Data Processing Addendum
1. Structure.
This Data Processing Addendum (“DPA”) is subject to and forms part of the Agreement between True
Medicine, Inc. (“TrueMed” or “Company”) and the applicable Merchant, and governs TrueMed’s
Processing of Personal Data. In the event of a conflict between this DPA and TrueMed’s Terms, this DPA
shall control.
2. TrueMed as a Data Processor, Data Controller, and Business Associate.
Data Processing Roles
TrueMed as a Processor
When TrueMed Processes Personal Data as a Data Processor, it is
acting on behalf of the Merchant, which acts as the Data
Controller.
TrueMed as a Controller
When TrueMed Processes Personal Data as a Data Controller, it
has the sole and exclusive authority to determine the purposes
and means of Processing Personal Data it receives from or
through the Merchant.
TrueMed as a Business Associate
When TrueMed Processes personal data that is Protected Health
Information as a Business Associate, it is acting as a HIPAA
business associate to one or more Telehealth Partners in their
capacity as a HIPAA covered entity.
Data Processing Purposes
TrueMed as a Processor
The purposes of TrueMed’s Processing of Personal Data in its
capacity as a Data Processor are to:
(i) provide access to the TrueMed platform to TrueMed’s
Merchant partners; and
(ii) provide, provide access to, and market TrueMed’s services
for or on behalf of TrueMed’s Merchant partners.
TrueMed as a Controller
The purposes of TrueMed’s Processing of Personal Data in its
capacity as a Data Controller when providing TrueMed’s services
are to:
(i) utilize third parties (e.g., payment method providers like
TrueMed) in connection with the performance of the
Services;
(ii) monitor, prevent and detect fraudulent transactions and
fraudulent activity, and monitor, prevent and mitigate
financial loss, security risks, and other harms;
(iii) implement, maintain and perform internal processes that
enable TrueMed to provide its Services, including
relationship management, billing, and invoicing;
(iv) comply with Applicable Laws; and
(v) analyze and develop TrueMed’s Services.
TrueMed as a Business Associate
The purposes of TrueMed’s Processing of Protected Health
Information in its capacity as a Business Associate are to:
(i) collect, process, and store Protected Health Information for
or on behalf of its Telehealth Partner(s); and
(ii) comply with individual rights requests and other
requirements under HIPAA pursuant to TrueMed’s obligations
to its Telehealth Partner(s).
Categories of Data Subjects and Personal Data
TrueMed as a Processor and as a
Controller
TrueMed may Process the Personal Data of End Users, Merchant
representatives, and any natural person who accesses or uses the
TrueMed Services.
TrueMed as a Business Associate
TrueMed may Process the Protected Health Information of End
Users for and on behalf of TrueMed’s Telehealth Partner(s).
Personal Data
If applicable, TrueMed may Process payment account details,
billing/shipping address, name, order description (including date,
time, amount, product or service description), device ID, email
address, IP address/location, order ID, payment card details, tax
ID/status, unique customer identifier, and identity information.
Sensitive Data
TrueMed may Process Protected Health Information provided by
End Users for and on behalf of TrueMed’s Telehealth Partner(s).
3. TrueMed Obligations when Acting as a Data Processor.
3.1 Obligations.
When TrueMed is acting as a Data Processor for a Merchant, TrueMed will:
a. Process Personal Data on Merchant’s behalf and according to its Instructions. TrueMed will inform
Merchant if, in its opinion, Merchant’s Instructions violate or infringe Applicable Data Protection
Laws;
b. ensure that all persons TrueMed authorizes to Process Personal Data are granted access to Personal
Data on a need-to-know basis and are committed to respecting the confidentiality of that Personal
Data;
c. to the extent required by Applicable Data Protection Laws, inform Merchant of each request
TrueMed receives from Data Subjects (including "verifiable consumer requests" as defined under the
CCPA) exercising their rights under Applicable Data Protection Laws to (i) access (e.g., right to know
under the CCPA) their Personal Data; (ii) have their Personal Data corrected or erased; (iii) restrict or
object to TrueMed’s Processing; or (iv) data portability (collectively “Data Subject Request”). Other
than to request further information, identify the Data Subject, and, if applicable, direct the Data
Subject to the Merchant as Data Controller, TrueMed will not respond to these requests unless it is
instructed in writing to do so by the applicable Merchant. Taking into account the nature of the
Processing, TrueMed will assist Merchant by appropriate technical and organizational measures,
insofar as this is possible, to enable Merchant to meet its obligations to respond to a Data Subject
Request;
d. to the extent required by Applicable Data Protection Laws, inform Merchant of each law
enforcement request TrueMed receives from a Governmental Authority requiring TrueMed to
disclose Personal Data or participate in an investigation requiring TrueMed to disclose Personal Data,
unless prohibited by Applicable Laws;
e. implement and maintain a written information security program to implement the Data Security
Measures;
f. if TrueMed experiences a Data Breach, notify Merchant without undue delay, in each case after
becoming aware of the Data Breach. To the extent known to TrueMed, TrueMed’s notification will
describe in reasonable detail (i) the type of Personal Data that was the subject of the Data Breach,
(ii) the categories and potential number of individuals or records affected (including their countries),
and (iii) the status of TrueMed’s investigation and current or planned remediation. Following the
notification, TrueMed will provide relevant updates to assist Merchant in complying with its
obligations under Applicable Data Protection Laws;
g. to the extent required by Applicable Data Protection Laws and following a written request from
Merchant, contribute to audits or inspections by making available audit reports. Following this
request, and no more frequently than once annually, TrueMed will promptly provide documentation
or complete a written data security questionnaire of reasonable scope and duration regarding
TrueMed’s Processing of Personal Data. All reports and documentation provided, including any
response to a security questionnaire, are TrueMed’s confidential information; and
h. at Merchant’s choice, delete or return all Personal Data Processed in connection with the Services,
and delete existing copies, following termination of the Agreement, except that TrueMed will not be
required to delete or return that Personal Data, or delete existing copies, to the extent that
TrueMed’s storage of that Personal Data or those copies is (i) required by TrueMed to exercise its
rights and perform its obligations under this Agreement; or (ii) required or authorized by Applicable
Data Protection Laws for a longer period.
3.2 Sub-processors.
a. TrueMed engages Sub-processors as necessary to perform the Services. Merchant consents to
TrueMed’s use of its existing Sub-processors and grants TrueMed a general written authorization to
engage Sub-processors as necessary to perform the Services. Merchant acknowledges that
TrueMed’s Sub-processors are essential to provide the Services and that if Merchant objects to
TrueMed’s use of a Sub-processor, then notwithstanding anything to the contrary in the Agreement
(including this DPA), TrueMed will not be obligated to provide Services for which TrueMed uses that
Sub-processor.
b. TrueMed will enter into a written agreement with each Sub-processor that imposes on that
Sub-processor obligations comparable to those imposed on TrueMed under this DPA, including the
obligation to implement appropriate Data Security Measures. If a Sub-processor fails to fulfill its data
protection obligations under that agreement, TrueMed will remain liable for the acts and omissions
of its Sub-processor to the same extent TrueMed would be liable if performing the relevant Services
directly under this DPA.
3.3 CCPA.
If the CCPA applies and TrueMed is acting as a Data Processor, TrueMed will not: (a) sell or share (as
defined under the CCPA) Personal Data; (b) retain, use or disclose Personal Data outside of its direct
business relationship with Merchant other than to provide TrueMed’s Services and as required to comply
with Applicable Laws; and (c) combine Personal Data received from Merchant with Personal Data
received from or on behalf of an individual or collected from TrueMed's own interactions with the
individual, except to provide TrueMed’s Services and as permitted by Applicable Laws. TrueMed certifies
that it understands and will comply with the requirements in this DPA relating to the CCPA and will
provide the same level of privacy protection to Personal Data as required by the CCPA. TrueMed will
inform Merchant if it determines that it can no longer meet its obligations under the CCPA and will take
reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.
3.4 Disclaimer of Liability.
Notwithstanding anything to the contrary in the Agreement, including this DPA, TrueMed will not be
liable for any claim made by a Data Subject arising from or related to TrueMed’s acts or omissions, to the
extent that TrueMed was acting in accordance with Merchant’s Instructions.
4. Merchant’s Obligations as a Data Controller.
Merchant acknowledges and agrees that it shall:
a. only provide Instructions to Stripe that are lawful;
b. comply with and perform its obligations under Applicable Data Protection Law, including with
regard to Data Subject rights, data security and confidentiality, and ensure it has an appropriate legal
basis for the Processing of Personal Data as described in the Agreement, including this DPA; and
c. provide Data Subjects with all necessary information (including by means of offering a transparent
and easily accessible public privacy notice) and, where required by Applicable Data Protection Law,
obtain all necessary consents, regarding its and TrueMed’s Processing of Personal Data for the
purposes described in the Agreement, including this DPA.
5. TrueMed’s Obligations as a Data Controller.
TrueMed shall comply with and perform its obligations under Applicable Data Protection Laws when
Processing Personal Data.
6. Definitions.
Capitalized terms used but not defined in this DPA have the meanings ascribed to them in the Terms or
an Order Form.
a. “Applicable Data Protection Law” means Applicable Laws that apply to Personal Data Processing
under the Agreement and this DPA, including federal, state, and local Applicable Laws relating in any
way to privacy, data protection or data security.
b. “Business Associate” has the meaning ascribed to it in HIPAA.
c. “CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199,
and its implementing regulations.
d. “Covered Entity” has the meaning ascribed to it in HIPAA.
e. “Data Controller” means the entity which, alone or jointly with others, determines the purposes and
means of Processing Personal Data, which may include, as applicable, a “Business” as defined under
the CCPA.
f. “Data Breach” means an unauthorized or unlawful Processing, use, access, loss, disclosure,
destruction or alteration of Personal Data in a party’s, or a party’s subcontractor’s, agent’s or
representative’s, possession or control.
g. “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller,
which may include, as applicable, a “Service Provider” as defined under the CCPA.
h. “Data Security Measures” means physical, technical, and organizational measures that are intended
to secure Personal Data to a level of security appropriate for the risk of the Processing, including
without limitation measures regarding user authentication; vulnerability, patch, and configuration
management; application security; and encryption.
i. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, the Health Information
Technology for Economic and Clinical Health Act of 2009, as each have been and may be amended
from time to time, and their respective implementing rules and regulations.
j. “Instructions” means any communication or documentation, including that which may be provided
through a TrueMed API or written agreements between you and TrueMed through which the Data
Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data
Controller.
k. “Personal Data” means any information relating to an identifiable natural person that is Processed in
connection with the Services, and includes “personal information” as defined under the CCPA, but
excludes Protected Health Information.
l. “Process” means to perform any operation or set of operations on Personal Data or sets of Personal
Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving,
consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning
or combining, restricting, erasing or destroying, as described under Applicable Data Protection Law.
m. “Protected Health Information” has the meaning ascribed to it by HIPAA.
n. “Sensitive Data” means sensitive personal data to the extent treated distinctly as a special category of
Personal Data under Applicable Data Protection Laws, such as “sensitive personal information” as
defined under the CCPA.
o. “Sub-processor” means an entity a Data Processor engages to Process Personal Data on that Data
Processor’s behalf in connection with the Services.