Remitly Data Protection Addendum

This data protection addendum ("DPA") is effective as of November 15, 2022 and applies to any agreement between Remitly (the specific Remitly entity may be Remitly Europe Ltd, Remitly UK Ltd, Remitly Inc., Remitly DIFC Ltd, Remitly NZ Ltd, Remitly Brasil Instituição De Pagamento Ltda) where Remitly is a data controller and you or your company is a data processor. Each such agreement is referred to below as a Main Agreement.

This DPA is an implementation of the oneDPA, a crowdsourced, standardised DPA created and maintained by a group of lawyers from some of the world's leading law firms and in-house teams to collaboratively create a standard DPA. More information on oneDPA is available here: https://www.claustack.com/category/onedpa.

By signing a Main Agreement, you and Remitly are also deemed to have executed this DPA and any required Transfer Mechanism.

Variables

Parties' relationship: Remitly is a Controller and a Business and you are a Processor and a Service Provider. In some circumstances, Remitly may be a Processor, in which case Remitly appoints you as its Sub-processor, which shall not change the obligations of either Remitly or you under this DPA.

Parties' roles

| Data Subject Status | Data flow | Data Exporter Entity Details | In this DPA, "Remitly" means and signatory is |
| --- | --- | --- | --- |
| If the data subject is in the United Kingdom ("UK Data Flow"): | Remitly UK Ltd (controller or data exporter) to Vendor (processor or data importer) and Remitly, Inc. (processor) | Remitly UK Ltd - 90 Whitfield Street, London W1T 4EZ | Remitly UK Ltd |
| If the data subject is in Europe ("Europe Data Flow"): | Remitly Europe Ltd (controller or data exporter) to Remitly Inc (processor) to Vendor (sub-processor or data importer) | Remitly Europe Ltd - Ground Floor, 1 Albert Quay, Ballintemple, Cork, T12 X8N6, Ireland. | Remitly, Inc |
| If the data subject is in the DIFC ("DIFC Data Flow"): | Remitly DIFC Ltd (controller or data exporter) to Vendor (processor or data importer) and Remitly, Inc. (processor) | Remitly DIFC Ltd | Remitly DIFC Ltd |
| If the data subject is in New Zealand ("NZ Data Flow"): | Remitly NZ Ltd (controller or data exporter) to Vendor (processor or data importer) and Remitly, Inc. (processor) | Remitly NZ Ltd | Remitly NZ Ltd |
| If the data subject is in Brazil ("Brazil Data Flow"): | Remitly Brasil Ltda Ltd (controller or data exporter) to Vendor (processor or data importer) and Remitly, Inc. (processor) | Remitly Brasil Instituição De Pagamento Ltda - Av Paulista, 1374 Andar 11 E 12 Esp 12a124 Bela Vista Sao Paulo, Brazil Cep: 01310-916 | Remitly Brasil Instituição De Pagamento Ltda (“Remitly Brasil”) |
Contacts:

- Remitly: Name: Head of Privacy; Email: privacy@remitly.com
- Processor: The name and email address specified in the Main Agreement for data protection contracts or other legal notices.

Main Agreement: The agreement between the parties that expressly incorporates this DPA

Term: This DPA will commence on the final date of signature of the Main Agreement and will expire upon the later of the date that the last surviving term of the Main Agreement expires, or the latest date required to comply with Data Protection Laws.

Breach Notification Period: Without undue delay after becoming aware of a personal data breach

Sub-processor Notification Period: A reasonable timeframe before the new sub-processor is granted access to Personal Data

Liability Cap: The liability provisions contained within the Agreement shall not apply to this DPA

Governing Law and Jurisdiction: The Europe Data Flow will be governed by the laws of the Republic of Ireland with jurisdiction in the courts of Ireland. The UK Data Flow will be governed by the laws of England and Wales with jurisdiction in the courts of England and Wales. The UAE Data Flow will be governed by the laws and regulations of the DIFC with jurisdiction in the courts of the DIFC. The NZ Data Flow will be governed by the laws and regulations of New Zealand. The Brazil Data Flow will be governed by the laws and regulations of Brazil with jurisdiction in the courts of Sao Paulo. Otherwise, the governing law and jurisdiction for this DPA will be the same as in the main agreement.

Data Protection Laws: All laws, regulations and court orders which apply to the processing of Personal Data in the European Economic Area (EEA), the United Kingdom (UK), the United States (US), New Zealand, Australia, Brazil and the Dubai International Financial Centre (DIFC). This includes, but is not limited to, the European Union Regulation (EU) 2016/679, the Data Protection Act 2018, California Consumer Privacy Act of 2018 (CCPA)/California Privacy Rights Act of 2020 (CPRA), the Privacy Act 2020, the Privacy Act 1998, and the Brazilian General Data Protection Law (LGPD), each as amended or superseded from time to time.

Services related to processing: As described in the Main Agreement

Duration of processing: For the Term of the Main Agreement

Nature and purpose of processing: As described in the Main Agreement

Personal Data: The types of personal data processed are as described in the Main Agreement

Data subjects: The individuals whose Personal Data will be processed are as described in the Main Agreement

Special provisions: As set forth and designated in the Main Agreement

Transfer Mechanism: For the Europe Data Flow, the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country. Where Remitly acts as a Controller and you act as Remitly's Processor with respect to the Personal Data subject to the EU SCCs, its Module 2 applies. Where Remitly acts as a processor and you act as Remitly's Sub-processor with respect to the Personal Data subject to the EU SCCs, its Module 3 applies. For the UK Data Flow, the International Data Transfer Addendum issued by the Information Commissioner's Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022 applies. For the DIFC Data Flow, the DIFC Standard Contractual Clauses, for the transfer of personal data from the DIFC to a third-party country applies. For the NZ Data Flow, the NZ Model Contract Clauses applies. For the Brazil Data Flow, where Remitly acts as the Controller and you act as a Processor, Module 2 of the EU SCCs applies until the ANPD approves its version of the SCCs. In each case, as they may be amended or superseded.

ANNEX 1

Security measures. Technical and organisational measures to ensure the security of Personal Data: As listed in the Coupa Risk Assessment Questionnaire

ANNEX 2

Sub-processors. Current sub-processors: As listed in the Coupa Risk Assessment Questionnaire

TERMS

1. What is this agreement about?

1.1 Purpose. The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data (as defined above).

1.2 (a) Definitions. Under this DPA:

  • Adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data,
  • Controller, data subject, personal data breach, process/processing, processor, and supervisory authority have the same meanings as in the Data Protection Laws,
  • Business and Service Provider have the same meanings as in the CCPA/CPRA, and
  • Sub-Processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.

1.2 (b) Any equivalent statutory definitions dealing with the subject matter are incorporated herein as if they were a part of this DPA, and as those are amended from time to time.

2. What are each party's obligations?

2.1 Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Processor to process Personal Data.

2.2 Processor obligations. To the extent that there are any Sub-Processors, Processor instructs Sub-Processor to process Personal Data in accordance with this DPA, and is responsible for sharing Controller's instructions with Sub-Processor prior to the processing of Personal Data.

2.3 Processor/Sub-Processor obligations. Processor/Sub-Processor will:

- (a) only process Personal Data in accordance with this DPA and Controller's and Processor's instructions (unless legally required to do otherwise),
- (b) not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement,
- (c) inform Controller/Processor immediately if (in its opinion) any instructions infringe Data Protection Laws,
- (d) use the technical and organisational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved,
- (e) notify Controller/Processor of a personal data breach within the Breach Notification Period and provide assistance to Controller/Processor as required under Data Protection Laws in responding to it,
- (f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,
- (g) without undue delay, provide Controller/Processor with reasonable assistance with:
    - (i) data protection impact assessments,
    - (ii) responses to data subjects' requests to exercise their rights under Data Protection Laws, and
    - (iii) engagement with supervisory authorities,
- (h) if requested, provide Controller/Processor with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
- (i) allow for audits at Controller/Processor's reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach, and
- (j) return Personal Data upon Controller/Processor's written request or delete Personal Data by the end of the Term, unless retention is legally required.

2.4. Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

3. Sub-processing

3.1 Use of Sub-Processors. Controller/Processor authorises Processor/Sub-Processor to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor/Sub-Processor's existing sub-processors are listed in Annex 2.

3.2 Sub-processor requirements. Processor/Sub-Processor will:

- (a) require its sub-processors to comply with equivalent terms as Processor/Sub-Processor's obligations in this DPA,
- (b) ensure appropriate safeguards are in place before internationally transferring Personal Data to its Sub-Processor, and
- (c) be liable for any acts, errors or omissions of its Sub-Processors as if they were a party to this DPA.

3.3 Approvals. Processor/Sub-Processor may appoint new sub-processors provided that they notify Controller/Processor in writing in accordance with the Sub-processor Notification Period.

3.4 Objections. Controller/Processor may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.

4. International personal data transfers

4.1 Instructions. Processor/Sub-Processor will transfer Personal Data outside the UK, the EEA, Brazil, DIFC, New Zealand, or an adequate country (as defined by the applicable data protection authority) only on documented instructions from Controller/Processor, unless otherwise required by law.

4.2 Transfer mechanism. Where a party is located outside the UK, the EEA, Brazil, DIFC, New Zealand, or an adequate country and receives Personal Data:

- (a) that party will act as the data importer,
- (b) the other party is the data exporter, and
- (c) the relevant Transfer Mechanism will apply.

4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.

4.4 Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):

- (a) challenge the request and promptly notify the data exporter about it, and
- (b) only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

5. Other important information

5.1 Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.

5.2 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:

- (a) Transfer Mechanism,
- (b) DPA,
- (c) Main Agreement.

5.3 Notices. Formal notices under this DPA must be in writing and sent to the Contact on the DPA's front as may be updated by a party to the other in writing.

5.4 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.

5.5 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.

5.6 Amendments. Any amendments to this DPA must be agreed in writing.

5.7 Assignment. Neither party can assign this DPA to anyone else without the other party's consent.

5.8 Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.

5.9. Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.