MOZIAC PAYMENTS, INC – GDPR COMPLIANT PRIVACY POLICY

This GDPR Compliant Privacy Policy addresses customer data protection as it concerns the use and processing of Consumer Data in Connection with Payment Processing Services, as well as safeguards that are in place when transfers of international data exist (this “Attachment I”). This Attachment I shall have an effective date of what is stated in the Data Retention Policy (the “Agreement).

This Attachment I applies to any product, service, or other offering where Mozaic Payments, Inc. (“Mozaic”) provides card and/or direct debit processing, gateway and/or fraud protection services (the “Payment Services”) to its consumers or Merchants. This Attachment I shall be considered part of the applicable Data Retention Policy (the “Agreement”) between you (“you” or “Merchant”) and Mozaic Payments, Inc. that governs Mozaic’s Payment Services to you.

In the event there is any conflict between the terms of this Attachment I and the Agreement, the terms of this Attachment I will control. Capitalized terms used but not defined in this Attachment I have the meaning set out in the Agreement.

We may amend this Attachment I from time to time. The revised version will be effective at the time we post it on https://mozaic.io/ (our “website”) unless otherwise specifically stated. If our changes reduce your rights or increase your responsibilities, we will post a notice on our website. If you do not agree with any change or amendment to this Attachment I, you may discontinue your use of the Payment Services.

Definitions

The following terms have the following meanings when used in this Attachment I:

“Controller” means an entity that determines the purposes and means of the processing of Personal Data, or, if such term (or terms addressing similar data protection and privacy roles) is defined in Data Protection Law, “Controller” shall have the meaning as defined in the applicable Data Protection Law including a “Business” as defined in the California Consumer Privacy Act (“CCPA”).

“Customer” means your consumer or customers who use the Payment Services.

“Customer Data” means the Personal Data that

1. the Customer provides to you and which you pass on to Mozaic through the use by you of the Payment Services AND
2. Mozaic may collect from the Customer’s device and browser through use by you of the Payment Services.

“Data Protection Laws” means any applicable data protection laws, regulations, directives and regulatory requirements applicable to Mozaic’s provision of the Payment Services, including any amendments thereto and any associated regulations or instruments (e.g., the California Consumer Privacy Act 2018, Cal. Civ.

Code § 1798.100 et seq (“CCPA”), the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 in the Commonwealth of Australia (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)).

“Mozaic” means Mozaic Payments, Inc. and all company entities and subsidiaries which Mozaic, or its successor(s), directly or indirectly from time to time owns or controls.

“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Process” or “Processed” or “Processing” means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.

1. Processing of Customer Data in Connection with the Payment Service

1. The parties to this Attachment I acknowledge and agree that the Merchant and Mozaic are each independent Controllers in respect of all Customer Data Processed in connection with the Payment Services that Mozaic provides its Customers. As such, Mozaic independently determines the purpose and the means of the Processing of such Customer Data and is not a joint Controller with Merchant with respect to such Customer Data.
2. The parties acknowledge and agree that Mozaic is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:
   1. as reasonably necessary to provide and improve the Payment Services to Merchant and its Customers, including in connection with its fraud protection tools;
   2. to monitor, prevent and detect fraudulent payment transactions and to prevent harm to Merchant, Mozaic, and to third parties,
   3. to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which Mozaic is subject, including applicable anti- money laundering and identity verification obligations;
   4. to analyze, develop and improve Mozaic’s products and services;
   5. internal usage, including but not limited to, data analytics and metrics;
      
   6. to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Customer Data is not identifiable, including calculating your averages by region or industry;
   7. complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
   8. any other purpose that it notifies Merchant so long as such purpose is in accordance with Data Protection Laws.

2. Controller Assigned

1. Mozaic shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the Processing of Customer Data under this Attachment I (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Customer Data) and shall not knowingly do anything or permit anything to be done with respect to the Customer Data that likely would lead to a breach by Merchant of the Data Protection Laws. Mozaic shall only transfer Customer Data to third parties, sub-processors or members of Mozaic Payments, Inc. who shall sign written agreements which contain terms for the protection of Customer Data, which are no less protective than the terms set out in this Attachment I.

3. Notice to Customers

1. Merchant shall use commercially reasonable efforts to (i) notify Customers in their privacy policy that Mozaic is an independent Controller for the purpose of Processing Customer Data as described in this Attachment I and (ii) include a link to the Mozaic privacy statement available at Mozaic’s website in Merchant’s privacy policy.

4. Cross Border Data Transfers and GDPR Compliance

1. The parties to this Attachment I agree that Mozaic may transfer Customer Data Processed under this Attachment I outside the country where it was collected as necessary to provide the Payment Services. If Mozaic transfers Customer Data protected under this Attachment I to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, Mozaic will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with applicable Data Protection Laws. See below for specific example.
   1.  For purposes of compliance with the GDPR, we rely on the EU’s SCC and Mozaic’s internal corporate binding rules for transfers of Customer Data within Mozaic Payments, Inc.
2. With respect to your data transfers to Mozaic of your Customers located in the European Union, Switzerland, the Europeans Economic Area, and/or their member states or the United Kingdom, we each agree that (i) to the extent applicable, your signing of the Agreement will be deemed to be signature and acceptance of the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR (“EU Transfer Clauses”) by Merchant, as the data exporter and in the role of controller, and will be deemed to be signature and acceptance of the standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being, in force in the United Kingdom (the “UK Transfer Clauses”), as the data exporter (ii) to the extent applicable, Mozaic’s signature of the Agreement will be deemed to be signature and acceptance of the EU Transfer Clauses by Mozaic , as the data importer and in the role of controller, and will be deemed to be signature and acceptance of the UK Transfer Clauses, as the data importer; and (iii) the parties shall be subject to the Module 1 provisions of the EU Transfer Clauses. In the event the European Commission or the UK Secretary of State (or other applicable UK authorized body) revises and thereafter publishes new EU Transfer Clauses or UK Transfer Clauses, respectively (or as otherwise required or implemented by the European Commission or the UK Secretary of State (or other applicable UK authorized body)), the Parties agree that such new EU Transfer Clauses or UK Transfer Clauses, as applicable, will supersede the present EU Transfer Clauses or UK Transfer Clauses, as applicable, and that the parties agree to take all such actions required to effect the execution of the new EU Transfer Clauses or UK Transfer Clauses, as applicable. The EU Transfer Clauses (Module 1) and the UK Transfer Clauses will be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:
   1. EU Transfer Clauses
      1. option 1 of Clause 17 (Governing law) shall apply and the laws of Luxembourg shall govern the EU Clauses;
      2. in accordance with Clause 18 (Choice of forum and jurisdiction), the courts of Luxembourg will resolve any dispute arising out of the EU Clauses; and
      3. The parties agree that the details required under the EU Transfer Clauses Appendix are as set forth on this Attachment 1.
   2. UK Transfer Clauses
      1. Clause II(h)(iii) is incorporated and signature of the Agreement by Mozaic will be deemed the requisite initials from Mozaic as the data importer;
      2. The parties agree that the details required under Annex B of the UK Transfer Clauses are as set forth on this Attachment 1 (to the extent applicable).

Attachment I

Appendix to the EU Transfer Clauses and Annex B of the UK Transfer Clauses

*The following is applicable, to the extent required, under the EU Transfer Clauses and the UK Transfer Clauses*

Each party agrees to be bound by the terms and conditions set out in this Attachment I Appendix, in exchange for the other party also agreeing to be bound by this Attachment I Appendix. Where this Attachment I Appendix uses terms that are defined in the Approved EU Standard Contractual Clause (SCC) those terms shall have the same meaning as in the Approved EU SCC. The Standard Contractual Clause shall mean the SCC that is set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the appropriate safeguards.

If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this Attachment 1 Appendix has been entered into.

Annex 1. A. List of Parties

1. Data Exporter
   1. Name and Address: The data exporter is the Merchant and the address is as provided in the Agreement
   2. Contact person’s name, position and contact details: as provided in the Agreement
   3. Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement
   4. Signature and date: please see the “Cross Border Transfers” section of this Attachment I
   5. Role (controller/processor): controller
2. Data Importer
   1. Name and Address: The data importer is Mozaic and the address is as provided in the Agreement
   2. Contact person’s name, position and contact details: as provided in the Agreement
   3. Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement Signature and date: please see the “Cross Border Transfers” section of this Attachment I
   4. Role (controller/processor): controller

Annex 1. B. Description of Transfer

1. Data subjects Whose Personal Data is Transferred
   The Personal Data transferred concern the following categories of data subjects:
   1. The data exporter’s customers, employees and other business contacts
2. Categories of Personal Data Transferred
   1. The personal data transferred may include the following categories of data: Name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry data, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by Mozaic under the Agreement.
3. Sensitive data (if appropriate) and Safeguards
   1. As it concerns international data transfers and the appropriate safeguard, the Approved EU SCC is the governing authority in which is abided by as it concerns this Attachment I Appendix.
   2. The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
4. Nature of the Processing
   As set forth in the Agreement.
5. Purpose of the Transfer
   The transfer is made for the following purposes:
   1. Performance of the services provided by data importer to data exporter in accordance with the Agreement.
   2. To identify fraudulent activity and risk that is, or may, affect the data importer, the data exporter or other customers of the data importer.
   3. To comply with laws applicable to the data importer.
   4. As set forth in the Data Protection Laws and this Attachment I.

6. The Period for which the Personal Data will be Retained, or, if that is not Possible, the Criteria Used to Determine that Period

The data importer only retains the personal data for as long as is necessary with regards the relevant purpose(s) it was collected for (please see purposes above). To determine the appropriate retention period for personal data, the data importer considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which the personal data is processed and whether such purposes can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

7. For transfers to Sub-Processors, also Specify Subject Matter, Nature and Duration of the Processing

The data importer may share personal data with third-party service providers that perform services and functions at the data importer’s direction and on its behalf. These third-party service providers may, for example, provide an element of the services provided under the Agreement such as customer verification, transaction processing or customer support, or provide a service to the data importer that supports the services provided under the agreement such as storage. When determining

the duration of the processing undertaken by the third-party service providers, the data importer applies the criteria provided above in this Annex1.B.

Annex 1.C. Supervisory Authority

In accordance with Clause 13(a) of the EU Transfer Clauses, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated shall act as competent supervisory authority.

Annex II. Technical and Organizations Measures Including Technical and Organizational Measures to Ensure the Security of the Data

1. Mozaic’s policies ensure compliance with this principle and require the use of technical controls to prevent the risk of disclosure of personal data. Mozaic employs encryption in transit and at rest for all personal data. Mozaic has comprehensive policies that provide key obligations and processes to protect data when it is transferred within the enterprise and externally with third parties.
2. Mozaic’s management process protects the ongoing availability and resiliency of data and systems throughout their lifecycle by ensuring that changes are planned, approved, executed, and reviewed appropriately. The Company’s business continuity management process provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders
3. Mozaic regularly tests, plans, executes and reports on the results of the testing program to assess and evaluate the effectiveness of its technological and organizational measures. The program is managed through our enterprise risk and compliance team who work with relevant stakeholders to obtain and evaluate information required for testing, reporting and remediating as necessary.
4. Mozaic’s internal security policies take into account global safety set forth in the requirements necessary to facilitate sounds safety and security processes, including physical security, in accordance with applicable laws and requirements. Special emphasis is placed on security systems and safeguards when constructing special or sensitive areas such as mail rooms, equipment storage, shipping and receiving areas, computer/server rooms, communications vaults or classified document/ information storage areas in accordance with Mozaic’s information security handling standard.
5. Mozaic has outlined and defined event logging and monitoring types and attributes. Mozaic’s policies and supporting processes set forth a system configuration that must be implemented across all systems.
6. Our policies require, through technical controls, that data elements collected and generated are those which are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Mozaic’s privacy impact assessment processes ensure compliance with these policies.
7. Mozaic’s access and quality policy ensures that all personal data is correct, complete, and up to date, enabling individual users to access the system to correct and modify their particulars (e.g., address, contact details etc.), and, where a request for correction is received from a data subject, to provide a service which delivers their right to correction. Our data governance program monitors data quality, issues and remediations, as necessary. We require that all data be classified according to its business value with assigned retention periods, which is based upon Mozaic’s legal, regulatory, and business recordkeeping requirements. Upon expiration of the retention period, data and information is disposed, deleted, or destroyed.
8. Mozaic has developed a set of information security, technology, data governance, third party management and privacy policies and principles that are aligned to industry standards and designed to engage stakeholder collaboration and partnership in awareness and compliance with such policies and controls across the organization to ensure participation and accountability from the top down across the organization. Each program defines accountabilities for cross-functional data related decisions, processes and controls.
9. Mozaic has programs in place to ensure data subject rights are fulfilled, including access, correction and erasure. Data erasure requests are fulfilled unless Mozaic has a legal, regulatory obligation or other legitimate business reason to retain it. Mozaic’s policies ensures that erasure occurs throughout the customer lifecycle.
10. The parties do not need the consent of any third party to make changes to this Attachment I Appendix, but any changes must be made in accordance with its terms.