Data Processing Addendum

This Data Processing Addendum, including its Exhibits (this “Addendum”), forms integral part of the Terms of Use, or any other agreement about the delivery of the contracted services between CAKE.com Inc. (“CAKE.com”) and the User (the “Agreement”) named in such Agreement or identified below to reflect the parties' agreement about the Processing of User Personal Data (as those terms are defined below).

In the event of a conflict between the terms and conditions of this Addendum, the Agreement, or any other documentation, the terms and conditions of this Addendum govern and control with respect to the subject matter of Processing of User Personal Data. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Definitions

1.1 “Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party. For purposes of this Addendum, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such an entity.

1.2 “Anonymized Data” means, having regard to the guidance published by the European Data Protection Board, Personal Data which does not relate to an identified or identifiable natural person or rendered anonymous in such a manner that the data subject is not or no longer identifiable.

1.3 “Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons, in particular the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the United Kingdom's Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act (“Swiss DPA”), Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein, the Brazilian Law No. 13,709/2018 - Brazilian General Data Protection Law (“LGPD”), the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member national implementing the Directive.

1.4 “Authorized Subprocessor” means a subprocessor engaged by CAKE.com to Process User Personal Data on behalf of the User per the User's Instructions under the terms of the Agreement and this Addendum. Authorized Subprocessors may include CAKE.com Affiliates but shall exclude CAKE.com employees, contractors and consultants.

1.5 “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data.

1.6 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.7 “Legitimate Business Purposes” means the exhaustive list of specific purposes for which CAKE.com is allowed to process some Personal Data as a Controller as specified in Section 2.4.

1.8 “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes any special categories of Personal Data defined in Art. 9 of the UK GDPR, data relating to criminal convictions and offences or related security measures defined in Art. 10 of the UK GDPR and national security numbers defined in Art. 87 of the GDPR and national supplementing law.

1.9 “Processor” means the entity that processes Personal Data on behalf of the Controller.

1.10 “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Personal Data Processed by CAKE.com or CAKE.com's Authorized Subprocessor.

1.11 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt: This includes processing of Personal Data to disclose, aggregate, pseudonymize, de-identify or anonymize Personal Data, and to combine Personal Data with other Personal Data, or to derive any data or information from such Personal Data.

1.12 “Services” means the CAKE.com Services as set forth in the Agreement.

1.13 “Specific US State Data Protection Law” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder (“CCPA”); the Colorado Privacy Act of 2021; the Virginia Consumer Data Protection Act of 2021; the Utah Consumer Privacy Act of 2022, as amended; and any other US state law that may be enacted that adheres to the same or substantially the same requirements of the aforementioned laws in this definition.

1.14 “Standard Contractual Clauses” means: (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).

1.15 “Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Law, including the Processing of Personal Data covered by this Addendum.

1.16 “User Personal Data” means Personal Data, including but not limited to:

1. Content Data: All text, sound, video, or image files that are part of an End User’s profile and End User information exchanged between End Users and with CAKE.com via the Services;
2. Account Data (name, screen name and email address);
3. Support Data (as defined in EXHIBIT A - Annex I of the Standard Contractual Clauses);
4. Website Access Data (including cookies); and
5. Diagnostic Data, including but not limited to: Data from applications (including browsers) installed on End User devices (“Telemetry Data”), Service generated server logs (for example meeting metadata and End User settings) and internal security logs that are generated by or provided to CAKE.com by, or on behalf of, User through use of the Services as further defined in EXHIBIT A - Annex I of the Standard Contractual Clauses).

2. Processing of Personal Data: Roles, Scope and Responsibility

2.1 The parties acknowledge and agree to the following: User is the Controller of User Personal Data. CAKE.com is the Processor of User Personal Data, except where CAKE.com or a CAKE.com Affiliate acts as a Controller processing User Personal Data in accordance with the exhaustive list of Legitimate Business Purposes in Section 2.4.

2.2 Only to the extent necessary and proportionate, User as Controller instructs CAKE.com to perform the following activities as Processor on behalf of User:

1. Provide and update the Services as configured, and used by User and its End Users, (for example, through User's use of CAKE.com settings or administrator controls) including to make ongoing product improvements and provide personalized experiences and recommendations;
2. Secure and real-time monitor the Services;
3. Resolve issues, bugs, and errors;
4. Provide User requested support, including applying knowledge gained from individual customer support requests to benefit all CAKE.com users but only to the extent such knowledge is anonymized; and
5. Process User Personal Data as set out in the Agreement and EXHIBIT A - Annex I to the Standard Contractual Clauses (subject matter, nature, purpose, and duration of Personal Data Processing in the controller to processor capacity and any other documented instruction provided by User and acknowledged by CAKE.com as constituting instructions for purposes of this Addendum).

(collectively, the “Instructions”).

2.3 CAKE.com shall immediately notify the User, if, in CAKE.com's opinion, an Instruction of the User infringes Applicable Data Protection Law and request that User withdraw, amend, or confirm the relevant Instruction. Pending the decision on the withdrawal, amendment, or confirmation of the relevant Instruction, CAKE.com shall be entitled to suspend the implementation of the relevant Instruction.

2.4 CAKE.com may Process certain User Personal Data for its own Legitimate Business Purposes, as an independent Controller, solely when the Processing is strictly necessary and proportionate, and if the Processing is for one of the following exhaustive list of purposes:

1. Directly identifiable data (name, screen name, profile picture and email address and all User Personal Data directly connected to such directly identifiable data) may be Processed for:
   1. billing, account, and customer relationship management (marketing communications to procurement, sales, and other User personnel that requests such communication), and related User correspondence (mailings about for example necessary updates);
   2. complying with and resolving legal obligations, including responding to Data Subject Requests for Personal Data processed by CAKE.com as data Controller (for example website data), tax requirements, agreements and disputes;
   3. abuse detection, prevention, and protection, virus scanning and scanning to detect violations of Terms of Use (such as copyright infringement, SPAM, and actions not permitted under the Agreement and CAKE.com´s applicable policies and procedures);
2. Pseudonymized and/or aggregated data (CAKE.com will pseudonymize and/or aggregate as much as possible and pseudonymized and/or aggregated data will not be processed on a per-User level), for:
   1. improving and optimizing the performance and core functionalities of accessibility, privacy, security, and the IT infrastructure efficiency of the Services;
   2. internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy); and
   3. receiving and using Feedback for CAKE.com's overall service improvement.

When acting as an independent Controller, CAKE.com will not process User Personal Data for any purposes other than the above list of Legitimate Business Purposes.

2.5 CAKE.com will not Process User Personal Data for third-party advertising, direct marketing, profiling, research or analytics purposes except where such processing is (i) necessary to comply with User's instructions as set out in Section 2.2 of this Addendum, or (ii) for the Legitimate Business Purposes described in Section 2.4 or (iii) part of CAKE.com’s free Services.

2.6 CAKE.com shall only process User Personal Data for the purposes specified in this Addendum; provided, however, CAKE.com may process User Personal Data for “further” or “compatible” purposes (within the meaning of Articles 5(l)(b) and 6(4) GDPR, where applicable), or seek consent from End Users for new types of data processing, where permitted by the CAKE.com account administrator and Applicable Data Protection Law.

2.7 Regardless of its role as Processor or Controller, CAKE.com shall process all User Personal Data in compliance with Applicable Data Protection Laws, the “Security Measures” referenced in Section 6 of this Addendum and EXHIBIT A - Annex I to the Standard Contractual Clauses.

2.8 User shall ensure that its Instructions to CAKE.com comply with all laws, rules, and regulations applicable to User Personal Data, and that the Processing of User Personal Data per User's Instructions will not cause CAKE.com to be in breach of Applicable Data Protection Law. User is solely responsible for the accuracy, quality, and legality of (i) the User Personal Data provided to CAKE.com by or on behalf of User; (ii) how User acquired any such User Personal Data; and (iii) the Instructions User provides to CAKE.com regarding the Processing of such User Personal Data. User shall not provide or make available to CAKE.com any User Personal Data in violation of the Agreement, this Addendum, or otherwise in violation of CAKE.com´s applicable policies and procedures and shall indemnify CAKE.com from all claims and losses in connection therewith.

2.9 Following the completion of the Services, at User's choice, to the extent that CAKE.com is a Processor, CAKE.com shall either enable User to delete some of User's Personal Data (for example an End User's Personal Data) or all of User's Personal Data, shall return to User the specified User Personal Data, or shall delete the specified User Personal Data, and delete any existing copies in compliance with its data retention and deletion policy. If return or destruction is impracticable or incidentally prohibited by a valid legal order law, CAKE.com shall take measures to inform the User and block such User Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by applicable law) and shall continue to appropriately protect the User Personal Data remaining in its possession, custody, or control and, where any Authorized Subprocessor continues to possess User Personal Data, require the Authorized Subprocessor to take the same measures that would be required of CAKE.com.

3. Privacy by design and by default

3.1 CAKE.com agrees to minimize Processing to the extent necessary to provide the Services and for the purposes permitted in this Addendum, the Agreement, or as otherwise agreed upon by User and CAKE.com. This includes minimization of Telemetry Data, Support Data, and feedback functionality; minimization of data retention periods; collection of pseudonymized identifiers when necessary, but immediate effective (irreversible) anonymization when the Service can be performed without Personal Data; and the implementation and control of strict access controls to the User Personal Data.

3.2 CAKE.com shall maintain a process whereby when CAKE.com collects new types of Diagnostic Data, such new collection shall be supervised by a privacy officer. CAKE.com will perform regular checks on the contents of collected Telemetry Data to verify that neither directly identifying data are collected nor User Content Data.

3.3 When CAKE.com plans to introduce new features, or related software and services (“New Service”), which will result in new types of Processing (i.e., new Personal Data and/or new purposes), CAKE.com will:

1. perform a data protection impact assessment;
2. determine if the new types of Processing following a New Service are allowed within the scope of this Addendum; and
3. ensure that the new Processing occurs with the necessary User notice or consents.

4. Authorized Persons

CAKE.com shall ensure that all persons authorized to Process User Personal Data and User Content are made aware of the confidential nature of User Personal Data and User Content and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate legal obligation of confidentiality.

5. Authorized Subprocessors

To the extent that CAKE.com is a Processor:

5.1 User hereby generally authorizes CAKE.com to engage subprocessors in accordance with this Section 5.

5.2 User approves the Authorized Subprocessors listed at https://cake.com/sub-processors .

5.3 CAKE.com may remove, replace, or appoint suitable and reliable further subprocessors in accordance with this Section 5.3:

1. CAKE.com shall in a timely manner and before the new subprocessor starts processing any User Personal Data notify User of the intended engagement (including the name and location of the relevant subprocessor and the activities it will perform).
2. In an emergency concerning Service availability or security, CAKE.com is not required to provide prior notification to the User but shall provide notification in a timely manner following the change in subprocessor.

In either case, the User may object to such an engagement in writing within fifteen (15) business days of receipt of the aforementioned notice by CAKE.com.

If User does not object to a new subprocessor's engagement within fifteen (15) business days of notice issuance from CAKE.com, that new subprocessor shall be deemed accepted.

5.4 CAKE.com shall ensure that Authorized Subprocessors adhere to relevant confidentiality obligations that prevent them from unauthorized Processing of User Personal Data and User Content both during and after their engagement by CAKE.com.

5.5 CAKE.com shall, by way of contract or other legal act, impose on the Authorized Subprocessor data protection obligations consistent with the obligations set out in this Addendum and in accordance with GDPR and other Applicable Data Protection Law requirements. The parties acknowledge and agree that notice periods shall be deemed equivalent regardless of disparate notification periods. If Personal Data are transferred to an Authorized Subprocessor in a third country that does not ensure an adequate level of protection according to the European Commission, the FDIPC, or UK Information Commissioner's Office, CAKE.com will ensure the transferred data are processed with the same GDPR transfer guarantees as agreed with User (such as Standard Contractual Clauses and BCRs). CAKE.com will also perform a case-by-case assessment if supplementary measures are required in cases of onward transfers to third countries to bring the level of protection of the transferred data up to the EU standard of essential equivalence.

5.6 CAKE.com shall be fully liable to User where that Authorized Subprocessor fails to fulfil its data protection obligations for the performance of that Authorized Subprocessor's obligations to the same extent that CAKE.com would itself be liable under this Addendum had it conducted such acts or omissions.

6. Security of Personal Data

6.1 CAKE.com may not update the Services or introduce any functionality that would purposefully allow anyone not authorized by User to gain access to User Content and User Personal Data.

6.2 CAKE.com certifies that it has not purposefully created any “back doors” or similar programming in the Services that could be used by third parties to access the system and/or Personal Data. CAKE.com has not purposefully created or changed its business processes in a manner that facilitates such third-party access to Personal Data or systems. CAKE.com certifies there is no applicable law or government policy that requires CAKE.com as importer to create or maintain back doors or to facilitate access to Personal Data or systems.

6.3 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CAKE.com shall maintain appropriate technical and organizational measures with regard to User Personal Data and to ensure a level of security appropriate to the risk, including, but not limited to, the “Security Measures” set out in Annex II to the Standard Contractual Clauses (attached here as EXHIBIT B). User acknowledges that the Security Measures are subject to technical progress and development and that CAKE.com may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.

7. International Transfers of Personal Data

7.3 CAKE.com may not update the Services in a way that would remove User's ability to choose to store certain Personal Data at rest within the European Economic Area (“EEA”).

7.3 User acknowledges and agrees that CAKE.com may transfer and process User Personal Data to and in the United States. CAKE.com may transfer User Personal Data to third countries (including those outside the EEA without an adequacy statement from the European Commission) to Affiliates, its professional advisors, or its Authorized Subprocessors, including when a CAKE.com End User knowingly connects to data processing operations supporting the Services from such locations (for example, when the End user travels outside of the territory of the EU). CAKE.com shall ensure that such transfers are made in compliance with Applicable Data Protection Law and this Addendum.

7.3 Any transfer of User's Personal Data made subject to this Addendum from member states of the European Union, the EEA, Switzerland or the United Kingdom to any country that does not ensure an adequate level of protection according to the European Commission, the FDIPC, or UK Information Commissioner's Office (as applicable), shall be undertaken through the Standard Contractual Clauses, in connection with which the parties agree to the following:

1. EU SCCs (Controller to Controller Transfers). In relation to Personal Data that is protected by the EU GDPR and processed in accordance with Section 2.4 of this Addendum, the EU SCCs shall apply, completed as follows:
   1. Module One will apply;
   2. in Clause 7, the optional docking clause will apply;
   3. in Clause 11, the optional language will not apply;
   4. in Clause 17, Option 1 will apply, and the New EU SCCs will be governed by Irish law;
   5. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
   6. Annex I of the EU SCCs shall be deemed completed with the information set out in EXHIBIT A of this Addendum; and
   7. Subject to Section 6.3 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in EXHIBIT B to this Addendum.
2. EU SCCs (Controller to Processor/Processor to Processor Transfers). In relation to Personal Data that is protected by the EU GDPR and processed in accordance with Section 2.2 of this Addendum, the EU SCCs shall apply, completed as follows:
   1. Module Two or Module Three will apply (as applicable);
   2. in Clause 7, the optional docking clause will apply;
   3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.3 of this Addendum;
   4. in Clause 11, the optional language will not apply;
   5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
   6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
   7. Annex I of the EU SCCs shall be deemed completed with the information set out in EXHIBIT A to this Addendum; and
   8. Subject to Section 6.3 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in EXHIBIT B to this Addendum.
3. Transfers from the UK. In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:
   1. The EU SCCs shall also apply to transfers of such Personal Data, subject to sub-Section (ii) below;
   2. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above in Section 7.3 (a)-(b) of this Addendum, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Addendum.
4. Transfers from Switzerland. In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply in accordance with Sections 7.3 (a)-(b), with the following modifications:
   1. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
   2. references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
   3. references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDIPC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCS shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in EXHIBIT A and EXHIBIT B to this Addendum.

7.4 It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum) the Standard Contractual Clauses shall prevail to the extent of such conflict.

7.5 CAKE.com may adopt a replacement data export mechanism (including any new version of or successor to the Standard Contractual Clauses or alternative mechanisms adopted pursuant to Applicable Data Protection Law) (“Alternative Transfer Mechanism”). So long as the Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which User Personal Data is transferred on behalf of the User, User agrees to execute documents and take other reasonably necessary actions to give legal effect to such Alternative Transfer Mechanism.

7.6 CAKE.com will follow European Data Protection Board requirements and Applicable Data Protection Law requirements concerning the completion of a data transfer impact assessment (“DTIA”).

8. Rights of Data Subjects

To the extent that CAKE.com is a Processor:

8.1 CAKE.com shall promptly notify User upon receipt of a request by a Data Subject to exercise Data Subject rights under Applicable Data Protection Law. CAKE.com will advise the Data Subject to submit his or her request to User, and User will be solely responsible for responding to such Data Subjects’ request.

8.2 CAKE.com shall, taking into account the nature of the Processing, and to the extent that the User is unable to directly respond to requests from Data Subjects to exercise their rights under the applicable Data Protection Law, upon User’s request, provide reasonable assistance to the User by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of User's obligation to respond to requests for exercising the Data Subject's rights (regarding information, access, rectification and erasure, restriction of Processing, notification, data portability, objection and automated decision-making) under Applicable Data Protection Law, to facilitate such Data Subject request to the extent able and only as required by applicable Data Protection Law. The User shall reimburse CAKE.com for the commercially reasonable costs arising from this assistance.

9. Disclosure of Personal Data

9.1 CAKE.com will not disclose or provide access to any User Personal Data except:

1. as User directs;
2. as described in this Addendum; or
3. as required by law.

9.2 If a court, law enforcement authority, intelligence agency or other competent authority contacts CAKE.com with a demand for User Personal Data, CAKE.com will first assess if it is a legitimate order consistent with Applicable Data Protection Law requirements as well as with the Agreement, this Addendum and applicable CAKE.com`s policies and procedures. If so, CAKE.com will attempt to redirect this third party to request that data directly from User.

If compelled to disclose or provide access to any User Personal Data to law enforcement authority, for law enforcement purposes such as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security, CAKE.com shall abide by the request or order of a law enforcement authority to the extent it is legally required, necessary and proportionate.

If CAKE.com is prohibited by law from fulfilling its obligations under this Section 9.2, CAKE.com shall represent the reasonable interests of User. This is in all cases understood to mean:

1. CAKE.com shall document a legal assessment of the extent to which: (i) CAKE.com is legally obliged to comply with the request or order; and (ii) CAKE.com is effectively prohibited from complying with its obligations in respect of the User under this Addendum.
2. CAKE.com shall not provide more User Personal Data than is strictly necessary for complying with the request or order.
3. If CAKE.com becomes aware of a situation where it has reason to believe that the laws and practices in the third country of destination applicable to the processing of the Personal Data by CAKE.com, its Affiliates and Authorized Subprocessors, including any requirements to disclose Personal Data or measures authorizing access by public authorities, will prevent CAKE.com from fulfilling its obligations under this Addendum, CAKE.com will inform User without undue delay after CAKE.com becomes aware of such a situation.

10. Compliance Auditing

10.1 CAKE.com will conduct third-party audits to attest to the ISO 27001 and AICPA Service Organization Control - SOC 2 Type II frameworks as follows:

1. CAKE.com will conduct at least one audit annually. CAKE.com will audit the Security, Availability and Privacy Criteria in the SOC-2 audit.
2. Audits will be performed according to the standards and rules of the regulatory or accreditation body for the applicable control standard or framework.
3. Audits will be performed by qualified, independent, third-party security auditors at CAKE.com's selection and expense.

10.2 Each audit will result in the generation of an audit report (“CAKE.com Audit Report”), which CAKE.com will make available to User upon request. The CAKE.com Audit Report will be CAKE.com's Confidential Information. CAKE.com will promptly remediate issues raised in any CAKE.com Audit Report to the satisfaction of the auditor.

10.3 At its request and cost, User is entitled to have an audit carried out by a mutually agreed upon auditor to demonstrate that CAKE.com complies with the provisions of this Addendum and Clause 8.9 “Documentation and compliance” (EU SCCs) for the processing of Personal Data. User may exercise the right no more than once a year, except in respect of an additional audit following (i) a CAKE.com data breach or (ii) if specifically ordered by User's national Supervisory Authority.

10.4 Following receipt by CAKE.com of a request for an audit under this Section 10.4, CAKE.com and User will discuss and agree in advance on

1. the identity of an independent and suitably qualified third-party auditor to conduct the audit;
2. the reasonable start date and duration (not to exceed two weeks in respect of any on premise audits) of any such audit;
3. the scope, process and normative framework of the audit, including: (i) the data processing outcomes, information, and control requirements to be in scope of the audit evidence requirements; and (ii) the nature and process for satisfactory audit evidence; and
4. the security and confidentiality controls applicable to any such audit. All audits must be conducted in accordance with recognized international auditing standards.

10.5 Nothing in this Addendum will require CAKE.com to provide Personal Data of other CAKE.com users or access to any CAKE.com systems or facilities that are not involved in the provision of the contracted Services.

11. Cooperation

CAKE.com shall provide the User with all required assistance and cooperation in enforcing the obligations of the parties under Applicable Data Protection Law. To the extent that such assistance relates to the Processing of User Personal Data for the purpose of the performance of the Agreement, CAKE.com shall in any event provide User with such assistance relating to:

1. The security of User Personal Data;
2. Performing checks and audits;
3. Performing Data Protection Impact Assessments (“DPIA”);
4. Prior consultation with the Supervisory Authority;
5. Responding to requests from the Supervisory Authority or another government body;
6. Responding to requests from Data Subjects;
7. Reporting User Personal Data Breaches.

12. Security incidents and data breaches

12.1 In the event of a confirmed Personal Data Breach (at CAKE.com or at a subprocessor of CAKE.com), affecting any of User’s Personal Data, CAKE.com shall, without undue delay, inform the User of the Personal Data Breach, its nature and scope, and the remedial actions CAKE.com will undertake, and take such steps as CAKE.com in its sole discretion deems necessary and reasonable to remediate such violation and initiate remedial actions that are in compliance with Applicable Data Protection Law. In the event of such a Personal Data Breach, CAKE.com shall, to the extent required under Applicable Data Protection Law, and taking into account the nature of the Processing and the information available to CAKE.com, promptly provide the User with reasonable cooperation and assistance necessary for User to comply with its obligations under Applicable Data Protection Law with respect to notifying relevant Personal Data Breach to (i) the relevant Supervisory Authority and/or (ii) Data Subjects affected by such Personal Data Breach without undue delay. The User will be responsible for fulfilling its obligations under Applicable Data Protection Law. Notification(s) of Personal Data Breach, if any, will be delivered to the authorized representative of the User by any means CAKE.com selects, including via email. It is the User’s sole responsibility to ensure User maintains accurate contact information on CAKE.com’s management console and secure transmission at all times.

12.2 In the event of a large scale, as determined by CAKE.com, confirmed Personal Data Breach (with CAKE.com or an Authorized Subprocessor of CAKE.com), User allows CAKE.com to independently alert and consult the relevant Supervisory Authorities in order to better inform the User what steps the Supervisory Authorities expect.

12.3 The obligations described in Sections 12.1 and 12.2 shall not apply if a Personal Data Breach results from the actions or omissions of User, except where required by Applicable Data Protection Law. If the Personal Data Breach is caused by User`s affiliate, employee, contractor, or agent, or due to User`s failure to maintain User`s systems, network, or User Personal Data in a secure manner, the User shall have sole responsibility for initiating remedial actions and the User shall notify CAKE.com immediately of the Personal Data Breach and steps the User will take to remedy such breach. CAKE.com may take any action, in its sole discretion, including suspension of User`s access to the Services, to prevent harm to the User, CAKE.com, the Services, or other third parties. The User waives any right to raise a claim against CAKE.com for losses User incurs that may result from CAKE.com`s respective actions.

12.4 CAKE.com's obligation to report or respond to a Personal Data Breach under Sections 12.1 and 12.2 is not and will not be construed as an acknowledgement by CAKE.com of any fault or liability of CAKE.com with respect to the Personal Data Breach.

13. US State Law Privacy Exhibit

13.1 To the extent that User (i) is a “business” and CAKE.com processes “personal information” (as those terms are defined by the CCPA) on User’s behalf, or (ii) is a “controller” and CAKE.com processes “personal data” (as each of those terms are defined by the applicable Specific US State Data Protection Laws) on User’s behalf, or (iii) meets both criteria set out in (i) and (ii), then the CAKE.com US State Law Privacy Exhibit, attached hereto as EXHIBIT C to this Addendum, shall apply to CAKE.com’s “processing” of User’s “personal information” and “personal data” (as each of those terms are defined under the applicable Specific US State Data Protection Laws).

13.2 In the event of a conflict between EXHIBIT C and any other parts of this Addendum with respect to CAKE.com’s “processing” of “personal information” and “personal data” (as each of those terms are defined under the Specific US State Data Protection Laws), the terms of EXHIBIT C control and govern over other parts of this Addendum with respect to the parties’ obligations under the applicable Specific US State Data Protection Laws.

14. General

14.1 This Addendum may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

14.2 User and CAKE.com acknowledge that the other party may disclose the Standard Contractual Clauses, this Addendum, and any privacy-related provisions in the Agreement to any Supervisory Authority upon request.

14.3 Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement or any other documentation, with regard to the subject matter of this Addendum, this Addendum shall prevail to the extent of that conflict.

14.4 If there is a change in (i) Specific US State Data Protection Law, (ii) Applicable Data Protection Law, or (iii) a determination, decision, or order by a Supervisory Authority or competent court affecting this Addendum or the lawfulness of any Processing activities under this Addendum, then CAKE.com may propose supplements and modifications to this Addendum. If the User objects to the supplement or modification, then User must object to the supplement or modification within thirty (30) days or the right to object is waived. If User timely objects to the appropriateness of the supplement or modification, then the parties will work to resolve their differences, and if resolution cannot occur within thirty (30) days of User’s notice of objection, then either party may terminate this Addendum and any affected portion(s) of the Agreement. All supplements and modifications will be in writing and signed by the parties, unless the terms of the Agreement provide otherwise.

14.5 The provisions of this Addendum are severable. If any phrase, clause or provision or Exhibit (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Addendum or the remainder of the Exhibit, shall remain in full force and effect.

14.6 This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.

EXHIBIT A

Annex I: Description of the Processing/Transfer

Controller to Controller

A) List of Parties:

B) Description of Transfer:

Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”). With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

Controller to Processor

A) List of Parties:

B) Description of Transfer

C) Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is ICO. With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

EXHIBIT B

Technical and Organizational Security Measures

CAKE.com’s technical and organizational security measures for Processing User Personal Data will meet the Minimum-Security Control Requirements set out in this EXHIBIT B (“Security Measures”). User recognizes that there may be multiple acceptable approaches to accomplish a particular minimum control requirement. CAKE.com shall document in reasonable detail how a particular control meets the stated minimum control requirement. CAKE.com may revise the Security Measures from time to time. The term “should” in these Security Measures means that CAKE.com will use commercially reasonable efforts to accomplish the stated minimum control requirement and will document those efforts in reasonable detail, including the rationale, if any, for deviation.

As used in these Security Measures, (i) “including” and its derivatives mean “including but not limited to”; and (ii) any capitalized terms not defined in this EXHIBIT B shall have the same meaning as set forth in this Addendum.

1. Definitions

1.1 “Systems” means CAKE.com’s production systems.

1.2 “Assets” means CAKE.com’s production assets.

1.3 “Facilities” means CAKE.com’s production facilities, whether owned or leased by CAKE.com.

2. Risk Management

2.1 Risk Assessment Program. The effectiveness of controls must be regularly validated through a documented risk assessment program and appropriately managed remediation efforts.

2.2 Risk Assessment. A risk assessment must be performed on a regular basis to verify the implementation of controls that protect business operations and User Content.

3. Security Policy

3.1 A documented set of rules and procedures must regulate the Processing of information and associated services.

3.2 Security Policies and Exception Process. Security policies must be documented, reviewed, and approved, with management oversight, on a periodic basis, following industry best practices.

3.3 A risk-based exception management process must be in place for prioritization, approval, and remediation or risk acceptance of controls that have not been adopted or implemented.

3.4 Awareness and Education Program. Security policies and responsibilities must be communicated and socialized within the organization to CAKE.com personnel. CAKE.com personnel must receive security awareness training on a regular basis.

4. Organizational Security

4.1 A personnel security policy must be in place to establish organizational requirements to ensure proper training, competent performance, and an appropriate and accountable security organization.

4.2 Organization. Current organizational charts representing key management responsibilities for services provided must be maintained.

4.3 Background Checks. Where legally permissible, background checks (including criminal) must be performed on applicable CAKE.com personnel.

4.4 Confidentiality Agreements. CAKE.com personnel must be subject to written non-disclosure or confidentiality obligations.

5. Technology Asset Management

5.1 Controls must be in place to protect CAKE.com production assets, including mechanisms to maintain an accurate inventory of assets and handling standards for introduction and transfer, removal and disposal of assets.

5.2 Accountability. A process for maintaining an inventory of hardware and software assets and other information resources, such as databases and file structures, must be documented. Process for periodic asset inventory reviews must be documented. Identification of unauthorized or unsupported hardware/software must be performed.

5.3 Asset Disposal or Reuse. If applicable, CAKE.com will use industry standards to wipe or carry out physical destruction as the minimum standard for disposing of assets. CAKE.com must have documented procedures for disposal or reuse of assets.

5.4 Procedures must be in place to remove data from production systems in which User’s Personal Data are stored, processed, or transmitted.

6. Physical and Environmental

6.1 Controls must be in place to protect systems against physical penetration by malicious or unauthorized people, damage from environmental contaminants and electronic penetration through active or passive electronic emissions.

6.2 Physical and Environmental Security Policy. Physical and environmental security plans must exist for facilities and scenarios involving access or storage of User’s Personal Data. Additional physical and environmental controls must be required and enforced for applicable facilities, including servers and datacenter locations.

6.3 Physical Access. Physical access, to include visitor access to facilities, must be restricted and all access periodically reviewed.

6.4 Policies must be in place to ensure that information is accessed on a need-to-know basis.

6.5 Environmental Control. Facilities, including data and processing centers, must maintain appropriate environmental controls, including fire detection and suppression, climate control and monitoring, power and back-up power solutions, and water damage detection. Environmental control components must be monitored and periodically tested.

7. Communication and Connectivity

7.1 CAKE.com must implement controls over its communication network to safeguard data. Controls must include securing the production network and implementation of logging and monitoring, and disabling communications where no business need exists.

7.2 Network Identification. A production network diagram, to include production devices, must be kept current to facilitate analysis and incident response.

7.3 Data Flow Diagram. A current data flow diagram must depict data from origination to endpoint (including data which may be shared with subprocessors).

7.4 Firewalls. Firewalls must be used for the isolation of all environments, to include physical, virtual, network devices, production and non-production, and application/presentation layers. Firewall management must follow a process that includes restriction of administrative access, and that is documented, reviewed, and approved, with management oversight, on a periodic basis.

7.5 The production network must be either firewalled or physically isolated from the development and test environments. Multi-tier security architectures that segment application tiers (e.g., presentation layer, application and data) must be used.

7.6 Clock Synchronization. Production network devices must have internal clocks synchronized to reliable time sources.

7.7 Remote Access. The data flow in the remote connection must be secured and multi-factor authentication must be utilized during the login process.

7.8 Subprocessors’ remote access, if any, must adhere to the same controls and must have a valid business justification.

7.9 Wireless Access. Wireless access to the CAKE.com corporate network must be configured to require authentication.

8. Change Management

8.1 Changes to the production systems, production network, applications, data files structures, other system components, and physical/environmental changes must be monitored and controlled through a formal change control process. Changes must be reviewed, approved, and monitored during post implementation to ensure that expected changes and their desired result are accurate.

8.2 Change Policy and Procedure. A change management policy, including application, operating system, network infrastructure, and firewall changes must be documented, reviewed, and approved, with management oversight, on a periodic basis.

8.3 The change management policy must include clearly identified roles and responsibilities so as to support separation of duties (e.g., request, approve, implement). The approval process must include pre- and post-evaluation of change.

9. Operations

9.1 Documented operational procedures must ensure the correct and secure operation of CAKE.com's assets. Operational procedures must be documented and include monitoring of capacity, performance, service level agreements and key performance indicators.

10. Access Control

10.1 Authentication and authorization controls must be appropriately robust for the risk of the system, data, application, and platform; access rights must be granted based on the principle of least privilege and monitored to log access and security events, using tools that enable rapid analysis of user activities.

10.2 Logical Access Control Policy. Documented logical access policies and procedures must support role-based, “need-to-know” access (e.g., interdepartmental transfers, terminations) and ensure separation of duties during the approval and provisioning process. Each account provisioned must be uniquely identified. User access reviews must be conducted on a periodic basis.

10.3 Privileged Access. Management of privileged user accounts (e.g., those accounts that have the ability to override system controls), to include service accounts, must follow a documented process and be restricted. A periodic review and governance process must be maintained to ensure appropriate provisioning of privileged access.

10.4 Authentication and Authorization. A documented authentication and authorization policy must cover all applicable systems. That policy must include password provisioning requirements, password complexity requirements, password resets, thresholds for lockout attempts, thresholds for inactivity, and assurance that no shared accounts are utilized.

11. Data Integrity

11.1 Controls must ensure that any data stored, received, controlled, or otherwise accessed is accurate and reliable. Procedures must be in place to validate data integrity.

11.2 Data Transmission Controls. Processes, procedures, and controls must be documented, reviewed, and approved, with management oversight, on a periodic basis, to ensure data integrity during transmission and to validate that the data transmitted is the same as data received.

11.3 Data Transaction Controls. Controls must be in place to protect the integrity of data transactions at rest and in transit.

11.4 Data Policies. A policy must be in place to cover data classifications, key and certificate lifecycle management, cryptographic algorithms and associated key lengths. This policy must be documented, reviewed, and approved with management oversight, on a periodic basis.

12. Incident Response

12.1 A documented plan and associated procedures, to include the responsibilities of CAKE.com personnel and identification of parties to be notified in case of an information security incident, must be in place.

12.2 Incident Response Process. The information security incident management program must be documented, tested, updated as needed, reviewed, and approved, with management oversight, on a periodic basis. The incident management policy and procedures must include prioritization, roles and responsibilities, procedures for escalation (internal) and notification, tracking and reporting, containment and remediation, and preservation of data to maintain forensic integrity.

13. Business Continuity and Disaster Recovery

13.1 CAKE.com must have formal documented recovery plans to identify the resources and specify actions required to help minimize losses in the event of a disruption to the business unit, support group unit, application, or infrastructure component. Plans assure timely and orderly recovery of business, support processes, operations, and technology components within an agreed upon time frame and include orderly restoration of business activities when the primary work environment is unavailable.

13.2 Business Recovery Plans. Comprehensive business resiliency plans addressing business interruptions of key resources supporting services, including those provided by subprocessors, must be documented, tested, reviewed, and approved, with management oversight, on a periodic basis. The business resiliency plan must have an acceptable alternative work location in place to ensure service level commitments are met.

13.3 Technology Recovery. Technology recovery plans to minimize service interruptions and ensure recovery of systems, infrastructure, databases, applications, etc. must be documented, tested, reviewed, and approved with management oversight, on a periodic basis.

14. Back-ups

14.1 CAKE.com must have policies and procedures for back-ups of User’s Personal Data. Backups must be protected using industry best practices.

14.2 Back-up and Redundancy Processes. Processes enabling full restoration of production systems, applications, and data must be documented, reviewed, and approved, with management oversight, on a periodic basis.

15. Third-Party Relationships

15.1 Subprocessors must be identified, assessed, managed, and monitored. Subprocessors that provide material services, or that support CAKE.com's provision of material services to Users, must comply with control requirements no less stringent than those outlined in this document.

15.2 Selection and Oversight. CAKE.com must have a process to identify subprocessors providing services to CAKE.com; these subprocessors must be disclosed to the User and approved to the extent required by this Agreement.

15.3 Lifecycle Management. CAKE.com must establish contracts with subprocessors providing material services; these contracts should incorporate security control requirements, including data protection controls and notification of security and privacy breaches must be included. Review processes must be in place to ensure subprocessors’ fulfillment of contract terms and conditions.

16. Standard Builds

16.1 Production systems must be deployed with appropriate security configurations and reviewed periodically for compliance with CAKE.com’s security policies and standards.

16.2 Secure Configuration Availability. Standard security configurations must be established, and security hardening demonstrated. Process documentation must be developed, maintained, and under revision control, with management oversight, on a periodic basis. Configurations must include security patches, vulnerability management, default passwords, registry settings, file directory rights and permissions.

16.3 System Patches. Security patch process and procedures, to include requirements for timely patch application, must be documented.

16.4 Operating System. Versions of operating systems in use must be supported and respective security baselines documented.

16.5 Desktop Controls. Systems must be configured to provide only essential capabilities.

17. Application Security

17.1 CAKE.com must have an established software development lifecycle for the purpose of defining, acquiring, developing, enhancing, modifying, testing, or implementing information systems. CAKE.com must ensure that web-based and mobile applications used to store, receive, send, control, or access User Personal Data are monitored, controlled, and protected.

17.2 Functional Requirements. Applications must implement controls that protect against known vulnerabilities and threats, including Open Web Application Security Project (“OWASP”) Top 10 Risks and denial of service (DoS) attacks.

17.3 Application layer controls must provide the ability to filter the source of malicious traffic.

17.4 Restrictions must also be placed on or in front of web server resources to limit denial of service (DoS) attacks.

17.5 CAKE.com must monitor uptime on a hosted web or mobile application.

17.6 Software Development Life Cycle. A Software Development Life Cycle (SDLC) methodology, including release management procedures, must be documented, reviewed, approved, and version-controlled, with management oversight, on a periodic basis. These must include activities that foster the development of secure software.

17.7 Testing and Remediation. Software executables related to client/server architecture that are involved in handling User Personal Data must undergo vulnerability assessments (both the client and server components) prior to release and on an on-going basis, either internally or using external experts, and any gaps identified must be remediated in a timely manner.

1. Testing must be based on, at a minimum, the OWASP Top 10 risks (or the OWASP Mobile Top 10 risks, where applicable), or comparable replacement.
2. CAKE.com must conduct penetration testing on a regular basis.

18. Vulnerability Monitoring

18.1 CAKE.com must continuously gather information and analyze vulnerabilities in light of existing and emerging threats and actual attacks. Processes must include vulnerability scans, anti-malware, Intrusion Detection Systems (“IDS”)/Intrusion Prevention Systems (IPS), logging and security information and event management analysis and correlation.

18.2 Vulnerability Scanning and Issue Resolution. Vulnerability scans (authenticated and unauthenticated) and penetration tests must be performed against internal and external networks and applications periodically and prior to system provisioning for production systems that process, store or transmit User Content.

18.3 Malware. In production, CAKE.com must employ tools to detect, log, and disposition malware.

18.4 Intrusion Detection/Advanced Threat Protection. Network and host-based intrusion detection/advanced threat protection must be deployed with events generated fed into centralized systems for analysis. These systems must accommodate routine updates and real-time alerting. IDS/advanced threat protection signatures must be kept up to date to respond to threats.

18.5 Logging and Event Correlation. Monitoring and logging must support the centralization of security events for analysis and correlation. Organizational responsibility for responding to events must be defined. Retention schedule for various logs must be defined and followed.

19. Cloud Technology

19.1 Adequate safeguards must ensure the confidentiality, integrity, and availability of User Personal Data stored, processed or transmitted using cloud technology (either as a cloud customer or cloud provider, to include subprocessors), using industry standards.

19.2 Audit Assurance and Compliance. The cloud environment in which data is stored, processed or transmitted must be compliant with relevant industry standards and regulatory restrictions.

19.3 Application and Interface Security. Threat modeling should be conducted throughout the software development lifecycle, including vulnerability assessments, including Static/Dynamic scanning and code review, to identify defects and complete remediations before hosting in cloud environments.

19.4 Business Continuity Management and Operational Resiliency. Business continuity plans to meet recovery time objectives (RTO) and recovery point objectives (RPO) must be in place.

19.5 Data Security and Information Lifecycle Management. Proper segmentation of data environments and segregation must be employed; segmentation/segregation must enable proper sanitization, per industry requirements.

19.6 Governance and Risk Management. Comprehensive risk assessment processes and centralized monitoring that enables incident response and forensic investigation must be used to ensure proper governance and oversight.

19.7 Identity and Access Management. Management of accounts, including accounts with privileged access, must prevent unauthorized access and mitigate the impacts thereof.

19.8 Infrastructure and Virtualization Security. Controls defending against cyberattacks, including the principle of least privilege, baseline management, intrusion detection, host/network-based firewalls, segmentation, isolation, perimeter security, access management, detailed data flow information, network, time, and a SIEM solution must be implemented.

19.9 Supply Chain Management, Transparency and Accountability. CAKE.com must be accountable for the confidentiality, availability and integrity of production data, including data processed in cloud environments by subprocessors.

19.10 Threat and Vulnerability Management. Vulnerability scans (authenticated and unauthenticated) must be performed, both internally and externally, for production systems. Processes must be in place to ensure tracking and remediation.

20. Audits

20.1 CAKE.com will conduct an independent third-party review of its security policies, standards, operations, and procedures related to the Services provided to User, on a regular basis. Such a review will be conducted in accordance with the AICPA Service Organization Control (SOC) 2 Type II audit standards - AICPA's Statements on Standards for Attestation Engagements (SSAE), and CAKE.com will be issued a SOC 2 Type II report. Upon the User’s request, CAKE.com will provide the User with a copy of the SOC 2 Type II report within thirty (30) days. If applicable, CAKE.com will provide a bridge letter to cover time frames not covered by the SOC 2 Type II audit period scope within 30 days, upon request by the User. If exceptions are noted in the SOC 2 Type II audit, CAKE.com will document a plan to promptly address such exceptions and shall implement corrective measures within a reasonable and specific period. Upon the User’s reasonable request, CAKE.com will keep User informed of progress and completion of corrective measures.

20.2 User shall rely on the third-party audit SOC 2 Type II report for validation of proper information security practices and shall not have the right to audit, unless such right is granted under applicable law, except in the case of a Security Breach resulting in a material business impact to User. If the User exercises the right to audit as a result of a Security Breach, such audit shall be within the scope of the Services. User will provide CAKE.com with a minimum of thirty (30) days of notice prior to the audit. CAKE.com shall have the right to approve any third-party User may choose to conduct or be involved in the audit.

21. Specific Measures

EXHIBIT C

US State Law Privacy Exhibit

This US State Law Privacy Exhibit (“State Law Exhibit”) supplements the terms of this Addendum to which it is attached and sets forth certain data privacy rights and obligations in connection with Specific US State Data Protection Laws. Capitalized terms used in this EXHIBIT C but not otherwise defined herein have the meaning ascribed to them in this Addendum or the Agreement.

Section A – General Provisions. This Section A of the State Law Exhibit applies to CAKE.com’s provision of and User’s use of the Services to the extent that User is a Business or a Controller and CAKE.com Processes or is Processing User’s Personal Information or Personal Data pursuant to CCPA or other Specific US State Data Protection Laws.

1. Definitions. As used throughout this State Law Exhibit, “User” means a Business or Controller that subscribes to CAKE.com Services. Capitalized terms used in this Section A, but not otherwise defined, have the meaning ascribed to them in Sections B 1. and C 1. below.
2. Audits and Assessments. CAKE.com will conduct third-party audits and assessments in accordance with Section 10.1 and 10.2 of this Addendum.
3. Restrictions on Receipt of Information. Nothing under this State Law Exhibit shall require CAKE.com to disclose: (a) any data or information of any other user of CAKE.com, or any third party; (b) any internal accounting or financial information; (c) any trade secret of CAKE.com; or (d) any information that, in CAKE.com’s reasonable opinion could: (i) compromise the security of CAKE.com’s networks, systems, or premises; (ii) cause CAKE.com to breach its security or privacy obligations to any third party; or (iii) any information sought for any reason other than the reasons outlined in this State Law Exhibit. CAKE.com may require User’s agreement to reasonable CAKE.com (or its third-party auditor or assessor’s) terms and conditions prior to providing the CAKE.com Audit Report to User.
4. Deletion of Data. CAKE.com will (a) as required by Specific US State Data Protection Laws applicable to User and at User’s direction, delete or return all Personal Data to the User at the end of the provision of Services or (b) as required by the CCPA, not retain, use, or disclose Personal Information upon termination or expiration of the relationship between the User and CAKE.com. Nothing in this Section A 4. will require CAKE.com to (i) delete or return data that it must retain pursuant to applicable Laws or (ii) return instead of destroying Personal Data to the extent that return is not technically feasible, or return would impose substantial burdens, costs, or both upon CAKE.com.

Section B - California. This Section B of the State Law Exhibit applies to CAKE.com’s provision of and User’s use of the Services to the extent that User is a Business and CAKE.com is Processing Personal Information on User’s behalf pursuant to CCPA.

1. Definitions. As used in this Section B of the State Law Exhibit: (a) “Business”, “Business Purpose”, “Commercial Purpose”, “User”, “Processing”, “Sell”, “Service Provider” and “Share” have the respective meanings given in the CCPA; and (b) “Personal Information” means “personal information” as defined in the CCPA, but only to the extent the personal information is collected, accessed, obtained, received, used, disclosed, or otherwise processed by CAKE.com as a result of CAKE.com’s provision of Services to User in its capacity as a Business under the Agreement.
2. Acknowledgments and Obligations. CAKE.com (a) acknowledges that Personal Information is disclosed by User only for the limited and specified purposes of providing the Services described in the Agreement and for the purposes described in the Agreement; (b) shall comply with obligations applicable to Service Providers under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA, including the same privacy protection required to be provided by Businesses; (c) agrees that User may take reasonable and appropriate steps consistent with Section A 2. of this State Law Exhibit to help to ensure that CAKE.com’s use of Personal Information is consistent with User’s obligations under the CCPA; (d) shall notify User promptly of any determination made by CAKE.com that it can no longer meet its obligations under the CCPA; and (e) agrees that User may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, consistent with and in accordance with applicable regulations, by requesting reasonable documentation from CAKE.com that verifies CAKE.com no longer retains or uses Personal Information that is subject to a valid deletion request.
3. Restrictions. CAKE.com shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the purpose(s) described in Section B 2. (a) of this State Law Exhibit, or as otherwise permitted by the CCPA, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than such purpose(s) or the servicing of a different Business; (c) retain, use or disclose Personal Information outside of the direct business relationship between CAKE.com and User, except to the extent permitted by CCPA; or (d) combine the Personal Information received pursuant to the Agreement with Personal Information received from another party, or CAKE.com’s own interactions with the User to whom the Personal Information pertains, except to the extent a Service Provider is permitted to do so under the CCPA. CAKE.com hereby certifies that it understands its obligations under this State Law Exhibit and will comply with them.
4. Audits, Reviews, and Assessments. User, subject to reasonable requirements and written agreements as required by CAKE.com and consistent with the CCPA, and at User’s sole cost and expense, may audit, review, or assess CAKE.com not more than once every twelve (12) months, in accordance with Section A 2. of this State Law Exhibit.
5. Consumer Requests. User will promptly notify CAKE.com and provide all necessary information to CAKE.com after receiving and verifying a Consumer request, and CAKE.com shall promptly take such actions and provide such information as User may reasonably request pertaining to a Consumer’s Personal Information in order to help User fulfill requests of individuals to exercise their rights under the CCPA, including, without limitation, requests to access, correct, delete, opt out of the Sale or Sharing of, or receive information about Personal Information pertaining to them. If CAKE.com receives any request directly from User’s Consumer(s), then CAKE.com may either (i) advise the Consumer to contact User directly with such request or (ii) contact User to respond directly to the Consumer.

Section C – Virginia, Colorado, Utah & Other States. This Section C of the State Law Exhibit applies to CAKE.com’s provision of and User’s use of the Services to the extent that User is a Controller of Personal Data and CAKE.com Processes User’s Personal Data under Specific US State Data Protection Laws.

1. Definitions. As used in this Section C of the State Law Exhibit: (a) “Controller”, “Personal Data”, “Process” and “Processor” shall have the respective meanings given to them in the Specific US State Data Protection Laws; and (b) “Instructions” has the meaning given below.
2. Processing of Personal Data: Roles, Scope, and Responsibility.
   1. For the purposes of this State Law Exhibit, the parties acknowledge and agree to the following: (i) User is the Controller of User Personal Data and (ii) CAKE.com is the Processor of User Personal Data.
   2. Only to the extent necessary and proportionate, User as Controller instructs CAKE.com to perform the activities as Processor on behalf of User in accordance with the Instructions set forth in Section 2.2 of this Addendum.
   3. To the extent that CAKE.com acts as a Processor of User Personal Data, CAKE.com shall Process User Personal Data only in accordance with User’s Instructions. User shall ensure that its Instructions to CAKE.com comply with all Laws, rules, and regulations applicable to the User Personal Data, and that the Processing of User Personal Data per User's Instructions will not cause CAKE.com to be in breach of Specific US State Data Protection Laws. User is solely responsible for the accuracy, quality, and legality of (i) the User Personal Data provided to CAKE.com by or on behalf of User; (ii) how User acquired any such User Personal Data; and (iii) the Instructions it provides to CAKE.com regarding the Processing of such User Personal Data. User shall not provide or make available to CAKE.com any User Personal Data in violation of the Agreement, this Addendum, or this State Law Exhibit.
   4. The User authorizes CAKE.com to conduct scanning and reporting of Personal Data in limited circumstances (e.g. to comply with other applicable Laws; to ensure compliance with CAKE.com’s applicable policies and procedures).
   5. With regard to Personal Data, the “EXHIBIT A Controller to Processor” portion of this Addendum further describes the nature and purposes of the Processing, the types of Personal Data to be Processed, and the duration of the Processing.
3. Authorized Persons. CAKE.com shall ensure that all persons authorized to Process User Personal Data are made aware of the confidential nature of User Personal Data and are subject to a duty of confidentiality with respect to the data.
4. Subcontractors and Subprocessors. To the extent that CAKE.com is a Processor, User hereby generally authorizes CAKE.com to engage subcontractors and subprocessors in accordance with this Section C 4.
   1. User approves CAKE.com’s use of the providers located at https://cake.com/sub-processors to Process User’s Personal Data.
   2. CAKE.com may remove, replace or appoint additional providers. CAKE.com shall notify User of any changes to these provider engagements. Where required by Specific US State Data Protection Laws, CAKE.com shall also provide an opportunity for User to object to the engagement in accordance with Sections C 4. (d) and C 4. (e) herein.
   3. In an emergency concerning availability or security of the Services, CAKE.com is not required to provide prior notification to User of the removal, replacement, or appointment of subcontractors, but shall provide notification within seven (7) business days following the change in a subcontractor.
   4. In either case, the User may object to such an engagement of a subcontractor in writing within fifteen (15) business days of receipt of the aforementioned notice by CAKE.com.
   5. If the User objects to the engagement of a new subcontractor, CAKE.com shall have the right to cure the objection through one of the following options (to be selected at CAKE.com's sole discretion):
      1. CAKE.com may cancel its plans to use the subcontractor with regard to User Personal Data.
      2. CAKE.com may take the corrective steps requested by the User in its objection (which remove User's objection) and proceed to use the subcontractor with regard to User Personal Data.
      3. CAKE.com may cease to provide or the User may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such a subcontractor with regard to User Personal Data. CAKE.com shall provide User with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If CAKE.com, in its sole discretion, cannot provide any such alternative(s), or if User does not agree to any such alternative(s), if provided, CAKE.com and User may terminate the affected portion(s) of the Agreement with thirty (30) days prior written notice. Termination shall not relieve the User of any fees or charges owed to CAKE.com for Services provided up to the effective date of the termination under the Agreement.
      4. If the User does not object to a new subcontractor’s engagement within fifteen (15) business days of notice issuance from CAKE.com, that new subcontractor shall be deemed accepted.
   6. CAKE.com shall engage any subcontractor that Processes User’s Personal Data only pursuant to a written contract and require the subcontractor to meet any obligations of CAKE.com that are subcontracted with respect to such Personal Data. CAKE.com remains liable to User where that subcontractor fails to fulfill its data protection obligations for the performance of that subcontractor's obligations to the same extent that CAKE.com would itself be liable under this State Law Exhibit had it conducted such acts or omissions.
5. Information Security. Taking into account the context of Processing, CAKE.com shall maintain appropriate technical and organizational measures with regard to User Personal Data to ensure a level of security appropriate to the risk in accordance with this State Law Exhibit and as otherwise expressly stated in the Agreement.
6. Compliance Information. Upon the reasonable request of User, CAKE.com shall make available to User reasonable information, consistent with and in accordance with applicable Laws, in CAKE.com’s possession necessary to demonstrate CAKE.com’s compliance with CAKE.com’s obligations in this State Law Exhibit.