Exhibit 4.8
Agreement No. 319103.A.011
CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THIS EXHIBIT BECAUSE IT IS BOTH (i) NOT MATERIAL AND (ii) IS THE TYPE OF INFORMATION THAT RADCOM LTD. TREATS AS PRIVATE OR CONFIDENTIAL. OMISSIONS ARE DENOTED IN BRACKETS THROUGHOUT THIS EXHIBIT.
No. 319103.A.011
TO
AGREEMENT NO. 319103.C
Between
RADCOM Ltd.
And
AT&T Services, Inc.
AMENDMENT NO. 319103.A.011
TO
AGREEMENT NO. 319103.C
After all Parties have signed, this Amendment is made effective as of the last date signed by a Party and is between Radcom, LTD, an Israeli company incorporated under the laws of Israel, with its office at 24 Raoul Wallenberg Street, Tel Aviv, Israel (“Supplier”), and AT&T Services, Inc., a Delaware corporation (“AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties”.
WITNESSETH
WHEREAS, Supplier and AT&T entered into the Software and Professional Services Agreement No. 319103.C, as previously amended (the “Agreement”) on March 29, 2019 (the “Effective Date”), and
WHEREAS, Supplier and AT&T desire to amend the Agreement as hereinafter set forth
NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree as follows:
| 1. | Section 1.6, titled “Term of Agreement”, is hereby deleted in its entirety and replaced with the following: |
1.6 Term of Agreement
| a. | This Agreement shall be effective on the Effective Date and will continue in effect for a term expiring on [**] (the “Term”), unless it is Cancelled or Terminated before that date. The Parties may extend the term of this Agreement beyond that date by mutual written agreement. |
| b. | Any Order in effect on the date when this Agreement expires or is Terminated or Cancelled will continue in effect until such Order either (i) expires by its own terms or (ii) is separately Terminated or Cancelled, prior to its own expiration, as provided in this Agreement. The terms and conditions of this Agreement shall continue to apply to such Order as if this Agreement were still in effect. |
| 2. | Section 5.3 - Access to AT&T Premises and Non-Public Information Systems - vendor management system ([VMS]) is hereby deleted in its entirety and replaced with the following: |
Section 5.3 Access to AT&T Premises and Non-Public Information Systems - vendor management system ([VMS])
| a. | When appropriate, Supplier Representatives shall have reasonable access to AT&T’s premises during normal business hours, and at such other times as may be agreed upon by the Parties, to enable Supplier to perform its obligations under this Agreement. Supplier shall coordinate such access with AT&T. Where required by governmental regulations, Supplier shall submit satisfactory clearance from the U.S. Department of Defense and/or other federal, state or local authorities. |
| b. | Supplier shall ensure that Supplier Representatives, while on or off AT&T’s premises, (i) protect AT&T’s materials, buildings and structures, (ii) perform Services which do not interfere with AT&T’s business operations, and (iii) perform such Services with care and due regard for the safety, convenience and protection of AT&T, its employees, and property. |
| c. | AT&T may require Supplier Representatives to exhibit identification credentials issued by AT&T’s vendor management system (VMS) to gain unescorted access to AT&T’s premises for the performance of Services. In addition, if any Supplier Representative requires access to AT&T’s Nonpublic Information Resources (as defined in the AT&T Supplier Information Security Requirements), Supplier must obtain an ATT UID for each such Supplier Representative from AT&T’s VMS. ATT UIDs will be provisioned upon Supplier’s successful opening of a worker record within the VMS. Supplier Representatives shall also exhibit their company’s photo identification, if any. If, for any reason, any Supplier Representative is no longer performing Services or no longer has a need to have access to AT&T’s Nonpublic Information Resources, then Supplier shall immediately close the Supplier Representative’s record in the VMS and promptly return any identification credentials issued by the VMS. In cases where a Supplier Representative is being removed due to misconduct involving work at AT&T, Supplier will immediately inform the AT&T sponsoring manager of the nature of the misconduct. |
| d. | AT&T currently uses a third-party VMS vendor and reserves the right to change the VMS vendor at any time and from time to time. Supplier shall enter into an agreement with AT&T’s designated VMS vendor, at no cost to AT&T, and supply any information about each Supplier Representative reasonably required by the VMS vendor to create a worker record and enable provisioning of identification credentials and ATT UIDs. If Supplier fails to enter into an agreement with AT&T’s VMS vendor to use the VMS, Supplier’s Supplier Representatives will not be allowed access to AT&T’s premises (other than on an escorted basis) or to AT&T’s Nonpublic Information Resources. AT&T reserves the right to restrict Supplier’s or Supplier Representatives’ access to AT&T’s facilities and/or Nonpublic Information Resources, without liability to AT&T, until AT&T is satisfied that Supplier is compliant with its obligations under this Section. |
| e. | Supplier shall ensure that information provided to AT&T or the VMS vendor for its Supplier Representatives is 1) input accurately into the VMS (including the SSN/Security ID for each Supplier Representative, the Agreement number in the “Contract or PO #” field as it may be changed, the start and end dates (end date must not be after the expiration date of the Agreement), the citizenship or lawful permanent residence of each Supplier Representative, and the worker classification obtained from the AT&T sponsoring manager), 2) maintained properly throughout the term of the engagement, and 3) closed on a timely basis upon the termination or expiration of the engagement or the need for the Supplier Representatives to have access to AT&T’s premises or Nonpublic Information Resources. Supplier shall not enable or allow any Supplier Representative to let anyone else use the AT&T identification credentials or an ATT UID issued to that Supplier Representative to gain access to AT&T’s premises or Nonpublic Information Resources. |
| f. | In addition, notwithstanding anything to the contrary in the Termination section of this Agreement, if Supplier breaches any of its obligations under this Section, then AT&T may, by giving notice to Supplier, terminate this Agreement, in whole or in part, as of the termination date specified in such notice without regard to any cure period and without liability to Supplier except for payment for Services rendered up to the date of termination. |
| 3. | Section 15.22, titled “Anticorruption Laws” is hereby deleted in its entirety and replaced with the following: |
Section 15.22 Anticorruption Laws
| a. | Supplier hereby represents and warrants that the employees, temporary workers, agents, consultants, partners, officers, directors, members or representatives of Supplier and its Subcontractors, if any, performing Services or other activities under this Agreement (each and any of the foregoing individuals, for the purpose of this Section, a “Supplier Representative”) shall comply with the US Foreign Corrupt Practices Act and all applicable anticorruption laws (including commercial bribery laws). Supplier Representatives shall not directly or indirectly pay, offer, give, promise to pay or authorize the payment of any portion of the compensation received in connection with this Agreement or any other monies or other things of value in connection with its performance to a Government Official, as such term is defined below, to obtain or retain business or secure any improper advantage nor shall it permit such actions by a third party in connection with this Agreement. For purposes of this Section, “Government Official” means: |
| (i) | an officer or employee of any government or any department, agency, or instrumentality thereof, including government-owned or government-controlled commercial entities. |
| (ii) | an officer or employee of a public international organization. |
| (iii) | any person acting in an official capacity for or on behalf of any government or department, agency, or instrumentality or public international organization. |
| (iv) | any political party or official thereof; |
| (v) | any candidate for political office; or |
| (vi) | any other person, individual or entity at the suggestion, request or direction or for the benefit of any of the above-described persons or entities. |
| 4. | Section 15.29, titled “Supplier’s Compliance with Industry Standards” is hereby deleted in its entirety and replaced with the following: |
Section 15.29 Supplier’s Compliance with Industry Standards
Supplier represents and warrants that any commercial off the shelf (COTS) Materials that are developed, made available, or provided by or on behalf of Supplier under this Agreement adhere, and to the extent maintained by Supplier will continue to adhere, to the most current versions of one or more of the following security industry standards, methodologies, and/or quality controls:
| ● | Center for Internet Security (CIS) Standards/Benchmarks |
| ● | ISO/IEC 27001 |
| ● | National Institute of Standards and Technology (NIST) SP 800-53 |
| ● | OWASP Application Security Verification Standard |
| ● | Payment Card Industry-Data Security Standards (PCI-DSS) |
In the event of an inconsistency or conflict between the requirements in this clause, the Specifications, and any other provisions in this Agreement, the most stringent requirements will control. Upon AT&T’s request, Supplier must promptly and reasonably answer questions concerning Supplier’s adherence to security industry standards or the COTS Materials.
| 5. | Section 15.2, titled “Independent Contractor” is hereby deleted in its entirety and replaced with the following: |
Section 15.2 Independent Contractor
| a. | Supplier is engaged in an independent business and will perform all obligations under this Agreement as an independent contractor and not as the agent or employee of AT&T. |
| b. | Regarding any Supplier Representatives who perform any Services or other activities on behalf of AT&T in the United States, Supplier represents and warrants to AT&T as follows: |
| i. | Supplier Representatives are and shall be considered solely the employees of Supplier or its Subcontractors, and are not employees or agents of AT&T; and all Supplier Representatives are compensated as IRS Form W-2 employees, unless any Supplier Representative performs Services for less than ninety (90) days in any given calendar year, in which case such Supplier Representative may be compensated via IRS Form 1099; |
| ii. | Supplier, or its Subcontractors, have and retain the right to exercise full control of and supervision over Supplier Representatives’ performance of the Services and full control over the employment, direction, assignment, compensation, and discharge of all Supplier Representatives performing the Services; |
| iii. | Supplier, or its Subcontractor(s), are solely responsible for all matters relating to compensation, wage and hour compliance, and benefits for all Supplier Representatives who perform Services; |
| iv. | Supplier has in place legally enforceable arbitration agreements with all subcontractors that work for AT&T that require such Supplier subcontractors to submit to binding arbitration any disputes regarding Supplier subcontractors’ work for AT&T, and such arbitration agreement with Supplier subcontractors does not permit class or collective action arbitrations regarding Supplier subcontractors’ work for AT&T. |
| 6. | Section 5.8, titled “Offshore Work Permitted Under Specific Conditions” is hereby deleted in its entirety and replaced with the following: |
5.8 Offshore Work Permitted Under Specific Conditions
| a. | No Supplier Entity may provide Services from a location outside the United States (“Offshore Location”) without AT&T’s prior written consent. If AT&T consents to a Supplier Entity performing the Services at an Offshore Location, then the Offshore Location, and any additional terms and conditions required for such consent (“Supplemental Offshore Terms and Conditions”), will be specifically set forth in Appendix K–Offshore Location. Supplier may change performance of a Service from one approved Offshore Location to another approved Offshore Location (or to a U.S. location). Supplier may not change Offshore Locations, or the Services to be performed or the Supplier Entities performing Services at such Offshore Locations and may not modify the Supplemental Offshore Terms and Conditions without AT&T’s consent and an amendment to Appendix K– Offshore Location. The requirements of this Section are in addition to the Sections titled “Assignment and Delegation” and “Use of Subcontractors”. |
| b. | AT&T may, in its discretion, revoke its consent to the performance of Services at an Offshore Location if: (i) this Agreement was breached with respect to an Offshore Location, (ii) the Laws with respect to the Services performed at such Offshore Location were violated, (iii) the continued performance of Services at such Offshore Location constitutes a risk to AT&T’s financial or security interests or could reasonably damage AT&T’s reputation, or (iv) the Supplier Entity providing Services at an Offshore Location undergoes a change of Control. Supplier must advise AT&T as early as possible of any such change of Control or anticipated change of Control. Upon AT&T’s revocation of consent, Supplier must, as applicable, perform such Services from within the United States or from another AT&T-approved Offshore Location, or use a different AT&T-approved Supplier Entity, and the Parties will amend Appendix K– Offshore Location accordingly. |
| c. | A Supplier Entity’s performing Services at an Offshore Location without AT&T’s written consent will be a material breach of this Agreement for which AT&T may immediately (notwithstanding anything to the contrary in this Agreement and in addition to AT&T’s other remedies) terminate this Agreement or an applicable Order. |
| d. | Services performed in Offshore Locations will be subject to the terms of this Agreement, including the Sections titled “Compliance with Laws” and “Records and Audits.” Supplier must provide, and must ensure that all Supplier Entities provide, physical access to AT&T to inspect Offshore Locations. |
| e. | If AT&T identifies an information security issue involving access to or storage of AT&T’s Information or data related to an approved Offshore Location, Supplier will immediately work in good faith with AT&T to resolve such issue. If the Parties are unable to resolve such issue to AT&T’s satisfaction, AT&T may (notwithstanding anything to the contrary in this Agreement and in addition to AT&T’s other remedies) terminate this Agreement or Order, and will pay Supplier for Deliverables provided prior to the effective date of termination. |
| f. | If authorized by AT&T to access the AT&T internal network, or perform Services at an Offshore Location, before so doing, Supplier must be in compliance with any AT&T-provided requirements for such access and performance of the Services and to the extent stipulated in Appendix K– Offshore Location. |
| 7. | Supplier’s IPv6 Roadmap and Compliance - The Agreement is hereby amended to add a new Section 15.32 (“Supplier’s IPv6 Roadmap and Compliance”) as follows: |
15.32 Supplier’s IPv6 Roadmap and Compliance
Upon AT&T’s request, Supplier shall maintain and provide to AT&T either (i) attestation that Supplier’s Deliverables are Internet Protocol Version 6 (IPv6) compliant; or (ii) Supplier’s IPv6 roadmap demonstrating Supplier’s commitment including dates that Supplier’s Deliverables will be IPv6 compliant (“Supplier’s IPv6 Roadmap”) in accordance with the earlier of Supplier’s IPv6 roadmap timeline or the timeline in subsection 6, below.
To ensure Supplier’s Deliverables support an orderly and seamless transition from Internet Protocol Version 4 (IPv4) to IPv6, Supplier represents and warrants that any Supplier Deliverables provided to AT&T are IPv6 compliant, or will be IPv6 compliant in accordance with this Section.
With respect to Supplier IPv6 responsibilities and planning activities with AT&T, Supplier shall:
| 1. | Communicate and work with AT&T to ensure that any Supplier Deliverables will be IPv6 compliant. An IPv6 compliant service or product must be able to operate in a dual stacked IPv4/IPv6 environment as well as an IPv6 only environment. |
| 2. | Include in new design and engineering plans, IPv6 compliance requirements. |
| 3. | Assess existing technologies to include IPv6 requirements, where applicable. |
| 4. | Reduce reliance on IPv4 addresses and drive IPv6 adoption for all new hardware, software, systems, tools, applications, etc., whether purchased or built for use, or sale. |
| 5. | Ensure that any new IP related product or system to be provided to AT&T has IPv6 technical support for development, implementation, and field deployment. |
| 6. | For non-compliant Deliverables, unless required earlier by law, provide a migration path and commitment to upgrade to IPv6 for all Deliverables to be at least 50% complete by end 2024; at least 80% by Q2 2025, and all complete by January 1, 2026. |
| 7. | Flow down similar requirements to Supplier’s applicable Subcontractors. |
Supplier shall ensure its Materials offered, for sale, furnished, or sold to AT&T will be fully IPv6 compliant by January 1, 2026.
| 8. | Section 10.1, titled “Information” is hereby deleted in its entirety and replaced with the following: |
10.1 Information
| a. | With respect to the Information of a Party, the other Party must: |
| i. | hold it in confidence with the same degree of care with which it protects its own Information. |
| ii. | restrict disclosure to its Affiliates, employees, contractors, and agents with a need to know, advise such persons of their confidentiality obligations, and ensure that they are bound by confidentiality obligations reasonably comparable to those in this Agreement; |
| iii. | except as permitted or required under this Agreement, not commercially exploit such Information (or allow anyone else to do so); and |
| iv. | ensure that any copies bear the same notices or legends, if any, as the originals. |
| b. | Except for a Party’s Customer Information and trade secrets, the restrictions in Subsection (a) will not apply to Information that: (i) at the time of disclosure was already known to the other Party free of restrictions to keep it confidential, as evidenced by its written records; (ii) is or becomes publicly known through no wrongful act of the other Party; (iii) is lawfully received from a third party, free of restrictions to keep it confidential; (iv) is independently developed by the other Party without use of the disclosing Party’s Information; or (v) the Party consents in writing to be free of restriction. A Party’s confidentiality obligations under this Agreement will remain in effect, including after the Agreement’s expiration or termination, until it qualifies under one of the exceptions in this Subsection. Confidentiality obligations with respect to a Party’s Information that constitutes a trade secret will remain in effect for so long as such Information remains a trade secret under applicable Laws. |
| c. | To the extent feasible, each Party must mark or designate Information as confidential; however, the failure to do so will not waive the confidentiality provisions where: (i) it is reasonably obvious under the circumstances that the Information is confidential or (ii) the receiving Party’s employees, contractors, or agents accessed or received the Information while on the disclosing Party’s premises or while accessing its or its customers’ systems, network, or facilities. |
| d. | If a receiving Party receives or is provided access to Information under this Agreement that has been de-identified or aggregated by a Party, the receiving Party agrees that it is prohibited from and will not attempt to re-identify, reverse engineer, or otherwise link or associate any de-identified or aggregated Information with any identifiable individual, household, or device, unless expressly authorized in writing in advance by the other Party. The receiving Party further agrees to comply with all relevant privacy and data protection laws to the extent applicable to such Information. |
| 9. | EEA, UK and Switzerland Data Privacy including GDPR Data Processing Obligations - The Agreement is hereby amended to add a new Appendix (“Appendix P - EEA, UK and Switzerland Data Privacy including GDPR Data Processing Obligations”) as follows: |
Appendix P - EEA, UK and Switzerland Data Privacy including GDPR Data Processing Obligations attached hereto.
| 10. | Appendix K: Offshore Locations. The Agreement is hereby amended to delete Appendix K in its entirety and replace it with Appendix K: “Offshore Locations” attached hereto. |
The terms and conditions of the Agreement in all other respects remain unmodified and in full force and effect.
Original signatures transmitted and received via electronic transmission and digital signatures meeting the requirements of the Uniform Electronic Transactions Act or the Electronic Signatures in Global and National Commerce Act are true and valid signatures and will bind the Parties to the same extent as an original signature. This Amendment may be executed in counterparts, each of which will be an original but all of which together will constitute one document.
The Parties have caused this Amendment to be executed by their duly authorized representatives.
| Radcom Ltd. | | AT&T Services, Inc. | |
| By: | /s/ Hadar Rahav | By: | /s/ [**] |
| Name: | Hadar Rahav | Name: | [**] |
| Title: | CFO | Title: | [**] |
| Date: | 06/26/2025 | Date: | 06/27/2025 |

| Radcom Ltd. | |
| By: | /s/ Benny Eppstein |
| Name: | Benny Eppstein |
| Title: | CEO |
| Date: | 06/26/2025 |
APPENDIX P – EEA, UK AND SWITZERLAND DATA PRIVACY AND GDPR DATA PROCESSING OBLIGATIONS
The provisions in this Appendix shall be applicable to the Processing of Personal Data that is subject to Data Protection Laws. To the extent that there is a conflict between the terms and conditions elsewhere in this Agreement and those in this Appendix, the latter shall control to the extent of such conflict.
Where AT&T has entered into the Agreement for itself and for and on behalf of its Affiliates, all references to “AT&T” in this Appendix (and in respect of the Standard Contractual Clauses, where these apply) shall be construed as reference to the applicable AT&T Affiliate whose Personal Data the Supplier Processes pursuant to the Agreement. Where Supplier has entered into the Agreement for itself and for and on behalf of its Affiliates, all references to “Supplier” in this Appendix (and in respect of the Standard Contractual Clauses, where these apply) shall be construed as reference to the Supplier or applicable Supplier Affiliate that is a Party to the Agreement and Processes Personal Data pursuant to the Agreement.
1. Definitions
The following definitions shall apply to this Appendix:
Data Controller: means a natural or legal person who is considered to be a “controller” in relation to the Personal Data under the Data Protection Laws of the applicable Extended EEA Country.
Data Processor: means a natural or legal person who is considered to be a “processor” of the Data Controller under the Data Protection Laws of the applicable Extended EEA Country.
Data Protection Laws: means all laws and regulations of the applicable Extended EEA Country that relate to the Processing of Personal Data.
Data Subject: has the meaning ascribed to “data subject” under the Data Protection Laws of the applicable Extended EEA Country.
EU: means the European Union.
GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Extended EEA Country: means a country within the European Economic Area, Switzerland, or the United Kingdom.
Personal Data: means any information that is considered under the Data Protection Laws of the applicable Extended EEA Country to be “personal data” that Supplier Processes under this Agreement.
Personal Data Breach: has the meaning ascribed to “personal data breach” under the Data Protection Laws of the applicable Extended EEA Country, to the extent that such breach occurs with respect to Personal Data.
Process and Processing: have the meaning ascribed to “process” or “processing” under the Data Protection Laws of the applicable Extended EEA Country.
Third Country: means a country not deemed adequate to receive the Personal Data under the Data Protection Laws of the applicable Extended EEA Country.
Sensitive Personal Data: means any information that is considered under the Data Protection Laws of the applicable Extended EEA Country to be “sensitive personal data” or “special categories of personal data” or similar, that Supplier Processes under this Agreement.
Standard Contractual Clauses: means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” adopted by the European Commission decision of 4 June 2021 and published under document number C(2021) 3972 (available here).
Sub-Data Processor: means a natural or legal person who is engaged (directly or indirectly) by the Data Processor to carry out specific Processing activities on behalf of the Data Controller.
Supervisory Authority: means any governmental authority, agency, or regulator in relation to Personal Data, including “supervisory authorities” as understood under the Data Protection Laws of the applicable Extended EEA Country.
2. Supplier as Data Processor or Sub-Data Processor
Section 2 and Section 3 apply to the extent that in relation to particular Personal Data:
| ● | AT&T is a Data Controller and Supplier is its Data Processor; or |
| ● | AT&T is a Data Processor and Supplier is its Sub-Data Processor. |
2.1 Supplier Obligations
Supplier shall:
| (a) | Process such Personal Data in accordance with Data Protection Law and only in accordance with the instructions that are set forth in this Agreement and Exhibit 1 to this Appendix or as otherwise agreed to by the Parties in writing including as to the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects; |
| (b) | ensure that Supplier’s employees, agents, and contractors who Process such Personal Data are subject to written obligations of confidentiality; |
| (c) | implement appropriate technical and organizational security measures in relation to such Personal Data taking into account: (i) the state of the art, costs of implementation, nature, scope, context, and purposes of the Processing; and (ii) the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such Personal Data that is Processed, including the measures that are set forth in this Agreement and Exhibit 2 to this Appendix; |
| (d) | not have such Personal Data Processed by another natural or legal person except to the extent that Supplier has: |
| ● | received the prior specific or general written authorization of AT&T for such Processing; |
| ● | imposed on such other natural or legal person data protection obligations that are the same in all material respects as those set forth in this Appendix, to the extent required pursuant to Data Protection Laws; |
| ● | with respect to Sub-Data Processors for which Supplier has received general written authorization as per Section 2.2 below, informed AT&T in writing of any changes concerning the addition or replacement of such Sub-Data Processors and obtained AT&T’s written consent prior to allowing Processing by such Sub-Data Processor; |
| (e) | notify AT&T in writing through its business contact of any communications or requests in relation to Personal Data received from Data Subjects, Supervisory Authorities or other third parties without undue delay following receipt of such communications or requests (but no later than 24 hours after such receipt). Supplier shall provide such notices via e-mail to its business contact with a copy to privacypolicy@att.com with the subject line stating “URGENT - Personal Data Related;” |
| (f) | taking into account the nature of Supplier’s Processing activities, assist AT&T at AT&T’s request to enable AT&T and/or the Data Controller (if different to AT&T) (i) to fulfill its obligations to respond to requests by Data Subjects in relation to their rights under Data Protection Laws, and (ii) to fulfill its obligations to respond to requests by Supervisory Authorities and other third parties; |
| (g) | taking into account the nature of Supplier’s Processing of such Personal Data and information available to Supplier: |
| ● | notify AT&T by calling AT&T Asset Protection (at 800-807-4205 within the U.S. or +1 908-658-0380 outside the U.S.) of any Personal Data Breach without undue delay after becoming aware of such breach (but no later than 12 hours after becoming aware); and |
| ● | without undue delay provide reasonable assistance to AT&T and/or the Data Controller (if different to AT&T) in relation to any obligations including under Data Protection Laws in relation to: |
| o | a Personal Data Breach; and |
| o | the performance of data protection impact assessments by the AT&T and/or the Data Controller (if different to AT&T) |
| (h) | securely delete all such Personal Data, including all existing copies (or, to the extent AT&T so requests, securely return the Personal Data and copies to AT&T in a commonly used data format), when no longer needed for the purposes for which it was collected, which shall be at the end of the term of this Agreement at the latest unless otherwise requested by AT&T, provided, however, that no such deletion will be required to the extent that (a) applicable law requires storage of such data beyond such period; or (b) AT&T instructs Supplier in writing to retain such data beyond such period; and |
| (i) | at AT&T’s request, make available to AT&T all information necessary to demonstrate compliance with Supplier’s obligations under this Appendix and allow for and contribute to audits, including inspections, conducted by AT&T and/or the Data Controller (if different to AT&T) or another auditor mandated by AT&T and/or the Data Controller (if different to AT&T), provided that Supplier shall notify AT&T in writing if it believes in good faith that the exercise of rights under this Section 2.1(i) would infringe Data Protection Laws. Supplier agrees that AT&T has the right to disclose some, or all the information contained in, or obtained in connection with, this Appendix to: |
| ● | Data Controllers, Supervisory Authorities, Data Subjects; and |
| ● | other third parties to the extent required under Data Protection Laws. |
| (j) | provide and keep current its processing-related information, Data Protection Officer information, and point of contact information in a medium and form acceptable to AT&T. |
Permitted Sub-Data Processors
| 2.2 | AT&T acknowledges that it has authorized Supplier to engage the natural or legal persons identified by Supplier as of the date of this Appendix in Exhibit 3 to this Appendix to process Personal Data on behalf of AT&T and/or the Data Controller (if different to AT&T) |
3. Cross-Border Transfers to Third Countries
Application of the Standard Contractual Clauses
| 3.1 | Where AT&T, acting as a Data Controller or a Data Processor (as applicable) of the Personal Data: |
| (a) | is established in an Extended EEA Country; or |
| (b) | is not established in an Extended EEA Country, but Processes Personal Data originating from an Extended EEA Country and: (i) is directly subject to the Data Protection Laws of the Extended EEA Country in relation to such Processing; or (ii) is contractually obliged to impose safeguards that are equivalent to those safeguards required under the Data Protection Laws of the Extended EEA Country on any third parties with whom they share the Personal Data, |
and AT&T transfers Personal Data it Processes to the Supplier located in a Third Country, the Standard Contractual Clauses shall apply to the Supplier’s Processing of such Personal Data as set out in the remainder of this Section 3 below, except to the extent that AT&T agrees in writing that the Supplier is entitled to Process such Personal Data in that Third Country by virtue of: (i) adherence to another framework recognized by the relevant Supervisory Authority or courts in the Extended EEA Country as providing an adequate level of protection for the Personal Data; or (ii) an export derogation recognized by the applicable Data Protection Law. Where AT&T agrees in writing, such alternative framework or derogation shall apply. If AT&T does not agree to this in writing, the Standard Contractual Clauses shall apply to the Supplier’s Processing as set out in the remainder of this Section 3 below.
| 3.2 | Where AT&T transfers Personal Data referred to in Sections 3.1(a) or 3.1(b) above to the Supplier located in an Extended EEA Country, the Supplier shall enter into the Standard Contractual Clauses with any third party located in a Third Country (including any Supplier Affiliate) to whom the Supplier transfers such Personal Data before making such transfer, unless AT&T agrees otherwise in writing and the Supplier shall in all cases comply with Data Privacy Law in relation to such transfer. Where this Section 3.2 applies: |
| (a) | the Supplier shall indemnify AT&T against all actions, claims, losses, and expenses suffered or incurred by AT&T arising from the Supplier breaching its obligations under this Section 3.2; |
| (b) | the Supplier warrants that it has provided AT&T that transfers the Personal Data to it with relevant information about: (i) which third parties the Supplier will transfer the Personal Data to and where those third parties are located, (ii) the laws and practices of any Third Countries to which Supplier transfers the Personal Data; and (iii) the contractual, technical and organisational safeguards that are in place to protect the Personal Data when Supplier or a relevant Sub-Data Processor transfers the Personal Data to a Third Country; and |
| (c) | no less than every six (6) months, the Supplier shall provide details of the number of legally binding requests that it or any Sub-Data Processor has received from a public authority in a Third Country. |
Conflict and precedence
| 3.3 | In the event of a conflict between the Standard Contractual Clauses and the Agreement (including this Appendix and any addenda), the Standard Contractual Clauses shall prevail. |
Governing law, jurisdiction and interpretation
| 3.4 | The parties to Standard Contractual Clauses agree that their respective obligations under the Standard Contractual Clauses shall be governed by the law(s) of, and subject to the jurisdiction of the courts of: |
| (a) | where AT&T is established in the EU, the Netherlands; |
| (b) | where AT&T is established outside the EU and Section 3.1(b) above applies and the Personal Data originates from the EU, the Netherlands; |
| (c) | where AT&T is established outside the EU, but within an Extended EEA Country, the Extended EEA Country in which AT&T is established; and |
| (d) | subject to Section 3.4(b) above, where AT&T is established outside an Extended EEA Country and Section 3.1(b) above applies, the Extended EEA Country from which the Personal Data originated. |
| 3.5 | Where the applicable Extended EEA Country in which AT&T is established or from where the Personal Data originated is not a member state of the EU, references in the Standard Contractual Clauses to: |
| (a) | “Member States of the European Union” shall refer to the applicable Extended EEA Country in which AT&T is established or from where the Personal Data originated (as applicable); |
| (b) | “the GDPR” shall refer to the applicable Data Protection Laws of the Extended EEA Country in which AT&T is established or from where the Personal Data originated (as applicable); and |
| (c) | “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined by Section 3.9 below. |
Incorporation and interpretation of the Standard Contractual Clauses
| 3.6 | The Supplier agrees to comply with the obligations of a data importer as set out in the Standard Contractual Clauses which are incorporated herein by reference and construed as follows: |
| (a) | the Standard Contractual Clauses shall constitute a separate agreement between AT&T acting as a data exporter and the Supplier, acting as data importer; |
| (b) | where the applicable sections of the Standard Contractual Clauses require the data exporter and the data importer to select a module, the Supplier acknowledges that: |
| i. | Module Two of the Standard Contractual Clauses (Transfer controller to processor) shall apply where the Supplier, as data importer, is acting as AT&T’s Data Processor; and |
| ii. | Module Three of the Standard Contractual Clauses (Transfer processor to processor) shall apply where the Supplier, as data importer, is acting as AT&T’s Sub-Data Processor. |
| (c) | for the purposes of Section II, Clause 8.1 (Module Two) and Section II, Clause 8.1 (Module Three) (as applicable) of the Standard Contractual Clauses, the instructions to the Supplier shall be as per Section 2.1(a) of this Appendix; |
| (d) | for the purposes of Section II, Clause 8.5 (Module Two) and Section II, Clause 8.5 (Module Three) (as applicable) of the Standard Contractual Clauses, the Supplier’s storage, erasure and return of Personal Data shall be construed by reference to Section 2.1(h) of this Appendix; and |
| (e) | for the purposes of Section II, Clause 9 (Module Two) and Section II, Clause 9 (Module Three) (as applicable) of the Standard Contractual Clauses, the Supplier’s ability to engage Sub-Data Processors shall be construed by reference to clauses 2.1(d) and 2.2 of this Appendix. |
Completion of the Annexes of the Standard Contractual Clauses
| 3.7 | Annex I, Part A (List of parties) of the Standard Contractual Clauses is hereby deemed to be completed with: (i) the details of AT&T making the export (as data exporter and Data Controller or Data Processor (as applicable)); and (ii) the details of the Supplier (as data importer and Data Processor or Sub-Data Processor (as applicable)), in each case as set out in Exhibit 1 of this Appendix. |
| 3.8 | Annex I, Part B (Description of the transfer) of the Standard Contractual Clauses is hereby deemed to be completed with the information set out in Exhibit 1 of this Appendix. |
| 3.9 | Annex I, Part C (Competent Supervisory Authority) of the Standard Contractual Clauses is hereby deemed to be completed with the information set out in Exhibit 1 of this Appendix. |
| 3.10 | Annex II of the Standard Contractual Clauses (The Technical and organisational measures including technical and organisational measures to ensure the security of the data) is hereby deemed to be completed as follows: the Supplier shall implement and maintain technical and organisational security measures to adequately protect AT&T’s Personal Data against the risks inherent in the Processing of Personal Data for the purposes identified in the Agreement (as applicable), and risks from unauthorized or unlawful Processing and destruction, damage, misuse, and loss, including those specified in (i) the Agreement, including any relevant addendum or exhibit specifying security requirements, such as a security requirements exhibit; and (ii) Exhibit 2 of this Appendix. |
| 3.11 | The Supplier agrees to execute additional documents (including updates to the Annexes of the Standard Contractual Clauses) and apply additional protections, as may be necessary for the transfer and storage of Personal Data transferred pursuant to the Standard Contractual Clauses. |
Additional country requirements
| 3.12 | If Supplier at any time processes AT&T personal data originating in any country which restricts the processing, export, or use of the personal data outside that country (including an Extended EEA Country), the Supplier will, on AT&T’s instructions, take all necessary actions and execute such agreements as may be necessary under applicable data protection law in such country to legitimise any processing or data transfer of personal data to the Supplier and to ensure an adequate level of protection for the relevant personal data. |
| 3.13 | In the event that any competent authority holds that a data transfer mechanism relied on by the parties (including pursuant to Section 3.12 above) is invalid, or any supervisory authority requires transfers of personal data made pursuant to such mechanism to be suspended, then AT&T may, at its discretion, require the Supplier to cease processing personal data, or co-operate with it to facilitate use of an alternative transfer mechanism. |
EXHIBIT 1
DETAILS OF PROCESSING PURSUANT TO SECTION 2.1(a) OF THIS APPENDIX
AND
ANNEX I, PART A AND PART B OF THE STANDARD CONTRACTUAL CLAUSES (WHERE APPLICABLE)
[**]
EXHIBIT 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
[**]
EXHIBIT 3
SUB-DATA PROCESSORS (SUB-PROCESSORS) AUTHORIZED BY AT&T TO PROCESS PERSONAL DATA
[**]
Appendix K – Offshore Locations
[**]