a. “Biometric Data” means Personal Information resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of an individual that allows or confirms the unique identification of that individual.

b. “Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction.

c. “Data Protection Requirements” means, collectively, all laws and regulations relating to data privacy, data security, personal data, transborder data flow, and data protection that apply to Provider’s Processing of Personal Information, including without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation (“GDPR and Brazil’s Law No. 13.709 of August 14, 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of July 8, 2019) (the “LGPD”)).

d. “Data Safeguards” means the administrative, operational, organizational, technical, and physical safeguards described in Section 9 of these Standards, as modified in accordance with these Standards. e. “Genetic Data” means Personal Information relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of that individual and which result, in particular, from an analysis of a biological sample from such individual.

f. “Health Data” means Personal Information related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health.

g. “Malware” means computer software, code, or instructions that: (a) adversely affect the operation, security, availability, or integrity of a computing, telecommunications, or other digital operating or processing system or environment, including without limitation, other programs, data, databases, computer libraries, and computer and communications equipment, by altering, destroying, disrupting, or inhibiting such operation, security, or integrity; (b) self-replicate without manual intervention where such self-replication lacks functional purpose; (c) purport to perform a useful function but which actually perform either a destructive, harmful, or unauthorized function, or perform no useful function and utilize substantial computer, telecommunications, or memory resources; or (d) without authorization, collect and/or transmit to third parties any information or data, including such software, code, or instructions commonly known as viruses, Trojans, logic bombs, worms, and spyware.

h. “Personal Information” means any information (i) that can be used (alone or in combination with other information within Provider’s control) to identify, locate, or contact a specific individual, or (ii) related to an identified or identifiable individual. By way of illustration, and not of limitation, Personal Information consists of obviously personally identifiable data elements, such as name, address, and email address as well as less obvious information such as an individual’s personal preferences, hotel stay-related information, guest account information, location data, and online identifiers. Personal Information also includes (without limitation) factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual. Personal Information may pertain to customers, employees, or others. Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files, including all copies, fragments, and excerpts, whether or not such Personal Information has been intermingled with other information or materials. For purposes of these Standards, Personal Information only includes information: (i) provided to Provider by or on behalf of Hilton; or (ii) obtained, used, accessed, possessed, or otherwise Processed by Provider in connection with the provision of the Services.

i. “PCI Standards” means the data security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply, including, but not limited to, the Payment Card Industry Data Security Standards currently in effect and as modified during the term of the Agreement.

j. “Process“ means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

k. “Provider Processing Record” means a written record of all categories of Processing carried out in connection with the Services, which contains the following: (i) the name and contact details of Provider and any Subcontractors and, where applicable, the name and contact details of Provider’s data protection officer; (ii) the categories of Processing performed by the Provider for Hilton; (iii) the list of countries, if any, to which the Provider transfers Personal Data; and (iv) a description of the Provider’s Data Safeguards.

l. “Security Breach“ means (i) any circumstance pursuant to which applicable Data Protection Requirements require action in response to such circumstance, including but not limited to, notification of such breach to be given to affected parties, a regulator, or data protection authority; or (ii) any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance that compromises, or could reasonably be expected to compromise, either Physical Security or Systems Security (as such terms are defined below) in a manner that either does or could reasonably be expected to permit unauthorized Processing, use, disclosure, acquisition of, or access to any Personal Information. “Physical Security” means physical security at any location housing systems maintained by Provider or its agents or Subcontractors in connection with the Services or in the course of physical transportation of assets or physical media used by Provider or its agents or Subcontractors in performing the Services. “Systems Security” means security of computer, electronic, or telecommunications systems of any variety (including databases, hardware, software, storage, switching, and interconnection devices and mechanisms); security of networks of which such systems are a part or with which such systems communicate; and security of networks used directly or indirectly by Provider or its agents, or Subcontractors in connection with the Services.

m. “Sensitive Personal Information“ is Personal Information which due to its nature has been classified by applicable Data Protection Requirements as deserving additional privacy and security protections, including (without limitation): (i) an individual’s name in combination with the individual’s: (A) Social Security number, Taxpayer Identification Number, information contained in a passport or other travel document, driver’s license number, or other identification number issued by a government or public body or (B) financial account number; (ii) an individual’s username which, in combination with a password, PIN, or access code would grant access to an online account; (iii) Cardholder Data; (iv) data about racial or ethnic origin; (v) data about political opinions, religious or philosophical beliefs, or trade union membership; (vi) Genetic Data; (vii) Biometric Data; (viii) Health Data; and (ix) data concerning a natural person’s sex life or sexual orientation. n. “Services“ means the goods and services provided by Provider to Hilton, or through Hilton for the benefit of its franchisees, as further described in the Agreement.

o. “Subcontractor“ means an entity, including any Provider affiliate, engaged by Provider to perform Services for Provider that involve the Processing of Personal Information.

a. If the Provider will obtain or have access to Personal Information originating from the European Economic Area (“EEA”), UK, or Switzerland, the following applies:

i. If Provider will store Personal Information originating from the UK outside of the UK or EEA, Provider agrees to the UK Addendum to the European Commission Standard Contractual Clauses (SCCs) between controllers and processors. The SCCs and UK Addendum are incorporated by reference into these Standards, as further discussed in Section 8(b);

ii. If Provider will store Personal Information originating from within the EEA or Switzerland outside of the EEA or Switzerland, Provider agrees to the European Commission Standard Contractual Clauses (SCCs) between controllers and processors. The SCCs are incorporated by reference into these Standards, as further discussed in Section 8(b).

b. When Section 8(a) applies, the SCCs for transfers between controllers and processors (Module two) are incorporated by reference (the SCCs can be found). Hilton and Provider agree to the SCCs as follows:

i. Hilton is the controller/data exporter. Provider is processor/data importer.

ii. Pursuant to Clause 6 (Details of the transfer) of the SCCs, Hilton and the Provider agree that the details of the transfer are described in the Agreement and Sections 2-4 of these Standards. The details of the transfer form Annex 1.B of the SCCs.

iii. Hilton and Provider agree to incorporate Clause 7 (Docking clause) of the SCCs.

iv. Pursuant to Clause 8 (Obligations of the parties) of the SCCs, Provider as the data importer agrees that it has implemented the technical and organizational security measures specified in Section 9 of these Standards (the Data Safeguards). The Data Safeguards constitute the technical and organizational security standards that form Annex II of the SCCs.

v. Hilton and Provider agree to incorporate Clause 9(a) Option 2 (General Written Authorization) of the SCCs.

vi. Hilton and Provider agree that the following language applies to Clause 13(a) (Supervision) of the SCCs: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

vii. Hilton and Provider agree that Clause 17 (Governing Law) Option 1 of the SCCs shall apply. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland except when the UK Addendum applies, in which case the parties agree that this shall be the laws of England and Wales.

viii. Pursuant to Clause 18 (Choice of forum and jurisdiction) of the SCCs, any dispute arising from these Clauses shall be resolved by the courts of Ireland, except when the UK Addendum applies, in which case the parties agree that any dispute arising from these Clauses shall be resolved by the courts of England and Wales.

ix. Pursuant to Annex I. A (List of parties) of the SCCs, the Data Exporter party shall be: Hilton 7930 Jones Branch Drive McLean, Virginia 22101 U.S.A. Data Protection Officer DataProtectionOffice@hilton.com Activities relevant to the data transferred under these Clauses: The data exporter engages with the data importer to process data in accordance with the parties’ data processing agreement. Role: Controller

x. Pursuant to Annex I.A (list of parties) of the SCCs, Provider shall provide Hilton with the Data Importer party information.

xi. Pursuant to Annex I.C (Competent Supervisory Authority) and in accordance with Clause 13 (Supervision) of the SCCs, the Competent Supervisory Authority is the Dutch Data Protection Authority, except when the UK Addendum applies, in which case the Competent Supervisory Authority is the UK’s Information Commissioner’s Office.

xii. Pursuant to Annex III. (List of Sub-Processors) of the SCCs, Provider shall provide Hilton with the list of sub-processors, when applicable.

xiii. Hilton and Provider agree that by signing the Agreement they are also signing the SCCs, and if relevant, the UK Addendum, as incorporated by reference and completed in accordance with this Section 8(b).

c. Should a court with applicable jurisdiction invalidate the use of the SCCs as a mechanism by which to transfer Personal Information, Hilton and Provider agree to promptly implement contractual language and/or technical changes to ensure that transfers of Personal Information are lawful.

d. Should countries other than those in the EEA, UK, and Switzerland adopt cross-border data transfer clauses similar to the SCCs, Hilton and Provider agree to execute such clauses when necessary.

a. Provider will adopt, implement, and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information. Such procedures and practices will be compliant, at a minimum, with the Agreement, these Standards, and the Data Protection Requirements. All such procedures and practices will take into account the nature of the Personal Information and the commensurate risks associated with such Personal Information.

b. Consistent with the foregoing, Provider agrees:

i. to adopt, implement, maintain, and monitor a written information security program that contains administrative, technical, and physical safeguards to (A) prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information; (B) ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services; and (C) ensure the ability to restore the availability of and access to Personal Information in a timely manner in the event of a physical or technical incident;

ii. to conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;

iii. to take reasonable steps to ensure the trustworthiness of all Provider employees, agents and Subcontractors who will be provided with access to Personal Information;

iv. to ensure that its information security program includes industry standard password, firewall, operating system, anti-virus, and Malware protections to protect Personal Information stored or otherwise handled on computer systems;

v. to encrypt, using industry standard encryption tools, all records and files (A) containing Personal Information that Provider transmits or sends wirelessly or across public networks; and (B) containing Sensitive Personal Information that Provider: (1) stores on laptops or storage media; (2) stores on portable devices; and (3) stores on any device that is transported outside of the physical or logical access controls of Provider; and to safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Personal Information;

vi. to maintain an incident response program that specifies the actions to be taken by Provider when it has reason to believe that a Security Breach may have or has occurred;

vii. to implement such additional security measures as may be required under the Data Protection Requirements or specified in the Agreement.

viii. to comply with the PCI Standards with respect to Cardholder Data if the Provider Processes Cardholder Data in connection with the Services. Consistent with Provider’s obligations as set forth in the Agreement, Provider acknowledges its responsibility for the protection and security of Cardholder Data in connection with the performance of the Services. Provider further represents and warrants that it will not take any actions that will compromise Hilton’s ability to comply with the PCI Standards.

ix. where Provider, directly, or through any of its agents or Subcontractors, connects to Hilton’s computing systems and/or networks, that: (A) all Provider interconnectivity to Hilton’s computing systems and/or networks and all attempts at same will only occur through Hilton’s security gateways/firewalls; (B) Provider will not access, and will not permit any other person or entity to access, Hilton’s computing systems and/or networks without Hilton’s authorization; (C) if Hilton grants Provider permission to access its computing systems and/or networks, Provider will only access Hilton’s computing systems and/or networks as authorized; and (D) Provider’s systems connecting to Hilton’s systems or networks, and those Provider systems which, if compromised, could affect the security, confidentiality, integrity, or availability of Hilton’s computing systems or networks, will be actively protected by an industry standard Malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of Hilton’s computing systems and/or networks. Provider agrees that Hilton may perform periodic assessments of Provider’s network. Should any assessment of Provider’s network reveal inadequate security by Provider or its agents or Subcontractors, Hilton, in addition to other remedies it may have, may suspend Provider’s, its agents’ or Subcontractors’ access to Hilton’s computing systems and/or networks until such security issue has been resolved to the satisfaction of Hilton.

c. Provider agrees that: (i) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Information in Provider’s possession or otherwise acquired by or accessible to Provider; (ii) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Information, will receive appropriate training relating to the protection of Personal Information; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Information to the minimum number of Provider employees and agents who require such access for purposes of providing goods and/or services to Hilton; and (iv) it will impose appropriate disciplinary measures for violations of its information security policies and procedures.

d. If Provider disposes of any paper or electronic record containing Personal Information, Provider will do so in an appropriate manner based on the sensitivity of the information in order to prevent unauthorized access to such information in connection with its disposal. Upon request, Provider will be required to certify to Hilton that all forms of Personal Information disposed of have been destroyed in accordance with these Standards. If Provider cannot so certify, Provider shall provide a written explanation for its inability to certify that it complied with this disposal requirement.

e. Provider shall review and, as appropriate, revise the Data Safeguards: (i) at least annually or whenever there is a material change in Provider’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Information; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended, or re-interpreted Data Protection Requirements, and (iv) as reasonably requested by Hilton. Provider agrees not to alter or modify its Data Safeguards in such a way that will weaken or compromise the security, confidentiality, or integrity of Personal Information.