Data Sharing Terms

1. Application

These Data Sharing Terms (“DST ”) apply to the Processing of Personal Data shared between us whenever this DST is incorporated by reference into another agreement between us (such as an Order Form, our Growth Product Terms, or Developer Terms, each of these, as applicable, referred to as “Main Agreement”). “We” shall mean the Immutable entity identified as your contracting party in the Main Agreement. “You” shall mean the entity entering into the Main Agreement with us.

The DST contains the rules applicable to our relationship as Independent Controllers or Processors (as further explained below) and the respective transfer of Personal Data, along with additional rules about the transfer of data outside of the European Union (“EU ”), European Economic Area (“EEA ”) and United Kingdom (“UK”), as may be applicable. Each of us must Process Personal Data on the terms set out in this DST. The specific details of each data transfer, as required by the Standard Contractual Clauses(“SCCs ”), are set out in the applicable Specification within Annexure I (for data sharing between independent Controllers), Annexure II (for data sharing from us to you where we act as your Processor) and Annexure III (for data sharing from you to us as your Processor).

2. Precedence

The DST supplements the European Standard Contractual Clauses (“SCC ”) and the UK International Data Transfer Addendum (“IDTA ”), in accordance with Annexure I, where both Parties act as Independent Controllers (as defined below) or Annexure II and III, where we act as Processor on your behalf. In case of inconsistency between the terms of this DST and the SCC and/or the IDTA, the SCC and/or IDTA will apply to the extent of the inconsistency.

3. Controller-Controller Relationship

While our relationship does, unless expressly defined otherwise in these DST, not constitute (including for the purposes of the GDPR) either a Joint Controller relationship or a Data Controller to Data Processor relationship, the Parties still wish to detail the nature of the Processing operation. Our relationship (including for the purposes of the GDPR) is that of two distinct Controllers, each determining independently the purposes and means of the respective Processing with each of us being an “Independent Controller ”.

You are solely responsible for using the data received from us in compliance with applicable data protection laws and these DST. Where you intend to use any of the transmitted data to take legal actions against players, you shall in each case conduct an additional manual investigation of the case and not rely solely on the data received from us as the data collected by us can only indicate misconduct of a player but not provide full evidence.

4. Controller-Processor Relationship

In certain specific situations described in Annexure II and III, we may not act as Independent Controller, but rather Process Personal Data on your behalf and instruction, meaning you are the “Controller ” and we are a “Processor ”. In these scenarios, the following applies:

4.1 Data Categories, Data Subjects, means, purposes and duration of Processing are specified in Annexure II and III.

4.2 We will only Process Personal Data only on your documented instructions, unless we are obliged to process Personal Data under applicable law in which case we will notify you accordingly to the extent permitted by law. Your right to instruct us does also include the right to appoint delegates who are entitled to share or receive Personal Data with or from us. You as the Controller must all times ensure that these delegates process any received Personal Data in accordance with Applicable Data Protection Law and that sharing such Personal Data between your delegates and us complies with Applicable Data Protection Laws.

4.3 We will ensure that all our personnel handling the Personal Data are subject to an adequate duty of confidentiality.

4.4 We will implement and maintain throughout the term of Processing adequate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access.

4.5 You give your general approval to enable us to use services of carefully selected sub-processors which are in every case subject to a data processing agreement providing for comparable terms as these DST. In case we intend to onboard a new or replace an existing sub-processor, we will notify you in good time in advance giving you the right to object. Such objection may only be based on documented facts that give rise to justified concerns regarding the ability of the sub-processor to comply with its obligations under Applicable Data Protection Law.

4.6 We will apply adequate technical and organizational measures to support you in complying with data subject requests.

4.7 We will support you in reasonable scope in context of any other of your obligations regarding security of processing, notification of supervisory authorities or data subjects, data protection impact assessments or prior consultations with authorities.

4.8 We will, at your discretion, return or delete all Personal Data we have stored in accordance with your instructions after the term of our Processing services has expired. This does not apply if we are subject to any statutory retention obligations that require retention of your Personal Data.

4.9 Upon request we will provide you with relevant documentation to allow you to assess our compliance with obligations under this Section 4. Where this documentation is not sufficient for a proper assessment, you may request a remote audit to be conducted by you or a professional auditor appointed by you and sworn to secrecy. Such audit requires timely prior notification (at least 30 days) and must be conducted during our regular business hours and may not unnecessarily interfere with our business activities.

5. Cross border data transfers

Each of us agrees that Applicable Data Protection Laws may require that additional measures be taken to secure transfers of Personal Data outside the country or region from which the Personal Data originates. In such a case, we will help each other in implementing these additional measures. To that extent:

● For transfers of Personal Data relating to EEA data subjects from us to you : Where we are subject to EU GDPR in context of collecting Personal Data from EEA data subjects, we need to enter into the SCC with you to the extent you are not established in the EEA. For this scenario, this DST supplements the SCC, which are incorporated by reference in accordance with its Module 1 – Data Controller to Data Controller and Module 4 – Data Processor to Data Controller, and provide the details for the relevant appendix in Annexures I and II to this DST.

● For transfers of Personal Data from you to us : Where you are located in the EEA and need to share Personal Data with us, we need to enter into the SCC. For this scenario, this DST supplements the SCC, which are incorporated by reference on accordance with Module 2 – Data Controller to Data Processor, and provide the details for the relevant appendix in Annexure III to this DST.

● For transfers relating to the UK : In case any of the scenarios mentioned above is subject to UK GDPR, we will need to enter into the IDTA to the SCC. For this scenario, the acceptance of these terms is deemed acceptance and execution of the IDTA to the SCC as issued by the UK Information Commissioner’s Office, which is incorporated by reference in accordance with Annexure V.

5.1 Security of Processing

**** Clause 8.5(c) of the SCC (Module 1) is supplemented as follows:

“and have received sufficient training on data protection compliance”.

Clause 8.5(d) of the SCC (Module 1) is supplemented as follows:

“Data Importer shall promptly following discovery or notice of such Personal Data Breach, at its own costs and expenses, take (i) corrective action to mitigate any risks or damages involved with such Personal Data Breach and to protect Data Exporter Personal Data from any further use and/or access, (ii) investigate, evidence and document such Personal Data Breach, in particular its context, date of occurrence, type, extent and data involved, as well as any elements pertaining to the diagnosis of the origin or the occurrence of such Personal Data Breach, and the direct and indirect consequences of this Personal Data Breach, and provide Data Exporter with such evidence and documents, and (iii) any other actions that may be required by Applicable Data Protection Laws as a result of such Personal Data Breach, subject to Data Exporter’s prior written approval.”

Clause 8.5(h) of the SCC (Module 1) is added as follows:

“In any case, on becoming aware of any suspected or actual Personal Data Breach, the Data Importer shall notify the Data Exporter without undue delay and in any case within twenty-four (24) hours after having become aware of the suspected or actual Personal Data Breach”

5.2 Data Subject Rights

**** Clause 10 of the SCC (Module 1) is supplemented as follows:

Data Importer shall not respond to that request itself unless it has been authorised to do so by the Data Exporter or to confirm that such request has been duly forwarded to Data Exporter upon doing so.

5.3 Cooperation

**** The Data Importer will be responsible for all costs of cooperation and assistance by Data Importer to Data Exporter to enable Data Exporter to comply with its obligations under GDPR where required under the SCC.

5.4 Liability

**** Clause 12 of the SCC (Modules 1, 2 and 4) is supplemented as follows: Each party shall be liable to the other party/ies for any damages it causes the other party/ies by any breach of these Clauses subject to the limitation of liability set out in the Main Agreement.

5.5 Effective Date

**** The SCC and/or the IDTA shall come into force on the date you accept these terms or the first transfer of the Personal Data from the Data Exporter to the Data Importer, whichever the earlier. It shall be automatically terminated when our relationship terminates or expires for any reason (although any relevant provisions will survive for as long as Personal Data related to a party is retrained by the other party).

5.6 Supervision

Where the Data Exporter is established in the EEA, option 1 of Clause 13(a) of the SCC (“ The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority”) will apply.

**** Where the Data Exporter is not established in EEA but otherwise subject to GDPR, option 3 of Clause 13(a) of the SCC (“ The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority ”) will apply.

5.7 Duration and consequence of termination

**** Clause 16 of the SCC (Module 1 and 4) is supplemented as follows:

“Upon expiration or termination for whatever reason of these Clauses or the DST: The Data Importer shall inquire from the Data Exporter about the Data Exporter’s intention with regard to the Personal Data at least fifteen (15) days prior to the effective termination of these Clauses or the DST. Further to this inquiry, where the Data Exporter inform the Data Importer of its intention to retrieve Personal Data, the Data Importer shall retrieve all Personal Data and make them available to the Data Exporter under a commonly used electronic format within fifteen (15) days from effective termination or expiration. Further to such provision, or if Data Exporter has not instructed Data Importer for the retrieval of Personal Data prior to the effective expiration or termination of these Clauses or the DST, Data Importer shall delete all Personal Data on its systems (without prejudice to any backup archives) unless otherwise instructed by Data Exporter prior to the effective date of termination. Data Importer shall cooperate reasonably and in a timely manner with the efforts by Data Exporter, or any other party acting on Data Exporter’s behalf, to provide for an orderly transition of the Processing to Data Exporter or another service provider. Notwithstanding anything to the contrary, Data Importer may retain one copy of the Personal Data only for as long as there exists a legal requirement to do so but in compliance with Applicable Data Protection Laws and subject to the provision of these Clauses.”

5.8 Governing law

Regarding Clause 17 of the SCC (Module 1, 2 and 4) it is agreed that the SCC shall be governed by the laws of an EU member state allowing for third-party beneficiary rights. This law shall be the law of Ireland. Any dispute arising from the SCC shall be resolved by the courts of Ireland.

Where the IDTA to the SCC applies, the governing law shall be that of England and Wales and any dispute arising from the IDTA shall be resolved by the courts of England and Wales.

5.9 Options

**** Optional language contained in clause 7 (“Docketing Clause”) and the second paragraph of clause 11(a) (“Redress”) of the SCC are waived. In clause 9(a) option 2 (general written authorization) is selected.

6. Definitions

The terms “Personal Data ”, “Data Subject ”, “Controller ”, “Personal Data Breach ”, “Processing ”, “Processor ” and “Supervisory Authority ” shall have the meaning as defined in Article 4 GDPR. Any terms not defined in this DST have the meanings given in the Applicable Data Protection Laws.

Applicable Data Protection Law means: (i) the EU General Data Protection Regulation 2016/679 (“EU GDPR ”) and any implementing local law; (ii) the e-Privacy Directive 2002/58/EC (“ePrivacy Directive ”); (iii) the United Kingdom Data Protection Act (“UK GDPR ”; and, together with the EU GDPR referred as “GDPR ” for as long as they remain substantially similar); and (iv) any equivalent legislation in any jurisdiction in which we are established, or subject to specific data protection laws.

Annexure I to Data Sharing Terms

This Annexure I is intended to supplement the relevant Annexure of the SCC and / or IDTA (as applicable) where we act as Independent Controller (Module 1).

**A. LIST OF PARTIES

Data importer(s):

Name: you, as specified in the Main Agreement

Address: the address details attributed to you in the Main Agreement

Contact person’s name, position and contact details: the contact details attributed to the authorised representative who has entered into the Main Agreement on behalf of you.

Activities relevant to the data transferred under these Clauses: Passport account creation and management

Role: Controller/Data Importer

Data exporter(s):

Name: Immutable zk Pty Ltd.

Address: c\o Bacchus Associates (Pratten Park) Pty Ltd, 56 Bowman Street, 2009 Pyrmont Australia

Contact person’s name, position and contact details: Alice Dillon, Head of Legal, Risk and Compliance; alice.dillon@immutable.com

Activities relevant to the data transferred under these Clauses: Passport account creation and management

Role: Controller/Data Exporter

**B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

● Users or prospective users of the Passport product as well as active players of the games of the data importer are the Data Subjects involved.

Categories of Personal Data transferred

● Non-sensitive Personal Data only will be transferred, such as the user's email, social media handle name and/or wallet addresses.

The frequency of the transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis)

● Continuous

Nature of the Processing

● We collect relevant Personal Data through direct interactions with users e.g. when users create a Passport account. Detailed descriptions of how we process and use Personal Data are included in our Privacy Policy.

● The data exporter collects and stores automated data to detect potential fraudulent account creations for online games of the data importer and if a potential fraudulent use case is identified, the relevant data is forwarded to the data importer who stores the data on its systems to further investigate the case and take legal action, if needed.

Purpose(s) of the Personal Data transfer and further Processing

● Transfer of the relevant Personal Data is required to enable the operation of the Passport authorisation tool and associated account creation and management functions.

● The purpose of the processing is to help the data importer identify potential violations of its terms of use and, if necessary, allow the data importer to enforce the terms of use against the violator.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

● Personal Data retention to be aligned to each organisation’s privacy policy. It will only be retained for as long as necessary to fulfil the purposes we collected it for.

Annexure II to Data Sharing Terms

This Annexure II supplements the relevant Annexure of the SCC and / or IDTA (as applicable) where we act as Processor (Module 4).

A. LIST OF PARTIES

Data importer(s):

Name: you, as specified in the Main Agreement

Address: the address details attributed to you in the Main Agreement

Contact person’s name, position and contact details: the contact details attributed to the authorised representative who has entered into the Main Agreement on behalf of you.

Activities relevant to the data transferred under these Clauses: Receiving customer or prospect data from data exporter, analyse this data and reach out to customers and prospects for marketing purposes; and receiving sentiment analysis outputs derived from community Discord data processed by the data exporter on behalf of the data importer.

Role: Controller/Data Importer

Data exporter(s):

Name: Immutable zk Pty Ltd.

Address: c\o Bacchus Associates (Pratten Park) Pty Ltd, 56 Bowman Street, 2009 Pyrmont Australia

Contact person’s name, position and contact details: Alice Dillon, Head of Legal, Risk and Compliance; alice.dillon@immutable.com

Activities relevant to the data transferred under these Clauses: Collect customer/prospect data for data importer to allow data importer to reach out to these customers or prospects for marketing purposes; and transferring sentiment analysis outputs to the data importer following processing of Discord community data on behalf of the data importer.

Role: Processor/Data Exporter

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

● Users of the Immutable platform who wish to engage with data importer and/or play games offered by data importer on the Immutable platform.

● Members of Discord servers or communities operated or managed by the data importer, whose message content has been processed by the data exporter for sentiment analysis purposes on behalf of the data importer.

Categories of Personal Data transferred

● Email addresses, wallet addresses (Immutable zkEVM, Metamask), marketing choices (opt-in/opt-out decisions), Telegram user ID, Discord user ID, Epic Games user ID.

● Sentiment analysis outputs derived from Discord community message content, which may include sentiment scores or classifications linked to Discord user IDs, aggregated trend data, and thematic classifications. Where such outputs have been fully anonymised such that no individual data subject can be identified, they fall outside the scope of this Annexure.

The frequency of the transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis)

● Continuous

Nature of the Processing

● Data exporter operates an online platform (Immutable platform) where game studios (like the data importer) can host online games and make them available to players.

● Data exporter collects certain personal data of potential players who wish to engage with the data importer via the online platform and manages the marketing choices of the players on behalf of the data importer.

● Data of relevant players who have consented to receive marketing information from the data importer will be shared with the data importer.

● Data of players who have completed ‘quests’ (specific activities and milestones related to games) will be shared by the data exporter with the data importer in order to reflect completion statuses and attribute points on the platform.

● Where instructed by the data importer under Annexure III, the data exporter will deploy and operate a Discord bot to process community message data for sentiment analysis purposes. Following completion of that processing, the data exporter will transfer the resulting sentiment analysis outputs to the data importer in its capacity as Controller.

Purpose(s) of the Personal Data transfer and further Processing

● The purposes of the transfer of personal data to the data importer are to: (1) enable the data importer to reach out to the data subjects who have consented for marketing purposes in their own responsibility; and/or (2) enable the data importer to access information shared with the exporter regarding ‘quest’ completions; and/or

(3) enable the data importer to receive sentiment analysis outputs derived from the processing of Discord community data carried out by the data exporter on the data importer's behalf, for the purpose of providing the data importer with insights regarding community engagement, player feedback, and general sentiment trends.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

● The personal data will be retained for the entire period of the processing activities carried out for the data importer under the Main Agreement on a rolling basis (i.e. data of certain data subjects who have opted out may be deleted during the term while new data subjects may be added).

● Sentiment analysis outputs transferred to the data importer under purpose (3) above shall be retained by the data importer only for as long as necessary for the data importer's legitimate business purposes, and in accordance with the data importer's own privacy policy and applicable data retention obligations. The data importer is solely responsible for determining and complying with its own retention obligations in respect of such outputs once received.

C. COMPETENT SUPERVISORY AUTHORITY

● The competent supervisory authority is determined to be that of Ireland .

● See section 5.6 of the DST.

Annexure III to Data Sharing Terms

This Annexure III supplements the relevant Annexure of the SCC and / or IDTA (as applicable) where we act as Processor (Module 2).

A. LIST OF PARTIES

Data exporter(s):

Name: you, as specified in the Main Agreement

Address: the address details attributed to you in the Main Agreement

Contact person’s name, position and contact details: the contact details attributed to the authorised representative who has entered into the Main Agreement on behalf of you.

Activities relevant to the data transferred under these Clauses: Data of relevant players who have completed ‘quests’ (specific activities and milestones related to games) will be shared by the data exporter with the processor in order to reflect completion statuses and attribute points. In addition, the data exporter will share audience data with the data importer to enable the data importer to provide certain audience related marketing services. The data exporter may also instruct the data importer to deploy a Discord bot within Discord servers administered by or on behalf of the data exporter for the purpose of community sentiment analysis.

Role: Controller/Data Exporter

Data importer(s):

Name: Immutable zk Pty Ltd.

Address: c\o Bacchus Associates (Pratten Park) Pty Ltd, 56 Bowman Street, 2009 Pyrmont Australia

Contact person’s name, position and contact details: Alice Dillon, Head of Legal, Risk and Compliance; alice.dillon@immutable.com

Activities relevant to the data transferred under these Clauses: Data importer will process the received data from data exporter in order to reflect completion statuses and attribute points. The data importer will process the audience data received from the data exporter for providing respective marketing services to the data exporter. The data importer will also, where instructed, deploy and operate a Discord bot to process community message data for sentiment analysis purposes on behalf of the data exporter.

Role: Processor/Data Importer

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

● Players of games offered by data exporter on the platform of the data importer who have completed certain ‘quests’.

● Customers of the data exporter who have consented to receive marketing communications from the data exporter

Categories of Personal Data transferred

● Email addresses, wallet addresses (Immutable zkEVM, Metamask), marketing choices (opt-in/opt-out decisions), Telegram user ID, Discord user ID, Epic Games user ID.

● Discord user IDs; message content (text) submitted by users within designated Discord server channels; and derived sentiment scores or classifications generated from such content.

The frequency of the transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis)

● Continuous

Nature of the Processing

● Data exporter operates an online platform (Immutable platform) where game studios (like the data exporter) can host online games and make them available to players.

● Data importer will process the received data from data exporter in order to reflect completion statuses and attribute points.

● The data exporter can share lists of customers (audiences) with the data importer which will be stored, analysed and processed by the data importer on behalf of the data exporter in order to provide service related to such audiences.

● The data exporter may instruct the data importer to deploy and operate a Discord bot within Discord servers administered by or on behalf of the data exporter. The bot will collect message content from designated channels and process that content to generate sentiment analysis outputs (such as aggregated sentiment scores, trend indicators, or thematic classifications) for the benefit of the data exporter. The data importer will process such data solely on the documented instructions of the data exporter and will not use it for its own independent purposes.

Purpose(s) of the Personal Data transfer and further Processing

● The purposes of the transfer of personal data to the data importer are to: (1) enable the data importer to reach out to the data subjects who have consented for marketing purposes on behalf of the data exporter; and/or (2) enable the data importer to access information shared with the exporter regarding ‘quest’ completions; and/or

(3) enable the data importer to perform sentiment analysis on Discord community message data on behalf of the data exporter, for the purpose of providing the data exporter with insights regarding community engagement, player feedback, and general sentiment trends in relation to the data exporter's games or platform presence.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

● The personal data will be retained for the entire period of the processing activities carried out for the data importer under the Main Agreement on a rolling basis. The data exporter has the power to decide for how long the services are required and may instruct the data importer to delete or return the Personal Data at any time, subject to any statutory retention obligations.

● With respect to Discord message content processed for sentiment analysis: raw message content shall be retained by the data importer only for as long as is necessary to generate the relevant sentiment output, and in any event for no longer than 90 days following collection, unless the data exporter provides documented instructions requiring a different retention period. Aggregated or anonymised sentiment outputs that do not permit identification of individual data subjects are not subject to this retention limit.

C. COMPETENT SUPERVISORY AUTHORITY

● The competent supervisory authority is the authority competent at the country of establishment of the data exporter in the EEA.

● See section 5.6 of the DST.

**Annexure IV to Data Sharing Terms

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Data Importer must maintain technical and organisational measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.

The Data Importer is responsible for engaging appropriate expertise to ensure an appropriate level of security is maintained. Notwithstanding that, some of the following measures may be considered as part of an overall data security regime:

● Measures of pseudonymisation and encryption of Personal Data

● Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services

● Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

● Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the Processing

● Measures for user identification and authorisation

● Measures for the protection of data during transmission

● Measures for the protection of data during storage

● Measures for ensuring physical security of locations at which Personal Data are Processed

● Measures for ensuring events logging

● Measures for ensuring system configuration, including default configuration

● Measures for internal IT and IT security governance and management

● Measures for certification/assurance of Processes and products

● Measures for ensuring data minimisation

● Measures for ensuring data quality

● Measures for ensuring limited data retention

● Measures for ensuring accountability

● Measures for allowing data portability and ensuring erasure

Annexure V to Data Sharing Terms

For the purpose of this Annexure IV and subject to Personal Data being subject to UK GDPR, the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18 is deemed incorporated into the DST by reference, and the Tables set out in Part 1 shall be deemed completed by the information provided in Annexure I and the below:

● Table 1 – Exporters and Importers: See Annexure 1-A

● Table 2 – The option selected is option no. 1 “ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information ” referred in Appendix 1

● Table 3 –

o Description of the transfers – See Annexures 1-3

o Technical and Organization Measures – See Annexure 4

o List of Sub Processors – Not applicable

● Table 4 – The option selected is option no. 3 “ Neither Party ”