US Data Protection Addendum
US Privacy Law Requirements
This Data Protection Addendum (“DPA”) specifies certain data protection obligations of Supplier under each agreement entered into between Supplier and DIRECTV (the “Agreement”) pursuant to which Supplier may process Personal Information as defined below. This DPA shall form part of and be incorporated by reference into the Agreement and may be updated by DIRECTV upon reasonable prior written notice to Supplier, but only to the extent and only as necessary to comply with applicable Law. At all times during the term of the Agreement, or after the term if Supplier retains access to Personal Information, Supplier shall, and shall cause its Subprocessors to, comply with this DPA. If there is a conflict between or among provisions in the Agreement and this DPA, the most consumer protective provision that also complies with the terms of this DPA will control.
1. DEFINITIONS
1.1 “Law” means any federal, state, provincial, local, municipal, foreign, international, multinational or other constitution, law, statute, treaty, rule, regulation, ordinance, or code relating to privacy, data protection, or cybersecurity, and any guidance issued by regulatory authorities competent to interpret or enforce the same, and includes any amendment, substitution, replacement or law enacting any of them. Without limiting the foregoing, “Law” includes the California Consumer Privacy Act and its regulations (collectively “CCPA”).
1.2 “DIRECTV Data” means all data or information, including Personal Information, made available to Supplier by or on behalf of DIRECTV under the Agreement.
1.3 “Personal Information” means (i) information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual or household; and (ii) without limiting clause (i), “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under any Law applicable to the relationship or performance of the parties to the Agreement, but in each case limited to the information that Supplier accesses or processes in connection with the work to be performed by Supplier for DIRECTV or for its benefit pursuant to the Agreement (“Services”). Individuals whose data is encompassed by this definition may include, but are not limited to, customers, potential customers, and employees of DIRECTV. References to “individual(s)” in this DPA include households and consumers where those terms are used by applicable Law.
1.4 “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on Personal Information or on sets of Personal Information, such as access to or the collection, use, modification, analysis, storage, retention, deletion, disclosure, dissemination, making available, transfer, sale, or sharing of Personal Information, whether orally, in writing, or by electronic or other means.
1.5 “Purpose,” “business purpose,” “specific purpose,” and terms of similar import, mean any or all of the following, as the context permits: (i) the purpose as specified in the Agreement preamble clauses or descriptions of the purpose of the relationship or the Services; and (ii) the purpose of the Services as expressed or inferred by the specific descriptions or intended outcomes of the Services in the Agreement or any orders, POs, statements of work or other ordering documents that identify or describe the specific Services provided pursuant to the Agreement.
1.6 “Subprocessor” means any person or entity that processes Personal Information on Supplier’s behalf, including any other persons or entities that process Personal Information on behalf of Supplier’s Subprocessors, to assist Supplier in its performance of the Agreement.
2. GENERAL SUPPLIER OBLIGATIONS
2.1. DIRECTV is disclosing Personal Information to Supplier solely for the limited and specific purposes, including business purposes, described in the Agreement and this DPA. Supplier must treat as confidential in accordance with the Agreement all Personal Information it processes on behalf of DIRECTV, whether provided by DIRECTV to Supplier or accessed or collected on DIRECTV’s behalf by Supplier, unless instructed otherwise in writing by DIRECTV.
2.2. Supplier must, in performing its duties under this DPA, at a minimum and without limiting any more stringent obligations in the Agreement, comply with all obligations set forth in, provide the same or better level of privacy protections for Personal Information required by, and not use or disclose any Personal Information in violation of any restrictions in the Agreement, this DPA, or applicable Law. Supplier represents and warrants that as of the effective date of this DPA and continuously throughout its term, Supplier has obtained and will maintain all permissions, authorizations, and consents required by the Agreement and all applicable Laws.
2.3. Supplier will notify DIRECTV promptly and in any event within five (5) business days of receipt of any requests from individuals regarding access, correction, erasure, restriction, portability, objections to use, opting out of sale, sharing, or targeted advertising, and consent withdrawals that relate to Personal Information (each, a “Consumer Rights Request”). Notices required or permitted by this DPA shall be provided pursuant to the notice requirements in the Agreement.
2.4. Supplier will promptly comply with such Consumer Rights Requests in accordance with applicable Law, the Agreement, and this DPA. Where Supplier is acting as a service provider, contractor, or processor under applicable Law, Supplier will process a Consumer Rights Request in accordance with Section 4.1 and, with respect to DIRECTV Data, DIRECTV’s lawful instructions.
2.5. Without limiting Section 2.4, upon either party’s request, the parties shall cooperate and agree upon a process to ensure that individuals’ lawful opt-out requests related to Personal Information (e.g., Do Not Sell or Share requests, delete requests, or requests to opt out of targeted advertising) are reliably relayed to each other to the extent reasonably necessary for each party to comply with Laws. A party shall not provide the other party with access, or send or disclose to the other party, any Personal Information of an individual who (i) has not granted consent in any case where such consent is required by Laws, including, if applicable, for any processing of sensitive personal information; or (ii) at the time such individual’s opt-out request is required to have been processed by the sending party under Laws, is an individual that lawfully opted out of, or that withdrew consent for, the processing, sale or sharing of such individual’s Personal Information.
2.6. Supplier will notify DIRECTV promptly and in any event within five (5) business days of receipt of any notices, requests for information, or orders from data protection authorities that relate to DIRECTV Data.
2.7. Consistent with Section 8 (Cooperation, Impact Assessments and Audits), Supplier agrees that DIRECTV has the right to ensure that Supplier uses and processes the Personal Information received from or on behalf of DIRECTV in a manner consistent with DIRECTV’s obligations under applicable Law.
2.8. Supplier will promptly notify DIRECTV if it becomes aware of any violation of this DPA or determines that it can no longer fulfill its obligations under this DPA or any Law, and in any event within five (5) business days of becoming aware of such violation or making such determination.
2.9. Unless Supplier has obtained DIRECTV’s prior written consent in each instance, Supplier shall not use or otherwise process DIRECTV Data to: (i) train, teach, tune, or provide feedback to Supplier’s algorithms or any AI model through machine learning techniques or AI, for any purpose; or (ii) create any derivative work or product for the benefit of Supplier or any other party. Supplier shall not sell, share, or disclose to Subprocessors or third parties (including subcontractors), or otherwise process, DIRECTV Data (including prompts) for the purpose of developing, training, tuning, evaluating, providing feedback to, or improving any AI model or AI system. Supplier shall obtain written contractual obligations from its Subprocessors and third parties (including subcontractors) that are sufficient to ensure their compliance with the obligations set forth in this Section 2.9. As used in this DPA, the terms “Artificial Intelligence,” “AI,” “AI model,” and “AI system” have the meanings ascribed to them by the National Institute of Standards and Technology (“NIST”), including in NIST’s Artificial Intelligence Risk Management Framework (AI RMF 1.0) (January 2023) and its Generative AI Profile (NIST AI 600-1) (July 2024), each as amended or updated from time to time.
2.10. Any AI included in or used by the Services (and DIRECTV’s use thereof) is subject to the terms of this DPA and the Agreement. Supplier shall independently validate all AI for accuracy and compliance with applicable Law prior to using the AI in the performance of the Services. Supplier represents and warrants that: (i) it has implemented and will maintain a robust AI governance program that ensures that all AI systems and AI models are subject to human oversight by qualified personnel; and (ii) it will provide all notices and disclosures and implement and maintain all risk management programs and impact assessments as required by Law. Supplier shall periodically, but no less than annually, test all AI for risks of harm, including but not limited to discrimination, bias, plagiarism, inaccurate or misleading information, infringement or misappropriation, breach of confidentiality, or relating to data protection and privacy. All testing shall comply with requirements under Law.
3. ROLE-SPECIFIC OBLIGATIONS
3.1. The parties acknowledge and agree that, depending upon the nature of Supplier’s processing of Personal Information under the Agreement, Supplier may meet all or any combination of the role definitions set forth in Sections 3.2 and 3.3 below, and thus the Supplier obligations in both Sections 3.2 and 3.3 may apply. If applicable, Supplier’s obligations in Sections 3.2 and 3.3 are in addition to its obligations in Section 2 (General Supplier Obligations).
3.2. If Supplier is a “third party” as defined in CCPA or is not a “processor” as defined in other Laws, then the following obligations shall also apply:
3.2.1 For purposes of this DPA and the Agreement, the parties acknowledge that: (i) under the CCPA, Supplier is a “third party” and DIRECTV is a “business” as those terms are defined and interpreted under the CCPA; and (ii) under other applicable privacy Laws, each party is an independent “controller.” Each party may process Personal Information solely as permitted by applicable Law for the specific and limited purposes set forth in the Agreement and this DPA. For the avoidance of doubt, Supplier’s right to process Personal Information for purposes permitted by applicable Law, when such Personal Information is received from or made available by DIRECTV or collected under DIRECTV’s authorization, remains subject to all obligations and restrictions in the Agreement and this DPA applicable to Supplier’s processing of such Personal Information.
3.2.2 DIRECTV may require Supplier to provide DIRECTV with Supplier’s written attestation of compliance with the CCPA and other applicable privacy Laws regarding Supplier’s processing of Personal Information as a third party or independent controller.
3.2.3 DIRECTV may, including in response to a notice from Supplier under Section 2.8 of the DPA, and upon written notice given reasonably in advance considering the circumstances, take reasonable and appropriate steps to ensure that Supplier uses the Personal Information that it received from, or processed on behalf of, DIRECTV, in a manner consistent with DIRECTV’s obligations as a business under the CCPA or as a controller under other applicable privacy Laws, and/or to stop and remediate the unauthorized use of Personal Information by Supplier.
3.3. If Supplier is a “service provider” or “contractor” as each is defined in CCPA, or a “processor” as defined in other Laws, then the following obligations shall apply in addition to Supplier’s obligations in Section 3.2:
3.3.1 Supplier shall not: (i) sell or share Personal Information, as the terms “sell” and “share” are defined in any applicable Law; (ii) process an individual’s Personal Information for any purpose other than the specific purpose of performing the Services or pursuant to the directions of DIRECTV; (iii) process Personal Information outside of the direct business relationship between Supplier and DIRECTV; or (iv) combine Personal Information that Supplier receives from, or on behalf of, DIRECTV with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with an individual person, for any purpose other than the specific purpose of performing the Services or otherwise pursuant to the directions of DIRECTV. The foregoing obligations and restrictions do not apply to the extent that performing them would violate any applicable Law.
3.3.2 Supplier certifies that it understands and will comply with these obligations and restrictions.
4. CONSUMER RIGHTS REQUESTS
4.1. If Supplier is a “service provider” or “contractor” as each is defined in CCPA, or a “processor” as defined in other Laws, then the following obligations shall apply:
4.1.1 If DIRECTV receives a Consumer Rights Request for which Supplier has an obligation to comply by Law or this DPA, DIRECTV will inform Supplier of such Consumer Rights Request and any related processing instructions that DIRECTV reasonably deems necessary for DIRECTV to respond to such Consumer Rights Request.
4.1.2 If Supplier receives a Consumer Rights Request that relates to Personal Information subject to this DPA, then, unless expressly authorized by DIRECTV or required by Law, Supplier will not respond to a Consumer Rights Request, except to acknowledge its receipt. Upon request, Supplier will promptly provide to DIRECTV all information necessary to enable DIRECTV to respond to Consumer Rights Requests and any notices, requests for information, or orders from data protection authorities received by Supplier or DIRECTV that relate to Personal Information.
4.2. Supplier will process Consumer Rights Requests in accordance with applicable Law and this DPA. Supplier agrees that DIRECTV has the right, subject to any requirements of applicable Law but otherwise in its sole discretion, to require Supplier at any time to (i) provide to DIRECTV all Personal Information in Supplier’s possession; and (ii) delete all Personal Information in Supplier’s possession that is no longer required for the performance of the Services. Supplier shall respond to such requests promptly and without unreasonable delay; provided that, where any Law pertaining to Consumer Rights Requests requires DIRECTV to respond by a specified deadline, Supplier shall comply with its obligations under this Section no later than five (5) business days before that deadline.
4.3. Supplier must maintain complete and accurate records relating to its compliance with each Consumer Rights Request (which records must not include data required to be deleted pursuant to Law) and provide access at all reasonable times to the records.
4.4. Supplier will, at DIRECTV’s option, return or destroy the Personal Information upon expiration or termination of the Agreement, subject to any retention obligations specified in the Agreement or by applicable Laws. If Supplier is required by Law to retain information that is subject to a Consumer Rights Request or determines it must retain information to provide the Services specified in the Agreement, it will so advise DIRECTV in writing within twenty (20) calendar days, and DIRECTV will provide further direction.
4.5. Upon request, Supplier shall provide written confirmation to DIRECTV of its compliance with its obligations under this Section 4.
5. US-ONLY PROCESSING
5.1. Supplier shall ensure that no Personal Information is physically or logically transferred to, accessed by, or otherwise processed by its employees, agents, personnel, representatives, consultants, subcontractors, or other third parties in any country other than the United States, unless expressly agreed to in writing by DIRECTV. In the event Supplier discovers or reasonably believes that any Personal Information has been or is being transferred to, accessed from, or otherwise processed in any country other than the United States, Supplier shall provide prompt written notice of such activity to DIRECTV (which shall be provided no later than forty-eight (48) hours after the discovery of such activity).
6. INFORMATION SECURITY
6.1. Without limiting Supplier’s information security obligations in the Agreement, Supplier will implement and maintain appropriate technical and organizational information security measures, including tools, policies, procedures, and practices appropriate to the nature, scope, context, and risks of the Personal Information it processes, to protect Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. Any failure by Supplier to comply with Supplier’s information security obligations in the Agreement and any processing by Supplier that results in unauthorized access to or disclosure or use of Personal Information shall be a material breach of this DPA and shall be a security incident (which includes terms such as “security breach” and similar terms under the Agreement) for purposes of the Agreement.
7. CONTRACTS WITH SUBPROCESSORS AND THIRD PARTIES
7.1. Prior to engaging a Subprocessor to perform any aspect of Supplier’s rights or obligations under the Agreement where such engagement involves the processing of Personal Information, Supplier will provide DIRECTV with at least thirty (30) days’ prior written notice identifying the name of such Subprocessor, the location of such Subprocessor’s processing activities, and the nature of the processing and categories of Personal Information subject to processing by the Subprocessor. DIRECTV may object to any such engagement within fifteen (15) days of receiving such notice, and the parties shall cooperate in good faith to resolve such objection; provided that if the parties cannot resolve such objection within thirty (30) days, DIRECTV may terminate the affected Services upon written notice setting forth reasonable grounds for such objection. Supplier shall obtain the Subprocessor’s written agreement to comply with Personal Information protection obligations that are consistent with the Law, the Agreement, and this DPA. Supplier will remain fully liable to DIRECTV for the performance of its Subprocessor’s obligations under this DPA.
7.2. Prior to engaging a Subprocessor in accordance with this DPA, Supplier shall conduct one or more Personal Information security and privacy compliance assessments of the Subprocessor to ensure that the Subprocessor will meet the Personal Information protection and security requirements under the Agreement, this DPA, and Laws. Supplier shall accurately record and store information in relation to engaging Subprocessors, including all Personal Information security assessment documents, and shall provide the same to DIRECTV upon request. Upon request, Supplier will fully cooperate in the prompt completion of assessments or audits related to Supplier’s or Supplier’s Subprocessors’ access, use, storage, and/or other processing of Personal Information.
7.3. Where DIRECTV is required under Law to obtain the consent of any individual prior to disclosing (or granting DIRECTV’s consent to disclose) Personal Information to a third party (including any Subprocessor), then upon DIRECTV’s request, Supplier shall provide DIRECTV with all such relevant information as may be under Supplier’s control or otherwise available to Supplier to facilitate DIRECTV’s collection of such consent.
8. COOPERATION, IMPACT ASSESSMENTS AND AUDITS
8.1. Upon DIRECTV’s request and taking into account the nature of the applicable processing, to the extent such information is available to Supplier, Supplier will assist DIRECTV in fulfilling its obligations under Laws to carry out a privacy impact or similar risk assessment related to DIRECTV’s use of the Services, including, if required by Laws, by assisting DIRECTV in consultations with law enforcement or relevant government authorities.
8.2. Supplier will keep records of its processing in compliance with Law and as necessary to demonstrate its compliance with this DPA. Upon DIRECTV’s request, Supplier shall make available to DIRECTV any records reasonably necessary to demonstrate compliance with Supplier’s obligations under Laws and this DPA.
8.3. Audits.
8.3.1 Supplier will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to DIRECTV upon DIRECTV’s written request at reasonable intervals (subject to confidentiality obligations). DIRECTV may share a copy of Audit Reports with relevant government authorities as required by Law or upon their request.
8.3.2 Subject to the terms of this Section 8.3, DIRECTV has the right, at DIRECTV’s expense, to conduct an audit of reasonable scope and duration pursuant to a mutually agreed-upon audit plan with Supplier that is consistent with the Audit Parameters (an “Audit”). DIRECTV may exercise its Audit right: (i) to the extent Supplier’s provision of an Audit Report does not provide sufficient information for DIRECTV to verify Supplier’s compliance with this DPA or the parties’ compliance with Laws; (ii) as necessary for DIRECTV to respond to a request by law enforcement or government authority related to Personal Information subject to this DPA; (iii) in connection with a Security Incident; or (iv) where DIRECTV has reasonable grounds to believe Supplier is not complying with its obligations under this DPA.
8.3.3 Each Audit must conform to the following parameters (“Audit Parameters”): (i) be conducted by, at DIRECTV’s discretion, qualified DIRECTV personnel or an independent third party subject to reasonable confidentiality obligations to Supplier; (ii) be limited in scope to matters reasonably required for DIRECTV to assess Supplier’s compliance with this DPA and the parties’ compliance with applicable Laws; (iii) occur at a mutually agreed date and time during Supplier’s regular business hours, provided that the parties shall cooperate in good faith to agree upon a date that enables DIRECTV to comply with any applicable legal deadlines, and if the parties are unable to agree upon such a date within ten (10) business days of DIRECTV’s written request, DIRECTV may set a reasonable date on reasonable written notice to Supplier; (iv) occur no more than once annually, unless required by applicable Laws or in connection with a Security Incident or Supplier breach of this DPA; (v) restrict findings to Personal Information only; and (vi) treat any results as confidential information to the fullest extent permitted by Laws.
8.4. For any disclosure or transfer of Personal Information that involves Supplier, Supplier shall take reasonable and appropriate steps to help DIRECTV (i) ensure the recipient uses the transferred Personal Information in a manner consistent with any Law that applies to such disclosure or transfer, and (ii) stop and remediate any unauthorized use of Personal Information after receiving notice that the recipient has not met or can no longer meet its obligations under any Law that applies to the recipient’s processing of the Personal Information.
8.5. Notwithstanding anything in this DPA to the contrary, if and to the extent required by any Law or judicial or law enforcement order or demand, DIRECTV may disclose Supplier’s name and any related information about Supplier and its processing of Personal Information.
9. INDEMNIFICATION
9.1. Any failure by Supplier to comply with this DPA that causes or results in any actual or threatened claims, losses, damages, or regulatory enforcement actions (“Claims”) brought by a third party or regulatory authority against DIRECTV shall be subject to Supplier’s indemnification obligations as set forth in the Agreement. For purposes of such indemnification obligations: (i) Claims arising under this DPA shall be subject to any exceptions to any disclaimer of damages, cap on liability, or other limitation of liability set forth in the Agreement; and (ii) Claims arising under this DPA shall be included among the categories of claims to which the highest cap on liability set forth in the Agreement applies.