Exhibit 10.10

BLOCK.ONE AND BULLISH GLOBAL

AMENDED & RESTATED

MASTER SERVICES AGREEMENT

Execution Version

CONTENTS

Clause		Page
1.	Definitions and Interpretation		4
2.	Commencement, Duration and Structure		8
3.	Acceding to this Agreement		8
4.	Work Orders		9
5.	Provision and Receipt of the Services		9
6.	Cooperation, Information and Assistance		10
7.	Procured Services		10
8.	Service Problems and Remediation		13
9.	Personnel		13
10.	Charges		14
11.	Value Added Tax		15
12.	Security		15
13.	Maintenance		16
14.	Change Management		17
15.	Policies		17
16.	Intellectual Property		17
17.	Recipient Data		19
18.	Data Protection		19
19.	Confidentiality		19
20.	Representations and Warranties		20
21.	Force Majeure		21
22.	Termination		21
23.	Consequences of Termination		22
24.	Liability		23
25.	Cooperation with Regulators		25
26.	Business Continuity and Disaster Recovery		26
27.	Audit Rights		27
28.	Assignment		28
29.	General		28
30.	Invalidity		29
31.	Further Assurance		29
32.	Variations/Approvals		29
33.	Third Party Rights		30
34.	Dispute Resolution		30

1

Execution Version

35.	Governing Law	30
36.	Counterparts	30
Schedule 1 The Original Parties		32
Schedule 2 Template Work Order		33
Schedule 3 Data Processing Obligations		36
Schedule 4 Form of Notice of Adherence		77

2

Execution Version

THIS AMENDED & RESTATED MASTER SERVICES AGREEMENT (the “Agreement”) is made on 8 July 2021:

BETWEEN:

(1) BLOCK.ONE AND ITS AFFILIATES identified in Part A of Schedule 1;

(2) BULLISH GLOBAL AND ITS AFFILIATES identified in Part B of Schedule 1;

(3) EACH BLOCK.ONE GROUP AFFILIATE that accedes to this Agreement pursuant to clause 3 from time to time; and

(4) EACH BULLISH GROUP AFFILIATE that accedes to this Agreement pursuant to clause 3 from time to time.

WHEREAS:

(A) Certain of the parties identified in items (1) and (2) above entered into a Master Services Agreement dated 4 January 2021 (the “Original MSA”), either as original signatories thereto or by subsequently acceding to the Original MSA.

(B) The parties have entered into a Contribution Agreement dated on or about the date hereof (the “Contribution Agreement”) regarding the transfer from the Block.one Group to the Bullish Group of, among other things, Supplier Contracts and Provider Personnel who are engaged in providing Services. The purpose of the Contribution Agreement is to transfer from the Block.one Group to the Bullish Group all of the resources that are currently held by the Block.one Group but are required by, or used in connection with, the Bullish Group’s business.

(C) In connection with that certain Business Combination Agreement dated on or about the date hereof (as may be amended from time to time, the “Business Combination Agreement”), by and among Bullish Global and the other parties thereto, the parties have agreed to amend and restate the Original MSA in its entirety such that, subject to the terms and conditions contained herein, the Bullish Group will have access to the resources subject to this Agreement as if those resources had already been transferred to the Bullish Group pursuant to the Contribution Agreement. In accordance with the foregoing, the Original MSA shall be superseded and replaced in its entirety by this Agreement with effect from the date hereof. Hereafter, all references to the Original MSA in Work Orders shall be read and construed as references to this Agreement.

(D) This Agreement is a framework agreement that sets out the terms and conditions on which Block.one Group Affiliates have entered, and will enter, into Work Orders with Bullish Group Affiliates pursuant to which (i) Block.one Group Affiliates provide Services to Bullish Group Affiliates, and (ii) Bullish Group Affiliates pay Charges to Block.one Group Affiliates in respect of those Services.

(E) Members of the Block.one Group and members of the Bullish Group have entered into, and may enter into additional, Work Orders as Providers or Recipients. Such Work Orders shall be governed by this Agreement but may contain additional terms and conditions relating to the Services delivered under that Work Order. A Work Order shall become fully effective and binding once it has been duly executed by the relevant Provider and the relevant Recipient.

3

Execution Version

(F) As resources are transferred from the Block.one Group to the Bullish Group pursuant to the Contribution Agreement, the parties intend to reduce the corresponding scope of Services provided hereunder by Block.one Group Affiliates to Bullish Group Affiliates.

IT IS AGREED AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

1.1 In this Agreement, unless the context otherwise requires:

“Affected Party” has the meaning given to it in clause 21.1.

“Affiliates” means in relation to a body corporate, any Subsidiary or holding company of such body corporate, and any other Subsidiary of any holding company of such body corporate for the time being. For the avoidance of doubt, an Affiliate of Block.one shall exclude Bullish Global and its Affiliates.

“Applicable Law” means all laws, statutes, regulations, regulatory constraints, obligations or rules (including binding codes of conduct and binding statements of principle incorporated and contained in such rules) in any jurisdiction applicable to the existence or operation of this Agreement or any Work Order.

“Block.one Group” means Block.one and its Subsidiaries from time to time (excluding any Bullish Group Affiliates).

“Block.one Group Affiliate” means a member of the Block.one Group from time to time.

“Bullish Group” means Bullish Global and its Subsidiaries from time to time.

“Bullish Group Affiliate” means a member of the Bullish Group from time to time.

“Business Combination Agreement” has the meaning given to it in the recitals.

“Business Continuity & Disaster Recovery Plans” has the meaning given to it in clause 26.1.1.

“Business Day” means a day other than a Saturday, Sunday, public holiday or bank holiday in the locations of the parties to this Agreement or a Work Order (as applicable).

“Charges” means the charges that are payable by a Recipient to a Provider under a Work Order.

“Confidential Information” has the meaning given to it in clause 19.1.

“Contract Change” means any change to this Agreement or any Work Order.

“Costs” means, with respect to any Services, all direct and indirect costs incurred by the relevant Provider in connection with providing the Services, including any service fees paid or accrued by Provider to any person or entity (whether or not an affiliate) with respect to the Services, which shall be calculated as any direct or indirect operating cost incurred by Provider in relation to any Services, except for (a) interest expense, (b)

4

Execution Version

income taxes, or (c) any other expenses not related to the Services including, but not limited to, any time spent by Provider’s employees and contractors on assignments that are not Services. Costs with respect to Providers incorporated in the United States will be all determined in accordance with U.S. generally accepted accounting principles and Costs with respect to other Providers not incorporated in the United States will be determined in accordance with International Financial Reporting Standards or the applicable local accounting standard. Costs of activities that provide direct benefits to the relevant Recipient shall be allocated or apportioned to the Services by the Provider using such methods as are consistent, reasonable and in keeping with sound accounting practices.

“Deliverables” means all items, writings, outputs or works that are delivered to the Recipient by the Provider as part of the Services.

“Disclosing Party” has the meaning given to it in clause 19.1.

“Dispute” has the meaning given to it in clause 34.1.

“Effective Date” means the date of the Work Order or such other date as agreed in the Work Order.

“Intellectual Property” means patents, patentable rights, rights in inventions, utility models, moral rights, trademarks, trade dress, goodwill, business names, company names, domain names, copyright, rights in product concepts, rights with respect to unfair competition, design rights, rights in data, database rights, know how, trade secrets and all other intellectual and industrial property and similar or analogous rights existing under the laws of any jurisdiction (whether or not registered, whether present, future or contingent, and including without limitation all renewals, extensions, revivals or accrued rights of action) and all pending applications for and right to apply for or register the same.

“LCIA” has the meaning given to it in clause 35.2.

“Mark-up Percentage” means, with respect to any Services, such percentage as is mutually agreed upon between the relevant Recipient and Provider in accordance with Applicable Laws and recorded in the relevant Work Order. The Mark-up Percentage shall be reviewed annually no later than ninety (90) days following the end of the calendar year to ensure that it continues to reflect an arm’s-length fee for the Services and any change shall be recorded in an amendment to the Work Order.

“Material Procured Service” means Procured Services that are provided by a Provider in connection with activities of a Recipient that are regulated under Applicable Law.

“Materials” means any technology, ideas, inventions, innovations, approaches, software, hardware, products, designs, concepts, techniques, processes, data, tools, templates, processes, methodologies, algorithms, documentation and any other knowledge or materials.

“Material Service” means any Service that is critical to the core business or operations of the Recipient and that (i) is of such importance that any weakness or failure of such Service would significantly prejudice the Recipient’s ability to meet its regulatory responsibilities, continue its business and/or manage critical operational risks; and (ii) without which the Recipient would be unable to deliver day-to-day services to its customers.

5

Execution Version

“Non-Affected Party” has the meaning given to it in clause 21.1.

“Original MSA” has the meaning given to it in the recitals.

“Permitted Purpose” has the meaning given to it in clause 19.2.

“Permitted Users” has the meaning given to it in clause 19.2.

“Pre-Existing Materials” means a party’s Materials that: (a) exists prior to the Effective Date; or (b) is developed independently by the party, at any time, without any use of, or reference to, the other party’s Confidential Information or other information obtained in connection with the Work Order.

“Procured Service” has the meaning given to it in clause 7.1.

“Provider” means each party that is identified as the provider of a Service in a Work Order.

“Provider Personnel” means the personnel of the Provider in question.

“Receiving Party” has the meaning given to it in clause 19.1.

“Recipient” means each party that is identified as the recipient of a Service in a Work Order.

“Recipient Data” means data and information either (a) owned independently of this Agreement by a Recipient and provided to a Provider in connection with and for the purposes of providing the Services or (b) generated or processed by a Provider specifically for a Recipient as part of the provision of the Services to that Recipient.

“Recipient Personnel” means the personnel of the Recipient in question.

“Regulator” means, with respect to any party, any regulatory authority having the responsibility for regulatory oversight over such party from time to time.

“Regulatory Change” means a Contract Change required to comply with Applicable Law.

“Service” means a service that a Provider will provide to a Recipient under a Work Order.

“Service Levels” means, in respect of each Service, the service levels (if any) that the Provider of that Service has agreed to meet under a Work Order.

“Service Term” means, in respect of each Service, the duration for which that Service will be provided by a Provider as specified in the relevant Work Order.

6

Execution Version

“Subsidiaries” means, in relation to a company wherever incorporated (a “holding company”), any company in which the holding company (or persons acting on its behalf) directly or indirectly holds or controls either:

(a) a majority of the voting rights exercisable at stockholder (or similar) meetings of that company;

(b) has the power to exercise a majority of the voting rights at stockholder (or similar) meetings of that company by reason of an agreement with other stockholders or other equityholders of that company; or

(c) the right to appoint or remove a majority of its board of directors, or an equivalent governing body, of that company,

and any company which is a Subsidiary of another company is also a Subsidiary of that company’s holding company.

“Supplier” means the third party to a Supplier Contract.

“Supplier Contract” means a contract between a Provider and a Supplier for the provision of a Procured Service.

“VAT” means any value-added tax or other tax of a similar nature (including sales tax, use tax, consumption tax and goods and services tax).

“Work Order” means a work order for the provision of Services entered into by two or more parties, which shall be substantially in the form of the template set out in Schedule 2 (Template Work Order) to this Agreement, or such modified or alternative form as the relevant parties may agree.

“Work Order Regulatory Change” has the meaning given to it in clause 14.4.

1.2 Additional defined terms used in this Agreement are set out in Schedule 3 (Data Processing Obligations).

1.3 In this Agreement, unless the context otherwise expressly requires, a reference to a clause or Schedule is a reference to a clause or Schedule of or to this Agreement. The Schedules form an integral part of this Agreement and references to this Agreement shall include its Schedules.

1.4 The headings used in this Agreement and / or any Work Order do not affect its interpretation.

1.5 Unless specified otherwise in this Agreement and / or any relevant Work Order:

(a) “include”, “includes” and “including” shall mean including without limitation;

(b) a “person” includes any person, individual, company, firm, corporation, government, state or agency of a state or any undertaking (whether or not having separate legal personality and irrespective of the jurisdiction in or under the law of which it was incorporated or exists);

7

Execution Version

(c) words denoting the singular include the plural and vice versa and words denoting any gender include all genders; and

(d) a statutory provision shall include any subordinate legislation made from time to time under that provision which is in force during the term of this Agreement together with any amending, consolidating or successor legislation which takes effect from time to time in the relevant jurisdiction during the term of this Agreement.

2. COMMENCEMENT, DURATION AND STRUCTURE

2.1 This Agreement applies to each Block.one Group Affiliate and each Bullish Group Affiliate from the moment that such Block.one Group Affiliate or Bullish Group Affiliate becomes a party to this Agreement, including through accession pursuant to clause 3, and thereafter until this Agreement is terminated in respect of such Block.one Group Affiliate or Bullish Group Affiliate pursuant to clause 22.

2.2 As between all the parties to this Agreement, this Agreement creates bilateral rights and obligations only between an individual Provider and a Recipient to whom it provides Services pursuant to a duly executed Work Order between the Provider and the Recipient. Those rights and obligations are personal to the relevant Provider and the relevant Recipient and, accordingly, under no circumstances shall any party to this Agreement be liable for any other party’s performance or failure to perform any obligations that that other party may have under this Agreement or any Work Order to which it is not a party. Notwithstanding the foregoing, (a) Block.one shall procure that each Block.one Group Affiliate complies with such Affiliate’s obligations under this Agreement and each Work Order to which it is party and (b) Bullish Global shall procure that each Bullish Group Affiliate complies with such Affiliate’s obligations under this Agreement and each Work Order to which it is party.

3. ACCEDING TO THIS AGREEMENT

3.1 This Agreement will apply to, and be binding on, the parties that have entered into this Agreement and each Block.one Group Affiliate and each Bullish Group Affiliate from the moment that an authorised representative of that Block.one Group Affiliate or Bullish Group Affiliate agrees, unconditionally and in writing, with Block.one and Bullish Global to be bound by the terms of this Agreement. The form of the accession must be reasonably acceptable to Block.one and Bullish Global, and Block.one and Bullish Global may, in this regard, from time to time prescribe the form of accession to be used (which at the date of this Agreement shall be a form substantially consistent with the template set out in Schedule 4 (Form of Notice of Adherence) to this Agreement). For the avoidance of doubt, subject to clause 32, an email from an authorised representative of a Block.one Group Affiliate or Bullish Group Affiliate, in a form reasonably acceptable to Block.one and Bullish Global, shall be sufficient to meet the requirements of this clause 3.1.

3.2 Block.one and Bullish Global will retain copies of all written accessions received by it from each Block.one Group Affiliate and each Bullish Group Affiliate, as applicable, and will make a copy thereof available on reasonable request by any other party from time to time.

8

Execution Version

4. WORK ORDERS

4.1 Subject to and in accordance with the terms of this Agreement, a Block.one Group Affiliate, as a Provider, may provide Services to a Bullish Group Affiliate, as a Recipient, pursuant to a duly executed Work Order to be entered into between the relevant Provider and the relevant Recipient.

4.2 Each party may negotiate and agree any number of Work Orders with the any other party to provide Services. Each proposed or amended Work Order shall constitute a legally binding agreement of the relevant parties on the date of the Work Order.

4.3 In the event of any inconsistency between the terms of this Agreement and the terms of a Work Order, the terms of this Agreement shall prevail over the terms of the Work Order unless the Work Order expressly refers to the specific conflicting term or condition in this Agreement and specifies that the Work Order’s replacement term or condition applies instead.

5. PROVISION AND RECEIPT OF THE SERVICES

5.1 Each Recipient agrees to receive the Services that the relevant Provider has agreed to provide to it, and, subject to the terms and conditions set forth in the applicable Work Order, agrees to pay the Charges for those Services.

5.2 In consideration of the payment of the Charges, each Provider shall, with effect from the relevant Effective Date and thereafter for the relevant Service Term of each Service, provide or procure the provision of that Service to the relevant Recipient.

5.3 A Provider shall:

5.3.1 provide each Service that is not a Procured Service with reasonable skill, care and diligence in accordance with Applicable Law and the requirements of the applicable Work Order;

5.3.2 monitor and analyse its performance against the Service Levels (where relevant) and report such findings to the Recipient at the Recipient’s request; and

5.3.3 use reasonable endeavours to ensure that each Procured Service shall be provided in accordance with the terms (including any Applicable Law or service levels, where relevant) contracted under the relevant Supplier Contract; provided that the foregoing shall not be deemed to limit Provider’s obligations under clause 7.10 or clause 8.

5.4 Each Provider shall:

5.4.1 carry out the Services for which it is responsible with reasonable skill, care and diligence (in line with industry practices) and taking into account and adequately managing risks associated with performing the Services for each relevant Recipient;

5.4.2 notify each Recipient promptly of any developments which may have a material adverse impact on the Provider’s ability to provide the Services to that Recipient, comply with Applicable Law or meet any other obligations that that Provider owes to that Recipient under this Agreement or any Work Order; and

9

Execution Version

5.4.3 maintain records relating to the provision of the Services and upon the Recipient’s written request, the Provider shall allow the relevant Recipient to inspect such records in connection with the provision of the Services, provided that any such inspection shall be conducted during regular business hours and in a manner consistent with Provider’s security and other applicable protocols.

5.5 Each Recipient may (i) schedule quarterly review meetings with the Provider; and (ii) conduct annual reviews on the performance and quality of the Services, whether they be provided by the Provider or a Supplier.

5.6 If the Provider or the Supplier fails to meet any Service Level, as soon as reasonably practicable after becoming aware of the failure, the Provider shall:

5.6.1 notify the Recipient and provide details of the failure;

5.6.2 promptly use its reasonable endeavours to identify the cause of the failure;

5.6.3 take appropriate action to endeavour to remedy the failure and begin meeting the Service Level; and

5.6.4 take appropriate preventive measures to ensure such failure does not reoccur.

6. COOPERATION, INFORMATION AND ASSISTANCE

Each Recipient shall:

6.1 reasonably co-operate with the relevant Provider(s) in connection with the performance of this Agreement; and

6.2 provide on a timely basis such information, decisions, data, Intellectual Property, other input materials, access to systems, access to facilities and assistance as the relevant Provider(s) may reasonably require to enable it to provide the Services in accordance with this Agreement or any Work Order.

7. PROCURED SERVICES

7.1 Where a Service provided by a Provider consists of the on-provision of an equivalent service received by such Provider pursuant to a Supplier Contract (each such Service being a “Procured Service”), the provisions of this clause 7 shall apply and take precedence over any conflicting provisions of this Agreement, solely with respect to such Procured Service. This clause 7 shall not apply where the Provider itself provides a Service directly to a Recipient.

7.2 Each Recipient of a Procured Service acknowledges that the Provider’s obligation to provide each Procured Service is limited to the obligation to manage the Supplier’s provision of that Procured Service in accordance with that Supplier Contract. Notwithstanding the foregoing, managing the Supplier’s provision of the Procured Service shall include ensuring that the Provider continues to be in compliance with the terms of the Supplier Contracts that are applicable to it. As part of its management of Suppliers, Provider shall review and verify invoices for any Supplier Contracts.

10

Execution Version

7.3 Each relevant Provider is responsible for ensuring it can pass the benefit of a Supplier Contract on to the relevant Recipient, as a Procured Service.

7.4 Each relevant Provider is only obliged to provide each Procured Service to its Recipients to the extent and in the manner that the Provider receives such Procured Service from the relevant Supplier under the applicable Supplier Contract, provided that (a) the Provider shall use its reasonable endeavours to oversee the Supplier and manage the terms of the Supplier Contract and (b) the Provider shall not be relieved from its obligations with respect to any portion of the Services which is not a Procured Service.

7.5 The Provider shall endeavour to monitor and supervise the performance of Procured Services in a professional manner. The Provider shall provide the Recipient with access to all data and reporting and related tools available from the Supplier that is relevant to the Services received by the Recipient.

7.6 The Provider shall, to the extent permitted under the relevant Supplier Contract, endeavour to enable the Recipient access to the Supplier’s premises, personnel and relevant records as may be reasonably required in order to verify that the Procured Services are being provided by the Supplier and all obligations of the Supplier are being performed in accordance with the terms of the Supplier Contract. The Recipient shall use its reasonable endeavours to ensure that the conduct of any audit does not unreasonably disrupt the Provider or the Supplier or delay the provision of the Services by the Provider and that, where possible, individual audits are coordinated with each other to minimise any disruption.

7.7 The Provider shall use commercially reasonable efforts to include in Supplier Contracts in respect of Material Procured Services a right for Regulators to access the Supplier’s premises, records and personnel on reasonable notice and subject to reasonable conditions as to safety, confidentiality and other relevant considerations for the purposes of enabling regulatory audits to be conducted and to allow Regulators to exercise its regulatory powers.

7.8 If the Supplier Contract in respect of Material Procured Services does not permit a Provider’s service recipients to directly audit or inspect any aspect of the performance of the Supplier, the Provider shall, upon reasonable request of the Recipient, exercise the Provider’s own audit or inspection rights as requested by the Recipient and deliver to the Recipient any findings derived from such audit or inspection.

7.9 Subject to clauses 7.2, 7.4 and 7.10, each relevant Provider is not liable for a breach of this Agreement (including in relation to the failure to provide the Procured Service) to the extent that such breach is caused by a failure of a Supplier to provide a Procured Service in accordance with the terms of the relevant Supplier Contract.

7.10 Where a Supplier provides a Procured Service otherwise than in accordance with the terms of the relevant Supplier Contract, the Provider shall, at the Recipient’s direction, either:

11

Execution Version

7.10.1 promptly enforce that Supplier Contract to procure performance of that Procured Service in accordance with the terms of the relevant Supplier Contract as soon as may be reasonably practicable; and/or

7.10.2 attempt to recover from that Supplier any claimable losses or damages suffered by the Provider and/or each Recipient as a result of that Supplier’s failure (and the Provider’s liability to each Recipient of that Procured Service shall be to pass on to that Recipient, after the Provider has received in cleared funds any compensation from the Supplier, a pro rata amount of that compensation so received, after deducting the costs and expenses (including legal expenses) incurred by the Provider in enforcing the relevant Supplier Contract).

7.11 Each relevant Provider may terminate or replace any Supplier Contract or agree to any changes to that Supplier Contract (other than de minimis, corrective or administrative changes) only with the approval of each relevant Recipient.

7.12 If a Provider wishes to replace a Supplier, the Provider shall promptly provide any information in connection with the replacement Supplier that it possesses and will attempt to acquire any additional information that the Recipient reasonably requests. If the Recipient is not satisfied with the replacement Supplier or associated replacement Supplier Contract, the Provider shall not replace such Supplier until the Recipient consents to a replacement Supplier and associated replacement Supplier Contract.

7.13 Where:

7.13.1 a Supplier Contract has been terminated by the Supplier, or by the Provider (pursuant to the terms of this Agreement), or expires pursuant to its terms; or

7.13.2 a Supplier Contract is transferred to the Bullish Group pursuant to the Contribution Agreement,

then the relevant Provider in question shall inform each relevant Recipient of that fact and shall be excused from performing that Procured Service from the date of termination or expiry or transfer (as applicable) of the Supplier Contract.

7.14 The Provider shall promptly, and in any case within two (2) Business Days of receipt, provide the Recipient with a copy of any notice of termination or non-renewal of a Supplier Contract that it receives from a Supplier.

7.15 Notwithstanding anything else contained in this Agreement, the Provider shall use reasonable commercial efforts to continuously provide without interruption all Procured Services, and if applicable to transition smoothly between the Provider’s and the Recipient’s Suppliers of any such Material Procured Service as necessary.

7.16 The Services set out in a given Work Order are deemed to include such Procured Services as the relevant Provider has contracted for the benefit of the relevant Recipient and that are necessary for or relevant to the provision of such Services (unless otherwise agreed), and the Charges for such Procured Services shall equal the ratable Costs of such Procured Services, charged on a pass-through basis without mark-up or administrative fee of any kind.

12

Execution Version

8. SERVICE PROBLEMS AND REMEDIATION

8.1 If any of the Services are not provided in accordance with the standards set out in this Agreement, the relevant Provider shall, without prejudice to any Recipient’s other remedies, do the following things (each Recipient acknowledges that the Provider’s ability to do so may depend on the cooperation of Suppliers that are responsible for Procured Services):

8.1.1 take reasonable steps to minimise the impact of the failure and to remedy the affected Services as quickly as may be reasonably practicable under the circumstances;

8.1.2 investigate the failure (including performing a root cause analysis to identify the cause of such failure, where the failure was a material failure and where the Provider’s internal processes and procedures require a root cause analysis); and

8.1.3 perform the Services in accordance with the standards set out in this Agreement as soon as practicable.

8.2 If the relevant Provider’s performance of its obligations under a Work Order is prevented or delayed by any act or omission of the relevant Recipient, the Provider shall not be deemed in breach of its obligations under the Work Order or otherwise liable for any costs, charges, or losses sustained or incurred by the Recipient, in each case, to the extent arising directly or indirectly from such prevention or delay.

9. PERSONNEL

9.1 Each Provider and each Recipient agrees that it is not intended that the provision of the Services pursuant to the terms of this Agreement and / or any Work Order will constitute a relevant transfer of an undertaking or a service provision change undertaking or a service provision change for the purposes of any Applicable Law.

9.2 Each Provider is responsible for ensuring that its Provider Personnel are properly trained, qualified, experienced and sufficient in number for the tasks given to them.

9.3 Each Provider shall employ or engage such Provider Personnel as it deems necessary from time to time to provide the Services.

9.4 In order to facilitate coordination between Providers and Recipients, each Recipient shall be entitled to directly contact Provider Personnel engaged in delivering Services and discuss and propose instructions regarding such Services (so long as such instruction is within the scope of the Services provided by such Provider Personnel).

9.5 Nothing in this Agreement shall operate or be construed as joint employment of the Provider Personnel. The parties hereto are independent parties and nothing contained in this Agreement shall be construed to place the parties hereto in the relationship of employer and employee, partners, principal and agent, or joint venturers. No party hereto shall have the power to bind or obligate the other parties hereto, nor shall any party hereto hold itself out as having such authority. At no time shall any Provider Personnel represent himself or herself as an employee of any Recipient or be considered an employee of any Recipient.

13

Execution Version

9.6 Each Provider hereby agrees that neither it, nor any of the Provider Personnel, is an employee or has any employment relationship with any Recipient. Each Provider shall be responsible for all employment-related issues and requirements (including all immigration issues, processing visas, providing workers’ compensation or unemployment insurance, payment of wages and benefits, payment of all employment-related taxes, workers compensation and unemployment benefits and ensuring compliance with all applicable Laws) arising in connection with Provider Personnel. Provider Personnel shall not be entitled to participate in any of the employee or fringe benefit plans or programs of any of any Recipient, including pension, 401(k), profit sharing, retirement, deferred compensation, welfare, insurance, disability, bonus, vacation pay, severance pay, and other similar plans, programs, and agreements, whether reduced to writing or not, whether under ERISA or not, even if the Provider Personnel are determined to be common law or statutory law employees of any Recipient.

9.7 Where any Block.one Group Affiliate’s Provider Personnel engaged in providing Services are transferred to the Bullish Group pursuant to the Contribution Agreement or otherwise cease to be employed by the Block.one Group, the Provider in question shall inform each relevant Recipient of that fact and shall from the date of such transfer or other cessation of employment (as applicable) of be excused from performing the relevant Services to the extent they had been performed by such Provider Personnel.

10. CHARGES

10.1 In consideration of the performance of the Services, each Recipient shall pay the Charges to each relevant Provider in accordance with the terms set out in the relevant Work Order. Without limitation, Charges may be calculated on a Costs plus Mark-up Percentage basis where appropriate, and pricing methodologies or rates in Work Orders may be adjusted from time to time in line with transfer pricing procedures and practice and as advised by external advisors and any updated transfer pricing methodology or rate may be applied to the entire taxable period.

10.2 Recipient shall pay the undisputed portions of any invoices within thirty (30) days of receipt in cleared funds to the bank account nominated in writing by the Provider.

10.3 Invoices shall be delivered to a Recipient at such address (which may be an email address) as is notified by the Recipient to the relevant Provider.

10.4 The Charges charged under a given Work Order may be nil in any relevant period in line with the level of Services provided.

10.5 If a Recipient fails to make any payment due to a Provider under a Work Order by the due date (excluding any amounts in good faith dispute at such time), then, without limiting the remedies available to the Provider under this Agreement, the Recipient shall pay interest on the overdue sum from the due date until payment of the overdue sum, whether before or after judgment, at a rate of four percent (4%) per annum. If a Recipient disputes any Charges in good faith, it shall notify the relevant Provider in writing of such dispute as soon as reasonably practicable.

14

Execution Version

10.6 Except as a Provider and Recipient may agree otherwise in writing from time to time, all payments made by a party under this Agreement and / or any Work Order shall be made gross, free of any right of counterclaim or set-off and without deduction or withholding of any kind other than any deduction or withholding required by Applicable Law.

11. VALUE ADDED TAX

11.1 All sums (including the Charges) set out in this Agreement and / or any Work Order or otherwise payable by any party to any other party pursuant to this Agreement and / or any Work Order shall be deemed to be exclusive of any VAT which is chargeable on the supply or supplies for which such sums (or any part thereof) are the whole or part of the consideration for VAT purposes.

11.2 Where, pursuant to the terms of this Agreement and / or any Work Order, any Provider makes a supply to any Recipient for VAT purposes and VAT is or becomes chargeable on such supply for which such Provider is required to account to the relevant tax authority, the Recipient shall, subject to the receipt of a valid VAT invoice, pay to the Provider (in addition to and at the same time as any other consideration for such supply) a sum equal to the amount of such VAT.

11.3 References in this Agreement and / or any Work Order to any cost or expense incurred by any party and in respect of which such party is to be reimbursed or indemnified by any other party under the terms of, or the amount of which is to be taken into account in any calculation or computation set out in, this Agreement and / or any Work Order shall include such part of such cost or expense as represents any VAT but only to the extent that such first party is not entitled to credit or repayment in respect of such VAT from the relevant tax authority.

12. SECURITY

12.1 Each Provider and each Recipient shall maintain its own internal security standards and comply with relevant security policies as required under clause 15, in each case as applicable to the Services.

12.2 Each Provider shall co-operate with any investigation that is reasonably requested by a Recipient relating to security which is carried out by or on behalf of such Recipient, including the provision to the Recipient of any records relating to the Provider’s compliance with this clause 12.

12.3 Each Recipient shall advise the Provider, and the Provider shall advise any affected Recipient, as soon as reasonably practicable after becoming aware of any security breach or potential security breach which may adversely affect the Services or data under the control of the Provider (including Recipient Data).

12.4 Each Provider and each Recipient shall:

12.4.1 maintain reasonable security measures to protect the other’s IT systems from third parties and in particular from disruption by any back door, time bomb, trojan horse, worm, virus, malware or other computer software routine intended or designed to: (a) permit access or use of information technology systems by a third person other than as expressly authorised; or (b) disable, damage or erase or disrupt or impair the normal operation of any information technology systems; and

15

Execution Version

12.4.2 not attempt to obtain access, use or interfere with any IT systems or data belonging to the other party except to the extent required to do so to receive the Services (in the case of a Recipient), provide the Services (in the case of the Provider) or as otherwise permitted under this Agreement and / or any relevant Work Order.

12.5 In the event that a Provider provides a Recipient with access to the Provider’s IT systems and if in the Provider’s sole opinion (but acting reasonably):

12.5.1 the integrity or security of the Provider’s IT systems or any data stored on them is jeopardised or is likely to be jeopardised; or

12.5.2 the performance of the Provider’s IT systems is jeopardised or is likely to be jeopardised in a material way,

that Provider shall notify each affected Recipient and shall be entitled to suspend access of affected Recipients to the Provider’s IT systems if the threat caused by the breach or activity is material (based on the Provider’s reasonable assessment), and the Provider shall use its commercially reasonable efforts to limit the extent and duration of the suspension.

12.6 In the event that a Provider requires access to a Recipient’s IT systems for the provision of Services and the Recipient suspends the Provider’s access of such systems (for reasons other than a Provider’s breach of this Agreement), the Provider may suspend the provision of Services affected by such suspension without any liability to the Recipient.

13. MAINTENANCE

13.1 To the extent necessary for a Provider to perform any maintenance on its infrastructure, the Provider may, during regularly scheduled maintenance windows (as agreed by the parties to the relevant Work Order), suspend the provision of any Service (or any part thereof) from time to time, without incurring any liability or being in breach of this Agreement. Regularly scheduled maintenance windows shall be scheduled outside of normal business hours.

13.2 To the extent a Provider needs to perform emergency maintenance outside of the regularly scheduled maintenance windows, the Provider shall provide the relevant Recipient with as much advance notice as possible.

13.3 The Provider shall limit the affected Services as far as may be reasonably practicable and use reasonable endeavours to ensure that suspension for emergency maintenance occurs outside of normal business hours (the Recipients acknowledging that emergency maintenance may have to be conducted during normal business hours).

16

Execution Version

14. CHANGE MANAGEMENT

14.1 Each party to a Work Order is responsible for identifying Regulatory Changes that are required because of a change in Applicable Law concerning that party.

14.2 In the event that any Contract Change gives rise to a requirement for a change to a Supplier Contract then the following provisions shall apply:

14.2.1 each Recipient shall be responsible, in consultation with each affected Provider, for identifying any necessary changes to any Supplier Contract relevant to it which is due to a Contract Change;

14.2.2 each Provider shall be responsible for using reasonable endeavours to agree the required amendments to the terms of any Supplier Contract in order to reflect the requirements of the Contract Change once that Contract Change has been agreed; and

14.2.3 unless and until such agreement from the relevant Supplier is obtained (where required) no Provider shall be required to perform its obligations under this Agreement, or carry out any act or omission, in any manner that is different from that set out in this Agreement.

14.3 No amendment to a Work Order shall be effective unless it is signed on behalf of the Provider and Recipient.

14.4 If the Recipient requests a change in the Work Order required to comply with Applicable Law (“Work Order Regulatory Change”) and the Provider does not agree to such Work Order Regulatory Change, or any Supplier supporting the relevant Service does not agree to support such Work Order Regulatory Change, the Recipient may immediately terminate its acceptance of such Service by providing notice to the Provider. The Recipient shall be liable for the Provider’s costs associated with winding down such Services. The Provider shall use reasonable endeavours to accommodate and agree to a Work Order Regulatory Change provided same will not result in the Provider needing to make substantive changes to its mode or location of, or Provider Personnel engaged in, providing the relevant Services. The failure of a Supplier to agree to a Work Order Regulatory Change shall not excuse the Provider from enforcing the then-existing provisions of the relevant Supplier Contract.

15. POLICIES

15.1 In providing the Services, each Provider will comply with any policies related thereto adopted by the relevant Recipient as specified in such Work Order and any amendments to such policies, provided such policies and amendments, as applicable, are communicated in advance to the Provider in writing with a reasonable period of time for the Provider to review and for the avoidance of doubt any increased costs of the Provider resulting therefrom shall be recoverable as Costs.

16. INTELLECTUAL PROPERTY

16.1 Nothing in this Agreement and / or any Work Order affects a party’s rights in respect of the Intellectual Property owned by or licensed to it as at the date of the relevant Work Order.

17

Execution Version

16.2 Each Provider grants, to the extent that it lies within its power to so grant, each relevant Recipient a non-exclusive, non-transferable, royalty-free limited licence to use relevant Intellectual Property solely for the purpose of, and for so long as is required for, receiving and enjoying the benefit of the Services. The Recipient may sub-license the foregoing licence to its other Affiliates solely for the purpose of, and for so long as is required for, the Recipient’s receipt and enjoyment of the benefit of the Services.

16.3 Each Recipient grants, to the extent that it lies within its power to so grant, each relevant Provider a non-exclusive, non-transferable, royalty-free limited licence to use relevant Intellectual Property solely to the extent necessary for the due provision of the relevant Services. The Provider may sub-license the foregoing Intellectual Property to third parties solely for the purposes of providing the relevant Services and provided such sub-license is not prohibited by the terms on which the Recipient holds rights to use such Intellectual Property.

16.4 Each party to a Work Order shall retain all rights, title and interest in and to its Pre-Existing Materials including all Intellectual Property therein (including where some are comprised in any Deliverable).

16.5 Except as set forth in clause 16.4, all rights, title and interest in and to the Deliverables including all Intellectual Property therein shall vest solely and exclusively in the Recipient on delivery. The Provider assigns to the Recipient, with full title free from all encumbrances and third party rights, all existing and future Intellectual Property in the Deliverables to the fullest extent permitted by law. To the extent such Intellectual Property does not vest in or assign to the Recipient by operation of this clause 16.5 or Applicable Law, the Provider shall hold and maintain legal title in such Intellectual Property in trust solely for the Recipient.

16.6 Each Provider grants to the Recipient a perpetual, royalty-free, worldwide, sublicenseable, transferable, non-exclusive, irrevocable license to use and exploit the Provider’s Pre-Existing Materials to the extent incorporated in, combined with, embodied or contained in the Deliverables and required or beneficial for the use of the Deliverables. All other rights in and to the Provider’s Pre-Existing Materials are reserved by the Provider.

16.7 Each Recipient grants to the Provider a royalty-free, worldwide, sublicenseable, transferable, non-exclusive, irrevocable license to use and exploit any of the Recipient’s Pre-Existing Materials to the extent necessary to provide the Services or the Deliverables to the Recipient in accordance with the Work Order. All other rights in and to the Recipient’s Pre-Existing Materials are reserved by the Recipient.

16.8 Subject at all times to the parties’ compliance with this clause 16 and clauses 18 and 19, either party to a Work Order may (a) use its general knowledge, skills and experience and any and all of its Pre-Existing Materials in the ordinary course of its business activities; (b) independently develop goods and services which may be similar to the Deliverables or Services without any obligation to the other party; and (c) use data and knowledge gained as a result of providing or receiving the benefit of the Services or Deliverables.

18

Execution Version

17. RECIPIENT DATA

17.1 As between each Provider and the relevant Recipient, the Recipient is the owner of the relevant Recipient Data and the Provider acknowledges the Recipient Data is the property of that Recipient. Each Provider hereby irrevocably and perpetually assigns, transfers and conveys to the relevant Recipient without further consideration all of its right, title and interest in and to the Recipient Data.

17.2 Each Recipient grants each relevant Provider a non-exclusive, limited licence (with the right to sub-license to any third parties involved in the provision of the Services) for the term of this Agreement to use its Recipient Data for the purpose of providing the Services to the Recipient and otherwise complying with its obligations under this Agreement.

17.3 Each Provider shall store, copy, use and disclose Recipient Data only to the extent reasonably necessary to provide the Services or otherwise perform its obligations under this Agreement and / or any Work Order. Except as otherwise expressly set forth in this Agreement, without the relevant Recipient’s approval (in its sole discretion), the Recipient Data shall not be (a) used by any Provider other than as necessary for such Provider’s performance under this Agreement and solely in connection with providing the Services and the performance of such Provider’s obligations under this Agreement, (b) disclosed, sold, assigned, leased or otherwise provided to third parties by such Provider or (c) commercially exploited by or on behalf of such Provider.

17.4 Each Provider shall at the request of a Recipient promptly return or destroy that Recipient’s Recipient Data when the Provider no longer requires that Recipient Data to provide the Services, and at the request of the Recipient shall certify such return or destruction.

18. DATA PROTECTION

The parties to a Work Order shall comply with the provisions of Schedule 3 (Data Processing Obligations) to the extent the Services under such Work Order give rise to obligations under such Schedule.

19. CONFIDENTIALITY

19.1 Each party (the “Receiving Party”) shall keep confidential all information in any medium or format (whether marked “confidential” or not) which it receives from another party (a “Disclosing Party”) pursuant to this Agreement and/or any Work Order, either directly or from any other party, which concerns the business, operations, customers, suppliers, employees and/or members (including past, present and potential customers, employees and/or members) of the Disclosing Party or any of its Affiliates (“Confidential Information”).

19.2 Subject to clause 19.3 and 19.4, the Receiving Party may use the Confidential Information only for the purposes of and in accordance with this Agreement and / or any relevant Work Order including for the purpose of receiving services from or providing services to the other parties (or any of them) (the “Permitted Purpose”). The Receiving Party may disclose the Confidential Information to its, and its other Affiliates’, employees, directors, subcontractors and professional advisers, and any

19

Execution Version

other party to whom this Agreement expressly permits disclosure (“Permitted Users”), for use as required in connection with the Permitted Purpose. The Receiving Party shall ensure that each of its Permitted Users is bound to hold all Confidential Information in confidence to a standard substantially equivalent to that required under this Agreement and / or any relevant Work Order. Where a Permitted User is not an employee or director of the Receiving Party or another of its Affiliates and is not under a professional duty to protect confidentiality, the Receiving Party shall ensure that the Permitted User shall enter into a written confidentiality undertaking with the Receiving Party on substantially equivalent terms to this clause 19.

19.3 Clause 19.1 shall not apply to any information which the Receiving Party can demonstrate:

19.3.1 is in or subsequently enters the public domain other than as a result of a breach of this clause 19 or a breach of equivalent confidentiality provisions by a Permitted User;

19.3.2 has been or is subsequently received by the Receiving Party from a third party which is under no confidentiality obligation in respect of that information;

19.3.3 has been or is subsequently independently developed by the Receiving Party without use of the Disclosing Party’s Confidential Information; or

19.3.4 was previously known to the Receiving Party free of any obligation to keep it confidential.

19.4 Each Permitted User may disclose Confidential Information where that Permitted User (or, where the Permitted User is an individual, his or her employer) is required to do so by Applicable Law or by any Regulator. In these circumstances the Receiving Party shall give the Disclosing Party prompt advance notice of the disclosure (where lawful and practical to do so) so that the Disclosing Party has sufficient opportunity (where possible) to prevent or control the manner of disclosure by appropriate legal means.

20. REPRESENTATIONS AND WARRANTIES

20.1 Each Recipient represents and warrants to each relevant Provider, and each Provider represents and warrants to each relevant Recipient, that:

20.1.1 it has the power to enter into this Agreement and will, at the time it enters into each Work Order, have the power to enter into such Work Order;

20.1.2 it has and shall have the power to perform its obligations under this Agreement and any relevant Work Order and has taken all action necessary to authorise execution and delivery and the performance of its obligations; and

20.1.3 this Agreement and each relevant Work Order constitutes legal, valid and binding obligations of that party in accordance with its terms.

20.2 Each Provider represents and warrants to each relevant Recipient, that it has the ability, capacity, sufficient resources, appropriate organisational structure supporting the performance of the Services and any regulatory approvals or authorisations as may be required by Applicable Law to perform the Services reliably and professionally.

20

Execution Version

20.3 Each Provider represents and warrants to each relevant Recipient, that it shall render the Services with promptness and diligence and shall execute them in a professional, competent and workmanlike manner, in accordance with the terms of the Agreement, and each of the Provider Personnel assigned to provide any Services under this Agreement shall have the proper knowledge, skill, training, experience, resources, qualifications and background to perform and provide the Services.

20.4 Save where expressly provided in this Agreement and / or any relevant Work Order, all conditions, warranties, covenants, representations and undertakings which might be implied, whether by statute or otherwise, in respect of a party’s obligations hereunder are excluded to the maximum extent permitted by Applicable Law.

21. FORCE MAJEURE

21.1 No party (the “Affected Party”) shall be liable to any other party (the “Non-Affected Party”) for any delay or non-performance of its obligations under this Agreement and / or any relevant Work Order to the extent arising from a Force Majeure Event and the performance of the Affected Party’s obligations, to the extent affected by the Force Majeure Event, shall be suspended during the period that the Force Majeure Event persists.

21.2 The Affected Party shall:

21.2.1 promptly notify the Non-Affected Party of the cause of the delay or non-performance and the likely duration of the delay or non-performance; and

21.2.2 use reasonable endeavours to limit the effect of that delay or non-performance on the Non-Affected Party.

21.3 The occurrence of any Force Majeure Event shall not relieve the Affected Party of its obligations under any business continuity & disaster recovery plan it has in place.

21.4 To the extent that the Services were provided notwithstanding a Force Majeure Event, the occurrence of a Force Majeure Event shall not relieve the Recipient from its obligations to pay the Charges pursuant to this Agreement and / or any relevant Work Order.

22. TERMINATION

22.1 A party to any Work Order may terminate its provision or receipt of any Services in relation to another party if the other party commits a material breach of its obligations relating to that Service and / or the relevant Work Order and fails to remedy that breach within thirty (30) days after receiving notice requiring it to remedy that breach.

22.2 A party to any Work Order may terminate its provision or receipt of Services in relation to another party if:

22.2.1 a Regulator requires it to do so; or

22.2.2 in its reasonable interpretation of Applicable Law it is required to do so.

21

Execution Version

22.3 Any Recipient may terminate any Work Order for its convenience upon ninety (90) days’ notice to Provider.

22.4 If any Recipient will cease to be or ceases to be a Bullish Group Affiliate, the Recipient shall promptly notify the Provider and this Agreement and all Work Orders shall terminate in respect of that Recipient on the ninetieth (90th) day of providing such notice and that Recipient shall no longer receive any Services under this Agreement and the Work Orders.

22.5 If any Provider will cease to be or ceases to be a Block.one Group Affiliate, that Provider shall promptly notify the Recipients to which it provides Services and will discuss in good faith the transfer of responsibility from that Provider to its Affiliate or another arrangement that ensures the continuity of those Services. The Provider and the Recipients will use reasonable endeavours to transfer responsibility to the Provider’s Affiliate or put in place an alternative arrangement within ninety (90) days of the notice. After such period, this Agreement and all relevant Work Orders shall terminate in respect of that Provider and the Provider shall no longer provide any Services under this Agreement and the Work Orders, unless otherwise agreed.

22.6 This Agreement shall expire on the earlier of (a) the date on which the Parties agree in writing that all Services have ceased, provided that the Parties and their respective Affiliates are not providing any Services hereunder and the Parties have no further expectation of issuing Work Orders hereunder and (b) the date on which the Contribution Agreement terminates.

23. CONSEQUENCES OF TERMINATION

23.1 In the event of termination of this Agreement and / or any Work Order which is terminated before its full term (as specified therein), each relevant Provider will provide such continuing assistance as the relevant Recipient may reasonably require to manage an orderly and efficient exit from this Agreement and / or any relevant Work Order (including, if requested by the Recipient, the provision of an exit plan based on the Recipient’s exit strategy), provided that those Providers may charge a reasonable fee for the provision of that assistance.

23.2 In anticipation of expiry of this Agreement pursuant to clause 22.6, each Provider will provide such assistance as the relevant Recipient may reasonably require to manage an orderly and efficient exit from this Agreement and each relevant Work Order (including, if requested by the Recipient, the provision of an exit plan based on the Recipient’s exit strategy), provided that those Providers may charge a reasonable fee for the provision of that assistance.

23.3 In the event of expiry or termination of this Agreement and / or any Work Order in respect of any party, all the rights and obligations of that party under this Agreement and / or the relevant Work Order shall cease immediately or at a time agreed by the parties, except for those provisions which expressly or by implication are intended to continue without limit in time. Expiry or termination of this Agreement and / or any Work Order in respect of any party shall not affect any rights, liabilities or remedies relating to that party and arising under this Agreement and / or any Work Order before such expiry or termination.

22

Execution Version

23.4 Without prejudice to clause 23.3, the provisions of clauses 16 (Intellectual Property), 17 (Recipient Data) and 19 (Confidentiality), this clause 23 and clauses 24 (Liability), 29 (General), 33 (Third Party Rights), 34 (Dispute Resolution) and 35 (Governing Law) shall survive expiry or termination of this Agreement and / or any Work Order and continue in force in accordance with their terms.

23.5 On expiry or termination of any Work Order, the Recipient has the right to require reasonable cooperation of the Provider upon termination of the Work Order, including appropriate and supervised access to relevant systems and documentation, to enable the Recipient to bring the relevant Services in-house or transfer them to another provider, provided that the Provider may charge a reasonable fee for the provision of such cooperation. Any such termination will proceed in accordance with the Recipient’s Business Continuity & Disaster Recovery Plan.

23.6 On expiry or termination of this Agreement and / any Work Order in relation to any party for whatever reason, such party shall, to the extent not already delivered up, deliver up to each other party all property and information belonging to those parties which may be in the possession of, or under the control of, such party. The foregoing does not require such party to deliver information within backup systems but such information shall continue to be subject to the confidentiality provisions of this Agreement.

24. LIABILITY

24.1 The limitations and exclusions set out in this clause 24 shall not apply (and no limitation or exclusion of liability shall apply) with respect to the liability of any party:

24.1.1 for death or personal injury caused by the negligence of that party or its directors, employees, agents or subcontractors;

24.1.2 for any fraud, fraudulent misrepresentation or wilful misconduct; or

24.1.3 to the extent such limitation or exclusion is not permitted by Applicable Law.

24.2 Subject to clause 24.1, the maximum aggregate liability of each Provider to each Recipient, and of each Recipient to each Provider, under and/or in connection with this Agreement and any Work Order (save for any liability of the Recipient in respect of the Charges), whether in contract, tort or otherwise, shall be limited to the Charges paid or payable to that Provider under such Work Order in the twelve (12) month period preceding such claim.

24.3 Subject to clause 24.1, no party shall be liable to any other party for any losses, liabilities, damages, costs or expenses arising under and/or in connection with this Agreement which are:

24.3.1 related to damage to the reputation of a party; or

24.3.2 loss of profit, revenue, goodwill, business opportunity or anticipated savings; or

24.3.3 indirect, special, punitive or consequential losses,

23

Execution Version

even if such losses, liabilities, damages, costs or expenses were foreseeable and notwithstanding that a party had been advised of the possibility that such losses, liabilities, damages, costs or expenses were in the contemplation of another party.

24.4 The Providers shall severally indemnify, defend, and hold harmless each relevant Recipient from all claims, liabilities or expenses attributable to claims that any of the Services or Deliverables provided by such Provider or the Recipient’s receipt or use thereof infringes any Intellectual Property of third parties, provided, however, the Provider shall have no obligations under this clause 24.4 with respect to claims to the extent arising out of:

24.4.1 receipt or use of the Services by the Recipient for purposes other than in furtherance of or consistent with the Business Plan (as defined in the Business Combination Agreement);

24.4.2 the failure of the Recipient to use any corrections or modifications of the Services made available by the Provider, after allowing for a reasonable period of time to implement such corrections or modifications;

24.4.3 information, materials, instructions, or specifications provided by or on behalf of the Recipient;

24.4.4 the use of the Services by the Recipient in combination with any product, material or data not provided by the Provider (unless such combination is required in order to make the subject of such Service useful (e.g. integration of software with an operating system); or

24.4.5 any modifications or changes made to the Services by or on behalf of any person other than the Provider (unless the Provider consented to such modifications or changes) or its agents or subcontractors (including any Supplier);

provided that no Provider shall be required to indemnify, defend or hold harmless any Recipient from the Assumed Liabilities (as defined in the Contribution Agreement) or any claim, liability or expense properly included in the Costs for the relevant Services.

24.5 The Providers shall severally indemnify, defend, and hold harmless each relevant Recipient from all claims, liabilities or expenses attributable to (a) any claim or action by any of such Provider’s Provider Personnel, including (i) arising with respect to their employment or prospective employment with such Provider, or (ii) any claims that such individual is an employee of a Recipient (or that a Recipient is a joint employer, single employer, agent, or alter ego of such Provider, or that such individual has any other relationship that would create liability by a Recipient to such individual) and any claims arising from or relating to such alleged employment or relationship or the termination of such alleged employment or relationship, including claims relating to hiring policies and decisions, claims for payment of wages or benefits, claims relating to occupational safety and health, workers’ compensation, ERISA, unemployment compensation, or other Applicable Law, claims relating to the handling and processing of any and all immigration issues and requirements (whether the Provider Personnel are located in the United States or elsewhere), or (iii) claims for harassment, discrimination, retaliation, or wrongful termination of any kind; (b) any breach by such Provider of a Supplier Contract; and/or (c) any claim initiated by a Supplier or any agent or subcontractor of

24

Execution Version

such Provider demanding payment by a Recipient of an amount under a Supplier Contract; provided that no Provider shall be required to indemnify, defend or hold harmless any Recipient from the Assumed Liabilities (as defined in the Contribution Agreement) or any claim, liability or expense properly included in the Costs for the relevant Services.

24.6 As a condition to the indemnity obligations contained in this clause 24, the Recipient shall provide the Provider with prompt notice of any claim for which indemnification shall be sought under this clause 24 and shall cooperate in all reasonable respects with the Provider in connection with any such claim. The Provider shall be entitled to (i) control the handling of any such claim and defend any such claim, in its sole discretion, with counsel of its own choosing, and (ii) settle any such claim without the consent of the Recipient, provided that such settlement does not involve the admission of any wrongdoing by the Recipient, does not restrict the Recipient’s future actions, and includes a full release of the Recipient.

24.7 No party shall be entitled to recover damages or obtain payment, reimbursement, restitution or indemnity more than once in respect of any one liability, loss, cost, damage, breach or other event or circumstances that may give rise to more than one claim.

24.8 Any claim that a party may have against another arising under or in connection with this Agreement, and all liabilities relating to such claims, shall be deemed to be waived and absolutely barred on the date falling twelve (12) months after the date such claim became known to such Party, unless the claiming party has notified the other party of the claim in writing within that twelve-(12)-month period.

25. COOPERATION WITH REGULATORS

25.1 Each relevant Provider and each relevant Recipient shall cooperate with any Regulator in connection with the performance of any Services where the Service amounts to, or is connected with, activities that are regulated under Applicable Law, provided that the relevant Provider may charge the Recipient a reasonable fee for the provision of such cooperation.

25.2 Each relevant Provider and each relevant Recipient shall provide on a timely basis such information, decisions, data, other input materials and assistance to the Regulators including access to relevant business premises of the Provider and the Recipient as may be required to allow the Regulator to exercise their functions.

25.3 The relevant Provider shall endeavour to procure that Suppliers cooperate with the Regulator in connection with the performance of a Supplier Contract where the Supplier Contract amounts to, or is connected with, activities of that are regulated by a Regulator.

25.4 The relevant Provider shall endeavour to procure the Supplier to provide on a timely basis such information, decisions, data, other input materials and assistance to a Regulator including access to relevant business premises of the Supplier as may be required to allow the Regulator to exercise their functions.

25.5 Each party shall continue to hold all regulatory approvals which are necessary in order for it to perform its obligations under this Agreement and / or any Work Order.

25

Execution Version

25.6 Each party shall direct all enquiries from a Regulator relating to other party’s provision or receipt of Services to the other party.

25.7 If a Provider or a Recipient deals directly with a Regulator, then it shall do so in an open and co-operative way, including by:

25.7.1 making informed representatives and any other personnel specified by the Regulator available for meetings with representatives or appointees of Regulator;

25.7.2 giving representatives or appointees of the Regulator reasonable access to any premises and records; and

25.7.3 answering truthfully, fully and promptly all questions which are put to it by the Regulator’s representatives or appointees,

and shall ensure that all Provider Personnel or Recipient Personnel and each of its subcontractors shall do so. To the extent permitted by the Regulator, the party dealing directly with the Regulator shall inform the other party of its discussions with the Regulator in relation to the provision of the Services under the Work Order on a regular and timely basis and consult with the other party in relation to its approach to the relevant discussions.

26. BUSINESS CONTINUITY AND DISASTER RECOVERY

26.1 Each Provider and Recipient shall:

26.1.1 establish and maintain plans that are designed to avoid (or where avoidance is not possible, minimise) disruption to the provision of Material Services in the event of a disaster event, including through backup facilities where appropriate (“Business Continuity & Disaster Recovery Plans”);

26.1.2 regularly review and update their Business Continuity & Disaster Recovery Plans and test any backup facilities to ensure the relevant Business Continuity & Disaster Recovery Plans remain adequate (including in the case of a Provider, for the provision of the Material Services) and take into account any new potential threats; and

26.1.3 regularly test their Business Continuity & Disaster Recovery Plans,

all in accordance with good industry practice, Applicable Law and in accordance, where appropriate, with any applicable policies and procedures. Given the integration and interdependency between the Parties as at the date of this Agreement, the Bullish Group’s Business Continuity & Disaster Recover Plans created with input from the Block.one Group may encompass those of the Block.one Group and fulfilment of the foregoing obligations by the Bullish Group shall accordingly discharge the corresponding obligations of the Block.one Group.

26.2 Each Provider shall ensure that the Provider’s personnel shall comply with the Business Continuity & Disaster Recovery Plans of the relevant Recipient when providing the Services, if activated, provided that such plans have been communicated to the Provider and its personnel.

26

Execution Version

26.3 Each Recipient shall ensure that all its personnel or personnel of the Recipient using facilities of the Provider shall comply with the Business Continuity & Disaster Recovery Plans of the Provider if activated, provided that such plans have been communicated to the Recipient and such personnel.

26.4 Each Provider is responsible for overseeing the activation by Suppliers of their Business Continuity & Disaster Recovery Plans in accordance with that relevant Supplier Contracts, where required. The Recipient may engage with a Supplier of a Material Procured Service in relation to their Business Continuity & Disaster Recovery Plans in accordance with clause 7.10 above.

26.5 Providers and Recipients may each make changes to their Business Continuity & Disaster Recovery Plans from time to time (and each Recipient acknowledges that Suppliers may make changes to their Business Continuity & Disaster Recovery Plans from time to time). Each Provider agrees not to make any amendments to its Business Continuity & Disaster Recovery Plans if the revised Business Continuity & Disaster Recovery Plan would provide a materially lower level of business continuity than the then-current Business Continuity & Disaster Recovery Plans, unless otherwise agreed.

26.6 Each Recipient shall notify each relevant Provider, and each Provider shall notify each relevant Recipient, as soon as reasonably practicable, and if possible at least 24 hours’ notice, if it believes that there has been, or is likely to be, a disruption to the continuity of its operations that requires the implementation of its Business Continuity & Disaster Recovery Plans. The Provider or the Recipient (as the case may be) shall then implement the relevant Business Continuity & Disaster Recovery Plans (or require the relevant Suppliers under Supplier Contracts to implement their Business Continuity & Disaster Recovery Plans) and shall:

26.6.1 continue to provide those Services which are not affected (or to the extent parts are not affected, those parts) by the disaster in accordance with the provisions of this Agreement and / or the relevant Work Order; and

26.6.2 in respect of those Services which are affected (or parts of those Services affected) by the disaster, use reasonable endeavours to recover those Services in accordance with the relevant Business Continuity & Disaster Recovery Plans.

26.7 The obligations of each Provider with respect to Business Continuity and Disaster Recovery Plans shall extend to and incorporate the Business Continuity and Disaster Recovery Plans of its Suppliers of Material Procured Services, and any changes thereto.

26.8 The parties to each Work Order agree that for the period of 180 Business Days from the date of such Work Order they are not required to comply with the foregoing provisions of this clause 26 but instead shall endeavour to design, develop and implement Business Continuity & Disaster Recovery Plans and other processes and controls necessary to be in a position to comply with such provisions from the end of such period.

27. AUDIT RIGHTS

27.1 Each Provider shall maintain and keep for the longer of:

27

Execution Version

27.1.1 the period required by Applicable Law; and

27.1.2 the Provider’s internal policies for types of information (as they exist as at the date of a Work Order or as they may be changed from time to time by notice to the Recipient),

records of material activities and functions carried out under or in relation to this Agreement and / or any Work Order.

27.2 A Recipient may notify the relevant Provider from time to time, on at least 15 Business Days’ notice (or shorter notice, if reasonably necessary to accommodate the requirement or request of a Regulator), the requirements of its internal auditors, external auditors and/or a Regulator to access:

27.2.1 any of the records and documents to be retained under this Agreement and / or any Work Order;

27.2.2 any of the sites from which any of the Services are provided, managed or administered; and

27.2.3 the Provider’s key personnel who are responsible for the management of the Services,

in order to carry out audits of the Provider’s provision of the Services. The Recipient agrees that audits may be carried out as reasonably necessary to verify the Provider’s compliance with this Agreement and / or any Work Order but not for other purposes, except where required for regulatory reasons.

27.3 The Provider shall give the Recipient or its nominated representatives access and admittance to each of the items referred to in clause 27.2 above, during the Provider’s normal business hours and subject to such reasonable conditions as the Provider may impose.

27.4 The Recipient shall bear its own costs and the reasonable costs incurred by the Provider in conducting or facilitating the conduct of audits.

28. ASSIGNMENT

No party to this Agreement may assign all or any part of the benefit of, or its rights or benefits under, this Agreement and / or any Work Order (together with any causes of action arising in connection with any of them) without consent of the other parties to this Agreement or such Work Order, as applicable. For the avoidance of doubt, a Provider subcontracting the provision of any of the Material Services shall be deemed a partial assignment that requires the consent of the applicable Recipient.

29. GENERAL

29.1 Except as otherwise provided in this Agreement and / or any relevant Work Order, no failure or delay by any party in exercising any right or remedy provided by Applicable Law or under or pursuant to this Agreement shall impair such right or remedy or operate or be construed as a waiver or variation of it or preclude its exercise at any subsequent time and no single or partial exercise of any such right or remedy shall preclude any further exercise of it or the exercise of any other remedy.

28

Execution Version

29.2 Each party agrees that it is an independent contractor and shall not hold itself out as being part of the other, nor as an agent or partner of any other party.

29.3 Except where otherwise expressly provided for in this Agreement and / or any relevant Work Order, a party does not have any authority or power to bind, contract or negotiate in the name of, nor to incur any debt or other obligation on behalf of, nor to create any liability against another party, in any way or for any purpose.

29.4 Except as otherwise specified herein, this Agreement and each Work Order sets out the entire agreement and understanding between the relevant Recipient and the Provider in respect of the subject matter of this Agreement and the relevant Work Order.

30. INVALIDITY

If at any time any provision of this Agreement and / or any Work Order is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction that shall not affect or impair:

30.1 the legality, validity or enforceability in that jurisdiction of any other provision of this Agreement or any Work Order, and this Agreement and each Work Order shall continue with such illegal, invalid or unenforceable provision removed; or

30.2 the legality, validity or enforceability under the law of any other jurisdiction of that or any other provision of this Agreement or any Work Order.

31. FURTHER ASSURANCE

Each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement and each Work Order.

32. VARIATIONS/APPROVALS

No variation of this Agreement or any Work Order shall be effective unless it is in writing and signed by the relevant parties (or their authorised representatives). Notwithstanding anything contained herein to the contrary, and recognizing that, after giving effect to the transactions contemplated by the Business Combination Agreement, the Block.one Group will control the publicly traded parent of Bullish (“Pubco”), the Block.one Group hereby expressly agrees that, as of the Initial Closing (as defined in the Business Combination Agreement) in any event where the consent, approval or authorization of a Recipient is required pursuant to the terms of this Agreement, such consent, approval or authorization shall only be deemed granted if provided in writing by the Chief Executive Officer of Pubco (or his delegee(s)).

29

Execution Version

33. THIRD PARTY RIGHTS

This Agreement and each Work Order does not create any rights which are enforceable by any person who is not a party to this Agreement or such Work Order, including under the Contracts (Rights of Third Parties) Act 1999, except to the extent third party data subject rights are provided for under the provisions of a DTA. Notwithstanding the granting of any third party rights, the parties to this Agreement shall be entitled to amend this Agreement without requiring the authority of any other party.

34. DISPUTE RESOLUTION

34.1 Any dispute arising out of or in connection with this Agreement or any Work Order (a “Dispute”) shall first be referred for resolution to the senior management of the parties in question.

34.2 This clause 34 is without prejudice to any party’s right to seek interim relief (such as an injunction) against any other party.

35. GOVERNING LAW

35.1 This Agreement and each Work Order, and any non-contractual obligations arising out of or in connection with this Agreement or any Work Order, shall be governed by English law.

35.2 All Disputes shall be finally settled by arbitration administered by the London Court of International Arbitration (the “LCIA”) in accordance with the Arbitration Rules of LCIA for the time being in force, which rules are deemed to be incorporated by reference in this clause. The seat of the arbitration shall be London. The Tribunal shall consist of one arbitrator. The language of the arbitration shall be English.

35.3 The arbitrators shall award to the prevailing party, if any, as determined by the arbitrators, its costs and expenses, including its attorneys’ fees. The prevailing party shall also be entitled to its attorneys’ fees and costs in any action to confirm and/or enforce any arbitral award in any judicial proceedings.

35.4 Nothing in these dispute resolution provisions shall be construed as preventing either party from seeking conservatory or similar interim relief in any court of competent jurisdiction.

35.5 Notwithstanding clauses 35.1 and 35.2, rights or obligations arising under a DTA shall be governed by the laws of the jurisdiction specified in Section III of such DTA and the parties thereto submit to the exclusive jurisdiction of the courts and/or tribunals thereof over any claim or matter arising under or in connection with such DTA.

36. COUNTERPARTS

36.1 This Agreement and any Work Order may be executed in any number of counterparts, and by the parties to it in separate counterparts, but shall not be effective until each party has executed at least one counterpart.

36.2 Each counterpart shall constitute an original of this Agreement or relevant Work Order, but all the counterparts shall together constitute but one and the same instrument.

30

Execution Version

36.3 Transmission of an executed counterpart of this Agreement or relevant Work Order (but for the avoidance of doubt not just a signature page) by email (in PDF, JPEG or other agreed format) shall take effect as delivery of an executed counterpart of this Agreement or the relevant Work Order. If either method of delivery is adopted, without prejudice to the validity of the Agreement or the relevant Work Order thus made, each party shall provide the others with the original of such counterpart as soon as reasonably possible thereafter. The parties may execute this Agreement or the relevant Work Order by way of electronic signatures, including through such means as DocuSign or equivalent technology.

31

Execution Version

SCHEDULE 1

THE ORIGINAL PARTIES

Part A – Block.one Group Affiliates

BLOCK.ONE, a Cayman exempt company with registered office at Maples Corporate Services Centre Limited, P.O, Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104 (“Block.one”).

B1 SERVICES HK LIMITED, a Hong Kong limited company with registered office at 26/F, The Centrium, 60 Wyndham Street, Central, Hong Kong.

BLOCK.ONE LLC, a limited liability company with office address is at 1701 Kraft Drive, Suite 1000, Blacksburg VA 24060.

SMART TECHNOLOGIES SEZC, a Cayman Islands exempted limited liability company and registered as a special economic zone company with registered office at P.O. Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104.

Part B – Bullish Group Affiliates

BULLISH GLOBAL, a Cayman exempt company with registered office at Maples Corporate Services Centre Limited, P.O, Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104 (“Bullish Global”).

BULLISH (GI) LIMITED, a Gibraltar limited company with registered office at Suite 23, Portland House, Glacis Road, Gibraltar, GX11 1AA.

BULLISH HK LIMITED, a Hong Kong limited company with registered office at 26/F, The Centrium, 60 Wyndham Street, Central, Hong Kong.

BULLISH US LLC, a Delaware limited liability company with office address at 1701 Kraft Drive, Suite 1000, Blacksburg VA 24060.

BULLISH SG PTE LTD, a Singapore private limited company with office address at 80 Robinson Road, #02-00 Singapore 068898.

BULLISH, a Cayman exempt company with registered office at Maples Corporate Services Centre Limited, P.O, Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104.

32

Execution Version

SCHEDULE 2

TEMPLATE WORK ORDER

WORK ORDER

THIS WORK ORDER is dated _______________ and is entered into

BETWEEN:

(1) [Insert details] (the “Provider”); and

(2) [Insert details] (the “Recipient”).

WHEREAS:

(A) The Provider and the Recipient are both parties to the Block.one and Bullish Global Amended & Restated Master Services Agreement dated [•] 2021, as amended, supplemented or replaced from time to time (the “Agreement”).

(B) Pursuant to the Agreement, the parties wish to enter into this Work Order under which the Provider may provide and the Recipient may receive services under the terms of the Agreement.

NOW, THEREFORE, it is agreed as follows:

1. INTERPRETATION

Terms and phrases defined in the Agreement shall have the same meanings when used in this Work Order.

2. SERVICES AND CHARGES

2.1 The Provider has agreed to provide, and the Recipient has agreed to receive, the Services set out in Annex 1 in consideration for payment by the Recipient of the corresponding Charges set out therein.

2.2 For the avoidance of doubt, the Charges for the Services set out in Annex 1 may be nil in any relevant period in line with the level of Services provided.

2.3 [A non-exhaustive list of Supplier Contracts relevant to the provision of the Services is set out in Annex 2.]

2.4 [The methodology for determining Charges set out in Annex 1 of this Work Order shall apply in respect of similar or equivalent services provided by the Provider during the period from and including [•] to the date of this Work Order.]

3. SERVICE TERM

The Provider will commence providing the Services on the date of this Work Order.

33

Execution Version

4. CHARGES AND PAYMENT TERMS

4.1 The Provider shall, on the [fifteenth (15th)] day of the first month of each quarter (or such later date as the parties may agree), submit invoices to the Recipient for the Services and Charges and the Recipient shall pay such invoices within [thirty (30)] days of receipt.

4.2 Invoices shall be delivered to the Recipient at such address (which may be an email address) as is notified by the Recipient to the Provider.

5. MISCELLANEOUS

5.1 [Additional terms that apply in respect of the Services are set out in Annex 3.]

5.2 [Annex 4 contains a Processing Description applicable in respect of relevant aspects of the Services.]

5.3 Without limitation, clauses 4.3 and 35 of the Agreement shall apply to this Work Order.

ANNEX 1

THE SERVICES AND THE CHARGES

[Insert details of relevant services and charges.]

ANNEX 2

SUPPLIER CONTRACTS

[Insert list of relevant contracts.]

ANNEX 3

ADDITIONAL TERMS

[Insert additional terms – if any.]

ANNEX 4

PROCESSING DESCRIPTION

Terms defined in the EU GDPR or the Agreement have the same meanings when used in this Processing Description.

Description of processing:
Data Importers and Data Exporters:	This Processing Description describes data transfers for the above activities between the entities:
Categories of data subject:
Categories of (non-sensitive) personal data:

34

Execution Version

Categories of (sensitive) personal data (per Articles 9(1) and (10) of the EU GDPR):
Categories of recipient (receiving personal data from the Data Exporter):
Categories of recipient (receiving personal data from the Data Importer):
Processing operations:
Duration of processing:
Contact points for data protection enquiries:	Data importer:
	Data exporter:

WHEREAS the parties have hereby caused their duly authorised representatives to execute and deliver this Work Order on the date first above written.

For and on behalf of [insert name of Provider]

Name:

Title:

For and on behalf of [insert name of Recipient]

Name:

Title:

35

Execution Version

SCHEDULE 3

DATA PROCESSING OBLIGATIONS

1. DEFINITIONS AND INTERPRETATION

1.1 In this Agreement, unless the context otherwise requires:

“DTA”, “Restricted Transfer”, “Processing Arrangement”, “Data Exporter”, “Data Importer”, “Outsourcing Party”, and “Service Provider Party” have the respective meanings given to them in sections 3 (Data Transfers) and 5 (Outsourcing Arrangements).

“Data Protection Law” means a data protection, data privacy or data security law of any jurisdiction, including without limitation, the EU GDPR.

“EEA” means the European Union and the wider European Economic Area.

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Processing Description” means a description of one or more Restricted Transfers and/or a Processing Arrangements created under section 6 (Processing Descriptions) or included in an annex to a Work Order.

“Restricted Transfer” means a transfer of personal data from (or made on behalf of) a Data Exporter (in its own right or on behalf of a another person) to (or to another person on behalf of) a Data Importer which is within the scope of a Processing Description and which, but for the arrangements to be put in place under clause 2 (Data Transfers), would be prohibited by either:

(a) restrictions on the disclosure, international transfer or other processing of personal data, imposed by a Data Protection Law; or

(b) restrictions imposed by a DTA or another agreement imposing similar restrictions on any of the parties,

which (in either case) can be addressed in whole or in part by putting in place an agreement or agreements between the parties to the transfer.

2. INCORPORATED DEFINITIONS

2.1 Terms defined in or for the purposes of the EU GDPR have the same meanings when used in this Agreement (and their cognate terms are to be interpreted accordingly),¹ except that, where data are subject to processing which is governed by a Data Protection Law which regulates the processing of data relating to identifiable legal as well as natural persons, the definition of “personal data” is extended for the purposes of this Agreement to include data relating to identifiable legal persons.

¹  Note: The following terms are used in this Agreement on the basis of definitions in the EU GDPR: “controller”, “data subject”, “personal data”, “personal data breach”, “processing” (and its various cognates are also used), “processor” and “supervisory authority”.

36

Execution Version

3. DATA TRANSFERS

3.1 Subject to sections 3.2 to 3.5:

3.1.1 Where a party, or a processor on its behalf, makes a Restricted Transfer of personal data (the “Data Exporter”) to (or to a processor on behalf of) another party (the “Data Importer”), either in its own right or on behalf of another person, the Data Exporter and the Data Importer shall be bound by the following agreement, regulating that Restricted Transfer (and no other transfer or other processing of personal data):

(a) where the Data Importer (itself, or through a processor acting on its behalf) receives the personal data that are the subject matter of the Restricted Transfer as a controller in its own right, an agreement in the form set out in Annex 1 (Form of Data Transfer Agreement), using the terms identified therein under MODULE ONE, populated and amended as indicated (in italics and square brackets) in that Annex; or

(b) where the Data Importer (or a sub-processor on its behalf) receives those personal data as a processor on behalf of the Data Exporter, an agreement in the form set out in Annex 1, using the terms identified therein under MODULE TWO, populated and amended as indicated (in italics and square brackets) in that Annex;

(c) where the Data Importer (or a sub-processor on its behalf) receives those personal data as a processor on behalf of the Data Exporter, where the Data Exporter is a processor, an agreement in the form set out in Annex 1, using the terms identified therein under MODULE THREE, populated and amended as indicated (in italics and square brackets) in that Annex; and

(d) where the Data Importer (or a sub-processor on its behalf) receives those personal data as a controller in its own right, where the Data Exporter is a controller, an agreement in the form set out in Annex 1, using the terms identified therein under MODULE FOUR, populated and amended as indicated (in italics and square brackets) in that Annex.

Any agreement binding pursuant to section 3.1.1(a) or 3.1.1(b) shall be a “DTA”. In the case of a Restricted Transfer involving the export from the UK of Personal Data, the relevant agreement shall utilise the UK’s Standard Contractual Clauses set forth under the UK’s Data Protection Law.

3.1.2 Where the Data Exporter makes that Restricted Transfer as a processor on behalf of another person, and if it is duly authorised to do so or its authority to do so is subsequently duly ratified, the Data Exporter enters into (or is deemed to have entered into) the relevant agreement under section 3.1.1 as agent for and on behalf of that person.

37

Execution Version

3.2 Section 3.1 does not apply to a Restricted Transfer, and no party is bound by a DTA in respect of that transfer, unless the effect of applying section 3.1 to that transfer, either alone or taken together with other feasible compliance steps (such as informing the affected data subjects of the transfer and/or making a filing with or obtaining the approval of a supervisory authority or other competent authority), is to allow the transfer to take place without breach by any party (or any person on whose behalf the Restricted Transfer is made) of Data Protection Law or another DTA or other agreement imposing similar obligations on any party or other such person.

3.3 For the avoidance of doubt, a transfer of personal data between two parties which is already governed by a separate agreement between those parties which is sufficient, alone or taken together with other feasible compliance steps, to allow that transfer to be made without breach of any Data Protection Law, is not a Restricted Transfer. Those parties may, however, opt to terminate that separate agreement so that the transfer falls within the scope of this Agreement as a Restricted Transfer.

3.4 The rights and obligations of the Data Exporters and the Data Importers, respectively, under this section 3 are several. Except as set out in section 4 (Restricted Transfers Between Different Establishments of the Same Legal Person), this section 3 creates a multiparty DTA and the rights and obligations of the Data Exporters and the Data Importers, respectively, under that DTA are therefore also several.

3.5 The parties to a given DTA may for convenience (but are not obliged to) execute that DTA as a separate document, recording that agreement between them. Where this is the case, the separate DTA supersedes the equivalent DTA created by section 3.2, which therefore has no effect.

4. RESTRICTED TRANSFERS BETWEEN DIFFERENT ESTABLISHMENTS OF THE SAME LEGAL PERSON

4.1 This section ensures that an effective agreement, in the relevant form required for the purposes of applicable Data Protection Law, is created under section 3.2 even in the case of a Restricted Transfer made between two establishments of the same party.

4.2 Section 3.2 may apply and create a DTA (depending on the nature of the Restricted Transfer), in the case of a Restricted Transfer of personal data between two establishments of the same party.

4.3 Where this is the case:

4.3.1 that party (the “Committing Party”) enters into that DTA as both Data Exporter and Data Importer, for the benefit of the other parties to this Agreement and the third party beneficiaries of that DTA; and

4.3.2 if that party has given Notice adhering to this Agreement under section 2.2 that party agrees and declares by way of deed poll (a “Transfer Deed Poll”) that it will perform:

(a) such of the obligations of the data exporter under the DTA as are stated to be enforceable against the data exporter by the data subjects in the DTA (the “Data Exporter’s Obligations”); and

38

Execution Version

(b) such of the obligations of the data importer under the DTA as are stated to be enforceable against the data importer by the data subjects (even if only in limited circumstances) in the DTA (the “Data Importer’s Obligations”); but

no data subject will have any right or remedy as against the Committing Party under or in connection with a Transfer Deed Poll created under section 4.3.2 which exceeds the rights and remedies that would have been available to that data subject as against the data exporter and/or the data importer under or in connection with the DTA as if the data exporter and the data importer had been two distinct legal persons and the DTA had been entered into as an agreement between them. In particular, the Data Exporter’s Obligations and the Data Importer’s Obligations will only be enforceable against the Committing Party in the circumstances and otherwise to the extent stated in the DTA; and

4.3.3 each Transfer Deed Poll will be terminated or amended in the same circumstances and to the same extent as the relevant DTA is terminated or amended under this Agreement.

5. OUTSOURCING ARRANGEMENTS

5.1 Where a party processes personal data (the “Service Provider Party”) (as a processor, including as a subprocessor) on behalf of another party (the “Outsourcing Party”) or a person on whose behalf the Outsourcing Party is acting as a processor, and that processing arrangement is within the scope of a Processing Description and governed by the EU GDPR or another Data Protection Law that requires the imposition of particular data security and/or data privacy terms on the Service Provider Party, the Service Provider Party and the Outsourcing Party shall, in connection with that processing arrangement (a “Processing Arrangement”), each have the rights and obligations allocated to them in Annex 2 (Terms Applicable to Outsourcing).

5.2 The rights and obligations of the Outsourcing Parties and the Service Provider Parties, respectively, under this section 5 and Annex 2 are several.

6. PROCESSING DESCRIPTIONS

6.1 No party has any right or obligation under this Agreement in relation to a Restricted Transfer or Processing Arrangement unless that transfer or arrangement is described in a Processing Description.

6.2 The parties to a Work Order may:

6.2.1 create a Processing Description, including by attachment to such Work Order, in order to document one or more Restricted Transfers or Processing Arrangements which are governed by this Agreement; or

6.2.2 amend an existing Processing Description.

6.3 The parties creating or amending a Processing Description shall ensure that it:

6.3.1 refers to, and recites that the Processing Description forms part of, this Agreement;

39

Execution Version

6.3.2 in the case of a Processing Description describing one or more Restricted Transfers, identifies the Data Exporters and Data Importers (either individually or by category);

6.3.3 in the case of a Processing Description describing one or more Processing Arrangements, identifies the Outsourcing Parties and Service Provider Parties (either individually or by category), including, in the case of Outsourcing Parties, any controllers on whose behalf they may act;

6.3.4 in the case of a Processing Description describing one or more Restricted Transfers, includes the information necessary to populate appendix B of Annex 1 (Form of Data Transfer Agreement), as indicated in that annex, with such instructions as are necessary to indicate how that information should populate that annex; and

6.3.5 in the case of a Processing Description describing one or more Restricted Transfers or other Processing Arrangements, includes the information necessary to (a) in the case of a Restricted Transfer, populate appendix 1 of Annex 1, as indicated in that appendix (with such instructions as are necessary to indicate how that information should populate that appendix); and (b) meet the requirements of applicable Data Protection Law, including (where applicable) the opening text of article 28(3) of the EU GDPR, as to the information about a Processing Arrangement to be included in an agreement under which a processor processes personal data on behalf of a controller.

6.4 The parties acknowledge that some or all of the Processing Descriptions may be comprised within a record of processing prepared (and amended from time to time) to meet the requirements of article 30 of the EU GDPR.

7. APPOINTMENT OF THIRD PARTY PROCESSORS

7.1 The parties acknowledge that:

7.1.1 they may wish to make transfers of personal data which are potentially restricted by Data Protection Laws to third party service providers;

7.1.2 in order to address the requirements of those Data Protection Laws (and also to address other issues that may arise in relation to parties’ arrangements with those third party service providers), they may wish to put data transfer or other agreements in place with those third party service providers; and

7.1.3 for administrative convenience, they may wish one party to enter into such agreements as agent for other parties, as well as in its own right.

7.2 Pursuant to section 7.1, each party hereby appoints each other party as its agent to enter into, and then to amend, data transfer and other agreements as referred to in section 7.1.2, without the need to obtain specific authorisation or consent from that first party, as agent on behalf of that first party, at any time while both of those parties are party to this Agreement.

40

Execution Version

ANNEX 1

FORM OF DATA TRANSFER AGREEMENT

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)² for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

²  Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295 of 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision […].

41

Execution Version

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8—Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

(iii) Clause 9—Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv) Clause 12—Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

42

Execution Version

(viii) Clause 18—Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7—Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

43

Execution Version

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

MODULE ONE: Transfer controller to controller

8.1 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:

(i) where it has obtained the data subject’s prior consent;

(ii) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iii) where necessary in order to protect the vital interests of the data subject or of another natural person.

8.2 Transparency

(a) In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:

(i) of its identity and contact details;

(ii) of the categories of personal data processed;

(iii) of the right to obtain a copy of these Clauses;

(iv) where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.

(b) Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.

44

Execution Version

(c) On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

(d) Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.3 Accuracy and data minimisation

(a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.

(b) If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.

(c) The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.

8.4 Storage limitation

The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation³ of the data and all back-ups at the end of the retention period.

8.5 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation,

³  This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.

45

Execution Version

the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(c) The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(d) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.

(e) In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.

(f) In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.

(g) The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.

46

Execution Version

8.6 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter “sensitive data”), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.

8.7 Onward transfers

The data importer shall not disclose the personal data to a third party located outside the European Union⁴ (in the same country as the data importer or in another third country, hereinafter “onward transfer”) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:

(i) it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;

(iv) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;

(v) it is necessary in order to protect the vital interests of the data subject or of another natural person; or

(vi) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.

⁴  The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

47

Execution Version

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.8 Processing under the authority of the data importer

The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.

8.9 Documentation and compliance

(a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.

(b) The data importer shall make such documentation available to the competent supervisory authority on request.

MODULE TWO: Transfer controller to processor

8.1 Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

48

Execution Version

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

49

Execution Version

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union⁵ (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

⁵  The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

50

Execution Version

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non- compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

51

Execution Version

MODULE THREE: Transfer processor to processor

8.1 Instructions

(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.

(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.

(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.

(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter⁶.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

⁶  See Article 28(4) of Regulation (EU) 2016/679 and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725.

52

Execution Version

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

53

Execution Version

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union⁷

(in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

⁷  The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these Clauses.

54

Execution Version

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.

(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.

(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.

(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.

(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

55

Execution Version

MODULE FOUR: Transfer processor to controller

8.1 Instructions

(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data⁸, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

⁸  This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

56

Execution Version

(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

MODULE TWO: Transfer controller to processor

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub- processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.⁹ The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub- processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub- processor to fulfil its obligations under that contract.

⁹  This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

57

Execution Version

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby—in the event the data importer has factually disappeared, ceased to exist in

law or has become insolvent—the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

MODULE THREE: Transfer processor to processor

(a) The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub- processors at least 10 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.¹⁰ The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub- processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby—in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent—the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

¹⁰  This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

58

Execution Version

Clause 10

Data subject rights

MODULE ONE: Transfer controller to controller

(a) The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request.¹¹ The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.

(b) In particular, upon request by the data subject the data importer shall, free of charge:

(i) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);

(ii) rectify inaccurate or incomplete data concerning the data subject;

(iii) erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.

(c) Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.

¹¹  That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.

59

Execution Version

(d) The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter “automated decision”), which would produce legal effects concerning the data subject or similarly significantly affect him / her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:

(i) inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and

(ii) implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.

(e) Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.

(f) The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.

(g) If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.

MODULE TWO: Transfer controller to processor

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

60

Execution Version

MODULE THREE: Transfer processor to processor

(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.

(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

MODULE FOUR: Transfer processor to controller

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

(a) The data importer¹² shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

¹²  The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.

61

Execution Version

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

MODULE ONE: Transfer controller to controller

MODULE FOUR: Transfer processor to controller

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

62

Execution Version

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

(a) The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679                is established, as indicated in Annex I.C, shall act as competent supervisory authority.

63

Execution Version

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

64

Execution Version

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards¹³;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be

¹³  As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

65

Execution Version

ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

[For Module Three: The data exporter shall forward the notification to the controller.]

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

66

Execution Version

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

67

Execution Version

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) [For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] [For Module Four: Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

68

Execution Version

Clause 17

Governing law

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

MODULE FOUR: Transfer processor to controller

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

Clause 18

Choice of forum and jurisdiction

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of the Republic of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

MODULE FOUR: Transfer processor to controller

Any dispute arising from these Clauses shall be resolved by the courts of the Republic of Ireland.

69

APPENDIX

ANNEX I

A. LIST OF PARTIES

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

MODULE FOUR: Transfer processor to controller

The information to complete this Annex I.A is found in the Processing Description applicable to each transfer.

B. DESCRIPTION OF TRANSFER

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

MODULE FOUR: Transfer processor to controller

The information to complete this Annex I.B is found in the Processing Description applicable to each transfer.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

The Netherlands

ANNEX II—TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

The information to complete this Annex II is found in the “Terms Applicable to Outsourcing” section of the Intra-Group Data Transfer and Security Agreement.

70

Execution Version

ANNEX III – LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

A current list of sub-processors is located in the vendor management system maintained by Procurement and in the internal system of record maintained by the Privacy Office.

71

Execution Version

ANNEX 2

TERMS APPLICABLE TO OUTSOURCING

1. DATA PROCESSOR OBLIGATIONS

In relation to each DTA where the Data Importer is a processor:

1.1 the Processing Description forms part of this Agreement, setting out various aspects of the Processing Arrangement; and

1.2 the Service Provider Party shall:

1.2.1 comply with applicable Data Protection Laws;

1.2.2 subject to paragraph 2 (Processing Instructions), only process personal data in the course of that Processing Arrangement (in this Schedule, the “Processed Personal Data”), and in particular only transfer any Processed Personal Data the transfer of which is subject to a Data Protection Law of the United Kingdom or the EEA, respectively, to a country or territory outside that geographical area, on the documented instructions of the Outsourcing Party (including, where relevant instructions given on behalf of another controller);

1.2.3 promptly inform the Outsourcing Party in writing (but without any obligation to give legal advice) if, in its opinion, to follow an instruction given by the Outsourcing Party as contemplated by paragraph 1.2.2 (including under paragraph 2) would give rise to a breach of applicable Data Protection Law;

1.2.4 at all times have in place technical and organisational measures to protect the Processed Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access which are appropriate to the risks of varying likelihood and severity for the rights and freedoms of individuals that are presented by the processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing (“Appropriate”—and for the avoidance of doubt, the relevant Processing Description may specify whether a particular measure is or is not Appropriate to that Processing Arrangement), including in particular:

(a) the applicable measures required by paragraph 5 (Specific Security Measures); and

(b) as and where Appropriate, measures for:

(i) the pseudonymisation and encryption of Processed Personal Data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(iii) the ability to restore the availability of and access to Processed Personal Data in a timely manner in the event of a physical or technical incident; and

72

Execution Version

(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

1.2.5 give the Outsourcing Party (or, where relevant, another controller on whose behalf it acts) such co-operation, assistance and information as it may reasonably request and the Service Provider Party may reasonably be able to provide to enable the Outsourcing Party (or any such controller) to comply with its obligations under applicable Data Protection Laws and co-operate with the competent authorities in relation to the Processed Personal Data, including, where relevant given the nature of the Service Provider Party’s processing, assisting the Outsourcing Party (or any such controller):

(a) by taking appropriate technical and organisational measures, insofar as is possible, to respond to requests from data subjects for access to or rectification, erasure or portability of Processed Personal Data or for restriction of processing or objections to processing of Processed Personal Data (but the Service Provider Party shall not respond to any such data subject request except on the written instructions or with the written consent of the Outsourcing Party); and

(b) in ensuring compliance with the Outsourcing Party’s (or any such controller’s) security, data breach notification, impact assessment and data protection or data privacy authority consultation obligations under applicable Data Protection Laws, taking into account the information available to the Service Provider Party;

1.2.6 not engage any other person (other than its own employees) to process the Processed Personal Data (in this Schedule, a “Processor-Sub-Contractor”) unless:

(a) the Service Provider Party (or the Agreement Manager on its behalf) has:

(i) given reasonable Notice of the engagement, such as through the vendor onboarding and engagement process then in place; and

(ii) in that Notice, given the Outsourcing Party a reasonable opportunity (including reasonable information and access), during that period, to assess the technical and organisational measures that the proposed Processor-Sub-Contractor will have in place to protect the relevant Processed Personal Data; and taken reasonable account of any comments raised by the Service Provider Party during that period; and

(b) the Outsourcing Party has not given Notice, within 21 days of receipt of Notice from the Service Provider Party under paragraph 1.2.6(a)(i) and (ii), that it objects to the engagement, with a reasonable explanation of its reasons for objecting (and the Outsourcing Party shall not unreasonably raise such an objection);

73

Execution Version

1.2.7 ensure that all of its employees authorised to have access to (or otherwise to process) the Processed Personal Data have:

(a) been informed of the special data protection requirements applicable to their role and that they must not use or access the data except as necessary to the performance of their role; and

(b) committed themselves to confidentiality on appropriate terms or are under an appropriate statutory obligation of confidentiality;

1.3 promptly give Notice, with reasonable details, if it becomes aware of, or comes to have reasonable grounds to suspect, the occurrence of any personal data breach or other material incident prejudicing, or revealing a material weakness in, the security of the Processed Personal Data while in its possession or under its control (a “Data Security Incident”);

1.4 in relation to any Data Security Incident:

1.4.1 take:

(a) all reasonable steps to identify and correct the underlying cause of the Data Security Incident so as to eliminate or minimise the risk of its repetition and the occurrence of similar Data Security Incidents;

(b) such steps as the Outsourcing Party may reasonably request and the Service Provider Party may reasonably be able to take to assist the Outsourcing Party (or any controller on whose behalf it acts) in addressing the adverse consequences for the Outsourcing Party (or any such controller) of, and complying with the Outsourcing Party’s (or any such controller’s) obligations under applicable Data Protection Law in relation to, the Data Security Incident;

1.4.2 report to the Outsourcing Party, promptly and at regular intervals, on the steps taken under paragraphs 1.4.1(a) and (b) and their results;

1.4.3 make available to the Outsourcing Party all information, and permit and contribute to all reasonable audits, including inspections, conducted by (or by auditors appointed by) the Outsourcing Party (or any controller on whose behalf it acts), as reasonably necessary to demonstrate the Service Provider Party’s compliance with this paragraph 1.4; and

1.4.4 at the option of the Outsourcing Party (to be exercised by Notice from the Outsourcing Party (or the Agreement Manager on its behalf), in the absence of which the Outsourcing Party is deemed to have chosen deletion), delete or return to the Outsourcing Party all the Processed Personal Data in its possession or under its control as soon as is practicable after the end of the provision of the relevant services by the Service Provider Party to the Outsourcing Party, and (in the case of return) as soon as is practicable delete all other copies of those Processed Personal Data.

74

Execution Version

2. PROCESSING INSTRUCTIONS

The Outsourcing Party hereby instructs the Service Provider Party to take such steps in the processing (including the international transfer) of Processed Personal Data on behalf of the Outsourcing Party as are reasonably necessary to the provision of services by the Service Provider Party to the Outsourcing Party.

3. SUB-PROCESSING TERMS

3.1 The Service Provider Party shall ensure that each (if any) Processor-Sub-Contractor is bound by a written contract which:

3.1.1 is binding on the Processor-Sub-Contractor with regard to the Outsourcing Party and any controller on whose behalf it acts; and

3.1.2 imposes on the Processor-Sub-Contractor obligations which are (at least) equivalent to those imposed on the Service Provider Party by paragraph 1 (Service Provider Party Obligations).

3.2 Subject to paragraph 3.3, the Service Provider Party shall, promptly following a written request from the Outsourcing Party, provide the Outsourcing Party with a copy of each contract as referred to in paragraph 3.1 that is identified (specifically or by category) in the Outsourcing Party’s request.

3.3 The Service Provider Party may redact any copy contract to be provided to the Outsourcing Party under paragraph 3.2 so as to remove any commercial terms or other information not relevant to, and the removal of which will not prejudice the Outsourcing Party’s assessment of, the Service Provider Party’s compliance with this Schedule.

4. SPECIFIC SECURITY MEASURES

The technical and organisational measures referred to in paragraph 1.2.4(a) are such measures as may be set out in the relevant Processing Description or agreed in writing between the Service Provider Party and the Outsourcing Party (or, in each case, the Agreement Manager on its behalf) or, if measures meeting the requirements of paragraph 1.2.4 (excluding paragraph 1.2.4(a)) are not so set out or agreed, the following requirements, to the extent relevant to the processing carried out by the Service Provider Party on behalf of the Outsourcing Party:

4.1 Access control to premises and facilities

Unauthorised access (in the physical sense) must be prevented. Technical and organisational measures to control access to premises and facilities, particularly to check authorisation, must be implemented.

4.2 Access control to systems

Unauthorised access to IT systems must be prevented. Technical (ID/password security) and organisational (user master data) measures for user identification and authentication must be implemented.

75

Execution Version

4.3 Access control to data

Access rights should be granted per least privilege principle. Requirements-driven definition of the authorisation scheme and access rights, and monitoring and logging of access, must be implemented.

4.4 Disclosure control

Aspects of the disclosure of personal data must be controlled, in particular electronic transfer, data transport, transmission control, etc. Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking, must be implemented.

4.5 Monitoring control

Proper data management and maintenance must be maintained. Measures for subsequent checking whether data have been entered, changed or removed (deleted), and by whom, must be implemented, in particular logging and reporting systems.

4.6 Job control

Commissioned data processing must be carried out according to instructions. Measures (technical/organisational) to segregate the responsibilities between the Service Provider Party and Outsourcing Party should be implemented.

4.7 Availability control

The Processed Personal Data must be protected against accidental destruction or loss. Measures to assure data security (physical/logical) must be implemented.

4.8 Segregation control

Processed Personal Data collected for different purposes should be able to process separately. Measures to allow for separate processing (storage, amendment, deletion, transmission) of Processed Personal Data for different purposes must be implemented.

76

Execution Version

SCHEDULE 4

FORM OF NOTICE OF ADHERENCE

Notice of Adherence to Block.one and Bullish Global Amended & Restated Master

Services Agreement

To:

• BLOCK.ONE, a Cayman exempt company with registered office at Maples Corporate Services Centre Limited, P.O, Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104 (“Block.one”);

• BULLISH GLOBAL, a Cayman exempt company with registered office at Maples Corporate Services Centre Limited, P.O, Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104 (“Bullish Global”);

• the other current parties to the Block.one and Bullish Global Amended & Restated Master Services Agreement dated [•] 2021, as amended, supplemented or replaced from time to time (the “Agreement”); and

• any other persons who may in the future wish to enter into the Agreement.

Terms not defined in this letter have the meaning given to them in the Agreement.

The company identified below (the “New Party”) hereby gives notice to the parties identified above (being the current parties to the Agreement and any persons who may in the future wish to enter into the Agreement) that it is willing to be bound by the Agreement in accordance with all of its terms.

The New Party will be party to the Agreement as of the date of acceptance of this notice by Block.one.

For the New Party:

[•]

Address: [•]

Signature:

Name:

Title:

Date:

77

Execution Version

Accepted by Block.one:	Accepted by Bullish Global:
BLOCK.ONE	BULLISH GLOBAL
Address: Maples Corporate Services Centre Limited, P.O, Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104	Address: Maples Corporate Services Centre Limited, P.O, Box 309, Ugland House, Grand Cayman, Cayman Islands KY1-1104
Signature:	Signature:

Name: Name:

Title: Title:

Date: Date:

78

IN WITNESS WHEREOF, each party has duly executed this Agreement, all as of the date first written above.

EXECUTED by the parties:
Signed by	)
for and on behalf of	)
BLOCK.ONE	)
	)
		Signature /s/ Andrew Bliss
		Name: Andrew Bliss
		Title: Director
Signed by	)
for and on behalf of	)
B1 SERVICES HK LIMITED	)
	)
		Signature /s/ Stephen Ellis
		Name: Stephen Ellis
		Title: Authorised Signatory
Signed by	)
for and on behalf of	)
BLOCK.ONE LLC	)
	)
		Signature /s/ Stephen Ellis
		Name: Stephen Ellis
		Title: Authorised Signatory
Signed by	)
for and on behalf of	)
SMART TECHNOLOGIES SEZC	)
	)
		Signature /s/ Andrew Bliss
		Name: Andrew Bliss
		Title: Director

[Signature page of Block.one and Bullish Global Amended & Restated Master Services Agreement]

IN WITNESS WHEREOF, each party has duly executed this Agreement, all as of the date first written above.

Signed by	)
for and on behalf of	)
BULLISH GLOBAL	)
	)
		Signature /s/ Kokuei Yuan
		Name: Kokuei Yuan
		Title: Director
Signed by	)
for and on behalf of	)
BULLISH (GI) LIMITED	)
	)
		Signature /s/ Russell Eldridge
		Name: Russell Eldridge
		Title: Director
Signed by	)
for and on behalf of	)
BULLISH HK LIMITED	)
	)
		Signature /s/ Max Nam-Storm
		Name: Max Nam-Storm
		Title: Director
Signed by	)
for and on behalf of	)
BULLISH US LLC	)
	)
		Signature /s/ David Bryan Shayden
		Name: David Bryan Shayden
		Title: Authorised Signatory
Signed by	)
for and on behalf of	)
BULLISH SG PTE LIMITED	)
	)
		Signature Alexander See
		Name: Alexander See
		Title: Director
Signed by	)
for and on behalf of	)
BULLISH	)
	)
		Signature /s/ Kokuei Yuan
		Name: Kokuei Yuan
		Title: Authorised Signatory

[Signature page of Block.one and Bullish Global Amended & Restated Master Services Agreement]