Data Processing Agreement

1        This Data Processing Agreement ("DPA") is an agreement between you and the companies on whose behalf you are acting (referred to as "Customer" or "you") on one side and CoolOrca Inc. and CoolOrca Ltd. on the other side. This document forms part of a written or electronic agreement between you and CoolOrca Inc. and CoolOrca Ltd. under whose terms CoolOrca Inc. and CoolOrca Ltd. have the right to process your personal information ("Customer Personal Information"), unless you and CoolOrca Inc. and CoolOrca Ltd. have agreed the rules governing the processing of that information in another agreement covering the subject matter hereof. This DPA is an integral part of the Documentation for the services provided as set forth in the Agreement.


Customer Personal Data Processing

1.1 Processor designation. The Parties agree that, with respect to the Customer Personal Data that CoolOrca Inc. and CoolOrca Ltd. process for the purpose of providing the Transaction Services (which may include, for example, the processing described in detail in the Customer Personal Data Processing Details), CoolOrca Inc. and CoolOrca Ltd. shall act as "Processor" within the meaning of the Applicable Data Protection Law, whose provisions apply to the Customer's requirements.

1.2 Approval to Process. Processor will process Customer Personal Data for the purpose of providing the Transaction Services. Processor is obliged to process Customer Personal Data strictly for the following purposes:

1.2.1      As required under the applicable Agreement, including, without limitation, all schedules, price lists and attachments relating to the Transaction Services, and any other processing that is required to be carried out under applicable laws and regulations;

1.2.2      Considering Customer's instructions and at the moment of applying Transaction Services CoolOrca Inc. and CoolOrca Ltd. shall transfer Customer Personal Data to banks (acquirers and issuers) and payment processors that personally provide services on behalf of acquiring banks, credit, and debit card printing companies, or direct providers of payer authentication services applicable to Customer (including Verified by Visa, MasterCard Identity ID Check);

1.2.3      To the extent permissible, allowing CoolOrca Inc. and CoolOrca Ltd. to adhere to established guidelines, or instructions suggested by Customer; and

1.2.4      To contribute to the development by CoolOrca Inc. and CoolOrca Ltd. of security solutions and fraud protection models for the benefit of the Customer and/or other users of Coolorca.com. Such models allow Processor to offer Customer up-to-date scoring as part of the Transaction Services.

2      In accordance with Law.

Each member of the CoolOrca Inc. and CoolOrca Ltd. team, when providing services to the Customer, and the Customer itself when using the services, is obliged to process the Customer's personal data in accordance with the Applicable Data Protection Law.

3      Customer commitments

3.1  The Client shall provide its End-User(s) with all necessary Personal Information and privacy notices and choices, and shall obtain the required consent so that both parties can comply with the Applicable Data Protection Laws;

3.2 If so required by Applicable Data Protection Laws, the Client shall notify the Processor of the need to correct, update or delete part or all of the Client's Personal Information;

3.3 Customer shall ensure that, at the time it sends any Personal Information to Processor, Customer's Personal Information is accurate, relevant and consistent with what is required for the processing purposes within the scope of the Agreement and this DPA; and

3.4 Customer shall strictly adhere to (and in doing so ensure compliance by third party auditors) Processor's appropriate security policies and the appropriate confidentiality obligations listed in the Agreement.

4      CoolOrca Inc. and CoolOrca Ltd. commitments

4.1 Relevant Data Protection Law. To the extent necessary to enable the Customer to comply with its obligations under the Applicable Data Protection Laws, CoolOrca Inc. and CoolOrca Ltd. undertake to comply with the provisions of the GDPR Annex (except where they operate under Section 1.2 (Approval to Process) of this DPA) and/or the CCPA Annex, each to the extent applicable.

4.2 Data Subject Rights. To the extent permitted by law, Processor will provide the Customer with reasonable assistance in responding to End-User(s) requests to exercise their rights under the Applicable Data Protection Law, in a manner appropriate to the nature and functionality of the Transaction Services. If CoolOrca Inc. and CoolOrca Ltd. receive such a request directly, they will notify the Client, who remains responsible for handling such End-User requests under the Applicable Data Protection Law.

4.3 Engaging with Sub-Processors. Processor shall ensure that, whenever it engages a third-party data processor, such as an Affiliate (a "Sub-Processor"), to carry out processing activities on the Customer's behalf, a written contract is in place between Processor and the Sub-Processor. That contract shall provide a level of protection for Customer's Personal Information comparable to that set out in this DPA.

4.4 Staff. Processor shall ensure that individuals authorised to process Customer's Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.5 Security of Processing. Taking into account the state of the art, the costs of implementation, the purposes of the processing, and the risks to the rights and freedoms of individuals, Processor shall take appropriate measures to maintain security and protect against those risks. In assessing the appropriate level of security, Processor shall also take into account the risks presented by the Processing, in particular unlawful Processing and the accidental destruction, loss, alteration or disclosure of Customer's Personal Information stored or transmitted. Processor's objective is to assist the Customer so that the Customer can meet its own obligations with respect to these security measures.

4.6 Security Breach.

4.6.1 If a Security Breach (defined below) relating to Customer's Personal Information is identified within Processor's systems, Processor shall (i) investigate the circumstances, identify the causes of the Security Breach and notify Customer of the results of the investigation, keeping Customer informed of the progress of the investigation until the matter is resolved; and (ii) cooperate with Customer in any legally required notification by Customer of the End-Users affected. These obligations shall not apply to Security Breaches caused by Customer or Customer's End-Users.

4.6.2      Processor shall notify Customer without undue delay when Processor or a Sub-Processor becomes aware of an actual Security Breach affecting Customer's Personal Information. Processor shall provide the Customer with the information and assistance reasonably needed to help the Customer meet its obligations under the Applicable Data Protection Law to (i) notify the Supervisory Authority of the Security Breach; and (ii) communicate the Security Breach to the affected Data Subjects.

4.6.3      Notification of the Client under Section 4.6.2 of this Agreement is made by sending an e-mail or a text message to the e-mail address or mobile phone number used when the Client registered in the Coolorca.com Trading Interface.

4.6.4      Except where required by law or regulation, the notifying party shall not make any statement (or allow a third party to make any statement) relating to a Security Breach that directly or indirectly refers to the other party, unless the other party has given its prior written authorisation.

4.7 Deletion and Retention. At the Client's request, Processor shall promptly delete or return in full the Client's Personal Information at the end of the term of this Agreement, and delete existing copies, unless retention is required by law.

5      Miscellaneous. The terms of this DPA apply to the extent required by the Applicable Data Protection Law. The provisions of the Agreement (including, without limitation, limitation of liability, performance, interpretation and indemnification) shall apply to this DPA. In the event of a conflict between the provisions of this DPA and the provisions of the Agreement, the terms of the DPA shall apply strictly to the data processing conditions (where so required by the Applicable Data Protection Law); in all other cases, the terms of the Agreement shall apply. Notwithstanding the foregoing, this DPA shall not apply to information or data that does not relate to a person or persons, that is aggregated or not otherwise covered by the Applicable Data Protection Law, or to the extent that Coolorca.com and you have agreed a specific set of data processing conditions directly related to the subject matter of the Agreement.

6 Definitions. Unless otherwise stated in the designated Agreement and the DPA, all terminology has the definitions suggested in the Applicable Data Protection Act.

“Applicable Data Protection Law”

Means any regulation or legislation relating to data protection, privacy, and/or the processing of Personal Information, to the extent applicable to the parties' obligations under this Agreement and the DPA. Applicable data protection statutes include (by way of illustration) the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), UK Data Protection Laws, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (the "CCPA"), Swiss DP Laws, and other relevant laws and regulations.

"EEA Standard Contractual Clauses"

Means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time by the competent authority under the Applicable Data Protection Law.

"End-User(s)"

The person who orders goods or services from the Customer and whose personal information is submitted by the Customer to Cybersource in the course of using the Client's Transaction Services under this Agreement.

“Personal Information”

Means all data or information, regardless of format and nature, that identifies, or may relate directly or indirectly to, a particular consumer (the "Data Subject"), or any other data that falls within the category of "personal data" or is otherwise protected by Applicable Data Protection Law. For the avoidance of doubt, the Agreement already sets out the full scope of information that can and must be applied to the End-User.

"Process" or "Processed" or "Processing".

Means any operation or operations implemented in conjunction with Personal Information through automated and other tools (collection, access, recording, storage, modification, disclosure, duplication, sending, deletion, etc.).

"Security Breach."

Means a breach of security leading to the accidental or unlawful alteration, loss or destruction of, or unauthorised access to, Personal Data. "Security Breach" includes a "breach of Personal Data security", a "system security breach", or any other event that could expose the privacy and security of Personal Information to risk.

“Swiss DP Laws”

Means the Federal Act on Data Protection of June 19, 1992, and any additional regulations relevant to its implementation.

"Transfer".

Solutions for the transfer and other processing of the Customer's Personal Information across national borders in the circumstances limited by Applicable Data Protection Laws.

"UK Data Protection Laws."

Means the GDPR as transposed into UK national law by section 3 of the 2018 Act confirming exit from the European Union, as adjusted by the Data Protection, Privacy and Digital Communications (Exit from EU) Regulations 2019 (the "UK GDPR"), together with the Data Protection Act 2018, the Data Protection, Privacy and Digital Communications (Exit from EU) Regulations 2019 and any other legislation on the protection of personal data approved and in force from time to time. Where the UK Data Protection Laws apply to this DPA, all references to the GDPR and its provisions shall be construed, to the same extent, as references to the UK GDPR and its corresponding provisions.

“UK Standard Contractual Clauses”

Denotes jointly: (a) the standard contractual clauses for transfers between a controller and a processor set out in Commission Decision C(2010)593 of 5 February 2010, adopted under Directive 95/46/EC of the European Parliament and of the Council (the "UK C2P SCCs"); and (b) the standard contractual clauses for transfers between controllers approved under Commission Decision 2004/915/EC of 27 December 2004 under Directive 95/46/EC of the European Parliament and of the Council, as amended or replaced from time to time (the "UK C2C SCCs").

SCHEDULE A

CALIFORNIA CONSUMER PRIVACY ACT

This CCPA Schedule applies in addition to the terms set out in the body of the DPA when the CCPA applies to your use of the Transaction Services. Capitalized terms not defined herein have the meaning assigned to them in the DPA. In the event of any conflict between this CCPA Schedule and the DPA, this CCPA Schedule shall prevail.

1 Coolorca.net should not: (i) sell Customer Personal Information; or (ii) store, disclose or use such information contrary to the requirements noted in the details in the DPA. Exceptions may be situations where required or permitted by Applicable Data Protection Law.

2 Where Coolorca.com provides or is given access to Personal Data, the Customer agrees to disclose or share strictly those Personal Data requested by Coolorca.com in order to fulfil its obligations under this Agreement (or Agreements).

3 At the level required by Applicable Data Protection Laws, the designated CCPA Schedule is a certification of the data processing limits noted herein.

SCHEDULE B

GENERAL DATA PROTECTION REGULATION

This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR applies to your use of Transaction Services. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.

1      Processor Obligations

1.1         Handling of Customer Personal Information. Processor shall process Customer Personal Data strictly in accordance with the documented instructions of the Customer (including instructions to transfer Customer Personal Data to a third country, where permitted), unless required to do otherwise by the Applicable Data Protection Law. In that case, Processor shall inform the Client of the relevant legal requirement in advance, before the start of the processing, unless that law prohibits such information on important grounds of public interest.

1.2  Use of Sub-Processor

1.2.1      Under the terms of Section 1.2.1 of this GDPR Schedule, Customer authorises Processor to engage the Sub-Processors listed in the Coolorca.com Trading Interface. Processor shall have the right to maintain its list of Sub-Processors by posting it online.

1.2.2 Processor shall notify the Client of any planned addition or replacement of Sub-Processors in order to give the Client an opportunity to object to such changes, if necessary. If the Client objects to the addition or replacement of a Sub-Processor by Processor, the Client must notify Processor of its objection in writing promptly, and in any event within 10 business days of receiving Processor's notice of the relevant change.

1.2.3      Processor may, at its sole discretion, make reasonable efforts to provide adjustments to the Transaction Services to the Client, or to propose commercially reasonable adjustments to the Client's use of the Transaction Services, so as to avoid the processing of the Client's Personal Data by a new Sub-Processor to which the Client has objected. If Processor fails to provide such adjustments within a reasonable time (not exceeding 30 days), the Client may, by written notice to Processor, terminate the Agreement with respect to those parts of the Transaction Services that Processor cannot provide without engaging the new Sub-Processor not approved by the Client. If the Transaction Services cannot be provided at all without engaging the new Sub-Processor, the Client may terminate the entire Agreement.

1.2.4      Processor agrees not to penalize the Client for a termination made under Section 1.2.3 of this GDPR Schedule.

2      Data Protection Impact Assessments and Prior Consultation with Regulator

2.1  Processor shall notify the Client immediately if Processor believes that the Client's instructions would violate the Applicable Data Protection Laws in any way. The Client agrees that Processor is under no obligation to actively seek to form such an opinion.

2.2 Processor shall reasonably support and assist the Client in carrying out legally required (a) data protection impact assessments; and (b) consultations arranged by the Client with the regulatory authority as a result of such data protection impact assessments. This support shall be limited to the processing of the Client's personal information by Processor on behalf of the Client under the Agreement, and shall take into account the nature of the processing and the information available to Processor.

3      Showing Compliance with this DPA

3.1  Processor shall make available to Customer the information necessary to demonstrate compliance with the requirements of this DPA, and shall allow for and contribute to audits, including inspections, conducted by Customer or by another auditor mandated by Customer, to verify compliance with this DPA.

3.2 Customer's right under Section 3.1 of this GDPR Schedule is applicable to the following:

3.2.1 If Processor is able to demonstrate compliance with its obligations under this DPA by adhering to an approved code of conduct or certification, or by providing the Client with an audit report prepared by an independent third-party auditor (subject to the Client adhering to the confidentiality obligations set out in the Agreement and refusing to review the proposed audit report), the Client agrees not to initiate an audit or other verification activity under Section 3.1;

3.2.2      in consideration of the time, expense, and likelihood of business disruption resulting from audits and inspections, including interviews and on-site visits, the Customer agrees to arrange such audits and inspections only if the Customer can demonstrate that they are reasonably necessary beyond the information provided by Processor under Section 3.1. Such audits shall be arranged at reasonable intervals (no more than once every 12 months), on at least 60 days' advance notice of the proposed audit date and on a date jointly agreed by both Parties. Any such audit shall (i) not disrupt Processor's plans and activities; (ii) be organized at the Client's expense and during business hours; (iii) not interfere with the interests of Processor's other Clients; and (iv) not last longer than two consecutive business days.

4      Cross-Border Transfers

4.1  The Processor shall strictly comply with the Client's instructions (pre-documented) regarding the transfer of the Client's Personal Data to a third country.

4.2 Processor undertakes that any processing or transfer of the Client's Personal Data outside the European Economic Area ("EEA"), Switzerland, and the United Kingdom shall be carried out strictly in accordance with the rules approved by the Applicable Data Protection Law.

4.3 Client agrees and acknowledges that Processor transfers and stores certain of the Client's Personal Data in the United States (including data relating to persons geographically located in the United Kingdom and/or Switzerland).

4.3.1 Transfers governed by the GDPR or Swiss DP Laws: Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses shall apply to any transfer of Customer Personal Data from the EEA or Switzerland to Coolorca.com and each of its affiliates operating in the United States or other third countries (the "Coolorca.com Entities"). The Parties agree that Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses is incorporated herein by reference and that:

4.3.1.1 Customer and all of its owned and affiliated entities that have signed up for the Transaction Services (the "Customer Entities") shall be treated as the "data exporters" and the Coolorca.com Entities as the "data importer";

4.3.1.2 Clause 7 - Docking clause shall apply;

4.3.1.3 Clause 9 - Use of sub-processors: Option 2 shall apply and the "time period" shall be 10 business days;

4.3.1.4 Clause 11(a) - Compensation: the optional language shall not be used;

4.3.1.5 Clause 13(a) - Supervision

(i) Where the data exporter is established in an EU Member State, the following shall apply: "The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority."

(ii) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of Regulation (EU) 2016/679 under its Article 3(2) and has appointed a representative under Article 27(1) of Regulation (EU) 2016/679, the following shall apply: "The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority."

(iii) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of Regulation (EU) 2016/679 under its Article 3(2) without having to appoint a representative under Article 27(2) of Regulation (EU) 2016/679, the following shall apply: "The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority."

4.3.1.6           The competent supervisory authority is the authority responsible for ensuring the data exporter's compliance with Regulation (EU) 2016/679 as regards the data transfer, as set out in Annex I.C.

4.3.1.7 Clause 17 - Governing law: Option 1 shall apply, with Ireland as the "Member State";

4.3.1.8 Clause 18 - Choice of forum and jurisdiction: the Member State is Ireland; and

4.3.1.9           the information set out in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes I, II and III of the EEA Standard Contractual Clauses.

4.3.2 Transfers governed by the UK GDPR. The UK C2P SCCs apply to any Transfer of Customer Personal Information from the UK to the Coolorca.com Entities. The Parties agree that:

4.3.2.1 the UK C2P SCCs are incorporated herein by reference;

4.3.2.2           the Customer Entities are deemed to be the "data exporters" and the Coolorca.com Entities are deemed to be the "data importers";

4.3.2.3 the information set out in Exhibit 1 (Table 2) of this GDPR Schedule is incorporated into Appendices 1 and 2 of the UK C2P SCCs; and

4.3.2.4 in the event that the UK Government or the Information Commissioner approves the EEA Standard Contractual Clauses for UK GDPR purposes, the EEA Standard Contractual Clauses will apply in accordance with Section 4.3.1 (Transfers governed by the GDPR or Swiss DP Laws) above, subject to any amendments and adjustments required under the UK GDPR or recommended by the Information Commissioner; in that case the competent supervisory authority will be the UK Information Commissioner's Office and the governing law will be that of England and Wales.

4.3.3    In the event of any conflict or inconsistency between a term of this DPA or the Agreement and a term of Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses (or, as the case may be, the UK C2P SCCs) incorporated into this DPA, the term of Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses (or, as the case may be, the UK C2P SCCs) shall prevail.

EXHIBIT 1
INFORMATION REQUIRED FOR THE EEA and UK STANDARD CONTRACTUAL CLAUSES

Table 1: Information to be incorporated into the EEA Standard Contractual Clauses

ANNEX I A. LIST OF PARTIES

Data EXPORTER identity and contact details

Name: Customer Entities

Address: To be provided on request

Contact person's name, position and contact details: To be provided on request

Activities relevant to the data transferred under these Clauses: As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Role (controller/processor): Controller

Data IMPORTER identity and contact details

Name: Coolorca.com Entities

Address: 900 Metro Center Boulevard, Foster City, CA 94404, U.S.A.

Contact person's name, position and contact details: privacy@visa.com

Activities relevant to the data transferred under these Clauses: As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Role (controller/processor): Processor

ANNEX I B. Description of Transfer

Categories of data subjects whose personal data is transferred: As set out in the table in Exhibit 2 under "Categories of Data Subjects".

Categories of personal data transferred: As set out in the table in Exhibit 2 under "Types of Personal Information".

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not Applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous

Nature of the processing: As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Purpose(s) of the data transfer and further processing: As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal data will be retained in accordance with Coolorca.com's retention policies, for only as long as is required to meet Coolorca.com's legal, regulatory and operational requirements and as necessary to perform the services.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Annex I C. Competent Supervisory Authority

Competent supervisory authority/ies

To be provided by the data exporter on request.

ANNEX II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

As set out in Table 2 of this Exhibit 1 under “Description of the technical and organisational security measures implemented by the data importer”.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

In respect of Transaction Services: initiatives, products, processes and supporting technology are assessed from a data privacy perspective, allowing Coolorca.com to embed privacy controls to mitigate risks at early stages (privacy by design). Coolorca.com has a robust privacy risk assessment framework (including privacy impact assessments), embedding this process in our change vehicles across the business, to ensure that both new and changed personal data processing activities are reviewed. Where Customer requires specific assistance, Customer may submit such requests for assistance to the Coolorca.com Merchant Interface.

ANNEX III List of Sub-Processors

The controller has authorised the use of the following sub-processors:

As listed in the Coolorca.com Merchant Interface

Table 2: Information to be incorporated in the UK C2P SCCs

Information to be incorporated into Appendix 1 of the UK C2P Standard Contractual Clauses

Category of Information Required by Appendix 1 of the C2P Standard Contractual Clauses

Information Agreed by the Parties

Data Exporter

Customer Entities

Data Importer

Coolorca.com Entities

Data Subjects

As set out in the table in Exhibit 2 under "Categories of Data Subjects".

Categories of Data

As set out in the table in Exhibit 2 under "Types of Personal Information".

Special Categories of Data

Not Applicable

Processing Operations

As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Information to be incorporated into Appendix 2 of the UK C2P Standard Contractual Clauses

Category of Information Required by Appendix 2 of the C2P Standard Contractual Clauses / Information Agreed by the Parties

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Coolorca.com is certified as compliant with all requirements of the Payment Card Industry Data Security Standard, as issued by the Payment Card Industry Security Standards Council (together with any successor organization thereto, "PCI DSS"), that are applicable to Coolorca.com and its affiliates (such requirements, the "PCI Standards"). As evidence of compliance, Customer may access Coolorca.com's current Attestation of Compliance, signed by a Payment Card Industry Qualified Security Assessor, through Visa Online.

Coolorca.com maintains and enforces commercially reasonable information security and physical security policies, procedures and standards that are designed (i) to ensure the security and confidentiality of Customer's records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of such records, and (iii) to protect against unauthorized access to or use of such records or information which could result in substantial harm (the "Visa Information Security Program"). At a minimum, the Visa Information Security Program is designed to meet the standards set forth in ISO 27002 published by the International Organization for Standardization, as well as any revisions, versions or other standards or objectives that supersede or replace the foregoing.

Coolorca.com engages its independent certified public accountants to conduct a review of Coolorca.com's operations and procedures at Coolorca.com's cost. The accountants conduct the review in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18, SOC 1 Type II ("SSAE 18"), and record their findings and recommendations in a report to Coolorca.com. Upon request, and subject to standard confidentiality obligations, Coolorca.com will provide its most recent SSAE 18 report and, in Coolorca.com's reasonable discretion, additional information reasonably requested to address questions or concerns regarding the SSAE 18 report's findings.


EXHIBIT 2
DETAILS OF PROCESSING CUSTOMER PERSONAL INFORMATION

Service: Advanced Fraud Detection Suite (AFDS) and Fraud Detection Suite (FDS)

Nature and purpose of the processing: AFDS & FDS provide the Customer with risk management and fraud screening services. Personal Information is used to mitigate fraud on the Customer's and Consumers' behalf based on the instructions of the Customer or Coolorca.com.

Types of personal information: Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address, and IP address may be used. Further detail is included in the applicable Services Documentation.

Categories of data subjects to whom the personal information relates: End-Users as defined under the Agreement (including credit card holders, bank transfer users, direct debit users, and all end users whose cardholder or bank account data is submitted to Processor for processing).

Service: Recurring Billing

Nature and purpose of the processing: Recurring Billing provides a service that captures recurring payments with cards on file.

Types of personal information: If the Customer opts to use Recurring Billing, we may use Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address. Further detail is included in the applicable Services Documentation.

Service: Account Updater

Nature and purpose of the processing: Account Updater is a service that automatically updates account numbers and expiration dates for cards on file in Recurring Billing subscriptions and Customer Information Manager (CIM) profiles.

Types of personal information: If the Customer opts to use Account Updater, we may use Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address. Further detail is included in the applicable Services Documentation.

Service: Invoicing

Nature and purpose of the processing: Invoicing is a service that emails a digital invoice to a customer and can accept digital payments for goods and services.

Types of personal information: If the Customer opts to use Invoicing, we may use Cardholder and banking information, including, without limitation, card numbers, e-mail address, name, address. Further detail is included in the applicable Services Documentation.

Service: Payment Gateway

Nature and purpose of the processing: Gateway services for bank transfers, direct debits, credit/debit card authorisation, settlement, authentication and credit, including processing and provision of customer support.

Types of personal information: Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address. Further detail is included in the applicable Services Documentation.

Coolorca.com, Inc. | Coolorca LTD or its affiliates: LLC FoxNetStore | Privacy Policy | GDPR & DPA