Fifth Amendment to that Tour Operator Agreement, dated December 12, 2011, as amended

Exhibit 10.1

AMENDMENT NO. 5

This is the FIFTH Amendment (“Amendment 5”) dated as of September 9, 2022 (“Effective Date”) to that Tour Operator Agreement, dated December 12, 2011, as amended, between NGS and Lindblad, (collectively, the “Agreement”).

WHEREAS, the Parties wish to amend the Agreement to clarify and detail agreed upon procedures related to Personal Information (as defined herein), and data protection and security.

NOW THEREFORE, Lindblad and NGS hereby agree to amend the Agreement as follows:

“Exhibit H. Data Protection”

“Data Security and Protection: The parties agree as follows:

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 1 of 11

“Confidentiality.

SIGNATURE PAGE FOLLOWS

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 2 of 11

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 3 of 11

EXHIBIT H

In the event of any inconsistency or other conflict between this Exhibit H and any other provision or Exhibit of this Agreement relating to the collection, use, maintenance, disclosure or secure destruction of Personal Information (as defined below), the terms of this Exhibit will prevail.

Defined terms in this Exhibit shall have the meaning defined in the Agreement, unless such terms are otherwise defined in this Exhibit. For the avoidance of doubt, NGS is not an Other Provider for the purposes of this Exhibit.

DATA PROTECTION

This Data Protection Exhibit, in combination with other applicable requirements of the Agreement, shall constitute a material part of the Agreement between the parties. If there are any conflicts between this Exhibit and the terms of the Agreement, the terms of this Exhibit shall control with respect to such conflict. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement.

1.         Definitions.

(a)         “Argentinian Model Clauses” mean the model contract for the international transfer of “personal data” (as defined under Argentina Data Protection Law) to other countries that do not provide an adequate level of protection for personal data related to Data Subjects residing in Argentina, as set out in Disposition 60-E/2016.

(b)          [Intentionally Omitted.]

(c)         “Data Protection Laws” mean any applicable treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance regarding the same, whether of or by any legislative, administrative, judicial, or other government authority, that relates to the confidentiality, security, privacy, or Processing of Personal Information.

(d)         “Data Subject” means any identified or identifiable individual, and shall also have any meaning as set forth in Data Protection Laws.

(e)         “European Data Protection Laws” mean the Data Protection Laws of (i) the European Union and the European Economic Area (“EEA”), including the GDPR; (ii) states party to the EEA, including European Union Member States; (iii) the United Kingdom (“UK”), including the Data Protection Act 2018 (together with any amended or successor Data Protection Laws thereto) and including any subsequent UK Data Protection Laws that adopt, implement, or are otherwise designed to comply with the GDPR; (iv)  any state that subsequently becomes a Member State of the European Union or of the EEA; and (v)  the Swiss Confederation.

(f)         “European Personal Data” means Personal Information originating from or Processed in the European Union or otherwise subject to European Data Protection Laws.

(g)         “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) (together with any amended or successor Data Protection Laws thereto).

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 4 of 11

(h)         “European Model Clauses” mean the “standard contractual clauses for the transfer of personal data to processors established in third countries” as set out in European Commission Decision 2021/914, and any amendments or successors to the same.

(i)         “NGS Systems” means any computer, computer network, computer application, imaging device, desktop or laptop computer, mobile computing device, server, equipment, computing environment (including, but not limited to, any development, test, stage, production and/or backup application and computing environment), storage media or software controlled by NGS and its affiliates, subsidiaries, and parent entities, or a third party acting on behalf of NGS.

(j)          “Personal Information” means any information or combination of information that Lindblad (or any of its Other Providers) Processes in connection with the Services, that refers to, is related to, is associated with, or can be reasonably linked to, an identified or identifiable individual (a “Data Subject”) or to a specific computing device, and shall include, but is not limited to, all “personal data,” “personal information,” or similar terms, as defined in any Data Protection Laws.

(k)         “Process” or “Processing” means any operation or set of operations that is performed upon Confidential Information, whether or not by automatic means, such as collection, using, accessing, recording, reproducing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, evaluation or control, modification, blocking, restriction, erasure or destruction, or classification.

(l)         “Security Incident” means any known or reasonably suspected (i) loss or misuse, any unauthorized access, acquisition, use, disclosure, destruction, deletion, modification, or any other compromise, of Confidential Information; or (ii) other act or omission that compromises, or could compromise, the privacy, security, confidentiality, availability, or integrity of any Confidential Information or the proper functioning of NGS’s network resources.

2.         Processing of Personal Information by Lindblad and Lindblad’s Other Providers.

When Lindblad or Other Provider Processes Personal Information under the Agreement, Lindblad represents, warrants, and covenants both for itself and on behalf of each such Other Provider, that it shall:

(a)         acquire all necessary consents, waivers, disclosures, authorizations, notifications and approvals, as required by applicable law to the extent necessary to transfer, disclose, or share Personal Information with NGS pursuant to this Agreement or any Other Provider or third party;          

(b)         comply with all Data Protection Laws when Processing Personal Information, and shall not intentionally take any actions or intentionally fail to take any actions that would cause Lindblad , an Other Provider, or NGS to be in violation of Data Protection Laws;

(c)         Process Personal Information solely for the provision of the Services and/or otherwise on the documented instructions of NGS (acting on its own behalf or on behalf of an Affiliate, as applicable), which instructions may be specific or of a general nature as set forth in the Agreement, in any related statement of work or order form, as part of any configuration of the Services, or in a separate writing, unless Lindblad is required to Process Personal Information pursuant to Data Protection Laws. In the event Lindblad is required by Data Protection Laws to Process Personal Information, Lindblad shall provide prior written notice to NGS of such legal requirement, unless prohibited by such Data Protection Laws;

(d)          [Intentionally Omitted.]

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 5 of 11

(e)         not disclose any Personal Information to any third party, for any reason, whatsoever, unless such disclosure is: (1) to Other Provider, as necessary for the performance of the Services as required by the Agreement, if applicable, provided that Lindblad and Other Provider comply in all respects with Section 2(e) below; or (2) required by Data Protection Laws;

(f)         disclose, enable Processing of, or otherwise make accessible any Personal Information to Other Provider only under the following conditions: (1) Lindblad shall be responsible for all acts and omissions of the Other Provider; and (2) Lindblad agrees that it shall require each of its Other Providers, as a condition of performing work under the Agreement, to enter into a written agreement with Lindblad that contains obligations of confidentiality, security, and privacy at least as strict as those contained in the Agreement. Lindblad further agrees that it shall (x) conduct due diligence sufficient to ensure that each Other Provider (A) is competent to perform the Services subcontracted to it in conformance with the standards of the Agreement and (B) has adopted and can adequately implement comprehensive written protocols to carry out the obligations of confidentiality, security, and privacy required by the Agreement; (y) closely monitor all work by each Other Provider for compliance with the Agreement; and (z) prevent Other Providers from further assigning or subcontracting any part of their work without prior express written consent;

(g)         promptly, and in no event later than forty-eight (48) hours of such request, notify NGS if it receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including the right of access, right to rectification, right to restrict Processing, right to erasure (“right to be forgotten”), right to data portability, or right to object to the Processing, (collectively, a “Data Subject Request”). Lindblad shall provide to NGS, in writing (email shall suffice), all details surrounding such Data Subject Request. Further, Lindblad shall fully cooperate as requested by NGS to enable NGS to comply with any Data Subject Request;

(h)         [Intentionally Omitted.]

(i)         ensure that all Lindblad or Other Provider personnel engaged in Processing of Personal Information (1) Process Personal Information only as set forth in the Agreement and (2) have committed themselves to maintaining the confidentiality of Personal Information or are under an appropriate legal obligation of confidentiality;

(j)         provide assistance to NGS so that NGS may comply with its obligations under Data Protection Laws in connection with the Services provided under the Agreement, including, but not limited to, any assistance that Lindblad deems necessary to fulfill Data Subjects Requests;          

(k)         to the extent permitted by applicable law, make available to NGS all information necessary to demonstrate compliance with Data Protection Laws, including (1) allowing for and facilitating audits and inspections of Lindblad and Other Provider facilities conducted by NGS or NGS’s authorized representatives; (2) permitting NGS to regularly test Lindblad’s compliance with the security requirements under the Agreement, including, without limitation, testing security configurations (e.g., server parameters, security settings, and control environment) and network perimeter controls; and (3) providing NGS with accurate books and records (including, without limitation, all policies, procedures, papers, correspondence, data, information, reports, records, receipts, files, and other sources of information) consistent with generally accepted practices regarding Lindblad’s performance under the Agreement. Lindblad shall, at its own cost, make any changes reasonably requested by NGS to correct any compliance failures discovered during such audits, inspections, or tests;

(l)         maintain records of its Processing activities under the Agreement, which will include, without limitation, the name or title of Lindblad personnel who access Personal Information, the categories of Personal Information Processed on behalf of NGS, a description of any international data transfers conducted on behalf of NGS (including a list of any countries to which Personal Information has been transferred), a general description of the technical and organizational measures used to safeguard Personal Information, and any other information required by Data Protection Laws;

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 6 of 11

(m)         be directly liable (without seeking reimbursement or indemnification from NGS) to any Data Subject who has suffered damage as a result of Lindblad’s or Other Provider’s violation of the terms of this Exhibit or any violation by Lindblad or Other Provider of Data Protection Laws; and

(n)         limit any disclosure of Personal Information to those of its personnel and Other Providers who have a need to know the information to effect the use permitted herein, and keep a record of such disclosures.

3.         Security Practices/Information Security Program.

(a)    Lindblad shall implement, comply with, and maintain industry leading security procedures, technical measures, and practices (including, if applicable, adherence to any code of conduct approved by relevant government authorities), appropriate to the nature of the information, in connection with any Confidential Information that is Processed in connection with the Services. Such measures shall include, at a minimum, establishing, implementing and at all times complying with and maintaining a comprehensive, written information security program consistent with, and applying protective security measures at least as stringent as, the most protective standards set forth in (i) generally accepted technical industry standards (e.g., ISO/IEC 27001) and (ii) any applicable laws, including Data Protection Laws (the “Information Security Program”). The parties acknowledge that Lindblad is currently in the process of working towards reaching an ISO 27001 security standard.

(b)    The Information Security Program shall contain the following:

(i)         an organizational information security governance structure that is maintained in writing and that contains (1) comprehensive practices and procedures that address the entire organizational process, both physical and technical, and that ensure ongoing adherence to applicable laws, including Data Protection Laws, with accountability at the highest levels of senior management and executive staff; (2) training on the Information Security Program, on at least an annual basis, for all personnel and relevant Other Providers involved in Processing Personal Information; and (3) appropriate disciplinary measures for non-compliance with the Information Security Program;

(ii)         administrative, logical, technical, and physical controls, including anonymization, pseudonymization, and/or encryption of Personal Information, that Lindblad utilizes to: (1) monitor for, identify, assess, test, evaluate, and effectively protect against, internal and external risks to the security, confidentiality, and/or integrity of Confidential Information, or to the legal rights of Data Subjects; or (2) ensure the security of Lindblad’s Processing systems and services, with regular evaluation and testing of, and where appropriate, improvements to, the effectiveness of such controls; and

(iii)         detective and corrective controls that are designed to promptly recognize, escalate, and respond to Security Incidents and other incidents that threaten the security, availability, confidentiality, and/or integrity of Confidential Information, as well as minimize adverse impacts of such Security Incidents; facilitate the gathering of forensic evidence; restore the security, availability, confidentiality, and/or integrity of Confidential Information; and make systematic improvements to Lindblad’s management of data security risks as a consequence of any such incident.

(c)         Lindblad shall implement, maintain, comply with, and enforce its Information Security Program at each location from which Lindblad, or any of Lindblad’s Other Providers, provides any part of the Services or from which access is possible to Confidential Information or the systems on which Confidential Information is Processed. In addition, Lindblad shall ensure that its Information Security Program covers all networks, systems, servers, computers, mobile phones, and other devices and media that Process Confidential Information or provide access to NG Systems. Lindblad shall publish and communicate its Information Security Program to all personnel and relevant Other Providers on at least an annual basis.

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 7 of 11

4.         Data Transfer Requirements.

(a)         [Intentionally Omitted.]

(b)         [Intentionally Omitted.]

(c)         In the event that any Data Protection Laws that become effective after the Effective Date impose restrictions on the cross-border transfer of Personal Information that are not contemplated herein, the parties agree to meet in good faith to complete any formalities and enter into any documents as may be required by such Data Protection Laws.

5.         Obligations Regarding Security Incident. In the event of a Security Incident, including an intrusion into, interference with, penetration of, unauthorized access to, or other compromise of, Lindblad’s or its Other Provider’s network, computer resources, or electronic or other media on which Confidential Information is Processed or from which Confidential Information may be accessed, Lindblad shall promptly and without undue delay (and in no event later than forty-eight (48) hours after a Security Incident) inform NGS of such Security Incident by contacting the Disney IT Support Center at ###-###-####, or at ***@***. Such notice from Lindblad shall include, to the extent available, the categories and approximate number of Data Subjects and records containing Personal Information concerned, shall describe the remediation measures implemented by Lindblad to resolve the Security Incident, and shall identify a point of contact at Lindblad for any NGS or any affiliate or parent entity inquiry regarding the Security Incident. Such notice shall be timely supplemented to the level of detail reasonably requested by NGS, inclusive of investigative or forensic reports. Lindblad shall provide NGS with the name and contact information of its data protection officer, if required by Data Protection Law. Lindblad also shall cooperate with NGS, and its applicable service providers, in the investigation and remediation of any Security Incident. Under no circumstances, other than as required by Data Protection Law, shall Lindblad send notice concerning a Security Incident to any third party (other than Other Providers engaged for cyber security or other data protection), including, without limitation, government authorities and affected Data Subjects, without NGS’s prior written approval. Further, unless prohibited or otherwise prescribed by Data Protection Laws, Lindblad shall reasonably confer with NGS as to whether to notify any third party of the Security Incident, to determine the content of any such notice, and to determine the nature and extent of any remediation offered to any Data Subject; however, if the parties cannot reasonably agree on any such aspects, then NGS shall have final decision-making authority related to any notification that directly affects NGS’s customers, unless prohibited or otherwise prescribed by Data Protection Laws or other applicable laws. Lindblad shall promptly investigate the Security Incident, at its cost and expense, and shall provide NGS with the results of that investigation as soon as they are available. In the event of legal action brought by NGS against a third party in connection with a Security Incident, Lindblad agrees that it shall cooperate and provide such assistance as may be reasonably necessary to enable NGS or any affiliate or parent entity to successfully prosecute such legal action. Without limiting any other remedy in the Agreement, Lindblad shall reimburse, indemnify, and hold NGS harmless for all reasonable investigation, remediation (including the cost of notice to Data Subjects and/or government officials, daily credit monitoring, access to credit reports, and identity theft services), forensic and legal costs (including, but not limited to, attorney’s fees) and any related damages, losses, judgments, settlements, liabilities, awards, fines, penalties, costs and expenses incurred by NGS in connection with a Security Incident within thirty (30) days following receipt from NGS of an invoice for the same, and Lindblad further stipulates and agrees that each of the foregoing shall be deemed direct damages.

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 8 of 11

6.         Security Audits. On or before execution of the Agreement and annually thereafter during the Term, Lindblad shall (a) cause a reputable independent third-party audit firm to conduct Type II SOC1 and SOC2 audits under the SSAE 18 standard or any successor standard (“SSAE Audits”) of Lindblad, its Other Providers, and its and their dedicated data Processing environments, which includes servers supported by any necessary equipment or software, that are used to deliver the Services (“Data Centers”), and (b) provide to NGS the audit reports resulting therefrom (“SSAE Reports”). The SSAE Reports shall describe the security control policies and procedures, including a statement on the operating effectiveness of those policies and procedures and remediation plans for any significant or material deficiencies, of Lindblad and its Data Centers. The audit firm shall determine whether the controls currently in place meet industry best practices such as ISO/IEC 27001. Lindblad shall respond promptly to all of NGS’s questions and concerns with respect to the SSAE Reports. Lindblad shall be responsible for promptly remediating, at its cost, all failures, deficiencies, and risks identified in the SSAE Reports.

7.         Security Reviews. On or before execution of the Agreement and annually thereafter during the Term, NGS may, in its discretion and cost, inspect and audit Lindblad’s compliance with the Agreement and applicable laws, including Data Protection Laws, and including but not limited to its Information Security Program and any facilities or systems used by Lindblad to provide the Services. Such inspections and audits may, at NGS’s option, be conducted on-site by NGS or NGS affiliates’ personnel or NGS’s contracted third-party assessors. On-site inspections and audits will be conducted upon reasonable prior notice by NGS.

8.         Retention of Confidential Information. During the Term of the Agreement, and subject to Lindblad’s retention obligations under applicable laws, including Data Protection Laws, Lindblad shall adhere to NGS’s reasonable instructions with regard to retention (including, without limitation, deletion) of Confidential Information Processed pursuant to the Agreement. Further, and subject to Lindblad’s retention obligations under applicable laws, including Data Protection Laws, Lindblad shall, and shall cause its Other Providers to, immediately securely destroy (by making unreadable, unreconstructable, and indecipherable) any or all Confidential Information (including, without limitation, all electronic copies on hard drives, backup media, portable devices, optical, magnetic, or other storage media, as well as hard copies) upon the earlier to occur of the following: (a) termination or expiration of the Agreement or any applicable statement of work for any reason; or (b) cessation of Lindblad’s need to retain such Confidential Information to perform the Services. Lindblad shall certify in writing that such destruction has been completed. If NGS requests return or transfer of all or a portion of such Confidential Information prior to the destruction described above, Lindblad shall promptly return to NGS all such Confidential Information, through a secure method designated by NGS, or shall promptly transfer such Confidential Information to NGS’s designee, in accordance with the instructions of, and using the secure method prescribed by, NGS, following NGS’s written demand therefor at the sole cost of Lindblad. In either event, Lindblad shall promptly provide NGS with a certification by an officer of Lindblad that all Confidential Information has been removed from Lindblad’s and any Other Provider’s possession and/or control.

9.         Survival. Lindblad’s data protection obligations in the Agreement, including its obligations under this Exhibit H, shall continue for so long as Lindblad, or any of Lindblad’s Other Providers, continues to Process Personal Information, even if all agreements between Lindblad and NGS have expired or been terminated.

10.       Certification. By executing the Agreement, Lindblad certifies that it understands the restrictions on Lindblad’s Processing of any Personal Information under the Agreement.

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 9 of 11

Attachment 1 to Exhibit H

Description of Processing of Personal Information

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 10 of 11

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 11 of 11