Last Updated: April 1, 2025

This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Snappy Subscription  Terms available at https://www.covver.io/subscription (the “Agreement”) entered into by and between the  entity utilizing the Services provided under the Agreement hereinafter referred to as “Client”) and Snappy App, Inc. (or other affiliate thereof designated on your Order) (hereinafter referred to as “Company”). Company and  Client are hereinafter jointly referred to as the “Parties” and individually as the “Party.” Capitalized terms not  otherwise defined herein shall have the meaning given to them in the Agreement.

  1. Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have  the meanings set forth opposite each one of them:

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common  control with the subject entity, including any if its affiliated companies, subsidiaries, holding companies  and parent companies. “Control” for purposes of this definition means direct or indirect ownership or  control of more than 50% of the voting interests of the subject entity;

1.2. “Applicable Laws” means (a) European Union or Member State laws with respect to any Client Personal  Data in respect of which Client is subject to EU Data Protection Laws; and (b) any other applicable law  with respect to any Client Personal Data in respect of which the Client is subject to any other Data  Protection Laws;

1.3. “Authorized Personnel” means any person who processes Client Personal Data on Company’s behalf,  including Company’s employees, officers, partners, principals, contractors and Sub Processors.

1.4. “CCPA” means the California Civil Code Section 1798.100-1978.199.

1.5. “Client Personal Data” means any Personal Data Processed by Company on behalf of the Client  pursuant to or in connection with the Agreement; provided, however, any data provided by an end  user in connection with collecting a gift shall not be deemed “Client Personal Data”.

1.6. "Data Protection Laws" means, as applicable in connection with the Processing of Client Personal Data  under the Agreement, (a) EU Data Protection Laws, or (b) CCPA and any legislation and/or regulation  implementing or made pursuant to the GDPR and the CCPA, or which amends or replaces any of them;

1.7. "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of  each Member State and as amended, replaced or superseded from time to time, including by the GDPR  and laws implementing or supplementing the GDPR;

1.8. "GDPR" means EU General Data Protection Regulation 2016/679;

1.9. “User” – shall hold the meaning ascribed to it under the Agreement.

1.10. "Restricted Transfer" means (i) a transfer of Client Personal Data from Client to Company; or (ii) an  onward transfer of Client Personal Data from a Company to a Sub Processor, or between two  establishments of Company, in each case, where such transfer would be prohibited by Data Protection  Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions  of Data Protection Laws) in the absence of a legal transfer mechanism to be established under this  DPA, including without limitation the applicable Standard Contractual Clauses;

1.11. "Sub Processor" means any person (including any third party and any Company Affiliate, but excluding  an employee of Company or any of its sub-contractors) appointed by or on behalf of Company or any  Company Affiliate to Process Personal Data on behalf of the Client in connection with the Agreement;

1.12. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of  Personal Data to third countries pursuant to the GDPR and adopted by the European Commission  Decision 2021/914 of 4 June 2021 which is attached herein for convenience by linked reference:  https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.  1.13. The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal

Data Breach", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as  in the GDPR.

1.14. The terms “Service Provider”, “Sell”, “Contractor” and “Consumer” shall be interpreted in accordance  with the CCPA; Where applicable, references to Company shall also refer to ‘Service Provider’,  references to Sub Processor shall refer to ‘Sub-Contractor’ and references to Data Subject shall also  refer to ‘Consumer’;

  1. Roles of the Parties; Processing of Client Personal Data

2.1. In the scope of Company’s processing of Client Personal Data, as between the Parties, for the purposes  of this DPA only, and except where otherwise indicated, Company shall be deemed the  Processor/Service Provider and Client shall be deemed the Controller (or its equivalent under the  CCPA). Client authorizes and instructs Company to Process Client Personal Data related to Data  Subjects who use the Services, and to share such data with Sub-Processors and relevant third parties

service providers as necessary to provide the Services, on Client’s behalf, as part of the Services, as  further detailed under Annex 1 to this DPA. Client authorizes Company to engage with all relevant third  parties service providers as necessary to provide the Services under data processing agreements on  Client’s behalf, including, inter alia, engaging such third parties service providers as necessary to  provide the Services under the EU SCCs on Client’s behalf to facilitate the lawfulness of Personal Data  Transfers between Client and third parties service providers as necessary to provide the Services.