EXHIBIT F - CONTROLLER TO CONTROLLER DATA PROCESSING AGREEMENT
This Controller-to-Controller Data Processing Agreement (DPA) sets forth the terms and conditions under which Deliverect and the Customer shall process Picker Data, and the performance data of the pickers that will be created by Deliverect in connection with Picker Data (“Performance Data”). Capitalized terms used herein that are not defined shall have the meaning given to them under the Agreement and/or the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Roles of the Parties. Deliverect and the Customer are independent controllers of the Picker Data, and as such, each of them independently determines the means and the purpose of the Processing of Picker Data.
Data Sharing and Processing. The Personal Data (including Picker Data) to be shared between Controllers includes the following categories of data: (a) Email address, first name, and last name of the Customer’s staffers that are using Quest; (b) Performance Data created by Deliverect from Picker Data.
Lawfulness of Processing. Each Controller warrants that it has a valid and adequate legal basis under GDPR for the processing of Picker Data, including if applicable, obtaining any required consent from the Data Subject.
Purpose of the Processing. The Controllers agree that Picker Data and Performance Data will only be shared and processed for the Controllers to provide and use Quest and any other purposes that legally require the Controllers to process Picker Data and Performance Data.
Obligations of the Controllers. Each Controller shall comply with the GDPR in relation to the Processing of Picker Data and Performance Data under this DPA.
Security Measures. Each Controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing, including measures to protect against unauthorized or unlawful Processing and accidental loss, destruction, or damage of Personal Data.
Data Subject Rights. Each Controller shall cooperate with the other to ensure compliance with Data Subject requests, including requests for access, rectification, erasure, restriction of Processing, data portability, and the right to object to the Processing of their Personal Data, as required under GDPR.
Notification of Data Breach. Each Controller shall promptly inform the other if it becomes aware of a Personal Data Breach affecting the Personal Data shared under this DPA. The notifying Controller shall provide all necessary information to enable the other Controller to comply with its obligations under Articles 33 and 34 of the GDPR.
Transfer of Personal Data to Third Countries. If either Controller intends to transfer Personal Data to a third country outside the European Economic Area (EEA), it shall ensure that such transfer complies with Chapter V of the GDPR, including the use of appropriate safeguards such as Standard Contractual Clauses or any other mechanism that provides a legal basis for the transfer of Personal Data to a third country.
Liability. Each Controller shall be liable for its own Processing of Personal Data under this DPA. Neither Controller shall be liable to the other for any indirect, consequential, or punitive damages arising from or in connection with this DPA.
Term and Termination. This DPA shall remain in effect until terminated by either Controller, following the same notice that is required for the termination of the Agreement, or immediately upon termination of the Agreement, in which case, each Controller shall cease all Processing of Personal Data shared under this DPA and shall either return or delete such Personal Data, unless otherwise required to retain it by applicable law or to comply with the Controller’s contractual obligations towards the respective Data Subjects.
General: (a) This DPA is governed by the governing law of the Agreement; (b) This DPA constitutes the entire agreement between the Controllers with respect to the subject matter hereof and supersedes all prior agreements and understandings, whether written or oral, relating to such subject matter; (c) This DPA may be amended only by a written instrument executed by both Controllers; (d) If this DPA is held to be invalid or unenforceable, such provision shall be severed, and the remaining provisions shall continue in full force and effect.