PRIVACY POLICY 
Updated: March 10, 2021 

Liquidity Capital ("Company", "we", "us" or "our") respects your privacy and recognizes that your  privacy is important. This privacy policy ("Privacy Policy") sets forth and governs the privacy practices of the Company and applies to users that access our website and the services therein, including our  proprietary software platform ("Platform"). It is your responsibility to read this Privacy Policy  thoroughly. This Privacy Policy also provides the required information under the EU General Data Protection  Regulation ("GDPR") and the California Consumer Privacy Act of 2018 ("CCPA"), to the extent applicable. In that case under the GDPR, you are defined as a “Data Subject” with respect to your use of the  Platform and our Site and Services, and as a “Data Controller” with respect to the Company Data (as  defined in our Terms and Conditions and, if applicable, in our Master License Agreement). 

Applicability 
This Privacy Policy explains Liquidity’s data collection practices that are applicable towards: (i) any visitor  of our website ("Visitor"); and (ii) any entity which uses our Platform and their users (i.e., their  employees) ("Customer"). Customers and Visitors will be jointly referred to as "you" or "your".  

The Privacy Policy in a nutshell: 
• You are not required by law to provide us with any Personal Data (as such term is defined below).  Please note, that some of our services require the processing of certain Personal Data, as further  described in this Privacy Policy. Without such data we may not be able to provide you with all or  part of the services. 

• Our website and services are intended for users over the age of 16 or an equivalent minimum age  for providing consent to process Personal Data in the relevant jurisdiction. Children under such age  are not permitted to use our services nor provide us with any Personal Data.  

• You may be entitled under applicable laws to review, amend, erase, or restrict the processing of  your Personal Data. Please review the "Privacy Rights" section below for more information about  your rights.  

Collection and Use of Data 
Depending on your interaction with our website or use of the Platform, we may collect two types of data from you, as follows:

"Personal Data" or "Personal Information" (in accordance with applicable law definitions), shall mean information that identifies an individual or may with reasonable effort identify an individual. This may include online identifiers such as your IP address, name, email, etc.

"Non-Personal Data" shall mean technical and aggregated data about you that is non-identifiable and non-personal data. Non-personal Data which is collected may include your aggregated usage information and technical information transmitted by your device, including certain software and hardware information about your device (e.g., the device you use, the type of browser and operating system your device uses, access time and the website's domain name from which you linked to the Website, etc.) in order to enhance the functionality of the website. We may also collect information about your activity on the website (e.g., how many users visited the website, which pages were viewed, etc.).

If we decide to combine Personal Data with Non-Personal Data, we shall treat the consolidated data as Personal Data.

The disclosure of any Personal Data and the process of any such Personal Data by us, shall be in accordance with this Privacy Policy and in accordance with our Data Processing Agreement set forth below.

We do not knowingly collect or process any Special Categories of Personal Data, such as constituting or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning a person's health or data concerning a person’s sex life or sexual orientation. In the event you become aware that such data has been uploaded to the website or the Platform or collected by us unintentionally, please inform us immediately.

The Personal Data and Non-Personal Data are collected as follows: 
• Directly from you when you provide it to us; 
• Automatically as you navigate through the site using cookies and other tracking technologies defined and discussed in more detail below. Information collected automatically may include usage details, email address, IP address, and information collected through cookies and other tracking technologies; and
• From third parties as further described below. 

Personal Data is only used for limited purposes, as specified below: 
A. Personal Data regarding Customers: If you choose to use our Platform you will be required to provide us with your full name and email address (for signing-up) or access authorizations to the Platform and email address (for login), and payment information. If you are a Customer, we will send you emails with marketing materials regarding the services you are currently using or any services we may offer in the future ("Direct Marketing") and, subject to your consent (opt-in), we will share your contact details with our Customer. The purpose of the processing is to provide the services to the Customers. With respect to EU persons, the legal basis under the GDPR is performance of a contract with you or taking steps at your request prior to entering into a contract. Direct Marketing is subject to our legitimate interest and, in accordance with applicable laws, you may opt out at any time from certain correspondence.

B. Contact Us: In the event you choose to contact us in order to ask any question, you will be requested to provide your name, phone number, email address and free text. The purpose of the processing is to answer your questions and provide you with assistance, or any other service you requested. The correspondence will be stored by us in the event we believe it is required, for example, in the event of any claims or in order to provide you with any further assistance. In accordance with the GDPR, the processing of such data is subject to your consent.

C. Newsletters: In the event that you sign up to receive our newsletter, you will be requested to provide your email address. The purpose of the processing is to send you newsletters. In accordance with the GDPR, such use and processing is subject to your consent and you may opt out of the newsletter service at any time.

D. Device Information: We may collect Personal Data from your device. Such information may include Internet protocol (IP) address, unique identifiers, as well as other information that relates to your activity through the Website. This data might be collected by us or by our service providers (i.e., through cookies). The purpose of the processing is our use of such data in order to maintain, protect and manage our website for analytic and statistical purposes regarding interaction with our website. We use this data under our legitimate interests.

Publicly Available Information
We collect, gather, and analyze publicly available information, for example professional information available on social media and information derived from databases that are made available to us by third parties. We believe in good faith that such third parties provide or share such data with us in compliance with all applicable laws. This information mostly includes names, contact information (such as email addresses) and job titles. Even though this data was made publicly available by an individual, we respect the privacy and rights of such individual and thus, this Privacy Policy governs such data as well.

The California Consumer Privacy Act 2018: 
The Categories of Personal Information Collected and Shared by Us 
Please note that the definition of Personal Information under the CCPA does not include: (i) publicly available information from government records; and (ii) de-identified or aggregated consumer information.

According to the CCPA requirements, below is a list specifying the categories of Personal Information we collect from you:

A. Identifiers - A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license  number, passport number, or other similar identifiers. This information is collected. 

B. Personal information categories listed in the California Customer Records statute (Cal. Civ.  Code § 1798.80(e)) - A name, signature, Social Security number, physical characteristics or  description, address, telephone number, passport number, driver's license or state identification  card number, insurance policy number, education, employment, employment history, bank  account number, credit card number, debit card number, or any other financial information,  medical information, or health insurance information. Some personal information included in  this category may overlap with other categories. Such information is not collected. 

C. Protected classification - Age (40 years or older), race, color, ancestry, national origin,  citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex  (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including  familial genetic information). Such information is not collected. 

D. Commercial information - Records of personal property, products or services purchased,  obtained, or considered, or other purchasing or consuming histories or tendencies. Such  information is not collected. 

E. Biometric information - Genetic, physiological, behavioral, and biological characteristics, or  activity patterns used to extract a template or other identifier or identifying information, such  as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical  patterns, and sleep, health, or exercise data. Such information is not collected.

F. Internet or other similar network activity - Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. Such information is not collected.

G. Geolocation data - Physical location or movements. Such information is not collected.

H. Sensory data - Audio, electronic, visual, thermal, olfactory, or similar information. Such information is not collected.

I. Professional or employment-related information - Current or past job history or performance  evaluations. Such information is not collected. 

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) - Education records directly related to a student  maintained by an educational institution or party acting on its behalf, such as grades,  transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. Such information is not collected. 

K. Inferences drawn from other personal information - Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Such information is not collected. 

According to the CCPA requirements, below is information concerning disclosures of Personal  Information we made for business purposes: 
In the last twelve (12) months, the Company has disclosed the following categories of Personal Information for business purposes: (A) Identifiers.

We have disclosed your Personal Information for a business purpose to the following categories of third parties: service providers & data aggregators (e.g. for analytical purposes), business partners (for fraud detection, payment calculation and bank account integration).

Please note, that Personal Information disclosed by us for a business purpose, is subject to contractual obligations on behalf of the third party, to whom the information was disclosed, and who may not use this information for any purpose except for performing its obligations under the engagement we have with such third party.

According to the CCPA requirements, below is information concerning the sale of Personal  Information: 
In the last twelve (12) months, the Company has not sold Personal Information.

With Whom We Share Data
We do not sell, trade, or rent our users' Personal Data to other parties. We may share data solely for limited purposes as described below:
• We will share your Personal Data, solely to the extent needed to comply with applicable law or  regulation (including our policies and agreements). 
• We will share your Personal Data solely to the extent needed to establish or exercise our rights to  defend ourselves against legal claims or to prevent harm to our rights, property, or safety and with  respect to our users, yourself or any third party or for the purpose of collaborating with law  enforcement agencies or in case we find it necessary in order to enforce intellectual property or  other legal rights. 
• We may share your data, in the event of a corporate transaction (for instance, sale of a substantial  part of our business, merger, consolidation or asset sale). In such case, our affiliated companies or  acquiring company will assume the rights and obligations as described in this Privacy Policy.  
• We may share Personal Data with our trusted partners and service providers who assist us in  operating the Services and conducting our business, such as: cloud hosting services, account  maintenance and technology services.  
• Subject to your consent (opt-in), we may share Personal Data with our Customers for the performance of our Services.
• We may share online identifiers collected by us (as detailed herein), for the purpose of operating our business, as well as to calculate payments and detect fraud, security, or technical issues in connection with the Product and Software.

Privacy Rights 
Privacy laws in different jurisdictions provide different rights regarding your Personal Data, such as the right to access your Personal Data, the right to delete Personal Data, the right to opt out from Personal Data processing, and so on.

Principally, if you are a resident of the European Economic Area ("EEA") or the State of California, the provisions of the GDPR and the CCPA, respectively, provide you with the following rights:

The right to be informed: In order to ensure fair and transparent processing of Personal Data, you  have the right to be provided with information regarding how we collect data and our privacy  practices, as detailed herein.  
The right to access data: You have the right to request a confirmation from us that we process your  Personal Data and under certain circumstances, to be provided with a copy of the Personal Data we  process.  
The right to request deletion of your Personal Data: You have the right to require us to delete certain Personal Data, if certain conditions are satisfied (if the Personal Data is no longer needed for the original purpose it was collected and there is no new lawful basis for continued processing; if you have exercised your right to withdraw consent (to the extent applicable), or to object to the processing and we have no overriding grounds for the continued processing; the Personal Data is processed unlawfully; or, erasure of Personal Data is necessary to comply with applicable legislation). Please note, this right is not absolute. We may reject your request under certain circumstances, including where we have to retain the data in order to comply with legal obligations or defend against legal claims, etc.
The right to object: You have the right to object to the processing of Personal Data, in the event that the basis for our processing activity is based on our legitimate interests, however, we will be  permitted to continue the processing if our legitimate interests override your rights or when  processing is necessary to establish, exercise or defend a legal claim or right, etc. 
The right to restrict processing: You may ask us to restrict the processing of your Personal Data, when: the accuracy of the data is contested; processing is unlawful and you request restriction instead of erasure; the Personal Data is no longer needed for the original purpose it was collected, however the retention of the data is still required to establish, exercise or defend legal rights; or, there are overriding grounds in the context of an erasure request.
Rectification (in the event you are an EEA resident): You have the right to require the update or  amendment of Personal Data which is not correct. 
Portability: You have the right to have your Personal Data "ported" to a third-party, subject to the following: the Personal Data was provided by you; the Personal Data is processed automatically; and the Personal Data was processed on the legal bases of contract or consent.
The Right to Non-Discrimination (in the event you are a California resident): You have the right not to be discriminated against for having exercised your rights under the applicable laws. In particular, we cannot: deny the consumer goods or services; charge the consumer different prices for goods or services, whether through denying benefits or imposing penalties; or provide the consumer with a different level or quality of goods or services.

We provide you with the option to exercise certain choices and controls in connection with our treatment of your Personal Data, depending on your relationship with us. If you wish to exercise any or all of the above rights, please contact our privacy team at: privacy@liquidity.inc. Where we are not able to provide you with the information or exercise the rights you have asked for, we will try to explain the reasoning for this and inform you of your rights, including the right to complain to the relevant supervisory authority (in the event you are an EEA resident). We reserve the right to ask for reasonable evidence needed to verify your identity prior to providing you with any such information in accordance with applicable law.

Cookies
The usage of our website may include implementation of "cookies" or similar technologies, by us or by third parties, which will store certain information on your device. Cookies are used for many different purposes, including, but not limited to, enrichment of our Website work, as well as to understand your needs and optimize the website's performance. Cookies enable us to improve your experience while using the website. See more information about cookies at: www.allaboutcookies.org.

See below the list of third-party cookies and other tracking technologies currently used as part of our website:
A. Google Analytics - Analytical, Measurement & Performance, third party privacy policy: www.google.com/policies/privacy/partners; https://policies.google.com/technologies/managing?hl=en; https://tools.google.com/dlpage/gaoptout. For additional information regarding our use of Google products, click here.
B. Intercom - Essential, Functionality, Operation & Security Cookies, third party privacy policy: https://www.intercom.com/legal/privacy.
C. Hubspot - Analytical, Measurement & Performance, third party privacy policy: https://legal.hubspot.com/cookie-policy.

We do not collect Personal Information automatically, but we may tie this information to Personal Information about you that we collect from other sources or from information that you may provide to us. However, to the extent the information we collect by automatic means constitutes Personal Data under the GDPR, either before or after we collect it, our processing of such Personal Data complies with the GDPR.

Cookies Opt-out
You are able to manage your cookies preferences, including the deletion of cookies, approval or decline of certain cookies, and receipt of a notification prior to the storage of a cookie. This can be done through your browser settings. For more information, please review the below links (click according to the browser you are using): Google Chrome; Firefox; Internet Explorer; Safari; Edge; Opera.

Third party's cookies which are embedded in our website shall be subject to the applicable third party’s cookie policy.

Blocking or erasing certain types of cookies may limit your online experience. Furthermore, disabling cookies will not prevent advertisements from being displayed, however the advertisements will not be personalized.

Third Party Websites 
Our Privacy Policy only addresses the use and disclosure of information we collect from you. To the  extent that you disclose your information to other parties via the website (e.g., by clicking on a link to  any other website or location) or via other sites throughout the Internet, different rules may apply to  their use or disclosure of the information you disclose to them. You acknowledge that we are not  responsible for the products, services, or descriptions of products or services that you receive from third  party sites or to the content or privacy practices of those sites and that this Privacy Policy does not apply to any such third party products and services. You are knowingly and voluntarily assuming all risks of  using third party sites. You agree that we shall have no liability whatsoever with respect to such third  party sites and your usage of them. 

Children’s Data
Our website and Platform are not intended or directed for children, as such term is defined under  applicable law, and specifically under the age of 16 (or any equivalent age). We do not knowingly collect  or solicit information from children. If we later obtain actual knowledge that we processed a child’s  Personal Data, we will take necessary steps to delete the applicable data. 

Security and Retention Policy 
Since your privacy is important to us, we are committed to protecting your Personal Data from unauthorized access, use or disclosure. We have implemented physical, technical, and administrative security measures that comply with applicable laws and industry standards.

We will take necessary measures to minimize the Personal Data that is stored on our servers in the first place. In the event of a data breach, in which we discover your Personal Data may be at risk, we will take reasonable efforts to notify you and the applicable authority (if required, subject to applicable laws).

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Sites, you are responsible for keeping this password confidential. You shall not share your password with anyone. We urge you to be careful about giving out information in public areas of the Site (if any). The information you share in public areas may be viewed by any user of the Site.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we do our best to protect your personal information generally and in compliance with applicable laws, we cannot guarantee the security of your personal information transmitted to our Site or via our Services. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Site or via the Services.

We only retain your personal information/Personal Data for as long as is necessary for us to use your information as described above, or to comply with our legal obligations and legitimate interests. Please be advised that this means that we may retain some of your personal information/Personal Data after you cease to use our Services. For instance, we may retain your data as necessary to meet our legal obligations.

When determining the relevant period in which we retain or establish/revise periods for retaining personal information/Personal Data, we will take the following factors into account:
• Our contractual obligations and rights in relation to the information involved;
• Legal obligation(s) under applicable law to retain data for a certain period of time or with respect to pending or anticipated legal actions;
• Our legitimate interest where we weigh your interest in controlling your Personal Data against our lawful purpose in processing your Personal Data;
• Statutes of limitations under applicable law(s);
• If you have made a request to have your information deleted; and
• Guidelines issued by relevant data protection authorities.

Otherwise, pursuant to GDPR, we will securely erase your personal information/Personal Data once there is no lawful basis or legal obligation to store or process it.

Transfer of Data
We may store or process your Personal Data in AWS servers (located in North Virginia, US) or in other  states or countries. In the event of data transfer outside your jurisdiction, we will take appropriate  measures to ensure that your Personal Data receives an adequate level of data protection when it is  being transferred as required under applicable law. 

Changes to This Privacy Policy  
We may update this Privacy Policy from time to time and if required under applicable laws. Thus, we  encourage you to check this Privacy Policy from time to time in order to be updated with the most  recent Privacy Policy. The most recent and updated version of this Privacy Policy is as referred to in the "Updated" heading in the preamble. If a material change occurs, we will make our best efforts to  provide you with updates, in accordance with the requirements of the applicable law.  

Do Not Track Signals
Please note that Do Not Track signals are not responded to. See: http://www.allaboutdnt.com/, for more information.

Contact Information.
If you have any questions, please contact us at: Liquidity Capital M.C. Ltd. 30 Sheshet Hayamim, Rd., Bnei Brak, Israel. You can also contact us via email at: privacy@liquidity.inc

Data Processing Agreement 
Recently updated March 10, 2021 

PREAMBLE
This Data Processing Agreement (the “DPA”), entered into by the users accessing or using Liquidity’s website or using the Services (each a “User”, “Licensee”, or “you”) and Liquidity Capital M.C. Ltd. (and its subsidiaries) (“Liquidity”, “we”, “us” or “our”), governs the processing of Personal Data that the User uploads or otherwise provides Liquidity in connection with the Services and the processing of Personal Data by Liquidity on behalf of the User in connection with the Services.

Capitalized terms not defined in this DPA shall have the meaning given to them in our terms and conditions at: https://www.liquidity.inc/terms-and-conditions (the “Terms and Conditions”), or in the relevant Master License Agreement entered between the parties (the “Master Agreement”). In the event of any conflict or inconsistency between any of the terms of the Terms and Conditions, the Master Agreement and this DPA, the provisions of the following documents (in order of precedence) shall prevail: (a) the Master Agreement (to the extent applicable); (b) the Terms and Conditions; (c) this DPA.

1. DEFINITIONS 
1.1. In this DPA, the following terms shall have the meanings set out below and related terms shall  be construed accordingly: 
a) "Applicable Laws" means (a) European Union or Member State laws with respect to any  User Personal Data in respect of which User is subject to EU Data Protection Laws; and (b)  any other applicable law with respect to any User Personal Data in respect of which the  User is subject to any other Data Protection Laws including the CCPA. 
b) “Business Contact Data” means information relating to personnel of either Liquidity or  User, which may be processed by the other party in connection with the Agreement. 
c) “CCPA” means the California Consumer Privacy Act of 2018 together with any subordinate  legislation or regulations. 
d) "User Personal Data" means any Personal Data Processed by Liquidity or its Sub  Processors pursuant to or in connection with the Services. 
e) "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the  data protection or privacy laws of any other country such as the CCPA. 
f) "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic  legislation of each Member State and as amended, replaced or superseded from time to  time, including by the GDPR and laws implementing or supplementing the GDPR. 
g) "GDPR" means EU General Data Protection Regulation 2016/679.
h) "Services" means the services and other activities to be supplied to or carried out by or on  behalf of Liquidity for the User, pursuant to the Master Agreement and/or the Terms and  Conditions (as applicable). 
i) "Sub Processor" means any entity appointed by or on behalf of Liquidity to Process  Personal Data on behalf of the User. 
j) "Liquidity" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Liquidity.

1.2 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.

2. PROCESSING OF USER PERSONAL DATA
2.1 Liquidity shall: 
a) comply with all applicable Data Protection Laws in the Processing of User Personal Data; and
b) subject to Section 14.7, not Process User Personal Data other than on User’s documented  instructions, unless Processing is required by Applicable Laws to which Liquidity is subject, in  which case Liquidity shall, to the extent permitted by Applicable Laws, inform the User of that  legal requirement before the relevant Processing of that Personal Data. 

2.2 The User instructs Liquidity and authorizes Liquidity to instruct each Sub Processor to: 
a) Process User Personal Data;  
b) transfer User Personal Data to any country or territory; and 
c) in each case as reasonably necessary for the provision of the Services in consistency with the  Master Agreement and the Terms and Conditions.  

2.3 The obligations set out in Sections 3 to 5 and 7 to 14 of this DPA apply only if and to the extent that Liquidity processes User Personal Data as a Processor.  

3. LIQUIDITY’S PERSONNEL & USER’S OBLIGATIONS
3.1 Liquidity shall take reasonable steps to ensure that any employee, agent or contractor of  Liquidity who may have access to the User Personal Data, are subject to confidentiality  undertakings or professional or statutory obligations of confidentiality.
 
3.2 The User warrants and represents that it has and will collect, Process and transfer all User Personal Data, which is Processed by and/or transferred to Liquidity, in accordance with all  Applicable Laws. Addendum to this DPA with respect to the CCPA attached hereto as Annex 2.

4. SECURITY
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context  and purposes of Processing as well as the risk of varying likelihood and severity for the rights and  freedoms of natural persons, Liquidity shall in relation to the User Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that  risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5. USE OF PROCESSORS AND SUBPROCESSING 
5.1 User authorizes Liquidity to appoint (and permit each Sub Processor appointed in accordance with  this Section 5 to appoint) Processors and/or Sub Processors in accordance with this Section 5.
 
5.2 Liquidity may continue to use those Processors and/or Sub Processors already engaged by Liquidity as at the date of this DPA, subject to Liquidity, in each case and as soon as practicable, meeting the  obligations set out in Section 5.4. 

5.3 Liquidity can at any time and without justification appoint a new Processor and/or Sub-Processor  provided that User is given fifteen (15) days' prior notice and the User does not legitimately object  to such changes within that timeframe. Legitimate objections must contain reasonable and  documented grounds relating to a Processor and/or Sub-Processor's non-compliance with Data  Protection Laws. If, in Liquidity's reasonable opinion, such objections are legitimate, Liquidity shall  either refrain from using such Processor and/or Sub-Processor in the context of the processing of  User Personal Data or shall notify the User of its intention to continue to use the Processor and/or  Sub-Processor. Where Liquidity notifies User of its intention to continue to use the Processor and/or  Sub-Processor in these circumstances, User may, by providing written notice to Liquidity, stop  sharing with Liquidity its User Personal Data. 

5.4 With respect to each Processor and/or Sub Processor, Liquidity shall:
a) ensure that the arrangement between Liquidity and the Processor and/or Sub Processor is governed by a written contract including terms which offer at least the same level of protection for User Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR;
b) upon User’s request, provide copies of Liquidity’s agreements with Processors and/or Sub Processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA).

5.5 Liquidity shall ensure that each Processor and/or Sub Processor performs the obligations which  apply to Processing of User Personal Data carried out by that Processor and/or Sub Processor, as if it  were party to this DPA in place of Liquidity. 

6. CROSS-BORDER DATA TRANSFERS
6.1 User acknowledges that Applicable Laws may require that additional measures be taken to secure  transfers of User Personal Data outside the country or region they originate from. In such a case,  User shall assist Liquidity in implementing these additional measures and, for instance, enter into  separate agreements, where and as mandated under Applicable Laws. Without limiting the  generality of the foregoing, Liquidity shall refrain from transferring any Personal Data subject to the  data protection laws of the European Union outside the European Union or a country deemed  adequate by the European Commission, without relying on a transfer mechanism in accordance with  the legislation of the European Union.

7. DATA SUBJECT RIGHTS
7.1 Considering the nature of the Processing, each Party shall assist the other Party by implementing  appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of  such Party’s obligations, to respond to requests to exercise Data Subject rights under the Data  Protection Laws in so far as such requests relate to the User Personal Data Processed by Liquidity on  behalf of the User. 

7.2 Liquidity shall:
a) promptly notify User if Liquidity receives a request from a Data Subject under any Data Protection Law in respect of User Personal Data; and
b) not respond to that request except as required by Applicable Laws to which Liquidity is subject, in which case Liquidity shall to the extent permitted by Applicable Laws inform User of that legal requirement before responding to the request.

8. PERSONAL DATA BREACH
8.1 Liquidity shall notify User without undue delay if Liquidity or any Sub Processor becomes aware of a Personal Data Breach affecting User Personal Data, providing User with sufficient information to allow User to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Liquidity shall co-operate with User and take such reasonable commercial steps as are directed by  User to assist in the investigation, mitigation and remediation of each such Personal Data Breach. 

9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1. Liquidity shall provide reasonable assistance to User with any data protection impact assessments,  and prior consultations with Supervising Authorities or other competent data privacy authorities,  which reasonably could be deemed required by Article 35 or 36 of the GDPR or equivalent  provisions of any other Data Protection Law, in each case solely in relation to Processing of User Personal Data by, and taking into account the nature of the Processing and information available to  Liquidity. 

10. DELETION OR RETURN OF USER PERSONAL DATA
10.1. Subject to Sections 10.2 and 10.3, Liquidity shall promptly and in any event within 60 days of the  date of cessation of any services involving the Processing of User Personal Data (the "Cessation  Date"), delete and procure the deletion of all copies of those User Personal Data, to the extent  such User Personal Data includes Personal Data. 

10.2. Subject to Section 10.3, User may in its absolute discretion by written notice to Liquidity within 90 days of the Cessation Date require Liquidity, at User’s expense, to (a) return a complete copy of all User Personal Data to the User (to the extent such User Personal Data includes Personal Data) by secure file transfer in such format as is reasonably notified by User to Liquidity; and (b) delete and procure the deletion of all other copies of User Personal Data Processed by Liquidity. Liquidity shall comply with any such written request within 60 days of the request.

10.3. Liquidity may retain User Personal Data to the extent required by Applicable Laws and only to  the extent and for such period as required by Applicable Laws and always provided that Liquidity shall ensure the confidentiality of all such User Personal Data and shall ensure that such User  Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws  requiring its storage and for no other purpose. 

10.4. For purposes of clarification, statistical data which has been anonymized and consequently no longer constitutes Personal Data may be retained and used freely by Liquidity perpetually in accordance with the terms of the Master Agreement and the terms of our Terms and Conditions (as applicable).

10.5. Liquidity shall upon User’s request provide written certification to User that it has fully complied  with this Section 10.

11. AUDIT RIGHTS 
11.1. Liquidity shall keep, or cause to be kept the information necessary to demonstrate compliance  with its obligations under this DPA including full and accurate records relating to the processing  of User Personal Data and upon reasonable notice and at User's cost and expense make  available to User and grant to User and its auditors or agents a right of access to and to take  copies of any relevant information or records kept by Liquidity pursuant to this Section 11.1. 

11.2. User’s information and audit rights only arise to the extent that the Master Agreement and the  Terms and Conditions do not otherwise give them information and audit rights meeting the  relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of  the GDPR). 

11.3. User shall give Liquidity reasonable notice of any audit or inspection to be conducted under  Section 11.1 and shall make (and ensure that each of its mandated auditors makes) reasonable  endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Liquidity’s premises, equipment, personnel and business while its personnel are on those  premises in the course of such an audit or inspection. Liquidity need not give access to its  premises for the purposes of such an audit or inspection: 
a) to any individual unless he or she produces reasonable evidence of identity and authority; 
b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and User has given notice to Liquidity that this is the case before attendance outside those hours begins; or
c) for the purposes of more than one audit or inspection in any calendar year.

12. REPRESENTATIVE DATA
12.1. The provisions of this DPA shall apply mutatis mutandis in relation to Business Contact Data in relation to which Liquidity is Controller and User’s obligations as Processor shall apply to the User in relation to such data.

13. INDEMNIFICATION
13.1. Notwithstanding any limitation of liability agreed between the Parties pursuant to the Agreement, a  Party (the “Defaulting Party”) shall indemnify the other Party (the “Non-Defaulting Party”) against all  damages and fines that are awarded in a trial or imposed by the Supervisory Authority by way of  final decision or settlement (and any reasonable attorney’s fees incurred by the Non-Defaulting  Party in respect of such decision or settlement), against the Non-Defaulting Party, arising directly  out of the Defaulting Party’s breach of its obligations pursuant to this DPA or a breach of warranty  contained herein.

13.2. Liability under this indemnity is conditional on the Non-Defaulting Party having complied with its obligations and warranties under this DPA including, but not limited to, those obligations arising pursuant to Section 13.3.

13.3. If any third party makes a claim, or notifies an intention to make a claim or start an investigation, against the Non-Defaulting Party which may reasonably be considered likely to give rise to a liability under the indemnity contained in Section 13.1, against the Defaulting Party (the “Claim”), the Non-Defaulting Party shall:
a) notify the Defaulting Party in writing within ten (10) days of receipt by the Non-Defaulting Party of any documentation relating to the Claim, specifying the nature of the Claim and such relief or penalty as is sought therein;
b) cooperate with the Defaulting Party in all reasonable respects in connection with the defense or investigation of the Claim;
c) not make any admission of liability, agreement or compromise in relation to the Claim without the prior consent of the Defaulting Party (such consent not to be unreasonably withheld or delayed), provided that the Non-Defaulting Party may settle the Claim (after giving prior written notice of the terms of settlement (to the extent legally possible) to the Defaulting Party, but without obtaining the Defaulting Party’s consent) if the Non-Defaulting Party reasonably believes that failure to settle the Claim would be prejudicial to it in any material respect;
d) permit the Defaulting Party to, upon written thereof to the Non-Defaulting Party, undertake to conduct all proceedings or negotiations in connection with the Claim, assume the defense thereof, and, if it so undertakes, it shall also undertake all other required steps or proceedings to settle or defend any such claim, including the employment of counsel at the Defaulting Party’s.

13.4. Notwithstanding this Section 13, the Defaulting Party shall have no liability under Section 13.1 to the  extent that a Claim has arisen due to any act or omission not attributable to the Defaulting Party.

13.5. Nothing in this Section 13 shall restrict or limit the Non-Defaulting Party’s general obligation at law  to mitigate any loss it may suffer or incur as a result of an event that may give rise to a claim under  the indemnity contained in Section 13.1.

13.6. In no event shall either Party, any Party’s group company or any of either Party’s directors, officers, employees, agents or consultants be liable for any indirect or consequential loss or loss of profit, or damages, whether or not the party concerned has been advised of the possibility of such damages, or for any loss of opportunity, goodwill, or anticipated earnings, in each case arising out of or in any way in connection with this DPA.

14. MISCELLANEOUS TERMS 
14.1. Governing law and jurisdiction. The parties hereby submit to the choice of jurisdiction stipulated in  the Terms and Conditions and, if applicable, in the terms of the Master Agreement, with respect to  any disputes or claims howsoever arising under this DPA, including disputes regarding its existence,  validity or termination or the consequences of its nullity and this DPA and all non-contractual or  other obligations arising out of or in connection with it are governed by the laws of the country or  territory stipulated for this purpose in the Terms and Conditions and, if applicable, in the terms of  the Master Agreement. 

14.2. Both Parties shall cooperate and assist the other Party in the event of any measures or  investigations taken by the Supervisory Authority related to any activities conducted under this DPA,  including promptly notifying the other Party of the threat and commencement of such measures.  The Parties shall take all reasonable measures necessary to limit the potential damage incurred to  either of the Parties due to such event. 

14.3. User acknowledges and agrees that Liquidity may use pseudonymized User Personal Data for the  purposes listed in Annex 1 of this DPA, and that Liquidity will act as a Controller in relation to the  processing it undertakes for those purposes. 

14.4. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

ANNEX 1: DETAILS OF PROCESSING OF USER PERSONAL DATA 
This Annex 1 includes certain details of the Processing of User Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of User Personal Data and the obligations and rights of the User shall be in accordance with the Terms and Conditions, and if applicable, in accordance with the Master Agreement.

The nature and purpose of the Processing of User Personal Data: Liquidity processes Personal Data in the following ways:
A. Contact Details - Contact details of the persons on behalf of the User, and/or the Scored Entities (as defined in the Terms and Conditions and the Master Agreement).
B. Regulatory requirements - Regulators in different jurisdictions require that Liquidity saves Personal Data for future proof of correct basis for tax payments and other official statements.

The categories of Data Subject to whom the User Personal Data relates:
▪ Contact Details.

The types of User Personal Data to be Processed:
▪ Representative Data: 
▪ Work email addresses 
▪ Work telephone numbers 
▪ Job titles 
▪ Names 
▪ Other information provided in the correspondences. 

Annex 2 
Addendum to Liquidity’s DPA with respect to the California Consumer Privacy Act 
This Addendum is entered into by the users accessing or using Liquidity’s website or using the Services (each a “User”, “Licensee”, or “you”) and Liquidity Capital M.C. Ltd. (and its subsidiaries) (“Liquidity”, “we”, “us” or “our”), and amends Liquidity’s Data Processing Agreement between Liquidity and the User (“DPA”) with respect to Liquidity’s processing of Customer Personal Data of California Consumers under the CCPA. Capitalized terms used but not otherwise defined in this Addendum will have the meanings given to them in the DPA. Capitalized terms not otherwise defined in the DPA will have the meanings given to them under the CCPA.

No CCPA Sale. The parties agree that for the purposes of the CCPA, Liquidity acts as a CCPA Service Provider for Customer Personal Data. User does not sell User Personal Data to Liquidity because Liquidity shall only use User Personal Data for the purposes specified in the DPA. Liquidity certifies that it has read and understands this Addendum and will abide by it, including by avoiding any action that would cause the other Party to be deemed to have sold Personal Data or Personal Information under the CCPA.