GLOBAL DATA PROTECTION AND INFORMATION SECURITY AGREEMENT
(Controller – Controller)
Last Updated: February 10th, 2026
This Global Data Protection and Information Security Agreement (“DPA”) is made part of an agreement with Paramount Skydance Corporation and/or one or more of its Affiliates (such party(ies), as applicable, “Paramount”), which makes reference to this DPA or the URL at which this DPA is located (the “Agreement”). This DPA does not limit other obligations of Partner, including, without limitation, any obligations under the Agreement or laws that apply to Partner or to Partner’s performance under the Agreement. In the event of a conflict between the DPA, the Agreement or any applicable security requirements, the requirement that is most restrictive and protective of Paramount, as determined by Paramount in its sole discretion, shall apply unless otherwise expressly agreed upon in writing by Paramount.
1 DEFINITIONS
1.1 Capitalized terms defined below shall have the meanings set forth herein, whether or not such terms are otherwise defined in the Agreement. Capitalized terms used but not otherwise defined in this DPA shall have the meanings assigned to such terms in the Agreement.
1.2 “Affiliate” means an entity, directly or indirectly, controlling, controlled by, or under direct or indirect common control with a party; provided, that with respect to Paramount Skydance Corporation, only those entities that are directly or indirectly controlled by such entity.
1.3 “Argentinian Model Clauses” mean the model contract titled Contrato modelo de transferencia internacional de datos personales con motivo de la cesión de datos personales as adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60-E/2016.
1.4 “Brazilian Model Clauses” mean the model contract titled Cláusulas-padrão Contratuais as adopted by the Brazilian National Data Protection Authority under Annex II to Resolution CD/ANPD No. 19/2024.
1.5 “Data Protection Laws” mean any applicable law, treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance or industry self-regulatory rules or guidelines regarding the same, whether of or by any legislative, administrative, judicial, or other Governmental Entity, that governs or relates to the confidentiality, security, privacy, or Processing of Personal Data or otherwise regulates marketing communications, data protection, or Security Incident management and/or notification, including without limitation the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); the United Kingdom General Data Protection Regulation (“UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act of 2018, Cal. Civil Code section 1798.100 et seq., as amended (“CCPA”), and other applicable state and federal United States privacy laws (together with the CCPA, the “US Privacy Laws”); and the Brazilian General Data Protection Law, Law n. 13.709 of 2018 (“LGPD”).
1.6 “Data Subject” means, as applicable:
- 1.6.1 any identified or identifiable individual;
- 1.6.2 the meaning as set forth in Data Protection Laws; and
- 1.6.3 such similar terms as defined in any Data Protection Laws, including the term “Consumer”.
1.7 “Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws, including without limitation the right of access, right to rectification, right to restrict Processing, right to erasure, right to data portability, or right to object to the Processing.
1.8 “European Model Clauses” mean:
- 1.8.1 in respect of Personal Data to which the GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 (“EU Model Clauses”);
- 1.8.2 in respect of Personal Data to which the UK GDPR applies, the EU Model Clauses, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (“UK Model Clauses”); and
- 1.8.3 in respect of Personal Data to which the FADP applies, the EU Model Clauses as applicable in Switzerland and adapted as follows:
- (a) the term ‘Member State’ shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18(c); and
- (b) the EU Model Clauses also protect the data of legal entities until the entry into force of the revised FADP (“Swiss Model Clauses”).
1.9 “Governmental Entity” means any federal, state, provincial, municipal, local or foreign government, governmental authority, regulatory or administrative agency, governmental commission, department, board, bureau, agency, instrumentality, court or tribunal, and includes a “Supervisory Authority” as defined in applicable Data Protection Laws.
1.10 “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to, a unique (as applicable) Data Subject, computing device, or household, and shall include, but is not limited to, all “personal data”, “personal information”, or similar terms, as defined in applicable Data Protection Laws.
1.11 “Process” or “Processing” means any operation or set of operations that is performed on Paramount Data, whether or not by automated means, such as collection, using, accessing, recording, reproducing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, evaluation or control, modification, blocking, restriction, erasure or destruction, or classification, and including all “processing” as defined in applicable Data Protection Laws.
1.12 “Restricted Transfer” means a transfer (either directly or via onward transfer) of Personal Data by a Party acting as an exporter to an importer located in a jurisdiction that has not been recognized by the Data Protection Laws applicable to the exporter as offering an adequate level of protection for Personal Data.
1.13 “Security Incident” means:
- 1.13.1 the unauthorized, unlawful or accidental acquisition, use, disclosure, destruction, alteration, deletion, modification, access to, corruption, transfer, sale, rental, or other Processing of any portion of Paramount Data;
- 1.13.2 any act or omission that compromises the privacy, security, confidentiality, availability, or integrity of Paramount Data or any safeguards put in place to protect the same;
- 1.13.3 any failure by Partner to adhere to this DPA;
- 1.13.4 any other event involving Personal Data that triggers notification obligations to consumers or regulatory authorities, or similar requirements under Data Protection Laws; or
- 1.13.5 any attempt to cause any of the events described in this section 1.13.
1.14 “Paramount Data” means any and all data or information (including Personal Data), in any form, format or media, provided or otherwise accessed by or made available to Partner or any of its employees, agents or contractors or by any other party in connection with or incidental to the Agreement, as well as all data and works obtained, developed or produced by Partner in connection with the Agreement, including derivatives, aggregations, or analysis of any of the foregoing. For clarity, Paramount Data shall not include data or information that has been directly collected by Partner independently of its performance under this Agreement, from sources besides the Paramount Properties.
1.15 “Paramount Property” means the websites, mobile applications and/or other digital media properties owned or operated by Paramount.
1.16 The terms “Business”, “Controller”, “Operator”, “Processor”, “Service Provider” and “Special Categories of Personal Data” as used in this DPA will have the meanings ascribed to them in applicable Data Protection Laws. With respect to “Special Categories of Personal Data,” this term shall also include “sensitive personal information” or similarly defined terms in applicable Data Protection Laws and Personal Data collected from a “child” as defined under applicable Data Protection Laws.
2 ROLES OF THE PARTIES
2.1 The Parties agree that as between each other, each:
- 2.1.1 is a separate and independent Controller and Business;
- 2.1.2 does not and will not Process Personal Data which it discloses or receives under the Agreement as joint Controllers;
- 2.1.3 will individually determine the purposes, means, and lawful basis of its Processing of Personal Data; and
- 2.1.4 shall be individually and separately responsible for complying with Data Protection Laws (including by providing the same level of protection to Personal Data as Businesses are required to provide under Data Protection Laws), as well as ensuring that any third party to whom it provides Personal Data also complies with Data Protection Laws. The Parties further agree that any third party engaged by Partner or to whom Partner provides Paramount Data is not and shall not be engaged as a Service Provider or as a Processor of Paramount.
2.2 The Agreement describes the Services provided by each Party and for each Service describes:
- 2.2.1 its subject matter, purpose, and intended benefits;
- 2.2.2 the duration of Processing of any Personal Data in connection with the Service;
- 2.2.3 the categories of Data Subjects affected;
- 2.2.4 the categories of Personal Data Processed;
- 2.2.5 a Party’s responsibility, if any, for the accuracy and quality of Personal Data; and
- 2.2.6 contact details for a Party’s data protection officer or equivalent individual.
2.3 Except as expressly provided in the Agreement, Partner acknowledges that:
- 2.3.1 As between Partner and Paramount, Paramount owns all right, title and interest in Paramount Data;
- 2.3.2 Paramount is disclosing Paramount Data to Partner only for the limited and specific purposes set forth in the applicable annex to the Agreement; and
- 2.3.3 Partner is granted a right to use Paramount Data only for such purposes.
2.4 Partner shall impose restrictions at least as protective as this DPA on any recipient of Paramount Data, and shall remain responsible to Paramount for any breach of this Agreement by such recipient.
2.5 Except as contemplated in the Agreement or where expressly required by law, Partner shall not:
- 2.5.1 access, disclose to a third party, or export Paramount Data;
- 2.5.2 implement any technologies intended to track, monitor, or view Paramount customers or end users of Paramount Properties via the collection of Personal Data; or
- 2.5.3 collect Special Categories of Personal Data from Paramount Properties or provide Special Categories of Personal Data to Paramount.
3 OBLIGATIONS OF THE PARTIES
3.1 Technical and Organizational Measures. Each Party shall implement appropriate technical and organizational measures to protect Personal Data. Partner will maintain physical, administrative, and technical safeguards consistent with industry-accepted best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) 800-53 Cybersecurity Framework, the Cloud Security Alliance, or other similar industry standards for information security) to protect the confidentiality, integrity, and availability of Paramount Data and systems. Partner shall maintain industry-leading standards in evolving technical controls, such as: firewalls, anti-virus software, security monitoring, and security alerting systems.
3.2 Staff Training. Each Party shall ensure that all employees, agents and contractors involved in the Processing of Personal Data under the Agreement shall receive training on their responsibilities for the Processing including any applicable procedures or policies implemented by the Parties.
3.3 If Partner receives a request for access to Paramount Data from a Governmental Entity, Partner shall promptly notify Paramount in advance of any such disclosure, and shall cooperate with Paramount in objecting to the request to the full extent permitted by law. If Partner is prohibited from notifying Paramount of such request by applicable law, then Partner shall engage legal counsel to take reasonable measures to object to such disclosure. In case of any disclosure, Partner shall disclose only the minimum Paramount Data necessary to comply with the request.
3.4 Security Incidents:
- 3.4.1 Detection and Response. Partner will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (a) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (b) restore the availability or access to Paramount Data in a timely manner.
- 3.4.2 Notice of Security Incident. If Partner becomes aware of a Security Incident, or information that should reasonably lead Partner to suspect a Security Incident has occurred, Partner shall notify Paramount without undue delay (and in any event within 24 hours), and on an ongoing basis provide the following information as soon as possible: (a) the segment and quantity of Paramount Data affected (including whether Paramount Personal Data was affected), (b) the nature of the intrusion (if applicable), (c) any indication of likely unauthorized use of Paramount Data, and the corrective action taken or to be taken by Partner, and (d) all other available details required under applicable laws, including Data Protection Laws, for Paramount to comply with its own investigation and notification obligations to Data Subjects affected by the Security Incident or to Governmental Entities. Partner shall not release or publish any filings, communications, notices, press releases, or reports about the Security Incident to the extent that such notification or public statement refers to Paramount without Paramount’s written authorization, but in all other respects the Parties agree that each Party shall be responsible for determining what, if any, notifications or public statements should be issued on its behalf, and for issuing such notifications or public statements. The obligations of Partner under this section 3.4.2 only apply to the extent that they do not prevent Partner from complying with notification deadlines provided for by Data Protection Laws.
- 3.4.3 Remediation Efforts. Following any Security Incident, Partner shall consult in good faith with Paramount regarding remediation efforts that may be necessary and reasonable (“Remediation Efforts”). Partner shall (a) undertake any Remediation Efforts requested by Paramount or any government agency with jurisdiction over Partner, in either case at Partner’s sole expense, (b) ensure and provide assurance (including written evidence) to Paramount that reasonable measures were and are being taken to prevent recurrence of the same or similar type of Security Incident, and (c) reasonably cooperate with any Remediation Efforts undertaken by Paramount.
3.5 Cooperation of Parties
- 3.5.1 Where required by Data Protection Laws, each Party shall implement adequate mechanisms to allow Data Subjects to grant consent to and/or opt-out of use of Personal Data, and to communicate Data Subject choices to each other. Each Party shall provide reasonable and timely assistance in order to enable the other Party to comply with Data Protection Laws, including to:
- (a) respond to a Data Subject’s request in relation to Personal Data held by the other Party;
- (b) conduct data protection impact assessments or data security assessments; and
- (c) implement reasonable and appropriate steps to stop and/or remediate the unauthorized use of Personal Data.
- 3.5.2 If Partner is Processing Personal Data collected from users of Paramount Properties, Partner agrees to:
- (a) implement and honor any opt-out and other relevant signal(s) that are (i) passed by Paramount, (ii) required by Data Protection Laws, or (iii) otherwise agreed-upon by the Parties;
- (b) pass any opt-outs described in subsection (a) to any entity that receives such Personal Data and take necessary steps (including contractual restrictions) to require any entity that receives such Personal Data to implement and honor any opt-out and other relevant signal(s) that are (i) passed by Paramount, (ii) required by Data Protection Laws, or (iii) otherwise agreed upon by the Parties;
- (c) be a registered vendor listed in the Global Vendor List of the IAB Europe Transparency and Consent Framework (latest version), if applicable; and
- (d) grant Paramount the right to take reasonable and appropriate steps to implement measures Paramount deems necessary to ensure such Personal Data is used in accordance with this DPA and Agreement, and to stop/remediate any unauthorized use of such Personal Data, including, without limitation, removal of Partner’s pixels, tags, or similar tracking code from Paramount Properties without prior notice to Partner.
- 3.5.3 For the avoidance of doubt, each Party remains responsible for compliance with requests from Data Subjects made to it.
3.6 The Parties shall review the effectiveness of this DPA, the Agreement and any data sharing under it against the purposes and aims stated in this DPA and the Agreement. The review shall be conducted on a periodic basis throughout the duration of the term of the Agreement. The Parties will use reasonable efforts to mutually review the effectiveness and agree on any remediation (if required by Data Protection Laws).
3.7 Partner shall promptly notify Paramount of any determination (made by Partner or by a third party with respect to Partner) that it can no longer meet its obligations under this DPA, the Agreement, or Data Protection Laws.
4 INTERNATIONAL DATA TRANSFERS
4.1 The Parties acknowledge that the provision of the Services under the Agreement may involve a Restricted Transfer. Notwithstanding the generality of the foregoing, the Parties agree to the following with respect to a Restricted Transfer:
- 4.1.1 If the Processing of Personal Data under the Agreement involves a Restricted Transfer by Paramount to Partner of Personal Data to which the GDPR, the UK GDPR, or the FADP applies, the Parties agree to comply with the European Model Clauses, which shall be deemed incorporated into and form part of this DPA. For purposes of the European Model Clauses:
- (a) Paramount is the Data Exporter and Partner is the Data Importer (as defined in the European Model Clauses); and
- (b) where applicable in each case and unless otherwise agreed by the Parties: (i) Annex 1 of this DPA shall apply and be deemed to be Annex I of the European SCCs; and (ii) section 3 of this DPA and any additional technical and organizational measures ensuring the security of Personal Data set out in the Agreement shall apply and be deemed to be Annex II of the European SCCs.
- 4.1.2 If the Processing of Personal Data under the Agreement involves a Restricted Transfer by Paramount to Partner of Personal Data subject to Argentinian Data Protection Laws, the Parties agree to comply with the Argentinian Model Clauses. The description and details of International Data Transfers, for the purposes of the Argentinian Model Clauses, are set out in Annex 1 to this DPA.
- 4.1.3 If the Processing of Personal Data under the Agreement involves a Restricted Transfer by Paramount to Partner of Personal Data subject to the LGPD, the Parties agree to comply with the Brazilian Model Clauses, which shall be deemed incorporated into and form part of this DPA. For the purposes of the Brazilian Model Clauses:
- (a) Paramount is the Data Exporter and Vendor is the Data Importer (as defined in the Brazilian Model Clauses); and
- (b) where applicable in each case and unless otherwise agreed by the Parties: (i) the configurable fields under Clause 1, Clause 2, Clause 3, Clause 4 and Section IV of the Brazilian Model Clauses shall be completed as set out in Annex 1 to this DPA; and (ii) section 3 of this DPA and any additional technical and organizational measures ensuring the security of Personal Data set out in the Agreement shall replace the table contained in Section III of the Brazilian Model Clauses.
- 4.1.4 If the provision of the Services involves a Restricted Transfer by Partner to a third party, Partner warrants that it shall:
- (a) execute the European Model Clauses, the Argentinian Model Clauses, the Brazilian Model Clauses, or any other applicable safeguard that complies with applicable Data Protection Laws to safeguard the transfer of Personal Data, and make available the same to Paramount upon request; and
- (b) if required by applicable Data Protection Law, carry out any transfer impact assessment in respect of the third country of destination which at a minimum takes account of the specific circumstances of the transfer, the laws and practices of the third country of destination, and any relevant contractual, technical, or organizational safeguards that Partner has put in place with the third party. Partner shall make available such transfer impact assessments to Paramount upon request.
4.2 Partner represents and warrants that, except in the course of ordinary litigation, neither Partner, nor, to Partner’s knowledge, any third party to whom Partner intends to provide Paramount Data, has received a request from any Governmental Entity for access to Personal Data that is Processed by Partner in connection with the Services. Partner covenants to immediately notify Paramount in the event that, in Partner’s opinion:
- 4.2.1 any Restricted Transfers performed under the Agreement would be in breach of the European Model Clauses, Argentinian Model Clauses, Brazilian Model Clauses, or applicable Data Protection Laws governing such Restricted Transfers; or
- 4.2.2 Partner is unable to provide an adequate level of protection for Personal Data under applicable Data Protection Laws (each an “Inadequacy Notice”). Upon receipt of an Inadequacy Notice from Partner, Paramount shall be entitled to terminate the Agreement with no further expenses, costs, or liabilities.
4.3 If any additional Data Protection Laws become effective during the Agreement which involve Restricted Transfers not contemplated herein, the Parties agree to meet in good faith to complete any formalities and enter into any documents as may be required by such Data Protection Laws.
4.4 In connection with its obligations pursuant to 28 CFR Part 202 (the “Rule”), Partner represents and warrants that it has performed the appropriate diligence required to represent and warrant that any pixels and other tracking technologies placed on Paramount Properties (“Partner’s Providers”) are not Covered Entities. To the extent Partner’s Providers are Foreign Persons, Partner has bound such Partner’s Providers to the contractual restrictions required under the Rule. The terms “Covered Entities” and “Foreign Persons” have the meanings set forth in the Rule and Exec. Order 14117.
5 DELETION OF PARAMOUNT DATA; PRESERVATION
5.1 Without limiting any obligation in the Agreement, and subject to Partner’s retention obligations under applicable laws, rules, and regulations, Partner shall promptly and securely destroy (by making unreadable, un-reconstructable, and indecipherable) any or all Paramount Data (including, without limitation, all electronic copies on hard drives, backup media, portable devices, optical, magnetic, or other storage media, as well as hard copies) upon the earlier to occur of the following:
- 5.1.1 termination or expiration of the Agreement or any applicable statement of work, work order or similar transaction document for any reason; or
- 5.1.2 Paramount’s reasonable request.
5.2 If Partner is required to retain Paramount Data pursuant to applicable laws, rules and regulations, including Data Protection Laws, Partner shall so inform Paramount of such requirement.
5.3 If Paramount notifies Partner in writing that particular Paramount Data may be Paramount attorney-client communication or attorney work-product, then Partner shall:
- 5.3.1 not take any action that would result in waiver of such privilege or work product immunity through the acts or omissions of Partner or its Affiliates;
- 5.3.2 if required by Paramount, immediately terminate the ability of any users of the applicable software or services to share such Paramount Data with third parties; and
- 5.3.3 instruct all Partner personnel who may have access to such Paramount Data to maintain such Paramount Data as strictly confidential.
5.4 If Partner is required by law or by interrogatories, written requests for information or documents by a Governmental Entity, subpoena, civil investigative demand or similar legal process to disclose any Paramount Data that may be within attorney-client or work-product privileges, then Partner must provide (unless prohibited by applicable law) Paramount with prompt, written notice of such request or requirement so that Paramount may at its own expense seek an appropriate protective order or object to the requested disclosure.
5.5 Partner shall comply with Paramount requirements regarding the preservation and production of Paramount Data held by Partner that is relevant for legal and regulatory proceedings or investigations.
6 MISCELLANEOUS
6.1 Survival. Partner’s obligations under this DPA shall continue for so long as Partner Processes Paramount Data, even if the Agreement between the Parties has expired or been terminated.
6.2 Changes to the DPA. In addition to any rights under the Agreement, Paramount may modify this DPA at any time, including to the extent required to comply with Data Protection Laws, a court order or guidance issued by a Governmental Entity, by posting an updated version of this DPA at https://legal.paramount.com/cc-security-and-privacy or successor website.