Data Protection Agreement
1. DEFINITIONS
The following terms in this data processor agreement shall have the following meaning:

| Term | Meaning |
|---|---|
| "Data Controller" | means [Customer/supplier of Btwentyfour], i.e. the legal entity which, under this data processor agreement, determines the purposes and means of the processing of personal data; |
| "Data Processor" | means [Btwentyfour AG], i.e. the legal entity processing personal data on behalf of the data controller under this data processor agreement; |
| "personal data" | means any information relating to an identified or identifiable natural person, that is processed within the terms of the Service Agreement. |
| "process" | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| "Service Agreement" | means the agreement which specifies the terms of the services Btwentyfour AG has agreed to perform in relation to the Data Controller. |
2. PROCESSING OF PERSONAL DATA
2.1 For processing of personal data under this data processor agreement, the Data Controller shall be considered as data controller and Data Processor as data processor.
2.2 Data Processor undertakes to only process personal data in accordance with instructions from the Data Controller. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set forth in this data processor agreement and in Appendix 1.
2.3 The Data Controller confirms that, except for any written instruction provided in specific cases according to clause 2.4, the obligations of Data Processor set out in this data processor agreement, including Appendix 1, constitute the full and complete instructions to be carried out by Data Processor as data processor. Any changes to the Data Controller’s instructions shall be negotiated separately and, to be valid, documented in writing and duly signed by both parties.
2.4 The Data Processor shall, to the extent required under applicable data protection laws and in accordance with the Data Controller’s written instruction in each case, assist the Data Controller in fulfilling its legal obligations under such laws, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject's rights to information regarding processing of their personal data.
2.5 The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction provided under this data processor agreement infringes applicable data protection laws.
2.6 If data subjects, competent authorities or any other third parties request information from Data Processor regarding the processing of personal data, Data Processor shall refer such request to the Data Controller. Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose personal data or any other information relating to the processing of personal data to any third party. In the event Data Processor, according to applicable laws and regulations, is required to disclose personal data that Data Processor processes on behalf of the Data Controller, Data Processor shall be obliged to inform the Data Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.
3. SUB-PROCESSORS
3.1 The Data Processor may engage sub-processors inside and outside of the European Union and may transfer personal data outside of the EU without prior written consent from the Data Controller. Data Processor shall ensure that sub-processors are bound by written agreements that require them to comply with data processing obligations corresponding to those contained in this data processor agreement. If personal data is transferred outside the European Union, Data Processor shall ensure that legal grounds under applicable data privacy laws for such transfers exist, for example EU model clauses.
3.2 If the Data Processor intends to engage a new sub-processor that will process personal data covered by this data processor agreement, the Data Processor shall, prior to such engagement, immediately inform the Data Controller thereof, allowing the Data Controller to object. The Data Processor shall provide the Data Controller with any information reasonably requested by the Data Controller to enable the Data Controller to assess whether the use of the proposed sub-processor will ensure the Data Controller’s compliance with this data processor agreement and applicable data privacy legislation. If, in the Data Controller’s reasonable opinion, such compliance will not be enabled through the proposed new sub-processor, the Data Processor shall not be entitled to use the sub-processor for the purpose of this data processor agreement.
4. INFORMATION SECURITY AND CONFIDENTIALITY
4.1 Data Processor shall be obliged to take appropriate technical and organizational measures to protect the personal data which is processed. The measures shall result in a level of security which is appropriate taking into consideration:
(i) existing technical possibilities;
(ii) the costs for carrying out the measures;
(iii) the particular risks associated with the processing of personal data; and
(iv) the sensitivity of the personal data which is processed.
4.2 Data Processor shall maintain adequate security for the personal data. Data Processor shall protect the personal data against destruction, modification, unlawful dissemination, or unlawful access. The personal data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by Data Processor shall include as appropriate:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
4.3 Data Processor shall notify the Data Controller of any accidental or unauthorized access to personal data or any other security incidents (personal data breach) immediately upon becoming aware of such incidents. The notification shall at least:
a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.4 The Data Processor undertakes not to, without the Data Controller’s prior written consent, disclose or otherwise make personal data processed under this data processor agreement available to any third party, except for sub-processors engaged in accordance with this data processor agreement.
4.5 The Data Processor shall be obliged to ensure that only such staff as directly requires access to personal data in order to fulfill the Data Processor’s obligations in accordance with this data processor agreement have access to such information. The Data Processor shall ensure such staff is bound by a confidentiality obligation concerning this information to the same extent as the Data Processor in accordance with this data processor agreement.
4.6 The duties of confidentiality set forth in this section 4 shall survive the expiry or termination of the data processor agreement.
5. AUDIT RIGHTS
The Data Controller shall be entitled, in its capacity as the data controller, to take measures necessary to verify that Data Processor is able to comply with its obligations under this data processor agreement, and that Data Processor has in fact undertaken the measures to ensure such compliance. Data Processor undertakes to make available to the Data Controller all information and all assistance necessary to demonstrate compliance with the obligations laid down in this data processor agreement and allow for and contribute to audits, including on-site inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
6. TERM
The provisions in this data processor agreement shall apply during such time that Data Processor processes personal data in respect of which the Data Controller is the data controller.
7. MEASURES UPON COMPLETION OF PROCESSING OF PERSONAL DATA
7.1 Upon expiry of this data processor agreement, the Data Processor will, if not instructed otherwise in writing by the Data Controller, erase any personal data processed under this data processor agreement, 90 days after the expiry date.
7.2 Upon request by the Data Controller, Data Processor shall provide a written notice of the measures taken regarding the personal data upon the completion of the processing.
8. COMPENSATION
8.1 Data Processor shall be entitled to compensation on a time and material basis, applying Data Processor’s hourly rates applicable at the time, for the processing of personal data under clauses 2.4, 2.6, 5 and 7 of this data processing agreement.
Appendix 1
Data processing instructions

| Item | Instruction | Specification |
|---|---|---|
| Purposes | Please specify all purposes for which the personal data will be processed by Data Processor | Account information in order to access and use the system. |
| Categories of data | Please specify the personal data that will be processed by Data Processor | First name, last name, email, password (encrypted) |
| Categories of Data Subjects | Please specify the categories of Data Subjects whose personal data will be Processed by Data Processor | Users of the system. |
| Processing Operations | Please specify all processing activities to be conducted by Data Processor | Personal data will be processed during authentication and authorization into the system. In addition, email addresses will be used for communicating with the end user. |
| Location of Processing Operations | Please specify all locations where the personal data will be processed by Data Processor | Inside the European Union. |
Version March 1st, 2026