US Data Protection Law Addendum

PART 1: DEFINITIONS (applicable to this exhibit only)

a) “Consumer” means a natural person whose personal information is Processed.

b) “Personal Information” means personal information or personal data (as such terms are defined under the US Data Protection Laws) concerning visitors that Optimizely, in its capacity as Customer’s Service Provider, processes on behalf of Customer through the Software Services, and excluding any personal information that Optimizely processes in its capacity as a Business.

c) “Instructions” means Customer’s instructions to Optimizely: (i) to provide the Software Service to Customer in accordance with the features and functionalities of the Software Service and related Documentation; (ii) through Authorized User-initiated actions on and through the Software Service or otherwise based on Customer’s configuration and use of the Software Service; (iii) contained in the Agreement and/or any applicable Order Form; and (iv) mutually agreed by the Parties in writing.

d) “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Information.

e) “US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including, but not limited to, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”), the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, and any regulations promulgated pursuant to any such Act, as applicable.

f) “Verifiable Consumer Request” means the rights asserted by any individual in relation to Personal Information under the US Data Protection Laws.

g) “Business”,“Controller”, “Service Provider”,“Processor”, “Process”, “Sale”, and “Share” shall have the meanings set forth in the US Data Protection Laws.

PART 2: MANDATORY CLAUSES

1. RELATIONSHIP AND OVERVIEW OF PROCESSING . With respect to the Software Service, the Parties agree that: (i) Customer is considered the Business or Controller and will comply with its obligations as a Business and Controller under the US Data Protection Laws; and (ii) Optimizely is considered a Service Provider or Processor and will comply with its obligations as a Service Provider and Processor under the US Data Protection Laws. Customer will provide Personal Information to Optimizely only to the extent permitted by, and in compliance with, the Agreement, and it will ensure that it has all necessary rights and permissions needed to permit Personal Information to be collected and processed in accordance with the Instructions.

2. INSTRUCTIONS FOR PROCESSING .

2.1 Optimizely will process the Personal Information only on behalf of and under the Instructions of Customer and in accordance with US Data Protection Laws. The Agreement and this US Addendum will generally constitute Instructions for the Processing of Personal Information. Customer may issue further written Instructions in accordance with this US Addendum.

2.2 Without limiting the foregoing, Optimizely will not: (i) Sell Personal Information to third-parties or otherwise make Personal Information available to any third party for monetary or other valuable consideration; (ii) Share Personal Information with any third party (this excludes Optimizely Affiliates and Sub-processors); (iii) retain, use, or disclose Personal Information for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by US Data Protection Laws; (iv) retain, use, or disclose Personal Information outside of the direct business relationship between the Parties; or (v) except as otherwise permitted by US Data Protection Law, combine Personal Information with Personal Information that Optimizely receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer.

2.3 Optimizely will limit access to Personal Information to personnel who have a business need to access such Personal Information, and will ensure that personnel handling Personal Information are subject to adequate confidentiality obligations that persist beyond the contractual relationship with the personnel.

2.4 Optimizely will provide Customer with information and support to enable Customer to conduct and document any data protection assessments as required under US Data Protection Law. In addition, Optimizely will notify Customer promptly if Optimizely determines that it can no longer meet its obligations under US Data Protection Laws.

2.5 Customer will have the right to take reasonable and appropriate steps to ensure that Optimizely uses Personal Information in a manner consistent with Customer’s obligations under US Data Protection Law.

3. AUDIT OBLIGATIONS .

3.1 Customer has the right to audit Optimizely's compliance with this US Addendum and US Data Protection Laws, including by way of inspections, and Optimizely shall reasonably cooperate in this regard. The Parties agree that all such audits will be conducted: (i) upon reasonable written notice to Optimizely; (ii) only once per year or more frequently if any audit indicates that Optimizely is in non-compliance with this US Addendum; (iii) only during Optimizely's normal business hours if conducted in form of an inspection; (iv) in a manner that does not disrupt Optimizely's business if conducted in form of an inspection; and (v) only upon entering into a confidentiality agreement with Optimizely.

3.2  To conduct such audit, Customer may engage a third-party auditor subject to such auditor complying with the requirements under Section 3.1 and provided that such auditor is suitably qualified, independent and not a competitor of Optimizely.

3.3 Customer will bear the costs for any audit initiated by Customer, unless the audit reveals material non-compliance with the requirements of this US Addendum.

4. VERIFIABLE CONSUMER REQUESTS . Optimizely has implemented technical and organizational measures to assist Customer with its obligation to respond to Verifiable Consumer Requests for the access and erasure of Personal Information. Optimizely will make this functionality available to Customer during Customer’s Subscription Term. If Optimizely receives a Verifiable Consumer Request from a Consumer that identifies Customer, it will promptly forward that request to Customer. Customer agrees to follow Optimizely’s documented procedures, provide sufficient information to identify records containing relevant Personal Information, and otherwise cooperate with Optimizely’s reasonable requests. Customer must not send duplicative or unnecessary requests to Optimizely (for example, requests for Personal Information not processed by the Software Services).

5. DEIDENTIFIED DATA . If, under US Data Protection Laws, Optimizely receives deidentified data from or on behalf of Customer, then Optimizely will: (i) take reasonable measures to ensure the information cannot be associated with a Consumer; (ii) publicly commit to Process deidentified data solely in deidentified form and not attempt to reidentify the information; and (iii) contractually obligate any recipients of deidentified data to comply with the foregoing requirements and US Data Protection Law.