1.1

"Applicable Data Protection Law" means, where applicable, European Data Protection Law and Non-European Data Protection Law, including but not limited to the California Consumer Privacy Act, along with the California Privacy Rights Act and relevant regulations issued by the California Privacy Protection Agency (CCPA), the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act and relevant rules issued by the Colorado Attorney General (CPA), Connecticut Data Privacy Act (CTDPA) and Utah Consumer Privacy Act (UCPA). Pursuant to CCPA, the definition of "controller" includes "Business", and the definition of "processor" includes "Service Provider", with these capitalized terms as defined in the CCPA.

1.2

"Europe" means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, the United Kingdom and Switzerland.

1.3

"European Data Protection Law" means, as applicable, (1) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR"), (2) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and (3) the Federal Act on Data Protection of June 19, 1992 and its ordinances, and, once it entered into force on September 1, 2023, the revised Swiss Federal Act on Data Protection dated 25 September 2020 (collectively, "FADP") in Switzerland relating to the fundamental rights of natural persons relating to the processing of personal data, privacy and/or electronic communications.

1.4

"Adequacy Framework" means any system of certification adopted by the European Commission (or in respect of Personal Data transfers caught by the requirements of the UK GDPR or the Swiss FADP, the relevant UK and/or Swiss governmental or regulatory body as applicable), pursuant to which transfers of Personal Data to participating organizations are considered adequate pursuant to Article 45(1) of the GDPR, the UKGDPRand/ortheSwiss FADP, includingthe EU-USDataPrivacy Frameworkadopted pursuant to European Commission Implementing Decision of 10 July 2023 (and any equivalent frameworks adopted pursuant to UK Data Protection Law and/or the Swiss FADP);

1.5

"Non-European Data Protection Law" means data protection or privacy laws in force outside of Europe.

1.6

The terms "controller", "datasubject", "personal data","processing" and "processor" shall have the meanings under the Applicable Data Protection Law(s), as the case may be.

2.1 Applicability

This DPA shall apply to the extent STAG processes personal data of data subjects in relation to the Customer's use of any STAG products or services pursuant to the Agreement, and where such processing is regulated under Applicable Data Protection Laws.

2.2 CCPA

For the avoidance of doubt, STAG is a Service Provider and not a third party as described in the CCPA. Therefore, STAG shall not: (a) sell or share the personal data; (b) retain, use, or disclose the personal data for any purpose other than providing the services specified in the Agreement. Specifically, STAG shall not retain, use, or disclose the personal data for a Commercial Purpose (as defined in CCPA); or (c) retain, use, or disclose the personal data outside of the direct business relationship between STAG and Customer.

2.3 Data Subject Consents

Where required by Applicable Data Protection Laws, the Customer will ensure that it has obtained/will obtain all necessary data subject consents, and has provided/will provide the necessary notifications.

3.1 Parties' Roles

Customer, as controller, appoints STAG as a processor to process the personal data on Customer's behalf.

3.2 Purpose Limitation

STAG shall process personal data for the purposesset forth in this DPA and the Agreement only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. The Agreement and this DPA set out Customer's complete instructions to STAG in relation to the processing of personal data and any processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties.

3.3 Compliance

Customer, as controller (or as processor, as applicable, where STAG is engaged as a sub-processor), shall be responsible for ensuring that, in connection with Customer's personal data and the Subscription and Service it has complied, and will continue to comply, with all applicable laws, rules and regulations, including but not limited to all Applicable Data Protection Laws; and it has, and will continue to have, the right to disclose, transfer, or provide access to, the personal data (including all personal data included therein) to STAG for processing in accordance with the terms of the Agreement and this DPA.

4.1 Security

STAG shall implement and maintain appropriate technical and organizational measures designed to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized third-party access or use (each a "Security Incident").

4.2 Confidentiality of Processing

STAG shall ensure its employees that are authorized to process the personal data are subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.

4.3 Security Incidents

Upon becoming aware of a Security Incident, STAG shall notify Customer without undue delay, and shall provide such timely information as Customer may reasonably require to enable Customer to fulfill any data breach reporting obligations under the European Data Protection Legislation. STAG will take reasonably necessary measures and actions to remedy or mitigate the effects of such a Security Incident.

6.1 Data Subjects' Rights

To the extent STAG processes personal data, STAG will reasonably cooperate with Customer in dealing with requests from data subjects or regulatory authorities regarding STAG's processing of personal data. For the avoidance of doubt, Customer is responsible for responding to requests made by data subjects.

6.2 Data Protection Impact Assessments and Prior Consultation

If, pursuant to Applicable Data Protection Laws, Customer is required to perform a data protection impact assessment or prior consultation with a data regulator, then at Customer's request, STAG will provide such documents as are generally available for the Subscription or Service (for example, this DPA, the Agreement). Any additional assistance shall be mutually agreed between the parties and shall be subject to the payment of an additional fee as determined by STAG.

6.3 Audit Rights

Upon Customer's reasonable request, STAG shall make available to the Customer all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the processing of personal data by STAG or its sub-processors.

8.1

With respect to international transfers of personal data from within Europe to the United States, and to the extent Customer has self-certified under the appropriate framework described herein, the parties agree that the processing of personal data shall be governed by the requirements of the EU-US Data Privacy Framework (DPF), the UK Extension to the EU-US DPF, and the Swiss-US DPF. Customer agrees to maintain its self-certification (if applicable) and shall immediately notify STAG in the event it ceases to be self-certified under the applicable framework. In the event the EU-US DPF, UK Extension to the EU-US DPF, or the Swiss-US DPF are invalidated by a court of competent jurisdiction, or in the event Customer ceases to be self-certified under the applicable DPF, the EU Standard Contractual Clauses (SCCs) (Controller to Processor) shall take effect in place of the invalidated DPF(s) and shall be incorporated into this DPA by reference and be considered duly executed between the Parties upon click-through the Agreement. With respect to international transfers of personal data from within Europe to countries outside of Europe orthe United States, the parties agree that the processing of personal data shall be governed by the terms of the Standard Contractual Clauses (Transfers Controller to Processor) (and the U.K. addendum, if applicable), which shall be incorporated into this DPA by reference and be considered duly executed between the Parties upon signature of this Addendum.

8.2

In the event of any conflict or inconsistency between the other sections of this DPA and the Standard Contractual Clauses for Controllers to Processors, the latter shall prevail.

8.3

If the European Commission adopts new versions of the Standard Contractual Clauses for transfers from controllers to processors, or if further contractual frameworks are required under Applicable Data Protection Laws, the parties agree to cooperate in good faith to adapt this DPA to the new version, or agree on a valid alternative international transfer mechanism.

10.1

Except as amended by this DPA, the Agreement will remain in full force and effect.

10.2

If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.

10.3

Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

10.4

Modificationsto this DPA may be made by STAG at any time by providing electronic notice to Customer. Customer is responsible for reviewing and becoming familiar with any modifications. Customer's continued use of the Service after the effective date of the modifications will be deemed acceptance of the modified terms.