Cooper - AI-Powered Insurance Assistant

This addendum ("Addendum") is entered into as of the last dated signature provided below, and is incorporated and forms a part of the Master Services Agreement ("Agreement") entered into by and between Cooper AI Tech, Inc. ("Cooper AI") and the other party listed on the signature block below ("Customer"). Any terms not defined in this Addendum shall have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum shall supersede and control with respect to the subject matter provided herein.

01. Processor and Subprocessor Relationships

Cooper AI as Processor. In situations where Customer is a Controller of the Customer Personal Data, Cooper AI will be deemed a Processor that is Processing Personal Data on behalf of Customer.

Cooper AI as Subprocessor. In situations where Customer is a Processor of the Customer Personal Data, Cooper AI will be deemed a Subprocessor of the Customer Personal Data.

Limited and Specified Purpose. Cooper AI shall collect, retain, use, disclose, and otherwise process Personal Information solely to perform the Services for, and on behalf of, Customer for the limited and specified purposes described in this Agreement and any documented instructions from Customer (collectively, the "Business Purpose"). Cooper AI shall not process Personal Information for any purpose other than the Business Purpose or as otherwise permitted by applicable law.

02. Processing

Processing Details. The table on the attached Exhibit A describes the subject matter, nature, purpose, and duration of the Processing, as well as the Categories of Personal Data collected and Categories of Data Subjects.

Processing Instructions. Customer instructs Cooper AI to Process Customer Personal Data: (a) to provide and maintain the Services; (b) as may be further specified through Customer's use of the Services; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Cooper AI about Processing Customer Personal Data under this Addendum. Cooper AI will abide by these instructions unless prohibited from doing so by Applicable Laws. Cooper AI will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.

Processing by Cooper AI. Cooper AI will only Process Customer Personal Data in accordance with this Addendum, including the details on Exhibit A, and in accordance with Applicable Law. Cooper AI will not: (a) Sell or Share Customer Personal Data, (b) store, retain, access, use, disclose, Transfer or otherwise Process Customer Personal Data outside of its direct business relationship with the Customer or for any other commercial or business purpose other than the Business Purpose, or (c) combine Customer Personal Data with personal data that Cooper AI receives from, or on behalf of, other persons, or collects from its own interaction with the data subject, except as expressly permitted under Applicable Data Protection Laws. Cooper AI shall provide the same level of privacy protection with respect to Customer Personal Data as required of businesses under the Applicable Data Protection Laws. If Cooper AI updates the Services to update existing or include new products, features, or functionality, Cooper AI may change the Categories of Data Subjects, Categories of Personal Data, Frequency of Transfer, Nature and Purpose of Processing, and Duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.

Customer Processing. Where Customer is a Processor and Cooper AI is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer's Processing of Customer Personal Data. Customer's agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer's agreement with its Controller.

03. Subprocessors

Cooper AI will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks. Cooper AI will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors whether by addition or replacement of a Subprocessor, which allows Customer to have enough time to object to the changes before Cooper AI begins using the new Subprocessor(s). Cooper AI will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and Cooper AI will cooperate in good faith to resolve Customer's objection or concern.

When engaging a Subprocessor, Cooper AI will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of Agreement.

Cooper AI remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Cooper AI will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Cooper AI and the Subprocessor.

04. Restricted Transfers

Cooper AI is currently only operational within the United States, and does not Process any Personal Data of individuals located within the European Union, United Kingdom or Switzerland. If this changes, this Addendum will be amended to incorporate the restrictions provided under other applicable data protection and privacy legal regimes.

05. Security Incident Response

Upon becoming aware of any Security Incident, Cooper AI will: (a) notify Customer without undue delay when feasible, but no later than 48 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Cooper AI's notification of or response to a Security Incident as required by this Addendum will not be construed as an acknowledgment by Cooper AI of any fault or liability for the Security Incident.

06. Audit and Reports

Audit Rights. Cooper AI will give Customer all information reasonably necessary to demonstrate its compliance with this Addendum and Cooper AI will allow for and contribute to audits, including inspections by Customer, to assess Cooper AI's compliance with this Addendum. However, Cooper AI may restrict access to data or information if Customer's access to the information would negatively impact Cooper AI's intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will only exercise its audit rights under this Addendum and any audit rights granted by Applicable Data Protection Laws by instructing Cooper AI to comply with the reporting and due diligence requirements below. Cooper AI will maintain records of its compliance with this Addendum for 3 years after the Addendum ends.

Security Reports. Customer acknowledges that Cooper AI is regularly audited against the standards defined in the Security Policy by independent third-party auditors. Upon written request, Cooper AI will give Customer, on a confidential basis, a summary copy of its then-current Report so that Customer can verify Cooper AI's compliance with the standards defined in the Security Policy.

Security Due Diligence. In addition to the Report, Cooper AI will respond to reasonable requests for information made by Customer to confirm Cooper AI's compliance with this Addendum, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to the Provider Security Contact and may only be made once a year.

07. Coordination and Cooperation

Response to Inquiries. If Cooper AI receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Cooper AI will notify Customer about the request and Cooper AI will not respond to the request without Customer's prior consent. Examples of these kinds of inquiries and requests include a judicial or administrative or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. If allowed by Applicable Law, Cooper AI will follow Customer's reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer's giving of Customer Personal Data to Cooper AI, Cooper AI will assist Customer in fulfilling the request according to the Applicable Data Protection Law. Cooper AI will cooperate with and provide reasonable assistance to Customer, at Customer's expense, in any legal response or other procedural action taken by Customer in response to a third-party request about Cooper AI's Processing of Customer Personal Data under this Addendum.

Security Assessments and ADMTs. If required by Applicable Data Protection Laws, Cooper AI will reasonably assist Customer in completing Customer's cybersecurity audit, risk assessment, and ADMT requirements.

08. Deletion of Customer Personal Data

Deletion by Customer. Cooper AI will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. Cooper AI will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.

Deletion at Addendum Expiration. Upon the termination or expiration of this Addendum, which shall be coterminous with the Subscription Term under the Agreement, Cooper AI will return or delete Customer Personal Data at Customer's instruction unless further storage of Customer Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, Cooper AI will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control. For example, Applicable Laws may require Cooper AI to continue hosting or Processing Customer Personal Data.

09. Limitation of Liability

Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party's total cumulative liability to the other party arising out of or related to this Addendum will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.

Related-Party Claims. Any claims made against Cooper AI or its Affiliates arising out of or related to this Addendum may only be brought by the Customer entity that is a party to the Agreement.

Exceptions. This Addendum does not limit any liability to an individual about the individual's data protection rights under Applicable Data Protection Laws.

10. Term

This Addendum will start when Cooper AI and Customer agree to an Exhibit A for the Addendum and shall be coterminous with the Agreement. However, Cooper AI and Customer will each remain subject to the obligations in this Addendum and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Cooper AI and Cooper AI stops Processing Customer Personal Data.

11. Definitions

"Applicable Laws" means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.

"Applicable Data Protection Laws" means the Applicable Laws that govern how the Services may process or use an individual's personal information, personal data, personally identifiable information, or other similar term.

"Controller" will have the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.

"Customer Personal Data" means Personal Data that Customer uploads or provides to Cooper AI as part of the Services and that is governed by this Addendum.

"Personal Data" will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.

"Processing" or "Process" will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.

"Processor" will have the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.

"Report" means audit reports prepared by another company according to the standards defined in the Security Policy on behalf of Cooper AI.

"Security Incident" means any actual or reasonably suspected unauthorized use, disclosure or acquisition of, or access to, any unencrypted Customer Personal Data, or encrypted Customer Personal Data with the means to unencrypt, including: (i) discovery of the presence of malware, viruses, logic bombs, trojan horses, etc. in its systems; (ii) the unauthorized disclosure of any Customer Personal Data; (iii) Customer Personal Data being in possession of an unauthorized third party; and (iv) any security incident relating to Customer Personal Data which would constitute a violation of Applicable Law.

"Sell" means exchanging, disclosing, making available, transferring or otherwise providing or communicating Personal Data to a third party for monetary or other valuable consideration, or as otherwise defined by Applicable Data Protection Laws.

"Services" means the product and/or services described in the Agreement.

"Share" means sharing, releasing, disclosing, making available, transferring or otherwise providing or communicating Personal Data to a third party for cross-context behavioral advertising, as defined in Applicable Data Protection Laws, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-contextual behavioral advertising for the benefit of a business in which no money is exchanged, or as otherwise defined by Applicable Data Protection Laws.

"Subprocessor" will have the meaning(s) given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.

Exhibit A

Customer Role: Data Processor and Data Controller (for different processing activities)

Cooper AI Role: Data Processor

Subject Matter of Processing: Cooper AI will process Personal Data for the purpose of completing insurance-related tasks. Examples of such tasks include: (a) comparing insurance policies, (b) facilitating submission of requests for insurance quotes, (c) managing policy renewals, (d) comparing insurance quotes, (e) automated submission intake, (f) compliance verification, (g) claims recovery analysis, (h) managing claims intake and claims adjudication and processing.

Duration of Processing: Subscription Term as defined in the Agreement

Nature and Purpose of Processing: To facilitate the Customer's provision of services to its customers, as well as for internal business purposes such as operations, analytics, and reporting

Types of Personal Data: Personal information (name, date of birth, gender, nationality); Contact information (address, email, telephone number); Professional information (employer, job title); Financial information (bank account information, payout from policies, claims information); National or unique identification numbers; Sensitive personal data; Personal life information (dependents or family members); Technical data (IP address, log files); Location data (GPS, geolocation)

Categories of Data Subjects: Customer's customers (which may be consumers) and business contacts; Customer's employees and contingent workers

Cooper AI's Authorized Subprocessors: View current list

Data Processing Addendum