Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Use or the Mouseflow Subscription Agreement (hereinafter referred to as “Agreement”) entered by and between the Customer (collectively, “you”, “your”, “Customer”), and such Mouseflow entity (Mouseflow ApS or Mouseflow, Inc.) identified in the Terms of Use or the Mouseflow Subscription Agreement (“Mouseflow”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Mouseflow solely on behalf of the Customer, unless Customer and Mouseflow agreed on different terms in writing. Both parties shall be referred to as the “Parties” and each, a “Party”.
1. Definitions
Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Agreement, if applicable, or as ascribed to them in the Applicable Privacy Laws, as applicable in the relevant jurisdictions.
For the purposes of this DPA:
1.1. “Affiliate” means any person or entity that controls, is controlled by, or is under common control with such entity, whether as of the date of the DPA or the Agreement or thereafter.
1.2. “Applicable Privacy Laws” means all applicable privacy and data protection laws and regulations, including, where applicable, Regulation 2016/679/EU (“GDPR”), the EU Directive 2002/58/EC on privacy and electronic communications (in all cases, as amended, superseded or replaced), the Data Protection Act 2018 (the “UK GDPR”), and the US Privacy Laws, including the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act of 2020 in effect beginning January 1, 2023 (“CPRA”), the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Connecticut Data Privacy Act (“CDPA”), the Utah Consumer Privacy Act (“UCPA”); and any corresponding or similar United States state or federal laws or regulations relating to the use or protection of data including any amendment, update, modification to or re-enactment of such laws.
1.3. “Controller” means the natural or legal person or entity who determines the purposes and means of the processing of Personal Data. Controller is also a “business”, as that term is defined in the CCPA/CPRA.
1.4. “Data Breach” means a breach of security leading to accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and all other unlawful forms of processing of Personal Data, provided that it was caused by Mouseflow’s failure to comply with its obligations under the Agreement and this DPA.
1.5. “Customer Data” means anonymous, aggregated data concerning the characteristics and activities of visitors of the Customer’s website(s) collected by Mouseflow, forwarded to the servers, and analyzed by the Mouseflow Software. Parties agree and understand that Customer intends to use the Service in a way that only anonymous information is collected from website visitors, so that no information collected can be used to identify individual website visitors. 2 MOUSEFLOW_ DPA_EU_US
1.6. “New EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Annex 1 to this DPA.
1.7. “Personal Data” means information specifically listed in Annex 1 of this DPA, that was transmitted to or collected by Mouseflow by or on behalf of the Customer in compliance with the terms of this DPA and the Agreement, provided that such information is considered “personal data” or equivalent under the Applicable Privacy Laws relevant to the jurisdiction in which the Processing occurs.
1.8. “Processing” means the activities of Mouseflow defined in s. 2.2. below.
1.9. “Processor” means an entity that processes Personal Data on behalf of, and in accordance with the instructions of, a Controller. Processor is also a “service provider”, as that term is defined in the CCPA/CPRA.
1.10. “Sub-processor” means any Processor engaged by Mouseflow that processes Personal Data under the instruction and supervision of Mouseflow.
1.11. “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.
2. Scope and subject matter of the DPA
2.1. Scope of the DPA. This DPA applies if and to the extent Mouseflow processes Personal Data (as defined in s. 1.7. above) on behalf of the Customer. The Parties acknowledge and agree that any incidental and unintentional collection or transmittal of personal data, especially but not exclusively in breach of the Agreement, that is not explicitly defined or agreed upon in this DPA shall not fall under the scope of this DPA. For the purposes of this DPA, Customer acts as a Controller, and Mouseflow acts as a Processor.
2.2. Processing activities. Processing under this DPA covers collection, storage and processing of Personal Data, including technical characteristics and activities of visitors on the Customer’s website(s) where such data is defined to be Personal Data, and where processing is a part of providing the Services under the Agreement.
2.3. Purpose and Limitations. By agreeing to this DPA, Customer authorizes and directs Mouseflow to process Personal Data: (i) to deliver the Service and related technical support; (ii) as otherwise allowed or required by Customer’s use of the Service or its technical support requests; (iii) as otherwise permitted or required under the Agreement or this DPA; and (iv) as additionally documented in any other written instructions mutually agreed upon by the Parties. Mouseflow will process Personal Data according to the documented lawful instructions given by the Customer. Mouseflow will not process Personal Data for any other purpose unless mandated by Customer or the Applicable Privacy Laws.
2.4. Customer authorization and instructions. The Parties agree that, among others, the Agreement, this DPA, any use of the Software by the Customer, its employees, agents, or any other individual or entity acting on its behalf and Customer’s instructions and requests to Mouseflow representatives constitute Customer’s processing instructions. Any processing beyond these instructions requires prior written agreement between the Parties. The Customer must ensure its instructions are lawful and that processing Personal Data per these instructions does not breach Privacy Laws. If Mouseflow is of the opinion that an instruction given by the Customer infringes this DPA or the Applicable Privacy Law, Mouseflow is, after informing the Customer, entitled to suspend the execution of the instruction until the Customer confirms the instruction. Parties agree that the sole responsibility for the processing of the Personal Data in accordance with the instructions lies with the Customer.
2.5. Customer compliance. Customer, within the scope of the Agreement and in its use of the Services shall comply with the Applicable Privacy Laws and the Agreement, with respect to Customer’s processing of Personal Data and Customer’s instructions to Mouseflow. Customer shall establish and have any and all required legal basis in order to collect, process and transfer to Mouseflow the Personal Data, and to authorize the Processing by Mouseflow, and for Mouseflow’s Processing activities on Customer’s behalf, including the pursuit of ‘business purposes’ as under the CCPA (to the extent applicable). Customer shall have sole responsibility for the accuracy, quality and the means by which the Customer acquired Personal Data. Customer shall publish and keep on Customer’s site a privacy notice which accurately reflects and provides all required information under any Applicable Privacy Laws concerning the processing of Personal Data by Customer and Mouseflow under the Agreement. Customer shall obtain all consent required, under any Applicable Privacy Laws, by Website Visitors to its Websites, and will maintain a record of such consents.
2.6. Exclusion of other personal data. Incidental or unintentional transmission of other personal data. It is agreed and acknowledged by Customer, that notwithstanding anything to the contrary under the Agreement, the Services provided by Mouseflow under the Agreement are not intended for the processing of PII or personal data other than Personal Data defined in s. 1.7. above. For such purpose, as agreed to and detailed in the Agreement, the Customer agrees to ensure that no PII or personal data other than Personal Data defined in s. 1.7. above is collected, processed, or transmitted to Mouseflow using the Mouseflow Service and Software. Mouseflow has informed the Customer on how to comply with this obligation via its public help center at https://help.mouseflow.com and via the Visual Privacy Tool. The Customer is solely responsible for the implementation of measures and processes to exclude all PII from being captured or transmitted to Mouseflow and Customer understands and certifies that it has or will exclude all PII and personal data other than Personal Data defined in s. 1.7. above, prior to utilizing Mouseflow’s Services. In the event that such personal data is incidentally or unintentionally collected or transmitted, Parties shall promptly notify each other of such collection and shall delete or anonymize the data without undue delay upon discovery.
2.7. Prohibition of Sensitive Data. Customer will not submit, store, or send any sensitive personal information or special categories of personal data (collectively, “Sensitive Data”) to Mouseflow for processing, and will not permit nor authorize any of its employees, agents, contractors or data subjects to submit, store or send any Sensitive Data to Mouseflow for processing. Customer acknowledges that Mouseflow does not request or require Sensitive Data as part of providing the Service to Customer, that Mouseflow does not wish to receive or store Sensitive Data, and that Mouseflow’s obligations in this DPA will not apply with respect to Sensitive Data. The terms “sensitive personal information” and “special categories of personal data” have the meanings given in Privacy Laws. Mouseflow will have no liability whatsoever for Sensitive Data, whether in connection with a Data Breach or otherwise.
2.8. Term of the DPA. This DPA will enter into force at the effective date of the Agreement and will remain in effect for as long as Mouseflow carries out Processing activities on behalf of Customer or until termination of the Agreement (and all Personal Data has been returned or deleted in accordance with this DPA).
2.9. Duration of the processing. The duration of the processing is determined in Annex 1.
2.10. Type of Personal Data processed: The types of Personal Data are listed in Annex 1.
2.11. Data Subjects: The group of persons/categories of data subjects affected by the handling of the Personal Data within the framework of the underlying Agreement comprises the Website Visitors of the Customer’s Website(s), where Mouseflow’s Software is installed.
3. Mouseflow’s obligations
3.1. Cooperation in fulfilling Data Subject requests. To the extent that Mouseflow has the ability and possibility, Mouseflow will provide Customer, at Customer’s expense, with all reasonable and timely assistance to enable Customer to respond to the Data Subjects, or data protection authorities, and Mouseflow shall, within the bounds of what is reasonable and necessary, enable the Customer to correct, delete or restrict the further processing of Personal Data. If a Data Subject contacts Mouseflow directly concerning a request, Mouseflow will immediately forward the Data Subject’s request to the Customer and recommend to the Data Subject to contact the Customer as Controller directly.
3.2. Cooperation with authorities. Mouseflow shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the competent data protection authority in the performance of its tasks relating to this DPA, to the extent required under the GDPR.
3.3. US specific obligations. In US jurisdictions where such prohibitions are mandated by the Applicable Privacy Law, Mouseflow shall not:
a. Sell any Personal Data disclosed to it by Customer;
b. Share Personal Data disclosed to it by Customer for the purposes of cross-context behavioral advertising;
c. Retain, use, or disclose any Personal Data disclosed to it by Customer for any purpose other than for the specific purpose of performing the services set out in the Agreement or as otherwise permitted in the Applicable Privacy Laws;
d. Retain, use, or disclose any Personal Data outside of the direct business relationship between Mouseflow and Customer, except as may be permitted in the Applicable Privacy Laws; and
e. Combine Personal Data disclosed to it by Customer with Personal Data that Mouseflow has received from another business or that Mouseflow has independently collected, except where such combination is permitted by this DPA or by Applicable Privacy Laws.
4. Confidentiality and Data Security
4.1. Confidentiality. Mouseflow entrusts Personal Data only to employees bound to confidentiality under this DPA and the Agreement and previously familiarized with the data protection provisions relevant to their work. Mouseflow and any person acting under its authority and with access to the Personal Data, shall not process it unless under instructions from the Customer, which includes the powers granted by this DPA and the Agreement, unless required to do so by law.
4.2. Security measures. Mouseflow shall ensure it implements and maintains throughout the term of the DPA, or duration of its Services to Customer, appropriate, industry-standard technical and organizational measures to ensure that Processing within its area of responsibility is in accordance with the requirements of Applicable Privacy Laws and to protect Personal Data, including protection against Data Breaches. The measures to be taken are measures among others (i) of data security and (ii) to guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. Customer acknowledges that the security measures are subject to technical progress and development and that accordingly Mouseflow may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service.
4.3. Data Protection Officer. Mouseflow’s appointed Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR:
Name: RA Axel Dreyer, LL.M.
Company: Schürmann Rosenthal Dreyer
Address: Uerdinger Straße 62, 40474 Düsseldorf, Germany
Phone: +49 (0) 211 4155868 0
Fax: +49 (0) 211 4155868 20
Email: dreyer@srd-rechtsanwaelte.de
5. International Data Transfers
5.1. General authorization. Customer authorizes Mouseflow, its Affiliates and Sub-processors to make international data transfers of Personal Data in accordance with this DPA so long as Applicable Privacy Laws for such transfers are respected.
5.2. Transfer to adequate countries. Personal Data may be transferred to countries outside the European Union (EU) and the European Economic Area (EEA) (“Third Countries”) that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of Europe, the Member States or the European Commission, without any further safeguard being necessary.
5.3. Transfer to the US. With respect to any transfer of any personal data from the EU, UK or Switzerland to the United States, Mouseflow shall primarily rely on Mouseflow’s, Affiliates’ and Sub-processors’ certification under the EU-U.S. Data Privacy Framework, the Swiss-US Data Privacy Framework and the UK-US Data Privacy Framework (together, the “DPF”) operated by the U.S. Department of Commerce. To the extent that the DPF is invalidated or ceases to be an appropriate safeguard under Article 46 GDPR for transfers to the United States, then, such transfer shall be subject to the appropriate Standard Contractual Clauses, as detailed below.
5.4. EEA Transfers. With respect to Personal Data transferred from the European Economic Area (“EEA”) to Third Countries which have not been subject to an adequacy decision or the DPF, and such transfer or disclosure is not permitted through alternative means approved by Applicable Privacy Laws, Parties agree that the New EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA to the extent of conflict. Customer hereby agrees to enter into the New EU SCCs, which are incorporated into this DPA by this reference and completed as follows:
i. Customer is acting as Controller and Mouseflow as Processor, Module Two of the New EU SCCs shall apply.
ii. Mouseflow is the Data Importer and Customer is the Data Exporter.
iii. The Parties agree to the following:
1. In Clause 7, the optional docking clause will apply;
2. In Clause 9, Option 2 (General Authorization) will apply and provide for a 30-day advance notice;
3. In Clause 11, the optional language will not apply.
iv. In Clauses 17 and 18, the Parties choose the law of Denmark and the courts of Denmark. Annexes. The Parties agree that Annex I to the New EU SCCs shall be completed by Annex I to this DPA.
5.5. Switzerland Transfers. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, (i) references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner; and (ii) as so amended, the New EU SCCs are incorporated herein by reference and shall apply, form a part of this DPA, and take precedence over the rest of this DPA to the extent of conflict.
5.6. UK Transfers. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCC Addendum, unless the United Kingdom issues updates to the UK SCC Addendum, in which case the updated UK SCC Addendum will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCC Addendum. Customer hereby agrees to enter into the UK SCC Addendum, which is incorporated into this DPA by this reference and completed as follows:
i. In Table 1, the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Annex I to this DPA.
ii. In Table 2, the New EU SCCs as executed by the Parties pursuant to this DPA.
iii. In Table 3, Annex 1A, 1B, and Annex II shall be as set forth in Annex I to this DPA.
iv. In Table 4, either party may end this DPA as set out in Section 19 of the UK SCC Addendum.
5.7. Accounts with EU data residency. For the Accounts with EU data residency, storage and automated processing shall be carried out exclusively within a Member State of the European Union (EU) or the European Economic Area (EEA). Any transfer of data to a state which is not a Member State of either the EU or the EEA shall only occur if the specific conditions of Article 44 et seq. GDPR have been fulfilled.
6. Sub-processors
6.1. General authorization. The Customer acknowledges and agrees that Mouseflow may engage Sub-processors in connection with the provision of the Services, all in accordance with and under the terms of this section.
6.2. Current Sub-processors. Currently, Mouseflow applies the Sub-processors listed here who collaborate in the Processing of Personal Data. Customer hereby authorizes the Sub-Processor list as of the date of first use of the Services.
6.3. Change of Sub-processors. Mouseflow may update the Sub-processor’s list from time to time to reflect any changes in Sub-processors. We will provide thirty (30) days’ prior written notice to Customer via email or in-App notification. Customer may object in writing to Mouseflow’s appointment of a new Sub-processor within ten (10) calendar days of such notice, provided that such objection is based on reasonable ground that the Sub-processor does not or cannot comply with the requirements set forth in this DPA. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. Failure to object to such a new Sub-processor in writing within the deadline shall be deemed as acceptance of the new Sub-Processor by Customer.
6.4. Agreements with Sub-processors. Mouseflow has entered into a written agreement with each Sub-processor containing appropriate safeguards to the protection of Personal Data. Where Mouseflow engages a new Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Applicable Privacy Laws.
7. Customer’s Audit Rights and Obligations
7.1. Mouseflow is regularly audited against various information security standards in internal processes. Upon request, Mouseflow shall provide written responses (on a confidential basis) to all reasonable requests for information necessary to confirm our compliance with this DPA, provided that Customer will not exercise this right more than once per calendar year.
7.2. While the Parties intend to rely on the provision of the above information to verify Mouseflow’s compliance with this DPA, Mouseflow will permit an internationally-recognized independent auditor selected by the Customer to conduct audits to verify compliance with its obligations under this DPA. The Customer must send any audit requests under this section to privacy@mouseflow.com. Upon receipt of such a request, the Parties will discuss and agree in advance on the reasonable start date, scope, duration, and applicable security and confidentiality controls for the audit. The Customer will be responsible for any costs associated with the audit. The Customer acknowledges and agrees that the audit rights under this section can be exercised (i) if and to the extent required by a competent data protection authority; (ii) if and to the extent an audit is necessary due to a Data Breach; and (iii) no more than once in a twelve (12) month period. The Customer’s audit or inspection cannot include actions or access, physically or electronically, that could potentially violate Mouseflow’s privacy or compliance obligations towards other customers, affiliates, or employees.
8. Data Breach
8.1. Assistance with data protection obligations. Mouseflow shall assist the Customer in complying with the obligations concerning the security of Personal Data, reporting requirements for Data Breaches, data protection impact assessments and prior consultations with the competent authorities. These include, to the extent required under the Applicable Privacy Laws:
a. Ensuring an appropriate level of protection through technical and organizational measures referred to in Section 4 (Confidentiality and Data Security), that take into account the circumstances and purposes of the Processing as well as the projected probability and severity of a possible infringement of the Applicable Privacy Law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
b. The obligation to notify Customer via email of a Data Breach in a timely manner after becoming aware of the Data Breach.
c. The duty to assist the Customer with regard to the Customer’s obligation to provide information to the Data Subject concerned and to immediately provide the Customer with all relevant information in this regard.
d. Supporting the Customer with its data protection impact assessment.
e. Supporting the Customer with regard to prior consultation of the Supervisory Authority.
8.2. Compensation. Mouseflow may claim compensation for support services which are not included in the description of the Services and which are not attributable to failures on the part of Mouseflow.
8.3. Notification. For the purposes of this Agreement, all written communications from Mouseflow to the Customer will be sent to the Account Owner’s email address.
9. Deletion or Return of Data
Upon termination or expiry of this DPA and the provision of the Services, Mouseflow shall delete without unreasonable delay all Personal Data in its possession, in accordance with the duration period set out in Annex 1, unless any applicable law requires Customer to retain Personal Data. Mouseflow may keep documentations, which serve as evidence of the orderly and accurate Processing of Personal Data, also after termination of the Agreement or the DPA.
10. Indemnification and Limitation of Liability
The indemnity and liability regulation agreed between the Parties in the Agreement also applies to this DPA. Each Party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the Standard Contractual Clauses) will be subject to the exclusions and limitations of liability set forth in the Agreement. Any claims made against Mouseflow under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) will be brought solely by Customer entity that is a party to the Agreement. Mouseflow shall only be held liable for damages resulting from Processing activities if it: (i) failed to comply with the obligations in the Agreement and of the Applicable Laws that specifically apply to data processors, or (ii) acted outside or contrary to the lawful written instructions of the Customer. In cases where both Mouseflow and the Customer are involved in Processing under the Agreement (including this DPA) that results in damage to a data subject or results in penalties and administrative fines, the Customer will initially cover the full indemnification (or any other compensation) owed to the data subject or the authority. Subsequently, the Customer may seek reimbursement from Mouseflow for the portion of the compensation or fines that correspond to Mouseflow’s responsibility for the damage, as outlined in this section and subject to the limitation of liability specified in the Agreement.
Notwithstanding anything to the contrary in the Agreement, including this DPA, Mouseflow and its Affiliates will not be liable for any claim made by an authority, court or a Data Subject arising from or related to Mouseflow’s or any of its Affiliates’ acts or omissions, to the extent that Mouseflow was acting in accordance with Customer’s instructions. The Customer acknowledges that any use, exporting or sharing of data accessed through the Mouseflow Software by the Customer, its employees, agents, or any other individuals or entities acting on its behalf is beyond the control and responsibility of Mouseflow. Mouseflow shall have no liability whatsoever for any such use, exporting or sharing of data.
11. Miscellaneous
11.1. Reimbursements. Mouseflow may require the Customer to reimburse the costs incurred by Mouseflow through the audits, controls, data extinguishments and execution of instructions of the Customer specified in this DPA.
11.2. Severability. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
11.3. Modifications. Except for the changes made by this DPA, the Agreement and/or any other agreements related to the Services remain unchanged and in full force and effect.
11.4. Precedence of Agreements. In the event of any conflict or inconsistency between the terms of the Agreement and this DPA, the terms of the Agreement shall prevail, except for matters strictly related to the processing and protection of personal data. In such cases, the terms of the DPA shall take precedence, provided that the provisions related to the exclusion of personal data, limitation of liability, and indemnification as set forth in the Agreement shall continue to apply and govern.
11.5. Governing Law and Jurisdiction. This DPA and any dispute(s) or claim(s) arising out of or in connection with it or its subject matter or formation (including non-contractual dispute(s) or claim(s)) shall be governed by and construed in accordance with the laws of Denmark, without giving effect to any choice or conflict of law provisions or rule. In relation to any dispute(s) or claim(s), each Party irrevocably agrees that the courts of Copenhagen, Denmark shall have exclusive jurisdiction to settle any such dispute(s) or claim(s).
ANNEX I
A. LIST OF PARTIES
I. Data exporter(s):
i. Name: As provided under the Agreement as Customer or Controller.
ii. Address: As provided under the Agreement for Customer or Controller.
iii. Contact person’s name, position and contact details: As provided under the Agreement between data exporter and data importer.
iv. Activities relevant to the data transferred under these Clauses: Transferring and accessing the data and any other activities related to receipt of the Services described under the Agreement.
v. Signature and date: The data exporter’s signature to the DPA and date of that signature shall constitute the signature and date for this Annex.
vi. Role (controller/processor): Data Controller.
II. Data importer(s):
i. Name: As provided under the Agreement as Mouseflow.
ii. Address: As provided under the Agreement for Mouseflow.
iii. Contact person’s name, position and contact details: As provided under the Agreement between data exporter and data importer.
iv. Activities relevant to the data transferred under these Clauses: Processing in order to provide the Services to Mouseflow as described in the Agreement between data exporter and data importer, including as described under the DPA and its annexes.
v. Signature and date: The data importer’s signature to the DPA and date of that signature shall constitute the signature and date for this Annex.
vi. Role (controller/processor): Data Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
- Visitors of the Customer’s websites
Categories of personal data transferred:
- Session data collected by Mouseflow, in relation to the specific website on which the Customer installed the Software: mouse movements/hovers, scrolling, clicks, duration (time on site), visitor type (first time/returning), visited webpages, browser, operating system, language, device type (desktop, tablet, phone), screen resolution, page content (HTML), navigation URL, referrer URL, replies in feedback tool, approximated geographical location (country and city), IP address fragment in anonymized form. Being an internet-based tool, the Mouseflow platform infrastructure makes use of the necessary HTTP protocol information (including the IP address) required to communicate with the Visitors’ browser, while data is in transit. This information is encrypted while in transit, and it is not stored by the Mouseflow Software or used for analytics.
- Technical data generated by Mouseflow, in relation to the specific website on which the Customer installed the Software, if enabled by Customer: Mouseflow 1st party session cookie (transient, making it possible to relate individual pageviews to the current website visit (session)), Mouseflow current user cookie (for the specific website, recognizes whether the visitor is a new or recurrent visitor on the same website, using the same device and browser).
- Data provided or transmitted by the Customer to the Software: custom variables or tags.
According to the Agreement, Customer shall exclude from the collected/transmitted data (for example from HTML data, custom variables, tags, navigation URLs, answers required in the feedback tool, etc.) all information that identifies an individual or household (such as, but not limited to, usernames, names, email addresses, IP addresses, or other online identifiers), so that neither Mouseflow nor any third party would be able to identify any individual or household based on all the data Mouseflow holds.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- No sensitive data is processed. Customer determines and controls the data transferred to Mouseflow and is solely responsible for ensuring not to transfer Sensitive Data to Mouseflow. This DPA includes an express prohibition on the transfer of Sensitive Data to Mouseflow.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
- Continuously, for the duration of the Agreement between the parties.
Nature of the processing:
Data will be collected, stored, and analyzed to provide web analytics services, including collecting user interactions, generating user behavior reports, and optimizing website performance.
Purpose(s) of the data transfer and further processing:
- For Mouseflow to provide the Services to Customer pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
- Personal Data shall be retained for the duration necessary to provide the Services under the Agreement, or as otherwise required by applicable law. Personal Data will be deleted no later than by thirteen (13) months following its collection.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
- Mouseflow’s sub-processors will process Personal Data to assist Mouseflow in providing the Services pursuant to the Agreement, for as long as needed for Mouseflow to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be the Danish Data Protection Authority: Datatilsynet (Danish Data Protection Agency), Carl Jacobsens Vej 35, 2500 Valby, Denmark.