This US State Data Processing Addendum (the State DPA) is entered into between Nomic, Inc. (Nomic), and the vendor agreeing to this State DPA (Customer) and is incorporated into and governed by the terms of the Subscription Services Agreement between the parties (the Agreement). To the extent state data protection statutes (State Data Protection Laws) apply to Customer's Personal Information, the parties must comply with the following terms.

1. Definitions

Any capitalized term not defined in this State DPA will have the meaning given to it in the Agreement.

  • Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party.
  • Controller means Customer, the entity which determines the purposes and means of the processing of Personal Data.
  • Personal Information or Personal Data means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device, as defined under applicable State Data Protection Laws.
  • Processor means Nomic, the entity which Processes Personal Data on behalf of Controller.
  • Sub-processor means any third party (including Nomic's Affiliates) engaged by Nomic to process Personal Data under this State DPA in the provisioning of Services to Customer.
  • Services means the services offered by Nomic to Customer pursuant to the Agreement.

2. Purpose

a. Nomic has agreed to provide Services to Customer in accordance with the terms of the Agreement. In providing Services, Nomic will process Personal Data on behalf of Customer. Nomic will process and protect such Personal Data in accordance with the terms of this State DPA, the Agreement, and documented lawful instructions of the Customer under applicable State Data Protection Laws specified in the Agreement. The description of Personal Data is set out in Exhibit A to this State DPA.

b. With respect to Personal Data under this State DPA, the parties agree that Customer is the 'data controller' and Nomic is the 'data processor'. Customer will comply with its obligations as a Controller and Nomic will comply with its obligations as a Processor under this State DPA.

c. Where a Customer's Affiliate or a Customer client is the controller with respect to certain Personal Data, Customer represents and warrants to Nomic that it is authorized to instruct Nomic and otherwise act on behalf of such Customer's Affiliate or a Customer's client in relation to Personal Data in accordance with the Agreement and this State DPA.

3. Scope

a. In providing Services to Customer pursuant to the terms of the Agreement, Nomic will treat Personal Data as confidential and only process Personal Data on behalf of Customer, and only to the extent necessary to provide Services and in accordance with Customer's instructions in this State DPA.

b. Nomic and Customer must take steps to ensure that any natural person acting under the authority of Customer or Nomic who has access to Personal Data does not process the Personal Data except as specified in this State DPA unless required to do so by State Data Protection Laws.

4. Limitations on Use of Personal Information

a. General Limits. Nomic will limit Personal Information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve Services.

b. Specific Limits. Nomic may not:

  • Retain, use, or disclose any Personal Information provided by or on Customer's behalf or collected by Nomic on Customer's behalf for any purpose other than (i) providing Services as directed by Customer under the terms of the Agreement; (ii) complying with Nomic's legal obligations; or (iii) as allowed by applicable State Data Protection Laws.
  • Sell or share Personal Information, and
  • Combine Personal Information with any Personal Information it receives from another entity or collects on its own, except as allowed under the Agreement.

c. Non-Compliance Notice. Nomic will advise Customer if Nomic determines it can no longer meet its obligations under the applicable State Data Protection Laws.

5. Nomic Obligations

a. Customer's Additional Rights. To the extent required by State Data Protection Laws, Customer has the right to take reasonable and appropriate steps to: (i) help ensure that Nomic uses Personal Information transferred in a manner consistent with the Customer's obligations under State Data Protection Laws; and (ii) upon notice (including under Section 4(c) above), stop and remediate unauthorized use of Personal Information.

b. Confidentiality. Nomic will ensure through a nondisclosure agreement that any persons accessing or processing Personal Information are subject to a duty of confidentiality with respect to the Personal Information.

c. Sub-processors. Customer authorizes Nomic to disclose or transfer Personal Information to or allow access to Customer's Personal Information by Sub-processors (i.e., subcontractors) solely for purposes of providing Services under the Agreement. The current list of Sub-processors is set out in the Nomic Security Center: www.nomic.ai/security.

  • Flow down. Prior to any disclosure, Nomic will impose on the Sub-processor, in writing, obligations concerning Personal Information as required by the State Data Protection Laws.

d. Assistance. To the extent Customer, in its use of Services, cannot address a consumer's request from within the Services, Nomic must, upon Customer's request, and to the extent possible, provide commercially reasonable efforts to assist Customer in responding to such consumer request, to the extent Nomic is legally permitted to do so and the response to such consumer request is required under the State Data Protection Laws. Nomic must also assist Customer in meeting its obligations under the State Data Protection Laws.

6. Customer Obligations

a. Compliance. Customer represents and warrants, in its use of Services, that it will comply with applicable State Data Protection Laws, including any applicable requirements to provide notice to or obtain consent from consumers for processing by Nomic. All Affiliates of Customer who use Services will comply with the obligations of Customer set out in this State DPA.

b. Demonstrating compliance. Upon Customer's reasonable request, Nomic will make available to Customer all information in its possession necessary to demonstrate Nomic's compliance with its privacy obligations.

7. Notification of Security Breach

a. Security Measures. In order to protect Customer's Personal Information, Nomic will (i) implement and maintain all reasonable security measures appropriate to the nature of the Personal Information, including technical, physical, administrative, and organizational controls, and will maintain the confidentiality, security, and integrity of such Personal Information; (ii) implement and maintain industry standard systems and procedures for detecting, preventing, and responding to attacks, intrusions, or other system failures, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures; (iii) designate an employee or employees to coordinate implementation and maintenance of its security measures; and (iv) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Customer's Personal Information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

b. Notice of Data Breach. If Nomic knows or has reasonable suspicion that Customer's Personal Information has been accessed, disclosed, or acquired without proper authorization and contrary to the terms of this State DPA, Nomic will alert Customer of any such data breach without undue delay and no later than 24 to 48 hours, and will immediately take such actions as may be necessary to preserve forensic evidence and eliminate the cause of the data breach. Nomic will give the highest priority to immediately correcting any data breach and devote such resources as may be required to accomplish that goal. Nomic will provide Customer with all information necessary to enable Customer to fully understand the nature and scope of the data breach. To the extent that Customer, in its sole reasonable discretion, deems it warranted, Customer may provide notice to any or all parties affected by any data breach. In such case, Nomic will consult with Customer in a timely fashion regarding appropriate steps required to notify third parties. Nomic will provide Customer with information about what Nomic has done or plans to do to minimize any harmful effect or the unauthorized use or disclosure of, or access to, Personal Information.

8. Audit

a. Cooperation Regarding Assessments. Nomic will allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor. Alternatively, if required by the applicable State Data Protection Laws, Nomic may arrange for a qualified and independent assessor to assess Nomic's policies and technical and organizational measures in support of Nomic's privacy obligations under the State Data Protection Laws, using an appropriate and accepted control standard or framework and an assessment procedure suitable for such assessments.

b. Method. Any audit conducted under this State DPA by Customer or an independent third-party auditor, mutually agreed upon by both parties, subject to reasonable confidentiality obligations, will consist of an examination of the most recent reports, certificates, or extracts prepared by an independent auditor. If this is not sufficient in the reasonable opinion of Customer, Customer may conduct a more extensive audit which will be: (i) at Customer's expense; (ii) limited in scope to matters specific to Customer and agreed in advance; (iii) carried out during Nomic's business hours and upon reasonable notice which must be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with Nomic's day-to-day business. Any such audit must be conducted remotely, except Customer or its regulatory agency, or both, may conduct an on-site audit at Nomic's premises if required by the State Data Protection Laws. In no event will any audit of a Sub-processor, beyond a review of reports, certifications, and documentation made available by the Sub-processor, be permitted without the Sub-processor's consent.

9. Deletion and Return of Personal Information

a. Destroy or Return Prior to Termination. At Customer's request prior to termination or expiration of an order, Nomic will delete or make available for return all Personal Information to Customer as described in the Agreement, unless retention of the Personal Information is required by a law applicable to Nomic. Where any Personal Information is retained beyond termination, Personal Information must be treated as confidential and will no longer be actively processed.

10. Miscellaneous

a. The term of this State DPA continues for the duration of the Agreement, and this State DPA will automatically terminate upon the termination or expiration of the Agreement.

b. This State DPA is governed by the terms of the Agreement between the parties. All terms not defined in this State DPA have the meanings ascribed to such terms in the Agreement. If there is a conflict between this State DPA and the Agreement, this State DPA governs. This State DPA and the Agreement constitute the entire agreement between the parties and supersede all prior or contemporaneous negotiations, agreements, and representations, whether oral or written, related to this subject matter. No modification or waiver of any term of this State DPA is effective unless both parties sign it.

Exhibit A

Description of Personal Data

Categories of Data Subjects: Users of Customer's services.

Categories of Personal Data: User account identifiers (name, email address, profile image URL); authentication credentials and session tokens (managed via SSO/SAML or delegated identity provider); user activity logs (queries submitted, files accessed, workflow actions, timestamps); IP addresses and browser metadata collected in the course of platform access; organization membership and role assignments (admin, member).

Sensitive Personal Data: The service is not designed to process sensitive data, and it is not necessary for this type of service.

Frequency of Processing:
  • Personal Data is processed continuously for the duration of the Subscription Services Agreement.
  • User account data is processed upon account provisioning and authentication events.
  • Usage and activity data is processed in real time as end users interact with the platform.
  • All Customer Data processed through AI workflows is handled ephemerally with zero data retention.

Nature of the Processing: Automated processing of Personal Data in connection with the provision of the Service, including: user authentication and session management; indexing and AI-assisted analysis of Customer-designated documents and data sources; generation of AI responses, compliance checks, and workflow outputs; logging of user activity for audit, governance, and usage analytics purposes; and transfer of data to authorized sub-processors for AI inference (subject to zero data retention agreements).

Purposes of Processing: Processor processes Personal Data solely as necessary to provide the Services described in the Agreement, including account provisioning, connecting to and processing documents from Customer-designated data sources, delivering AI-assisted workflows, providing usage analytics and reporting, and communicating with Customer regarding service delivery and support. Personal Data is transferred to sub-processors only as necessary to provide the Services. Controller instructs Processor to process Personal Data for these purposes and for no other purpose.

Data Transfer Mechanism:
  • For Personal Data processed solely within the United States.
  • All primary infrastructure is hosted on Amazon Web Services (AWS) within the United States.