KINAXIS SAAS SERVICES DATA PRIVACY ADDENDUM FOR CUSTOMERS

Scope

This Kinaxis SaaS Services Data Privacy Addendum for Customers (“Privacy Addendum”) covers the data privacy
practices that Kinaxis Inc. and its affiliated entities throughout the world (collectively referred to as “Kinaxis”) employ
when providing the Kinaxis proprietary software (including third party software licensed to Kinaxis) made available
by Kinaxis as a software as a service solution known as “RapidResponse™” at https://rapidresponse.kinaxis.com/
and/or other designated websites (the “Services”) to its customers (“Customer”, “you,” or “your”) pursuant to the
terms of an agreement entered into between Kinaxis and Customer for the purchase of the Services (the “Agreement”).
Kinaxis is committed to protecting your personal information and complying with all applicable data privacy laws and
regulations as amended from time to time, such as the EU Directive 95/46/EC and the EU Regulation 2016/679 on
the protection of natural persons about the Processing of personal data and on the free movement of such data (the
“GDPR”) and any enacting laws (“Data Privacy Laws”). For that reason, Kinaxis created this Privacy Addendum,
which explains Kinaxis’ treatment of personal data received from European Union (EU) member countries and
Switzerland when providing the Services.

1. Data Processing Terms

The following terms shall have the following meanings in this Privacy Addendum:

1.1 “Personal Data” means any information relating to an identified or identifiable natural person
(“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly,
in particular by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.

1.2 “Processing” means any operation or set of operations which is performed on Personal Data or on
sets of Personal Data, whether or not by automated means, such as collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction.

1.3 “Data Controller”' means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal data;

1.4 “Data Processor”' means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the Data Controller.

2. Data Privacy.

2.1 Kinaxis Assumptions. Based on your use of the Services, Kinaxis assumes that Personal Data
transferred by Customer or at Customer’s instructions (“Instruction(s)”) to Kinaxis pursuant to the
terms of the Agreement has been collected by you in accordance with all applicable Data Privacy
Laws. Kinaxis shall comply with all applicable Data Privacy Laws as amended from time to time.
Kinaxis agrees, and by using the Services you agree, that the provision of the Services may involve
the collection, processing, storage or recording of certain Personal Data of the Customer.

Kinaxis agrees, and by using the Services you agree, to comply with obligations to complete
formalities with respect to activities pursuant to the Services to the relevant supervisory authority
and further, Kinaxis shall take any other reasonable steps required by Data Privacy Laws and
requested by Customer, in order to enable Customer to comply with any notification to the relevant
 supervisory authorities, in particular in relation to the notification as may be required with respect
to data protection authorities, which Customer or its and/or Affiliate shall complete pursuant to
applicable Data Privacy Laws. The parties agree to maintain a record of processing activities under
their respective responsibility, in accordance with the terms of the GDPR.

Based on your use of the Services Kinaxis assumes Customer has informed all data subjects
concerned by the processing of their Personal Data pursuant to the Services and, where required by
applicable Data Privacy Laws, such data subjects have given their unambiguous consent to such
processing in accordance with Data Privacy Laws.

2.2 Kinaxis’ responsibilities.

Kinaxis hereby undertakes that it will:

(a) Use any such Personal Data solely for the purpose of executing the Instructions;

(b) Process the same only in accordance with the Agreement and the Instructions;

(c) Use the Personal Data strictly as necessary to carry out its obligations as part of the
Instructions and for no other purpose, thereby excluding any other processing or use of the
Personal Data for its own purposes as well as excluding the transfer of the Personal Data
to any third party unless expressly authorized by the Customer;

(d) Only subcontract its obligations under the terms of this Agreement by way of a written
agreement with the sub-processor which imposes the same obligations on the sub-processor
as are imposed on the provider under this Agreement;

(e) Ensure that the Personal Data is not disclosed or transferred to any third party without the
prior written consent of the Customer, except: (a) as specifically stated or for the necessary
performance of the Instructions, or (b) where such disclosure or transfer is required by any
applicable law, regulation or supervisory authority, in which case Kinaxis shall, wherever
possible, and legally permitted, notify promptly in writing the Customer prior to complying
with any such request for disclosure or transfer and shall comply with all reasonable
directions of the Customer with respect to such disclosure or transfer; and

(f) Implement and maintain commercially reasonable technical and organizational measures
to protect the Personal Data against accidental or unlawful destruction or accidental loss,
destruction, damage, corruption or alteration, or unauthorized disclosure or access and
against all other unlawful forms of processing.

Kinaxis will procure that any sub-processor that Kinaxis hires will:

(a) Comply with the terms of this Privacy Addendum and the Agreement;

(b) Assist Customer to comply with any obligations under Data Privacy Laws and not perform
its obligations under the Agreement in such a way as to cause Customer to breach Data
Privacy Laws;

(c) Ensure that each of its employees, agents or subcontractors are made aware of, and comply
with, Kinaxis’ obligations under this Agreement and Customer acknowledges that any
material failure by Kinaxis’ employees, agents or subcontractors to comply with the terms
of this Agreement shall be deemed a breach of this Agreement by Kinaxis;
 (d) Promptly notify Customer of: (a) any legally binding request for disclosure of the Personal
Data by a law enforcement authority unless otherwise prohibited from doing so by law; (b)
any request received for the Personal Data directly from a data subject (except where such
request relates only to that data subject’s registration information with respect to the
Services); and (c) any complaint, communication or request relating to Customer’s
obligations under applicable laws (including requests from a competent supervisory
authority).

(e) Implement or have available (including with assistance of Customer, as necessary), to the
extent required under Data Privacy Laws, appropriate mechanisms to ensure that Personal
Data can be accessed, corrected, restricted, deleted and blocked, and that data subjects can
exercise their right to data portability, due to statutory requirements, upon demand of a
supervisory authority, or of a data subject;

(f) Ensure that only such of its employees, agents or subcontractors who may be required by
Kinaxis to assist in performing any obligations imposed by Customer will have access to
the Personal Data and who are subject to written confidentiality and data security
obligations;

(g) Take reasonable steps to ensure the reliability of any employees of Kinaxis and sub-
contractor personnel who have access to the Personal Data;

(h) Notify Customer without undue delay of any material unauthorized or unlawful processing,
including any processing in violation of the provisions of this Agreement, or any accidental
loss, destruction, damage, alteration or disclosure of the Personal Data, and keep Customer
informed of any related developments; and

(i) Take reasonable steps to return, store, destroy or permanently de-identify Personal Data
when it no longer is necessary to retain it, in accordance with the terms of the Agreement,
Data Privacy Laws or other applicable law, and pursuant to the Instructions.

2.3 According to Data Privacy Laws, the parties acknowledge Kinaxis acts as a “Data Processor” in
relation to the Personal Data of Customer Kinaxis processes on Customer's behalf and Customer
remains the “Data Controller” with respect to such Personal Data. Customer is informed of and by
providing Personal Data to Kinaxis through use of the Services consents to, for the purpose of using
the Services, the whole or any part of its Personal Data being collected, processed or stored by
Kinaxis, its Affiliates and their third party suppliers.

2.4 In order to enable Customer to comply with any Data Privacy Laws, if required, Kinaxis and
Customer will enter into a version of a model contract deemed by the European Commission, on the
basis of Article 26 (4) of Directive 95/46/EC and Article 46 of the GDPR, to offer sufficient data
protection safeguards (as required by Article 26(2) of such Directive and Article 46 of the GDPR),
in relation to any transfer of Personal Data out of the European Economic Area.