Data Processing Addendum

Last Update: March 16, 2023

This Data Processing Addendum ("Addendum") forms part of the Sezzle Merchant Agreement ("Agreement") between: you ("Company"); and Sezzle Inc. ("Service Provider").

Introduction

A. Service Provider provides payment processing services (the "Services").

B. Company is a controller of certain Personal Data (as described in Exhibit A) and has chosen to utilize the Services to process such information in connection with Service Provider’s performance of the Agreement.

C. The parties wish to enter into this Addendum to ensure Service Provider’s processing of Personal Data on behalf of Company complies with Company’s instructions and Applicable Data Protection Laws.

In consideration of the mutual obligations set out herein, the parties hereby agree as follows:

1. Definitions. The following terms shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

1.1 "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Company or Service Provider respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.2 "Applicable Data Protection Laws" means all laws, statutes, and regulations regarding data protection, privacy, and security that are applicable to a party or Company Personal Data, including, without limitation, the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and any laws amending, replacing or superseding the GDPR.

1.3 "Company Personal Data" means information which relates to an identified, or identifiable person, as described in Exhibit A and any other Personal Data Processed by Service Provider or any Service Provider Affiliate on behalf of Company or any Affiliate pursuant to or in connection with the Agreement or any related Statement of Work.

1.4 "Controller", "Processor", "Data Subject", "Personal Data", "Process", "Processing", "Supervisory Authority", "Personal Data Breach", and "Special Categories of Personal Data" shall have the same meaning as in the Applicable Data Protection Laws.

1.5 "EEA" means the European Economic Area as well as any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

1.6 "Restricted Transfer" means the transfer of Company Personal Data from Company to Service Provider where (1) the data was originally held by Company in the EEA, (2) the data will be received by Service Provider outside of the EEA, and (3) the transfer would be prohibited by Applicable Data Protection Laws in the absence of the Standard Contractual Clauses or another adequate transfer mechanism as approved by the European Commission.

1.7 "Subprocessor" means any Processor (including any third party and any Service Provider Affiliate) appointed by Service Provider to Process Company Personal Data on behalf of Company or any Company Affiliate.

2. Processing of Company Personal Data

2.1 Service Provider may Process Company Personal Data as per the terms of the Agreement and this Addendum.

2.2 Service Provider shall not Process Company Personal Data for any purpose other than those specified in the Agreement, this Addendum, or Company's documented instructions. Service Provider shall immediately inform the Company if, in its opinion, any processing instruction infringes upon any Applicable Data Protection Laws.

2.3 Exhibit A to this Addendum sets out certain information regarding the Service Provider's Processing of the Company Personal Data. Company may make reasonable amendments to Exhibit A by written notice to Service Provider from time to time as Company reasonably considers necessary to meet those requirements.

3. Confidentiality

Service Provider shall take reasonable steps to ensure the confidentiality of any employee, agent or contractor who may have access to Company Personal Data. Among other things, Service Provider will strictly limit access to those individuals who need to access Company Personal Data for purposes of providing the Services, and will contractually require all individuals that have access to Company Personal Data to keep such data confidential.

4. Security

4.1 Service Provider shall implement reasonable and appropriate technical and organizational measures to protect Company Personal Data.

4.2 In assessing the appropriate level of security, Service Provider shall take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Company Personal Data transmitted or stored. Service Provider and any Subprocessors represent and warrant that their security program is documented using an accepted industry framework (e.g. CIS, NIST, ISO, etc.).

4.3 Company shall have the right to terminate the Agreement immediately, and without penalty, in the event Service Provider fails in any of its obligations under this Addendum after Company has provided notice of the failure and Service Provider has failed to cure the failure within a reasonable period of time. In the event of termination, Service Provider’s obligations under this Addendum shall continue for so long as Service Provider has access to Company Personal Data.

5. Subprocessing

5.1 Service Provider shall not engage any Subprocessors to Process Company Personal Data unless it is required as part of providing the Services or with Company’s prior written consent, such consent not to be unreasonably withheld. Service Provider shall provide information on its Subprocessors upon written request by the Company.

5.2 With respect to each Subprocessor, Service Provider shall:

5.2.1 carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for Company Personal Data as is required by this Addendum, and provide evidence of such due diligence to Company upon request;

5.2.2 include terms in the contract between Service Provider and each Subprocessor that are materially equivalent to those set out in this Addendum; and

5.2.3 remain fully liable to Company for the known actions or inactions of any Subprocessor in relation to the Processing of Company Personal Data.

6. Data Subject Rights.

6.1 Service Provider shall assist Company in responding to complaints, communications, or requests by a Data Subject to exercise a right under Applicable Data Protection Laws relating to the Company Personal Data. This shall include, at minimum, maintaining the ability to access, modify, remove from Processing, or irrevocably delete or destroy the Personal Data of an individual Data Subject when requested by Company.

6.2 Service Provider shall promptly notify Company if it receives a request from a Data Subject in respect to Company Personal Data, including a request by a Data Subject to access, modify, or delete his or her Personal Data. Service Provider shall await instructions from Company concerning whether, and how, to respond to such a request.

7. Personal Data Breach.

7.1 Service Provider shall notify Company immediately upon Service Provider or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, and shall provide Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects or relevant governmental agency or agencies of the Personal Data Breach under the Applicable Data Protection Laws.

7.2 Service Provider shall, and shall require any Subprocessor to, co-operate with Company and each Company Affiliate and take such reasonable commercial steps to assist in the investigation, mitigation, and remediation of any such Personal Data Breach. To the extent reasonably incurred in connection with a Personal Data Breach due to Service Provider’s or any Subprocessor’s action or inaction, Service Provider shall be responsible for: (a) mutually agreed on fees for Company’s attorneys and consultants; (b) the cost of providing notice to affected Data Subjects; (c) the cost of providing notice to any governmental agencies, credit bureaus, and other required entities; (d) the cost of providing affected Data Subjects with credit monitoring and protection services for twelve (12) months (or longer, if required by applicable laws) to the extent the disclosure of the affected Data Subject’s Personal Data could lead to a compromise of the Data Subjects’ credit or credit standing or if otherwise required by Applicable Data Protection Law; (e) the cost of any other legally required or mutually agreed on industry standard measures; and (f) fines or penalties attributable to the Personal Data Breach. Such amounts in this Section 7.b supersede, and are not limited by, any limitations of liability provided in the Agreement. For clarity, Company will have the right to conduct (or direct the conducting of) any of the measures described in this Section 7.b.

8. Data Protection Impact Assessment and Prior Consultation.

Service Provider shall provide reasonable assistance to Company with any data protection impact assessments which are required under Applicable Data Protection Laws in relation to Service Provider’s Processing of Company Personal Data.

9. Deletion or return of Company Personal Data.

9.1 Subject to Section 9.b, Service Provider shall promptly upon Company’s request or in any event within sixty (60) calendar days of the effective date of termination of the Agreement: (a) return all Company Personal Data to Company by secure file transfer in such format as notified by Company to Service Provider; or (b) delete and procure the deletion of all copies of Company Personal Data Processed by Service Provider or any Subprocessor.

9.2 Notwithstanding Section 9.a, Service Provider may retain Company Personal Data to the extent required by applicable laws, but only to the extent and for such period as required by applicable laws. Service Provider will notify Company in writing if it believes that such a legal requirement exists. If required by law to retain Company Personal Data, Service Provider will continue to ensure the confidentiality of such Company Personal Data and only Process Company Personal Data as necessary for the applicable legal requirement.

10. Relevant Records and Audit Rights.

10.1 Upon Company’s request, Service Provider shall promptly make available to Company all information reasonably necessary to demonstrate compliance with this Addendum.

10.2 In addition to any audit rights granted pursuant to the Agreement, Service Provider shall allow for and contribute to audits, including inspections, by Company or a mutually agreed on auditor ("Auditor") of any premises where the Processing of Company Personal Data takes place in order to assess compliance with this Addendum, and shall provide reasonable access to the Auditor to inspect, audit, and copy any relevant records, processes, and systems documents in order that Company may satisfy itself that the provisions of this Addendum are being complied with.

11. International Data Transfer.

Insofar as the Agreement involves a Restricted Transfer, Service Provider agrees to cooperate with Company to take appropriate steps to comply with Applicable Data Protection Laws.

12. General Terms.

Any obligation imposed on Service Provider under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. Company and Service Provider expressly recognize and agree that this Addendum includes provisions addressed in other portions of the Agreement. Company and Service Provider hereby agree that the terms and conditions set out herein shall be added as an Addendum to the Agreement. This Addendum and the other portions of the Agreement shall be read together and construed, to the extent possible, to be in concert with each other. In respect of any conflict between the Agreement and this Addendum, the provisions which provide the greatest protection of the Company Personal Data shall prevail; provided, however, that in no event shall this Addendum be deemed to eliminate, limit, or otherwise diminish Service Provider’s obligations or commitments to Company under portions of the Agreement.

EXHIBIT A: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA

1. Subject matter and duration of the Processing of Company Personal Data

The subject matter and duration of the Processing of the Company Personal Data are set out in the Agreement.

2. The nature and purpose of the Processing of Company Personal Data

The nature and purposes of Processing as set forth in the Agreement.

3. The types of Company Personal Data to be Processed

As set forth in the Agreement.

4. The categories of Data Subject to whom the Company Personal Data relates

As set forth in the Agreement.

© 2026 Sezzle Inc.