STANDARD TERMS AND CONDITIONS

The Agreement shall consist of the terms set forth above and the accompanying standard terms and conditions set forth below.

1.0 Grant of Rights. During the Term of this Agreement, it is understood and agreed by the parties that nothing in this Agreement constitutes a sale or rental of Rooms from Partner to Curacity and that Curacity bears no risk of loss with respect to any Rooms made available for sale hereunder. Partner grants Curacity the right to use the name and details of the Property (ies) and to provide the Services hereunder, including for publicity and marketing purposes and in presentations to other hotel properties. Curacity may, in its sole discretion, determine the means by which editorial amplification is delivered, including but not limited to newsletters and email marketing. Partner will provide Curacity with copy, content and any other advertising materials (collectively, the “Advertising Materials”) to publish and distribute with respect to Curacity’s Marketing opportunities through its network websites. Curacity has no obligation to undertake any responsibility to review the Advertising Materials to determine whether any included content may result in liability to third parties and Partner is solely responsible for creating, managing, editing, reviewing, deleting or otherwise controlling the Advertising Materials. This section of the Agreement and the rights hereunder are not transferable or assignable by Partner. Curacity grants the Partner the right during the Term to use, promote, and market its relationship with Curacity.

2.0 Room Pricing. Partner shall be solely responsible for setting the Room rates for its Rooms.

3.0 Payment Terms/Currency. Partner agrees to pay or to cause the applicable Property to pay, in full, upon receipt of an invoice from Curacity, the agreed commission based on the Room rate only and (exclusive of taxes, surcharges, and incidentals) generated by bookings made during the Data Attribution Time Period. Curacity will send invoices to Partner or Property after the stay at any Property is completed i.e. with respect to Consumed Bookings. As a general matter, invoices will be sent on or before the fifteenth (15th) day of each calendar month for the previous month’s commissions. In all cases, Partner shall provide rates in local currency. However, in cases where Partner and Curacity have agreed upon an alternative currency, the rate of exchange shall be the exchange rate provided by Curacity’s bank on the date the booking was made.

4.0 Term and Termination. See cover page.

5.0 Representations and Warranties.

5.1 Representations and Warranties of Partner. Partner represents, warrants and covenants that: (a) it has been duly organized and is validly existing and in good standing under the laws of its jurisdiction of organization, and has the full right, power and authority to enter into and perform the acts required of it under this Agreement; (b) the execution and delivery of this Agreement and the performance of Partner’s obligations hereunder do not conflict with, or constitute a default under any covenant, agreement, judgment, law, order or contract to which Partner is subject; (c) this Agreement constitutes the legal, valid and binding obligation of Partner when executed and delivered; and (d) Partner possess all necessary authority, rights, title and interest in and to the Property(ies) (as defined above and listed on Addendum A) and the Advertising Materials related thereto, as well as the Partner Data Set, necessary to enter into the Agreement and grant the rights granted to Curacity hereunder.

5.2 Representations and Warranties of Curacity. Curacity represents, warrants and covenants that: (a) it has been duly organized and is validly existing and in good standing under the laws of its jurisdiction of organization, and has the full right, power and authority to enter into and perform the acts required of it under this Agreement; (b) the execution and delivery of this Agreement and the performance of Curacity’s obligations hereunder do not conflict with, or constitute a default under any covenant, agreement, judgment, law, order or contract to which Curacity is subject; (c) this Agreement constitutes the legal, valid and binding obligation of Curacity when executed and delivered; (d) Curacity shall comply with all applicable laws, rules and regulations in performing its obligations under this Agreement; (e) Curacity shall conduct its business in accordance with good business judgment and shall not suffer or permit any act, event or condition that would defame Partner and/or its affiliates; (f) Curacity’s personnel and any Subcontractors have the proper skill, training and background necessary to accomplish their assigned tasks; (g) Curacity has obtained or shall obtain and maintain all rights, licenses, consents and authorizations necessary to perform its obligations and adhere to the terms and conditions set forth in this Agreement; and (h) Curacity shall dedicate sufficient resources to fulfill its obligations hereunder in an adequate and timely manner.

5.3 Limitations. EXCEPT AS EXPRESSLY SET FORTH HEREIN, NEITHER PARTY MAKES ANY WARRANTIES WHATSOEVER, EXPRESS, IMPLIED OR STATUTORY. CURACITY SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE. OTHER THAN WITH RESPECT TO A PARTY’S BREACH OF CONFIDENTIALITY UNDER SECTION 8, A PARTY’S BREACH OF DATA PRIVACY AND SECURITY REQUIREMENTS IN ADDENDUM C (DATA PROCESSING ADDENDUM), IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY, THE PROPERTY, ITS GUESTS, OR ANY THIRD PARTY, FOR ANY INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING OUT OF THIS AGREEMENT (INCLUDING LOSS OF PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE), HOWEVER IT ARISES, WHETHER FOR BREACH OF THIS AGREEMENT, INCLUDING BREACH OF WARRANTY, OR IN TORT EVEN IF SUCH PARTY HAS PREVIOUSLY BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND EACH PARTY’S AGGREGATE LIABILITY ARISING OUT OF THIS AGREEMENT SHALL NOT EXCEED THE COMMISSIONS PAID BY PARTNER TO CURACITY HEREUNDER.

6.0 Miscellaneous

6.1 This Agreement may not be modified, except in writing signed by an authorized representative of both Partner and Curacity.

6.2 Non-performance by either party shall be excused to the extent that performance is rendered impossible by any cause reasonably beyond the control of the non-performing party.

6.3 If any provision of this Agreement is held to be illegal, invalid, or unenforceable under present or future laws, such provision shall be severable, and this Agreement shall be construed and enforced as if such illegal, invalid, or unenforceable provision had never comprised a part of this Agreement, and the remaining provisions of this Agreement shall remain in full force and effect and shall not be affected by such illegal, invalid, or unenforceable provision or by its severance from this Agreement. Furthermore, in lieu of such illegal, invalid, or unenforceable provision, there shall be added automatically, as a part of this Agreement, a provision as similar in terms to such illegal, invalid, or unenforceable provision as may be possible and be legal, valid, and enforceable.

6.4 This Agreement may be executed in two or more counterparts, each of which when so executed and delivered shall be deemed an original, and such counterparts together shall constitute one instrument.

6.5 This Agreement and all exhibits hereto constitute the entire agreement between Curacity and Partner with respect to the matters discussed herein, and shall be governed by the laws of the State of New York as applied to contracts made entirely within the State of New York between New York residents, without regard to its principles of conflicts of law.

6.6 Anywhere throughout this Agreement that one party is required to inform the other of something or otherwise to give notice to the other, notice must be in writing (unless this requirement is waived by the other party) to the party set forth below, and is deemed received by the recipient (a) if by facsimile, when confirmed (including by automatic confirmation), (b) if by US Mail, when received or when notice is returned from post office confirming delivery, (c) if by overnight courier, by the second day after depositing with courier. Partner agrees to promptly notify Curacity upon a change in the address or fax number set forth below.

6.7 Neither the Agreement, nor any terms or conditions contained in the Agreement, will be construed as creating a joint venture or employer/employee relationship or franchise.

7.0 Insurance. Curacity shall, at its own cost and expense, obtain and maintain and cause any sub-contracted party to obtain and maintain, throughout the Term the following insurance:

(a) Commercial General Liability with minimum limits of $5,000,000 per occurrence (combined single limits for Bodily Injury and Property Damage). Coverage shall be provided on a “per location” basis, provide coverage for claims worldwide and include Broad Form Contractual Liability and Products and Completed Operations Coverage limits of $5,000,000 may be satisfied by a combination of Commercial General Liability and Umbrella/Excess Liability policies;

(b) Worker’s Compensation with Statutory Limits for the jurisdiction within which work is performed;

(c) Professional Liability/Errors & Omissions with minimum limits of $5,000,000 per occurrence and $5,000,000 aggregate; and

(d) Cyber Insurance in the minimum amount of $3,000,000 covering any and all loss, damage, liability, cost or expense arising from, or in any way attributable to, an information security incident involving personal information in Curacity’s or its employees’ possession, custody or control, or for which Curacity is otherwise responsible.

8.0 Confidentiality.

8.1 Definition. As used herein, the “Confidential Information” of a party will mean, any and all technical and non-technical information disclosed by either party to this Agreement (the “Disclosing Party”) to the other party (the “Receiving Party” and together with the Disclosing Party, the “Parties” or individually, a “Party”), which may include without limitation: (a) data provided by Partner (“Partner Data”); (b) patent and patent applications; (c) trade secrets; (d) proprietary and confidential information, ideas, techniques, sketches, drawings, works of authorship, models, inventions, know-how, processes, apparatuses, equipment, algorithms, software programs, software source documents, and formulae related to the current, future, and proposed products and services of such Party, development, design details and specifications, employees, business and contractual relationships, business forecasts, sales and merchandising, and marketing plans; and (e) all other information, software and/or code that the Receiving Party knew, or reasonably should have known, was the Confidential Information of the Disclosing Party.

8.2 Use and Disclosure. During the Term of this Agreement and at all times thereafter, the Receiving Party will hold in strict confidence and not disclose to any third party any Confidential Information of the Disclosing Party, except as approved in writing by the Disclosing Party, and will not use the Confidential Information of the Disclosing Party for any purpose other than expressly permitted or required by this Agreement. The Receiving Party will also protect such Confidential Information with at least the same degree of care that the Receiving Party uses to protect its own Confidential Information, but in no event, less than reasonable care. The Receiving Party will limit access to the Confidential Information of the Disclosing Party to only those of the Receiving Party’s employees or authorized representatives having a need to know and who have signed confidentiality agreements containing, or are otherwise obligated to comply with, confidentiality obligations at least as restrictive as those contained herein.

8.3 Exceptions. The Receiving Party will not have any obligations under this Agreement with respect to a specific portion of the Confidential Information of the Disclosing Party if the Receiving Party can demonstrate with competent evidence that such portion of Confidential Information: (a) was in the public domain when it was disclosed to the Receiving Party; (b) entered the public domain subsequent to when it was disclosed to the Receiving Party, through no fault of the Receiving Party; (c) was in the Receiving Party’s possession free of any obligation of confidence when it was disclosed to the Receiving Party; or (d) was rightfully communicated to the Receiving Party free of any obligation of confidence subsequent to when it was disclosed to the Receiving Party. Additionally, the Receiving Party will be permitted to disclose Confidential Information to the extent that such disclosure is expressly approved in writing by the Disclosing Party, or is required by law or court order, provided that the Receiving Party immediately notifies the Disclosing Party in writing of such required disclosure (if legally permitted to do so) and cooperates with the Disclosing Party, at the Disclosing Party’s reasonable request and expense, in any lawful action to contest or limit the scope of such required disclosure, including filing motions and otherwise making appearances before a court.

8.4 Return or Destroy. Upon the Disclosing Party’s request and upon any termination or expiration of this Agreement, the Receiving Party will promptly (a) return to the Disclosing Party or destroy all Confidential Information , provided however that the Receiving Party may keep a copy of the Confidential Information in accordance with its data retention policies and any such Confidential Information shall continue to be kept confidential in accordance with the terms of this Section 8 which shall survive the termination or expiration of this Agreement.

9.0 Indemnification. Curacity shall indemnify and hold Partner, its parent, subsidiary and affiliated companies and their respective officers, directors, employees, agents, representatives, contractors, successors and assigns, (collectively, the “Partner Entities”) harmless from and against any and all third-party costs, liabilities, demands, claims, suits, actions, damages, losses, injuries, restitution or other remedies at law or in equity, lawsuits, arbitrations, administrative proceedings, regulatory proceedings, other adversarial proceedings, judgments and expenses, including, but not limited to, reasonable attorneys’ fees, related or relating to Curacity’s breach of this Agreement, including without limitation, any breach of Addendum C (Curacity Data Processing Addendum) by Curacity. This obligation shall be a continuing obligation and extend beyond the termination or expiration of this Agreement. The foregoing obligations are conditioned on Partner: (a) notifying Curacity in writing of such action and (b) cooperating and, at Curacity’s request and expense, assisting in such defense or settlement. The foregoing shall not preclude Partner from participating, at its own expense, in the defense of any claim or action and in any settlement discussions, either directly or through counsel of such party’s choice. Partner shall indemnify and hold Curacity, its parent, subsidiary and affiliated companies and their respective officers, directors, employees, agents, representatives, contractors, successors and assigns, (collectively, the “Curacity Entities”) harmless from and against any and all costs, liabilities, demands, claims, suits, actions, damages, losses, injuries, restitution or other remedies at law or in equity, lawsuits, arbitrations, administrative proceedings, regulatory proceedings, other adversarial proceedings, judgments and expenses, including, but not limited to, reasonable attorneys’ fees, related or relating to Partner’s breach of this Agreement. The foregoing obligations are conditioned on Curacity: (a) notifying Partner in writing of such action and (b) cooperating and, at Partner’s request and expense, assisting in such defense or settlement. The foregoing shall not preclude Curacity from participating, at its own expense, in the defense of any claim or action and in any settlement discussions, either directly or through counsel of such party’s choice.

10.0 Affirmative Compliance Obligation. Each party shall comply with the terms and conditions of the Data Processing Addendum attached hereto as Addendum C.

11.0 Subcontracting. Partner acknowledges that in the course of performing Curacity’s obligations hereunder, Curacity may desire or require the use of goods, services and assistance of subcontractors, suppliers, agents, consultants and/or service providers (including, without limitation, hosting providers) (each, a “Subcontractor”). Curacity shall have the right to use Subcontractors provided that (a) each Subcontractor must have entered into agreements with Curacity containing provisions regarding confidential information, proprietary and intellectual property, and such other terms and conditions as necessary to effectuate the terms and conditions of this Agreement, and (b) Curacity shall be and remain shall remain primarily liable for the due and proper performance of all obligations under this Agreement.

13.0 Equitable Relief. In the event of a breach or threatened breach of the confidentiality obligations herein, Partner or Curacity, as applicable, shall suffer immediate and irreparable harm for which money damages may be difficult to calculate and/or constitute an inadequate remedy. Therefore, each party agrees that the other party may obtain specific performance, injunctive or other equitable relief for such breach, in addition to any other remedies it may have under this Agreement or at law, without proof of actual damages. Each party agrees to waive any requirement for the securing or posting of any bond in connection with such remedy.

ADDENDUM C

CURACITY DATA PROCESSING ADDENDUM

This Curacity Data Processing Addendum (“DPA”) forms part of the Partner Agreement (“Agreement”) made by and between [PARTNER LEGAL NAME] (“Partner”) and Surface Travel, Inc. dba Curacity (“Curacity”) and is effective on the date signed by Partner and Curacity (“DPA Effective Date”).

Defined Terms. Capitalized terms not defined in this DPA have the meanings given here:

“Affiliate” means an entity that controls, is controlled by or is under common control with Partner or Curacity. For purposes of this defined term, “control” means ownership of more than fifty (50%) percent of the voting stock or other ownership interest in an entity. An Affiliate of Partner is a “Partner Affiliate”.

“Controller” means the person or entity who or that that is responsible under applicable Privacy Laws for the Processing of Personal Data and who or that determines, inter alia, the purposes and means of Processing Personal Information.

“Data Subject” means a natural person to whom Partner Personal Information relates.

“GDPR” means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as may be amended or supplemented.

“Partner Personal Information” means the Personal Information Processing described in Attachment 1.

“Personal Information” means any information relating to an identified or identifiable natural person (or an identified or identifiable entity where information about an entity is protected similarly to the protection afforded to information about an individual); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.

“Personal Information Breach” means any accidental, unlawful or unauthorized access, acquisition, use, modification, disclosure, loss, destruction or other Processing of Partner Personal Information.

“Privacy Laws” means all laws and legal requirements relating to privacy and the collection, disclosure, disposal, retention, security, transfer and other Processing of Partner Personal Information pursuant to the Agreement, each as amended, repealed, consolidated or replaced from time to time.

“Process” or “Processing” means any operation or set of operations performed on Partner Personal Information, whether or not by automated means.

“Processor” means any person or entity who or that Processes (directly or indirectly) Partner Personal Information for or on behalf of Partner, including Curacity and Sub-Processors.

“Sub-Processor” means a Processor engaged by Curacity that is authorized in accordance with the terms of this DPA to Process Partner Personal Information.

“Restricted Transfer” means a cross-border transfer of Partner Personal Information that is restricted by Privacy Laws because the transfer is made to a person or entity located in a jurisdiction which a competent government authority determines does not ensure the same or higher level of data protection as the jurisdiction from which the Partner Personal Information originates (“Originating Jurisdiction”).

“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Description of Processing. This DPA applies to Curacity’s Processing of Partner Personal Information pursuant to the Agreement as a Processor. The categories of Data Subjects, categories of Partner Personal Information, subject matter, nature, purpose(s) and duration of Processing are described in Attachment 1.

Processing of Partner Personal Information

Curacity agrees to Process Personal Information only on behalf of Partner as necessary to perform its obligations under the Agreement and in compliance with Partner’s documented instructions issued from time to time, whether in writing or electronic form (“Instructions”). If applicable law requires Curacity to conduct Processing that is inconsistent with the Instructions, then Curacity will notify Partner in writing prior to commencing the Processing, unless applicable law prohibits such notification.

Curacity agrees to Process Partner Personal Information in compliance with this DPA and Privacy Laws. Without limiting the generality of the foregoing, Curacity may not: (i) Process Partner Personal Information for any purpose other than as set forth in this DPA; (ii) sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing or by electronic or other means, Partner Personal Information to a third party for monetary or other valuable consideration; and (iii) retain, use, or disclose Partner Personal Information outside of the direct business relationship between Partner and Curacity. By execution of this DPA, Curacity certifies that it understands the specific restrictions contained in this DPA.

Confidentiality and Security Measures. Curacity will impose and enforce written confidentiality and non-disclosure obligations on its employees, contractors and agents who or that Process Partner Personal Information on Curacity’s behalf. Curacity will implement and maintain reasonable and appropriate technical, physical and organizational security measures, including the measures set forth in Attachment 2 (collectively, “Technical and Organizational Security Measures”), to help ensure a level of security appropriate to the risk.

Personal Information Breaches.

Curacity will provide notification (“Personal Information Breach Notification”) to Partner at the contact information set forth in the Agreement within forty-eight (48) hours after Curacity becomes reasonably certain that a Personal Information Breach has occurred. Curacity will include in the Personal Information Breach Notification a description of the Personal Information Breach and contact details of Supplier’s authorized individual.

After delivering the Personal Information Breach Notification, Curacity will:

take all necessary steps to document, remediate, and minimize the effects of the Personal Information Breach with respect to Partner Personal Information and to prevent recurrence; and

provide timely assistance as reasonably requested by Partner in order for Partner to fulfil its obligations under Privacy Laws.

Sub-Processing.

The Sub-Processors and their respective Processing details that are authorized by Partner as of the DPA Effective Date are set forth in Attachment 3. Ten (10) business days prior to any disclosure of Partner Personal Information to a new or replacement Sub-Processor, Curacity shall update Attachment 3 to include the new or replacement Sub-Processor and submit Attachment 3 (as updated) to Partner using the contact information as set forth in the Agreement.

Partner reserves the right to object in writing to a new or replacement Sub-Processor if Partner has a good-faith belief that new or replacement Sub-Processor has violated Privacy Laws. If Partner objects to a Sub-Processor, then Partner and Curacity will use good-faith efforts to agree on a replacement for the objected-to Sub-Processor with respect to Partner Personal Information. If the parties are unable to agree on the replacement within ten (10) business days after the date of Partner’s written objection, then Partner or Curacity may terminate the Agreement upon written notice to the other party.

Prior to any disclosure of Partner Personal Information to a Sub-Processor, Curacity will enter into a binding written agreement that requires the Sub-Processor to comply with the same (or at least as protective of Partner Personal Information) obligations as those that apply to Curacity under this DPA.

Curacity is and will remain liable for the acts and omissions of its Sub-Processors to the same extent Curacity would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

Cross-Border Transfers. Curacity agrees that it will comply and will ensure that each Sub-Processor complies with Privacy Laws and Instructions with respect to any Restricted Transfer, including as set forth in Attachment 4.

Cooperation. Curacity will make available to Partner information and assistance as reasonably necessary for Partner to demonstrate its and Curacity’s compliance with Privacy Laws. Unless prohibited by applicable law, Curacity will promptly notify Partner in writing (and in any event within five (5) business days (unless an earlier time is required by law or government authority)) after Curacity’s receipt of a request, complaint, demand, legal process or order related to Partner Personal Information received from a Data Subject, government authority or other third party (“Request”). Curacity will promptly notify Partner in writing if Curacity: (i) believes that it is unable to comply with its obligations under this DPA or Privacy Laws or cannot comply within a reasonable timeframe; or (ii) becomes aware of any circumstance or change in applicable law that may prevent Curacity from complying with this DPA.

Audits; Investigations. Curacity will allow for and contribute to any audit or inspection relating to Curacity’s and its Sub-Processors’ Processing of Partner Personal Information, as permitted under the relevant agreement in place between Curacity and the Sub-Processor, whether conducted by Partner or a qualified third party mandated by Partner. If an audit or inspection reveals non-compliance with this DPA or Privacy Laws, then Curacity will undertake all reasonably necessary corrective actions in a timely manner and certify to Partner when all corrective actions are complete. Partner will bear Curacity’s expenses in connection with an audit or inspection pursuant to this DPA unless such costs are incurred due to Curacity’s breach of its obligations under the Agreement. Partner shall ensure that any information request, audit or inspection shall not oblige Curacity to provide or permit access to information concerning Curacity’s internal pricing information or relating to other recipients of Curacity Services. Partner will use best efforts to ensure that the audit or inspection is conducted during normal business hours in a manner that will result in minimal disruption to Curacity’s business. Prior to any audit or inspection conducted by a third party on Partner’s behalf, Partner will require that the third party executes a confidentiality agreement with Curacity that requires the third party’s personnel to (i) use information accessed during the audit or inspection solely for purposes of performing the audit or inspection, and (ii) handle that information in accordance with the same procedures that apply to Curacity’s handling of its own confidential information, including as described in any applicable provision of the Agreement.

Information Return or Destruction. After the end of the performance of its obligations under the Agreement, Curacity will, at Partner’s election, delete or return to Partner all Partner Personal Information in Curacity’s possession or control (including Sub-Processors). If law applicable to Curacity requires storage of Partner Personal Information after Partner has made its election to have Curacity return or delete Partner Personal Information, Curacity will store Partner Personal Information in compliance with the relevant terms of this DPA until such time as Curacity can delete the Partner Personal Information.

General Terms.

Order of Precedence. If a term of this DPA and any term of the Agreement conflict, the terms of this DPA will prevail with respect to the Processing of Partner Personal Information. If requirements set forth in Attachment 4 for a Restricted Transfer apply in connection with any Restricted Transfer and any term of this DPA conflicts with requirements in Attachment 4, then the applicable requirements in Attachment 4 will prevail. No amendment to this DPA is effective unless it is in writing, identified as an amendment to this DPA and signed by an authorized representative of each party to this DPA.

This DPA (including all addenda, annexes and attachments incorporated herein) is the complete understanding of the parties in respect of Processing of Partner Personal Information and supersedes all prior agreements relating to the same subject matter.

This DPA will inure to the benefit of and will be binding upon Curacity and Partner and their respective successors and assigns. Neither party may assign or transfer any right or obligation under this DPA in whole or in part without the prior written consent of the other party. Curacity is an independent contractor and not an employee, agent or joint venture partner of Partner.

To the maximum extent permitted by applicable law, the parties agree to treat the terms of this DPA as confidential information.

If any provision of this DPA is determined invalid or unenforceable by a court of competent jurisdiction, the remaining provisions will continue in full force. In place of the invalid or unenforceable provision, a provision shall be deemed to be agreed which comes closest to the economic meaning and purpose of the invalid or unenforceable provision.

Except as amended hereby, the Agreement remains in full force and effect in accordance with its terms.

Attachment 1

PROCESSING DESCRIPTION

Last updated: DPA Effective Date
Data Subjects
The Personal Information concern the following categories of Data Subjects (please specify):

Guests at a Partner property
Partner employees and other personnel

Categories of Personal Information
The Personal Information concern the following categories (please specify):

Special Categories of Personal Information (if appropriate): Not applicable

Nature of the Processing
The following basic Processing activities apply (please specify): performance of the Agreement.

Purpose(s) of Processing
The Personal Information are Processed by Curacity for the following purposes: performance of the Agreement.

Duration of the Processing
The duration of the Processing will be the same as the duration of the Agreement, except as otherwise as set forth below or agreed in writing by the Parties.

Attachment 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

• Measures of pseudonymisation and encryption of Partner Personal Information
• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services Processing Partner Personal Information
• Measures for ensuring the ability to restore the availability and access to Partner Personal Information in a timely manner in the event of a physical or technical incident related to Partner Personal Information
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the Processing of Partner Personal Information
• Measures for user identification and authorisation related to Partner Personal Information
• Measures for the protection of data during transmission of Partner Personal Information
• Measures for the protection of Partner Personal Information during storage
• Measures for ensuring physical security of locations at which Partner Personal Information is processed
• Measures for ensuring events logging related to Partner Personal Information
• Measures for ensuring system configuration, including default configuration, for Partner Personal Information
• Measures for internal IT and IT security governance and management for Partner Personal Information
• Measures for certification/assurance of processes and products Processing Partner Personal Information
• Measures for ensuring data minimisation related to Partner Personal Information
• Measures for ensuring data quality related to Partner Personal Information
• Measures for ensuring accountability with respect to Partner Personal Information
• Measures for allowing for data portability, processing restrictions, erasure and consent for Partner Personal Information

Attachment 3

AUTHORIZED SUB-PROCESSORS

For Research and Data Analytics: InnovaRXI Ltd., 400 Applewood Crescent, Vaughan, Ontario, Canada

For Cloud Services: Microsoft Azure Services (Azure); Amazon Web Services (AWS) (United States)

Attachment 4

ADDITIONAL TERMS APPLICABLE TO RESTRICTED TRANSFERS

A. FOR RESTRICTED TRANSFERS SUBJECT TO GDPR

When Partner or a Partner Affiliate (each, a “data exporter”) makes a Restricted Transfer of Partner Personal Information subject to GDPR to Curacity or a Sub-Processor (each, a “data importer”) (i) located in a jurisdiction that is not part of the European Economic Area covered by an adequacy decision under GDPR Article 45 and (ii) the data importer’s Processing of Partner Personal Information is not otherwise subject to the GDPR, then data exporter and data importer will complete and execute the Standard Contractual Clauses (Module Two). The Standard Contractual Clauses also will apply to a Restricted Transfer by Partner or a Partner Affiliate to Curacity or a Sub- Processor when the Partner Personal Information is not subject to GDPR but the competent government authority for that Partner Personal Information authorizes the use of the Standard Contractual Clauses.

Curacity will ensure that all Restricted Transfers subject to GDPR and authorized pursuant to this DPA made by a Sub-Processor are subject to the Standard Contractual Clauses (Module Three).

The parties agree that the Standard Contractual Clauses are completed as follows:

1) The contents of Attachment 1 and Attachment 3 to the DPA shall form Annex I.B to the Standard Contractual Clauses (Module Two or Module Three).

2) The contents of Attachment 2 to the DPA shall form Annex II to the Standard Contractual Clauses.

3) Clause 7 (Docking Clause) of the Standard Contractual Clauses (Module Two or Module Three) applies.

4) Before disclosing a copy of the Standard Contractual Clauses (Module Two or Module Three) pursuant to Clause 8.3, the disclosing party must use commercially-reasonable efforts to redact all commercial terms but provide a meaningful summary if the data subject would otherwise not be able to understand the content or exercise his/her/their rights as a result of the redaction.

5) Per Clause 9(a) of the Standard Contractual Clauses (Module Two or Module Three), the data exporter hereby provides a general authorization (Option 2) for the Processing of Partner Personal Information as set forth in the DPA. The data importer shall specifically inform the data exporter in writing of any intended change to Sub-Processors as set forth in the DPA.

6) The optional provision in Clause 11(a) (Redress) of the Standard Contractual Clauses (Module Two or Module Three) does not apply.

7) In conducting a Transfer Impact Assessment related to Processing of Partner Personal Information governed by Standard Contractual Clauses, Curacity represents that it has carefully considered the requirements of Clause 14(b).

8) The parties choose Option 3 of Clause 17 of the Standard Contractual Clauses (Module Two or Module Three).

9) Per Clause 18(b), disputes arising under the Standard Contractual Clauses (Module Two or Module Three) shall be resolved in the courts of Belgium.

B. FOR RESTRICTED TRANSFERS OF PARTNER PERSONAL INFORMATION SUBJECT TO THE PRIVACY LAWS OF ARGENTINA

For a Restricted Transfer subject to the Privacy Laws of Argentina, Partner and Curacity hereby agree to the additional clauses set forth in the Annexes to Regulation No. 60-E/2016, available at http://servicios.infoleg.gob.ar/infolegInternet/anexos/265000-269999/267922/norma.htm.

Jurisdictions considered to provide an adequate level of data protection under the Data Protection Laws of Argentina are set forth at http://servicios.infoleg.gob.ar/infolegInternet/anexos/265000-269999/267922/norma.ht and include the members of the European Economic Area (EEA), Switzerland, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Canada (only for the private sector), the Principality of Andorra, New Zealand, the Republic of Uruguay, the State of Israel (only for data that is subject to automated processing), and the United Kingdom of Great Britain and Northern Ireland.

C. FOR RESTRICTED TRANSFERS OF PARTNER PERSONAL INFORMATION SUBJECT TO THE PRIVACY LAWS OF SWITZERLAND

When Partner or a Partner Affiliate (each, a “data exporter”) makes a Restricted Transfer of Partner Personal Information subject to the Federal Data Protection Act of Switzerland (“FADP”) to Curacity or a Sub-Processor (each, a “data importer”) who or that is located outside Switzerland or the EEA and which is not covered by the list published by the Federal Data Protection and Information Commissioner of Switzerland (available at https://www.edoeb.admin.ch/dam/edoeb/de/dokumente/2020/staatenliste.pdf.download.pdf/20200908_Staatenliste_d.pdf), then each data exporter and data importer shall complete and execute the Standard Contractual Clauses (Module Two) subject to the following:

(i) if the Restricted Transfer of Partner Personal Information is subject to the FADP but not also covered by GDPR, then the following terms shall be deemed to amend the Standard Contractual Clauses:

All references to the GDPR are to be understood as references to the FADP;

The competent supervisory authority in Annex I.C under Clause 13 is the Federal Data Protection and Information Commissioner of Switzerland;

Applicable law for contractual claims under Clause 17 is the law of Switzerland;

The term “Member State” must not be interpreted in such a way as to exclude a data subject in Switzerland from the possibility of suing for his/her rights in Switzerland in accordance with Clause 18 c.; and

Data of Swiss legal entities are subject to protection as personal data of data subjects under FADP.

(ii) if the Restricted Transfer of Partner Personal Information is subject to the FADP and GDPR, then the following terms shall be deemed to amend the Standard Contractual Clauses:

The competent supervisory authority in Annex I.C under Clause 13 shall include the Federal Data Protection and Information Commissioner of Switzerland;

The term “Member State” must not be interpreted in such a way as to exclude a data subject in Switzerland from the possibility of suing for his/her rights in Switzerland in accordance with Clause 18 c.; and

Data of Swiss legal entities are subject to protection as personal data of data subjects under FADP.

D. FOR RESTRICTED TRANSFERS OF PARTNER PERSONAL INFORMATION SUBJECT TO THE PRIVACY LAWS OF UNITED KINGDOM

For Restricted Transfers of Partner Personal Information covered by Chapter V of the UK GDPR and the other applicable Privacy Laws of the United Kingdom, Partner and Curacity hereby agree to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0) (Addendum) as set forth below.

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

Part 1: Tables

Table 1: Parties

Table 2: Selected SCCs, Modules and Selected Clauses

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties) and which for this Addendum is set out in:

Table 4: Ending this Addendum when the Approved Addendum Changes

Part 2: Mandatory Clauses

Entering into this Addendum

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

2. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

3. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

4. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

5. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

6. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

7. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

8. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

9. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

10. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

11. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;

b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and

c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

12. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

13. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

14. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;

b. In Clause 2, delete the words:

“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

c. Clause 6 (Description of the transfer(s)) is replaced with:

“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

d. Clause 8.7(i) of Module 1 is replaced with:

“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

e. Clause 8.8(i) of Modules 2 and 3 is replaced with:

“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

g. References to Regulation (EU) 2018/1725 are removed;

h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

j. Clause 13(a) and Part C of Annex I are not used;

k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

l. In Clause 16(e), subsection (i) is replaced with:

“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

m. Clause 17 is replaced with:

“These Clauses are governed by the laws of England and Wales.”;

n. Clause 18 is replaced with:

“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

15. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

16. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

17. From time to time, the ICO may issue a revised Approved Addendum which:

a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

b. reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

18. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

a. its direct costs of performing its obligations under the Addendum; and/or

b. its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

19. The Parties do not need the consent of any third party to make changes to this Addendum but any change must be made in accordance with its terms.