This U.S. Data Processing Addendum (“U.S. DPA”) amends and forms part of the Trial Agreement (the “Agreement”) by and between VTVK, INC. D/B/A RHYTHMS (“RHYTHMS”)) and the customer executing the Agreement to which this U.S. DPA attaches (“Customer”) and is effective as of the last signature date on the Agreement. In the event of a conflict between this U.S. DPA and the Agreement with respect to the subject matter of this U.S. DPA, this U.S. DPA will prevail to the extent of such conflict.  Capitalized terms used but not defined in this U.S. DPA will have the meanings given to them by the Agreement.

1. Definitions. For the purposes of this U.S. DPA-- 

1. “Consumer” means a natural person.  Where applicable, Consumer shall be interpreted consistent with the same or similar term under U.S. Privacy Laws.

2. “Controller” means a person or entity that collects individuals’ Personal Information and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Information.  Where applicable, Controller shall be interpreted consistent with the same or similar term under U.S. Privacy Laws.

3. “Customer Data” shall have the meaning set forth in the Agreement, and shall include Customer Personal Information as defined in this U.S. DPA.“Customer Personal Information” means Customer Data that constitutes Personal Information subject to U.S. Privacy Laws.

4. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person.  Where applicable, Personal Information shall be interpreted consistent with the same or similar term under U.S. Privacy Laws.

5. “Process,” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.  Where applicable, “Processing,” “Process,” and “Processed” shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

6. “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in U.S. Privacy Laws.

7. “Sale” and “Selling” have the meaning defined in U.S. Privacy Laws.

8. “Share,” has the meaning defined in the CCPA.

9. “U.S. Privacy and AI Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Information and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information), in each case where applicable to the Processing of Customer Personal Information by RHYTHMS pursuant to the Agreement.  U.S. Privacy Laws may include, but are not limited to, the following:

1.     California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);

2.     Colorado Privacy Act;

3.     Connecticut Personal Data Privacy and Online Monitoring Act;

4.     Delaware Personal Data Privacy Act;

5.     Indiana Consumer Data Protection Act;

6.     Iowa Consumer Data Protection Act;

7.     Montana Consumer Data Privacy Act;

8.     Nevada Consumer Health Data Privacy Act (Senate Bill 370, 82nd Session, 2023);

9.     Oregon Consumer Privacy Act;

10.   Tennessee Information Privacy Act;

11.   Texas Data Privacy and Security Act;

12.   Utah Consumer Privacy Act; and

13.   Virginia Consumer Data Protection Act.

10. In the event of a conflict in the meanings of defined terms in U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.

2. Scope, Roles, and Termination.

1. Applicability - This U.S. DPA applies only to RHYTHMS’s Processing of Customer Data for the nature, purposes, and duration set forth in Appendix A.

2. Roles of the Parties - For the purposes of the Agreement and this U.S. DPA, Customer is the Controller with respect to Customer Data and appoints RHYTHMS as a Processor to Process Customer Data on behalf of Customer for the limited and specific purposes set forth in Appendix A.

3. Obligations at Termination - Upon termination of the Agreement, except as set forth therein or herein, RHYTHMS will discontinue Processing and destroy or return Customer Data in its or its subcontractors’ and sub-processors’ possession without undue delay. RHYTHMS may retain Customer Personal Information to the extent required by law but only to the extent and for such period as required by such law and always provided that RHYTHMS shall take steps to ensure the confidentiality of all such Customer Personal Information. 

3. Compliance.

1. Compliance with Obligations – RHYTHMS will take steps to ensure that its employees, agents, subcontractors, and sub-processors shall: (a) comply with applicable obligations of U.S. Privacy Laws, (b) provide the level of privacy protection for Customer Personal Information required by applicable U.S. Privacy Laws, and (c) provide Customer with reasonable assistance to enable Customer to fulfill its own obligations under applicable U.S. Privacy Laws. Upon the reasonable request of Customer, RHYTHMS shall make available to Customer information in RHYTHMS’s possession necessary to demonstrate RHYTHMS’s compliance with this subsection.

2. Compliance Monitoring and Assurance - No more than once per calendar year, RHYTHMS will provide to Customer, upon Customer’s written request, information and documentation in RHYTHMS’s possession and control necessary to demonstrate RHYTHMS’s compliance with its obligations under this U.S. DPA.

3. Compliance Remediation – RHYTHMS shall notify Customer if it determines that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from RHYTHMS in accordance with this subsection, Customer may direct RHYTHMS to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information.

4. Security - The Parties shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, designed to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure, which will include, at a minimum, those set forth in the Security Measures. RHYTHMS shall keep Customer Data logically separated from data of RHYTHMS’ other customers.

4. Restrictions on Processing.

1. Limitations on Processing - RHYTHMS will Process Customer Data as instructed in the Agreement. Except as expressly permitted by U.S. Privacy Laws, RHYTHMS is prohibited from (i) Selling or Sharing Customer Personal Information, (ii) retaining, using, or disclosing Customer Personal Information for any purpose other than for the specific purpose of providing the Service specified in Appendix A, (iii) retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between the Parties, and (iv) combining Customer Data with other data (including Personal Information) obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws. 

2. Confidentiality - RHYTHMS shall take steps to ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Customer Data.

3. Subcontractors: Sub-processors –RHYTHMS shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, RHYTHMS shall ensure that RHYTHMS’s subcontractors or sub-processors who Process Customer Data on RHYTHMS’s behalf agree in writing to the same or materially equivalent restrictions and requirements that apply to RHYTHMS in this U.S. DPA and the Agreement with respect to Customer Data, as well as to comply with applicable laws, including applicable U.S. Privacy and AI Laws. 

4. Right to Object – Customer may object in writing to RHYTHMS’s appointment of a new subcontractor or sub-processor on reasonable grounds by notifying RHYTHMS in writing within 30 calendar days of receipt of notice. In the event Customer objects, Customer shall have the right to terminate for cause 

5. Consumer Rights.

1. RHYTHMS shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to U.S. Privacy Law-related Consumer rights requests regarding Customer Personal Information. 

2. Where applicable, Customer shall inform RHYTHMS of any Consumer request made pursuant to U.S. Privacy Laws with which RHYTHMS must comply with. Customer shall provide RHYTHMS with the information necessary for RHYTHMS to comply with the request.

3. RHYTHMS shall not be required to delete any Customer Personal Information to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, RHYTHMS shall not use Customer Personal Information retained for any purpose other than provided for by that exception.

4. GDPR Data Subject Rights: Where applicable, RHYTHMS shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to data subjects’ requests under Regulation (EU) 2016/679 (GDPR), including by providing appropriate technical and organizational measures to fulfill such requests within 1 month.

6. Changes to Applicable Laws.

1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, U.S. Privacy or AI Laws.

Appendix A - Processing Details