EXHIBIT TO THE TERMS AND CONDITIONS SAAS SERVICES - MALANTAI DATA PROCESSING AGREEMENT
This Data Processing Agreement (together with its Annexes, "DPA") forms part of the Terms and Conditions SaaS Services (the "Agreement") between Malantai Ltd. ("Malantai") and the entity who acquires the Services under the Agreement ("Customer") (each a "Party" and together the "Parties") and is applicable only if and to the extent that relevant Data Protection Laws apply to the Processing of any Personal Data by Malantai on behalf of and under the instructions of the Customer in connection with the Services ("Customer Personal Data").
All capitalized terms not defined herein will have the meaning set forth in the Agreement or under the Data Protection Laws.
DATA PROCESSING TERMS
In the course of providing the Services to Customer pursuant to the Agreement, Malantai may Process Personal Data on behalf of and under the instruction of the Customer. The Parties agree to comply with the following provisions with respect to Personal Data Processed by Malantai as part of the Services to the Customer.
1. DEFINITIONS
1.1. "Data Subject" means the identified or identifiable individual to whom the Personal Data relates, and shall also include "Consumer" as such term is defined under the CCPA.
1.2. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
1.3. "Personnel" means persons authorized by Malantai to Process Personal Data.
1.4. "Data Protection Laws" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR"), and California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (collectively referred to herein as "CCPA").
1.5. "Services" shall have the meaning ascribed to it in the Agreement.
1.6. "Subprocessors" means any entity appointed by Malantai to Process Personal Data on behalf of Customer in connection with the Services.
1.7. "Process" or "Processing", "Controller", "Processor", "Personal Data" and "Supervisory Authority" shall have the meanings given to them in the GDPR. For the purpose of clarity, within this DPA "Controller" shall also mean "Business", "Processor" shall also mean "Service Provider", and "Personal Data" shall also mean "Personal Information", to the extent that the CCPA applies.
2. DATA PROCESSING
2.1. Scope and Roles. This DPA applies when Personal Data is Processed by Malantai as part of Malantai’s provision of the Services. In this context, for the purposes of the GDPR, Customer is the Controller of the Personal Data and Malantai is the Processor of the Personal Data, and for the purposes of the CCPA, Customer is a Business and Malantai is the Service Provider.
2.2. Details of Processing. The details of the Processing of Personal Data are set forth in Annex I-B of this DPA.
2.3. Instructions for Malantai's Processing of Personal Data. Malantai will only Process Personal Data on behalf of and in accordance with Customer's instructions, described in this DPA. Customer instructs Malantai to Process Personal Data for the following purposes: (i) Processing related to the Services in accordance with the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Any other Processing shall only be permitted in the event that such Processing is required by law or binding order of a governmental body to which Malantai is subject, in which case Malantai shall inform Customer of that requirement before engaging in such Processing, unless applicable law prohibits such information on important grounds of public interest. Customer undertakes to provide Malantai with lawful instructions only. Malantai will inform Customer immediately if, in Malantai's opinion, an instruction infringes any provision under Data Protection Laws and will be under no obligation to follow such instruction until the matter is resolved in good faith between the Parties.
2.4. CCPA Provisions. Malantai will not (1) "Sell" or "Share" Personal Information as those terms are defined under the CCPA, (2) retain, use or disclose Personal Information (i) for any purpose other than for the specific purpose of performing the Services, or (ii) outside of the direct business relationship between Customer and Malantai, except as permitted under the applicable Data Protection Laws, and (3) combine Personal Information that Malantai receives or accesses to it from the Customer, or receives from the Data Subject directly or which Malantai collects from its own interaction with a Data Subject with that of another person, except as permitted under the applicable Data Protection Laws. Customer will not transfer and/or disclose "Sensitive Personal Information" (as defined under the CCPA) to Malantai, unless (i) it has expressly notified Malantai in writing; (ii) Customer provides Malantai specific instructions regarding such Sensitive Personal Information, and in such a case, Malantai will not retain or use such Sensitive Personal Information other than in accordance with such instructions.
2.5. Notice and Legal Basis. Customer will document and provide all necessary notices to Data Subjects and receive all necessary permissions and consents, to the extent required under applicable Data Protection Laws or otherwise implement and document the required lawful basis of Processing, as necessary for Malantai to Process Customer Personal Data lawfully pursuant to the applicable Data Protection Laws.
3. ASSISTANCE
3.1. Data Subject Requests. To the extent legally permitted, Malantai shall promptly notify Customer if Malantai receives a request from a Data Subject that identifies Customer and seeks to exercise the Data Subject’s rights provided under Data Protection Laws. Taking into account the nature of the Processing, Malantai will assist Customer by reasonable technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligations regarding Data Subjects' requests pursuant to Data Protection Laws.
3.2. Data Protection Impact Assessment and Prior Consultation. Upon Customer’s reasonable request, Malantai shall provide reasonable assistance to Customer to conduct data protection impact assessment and prior consultation with Supervisory Authorities as required by Data Protection Laws, all in relation to Malantai’s Processing of Customer Personal Data.
3.3. Government Inquiries. In the event Malantai receives any subpoena, warrant or other judicial order by a government or other regulatory authority requiring access to or disclosure of Customer Personal Data ("Government Authority Request"), and unless required by a valid court order or if otherwise Malantai may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to Personal Data, or where the access is requested in the event of imminent threat to lives, Malantai will notify Customer of such Government Authority Request to enable the Customer to take necessary actions, to communicate directly with the relevant authority and to respond to the request. If Malantai is prohibited by law to notify the Customer of such Government Authority Request, Malantai will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer's expense and, to the extent possible, will provide only the minimum amount of information necessary.
4. PERSONNEL
Malantai will ensure that (i) access to Customer Personal Data by its Personnel is limited to need to know and/or access basis to perform the Agreement, and (ii) such Personnel are subject to written confidentiality undertakings or statutory obligations of confidentiality.
5. MALANTAI SUBPROCESSORS
5.1. General Authorization and Existing Subprocessors. Customer hereby grants a general authorization to Malantai to engage Subprocessors for the provision of the Services. The current list of Malantai Subprocessors is included in Annex III to this DPA and Malantai has concluded an agreement no less onerous than the provisions of this DPA.
5.2. Appointment of New Subprocessors. Malantai may replace or engage with a new Subprocessor to Process Customer Personal Data on behalf of Customer and Malantai shall notify the Customer in writing of such intended changes, thereby giving the Customer ten (10) days following the written notification to object to such changes on reasonable grounds relating to the protection of Personal Data. In the event the Customer objects to the addition or replacement of a Subprocessor, the Parties shall cooperate in good faith to reach a resolution. In the absence of agreement, the Customer may terminate its use of the Services under the Agreement terms and Malantai shall not refund the Customer for any prepaid amounts for the terminated period of the Services. If the Customer does not object within ten (10) days after notification, the Customer is deemed to have accepted the new Subprocessor. Malantai will enter into appropriate data processing agreements with the new Subprocessors no less onerous than the provisions of this DPA.
5.3. Liability. Malantai shall remain liable for the omission or performance of any Subprocessors in relation to the Processing of Customer Personal Data.
5.4. Provision of Subprocessor Agreements. The Parties agree that the copies of the Malantai Subprocessor agreements that must be provided by Malantai to the Customer upon Customer’s reasonable request may have commercial information removed by Malantai beforehand to protect business secrets or other confidential information, including Personal Data; and that such copies will be provided by Malantai, in a manner to be determined in its sole discretion, only upon Customer’s reasonable written request.
6. CROSS-BORDER DATA TRANSFER AND ONWARD TRANSFERS
6.1. To the extent the GDPR applies and Malantai Processes any Personal Data originating from the European Economic Area ("EEA") in a country that has not been recognized by the European Commission, as providing an adequate level of protection for Personal Data, the Personal Data shall be transferred by virtue of the following lawful transfer mechanism:
6.1.1. For the purpose of this DPA, the parties agree that the standard contractual clauses as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes thereto, as may be amended or replaced from time to time ("SCCs") are incorporated herein by reference and the Parties are deemed to have accepted and signed the EU SCCs where necessary in their entirety. For all intents and purposes, Annexes I, II and III of this DPA, shall be deemed to be Annexes I, II and III of the SCCs. If and to the extent the SCCs conflict with any provision of this DPA, the SCCs will prevail to the extent of such conflict.
6.1.2. For the purpose of this DPA, the Parties agree that Module Two (Controller to Processor) of the SCCs will apply.
6.2. The Parties agree that with respect to the election of specific terms and/or optional clauses required by the SCCs, the following shall apply and any optional clauses not expressly selected are not included: (i) The Customer will be deemed the "data exporter" and Malantai will be deemed the "data importer". (ii) In Clause 7, the optional docking clause will not apply. (iii) In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set out in Section 5.2 of this DPA. (iv) In Clause 11, the optional language will not apply. (v) In Clause 17, Option 1 will apply, and the SCCs will be governed by the Irish law. (vi) In clause 18(b), disputes will be resolved before the courts of Ireland. (vii) In Annex I of the SCCs the Customer is the ‘data exporter’, Malantai is the ‘data importer’ and the competent Supervisory Authority is the Irish DPC.
6.3. Onward Transfers. Where Malantai transfers Customer Personal Data originating from the EEA to a Subprocessor based in a third country outside the EEA and to the extent the GDPR applies, Malantai shall transfer Customer Personal Data to a country considered by the European Commission as providing an adequate level of protection of Personal Data; or in the absence of an adequacy decision, in compliance with any other data transfer mechanisms under the GDPR, such as standard contractual clauses.
7. INFORMATION SECURITY
Malantai will implement and maintain appropriate technical and organizational measures to ensure a level of security of Personal Data appropriate to the risk, taking into account the nature, scope and context of the Processing and the costs of implementation, including as set out in Annex II to this DPA. Malantai may review and update such technical and organizational measures from time to time provided that it will not materially decrease the overall security of the Services during the term of the Agreement.
8. PERSONAL DATA BREACH
8.1. Personal Data Breach Communication. Malantai will notify the Customer without undue delay after becoming aware of a Personal Data Breach and provide the Customer with available information about the Personal Data Breach. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without further delay.
8.2. Personal Data Breach Remediation. Malantai will take reasonable steps to identify and implement reasonable measures to contain, investigate and mitigate the Personal Data Breach.
8.3. Personal Data Breach Notification. In the event of a Personal Data Breach, any notification to the relevant Supervisory Authorities or Data Subjects, if required, will be the sole responsibility of the Customer and Malantai shall reasonably assist Customer upon request.
9. AUDIT AND INSPECTION
9.1. Requested Material and Information. Upon reasonable request, Malantai shall make reasonable commercial efforts to provide the Auditor with requested materials and available information necessary for the Customer to demonstrate compliance with the Data Protection Laws. To the extent required under applicable Data Protection Laws, upon Customer's reasonable written request (not more frequently than annually), and subject to confidentiality obligations, Malantai will make available to the Customer a copy of any available audit reports, certifications and summaries of audit reports.
9.2. Audit and Inspection. To the extent that Malantai's provision of an audit report does not provide sufficient information, or if there is no audit report or the Customer is required to respond to a regulatory authority audit and subject to the conditions of Section 9.3, Malantai shall reasonably cooperate with audits or inspections (the "Audit") conducted by the Customer or any independent third-party appointed by the Customer which is not a competitor of Malantai (the Customer or its appointee shall be referred to as the "Auditor"), in order to verify Malantai’s compliance with this DPA.
9.3. Conditions. Malantai’s cooperation with any such Audit shall be subject to the following conditions: (i) the Audit will be pre-scheduled in writing with Malantai, at least forty-five (45) days in advance and will be performed not more than once a year (except for an audit following a Personal Data Breach); (ii) the Auditor shall sign, prior to the Audit, a confidentiality undertaking covering all information which the Auditor and/or its personnel may have access to in performance of the Audit; (iii) the Audit shall be conducted at Malantai’s normal working hours and at a minimal disturbance to Malantai’s operations and business; (iv) the Auditor will first deliver a draft report to Malantai and allow Malantai reasonable time and no less than ten (10) business days, to review and respond to the Auditor’s findings, before submitting the report to the Customer; (v) the Customer will receive only the Auditor's report, without any Malantai 'raw data' materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the Audit under this section; (vi) as soon as the purpose of the Audit is completed, the Customer will permanently dispose of the audit report; and (vii) the audit findings shall be deemed Malantai’s confidential information and shall be shared with Malantai.
10. DATA RETENTION
10.1. Personal Data Deletion. Within reasonable time after the end of the provision of the Services or upon Customer’s reasonable request, Malantai will return Customer Personal Data to the Customer or delete such Customer Personal Data, at Customer’s choice.
10.2. Data Retention. Notwithstanding, the Customer acknowledges and agrees that Malantai may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain Customer Personal Data pursuant to legal requirements and to use such Customer Personal Data to protect Malantai and any person on its behalf in court and administrative proceedings.
10.3. Anonymized and Aggregated Data. The Customer authorizes Malantai to fully anonymize, de-identify and aggregate Personal Data for Malantai's legitimate business purposes, including for testing, development, improvement, security, controls, and operations of the Services, and to share and retain such Personal Data at Malantai's discretion.
11. PERSONAL DATA PROCESSED BY EACH PARTY FOR PURPOSES OF MANAGING THE AGREEMENT
Each Party shall Process separately and independently the Personal Data of the representatives of the Parties for purposes of managing the Agreement. With respect to such Personal Data, each Party shall be responsible to fulfil all of its obligations under the Data Protection Laws and shall cooperate with the other Party as reasonably necessary to assist with the fulfilment of the other Party's obligations under the Data Protection Laws.
12. TERM
This DPA will commence on the later of the date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.
13. MISCELLANEOUS
Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both Parties. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.
ANNEX I
A. LIST OF PARTIES
Name: __________
Address: __________
Contact details for data protection matters: __________
Activities relevant to the data transferred: to receive the Services pursuant to the Agreement.
Signature and date: By entering into the Agreement, data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement.
Role: Controller
Name: Malantai Ltd.
Address: 21, HaMelachot st., Modi’in, Israel
Contact details for data protection matters: [email protected]
Activities relevant to the data transferred: to provide the Services pursuant to the Agreement.
Signature and date: By entering into the Agreement, data importer is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement.
Role: Processor
B. DESCRIPTION OF TRANSFER
- Categories of data subjects whose personal data is transferred:
Customer's users, as determined by the Customer including Customer’s employees (Malantai has no control over the categories of Data Subjects).
- Categories of personal data transferred:
- Identification data: i.e. first name and last name, country
- Contact details: i.e. work email address, phone number
- Professional information: i.e. company’s name, job title
- Technical data: i.e. IP addresses, domain names
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
N/A
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis.
- Nature of the processing:
All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
- Purpose(s) of the data transfer and further processing:
The provision of the Services in accordance with the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10 of the DPA.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter of the Processing is Customer Personal Data, the nature of the Processing is the performance of the Services under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
In the course of Processing Customer Personal Data, Malantai will implement and maintain commercially reasonable, industry standard technical and organizational measures to protect Customer Personal Data, consistent with applicable laws, that meet the measures described below, or an equivalent standard of protection appropriate to the risk of Processing Customer Personal Data in the course of providing the Services, and regularly carry out, test, review, and update all such measures:
Digital data from internet-exposed assets is collected through the malanta.ai services and displayed in the secure malanta.ai SaaS web management console.
malanta.ai services are hosted on AWS and utilize AWS services. For details about AWS security measures, see AWS Data Center Controls.
malanta.ai services implement multiple security measures, including data segregation, encryption for both stored and transmitted data, and comprehensive access control policies and procedures.
malanta.ai utilizes technologies and platforms to detect, mitigate and prevent DDoS attacks, as well as Web Application Firewall (WAF) protection.
ANNEX III
LIST OF SUB-PROCESSORS
The Customer has authorized the use of the following Sub-processors:
Sub-Processor's Name | Contact person’s name, position and contact details | Description of processing | Address |
Amazon Web Services | | Cloud infrastructure hosting, storage, and compute for customer-facing workloads and data. | United States |
Cloudflare | | Provides DDoS mitigation, web application firewall (WAF), DNS, and reverse-proxy services. Processes customer and end-user IPs, HTTP requests, TLS data, and related metadata for traffic routing and protection. | United States |
Clerk | | User authentication, identity, and session management; processes login credentials and tokens. | United States |
Vercel | | Frontend hosting and edge caching; processes limited request and log data. | United States |
HubSpot | | CRM and marketing automation; processes customer contact, communication, and engagement data. | United States |
Mixpanel | | Product analytics; collects user event data, identifiers, and device metadata. | United States |
Webflow | | Website hosting, CMS, and form collection; may process visitor data or submitted contact details. | United States |
ArangoDB | | Database engine used to store structured customer or telemetry data as part of platform operations. | United States |
Postmark (ActiveCampaign, LLC) | | Transactional and notification email delivery; processes recipient email addresses, message metadata, and delivery logs for communication with customers. | United States |
Kong Inc. | | API gateway and management platform; processes API requests, routing metadata, authentication tokens, and usage logs to manage and secure platform APIs. | United States |