1. Application

These Data Sharing Terms (“DST”) apply to the Processing of Personal Data shared

between us whenever this DST is incorporated by reference into another agreement

between us (such as an Order Form, our Growth Product Terms, or Developer Terms).

The DST contains the rules applicable to our relationship as Independent Controllers and

the transfer of Personal Data, along with additional rules about the transfer of data outside

of the European Union (“EU”), European Economic Area (“EEA”) and United Kingdom

(“UK”), as may be applicable. Each of us must Process Personal Data on the terms set out

in this DST. The specific details of each data transfer, as required by the Standard

Contractual Clauses(“SCCs”), are set out in the applicable Specification within Annexure I.

2. Precedence

The DST supplements the European Standard Contractual Clauses (“SCC”) and the UK

International Data Transfer Addendum (“IDTA”), in accordance with Annexure I, where both

Parties act as Independent Controllers (as defined below). In case of inconsistency

between the terms of this DST and the SCC and/or the IDTA, the SCC and/or IDTA will apply

to the extent of the inconsistency.

3. Independent controllership

While our relationship does not constitute (including for the purposes of the GDPR) either a

Joint Controller relationship or a Data Controller to Data Processor relationship, the Parties

still wish to detail the nature of the Processing operation. Our relationship (including for the

purposes of the GDPR) is that of two distinct Controllers, each determining independently

the purposes and means of the respective Processing with each of us being an

“Independent Controller”.

4. Cross border data transfers

Each of us agrees that Applicable Data Protection Laws may require that additional

measures be taken to secure transfers of Personal Data outside the country or region from

which we originate. In such a case, we will help each other in implementing these

additional measures. To that extent:

• For transfers from the EEA: this DST is intended to supplement the SCC, which are

incorporated by reference in accordance with its Module 1 – Data Controller to Data

Controller, and provide the details for the relevant appendix in Annexures I and II to

this DST.

• For transfers from the UK: the acceptance of these terms is deemed acceptance

and execution of the IDTA to the SCC as issued by the UK Information

Commissioner’s OXice, which is incorporated by reference.

4.1 Security of Processing

Clause 8.5(c) of the SCC is supplemented as follows:

“and have received suXicient training on data protection compliance”.

Clause 8.5(d) of the SCC is supplemented as follows:

“Data Importer shall promptly following discovery or notice of such Personal Data Breach,

at its own costs and expenses, take (i) corrective action to mitigate any risks or damages

involved with such Personal Data Breach and to protect Data Exporter Personal Data from

any further use and/or access, (ii) investigate, evidence and document such Personal Data

Breach, in particular its context, date of occurrence, type, extent and data involved, as well

as any elements pertaining to the diagnosis of the origin or the occurrence of such Personal

Data Breach, and the direct and indirect consequences of this Personal Data Breach, and

provide Data Exporter with such evidence and documents, and (iii) any other actions that

may be required by Applicable Data Protection Laws as a result of such Personal Data

Breach, subject to Data Exporter’s prior written approval.”

Clause 8.5(h) of the SCC is added as follows:

“In any case, on becoming aware of any suspected or actual Personal Data Breach, the

Data Importer shall notify the Data Exporter without undue delay and in any case within

twenty-four (24) hours after having become aware of the suspected or actual Personal Data

Breach”

4.2 Data Subject Rights

Clause 10 of the SCC is supplemented as follows:

Data Importer shall not respond to that request itself unless it has been authorised to do so

by the Data Exporter or to confirm that such request has been duly forwarded to Data

Exporter upon doing so.

4.3 Cooperation

The Data Importer will be responsible for all costs of cooperation and assistance by Data

Importer to Data Exporter to enable Data Exporter to comply with its obligations under

GDPR under clauses 8.6(d), 8.9(c) and 10 of the SCC.

4.4 Liability

Clause 12 of the SCC is supplemented as follows:Each party shall be liable to the other

party/ies for any damages it, its staX or its authorized sub-Processors, causes the other

party/ies by any breach of these Clauses and/or any data protection laws, including, but

not limited to, loss of profits, reputation, image or business opportunity, and reasonable

attorney's fees, subject to the limitation of liability set out in the General Terms.

4.5 EIective Date

The SCC and/or the IDTA shall come into force on the date you accept these terms or the

first transfer of the Personal Data from the Data Exporter to the Data Importer, whichever

the earlier. It shall be automatically terminated when our relationship terminates or expires

for any reason (although any relevant provisions will survive for as long as Personal Data

related to a party is retrained by the other party).

4.6 - Supervision

While the Data Exporter is not established in EEA, option 3 of Clause 13 of the SCC – (“The

supervisory authority of one of the Member States in which the data subjects whose

personal data is transferred under these Clauses in relation to the o;ering of goods or

services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C,

shall act as competent supervisory authority”) will apply.

4.7 Duration and consequence of termination

Clause 16 is supplemented as follows:

“Upon expiration or termination for whatever reason of these Clauses or the DST:The Data

Importer shall inquire from the Data Exporter about the Data Exporter’s intention with

regard to the Personal Data at least fifteen (15) days prior to the eXective termination of

these Clauses or the DST. Further to this inquiry, where the Data Exporter inform the Data

Importer of its intention to retrieve Personal Data, the Data Importer shall retrieve all

Personal Data and make them available to the Data Exporter under a commonly used

electronic format within fifteen (15) days from eXective termination or expirationFurther to

such provision, or if Data Exporter has not instructed Data Importer for the retrieval of

Personal Data prior to the eXective expiration or termination of these Clauses or the DST,

Data Importer shall delete all Personal Data on its systems (without prejudice to any

backup archives) unless otherwise instructed by Data Exporter prior to the eXective date of

termination. Data Importer shall cooperate reasonably and in a timely manner with the

eXorts by Data Exporter, or any other party acting on Data Exporter’s behalf, to provide for

an orderly transition of the Processing to Data Exporter or another service provider.

Notwithstanding anything to the contrary, Data Importer may retain one copy of the

Personal Data only for as long as there exists a legal requirement to do but in compliance

with Applicable Data Protection Laws and subject to the provision of these Clauses.”

4.8 Governing law

Despite anything to the contrary in the General Terms, the Data Exporter not being

established in the EEA, the governing law for data processing operations subject to the EU

GDPR will be France. For data processing operations subject to the UK GDPR, the governing

law shall be that of England and Wales.

4.9 Choice of forum and jurisdiction

The Data Exporter not being established in the EEA, the courts of France have been elected

as competent jurisdiction in the occurrence of any dispute between the Parties relating to

the SCC. For data processing operations subject to the UK GDPR, the courts of London

shall have exclusive jurisdiction over any dispute arising out of the IDTA.

4.10 Options

Optional language contained in clause 7 (“Docketing Clause”) and the second paragraph of

clause 11 (“Redress”) of the SCC are waived.

5. Definitions

The terms “Personal Data”, “Data Subject”, “Controller”, “Personal Data Breach”,

“Processing”, “Processor” and “Supervisory Authority” shall have the meaning as

defined in Article 4 GDPR. Any terms not defined in this DST have the meanings given in the

Applicable Data Protection Laws.

Applicable Data Protection Law means: (i) the EU General Data Protection Regulation

2016/679 (“EU GDPR”) and any implementing local law; (ii) the e-Privacy Directive

2002/58/EC (“ePrivacy Directive”); (iii) the United Kingdom Data Protection Act (“UK

GDPR”; and, together with the EU GDPR referred as “GDPR” for as long as they remain

substantially similar); and (iv) any equivalent legislation in any jurisdiction in which we are

established, or subject to specific data protection laws.

Annexure I to Data Sharing Terms

This Annexure I is intended to supplement the relevant Annexure of the SCC and / or IDTA

(as applicable).

Data Transfer Specifications

The specific details of the data transfer applicable to the services you have subscribed to

are set out in the relevant Specification below.

Specification A: Passport Integration Data

This specification applies if you have integrated Immutable Passport into your Application.

A. LIST OF PARTIES

Data importer(s):

Name: you, the Developer.

Address: the address details attributed to you, the Developer who agrees to the Developer

Terms or any other protocol licence agreement with Immutable.

Contact person’s name, position and contact details: the contact details attributed to the

authorised representative who is capable of agreeing to the Developer Terms or any other

protocol licence agreement with Immutable on behalf of you, the Developer.

Activities relevant to the data transferred under these Clauses: Passport account creation

and management

Role: Controller/Data Importer

Data exporter(s):

Name: Immutable zk Pty Ltd.

Address: cÄo Bacchus Associates (Pratten Park) Pty Ltd, 56 Bowman Street, 2009 Pyrmont

Australia

Contact person’s name, position and contact details: Alice Dillon, Head of Legal, Risk and

Compliance; alice.dillon@immutable.com

Activities relevant to the data transferred under these Clauses: Passport account creation

and management

Role: Controller/Data Exporter

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

• Users or prospective users of the Passport product are the Data Subjects involved.

Categories of Personal Data transferred

• Non-sensitive Personal Data only will be transferred, such as the user's email,

social media handle name and/or wallet addresses.

The frequency of the transfer (e.g. whether the Personal Data is transferred on a oneo

> or continuous basis)

• Continuous

Nature of the Processing

• We collect relevant Personal Data through direct interactions with users e.g. when

users create a Passport account. Detailed descriptions of how we process and use

Personal Data are included in our Privacy Policy.

Purpose(s) of the Personal Data transfer and further Processing

• Transfer of the relevant Personal Data is required to enable the operation of the

Passport authorisation tool and associated account creation and management

functions.

The period for which the Personal Data will be retained, or, if that is not possible, the

criteria used to determine that period

• Personal Data retention to be aligned to each organisation’s privacy policy. It will

only be retained for as long as necessary to fulfil the purposes we collected it for.

Specification B: Growth Product – Wishlist Marketing Data

This specification applies if you have subscribed to a Growth Product that includes the

sharing of Personal Data in relation to the provision of those Growth Products.

A. LIST OF PARTIES

Data importer(s):

Name: you, the customer receiving Growth Products.

Address: the address details attributed to you, the customer receiving Growth Products

who agrees to the Growth Product Terms with Immutable.

Contact person’s name, position and contact details: the contact details attributed to the

authorised representative who is capable of agreeing to the Growth Product Terms with

Immutable on behalf of you, the customer receiving Growth Products.

Activities relevant to the data transferred under these Clauses: Receiving and using

Personal Data in relation to the provision of Growth Products.

Role: Controller/Data Importer

Data exporter(s):

Name: Immutable zk Pty Ltd.

Address: cÄo Bacchus Associates (Pratten Park) Pty Ltd, 56 Bowman Street, 2009 Pyrmont

Australia

Contact person’s name, position and contact details: Alice Dillon, Head of Legal, Risk and

Compliance; alice.dillon@immutable.com

Activities relevant to the data transferred under these Clauses: Provision of Personal Data

via the Growth Products.

Role: Controller/Data Exporter

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

● Users of Immutable’s platforms, including Immutable Play.

Categories of Personal Data transferred

● Non-sensitive Personal Data only will be transferred, such as the user's email, social

media handle name and/or wallet addresses.

The frequency of the transfer (e.g. whether the Personal Data is transferred on a oneo

> or continuous basis)

● Continuous

Nature of the Processing

● We collect relevant Personal Data through direct interactions with users on Immutable

Platforms and or via external platforms such as “X”. Detailed descriptions of how we

process and use Personal Data are included in our Privacy Policy.

Purpose(s) of the Personal Data transfer and further Processing

● To allow the Data Importer to gain insights on their end user audiences and

communicate with end users about the Data Importer's Game, including for community

engagement and product updates.

The period for which the Personal Data will be retained, or, if that is not possible, the

criteria used to determine that period

Personal Data retention to be aligned to each organisation’s privacy policy. It will only be

retained for as long as necessary to fulfil the purposes we collected it for.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority is determined to be that of France.

See section 4.6 of the DST.

Annexure II to Data Sharing Terms

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND

ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Data Importer must maintain technical and organisational measures to ensure an

appropriate level of security, taking into account the nature, scope, context and purpose of

the Processing, and the risks for the rights and freedoms of natural persons.

The Data Importer is responsible for engaging appropriate expertise to ensure an

appropriate level of security is maintained. Notwithstanding that, some of the following

measures may be considered as part of an overall data security regime:

• Measures of pseudonymisation and encryption of Personal Data

• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of

Processing systems and services

• Measures for ensuring the ability to restore the availability and access to Personal

Data in a timely manner in the event of a physical or technical incident

• Processes for regularly testing, assessing and evaluating the eXectiveness of

technical and organisational measures in order to ensure the security of the

Processing

• Measures for user identification and authorisation

• Measures for the protection of data during transmission

• Measures for the protection of data during storage

• Measures for ensuring physical security of locations at which Personal Data are

Processed

• Measures for ensuring events logging

• Measures for ensuring system configuration, including default configuration

• Measures for internal IT and IT security governance and management

• Measures for certification/assurance of Processes and products

• Measures for ensuring data minimisation

• Measures for ensuring data quality

• Measures for ensuring limited data retention

• Measures for ensuring accountability

• Measures for allowing data portability and ensuring erasure

Annexure III to Data Sharing Terms

For the purpose of this Annexure III and subject to Personal Data being transferred out of

the UK, the template Addendum issued by the ICO and laid before Parliament in

accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised

under Section 18 is deemed incorporated into the DST by reference, and the Tables set out

in Part 1 shall be deemed completed by the information provided in Annexure I and the

below:

• Table 1 – Exporters and Importers: See Annexure 1-A

• Table 2 – The option selected is option no. 1 “The version of the Approved EU SCCs

which this Addendum is appended to, detailed below, including the Appendix

Information” referred in Appendix 1

• Table 3 –

o Description of the transfers – See Annexures 1-2

o Technical and Organization Measures – See Annexure 2

o List of Sub Processors – Not applicable

• Table 4 – The option selected is option no. 3 “Neither Party”