FTI Consulting Technology Data Protection Addendum

This Data Protection Addendum (“Addendum” or “DPA”) forms part of the contract for e-discovery, hosting, information governance and/or document review services (“Principal Agreement,” “Agreement” or “Engagement Contract”) between: (i) [___________] (“Client”) acting on its own behalf and in the name and on behalf of each Client Affiliate; and (ii) FTI Consulting Technology LLC (“FTI”) collectively the “Parties,” acting on its own behalf and in the name and on behalf of each FTI Affiliate.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. All capitalized terms not defined in this Addendum shall have the meaning set out in the Agreement.

DEFINITIONS

In this Addendum, the following terms shall have the meanings set out below:

  1. "Addendum Effective Date" has the meaning given to it in clause 1;
  2. "Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Client or FTI (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  3. “Canadian Privacy Laws” means the Personal Information Protection and Electronic Documents Act and all provincial laws deemed substantially similar thereto, including without limitation, the Act Respecting the Protection of Personal Information in the Private Sector (Québec) (“Quebec Privacy Law”), the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and all other applicable laws governing the collection, use, disclosure and security of personal information applicable to any party to this Addendum, as same may be amended, supplemented and interpreted by regulatory authorities and courts from time to time;
  4. “C2C Restricted Transfer” means a transfer of Personal Data from Client or its Affiliate (acting as Controller) to FTI (acting as Controller), where such transfer would be prohibited by Data Protection Laws in the absence of Module 1 of the EEA Standard Contractual Clauses (and/or) Module 1 of the EEA Standard Contractual Clauses as amended by the UK IDTA;
  5. “C2P Restricted Transfer” means a transfer of Personal Data from Client or its Affiliate (acting as Controller) to FTI (acting as Processor), where such transfer would be prohibited by Data Protection Laws in the absence of Module 2 of the EEA Standard Contractual Clauses (and/or) Module 2 of the EEA Standard Contractual Clauses as amended by the UK IDTA;
  6. “Controller Services” means the Processing of Client Personal Data by FTI in circumstances in which FTI determines the purposes and means of the Processing, in particular where FTI takes relevant decisions concerning the collection and use of Client Personal Data in connection with the delivery of Services to the Client or is subject to applicable Data Protection Laws determining how Personal Data must be Processed;
  7. "Client Personal Data” means Personal Data which is Processed in connection with the Agreement;
  8. "Data Exporter” means a party transferring Client Personal Data to a Data Importer under this Agreement, or as otherwise defined by Data Protection Laws or the Standard Contractual Clauses;
  9. "Data Importer” means a party receiving Client Personal Data from a Data Exporter under this Agreement, or as otherwise defined by Data Protection Laws or the Standard Contractual Clauses;
  10. "Data Protection Laws" means all applicable legislation protecting the personal data of natural persons that is applicable to the Processing of Client Personal Data including (without limitation) the GDPR, UK Data Protection Laws, US Privacy Laws, the Swiss Federal Act on Data Protection 2020 (“Swiss FADP”), Privacy Act 1988 (Cth) No. 119 (as amended) and its Australian Privacy Principles, Canadian Privacy Laws, and any national legislation which implements or supplements the GDPR, the UK Data Protection Laws, the CCPA, United States (“US”) Privacy Laws, and the data protection laws of any other country, state or territory which apply to such Processing;
  11. "EU-U.S. Data Privacy Framework” means the framework for transfers of Personal Data under the GDPR adopted by the European Commission in its implementing decision of 10 July 2023;
  12. “EEA Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as updated, amended, replaced or superseded from time to time by the European Commission;
  13. "GDPR" or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 with any subordinate legislation or regulation implementing the General Data Protection Regulation on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data;
  14. The terms “Consumer”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, “Process”, “Special Categories of Data”, “Deidentified Data” (including “Deidentified Information” and similar terms), “Supervisory Authority” and “Data Protection Impact Assessment” have the same meaning as described in the Data Protection Laws, and in each case their cognate terms shall be construed accordingly;
  15. "Legal Process" means any criminal, civil, or administrative subpoena, mandatory request, warrant or court order issued by a Public Body, including but not limited to subpoenas, warrants and orders authorized under local, regional, state, national or any federal laws or regulations;
  16. “P2C Restricted Transfer” means a transfer of Personal Data from FTI or its Affiliate (acting as Processor) to Client (acting as Controller), where such transfer would be prohibited by Data Protection Laws in the absence of Module 4 of the EEA Standard Contractual Clauses (and/or) Module 4 of the EEA Standard Contractual Clauses as amended by the UK IDTA;
  17. “Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “Personal Data” or “Personal Information” by Data Protection Laws relating to the collection, use, storage, disclosure or other processing of information about an identifiable individual;
  18. “Processor Services” means the Processing of Personal Data by FTI in circumstances in which FTI Processes Personal Data on behalf of the Client or any Client Affiliate (where the Client or Client Affiliate acts as the relevant Controller), in particular where FTI assists the Client or any Client Affiliate with the delivery of the Services, acting on instructions from the Client or any Client Affiliate;
  19. "Public Body" means any local, regional, state, national or federal law enforcement or intelligence authority, regulator, government department, agency or court in any country or territory that is not part of the European Economic Area (EEA);
  20. "Restricted Transfer" means a transfer of Personal Data from Client to FTI, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses;
  21. "Services" means the e-discovery, hosting, contract intelligence, information governance, and/or document review services supplied by FTI to Client pursuant to the Agreement;
  22. “Standard Contractual Clauses” or “SCC’s” means the EEA Contractual Clauses and (where applicable in accordance with clause 12.2) the EEA Contractual Clauses as amended by the UK IDTA;
  23. “Sub-Processor” means any Processor engaged by FTI, or an FTI Affiliate, to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA where such entity processes Personal Data. Sub-processors may include third parties or FTI’s Affiliates;
  24. "Swiss-U.S. Data Privacy Framework” means the framework for transfers of Personal Data under the Swiss FADP as may be adopted by the Swiss Federal Council;
  25. "UK Data Protection Laws" means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this Addendum (excluding clause 6), in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions, references to "European Union or Member State law" shall be construed as references to UK law and references to the European Commission shall be construed as references to the UK Government;
  26. “UK Extension” means the United Kingdom’s Government assessment of adequacy for the UK Extension to the EU-U.S. Data Privacy Framework codified in The Data Protection (Adequacy)(United States of America) Regulations 2023;
  27. "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws, and incorporated by reference into this Addendum and which shall come into effect upon the commencement of a relevant Restricted Transfer; and
  28. “US Privacy Laws” means, collectively, any applicable U.S. federal, state or local statute, law, or implementing rule or regulation applicable to a Party’s Processing of Client Personal Data including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and similar laws passed in other U.S. states, the District of Columbia, and territories as they become effective.

1. FORMATION OF THIS ADDENDUM

This Addendum is deemed accepted by the Client, and comes into effect on the Addendum Effective Date, which shall be the Effective Date of the Agreement.

2. DESCRIPTION OF THE PERSONAL DATA PROCESSING

The parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, FTI acts as a Processor, on behalf of the Client in respect of the Processor Services and FTI acts as a Controller in respect of the Controller Services. Where FTI is acting as a Processor, the terms of Part A of this Addendum shall apply. Where FTI is acting as a Controller, the terms of Part B of this Addendum shall apply. Part C of this Addendum shall apply equally to both the Controller Services and the Processor Services.

Part A: DATA PROCESSING TERMS

In the course of performing their mutual obligations pursuant to the Agreement, the Parties shall duly observe and comply with their respective obligations under applicable Data Protection Laws. The Parties agree that subject to clause 3.5 and 13.6, FTI Processes Client Personal Data for Client as a Processor.

3.0 PROCESSING

In respect of its Processing of Client Personal Data applicable to the provision of the Services, FTI shall:

3.1 Process the Client Personal Data solely on the documented instructions of Client, for the purposes of providing, supporting and managing the Services and as otherwise necessary to perform its obligations under the Agreement, unless required by applicable law to which FTI or any FTI Affiliate is subject, in which case FTI shall inform Client of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest;

3.2 Process only the types of Client Personal Data, relating to the categories of Data Subjects, and in the manner and duration required to deliver the Services, as is set out in the Annex 1, or as otherwise agreed in writing by the Parties. The Agreement (including this DPA) constitutes such documented instructions, and each use of the Services then constitutes further instructions;

3.3 Take measures reasonably appropriate in accordance with applicable Data Protection Laws to ensure the security of the Client Personal Data;

3.4 ensure that any staff who may have access to the Client Personal Data commit themselves to contractual or statutory obligations of confidentiality, and take reasonable steps to ensure the reliability of such staff;

3.5 where FTI receives a Legal Process requiring disclosure of Client Personal Data to a Public Body, FTI shall (unless prohibited from doing so by applicable laws) notify the Client of the same. Without prejudice to the foregoing, where the Legal Process places a legally binding obligation on FTI to disclose Client Personal Data, or to otherwise respond to the Legal Process, the Client acknowledges that FTI shall be required to Process Client Personal Data as a Controller in determining its response to that Legal Process;

3.6 notify Client promptly if FTI: (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and cannot cure this inability to comply within a reasonable time frame; or (ii) becomes aware of any circumstances or change in applicable law that is likely to prevent it from fulfilling its obligations under this DPA. In the event FTI provides such notice, Client will have the right to temporarily suspend the relevant Processing under this DPA until such time that the Processing is adjusted in such a manner that the noncompliance is remedied. To the extent such adjustment is not possible, Client will have the right to terminate this DPA and/or the Agreement.

4.0 SUBPROCESSING

FTI engages Sub-processors to provide certain services on its behalf and FTI shall:

4.1 be expressly and specifically authorized by Client to use (i) those Sub-Processors already engaged by FTI or any FTI Affiliate as of the date of this Addendum, and (ii) any FTI Affiliate as a Sub-Processor. The list of Sub-Processors (including FTI Affiliates acting as Sub-Processors) is published on the TRUST site, which includes a Sub-Processor notification mechanism to which Client shall subscribe.

4.2 be generally authorized to engage any other Sub-Processor, subject to FTI:

4.2.1 providing a list of Sub-processors made available by FTI on its website referenced in clause 4.1;

4.2.2 not subcontracting its obligations under this Addendum to new Sub-Processor(s) without providing Client with thirty (30) days advanced notice (in accordance with the notification mechanism referenced in clause 4.1), and notification via such notification mechanism shall be deemed sufficient notice;

4.2.3 providing the Client an opportunity to object to the appointment of a new Sub-Processor, provided Client rejects on reasonable grounds;

4.2.4 including terms in its contract with each Sub-Processor which are materially similar and at least as protective, as those set out in this Addendum and the SCCs or other appropriate safeguards as described under applicable Data Protection Laws, as applicable to the Services;

4.2.5 remaining liable to the Client, to the same extent that FTI would itself be liable under this Addendum for its Sub-Processor’s failures, acts, or omissions whenever the Sub-Processor is fulfilling its obligations in relation to the Processing of the Client Personal Data;

4.3 In relation to any notice received or published under clause 4.2.2, and in accordance with clause 4.2.3, the Client shall have a period of 30 (thirty) days from the published date or of the notice to register any reasonable objection to the use of that Sub-Processor by sending an email to Technologysubprocessorobjection@fticonsulting.com. Where the Client registers such an objection, FTI will respond to the Client with any known commercially reasonable solution which avoids the use of the objected to Sub-Processor within 30 (thirty) days from the date when the Client registered the objection. Where no such solution can be found, either party may (notwithstanding anything to the contrary in the Agreement) terminate the relevant Services immediately on notice to the other party. If Client does not register an objection during the thirty (30) day timeframe, such Sub-Processor shall be deemed an authorized Sub-Processor for the purposes of this Addendum.

5.0 ADDITIONAL TERMS REGARDING PROCESSING OF PERSONAL DATA AS RELATED TO THE US PRIVACY LAWS

5.1 To the extent US Privacy Laws apply to FTI’s Processing of Client Personal Data, such Client Personal Data will be disclosed by Client to FTI to perform the Services under the Agreement, including performing the activities set forth in clause 13.6 of this Addendum, and FTI will act as Client’s ‘Service Provider’ or ‘Processor’, as such terms are defined under applicable US Privacy Laws, with respect to such data. For purposes of this section, references to ‘Processor’ include ‘Service Provider’ where the applicable US Privacy Law uses the term ‘Service Provider.’

5.2 FTI will not to the extent required under US Privacy Laws:

5.2.1 ‘sell’ or ‘share’ Client Personal Data, as ‘sell’ and ‘share’ are defined under US Privacy Laws;

5.2.2 retain, use, or disclose Personal Data (a) for a commercial or any other purpose other than for the specific purpose of providing, managing and/or supporting the Services, as further described in the Agreement, including performing the activities set forth in clause 13.6 of this Addendum, or as otherwise permitted by US Privacy Laws, or (b) outside of the direct business relationship between FTI and Client, unless expressly permitted by US Privacy Laws; or

5.2.3 combine Client Personal Data that FTI receives from or on behalf of the Client with Personal Data that FTI receives from or on behalf of another person, or collects from its own interaction with an individual, unless permitted by the US Privacy Laws.

5.3 Where required under US Privacy Laws, FTI will provide reasonable assistance (i) to help Client evaluate whether FTI is using Client Personal Data in a manner consistent with the Client’s obligations under US Privacy Laws; and (ii) to enable Client to conduct and document data protection assessments, by providing necessary information to Client.

5.4 FTI will enable Client, upon written notice to FTI, to take reasonable and appropriate steps to stop and remediate any of FTI’s use of Client Personal Data pursuant to the Agreement that Client deems in its reasonable opinion is unauthorized.

5.5 Any steps taken by the Client as set out in clauses 5.3 and 5.4 shall be subject to FTI’s commercial practicability and shall not require FTI or its Sub-Processors to provide access to or disclose any intellectual property, confidential information, or other materials which could compromise the security, availability, performance or integrity of FTI’s systems, data, premises and/or cause FTI to breach any applicable law, its obligations of confidentiality and/or non-disclosure to its other customers or any other person.

5.6 FTI may disclose Personal Data to FTI’s Processors in connection with such Processors providing services to FTI, and FTI may permit such Processors to Process Client Personal Data as necessary for FTI to provide the Services to Client; provided, in each case, that FTI binds its Processors to comply with FTI’s material obligations under this DPA with respect to the Processing of Client Personal Data. To the extent that FTI is deemed to be a ‘Contractor’ (as such term is defined under the CCPA), FTI certifies that it understands the restrictions on its Processing of Personal Data as set forth in this clause 5 and will comply with them.

5.7 To the extent that Client discloses or otherwise makes available Deidentified Data to FTI, or FTI deidentifies Client Personal Data, FTI agrees to (i) take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual or household; (ii) publicly commit to maintain Deidentified Data in a deidentified form; and (iii) contractually obligate any further recipient to comply with all provisions of this clause 5.7.

6.0 SECURITY MEASURES

FTI shall implement the technical and organizational measures in order to protect against Personal Data Breaches and to preserve the security and confidentiality of Client Personal Data Processed by FTI in the provision of the Services (“Security Measures”). The Security Measures are subject to technical progress and development. FTI may update or modify the Security Measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Services and Client Personal Data.

7.0 PERSONAL DATA BREACH RESPONSE

Upon confirmation of a Personal Data Breach affecting Client Personal Data (“Client Personal Data Breach”), FTI shall:

7.1 notify Client without undue delay [and in any event no more than seventy-two (72) hours];

7.2 taking into account the information available and to the extent known, provide all such information and cooperation as Client may reasonably require in order for Client to fulfil its Personal Data Breach reporting obligations under (and in accordance with the timescales required by) Data Protection Laws;

7.3 promptly commence an investigation and take such measures and actions as it considers necessary or appropriate to remedy or mitigate the effects of the Client Personal Data Breach;

7.4 except as required by applicable law or contractual obligations, as mandated by a Supervisory Authority or in furtherance of FTI’s efforts to investigate or remediate the Client Personal Data Breach, FTI will not inform any third party (other than a Sub-Processor of Client Personal Data) of a Client Personal Data Breach referencing or identifying the Client, without Client’s prior written consent.

For the sake of clarity, a Personal Data Breach will not include unsuccessful log-in attempts, denial of service attacks, port scans, packet sniffing, pings, exploits and other attacks on firewalls or networked systems, or the disclosure or identification of software or system vulnerabilities or weaknesses which do not result in unauthorized access, alteration, destruction, loss or disclosure of Client Personal Data. Notwithstanding the foregoing, notifications in accordance with clauses 7.1 and 7.2 will not be construed as an acknowledgment by FTI of any fault or liability with respect to the Client Personal Data Breach.

8.0 COOPERATION

8.1 Taking into account the nature and scope of the Processing, FTI shall:

8.1.1 to the extent permitted by applicable law, promptly notify Client of any communication from a Data Subject or Consumer regarding the Processing of their Personal Data which is comprised in the Client Personal Data, or any communication from a Supervisory Authority relating to either party's obligations under applicable Data Protection Laws in respect of the Client Personal Data;

8.1.2 not respond to any communication directly from a Data Subject or Consumer without Client’s prior authorization, unless legally compelled to do so;

8.1.3 reasonably cooperate and provide commercially reasonable assistance to Client in their response to (i) requests from any Data Subject or Consumer exercising his or her rights under Data Protection Laws and (ii) any inquiry made, investigation or assessment of Processing initiated by any Supervisory Authority;

8.1.4 provide commercially reasonable assistance requested by Client in relation to any Data Protection Impact Assessment which Client is required to perform under Data Protection Laws in respect of Processing undertaken by FTI; and

8.1.5 only correct, delete or restrict the Processing of Personal Data in accordance with documented instructions from the Client, unless otherwise required by applicable law. Notwithstanding the foregoing, Client agrees that it is highly unlikely that FTI would independently become aware that Client Personal Data is inaccurate or outdated. Nonetheless, if FTI becomes aware that Client Personal Data is inaccurate or outdated, it will notify Client without undue delay. Accordingly, FTI will cooperate with Client to rectify inaccurate or outdated Client Personal Data to the extent permitted by applicable law. Any assistance provided to the Client as set out in clauses 8.1.4 and 8.1.5 shall be subject to practicability and additional fees payable by Client in connection with such assistance.

8.2 Client acknowledges and consents that some technical and data centre support will be supplied by FTI Affiliates located outside of the US and EU depending on the scope of Services and as such, Personal Data may be Processed by those FTI teams or Affiliates in the United States, European Economic Area, India, United Kingdom, and/or Australia.

9.0 AUDITS AND INSPECTIONS

9.1 FTI (or third parties engaged by FTI) audits its compliance against data protection and information security standards on a regular basis. The specific audits, and the data protection and information security certifications FTI has achieved, may vary depending upon the nature of the Services and are described on the TRUST site: https://www.FTITechnology.com/trust and in Annex II.

9.2 As directly related to FTI’s Processing of Client Personal Data, upon written request and subject to obligations of confidentiality, FTI shall:

9.2.1 make available to Client a summary of its most recent relevant audit report so that Client can verify FTI's compliance with this DPA and the audit standards against which it has been assessed;

9.2.2 reasonably cooperate with Client’s efforts to verify FTI’s compliance with its respective obligations pursuant to applicable Data Protection Laws and this DPA and make available to Client all information necessary to demonstrate such compliance.

9.3 To the extent Client cannot reasonably assess FTI’s compliance with its respective obligations pursuant to Data Protection Laws and this DPA through review under clause 9.1, on thirty (30) day advance written notice, FTI shall allow for and contribute to audits, including inspections, conducted by Client, or any competent auditor mandated by Client, provided that any mandated auditor is not a competitor of FTI or any FTI Affiliate, to inspect and audit the relevant and applicable facilities used by FTI to Process Client Personal Data.

9.4 Client agrees that the scope, and duration, of any audit or inspection requested in clauses 9.1 and 9.2 shall be: (i) mutually agreed between the Parties acting reasonably and in good faith, and (ii) subject to additional fees payable by Client. Beyond such restrictions, Client shall use current certifications and documentation FTI makes generally available to avoid or minimize repetitive audits wherever possible. Further, Client understands and agrees that any request for information, audits (or inspections) shall not require FTI or its Sub-Processors to provide access to or disclose any intellectual property, confidential information, or data that could compromise the security, availability, performance or integrity of FTI’s systems, premises and/or cause FTI to breach any applicable law, its obligations of confidentiality and/or non-disclosure to its other customers or any other third party; and unless expressly prohibited by a Supervisory Authority, Client accepts that any on-site audit or inspection at a facility controlled or managed by a third party shall be subject to the security, non-disclosure and access policies set forth by that third party.

9.5 An audit or inspection permitted in compliance with clause 9.3 will be conducted during FTI’s standard business day and shall be limited to once per calendar year, unless (i) FTI has experienced a Client Personal Data Breach within the prior twelve (12) months, or (ii) Client is able to evidence an incidence of FTI’s material noncompliance with this DPA; or (iii) as otherwise directed or requested by a Supervisory Authority.

10.0 DELETION OF DATA

Except to the extent required by this clause 10, FTI shall cease Processing the Client Personal Data upon the termination or expiry of the Agreement and:

10.1 subject to clauses 13.5, 13.6 and 10.3 and the terms of the Agreement, delete Client Personal Data in accordance with FTI’s security, retention and disaster recovery policies which require backup and archival copies of Personal Data are retained for ninety-one (91) days, provided they are protected in accordance herewith;

10.2 when instructed by Client within thirty-one (31) days of the termination or expiry of the Agreement, return any original Client Personal Data to Client;

10.3 where required by Data Protection Laws to which FTI or any FTI Affiliate is subject, retain Client Personal Data to the extent and for the duration reasonably required by that law.

11.0 RESTRICTED TRANSFERS

C2P and P2C Restricted Transfers

11.1 In respect of any Restricted Transfers subject to the GDPR, the parties hereby enter into Module 2 of the EEA Standard Contractual Clauses for any C2P Restricted Transfer (with Client as Data Exporter and Controller and FTI as Data Importer and Processor), or Module 4 of the EEA Standard Contractual Clauses for any P2C Restricted Transfer (with FTI as data exporter and Processor and Client as data importer and Controller). Such Modules are hereby incorporated by reference into this Addendum and which shall come into effect upon the commencement of the associated Restricted Transfer. The parties make the following selections:

11.1.1 Clause 7 – Docking clause shall apply;

11.1.2 For Module 2, Clause 9 - Use of subprocessors Option 2 shall apply and the “time period” shall be 30 days;

11.1.3 Clause 11(a) - Redress the optional language shall not apply;

11.1.4 For Module 2, Clause 13(a) – Supervision

11.1.4.1 Where Client is established in an EU Member State, the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall be the supervisory authority of the Member State in which Client is established or (if different) the lead supervisory authority of the Client in respect of a cross-border processing activity”. OR

11.1.4.2 Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, shall act as competent supervisory authority.” OR

11.1.4.3 Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) without however having to appoint a representative the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”

11.1.5 Clause 17 – Governing law for Module 2, “Option 1” shall apply and for Modules 2 and 4, the “Member State” shall be the Republic of Ireland;

11.1.6 Clause 18 – Choice of forum and jurisdiction the Member State shall be the Republic of Ireland;

11.1.7 Annex 1 – the data exporter is Client and the data importer is FTI (in each case as identified, including in relation to their places of establishment, in this Agreement) and the processing operations are deemed to be those described in Annex 1 to this Addendum;

11.1.8 Annex 2 – see Annex 2 to this Addendum; and

11.1.9 Annex 3 – not applicable.

11.2 Save for Restricted Transfers pursuant to clause 11.3, in respect of any Restricted Transfer subject to the UK GDPR, the EEA Standard Contractual Clauses (incorporated by reference pursuant to clause 11.1) shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in the Principal Agreement, except that for the purposes of Table 4 of Part 1 (Tables) the parties select both the “importer” and “exporter” options.

11.3 Client acknowledges that various FTI entities and affiliates established in the US are certified under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension (collectively, the “DPF”). For the avoidance of doubt, to the extent that a transfer between Client and FTI is covered by DPF, and to the extent that the same constitutes a valid adequacy decision for the purposes of EU, Swiss or UK Data Protection Laws (as applicable), then the SCCs will not apply. FTI’s certification can be viewed on the Data Privacy Framework List available at: https://www.dataprivacyframework.gov. In the event that the European Commission, Swiss federal government or UK government no longer recognizes the DPF as a valid adequacy decision, the parties agree that the SCCs (where applicable, as modified by the provisions of clause 11.2 or 11.4), shall apply.

11.4 In respect of any Restricted Transfer subject to the Swiss FADP, the EEA Standard Contractual Clauses shall be amended as follows: (i) Scope of “personal data” (Clause 1.c / Annex I.B): In addition to Personal Data pertaining to individuals, these amended Standard Contractual Clauses (Clauses) shall be applicable to and protect Personal Data pertaining to legal entities as well, if and to the extent such Personal Data pertaining to legal entities is within the scope of the Swiss FADP; (ii) Competent supervisory authority (Clause 13 / Annex I.C): To the extent the transfer of Personal Data as specified in Annex I.B is subject to the Swiss FADP, the Swiss Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority. To the extent the transfer of Personal Data as specified in Annex I.B is subject to the GDPR, the supervisory authority of the Member State in which the Swiss data exporter’s EU representative according to GDPR Article 27(1) is established shall act as competent supervisory authority; and (iii) Data subject jurisdiction (Clause 18.c): The term “Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of pursuing their rights at their place of habitual residence (Switzerland) in accordance with clause 18.c. Accordingly, data subjects with their place of habitual residence in Switzerland may also bring legal proceedings before the competent courts in Switzerland.

11.5 In respect of any Restricted Transfer between FTI and a Sub-Processor, FTI shall either: (a) enter into Module 3 of the EEA Standard Contractual Clauses (where applicable, with appropriate amendments for the Swiss FADP); (b) enter into the UK IDTA; and/or (c) take steps to ensure that the Sub-Processor is certified under the DPF, where doing so is necessary to ensure that the Restricted Transfer complies with Data Protection Laws.

11.6 For the avoidance of doubt, if, and to the extent that, the European Commission or the UK Government issues any amendment to, or replacement of, the EEA Standard Contractual Clauses or UK IDTA, the parties acknowledge and agree that such clauses will automatically be deemed to replace all Standard Contractual Clauses then in force between the Client and FTI and the parties shall take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers.

11.7 If, at any time, a Supervisory Authority or a court with competent jurisdiction over a party mandates that certain cross-border transfers from Controllers to Processors must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the parties shall work together in good faith to implement such safeguards and ensure that any transfer of Client Personal Data is conducted with the benefit of such additional safeguards.

11.8 In respect of any Restricted Transfer subject to the Privacy Act 1988 (Cth) No. 119 (as amended) and its Australian Privacy Principles, FTI and Client acknowledge and agree:

11.8.1 where and to the maximum extent applicable the provisions of Annex 1 and Annex 2 shall apply;

11.8.2 the Data Importer may only use the transferred Personal Data for the purposes described in Annex 1 and not for any other purpose; and

11.8.3 the Data Importer will provide all assistance and cooperation reasonably required by the Data Exporter to comply with the Data Exporter’s obligations under the Privacy Act 1988 (Cth) No. 119 (as amended).

12.0 Part B - CONTROLLER TERMS

12.1 FTI and the Client will each act as separate and individual Controllers in relation to any Personal Data (including, without limitation, Personal Data relating to any of the Client's workers, FTI's workers, any litigation or arbitration opponent or customer or vendor or transaction partner) Processed by the Client or FTI to deliver Controller Services set out under the Principal Agreement.

12.2 FTI and the Client will each comply with its own respective obligations under the Data Protection Laws in relation to their Processing of Personal Data under the Principal Agreement. In particular, the Client will ensure that any disclosures of Personal Data to FTI are lawful, and, in each case where necessary under the Data Protection Laws, the Client has notified and secured the consent of the relevant Data Subjects prior to disclosing Personal Data to FTI.

12.3 FTI may appoint Processors as required to deliver the services, who will process the Personal Data on FTI's behalf and at FTI's direction. Further, FTI may disclose Personal Data to other Controllers:

12.3.1 where necessary to deliver the services (including, but without limitation, law firms, accountants, other third-party experts and any member of the FTI Affiliate); or

12.3.2 pursuant to a legally binding written request, an order or request of a court of competent jurisdiction or any governmental or regulatory authority or where disclosure is required by applicable law or regulation (“Legal Process”). In relation to any Legal Process, FTI shall assess the lawfulness of the request before responding and shall take any steps required by Data Protection Laws to protect Personal Data prior to its disclosure (including, without limitation, with respect to data minimization and data security).

12.4 The Parties agree that no “sale” (as that term is defined under US Privacy Laws applicable to Client) of Client Personal Data is intended as part of the Agreement, and both Parties will take reasonable steps to ensure no sale occurs. The Parties agree that any provision of Consumer Information by one Party to another under the Agreement is necessary to perform a business purpose and is not part of, and explicitly excluded from, the exchange of consideration, or any other thing of value, between the Parties.

12.5 C2C Restricted Transfers - The Client acknowledges and agrees that FTI may be located outside of the European Economic Area or the UK, and that certain Processors or Controllers engaged by FTI under clause 12.3 may also be located outside of the European Economic Area or the UK.

12.5.1 In respect of any C2C Restricted Transfer, the parties hereby enter into Module 1 of the EEA Standard Contractual Clauses (with Client as data exporter and Controller and FTI as data importer and Controller or vice versa as the case may be), which is hereby incorporated by reference into this Addendum and which shall come into effect upon the commencement of a C2C Restricted Transfer. The parties make the following selections for the purposes of Module 1:

12.5.1.1 Clause 7 (Docking clause) shall apply;

12.5.1.2 Clause 11(a) (Redress) the optional language shall not apply;

12.5.1.3 Clause 13(a) (Supervision):

12.5.1.3.1 Where Client is established in an EU Member State, the following shall apply: "The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority." OR

12.5.1.3.2 Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with article 3(2) and has appointed a representative pursuant to article 27(1) of the GDPR the following shall apply:

"The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, shall act as competent supervisory authority." OR

12.5.1.3.3 Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with article 3(2) without however having to appoint a representative the following shall apply:

"The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority."

12.5.1.4 Clause 17 (Governing law) "Option 1" shall apply and the "Member State" shall be the Republic of Ireland;

12.5.1.5 Clause 18 (Choice of forum and jurisdiction) the Member State shall be the Republic of Ireland;

12.5.1.6 Annex 1 – the data exporter is Client and the data importer is FTI (in each case as identified, including in relation to their places of establishment, in the Principal Agreement) and the description of transfer is deemed to be as described in Annex 1 to this Addendum;

12.5.1.7 Annex 2 – the technical and organizational security measures are deemed to be those described in Annex 2 to this Addendum; and

12.5.1.8 Annex 3 – not applicable.

12.5.2 Save for Restricted Transfers pursuant to clause 12.5.3, in respect of any Restricted Transfer subject to the UK GDPR, the EEA Standard Contractual Clauses (incorporated by reference pursuant to clause 12.5.1) shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in the Principal Agreement, except that for the purposes of Table 4 of Part 1 (Tables) the parties select both the “importer” and “exporter” options.

12.5.3 The Parties acknowledge that FTI is, and Client or its Affiliates established in the US may be, certified under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension (collectively, the “DPF”). For the avoidance of doubt, to the extent that a transfer between Client and FTI is covered by DPF, and to the extent that the same constitutes a valid adequacy decision for the purposes of EU, Swiss or UK Data Protection Laws (as applicable), then the SCCs will not apply. Where applicable, Client’s and FTI’s certification can be viewed on the Data Privacy Framework List available at: https://www.dataprivacyframework.gov. In the event that the European Commission, Swiss federal government or UK government no longer recognizes the DPF as a valid adequacy decision, the Parties agree that the SCCs (where applicable, as modified by the provisions of clause 12.5.2 or 12.5.4), shall apply.

12.5.4 Save for Restricted Transfers pursuant to clause 12.5.3, in respect of any Restricted Transfer subject to the Swiss FADP, the EEA Standard Contractual Clauses (incorporated pursuant to clause 12.5.1) shall be amended as follows: (i) Scope of “personal data” (Clause 1.c / Annex I.B): In addition to Personal Data pertaining to individuals, these amended Standard Contractual Clauses (Clauses) shall be applicable to and protect Personal Data pertaining to legal entities as well, if and to the extent such Personal Data pertaining to legal entities is within the scope of the Swiss FADP; (ii) Competent supervisory authority (Clause 13 / Annex I.C): To the extent the transfer of Personal Data as specified in Annex I.B is subject to the Swiss FADP, the Swiss Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority. To the extent the transfer of Personal Data as specified in Annex I.B is subject to the GDPR, the supervisory authority of the Member State in which the Swiss data exporter’s EU representative according to GDPR Article 27(1) is established shall act as competent supervisory authority; and (iii) Data Subject jurisdiction (Clause 18.c): The term “Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of pursuing their rights at their place of habitual residence (Switzerland) in accordance with clause 18.c. Accordingly, Data Subjects with their place of habitual residence in Switzerland may also bring legal proceedings before the competent courts in Switzerland.

12.5.5 In respect of any Restricted Transfer subject to the Privacy Act 1988 (Cth) No. 119 (as amended) and its Australian Privacy Principles, FTI and Client acknowledge and agree:

12.5.5.1 Where and to the maximum extent applicable the provisions of Annex 1 and Annex 2 shall apply;

12.5.5.2 The Data Importer may only use the transferred Personal Data for the purposes described in Annex 1 and not for any other purpose; and

12.5.5.3 The Data Importer will provide all assistance and cooperation reasonably required by the Data Exporter to comply with the Data Exporter’s obligations under the Privacy Act 1988 (Cth) No. 119 (as amended).

Part C

13.0 CLIENT OBLIGATIONS & ACKNOWLEDGEMENTS

13.1 Client shall ensure that, wherever it discloses Client Personal Data to FTI, it is authorized to do so in accordance with the Data Protection Laws for the purposes of FTI Processing that Personal Data to provide the Services and shall notify FTI immediately upon becoming aware of any circumstances in which such disclosure and subsequent Processing by FTI may have become unlawful. Client further agrees it has provided all notices and obtained all relevant authorizations, consents, rights and permissions for the Processing of Personal Data in accordance with this DPA including but not limited to any Special Categories of Data and where applicable, approval by any relevant Controllers to use FTI as a Processor;

13.2 Client shall keep the amount of Personal Data disclosed or transmitted to FTI, Sub-Processor and any FTI Affiliate to the minimum necessary to provide the Services pursuant to the Agreement;

13.3 Client shall serve as a single point of contact for FTI and be solely responsible for internal coordination, review and submission of any Processing instructions in respect of which any Client Affiliate is the Controller;

13.4 Client acknowledges that notification(s) and information pursuant to this DPA will be delivered to one or more of Client’s business, technical or administrative contacts, designated by Client in writing by any means, including email. It is the Client’s sole responsibility to ensure FTI has accurate and current contact information at all times;

13.5 Client acknowledges that FTI’s email and associated collaboration records are Processed through Microsoft 365 which is configured based on the designated location of the FTI personnel the email was addressed to and in accordance with multi-geo locations as published on: https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-multi-geo?view=o365-worldwide#microsoft-365-multi-geo-availability. FTI’s global email archiving and spam filtering are provided through Mimecast which is replicated and retained, unless otherwise subject to an applicable Legal Process or litigation hold, for up to three (3) years in Germany. Client consents that any Personal Data provided to FTI by email will be replicated and retained accordingly. To the extent that the Client wishes to transmit certain information or any data to FTI and objects to that data being replicated and retained in accordance with this clause, Client will use a communication or transmission method other than email and agrees not to transmit or otherwise disclose Personal Data via email to FTI;

13.6 Client acknowledges and consents that Personal Data Processed for FTI’s (i) compliance with its legal and regulatory obligations, (ii) establishment, exercise and defense of legal claims, and (iii) internal legitimate business purposes of system management and performance, network monitoring, threat monitoring, security processing, invoicing, support ticketing systems, maintaining FTI’s relationship with Client (“Systems Data”) are Processed by FTI as an independent Controller, and that FTI does not act as Processor in this respect, and as such, FTI shall be responsible for ensuring that such Processing is performed in accordance with applicable Data Protection Laws. For the avoidance of doubt, FTI Processes Personal Data pursuant to clause 13.6(iii) as a ‘service provider’ under CCPA.

14.0 PROCESSING OF PERSONAL INFORMATION SUBJECT TO CANADIAN PRIVACY LAWS

14.1 To the extent that the Client or FTI (the “Disclosing Party”) discloses Personal Data subject to Canadian Privacy Laws to a third party (including to an affiliate of the Disclosing Party) located outside Canada (the “Recipient”), the Disclosing Party must enter into a contractual arrangement with the Recipient whereby the Recipient agrees to provide a level of protection to Personal Data that is comparable to the protection granted under Canadian Privacy Laws. To the extent that the Client or FTI anonymizes, de-identifies or aggregates Personal Data, such process will be completed in compliance with Canadian Privacy Laws. Each party agrees not to re-identify or attempt to re-identify anonymized, de-identified or aggregated Personal Information unless authorized or required by Canadian Privacy Laws.

15.0 PRECEDENCE

15.1 The provisions of this Addendum are supplemental to the provisions of the Agreement. In the event of inconsistencies between the provisions of this Addendum and the privacy provisions of the Agreement, the provisions of this Addendum shall prevail; provided, however, the liability of each party and each party’s affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this DPA, the terms of the Standard Contractual Clauses shall take precedence. In no event shall this DPA or any party restrict or limit the rights of any Data Subject or of any competent Supervisory Authority.

16.0 SEVERANCE

16.1 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible; or (ii) if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.

Annex 1: Description of Personal Data Processing

This Annex includes certain details of the Processing of the Personal Data.

Subject matter and duration of the Processing of the Personal Data

The subject matter and duration of the Processing of the Personal Data are set out in the Principal Agreement and this Addendum.

The nature and purpose of the Processing of the Personal Data

FTI is engaged to provide Services to Client which involve the Processing of Personal Data. The scope of the Services is set out in the Principal Agreement, and the Client Personal Data will be Processed by FTI to deliver those Services and to comply with the terms of the Principal Agreement and this Addendum.

The types of the Personal Data to be Processed

Client customer or employee information which may be collected in the course of delivering consulting and advisory services to Client, including name, title, gender, personal contact details (address, telephone number, email address), work address, work email, work telephone numbers, job title, and other types of Personal Data supplied by the Client to FTI pursuant to the Principal Agreement.

The categories of Data Subject to whom the Personal Data relates

The categories of Data Subjects are determined by the nature of the client engagement, the details of which are covered in the Principal Agreement.

Special Categories of Data (where applicable)

The Client Personal Data transferred to FTI concerns the following category(ies) of Special Categories of Data:

  • [Data revealing health or sex life (physical and mental conditions, medical history and procedures, reports, sexual orientation etc.)]
  • [Data revealing racial or ethnic origin]
  • [Data revealing political opinions, religious or philosophical beliefs or trade union membership]
  • [Genetic data] / [Biometric data]
  • [Criminal Data (i.e. Personal Data relating to criminal convictions and offences, for example, Personal Data relating to criminal allegations and proceedings, driving offences, unspent convictions etc.)]

The obligations and rights of Client

The obligations and rights of Client are set out in the Principal Agreement and this Addendum.

Frequency of Restricted Transfers (where applicable)

As necessary to deliver Services for the duration of the Principal Agreement.

The period for which Personal Data subject to Restricted Transfers will be retained (where applicable)

In accordance with the Client’s instructions (and otherwise for the duration of the Principal Agreement), except where FTI retains Personal Data to comply with applicable laws or to establish, exercise or defend legal rights, in accordance with its data retention policies.

Annex 2: Technical and Organizational Security Measures

FTI Technology shall implement the technical and organizational security measures specified on the TRUST site as a minimum security standard. Client acknowledges and agrees that technical and organizational measures listed may vary based on the scope and nature of Services provisioned by FTI Technology pursuant to an executed agreement. FTI reserves the right to modify the Technical and Organizational Measures provided they do not diminish the security level protecting Personal Data. Client confirms that the TOMS are appropriate for the purpose of Data Protection Laws.