that such disclosure is permitted under Applicable Data Protection Laws. Lucky Orange shall have no obligation to Process such Customer Personal Data unless otherwise agreed in writing.
6.4 Sensitive Data. Notwithstanding any provision to the contrary in this DPA, Customer shall not, and shall not permit any third party to, provide Lucky Orange with any Sensitive Data or other high risk Personal Data (including without limitation, special categories of Personal Data under Article 9 of the GDPR), unless otherwise expressly agreed in writing by Lucky Orange. The Service is not designed to Process Sensitive Data, and Lucky Orange shall have no obligation to implement additional safeguards specific to such data. To the extent Customer provides Sensitive Data to Lucky Orange in violation of the foregoing, Customer does so at its own risk and shall be solely responsible for compliance with Applicable Data Protection Laws.
6.5 Lawful Basis. Customer will ensure that it has a lawful basis (as defined under Article 6 of GDPR or, with respect to Sensitive Data, as additionally defined in Article 9 of GDPR), has provided all necessary notices and has obtained all necessary consents and authorizations for all Customer Personal Data it provides to Lucky Orange. If at any time during the Term of this Agreement, Customer discovers that it does not have a lawful basis to provide Lucky Orange any Customer Personal Data, then it shall notify Lucky Orange in writing immediately.
6.6 Indemnity. Customer shall defend, indemnify and hold Lucky Orange harmless from and against all losses, damages, costs, charges, fines, fees, awards or other expenses, (including, without limitation, fines imposed by any Supervisory Authority or other regulator), arising out of or in connection with any action, claim, proceeding or allegation related to (a) Customer's disclosure of Customer Personal Data to Lucky Orange (including Sensitive Data in violation of Section 6.4), or (b) Lucky Orange's Processing of such Personal Data in accordance with the Agreement and the terms of this DPA.
7. Security
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, both Lucky Orange and Customer will implement technical and organizational measures designed to ensure a level of security appropriate to the risk related to the Processing of the Personal Data and to protect Personal Data against any Breach. Lucky Orange shall ensure that Customer Personal Data is properly separated from Personal Data from other customers.
8. Personal Data Breach
8.1 Lucky Orange shall take the following actions in the event of any Breach: (a) Lucky Orange shall notify the Customer about any Breach without undue delay, and in any event within seventy-two (72) hours, after becoming aware of it; (b) provide Customer with reasonable assistance in relation to Customer's obligations to notify any Supervisory Authority or other regulator of the Breach and to the Data Subjects as the case may be; (c) maintain any records relating to the Breach, including the results of its own investigations and authorities' investigations; (d) cooperate with the Customer and take reasonable measures as necessary to prevent the Breach from occurring again; and (e) where Customer reasonably determines that a Breach notification is required under Applicable Data Protection Laws and to the extent the Breach was directly caused by Lucky Orange's breach of Applicable Data Protection Laws, Lucky Orange shall, as its sole liability and Customer's sole remedy under this DPA, reimburse Customer for the direct, verifiable, necessary and reasonably incurred third-party costs of the Customer in the (i) investigation of such Breach, (ii) preparation and mailing of notices to such Data Subjects and any Supervisory Authority or other regulator as required by Applicable Data Protection Laws and (iii) mitigation of any adverse effects of such infringement on a Data Subject.
9. Audits
9.1 Upon not less than thirty (30) days prior written notice by Customer, and not more than once in any twelve (12) month period, Lucky Orange shall permit Customer and/or its authorized agents to audit its written records to the extent reasonably required in order to confirm that Company is complying with its obligations under this DPA or any Applicable Data Protection Law. Any audit shall be conducted in a manner that does not unreasonably interfere with Lucky Orange's business operations, subject to applicable confidentiality obligations in the Agreement.
10. Data Protection Impact Assessments
10.1 Taking into account the nature of the Processing and to the extent required by Applicable Data Protection Laws, upon Customer's reasonable request and at Customer's cost, Lucky Orange shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer's obligations to carry out a data protection impact assessment related to Customer's use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Lucky Orange. Lucky Orange shall provide reasonable assistance to Customer in the cooperation or prior consultation with a Supervisory Authority or other regulator in the performance of its tasks related to this Section 10.1, to the extent required under Applicable Data Protection Laws and taking into account the nature of the Processing and the information available to Lucky Orange.
11. Retention and Deletion of Customer Personal Data
11.1 At the Customer's written election, Lucky Orange shall delete or return all Customer Personal Data, and, in any event, shall delete all copies of Customer Personal Data within ninety (90) days after Lucky Orange's completion of the applicable Service, unless otherwise required by Applicable Data Protection Law.
12. Authorized Affiliates
12.1 Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates.
12.2 Communication. Customer shall remain responsible for coordinating all communication with Lucky Orange under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
12.3 Rights of Authorized Affiliates. Except where Applicable Data Protection Laws require an Authorized Affiliate to exercise a right or seek any remedy under this DPA against Lucky Orange directly by itself, the parties agree that Customer shall (a) exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (b) exercise any such rights under this DPA in a combined manner for all of its Authorized Affiliates together.
13. Indemnity; Limitation of Liability
13.1 Indemnity. In the event a Data Subject brings a claim against Customer and/or Lucky Orange for alleged infringement of the Applicable Data Protection Law, each party shall at its own expense control the defense of any such claim (or its portion of the defense) and remain solely responsible for any costs, expenses and liabilities related thereto, including legal fees or any amounts awarded against it by a court or made by it in settlement; provided however, that where each party is responsible for a portion of the damages suffered by a Data Subject for the same incident or series of incidents, and the Data Subject has recovered full compensation from only one party (the "Compensating Party"), then the Compensating Party shall be entitled to claim back from the other party that portion of the compensation corresponding to the damage caused by such other party.
13.2 Limitation of Liability. For the avoidance of doubt, except as set forth in this Section 13.2, neither party shall be liable to the other party resulting from such other party's infringement of Applicable Data Protection Law. By way of example and not of limitation, in the event a Supervisory Authority or other regulator imposes any fines, penalties or other sanctions on or against a party (the "Infringing Party"), the non-infringing party shall not indemnify or otherwise hold the Infringing Party harmless and the Infringing Party shall not seek indemnification, contribution or other recovery from the non-infringing party in connection therewith.
14. U.S. Specific Provisions
14.1 This Section 14.1 is intended to provide guidance on Lucky Orange's compliance with Cal. Civ. Code § 1798.100 et seq., otherwise known as the "California Consumer Privacy Act of 2018" or "CCPA" as amended by the California Privacy Rights Act of 2020, in addition to all other Applicable Data Protection Laws in the United States, in the performance of the Service. Capitalized terms used throughout this Section 14.1 but undefined elsewhere shall have their respective meanings under Applicable Data Protection Laws. In performing the Service, Lucky Orange operates as Customer's "service provider" or "processor" under Applicable Data Protection Laws. As Customer's service provider or processor, Lucky Orange processes certain personal information, in accordance with Customer's instructions, to fulfill a legitimate business purpose for Customer. The business purpose(s) for which Customer has retained Lucky Orange include any one or more of the following activities: maintaining or servicing Lucky Orange accounts, providing customer service in connection with the Service, processing or fulfilling orders and transactions involving Customer's website patrons, providing advertising or marketing services through the Lucky Orange proprietary tools, providing analytic services, or providing similar services on Customer's behalf. Customer will have the right to take reasonable and appropriate steps to (a) in accordance with Section 9 of this DPA, ensure that Lucky Orange uses Customer Personal Data in a manner consistent with Customer's obligations under the Applicable Data Protection Laws in the United States; and (b) upon reasonable notice to Lucky Orange, stop and remediate the unauthorized Processing of Customer Personal Data by Lucky Orange.
Except as otherwise permitted by Applicable Data Protection Laws in the United States, Lucky Orange shall not (x) retain, use or disclose Customer Personal Data outside of its direct business relationship with Customer or retain, use or disclose Customer Personal Data for any purposes other than the business purposes specified in this DPA or the Agreement; (y) combine Customer Personal Data of Data Subjects that Lucky Orange receives from, or on behalf of, Customer with Customer Personal Data that Lucky Orange receives from, or on behalf of, another person or persons or collects from its own interaction with Data Subjects; and (z) sell or share Personal Data, as those terms are defined by Applicable Data Protection Laws in the United States. To the extent Lucky Orange receives deidentified data from Customer or the Services allow for the deidentification of Customer Personal Data, Lucky Orange represents and warrants that it shall not reidentify, attempt to reidentify, or direct any other party to reidentify any Customer Personal Data that has been deidentified.
15. European Specific Provisions
15.1 EU Standard Contractual Clauses. The Standard Contractual Clauses, published on June 4, 2021 and available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj ("EU Standard Contractual Clauses") apply to transfers of Customer Personal Data by Customer and its Authorized Affiliates from the European Economic Area for Processing directly to Lucky Orange in a third country not deemed by the European Commission to provide an adequate level of data protection. For the purpose of the EU Standard Contractual Clauses, the Customer and its Authorized Affiliates shall be deemed "data exporters." The parties hereby acknowledge and agree that by executing the Agreement and this DPA, the parties have entered into the EU Standard Contractual Clauses with Lucky Orange as the "data importer". The parties further agree that Module 2 (Transfer from Controller to Processor) of the Standard Contractual Clauses is selected with the following in effect: Clause 7 (Docking Clause) shall not apply. The audits described in Clause 8.9 shall be performed in accordance with Section 9 of this DPA. In Clause 9(a) (Use of Subprocessors) – Option 2 shall apply, and the specified time period for providing notice shall be fifteen (15) days. In Clause 11(a) (Redress) – the Optional provision shall not apply. In Clause 17 (Governing Law) – Option 1 shall apply, and Irish law shall govern. In Clause 18(b) (Choice of Forum and Jurisdiction) – the courts of Ireland shall have jurisdiction.
15.2 UK International Data Transfer Addendum. The United Kingdom's International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 ("UK Addendum") applies to transfers of Customer Personal Data by Customer and its Authorized Affiliates from the United Kingdom for Processing directly to Lucky Orange in a third country not deemed by the UK's Information Commissioner's Office to provide an adequate level of data protection. For the purpose of the UK Addendum, the Customer and its Authorized Affiliates shall be deemed "data exporters." The parties hereby acknowledge and agree that by executing the Agreement and this DPA, the parties have entered into the UK Addendum with Lucky Orange as the "data importer". The parties further agree that the UK Addendum shall be completed as follows: Reference to Table 1 shall be satisfied by the information in Section A of Annex I to this DPA. For Table 2, the version of the Approved EU SCCs shall be the EU Standard Contractual Clauses, Controller to Processor module. Reference to Table 3 shall be satisfied by the information in Annexes I, II, and III. For Table 4, neither party shall have the rights outlined in Section 19 of the UK Addendum.
15.3 Swiss Transfers. For transfers from Switzerland, references in the EU Standard Contractual Clauses shall be interpreted to include the following applicable terminology and statutory terms: The Federal Data Protection and Information Commissioner is the competent Supervisory Authority. Swiss law (or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfers pursuant to the Swiss Federal Act on Data Protection of 19 June 1992, as amended ("FADP")) shall be the applicable law for contractual claims under Clause 17 of the EU Standard Contractual Clauses. Switzerland is to be considered as a Member State within the meaning of the EU Standard Contractual Clauses. Data Subjects with their regular place of residence in Switzerland are allowed to bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of the EU Standard Contractual Clauses. References to the GDPR are to be understood as references to the FADP.
Annex I to the Standard Contractual Clauses
This Annex forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Annex.
A. List of Parties
Data exporter:
Name: …
Address: …
Contact person's name, position and contact details: …
Activities relevant to the data transferred under these Clauses: …
Signature and date: …
Role (controller/processor): Controller
Data importer:
Name: Lucky Orange LLC
Address: 8665 W 96th St Suite #100, Overland Park, KS 66212
Contact person's name, position and contact details: Danny Wajcman, Chief Operating Officer, 8665 W 96th St Suite #100, Overland Park, KS 66212
Activities relevant to the data transferred under these Clauses: Performance of Service to Customer under the Agreement.
Signature and date: …
Role (controller/processor): Processor
B. Description of Transfer
Categories of data subjects whose personal data is transferred
The personal data transferred concern the following categories of data subjects:
Customer's website visitors and users
Categories of personal data transferred
The categories of personal data transferred include:
the pages visited
the visitor's mouse movements and clicks
keystroke data
HTML data on a page visited by a visitor (if such HTML data includes Personal Information)
IP address and header information, which includes:
browser type
geolocation
operating system
language
screen resolution
referring URL
Freeform text collected from chat features
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
Nature of processing
The personal data transferred will be subject to the following basic processing activities:
The objective of Processing of Personal Data by the data importer is the performance of the Service pursuant to the Agreement, in particular to provide Lucky Orange's Service. The Processing of Personal Data will be performed in the United States.
Purpose(s) of the data transfer and further processing
See above
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Retention shall be as set forth in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Transfer to Subprocessors is for the performance of processing functions in accordance with instructions of Lucky Orange. Subprocessors shall process for only so long as needed to complete their processing obligations.
C. Competent Supervisory Authority
The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. The supervisory authority is established in Ireland.
EU Business Partners
10 Ashe Street, Clonakilty, County Cork, P85 E4303, Ireland
info@eubusinesspartners.com
Flor McCarthy, Director
Annex II to the Standard Contractual Clauses
This Annex forms part of the Clauses and must be completed and signed by the parties and sets forth a description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The data importer implements the following measures:
pseudonymization and encryption of personal data
ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
user identification and authorization
measures for the protection of data during transmission
protection of data during storage
measures for ensuring physical security of locations at which personal data are processed
measures for ensuring events logging
ensuring system configuration, including default configuration
internal IT and IT security governance and management
measures for certification/assurance of processes and products
ensuring data minimization
ensuring data quality
measures for ensuring limited data retention
ensuring accountability
allowing data portability and ensuring erasure
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
The measures set forth above are required of sub-processors to the extent, and based upon, the nature of the processing carried out by the particular sub-processor.
Version 3/15/24. Copyright © Lucky Orange LLC 2024. All rights reserved.