Niantic Spatial Controller-to-Controller Data Processing Agreement

This Niantic Spatial Controller-to-Controller Data Processing Agreement (including its Attachments) (the “DPA”) forms part of and is subject to the terms and conditions of the Niantic Spatial Business and Developer Terms (the “Terms”) by and between the Niantic Spatial customer that has executed the Terms (“you” or “Developer”) and Niantic Spatial.

Capitalized terms not defined in this DPA have the meaning set forth in the Terms.

1. DEFINITIONS

1. “Affiliate” shall mean, as to any entity, any other entity that, directly or indirectly, controls, is controlled by or is under common control with such entity.

2. “Applicable Data Protection Law” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this DPA is subject and which is applicable to a party’s Processing of Covered Personal Data under the Terms. For the avoidance of doubt, Applicable Data Protection Law may include, without limitation, the CCPA, other comprehensive US state privacy laws, EU GDPR, the FADP, and the UK GDPR (each as defined below).

3. “CCPA” means the California Consumer Privacy Act (as amended).

4. “Covered Personal Data” means any Personal Data collected through your Application(s) and Processed by a party under the Terms.

5. “EU GDPR” means the General Data Protection Regulation (Regulation 2016/679).

6. “FADP” means the Swiss Federal Act on Data Protection of 25 September 2020.

7. “Niantic Spatial” means Niantic Spatial, Inc.

8. “Niantic Spatial Privacy Policy” means the Niantic Spatial Privacy Policy available at: https://www.nianticspatial.com/privacy (as updated from time-to-time).

9. “Security Incident” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Personal Data in a party’s possession or control.

10. “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018.

11. The terms “Controller”, “Personal Data”, and “Processing” as used in this DPA have the meanings given in the EU GDPR irrespective of whether or not the EU GDPR is applicable.

2. ROLES AND OBLIGATIONS

Each party to this DPA: (a) is an independent Controller of Covered Personal Data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its Processing of Covered Personal Data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the Processing of Covered Personal Data. You will process Covered Personal Data solely and exclusively for the purposes specified in the Terms. Niantic Spatial may Process Covered Personal Data in accordance with the Niantic Spatial Privacy Policy.

3. INTERNATIONAL DATA TRANSFERS

If Covered Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by you to Niantic Spatial in a country that has not been found to provide an adequate level of protection under Applicable Data Protection Law, the parties agree that the transfer shall be governed by Module One’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Attachment 1 attached hereto, the terms of which are incorporated herein by reference. Each party’s execution of the Terms shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

4. SECURITY AND CONFIDENTIALITY

Each party shall implement appropriate technical and organisational measures designed to protect the Covered Personal Data from a Security Incident. Each party shall ensure that all of its personnel who have access to and/or Process Covered Personal Data are obliged to keep the Covered Personal Data confidential..

In the event that a party experiences a Security Incident, it shall notify the other party without undue delay, but in any event within seventy-two (72) hours of it confirming same. The notifying party shall be solely responsible for remediating the Security Incident, including the provision of any legally required notice to affected individuals required under Applicable Data Protection Law. Notwithstanding the foregoing, if a Security Incident affects both parties, the parties agree to coordinate with respect to any communications or notifications that are sent to government authorities and/or individuals regarding such Security Incident.

5. ASSISTANCE AND COOPERATION

Upon Niantic Spatial’s request, you will provide all reasonable cooperation and assistance to Niantic Spatial as may be required by Niantic Spatial to ensure compliance with the Terms, Applicable Data Protection Law, and/or industry standards.

In the event of an inquiry, dispute, or claim brought by a third party including, without limitation, a government authority, concerning the Processing of Covered Personal Data against either or both parties, the parties will inform each other about any such inquiry, dispute, or claim, and will cooperate with a view to resolving them within a reasonable time.

6. TERM AND TERMINATION

This DPA shall be effective as of the effective date of the Terms. Notwithstanding anything to the contrary in the Terms, (i)your obligations pursuant to this DPA shall survive termination or expiration of the Terms for as long as you hold or process Covered Personal Data, and (ii) the last sentence of Section 2 shall survive termination or expiration of the Terms.

MISCELLANEOUS

Nothing in this DPA limits your obligations under the Terms.

The liability of the parties under or in connection with this DPA will be subject to the exclusions and limitations of liability in the Terms.

The parties agree that Affiliates are intended third party beneficiaries of this DPA and that the provisions of this DPA are intended to inure to the benefits of such Affiliates. Without limiting the foregoing, such Affiliates will be entitled to enforce all Processing and transfer provisions of this DPA as if each was a signatory to this DPA.

ATTACHMENT 1

This Attachment 1 forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Attachment 1 have the meaning set forth in the DPA or the Terms.

The parties agree that the following terms shall supplement the Standard Contractual Clauses:

1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) the optional text in Clause 11 is deleted; and (v) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:

A. List of Parties

Data Exporter: Developer.

Address: As set forth in the Notices section of the Terms.

Contact person’s name, position, and contact details: As set forth in the Notices section of the Terms.

Activities relevant to the data transferred under these Clauses: As set forth in the DPA.

Role: Controller.

Data Importer: Niantic Spatial.

Address: As set forth in the Notices section of the Terms.

Contact person’s name, position, and contact details: As set forth in the Notices section of the Terms.

Activities relevant to the data transferred under these Clauses: As set forth in the DPA.

Role: Controller.

B. Description of the Transfer:

Categories of data subjects whose personal data is transferred: Data exporter may provide personal data to data importer, the extent of which is determined and controlled by data exporter in its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subjects: end users of data exporter’s Application and other individuals whose personal data is collected by data exporter’s Application.

Categories of personal data transferred: Data exporter may provide personal data to data importer, the extent of which is determined and controlled by data exporter in its sole discretion, and which may include, but is not limited to, the following categories of personal data: name, email address, and precise geolocation data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties’ knowledge, no sensitive data is transferred.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Business and Developer Resources, or as otherwise agreed upon by the parties.

Nature of the processing: As set forth in the DPA.

Purpose(s) of the data transfer and further processing: As set forth in the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Niantic Spatial Privacy Policy.

C. Competent Supervisory Authority:

The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.

3. Annex II. Annex II of the Standard Contractual Clauses shall read as follows:

Data importer shall implement and maintain technical and organizational measures designed to protect the personal data that it processes. Such measures shall include:

• Measures designed to prevent unauthorized persons from gaining access to personal data processing systems (physical access control);

• Measures designed to prevent personal data processing systems being used without authorization (logical access control);

• Measures designed to ensure that persons entitled to use a personal data processing system gain access only to such personal data as they are entitled to access in accordance with their access rights and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorization (data access control);

• Measures designed to ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of personal data by means of data transmission facilities can be established and verified (data transfer control);

• Measures designed to ensure the establishment of an audit trail to document whether and by whom personal data have been entered into, modified in, or removed from personal data processing (entry control);

• Measures designed to ensure that personal data is protected against accidental destruction or loss (availability control); and

• Measures designed to ensure that personal data collected for different purposes can be processed separately (separation control).

4. Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:

The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.

Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the DPA.

Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

Table 4: The parties agree that neither party may end the UK Addendum as set out in Section 19.

5. Clarifying Terms. The parties agree that the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses.