Data Processing and Security Addendum

This Hopper Data Processing and Security Addendum, inclusive of Appendices 1, 2, and 3 hereto, (“Addendum”) sets out the essential terms required by Hopper (USA), Inc., a Delaware corporation with its principal place of business located at 265 Franklin Street, Suite 1702, Boston, MA 02110 USA and/or its affiliates (meaning any other entity directly or indirectly controlling or controlled by, or under direct or indirect common control with Hopper (USA), Inc., including without limitation Hopper, Inc., a Canadian federal Corporation with a principal place of business at 5795 Avenue de Gaspe, Montreal, Quebec, H2S 2X3, Canada and Hopper Travel (Ireland), Ltd., a Ireland Corporation with a principal place of business at Mespil Business Centre, Mespil House, Sussex Road, Dublin 4 (collectively “Hopper”), for vendors and service providers (each a “Provider”) who collect, process, receive or otherwise have access to Hopper Data (as defined below). With respect to the Personal Data processed by Provider on behalf of Hopper, Hopper is the data controller of such data and Provider will operate as a data processor of such data. This Addendum shall be deemed incorporated into the terms and conditions of any agreement (each, and “Agreement”) between Hopper and Provider to which it is attached, whether entered into before or after the date of execution hereof. In the event of any conflict between any term of any Agreement and this Addendum, the terms of this Addendum shall govern and prevail.

  1. Definitions.

“Agreement” means any and all agreements between the parties under which Provider receives, collects, accesses or otherwise processes Hopper Data.

“Hopper Data” means any data that is provided by Hopper to Provider, directly or indirectly (including through the Service) or otherwise collected, accessed or processed by Provider on behalf of Hopper, about Hopper, the Hopper apps websites and services, any Hopper consumer, end user, employee, partner, vendor or other provider, or the use of any services by any of them, including any Personal Data.

“Personal Data” means any Hopper Data that can be used to identify, locate, or contact an individual including: (i) first and last name; (ii) home or other physical address; (iii) telephone number; (iv) email address or online identifier associated with an individual; (v) social security number, passport number, driver’s license number, or similar identifier; (vi) credit or debit card number; (vii) employment, financial or health information; (viii) IP address or device identifier, or (ix) any other information relating to an individual, including cookie information and usage and traffic data or profiles, that is combined with any of the foregoing.

“Service” means the services provided by Provider under an Agreement.

  1. Use of Personal Data. Except as expressly permitted in writing by Hopper, including as expressly set forth in any Agreement duly executed between Hopper and Provider, Provider will not directly or indirectly (1) disclose, sell, distribute or transmit the Personal Data to any third party, or (2) use the Personal Data for any purpose other than to provide Hopper the Service hereunder at the direction of and in accordance with the instructions of Hopper, and in accordance with all applicable privacy and data protection laws. Provider will notify Hopper in writing immediately upon making a determination that it has not met, or can no longer meet, its obligations under this Section 2 of this Addendum, and, in such case, will abide by Hopper's written instructions, including instructions to cease further processing of the Personal Data, and take any necessary steps to remediate any processing of such Personal Data not in accordance with this Section 2 of this Addendum.
  2. EU Personal Data. If the Hopper Data that Provider processes contains Personal Data of residents of the European Union (“EU”), Provider then agrees that this Addendum incorporates by reference the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“Model EU Third Country Clauses”) specifically incorporating Module Two thereof with respect to the provisions of each of Clauses 8, 9, and 10 (“Module Two”), and the optional language of Clause 7 and Clause 11(a). For purposes of the Model EU Third Country Clauses (including Module Two), each of Hopper’s affiliates established in the EU shall be “controller” and “data exporter” and Provider is “data importer” and “data processor.” This Addendum shall further incorporate by reference: (1) Appendix 1 attached hereto, which sets forth the identity of the data importer and data exporter, the details of the transfer(s), including in particular the categories of personal data that are transferred and the purpose(s) and duration for which they are transferred, and any specific restrictions and/or additional safeguards applicable to the processing of “sensitive data,” as referenced in Clauses 6, 8.2, 8.5, 8.7, and 13(a) of the Model EU Third Country Clauses; (2) Appendix 2 attached hereto, which sets forth the ​​technical and organizational safeguards required to be set forth in Appendix II to the Model EU Third Country Clauses, as referenced in Clauses 8.3, 8.6 and 10; and (3) Appendix 3 attached hereto, which sets forth the list of approved subcontractors as referenced in Clause 9(a). Clause 9(a) of the Model EU Third Country Clauses shall be agreed to be the following paragraph, which shall replace and supersede Section 4 of this Addendum with respect to any data subject to the provisions of this Section 3 (the reference to Annex III shall refer to Appendix 3 of this Addendum):

The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least thirty (30) days prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.

Clause 13(a) of the Model EU Third Country Clauses shall be agreed to be the following paragraph:

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Clauses 17 and 18(b) of the Model EU Third Country Clauses shall be agreed to be the following paragraphs, which shall replace and supersede Section 11 of this Addendum with respect to any data subject to the provisions of this Section 3:

Clause 17. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

Clause 18(b) The Parties agree that those shall be the courts of Ireland.

In the event of any conflict between this Addendum or the Agreement and the Model EU Third Country Clauses incorporated herein, the Model EU Third Country Clauses shall govern.

  1. Subcontractors. To the extent any subcontractors, vendors, or other third-parties of Provider are required to have access to the Hopper Data in order to enable Provider to provide the Service (“Subcontractors”), Provider shall (i) provide Hopper with an accurate and complete list of any Subcontractors of Provider which will access to the Hopper Data at least thirty (30) days prior to granting such access; (ii) obtain Hopper’s written consent to permit access by such Subcontractor; (iii) impose via written agreement the same privacy, security, and other requirements on any such Subcontractor to which Provider is subject under this Addendum; and (iv) remain responsible for any Subcontractor’s actions with respect to the Hopper Data. A list of approved Subcontractors is attached hereto as Appendix 3.
  2. Security. Provider has implemented, and will maintain, a comprehensive written information security program (“Information Security Program”) that includes administrative, technical, operational, organizational, and physical safeguards to ensure the confidentiality, security, integrity, and availability of the Hopper Data and to protect against unauthorized access, use, disclosure, or access, and against unlawful or accidental alteration, loss, or destruction of the Hopper Data. In particular, the Information Security Program shall include, but not be limited to, the technical and organizational safeguards where appropriate or necessary to ensure the protection of the Hopper Data as set forth in Appendix 2.
  3. Compliance, Reports & Inquiries.

Upon Hopper’s request, Provider will provide Hopper with information demonstrating that it maintains information security controls aligned with the requirements in this Addendum. Provider will maintain, at a minimum, SOC-2 Type I and Type II report compliance audit documentation, or its equivalent, during the Term and will provide a copy (without charge) to Hopper at least once per year during the Term upon written request by Hopper. If Provider handles any Cardholder Data as defined in the Payment Card Industry -– Data Security Standard (“PCI-DSS”), Provider will maintain, at a minimum, compliance with the latest PCI-DSS standard as applicable to Provider and/or Hopper and maintain independent audit documentation including at least an Attestation of Compliance, during the Term and will provide a copy (without charge) to Hopper on the date hereof and at least once per year during the Term upon written request by Hopper. If Provider does not maintain SOC-2 Type I and Type II report compliance audit documentation as specified above, then Provider shall maintain (for three (3) years after the Agreement ends) complete and accurate records relating to its processing of Hopper hereunder and its compliance with this Addendum. Hopper may audit such records during regular business hours, with reasonable advance notice and subject to reasonable confidentiality procedures. Hopper may not audit Provider more than once annually unless an audit reveals a noncompliance or is needed to satisfy Hopper’s own legal compliance obligations.

Provider will provide Hopper with the contact details of Provider’s global data privacy lead, chief privacy officer, data protection officer, or other employee appointed by Provider to address data privacy issues.

Provider will cooperate as directed by Hopper in any audits or inquiries conducted by or on behalf of Hopper, its affiliates and operations worldwide, and/or any data protection authorities, courts, and/or other authorities related to the processing of the Personal Data, including by providing support to Hopper with respect to (i) assisting Hopper in responding to data subject requests for exercising data subject rights under applicable law, including erasing or blocking Personal Data without delay on Hopper’s instruction; (ii) assisting Hopper in responding to data protection authority or other regulatory requests for information related to Provider’s processing; and (iii) providing all information necessary related to Provider’s processing for Hopper to demonstrate compliance with applicable data protection laws.

Provider shall promptly notify Hopper if it receives a request for subject access, rectification, cancellation, objection or any other data protection related requests, and, should any court, government agency or law enforcement agency contact Provider with a demand for Hopper's Data, Provider will direct the law enforcement agency to request such information directly from Hopper. As part of this effort, Provider may provide Hopper's basic contact information to the agency. If compelled to disclose Hopper's Data to law enforcement, then Provider will promptly, and without any undue delay, notify Hopper and deliver a copy of the request (except when Provider is legally prohibited from doing so) to allow Hopper to seek a protective order or any other appropriate remedy.

  1. Security Breach. Provider will notify Hopper immediately in writing upon discovery of any suspected or actual breach of or compromise or unauthorized access to any Hopper Data’s security or confidentiality (each, a “Security Incident”). The notice will describe the Security Incident, the status of Provider’s investigation, and, if applicable, the potential number of persons affected. Provider shall cooperate fully with Hopper in the investigation of the Security Incident. Notwithstanding anything to the contrary in the Agreement or this Addendum, Provider shall indemnify and reimburse Hopper for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred by Hopper as a result of such Security Incident, and remedy any harm or potential harm caused by such Security Incident. To the extent that a Security Incident gives rise to a need, in Hopper’s sole judgment to (i) provide notification to public authorities, individuals, or other persons, or (ii) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a “Remedial Action”)), at Hopper’s request, Provider shall, at Provider’s cost, undertake such Remedial Actions. Provider will not communicate with any third party regarding any Security Incident except as directed by Hopper in its sole discretion.
  2. Insurance. Provider will maintain (i) general commercial liability, workers compensation, employers liability and any other insurance required by law or appropriate to operation of its business and (ii) errors and omissions/professional liability and cyber liability/computer crimes liability insurance which expressly (a) covers breach, loss of or unauthorized access to data or systems and other computer or employee crimes and (b) applies to Hopper Data and any other property of Hopper under Provider’s control. All insurance will be rated A-VII or higher and will have adequate limits commensurate with industry practices (but in any event no less than Two Million Dollars ($2,000,000) per claim and Five Million Dollars ($5,000,000) aggregate for the liability policies). Provider will provide certificates of insurance and add Hopper as an additional insured upon request.
  3. Additional Agreements. Provider shall, upon Hopper’s request, promptly execute, and cause any third party to which it discloses Personal Data or allows access to Personal Data to execute, supplemental data processing agreement(s) with Hopper or any of its affiliated companies or take other appropriate steps to address cross- border transfer or other data protection requirements if Hopper concludes, in its sole, reasonable judgment, that such steps are necessary to address applicable data protection or privacy laws concerning Personal Data. Such supplemental data processing agreement(s) may include, without limitation, the European Commission Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU) and other data protection terms.
  4. Term and Termination. This Addendum shall remain in full force and effect for until the latter of (i) the Agreement(s) remains in effect, and (ii) Provider retains copies of the Hopper Data. Hopper may terminate this Addendum and/or Agreement immediately, without judicial notice or resolution and without prejudice to any other remedies, in the event that (i) Provider is in substantial breach of any representations or warranties given under this Addendum, and fails to cure such breach within 30 days' notice from Hopper, (ii) Provider provides notice to Hopper pursuant to Section 2 of this Addendum, (iii) a data protection or other regulatory authority or other tribunal or court in the countries in which Hopper or its affiliate entities operates finds that there has been a breach of any relevant law in that jurisdiction by virtue of the Provider's or Hopper's processing of Personal Data, (iv) compliance with the terms of this Addendum by the Provider would put Provider in breach of its legal obligations; or (v) if either party makes an assignment for the benefit of creditors, becomes subject to a bankruptcy proceeding, is subject to the appointment of a receiver, or admits in writing its inability to pay its debts as they become due. Upon termination of this Addendum for any reason, the Provider shall, and shall cause any and all subcontractors to, immediately at Hopper 's request: (i) return all Hopper Data and all copies of the Hopper Data subject to this Addendum to Hopper; or (ii) destroy all copies of such Hopper Data in a secure manner that is reasonably designed to render the information permanently unreadable and not reconstructable into a usable format (i.e., in accordance with the then-current U.S. Department of Defense, or similar data destruction standard or CESG standards, as applicable). Provider shall also promptly certify to Hopper that it and its subcontractors have carried out Provider's directions as per this Section 10. Sections 6d and 10 of this Addendum will survive any termination or expiration of the Agreement.
  5. Governing Law. This Addendum will be governed by and construed in accordance with the governing law designated in the Agreement into which it is incorporated.

APPENDIX 1 (Hopper Data Processing and Security Addendum)

1.A - LIST OF PARTIES Data exporter(s): Name: Hopper Travel (Ireland), Ltd. Address: Mespil Business Centre, Mespil House, Sussex Road, Dublin 4 Contact person’s name, position and contact details: Brian Carroll, General Counsel, legal@hopper.com Activities relevant to the data transferred under these Clauses: See Appendix 1.B **Signature and date: **

Role (controller/processor): Controller

Data importer(s): Name: ____ Address: __ Contact person’s name, position and contact details: ____ Activities relevant to the data transferred under these Clauses: See Appendix 1.B Signature and date:

Role (controller/processor): Processor

1.B - DETAILS OF THE TRANSFER(S)

  1. Subject Matter The subject matter of the data processing under this Addendum is the Hopper Data processed by Provider on behalf of Hopper.
  2. Duration The duration of the data processing under this Addendum is the period during which Provider performs services for Hopper under the Agreement or as otherwise required by law.
  3. Purpose The purpose of the data processing under this Addendum is the provision of the Service under the Agreement (as amended from time to time).
  4. Nature of Processing The data processing will involve any such processing that is necessary for the purposes set out in the Agreement, this Addendum, and below (as applicable).
  5. Type of Personal Data The types of Personal Data processed are as described in the Agreement (as amended from time to time), this Addendum, and below (as applicable).
  6. Categories of Data Subjects In providing the Service to Hopper, Provider processes the Personal Data of the data subjects referenced in the Agreement (as amended from time to time), this Addendum, and below (as applicable).
  7. Sensitive Data None.

1.C - COMPETENT SUPERVISORY AUTHORITY

Ireland Data Protection Commission (DPC) (An Coimisiún um Chosaint Sonrai)

APPENDIX 2 - Technical and Organizational Safeguards(Hopper Data Processing and Security Addendum)

a. Access Controls. Policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems, data processing equipment, data processing systems, and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to the Hopper Data have appropriately controlled access and will maintain the confidentiality of the Hopper Data, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing the Hopper Data or information relating thereto to unauthorized individuals; (iv) to encrypt and decrypt the Hopper Data where appropriate; (v) t provide for the use of pseudonymisation where appropriate; and (vi) to ensure that data collected for different purposes can be processed separately.

b. Security Awareness and Training. A security awareness and training program for all members of Provider'’s workforce (including management) who have access to the Hopper Data, which includes training on how to implement and comply with its Information Security Program.

c. Security Incident Procedures. Policies and procedures to detect, respond to, and otherwise address Security Incidents (as defined herein), including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into the Hopper Data or information systems relating thereto, and procedures to identify and respond to suspected or known security or privacy incidents, mitigate harmful effects of such incidents, and document such incidents and their outcomes.

d. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages the Hopper Data or systems that contain the Hopper Data, including a data backup plan, a Business Continuity Plan (BCP) and a disaster recovery plan, including measures to ensure the ongoing confidentiality, integrity, availability and resilience of Provider systems and services, and to ensure the ability to restore the availability and access to the Hopper Data in a timely manner in the event of a physical or technical incident;

e. Device and Media Controls. Policies and procedures that govern the receipt and removal of hardware and electronic media that contain the Hopper Data into and out of a Provider facility, and the movement of these items within a Provider facility, including policies and procedures to address the final disposition of the Hopper Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for reuse.

f. Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith, and measures to ensure that it is possible to check and establish whether and by whom data have been input into data processing systems or removed.

g. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of the Hopper Data and protect it from disclosure, improper alteration, or destruction.

h. Storage and Transmission Security. Technical security measures to guard against unauthorized access to the Hopper Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Personal Data in electronic form while in transit and at rest in storage on networks or systems to which unauthorized individuals may have access, and to ensure that it is possible to check and establish to which bodies the transfer of Data by means of data transmission facilities is envisaged.

i. Storage Media. Policies and procedures to ensure that prior to any storage media containing Hopper Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, Provider will irreversibly delete such Hopper Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media such that it is impossible to recover any portion of data on the media that was destroyed. Provider shall maintain an auditable program implementing the disposal and destruction requirements set forth in this Section for all storage media containing Hopper Data.

j. Assigned Security Responsibility. Provider shall designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. Provider shall inform Provider as to the person responsible for security.

k. Testing. Provider shall regularly test, assess, and evaluate the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified and protecting the Hopper Data. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

l. Adjust the Program. Provider shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Provider or the Hopper Data, and Provider'’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

APPENDIX 3 - Subcontractors (Hopper Data Processing and Security Addendum)

The controller has authorised the use of the following sub-processors: None.