Data Processing Agreement
Last Updated: March 13, 2025
TABLE OF CONTENTS
1 Definitions
2 Scope, Roles, and Nature of Processing
2.1 Roles of the Parties
2.2 Details of Processing
2.3 Customer's Obligations
2.4 Processor's Processing of Personal Data
2.5 Sensitive Data
2.6 CCPA — No Sale or Sharing of Personal Information
2.7 Anonymisation and Aggregation
2.8 Service Metadata Processing
3 Processing Instructions
4 Confidentiality of Processing
5 Security of Processing
5.1 Technical and Organisational Measures
5.2 Access Controls and Authorisation
5.3 Incident Management
5.4 Security Certifications and Compliance
5.5 Government and Law Enforcement Access Requests
6 Sub-Processors
6.1 Appointment and General Authorisation
6.2 Sub-Processor List and Notification
6.3 Objection Rights
6.4 Sub-Processor Contractual Obligations
7 Data Subject Rights
8 Assistance with Compliance Obligations
8.1 Security Obligations — GDPR Article 32
8.2 Data Protection Impact Assessments
8.3 Prior Consultation
9 Data Incident Management and Notification
9.1 Incident Notification Obligations
9.2 Incident Response and Cooperation
9.3 Customer Disclosure Restrictions
10 International Data Transfers and Cross-Border Transfers
10.1 Adequacy Decisions
10.2 EEA, Switzerland, and UK Direct Transfers
10.3 Onward Sub-Processor Transfers
10.4 Transfers from Other Jurisdictions
10.5 Additional Safeguards
11 Records of Processing Activities
12 Audits and Inspections
13 Return and Deletion of Personal Data
14 Authorised Affiliates
14.1 Contractual Relationship
14.2 Communication
15 Liability and Indemnification
16 Term and Termination
17 Governing Law and Dispute Resolution
18 Modifications and Amendments
19 General Provisions
19.1 Order of Precedence
19.2 Severability
19.3 Entire Agreement
19.4 Waiver
19.5 Counterparts and Electronic Execution
20 Execution and Signatures
SCHEDULES / ANNEXES
Schedule 1 Details of Processing (GDPR Annex I)
Schedule 2 Technical and Organisational Measures (GDPR Annex II)
Schedule 3 List of Sub-Processors (GDPR Annex III)
Schedule 4 Standard Contractual Clauses — Applicability Matrix
Schedule 5 Additional Transfer Safeguards
IMPORTANT — PLEASE READ CAREFULLY: This Data Processing Agreement is a legally binding agreement. By executing a Master Service Agreement, accepting an Order Form, clicking 'I Agree', or otherwise accessing the Services, Customer represents and warrants that it has full authority to bind the Customer entity to these terms. If you do not agree to be bound by this DPA, do not provide Personal Data to Uonyx and do not access or use the Services.
INCORPORATION INTO GOVERNING AGREEMENT
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Master Service Agreement, subscription agreement, order form, or other written agreement (collectively, the "Agreement") entered into between the Customer and Uonyx governing the Customer's access to and use of the Services. Where a Customer subscribes to the Services through Uonyx's online Terms of Service or other click-through or electronic agreement, this DPA forms part of and is incorporated into such Terms of Service.
In the event of any conflict or inconsistency between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data. Capitalised terms not defined in this DPA have the meanings given to them in the Agreement.
THIS DATA PROCESSING AGREEMENT is entered into by and between:
Uonyx, a corporation incorporated under the laws of the State of California, United States of America, with its principal place of business at 7421 Edinger Ave, Huntington Beach, CA 92647, United States ("Uonyx" or "Processor");
AND
The entity identified as the "Customer" in the Agreement or, where Customer accesses the Services through Uonyx's online Terms of Service, the entity that accepted such Terms of Service (hereinafter referred to as the "Controller" or "Customer").
Uonyx and Customer are each hereinafter referred to as a "Party" and collectively as the "Parties".
WHEREAS:
- Uonyx provides an AI-powered multi-tenant enterprise resource planning software-as-a-service platform (the "Services") that enables Customer to manage business operations including, without limitation, customer relationship management, accounting and financial management, human resources and payroll, inventory and procurement, project and task management, customer support, document management, advanced analytics, and AI-powered automation;
- In connection with the provision of the Services, Uonyx processes Personal Data on behalf of Customer, as Customer's Processor, pursuant to Customer's documented instructions;
- This DPA is incorporated into the Agreement and governs all Processing of Personal Data by Uonyx on behalf of Customer, and applies equally to enterprise customers contracting under a Master Service Agreement and to self-serve customers contracting under Uonyx's online Terms of Service; and
- The Parties wish to reflect their agreement with regard to such Processing in accordance with applicable Data Protection Laws, including the GDPR, UK GDPR, Swiss revFADP, CCPA/CPRA, and other applicable privacy regulations.
NOW THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. DEFINITIONS
The following defined terms shall have the meanings set forth below throughout this DPA. Additional defined terms may appear in other sections of this DPA and shall have the meanings ascribed to them in such sections. All other capitalised terms used but not defined herein shall have the meanings assigned to them in the MSA.
| Defined Term | Definition |
|---|---|
| "Adequacy Decision" | An adequacy decision, adequacy regulation, or equivalent determination made by a competent regulatory authority (including the European Commission, the UK Secretary of State, or the Swiss Federal Council) finding that a third country, territory, or sector ensures an adequate level of protection for Personal Data, including the EU-US Data Privacy Framework (Commission Decision of 10 July 2023). |
| "Affiliate" | Any entity that directly or indirectly controls, is controlled by, or is under common control with a Party. "Control" for purposes of this definition means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity. |
| "Authorised Affiliate" | Any Affiliate of Customer that is explicitly permitted to use the Services pursuant to the MSA between Customer and Uonyx but has not separately signed its own agreement with Uonyx and is not itself a "Customer" as defined in the MSA. |
| "CCPA" | The California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (CPRA), together with all implementing regulations issued thereunder, as may be further amended or superseded from time to time. |
| "Controller" | The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Within this DPA, Customer is the Controller. Where the CCPA applies, "Controller" shall also mean "Business" as defined therein. |
| "Data Incident" | Any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data Processed by Uonyx on behalf of Customer in connection with the Services, as further described in Section 9. |
| "Data Protection Laws" | All applicable and legally binding laws, regulations, directives, regulatory requirements, and binding guidance relating to privacy, data protection, and the Processing of Personal Data applicable to, and in force at the time of, the Processing of Personal Data under this DPA, including without limitation: (i) the GDPR; (ii) the UK GDPR and the UK Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection (revFADP, as revised effective 1 September 2023); (iv) the CCPA/CPRA; (v) the Brazilian Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018); (vi) Canadian PIPEDA and applicable provincial privacy legislation; (vii) the Australian Privacy Act 1988 (Cth); (viii) any other applicable national or regional data protection legislation; and (ix) all binding regulatory guidance, codes of conduct, and decisions of competent Supervisory Authorities issued thereunder, each as may be amended, replaced, or supplemented from time to time. |
| "Data Subject" | An identified or identifiable natural person to whom Personal Data relates, as defined in applicable Data Protection Laws. |
| "Data Subject Request" | A request from a Data Subject or Consumer to exercise any right afforded to them under applicable Data Protection Laws, including without limitation rights of: access; rectification or correction; erasure or deletion ("right to be forgotten"); restriction of Processing; data portability; objection to Processing; not to be subject to automated individual decision-making; opt-out of the sale or sharing of Personal Information (under the CCPA); and non-discrimination. |
| "EEA" | The European Economic Area, comprising the member states of the European Union together with Iceland, Norway, and Liechtenstein. |
| "GDPR" | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). |
| "MSA" / "Agreement" | The Master Service Agreement, subscription agreement, order form, terms of service, or other written or electronic agreement entered into between Customer and Uonyx governing Customer's access to and use of the Services, into which this DPA is incorporated. Where Customer accesses the Services through Uonyx's online Terms of Service or other click-through agreement, references to "MSA" or "Agreement" herein shall refer to such Terms of Service. |
| "Personal Data" / "Personal Information" | Any information relating to an identified or identifiable natural person or Consumer that is Processed by Uonyx solely on behalf of Customer in connection with the provision of the Services under this DPA and the MSA. "Personal Data" has the same meaning as "Personal Information" where the CCPA applies. |
| "Processing" | Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction. |
| "Processor" | The natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Controller. Within this DPA, Uonyx is the Processor. Where the CCPA applies, "Processor" shall also mean "Service Provider" as defined therein. |
| "Records of Processing Activities" | Written records of Processing activities maintained by Uonyx as Processor pursuant to Article 30(2) of the GDPR and equivalent provisions of applicable Data Protection Laws. |
| "Security Documentation" | The technical and organisational security documentation setting forth the security measures adopted by Uonyx that are applicable to the Processing of Personal Data, accessible at https://uonyx.com/legal/security, as updated from time to time and otherwise made reasonably available to Customer by Uonyx. |
| "Sensitive Data" | Personal Data subject to enhanced protection under applicable Data Protection Laws, including: (i) "special categories of personal data" as defined in Article 9 of the GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation data); (ii) criminal conviction and offence data (Article 10 GDPR); (iii) government-issued identifiers (social security numbers, passport numbers, tax file numbers); (iv) financial account credentials, credit or debit card numbers; (v) Personal Data of children under applicable minimum age thresholds; (vi) account passwords in unhashed form; and (vii) any other Personal Data that is subject to enhanced protection under applicable Data Protection Laws. |
| "Services" | The Uonyx AI-powered cloud-based multi-tenant ERP SaaS platform and all associated products, modules, features, APIs, tools, and ancillary or supplementary services (including any upgrades thereto) provided to Customer by Uonyx under the MSA, as may be updated from time to time. |
| "Standard Contractual Clauses" / "SCCs" | (a) In respect of transfers of Personal Data subject to the GDPR: the Standard Contractual Clauses between controllers and processors (Module 2) and between processors and sub-processors (Module 3), as adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes thereto ("EU SCCs"); (b) in respect of transfers of Personal Data subject to the UK GDPR: the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (version B.1.0 of 21 March 2022) ("UK IDTA" or "UK Addendum"); and (c) in respect of transfers subject to the Swiss revFADP: the terms set forth in the applicable annex to the EU SCCs as recognised by the Swiss Federal Data Protection and Information Commissioner ("Switzerland Addendum"), each as may be replaced or amended from time to time. |
| "Sub-Processor" | Any third party (including Uonyx Affiliates) engaged by Uonyx to carry out specific Processing activities of Personal Data on behalf of Customer under the instruction of Uonyx. |
| "Supervisory Authority" | An independent public authority competent to supervise compliance with applicable Data Protection Laws, including a data protection authority established pursuant to Article 51 of the GDPR and any equivalent regulatory body under other applicable Data Protection Laws. |
| "UK GDPR" | The retained EU law version of the GDPR, as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419), together with the UK Data Protection Act 2018. |
2. SCOPE, ROLES, AND NATURE OF PROCESSING
2.1 Roles of the Parties
2.1.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data by Uonyx in connection with the provision of the Services: (a) Customer is the Controller of Personal Data, in that Customer determines the purposes and means of the Processing; and (b) Uonyx is the Processor of such Personal Data, in that Uonyx Processes Personal Data on behalf of Customer solely in accordance with Customer's documented instructions and the terms of this DPA. The terms 'Controller' and 'Processor' as used throughout this DPA shall signify Customer and Uonyx, respectively.
2.1.2 To the extent the CCPA applies, within this DPA: 'Controller' shall also be interpreted to mean 'Business' as defined under the CCPA; and 'Processor' shall also be interpreted to mean 'Service Provider' as defined under the CCPA. References to Processor's Sub-Processors shall correspondingly refer to the concept of Service Provider under the CCPA.
2.1.3 Each Party shall be individually responsible for ensuring its own compliance with applicable Data Protection Laws in the performance of its respective obligations under this DPA. Notwithstanding any other provision of this DPA, nothing herein shall constitute Uonyx as a Controller of any Personal Data processed on behalf of Customer under this DPA.
2.2 Details of Processing
2.2.1 The subject matter, duration, nature, purpose, type of Personal Data, and categories of Data Subjects applicable to the Processing of Personal Data by Uonyx on behalf of Customer are further specified in Schedule 1 (Details of Processing) to this DPA, which is incorporated herein by reference.
2.2.2 Uonyx processes Personal Data as part of and in connection with providing the Services, which include an AI-powered multi-tenant cloud-based enterprise resource planning platform encompassing, without limitation, the following functional modules: (a) Customer Relationship Management (CRM); (b) Accounting, Finance, and Financial Reporting; (c) Human Resources and Payroll Management; (d) Inventory and Procurement Management; (e) Project and Task Management; (f) Customer Support and Service Management; (g) Document and Content Management; (h) Business Intelligence, Analytics, and Reporting; and (i) AI Automation and AI-Assisted Workflow features.
2.2.3 The nature and scope of Processing activities include the collection, storage, organisation, retrieval, use, disclosure by transmission, and erasure of Personal Data submitted to or generated through the Services by Customer and its Authorised Users in the course of using the platform for legitimate business operations.
2.3 Customer's Obligations
2.3.1 Customer, in its use of the Services and in issuing instructions to Uonyx, shall at all times comply with applicable Data Protection Laws, the terms of the MSA, and the terms of this DPA. Customer acknowledges and agrees that it is solely responsible for:
- establishing, maintaining, and documenting a valid and sufficient legal basis under applicable Data Protection Laws (including Article 6 and, where applicable, Article 9 of the GDPR) for each Processing activity it causes or authorises Uonyx to conduct on its behalf;
- ensuring that it has lawfully collected and is lawfully authorised to transfer or cause to be transferred all Personal Data that it submits to the Services;
- providing all required notices to, and obtaining all required consents from, Data Subjects whose Personal Data is submitted to the Services, to the extent required under applicable Data Protection Laws;
- ensuring that its instructions to Uonyx are at all times lawful, reasonable, and consistent with applicable Data Protection Laws;
- ensuring that any use of the Services by its Authorised Users and Authorised Affiliates complies with the terms of the MSA, this DPA, and applicable Data Protection Laws;
- the accuracy, quality, and legality of the Personal Data submitted to the Services; and
- maintaining its own records of processing activities as required by Article 30(1) of the GDPR and equivalent provisions of applicable Data Protection Laws.
2.3.2 Customer shall promptly notify Uonyx in writing if Customer becomes aware of any instruction or use of the Services that may cause Uonyx to be in breach of applicable Data Protection Laws.
2.4 Processor's Processing of Personal Data
2.4.1 Uonyx shall Process Personal Data exclusively: (a) in accordance with the terms of this DPA and the MSA; (b) in connection with and to the extent necessary for the provision of the Services; (c) in compliance with Customer's reasonable and documented instructions, where such instructions are consistent with the terms of this DPA and the MSA; (d) to facilitate the sharing of Personal Data with Sub-Processors or third parties in accordance with Customer's instructions and/or pursuant to Customer's configuration and use of the Services (including integrations between the Services and third-party applications configured by or on behalf of Customer); (e) to de-identify, pseudonymise, or anonymise Personal Data where directed by Customer or as otherwise contemplated by this DPA; and (f) as required or permitted by applicable laws governing Uonyx, provided that Uonyx shall, to the extent permitted by applicable law, notify Customer of the applicable legal requirement before so Processing.
2.4.2 Uonyx shall promptly inform Customer without undue delay if, in Uonyx's reasonable opinion, an instruction from Customer infringes applicable Data Protection Laws, unless Uonyx is prohibited from notifying Customer under applicable law. It is acknowledged and agreed that Uonyx bears no independent obligation to assess whether each instruction issued by Customer complies with applicable Data Protection Laws. In the event Uonyx notifies Customer that an instruction is potentially unlawful, Uonyx shall be entitled to suspend compliance with such instruction until it is modified to become lawful, and Customer shall modify or withdraw such instruction as appropriate.
2.4.3 Uonyx shall not Process Personal Data for any purpose other than as set out in this DPA and the MSA, including for Uonyx's own commercial purposes, for direct marketing to Data Subjects on Uonyx's own account, or for the benefit of any third party, except as required by law.
2.5 Sensitive Data
2.5.1 The Parties acknowledge and agree that the Services are not designed or intended for the Processing of Sensitive Data, including special categories of personal data as defined in Article 9 of the GDPR, on a systematic or large-scale basis.
2.5.2 If Customer wishes to use the Services to Process Sensitive Data, Customer must: (a) first obtain Uonyx's explicit prior written consent; (b) enter into such additional agreements or execute such addenda as Uonyx may reasonably require; and (c) ensure that a valid and explicit legal basis exists under applicable Data Protection Laws for each category of Sensitive Data to be Processed.
2.5.3 Customer assumes full responsibility and liability for any Sensitive Data uploaded to the Services, including without limitation ensuring that appropriate technical and organisational safeguards, special handling obligations, and enhanced security measures required under applicable Data Protection Laws are in place.
2.6 CCPA — No Sale or Sharing of Personal Information
2.6.1 Uonyx acknowledges and confirms that it does not receive, and shall not receive, any Personal Information as consideration for any services or items provided to Customer under the MSA or this DPA. Uonyx certifies that it understands the rules, requirements, and definitions of the CCPA and agrees to refrain from:
- selling or sharing (as those terms are defined in the CCPA) any Personal Information Processed under this DPA, without Customer's prior written consent or explicit instruction;
- taking any action that would cause any transfer of Personal Information to or from Uonyx under this DPA or the MSA to qualify as a 'sale' or 'sharing' of such Personal Information under the CCPA;
- retaining, using, or disclosing Personal Information outside the direct business relationship between the Parties as described in the MSA, or for any purpose other than the specific Business Purpose of performing the Services or as otherwise permitted by the CCPA;
- combining, by way of logical merger, Personal Information that Uonyx Processes on behalf of Customer with Personal Information Uonyx receives from or Processes on behalf of other parties, unless expressly permitted under the CCPA and this DPA; and
- engaging in any practice that would constitute 'cross-context behavioural advertising' as defined under the CPRA using Customer's Personal Information.
2.6.2 Uonyx acknowledges that Customer discloses Personal Information to Uonyx only for the limited and specified purposes set out in this DPA and the MSA. Uonyx shall Process all Personal Information only for such limited and specific purposes, and in compliance with applicable provisions of the CCPA.
2.6.3 Customer retains the right, upon written notice to Uonyx, to take reasonable and appropriate steps to stop and remediate any unauthorised use of Personal Information by Uonyx. Uonyx shall promptly notify Customer if Uonyx makes a determination that it can no longer meet its obligations under the CCPA in connection with the Services.
2.7 Anonymisation and Aggregation
2.7.1 Subject to Customer's prior written instructions or as contemplated under the MSA, Uonyx may render Personal Data into anonymised or aggregated information that does not identify Customer, any Data Subject, or any individual ('Anonymous Information'). Anonymous Information generated or derived from Personal Data in accordance with this Section 2.7 shall not be considered Personal Data for the purposes of this DPA, and Uonyx may use and disclose such Anonymous Information to improve the Services, develop new features, and for other internal business purposes, provided that such Anonymous Information: (a) cannot reasonably be used to identify any individual or Customer; and (b) is not sold or otherwise disclosed to third parties in a manner that would constitute a 'sale' or 'sharing' under the CCPA.
2.7.2 AI Processing Safeguards. Uonyx shall not use Personal Data to train, fine-tune, or develop any AI or machine learning models that are shared with or made available to third parties, without Customer's prior explicit written consent. AI processing within the Services occurs exclusively to provide the specific features and functions requested by the Customer and its Authorised Users, and for no other purpose. Uonyx may use aggregated, de-identified, and anonymised data (which cannot reasonably be used to identify any individual or Customer) to improve and develop the Services, including AI-powered features. Uonyx shall implement appropriate technical controls to ensure that Customer Data is logically isolated from the training data of any shared or third-party AI models deployed within the Services. Customers who do not wish their anonymised operational metadata to be used for platform improvement purposes may opt out by contacting privacy@uonyx.com.
2.8 Service Metadata Processing
2.8.1 In addition to Personal Data submitted by Customer, Uonyx may process limited operational metadata generated through Customer's and its Authorised Users' use of the Services. Such metadata may include: (a) system and application logs; (b) authentication and access logs; (c) platform usage and feature interaction data; (d) billing and subscription records; and (e) technical support communications and correspondence. Uonyx processes such metadata solely for the following purposes: (i) operating, maintaining, and improving the Services; (ii) detecting and preventing fraud, abuse, and unauthorised access; (iii) security monitoring, incident response, and vulnerability management; (iv) operational analytics for service reliability and performance monitoring; and (v) billing, licensing, and account administration. Uonyx shall not use service metadata for advertising purposes, for the sale of Personal Information as defined under the CCPA, or for any purpose not described in this Section 2.8 or Uonyx's Privacy Policy.
2.8.2 Service metadata of the type described in Section 2.8.1 is not subject to the Data Subject rights provisions of Section 7 of this DPA to the extent such metadata cannot reasonably be used to identify a specific natural person and is processed solely for operational purposes. Where service metadata does constitute Personal Data within the meaning of applicable Data Protection Laws, Uonyx shall process it in accordance with its Privacy Policy (available at https://uonyx.com/legal) and applicable law.
3. PROCESSING INSTRUCTIONS
3.1 Uonyx shall Process Personal Data only on the basis of Customer's documented instructions. Customer's documented instructions are set forth in: (a) this DPA; (b) the MSA and any applicable Order Forms or Statements of Work; and (c) any additional written instructions provided by Customer from time to time in accordance with the procedures established in the MSA or this DPA.
3.2 Customer may issue instructions relating to the manner in which Processing shall be performed. All instructions shall be reasonable, consistent with applicable Data Protection Laws, and shall not require Uonyx to perform Processing activities that are technically impracticable or commercially unreasonable within the scope of the Services.
3.3 Uonyx shall, upon receipt of an instruction from Customer that in Uonyx's reasonable view: (a) falls outside the scope of this DPA or the MSA; (b) would constitute a breach of applicable Data Protection Laws; or (c) is technically impracticable, promptly notify Customer in writing. In such circumstances, Uonyx shall be entitled to decline to execute the instruction pending clarification or modification by Customer and shall not be liable to Customer for any failure to execute such instruction.
3.4 Where Uonyx is required by a law of the European Union, a Member State, the United Kingdom, or any other applicable jurisdiction to Process Personal Data other than in accordance with Customer's instructions, Uonyx shall notify Customer of that requirement before Processing, to the fullest extent permitted by applicable law, to allow Customer to seek appropriate protective measures.
3.5 Nothing in this DPA or the MSA shall prevent Uonyx from Processing Personal Data as required by a court of competent jurisdiction, a Supervisory Authority, or another competent governmental authority, provided that Uonyx uses commercially reasonable efforts to notify Customer in advance of such Processing to the extent not prohibited by applicable law.
4. CONFIDENTIALITY OF PROCESSING
4.1 Uonyx shall ensure that all of its personnel, employees, contractors, agents, and Authorised Affiliates who are engaged in or otherwise have access to the Processing of Personal Data are subject to appropriate and binding confidentiality obligations, either by written contract or applicable statutory obligation, that prohibit them from disclosing Personal Data except as necessary to perform their duties in connection with the Services or as required by applicable law.
4.2 Uonyx shall implement and maintain appropriate access controls to ensure that access to Personal Data within the Uonyx platform and infrastructure is limited on a strict 'need-to-know' and 'least-privilege' basis, and that only those personnel and contractors who require access to Personal Data to fulfil Uonyx's obligations under this DPA and the MSA are granted such access.
4.3 Uonyx shall ensure that any personnel or contractors with access to Personal Data receive appropriate and periodic data protection and information security training commensurate with their role and the sensitivity of the data they access.
4.4 Uonyx's confidentiality obligations under this Section 4 shall survive the termination or expiration of this DPA and the MSA for a period not less than five (5) years, or for such longer period as may be required by applicable law.
4.5 Nothing in this Section 4 shall be construed to restrict Uonyx from disclosing Personal Data to: (a) Uonyx's external legal counsel, auditors, or professional advisers under an obligation of confidentiality; (b) competent courts, Supervisory Authorities, or governmental authorities as required by applicable law; or (c) Sub-Processors appointed in accordance with Section 6 of this DPA.
5. SECURITY OF PROCESSING
5.1 Technical and Organisational Measures
5.1.1 Uonyx shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing, and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, as set out in Schedule 2 (Technical and Organisational Security Measures) to this DPA. Such measures shall be designed to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons posed by the Processing, taking into account: (a) the state of the art; (b) the costs of implementation; (c) the nature, scope, context, and purposes of Processing; and (d) the likelihood and severity of risks to Data Subjects.
5.1.2 The technical and organisational measures implemented by Uonyx as of the Effective Date of this DPA are described in Schedule 2. Uonyx may update or modify such measures from time to time at its reasonable discretion provided that: (a) any such updates or modifications shall not materially reduce the overall level of security afforded to Personal Data; and (b) Uonyx shall notify Customer of any material reduction in security measures in a timely manner.
5.1.3 Uonyx's current Security Documentation is accessible at https://uonyx.com/legal/security. Upon Customer's reasonable written request, Uonyx shall provide Customer with additional information reasonably necessary to verify compliance with the security obligations under this DPA and applicable Data Protection Laws. Security enquiries and vulnerability disclosures may be directed to security@uonyx.com.
5.2 Access Controls and Authorisation
5.2.1 Uonyx shall implement and maintain an access management framework that includes, at a minimum, the following controls with respect to Personal Data:
- Role-based access controls (RBAC) and least-privilege policies, ensuring that access to Personal Data within the Uonyx platform is restricted to authorised personnel and systems with a documented business need;
- Multi-factor authentication (MFA) for all privileged access to production systems containing Personal Data;
- Unique user IDs and strong authentication credentials for all personnel with access to Personal Data;
- Automated and manual access review processes, conducted at least annually, to validate that access rights remain appropriate and to revoke access upon changes in role or employment status; and
- Audit logging of all access to Personal Data by Uonyx personnel, with logs retained in accordance with Uonyx's security policies.
5.3 Incident Management
5.3.1 Uonyx shall maintain a formal information security incident management programme that includes documented procedures for: (a) the detection, reporting, and investigation of actual or suspected security incidents; (b) the classification and prioritisation of incidents by severity; (c) the containment, eradication, and recovery from incidents; (d) post-incident review and root-cause analysis; and (e) notification of Data Incidents to Customer as further described in Section 9 of this DPA.
5.3.2 Uonyx's incident management procedures shall meet the requirements of Article 32 of the GDPR and equivalent provisions of applicable Data Protection Laws, including the obligation to restore availability and access to Personal Data in a timely manner following a physical or technical incident.
5.4 Security Certifications and Compliance
5.4.1 Uonyx maintains, or is actively pursuing, the following industry-recognised information security certifications and compliance frameworks as part of its commitment to enterprise-grade security: (a) SOC 2 Type II — an independent audit of Uonyx's security, availability, and confidentiality controls in accordance with AICPA Trust Services Criteria; and (b) ISO/IEC 27001 — an internationally recognised Information Security Management System (ISMS) certification. Uonyx shall make evidence of its then-current security certifications (including the most recent SOC 2 Type II report summary and ISO 27001 certificate, as applicable) available to Customer upon reasonable written request, subject to execution of a non-disclosure agreement where required.
5.4.2 Uonyx's security posture is also aligned with, but not limited to, the following frameworks: (a) NIST Cybersecurity Framework (CSF); (b) OWASP Application Security Verification Standard (ASVS); and (c) AWS Well-Architected Framework. Uonyx's Security Documentation, accessible at https://uonyx.com/legal/security, describes the current technical and organisational measures in further detail.
5.5 Government and Law Enforcement Access Requests
5.5.1 Uonyx takes the privacy and security of Customer Data seriously and maintains a documented policy for responding to government, regulatory, and law enforcement requests for Customer Data. In the event Uonyx receives a legally binding demand, subpoena, court order, governmental directive, or other compulsory process requiring the disclosure of, access to, or production of Personal Data or Customer Data ('Government Access Request'), Uonyx shall:
- review each Government Access Request for legal validity, scope, and compliance with applicable law before responding or disclosing any Personal Data;
- challenge or seek to limit the scope of any Government Access Request that Uonyx determines to be: (i) unlawful or in excess of the authority of the requesting body; (ii) overbroad or disproportionate to the stated purpose; or (iii) contrary to applicable Data Protection Laws, to the fullest extent permitted by applicable law;
- notify Customer in writing as promptly as practicable prior to disclosing any Personal Data in response to a Government Access Request, unless Uonyx is legally prohibited from providing such notice (for example, by a legal prohibition on disclosure contained in the Government Access Request itself or by applicable law), in which case Uonyx shall: (i) endeavour to obtain a waiver of any such prohibition; and (ii) notify Customer immediately upon expiration or lifting of any such prohibition; and
- limit any disclosure made pursuant to a Government Access Request to the minimum scope of Personal Data required or compelled by applicable law or the relevant order, and shall not disclose Customer Data beyond the scope strictly required by the Government Access Request.
5.5.2 Uonyx shall maintain records of all Government Access Requests received that relate to Customer Data, including the nature of the request, the requesting authority, the scope of data requested, and Uonyx's response. Uonyx shall, to the extent permitted by applicable law, provide Customer with a summary of Government Access Requests received relating to Customer's Personal Data upon written request.
5.5.3 Nothing in this Section 5.5 shall require Uonyx to violate applicable law or to take actions that are prohibited by law, or to expose Uonyx or its personnel to legal liability. Uonyx shall use commercially reasonable efforts to redirect Government Access Requests directly to the Customer where the requesting authority permits such redirection.
6. SUB-PROCESSORS
6.1 Appointment and General Authorisation
6.1.1 Customer acknowledges and agrees that: (a) Uonyx's Affiliates may be engaged as Sub-Processors in connection with the provision of the Services; and (b) Uonyx and Uonyx's Affiliates may engage third-party Sub-Processors to perform specific Processing activities on their behalf in connection with the provision of the Services. By entering into this DPA, Customer grants Uonyx a general written authorisation to engage Sub-Processors as provided in this Section 6.
6.1.2 Uonyx shall remain fully liable to Customer for the acts, omissions, and data protection obligations of its Sub-Processors as if they were acts, omissions, or failures by Uonyx itself, to the extent that Uonyx's liability for such acts or omissions is not limited or excluded under the MSA.
6.2 Sub-Processor List and Notification
6.2.1 A current and complete list of all Sub-Processors engaged by Uonyx to Process Personal Data in connection with the Services as of the Effective Date is provided in Schedule 3 (List of Sub-Processors) to this DPA and at https://uonyx.com/legal/subprocessors (the 'Sub-Processor Page'). By entering into this DPA, Customer grants general written authorisation to Uonyx's engagement of the Sub-Processors listed on the Sub-Processor Page as of the Effective Date.
6.2.2 The Sub-Processor Page offers a notification subscription mechanism by which Customer may subscribe to receive advance notifications of the engagement of new Sub-Processors and the replacement or removal of existing Sub-Processors (each, a 'Sub-Processor Notice'). Customer acknowledges that it shall subscribe to this notification mechanism upon entering into this DPA, and that notifications sent through this mechanism shall constitute sufficient notice by Uonyx of new or changed Sub-Processor engagements.
6.2.3 Uonyx shall provide Customer with advance written notice of not less than fourteen (14) calendar days prior to engaging any new Sub-Processor or making any material change to an existing Sub-Processor arrangement that may affect the Processing of Customer's Personal Data. Such notice shall be provided via the Sub-Processor Page notification mechanism and/or by email to the Customer's designated privacy or data protection contact.
6.2.4 Uonyx maintains a publicly accessible and up-to-date list of Sub-Processors at: https://uonyx.com/legal/subprocessors. This page is updated from time to time to reflect operational changes, including the addition, replacement, or removal of Sub-Processors. The public Sub-Processor page serves as the primary reference for the current list of Sub-Processors and supplements Schedule 3 of this DPA, which reflects the list as of the Effective Date. Customers may contact privacy@uonyx.com at any time to request information regarding Sub-Processors, to subscribe to notifications of changes to the Sub-Processor list, or to raise any questions regarding Uonyx's Sub-Processor arrangements.
6.3 Objection Rights
6.3.1 Upon receipt of a Sub-Processor Notice, Customer may object to Uonyx's engagement of a new or replacement Sub-Processor for legitimate and documented reasons relating to the protection of Personal Data. Any such objection must be submitted in writing to privacy@uonyx.com within seven (7) calendar days of the publication of the relevant Sub-Processor Notice, and must set out in reasonable detail the specific, documented reasons for the objection.
6.3.2 Where Customer fails to object within the period specified in Section 6.3.1, Customer shall be deemed to have accepted the new Sub-Processor.
6.3.3 In the event Customer submits a timely and reasoned objection to a new Sub-Processor, Uonyx will use commercially reasonable efforts to make available to Customer: (a) a change in the configuration or provision of the Services to avoid Processing of Personal Data by the objected-to Sub-Processor; or (b) a commercially reasonable alternative to the objected-to Sub-Processor that is acceptable to Customer. If Uonyx is unable to make available such accommodation within thirty (30) days following receipt of Customer's written objection, Customer may, as its sole and exclusive remedy, terminate the affected Services by providing written notice to Uonyx. Any outstanding amounts due under the MSA prior to the termination date shall remain payable. Pending resolution of the objection, Uonyx may temporarily suspend the Processing of the affected Personal Data.
6.4 Sub-Processor Contractual Obligations
6.4.1 Uonyx shall enter into, or has entered into, a written agreement with each Sub-Processor that imposes data protection obligations on the Sub-Processor that are materially equivalent to those set out in this DPA, including in particular obligations to implement appropriate technical and organisational measures such that the Sub-Processor's Processing will meet the requirements of applicable Data Protection Laws, including Article 28(3) of the GDPR.
6.4.2 For international transfers of Personal Data to Sub-Processors, Uonyx shall ensure that appropriate transfer mechanisms are in place in accordance with Section 10 of this DPA, including, as applicable, the Standard Contractual Clauses (Module 3: Processor to Sub-Processor) pursuant to Commission Implementing Decision (EU) 2021/914.
6.4.3 Where a Sub-Processor fails to fulfil its data protection obligations, Uonyx shall remain responsible to Customer for the performance of the Sub-Processor's data protection obligations to the full extent of Uonyx's own obligations under this DPA.
7. DATA SUBJECT RIGHTS
7.1 If Uonyx receives any Data Subject Request (whether from a Data Subject, Consumer, Supervisory Authority, or other party) relating to Personal Data Processed by Uonyx on behalf of Customer under this DPA, Uonyx shall:
- promptly forward such request to Customer, without undue delay and in any event within five (5) Business Days of receipt;
- refrain from responding directly to the Data Subject or Consumer on Customer's behalf, except as may be expressly instructed by Customer in writing, or as required by applicable law; and
- where applicable, direct the Data Subject or Consumer to Customer or to Customer's account administrator for the handling of the request, or advise them of self-service features available within the Uonyx platform for exercising their data subject rights.
7.2 Taking into account the nature of the Processing and the information available to Uonyx, Uonyx shall provide Customer with all reasonable cooperation and technical assistance to enable Customer to fulfil its obligations to respond to Data Subject Requests within the timescales required by applicable Data Protection Laws, including the ability to:
- access, extract, and provide a portable copy of Personal Data relating to a specific Data Subject;
- restrict or cease the Processing of specific Personal Data;
- correct or rectify inaccurate Personal Data;
- erase or delete Personal Data, subject to Uonyx's retention obligations under applicable law; and
- provide information sufficient to enable Customer to determine what Processing of a Data Subject's Personal Data is taking place within the Services.
7.3 Uonyx shall provide such cooperation and assistance at Customer's reasonable cost and expense, to the extent that such assistance is not already included within the Services as standard features.
7.4 Uonyx shall not charge Customer for reasonable assistance with Data Subject Requests relating to the exercise of rights under GDPR Articles 15–22 where such assistance is necessary to enable Customer to meet its obligations under applicable Data Protection Laws and where such requests are not excessive or manifestly unfounded.
8. ASSISTANCE WITH COMPLIANCE OBLIGATIONS
8.1 Security Obligations — GDPR Article 32
8.1.1 Upon Customer's reasonable written request, Uonyx shall reasonably assist Customer, at Customer's reasonable cost and expense, in ensuring compliance with the security obligations applicable to Customer under Article 32 of the GDPR (and equivalent provisions of applicable Data Protection Laws), taking into account: (a) the nature of the Processing; (b) the information available to Uonyx; and (c) Uonyx's role as Processor.
8.1.2 Such assistance may include, without limitation, providing Customer with access to Uonyx's Security Documentation, assisting with security questionnaires, and providing information reasonably necessary to assess the security of Uonyx's Processing activities.
8.2 Data Protection Impact Assessments (DPIAs)
8.2.1 Upon Customer's reasonable written request and at Customer's cost and expense, Uonyx shall provide Customer with reasonable cooperation and assistance needed to: (a) enable Customer to fulfil its obligations to carry out data protection impact assessments ('DPIAs') under Article 35 of the GDPR or equivalent provisions of applicable Data Protection Laws, related to Customer's use of the Services; and (b) enable Customer to consult with Supervisory Authorities in connection with any DPIA conducted pursuant to Article 36 of the GDPR. Uonyx's obligation to assist is limited to the extent that: (i) Customer does not otherwise have access to the relevant information; and (ii) such information is available to Uonyx.
8.2.2 Uonyx's assistance obligations under this Section 8.2 shall include, where reasonably requested by Customer: (a) providing information about the nature and scope of Uonyx's Processing activities; (b) providing descriptions of the technical and organisational security measures implemented by Uonyx; (c) completing standardised information security questionnaires submitted by Customer or Customer's appointed DPIA consultant; and (d) participating in reasonable consultations relating to risk mitigation measures.
8.3 Prior Consultation with Supervisory Authorities
8.3.1 Where a DPIA conducted by Customer indicates a high residual risk that cannot be mitigated by available measures, and prior consultation with a Supervisory Authority is required under Article 36 of the GDPR or equivalent provisions of applicable Data Protection Laws, Uonyx shall provide Customer, at Customer's reasonable cost, with such assistance and information as may be reasonably required by Customer to satisfy such prior consultation requirements.
8.3.2 Uonyx shall, upon Customer's reasonable request, designate a point of contact to liaise with Customer in connection with any DPIA or prior consultation with a Supervisory Authority.
9. DATA INCIDENT MANAGEMENT AND NOTIFICATION
9.1 Incident Notification Obligations
9.1.1 Uonyx maintains and enforces a formal information security incident management policy and programme. To the extent required under applicable Data Protection Laws (including Article 33 of the GDPR and Section 1798.82 of the CCPA), Uonyx shall notify Customer without undue delay after becoming aware of a Data Incident, and in any event shall use reasonable efforts to provide such notification within seventy-two (72) hours of becoming aware of the Data Incident, to the extent it is technically and operationally practicable to do so. Customer may report suspected Data Incidents to security@uonyx.com. General support enquiries relating to data processing under this DPA may be directed to support@uonyx.com.
9.1.2 Uonyx's notification to Customer regarding a Data Incident shall include, to the extent then available and known:
- a description of the nature of the Data Incident, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records affected;
- the name and contact details of Uonyx's data protection officer or another relevant point of contact from whom more information can be obtained;
- a description of the likely consequences of the Data Incident;
- a description of the measures taken or proposed to be taken by Uonyx to address the Data Incident, including, where appropriate, measures to mitigate its possible adverse effects; and
- where the foregoing information cannot be provided simultaneously, the initial notification shall include information then available, with further details to be provided in subsequent communications as they become available.
9.1.3 Uonyx's notification obligations under Section 9.1.1 shall not apply to any Data Incident: (a) that is caused by the acts or omissions of Customer, its personnel, Authorised Users, or Authorised Affiliates; or (b) that involves only Personal Data for which Uonyx does not act as Processor under this DPA.
9.2 Incident Response and Cooperation
9.2.1 Following a Data Incident, Uonyx shall: (a) make reasonable efforts to identify the root cause of the Data Incident; (b) take such steps as Uonyx deems necessary and reasonable to remediate and/or mitigate the effects of the Data Incident, to the extent that remediation and mitigation are within Uonyx's reasonable control; (c) keep Customer reasonably informed of the status of the Data Incident investigation and remediation; and (d) cooperate reasonably with Customer and competent Supervisory Authorities in the investigation of the Data Incident, to the extent permitted by applicable law.
9.2.2 Customer shall cooperate with and support Uonyx's reasonable investigation and remediation efforts by promptly providing information, resources, and access as may be reasonably requested by Uonyx in connection with the Data Incident.
9.3 Customer Disclosure Restrictions
9.3.1 Customer shall not make, disclose, release, or publish any finding, admission of liability, communication, notice, press release, or report concerning any Data Incident that directly or indirectly identifies Uonyx (including in any legal proceeding or in any notification to a Supervisory Authority or affected individuals) without Uonyx's prior written approval, unless, and solely to the extent that, Customer is legally compelled to do so pursuant to applicable Data Protection Laws.
9.3.2 In the event Customer is legally compelled to make such a disclosure, Customer shall, to the extent permitted by applicable law: (a) provide Uonyx with reasonable prior written notice (and in any event not less than five (5) Business Days' notice where practicable) to allow Uonyx the opportunity to object or seek a protective order; and (b) limit the scope of the disclosure to the minimum required by applicable law.
10. INTERNATIONAL DATA TRANSFERS
10.1 Adequacy Decisions
10.1.1 Personal Data may be transferred from EEA Member States, Norway, Iceland, Liechtenstein (collectively, the 'EEA'), Switzerland, and the United Kingdom ('UK') to countries that have received an applicable Adequacy Decision without the need for any further safeguard under this DPA. For the avoidance of doubt, 'Adequacy Decisions' include the European Commission's adequacy decision of 10 July 2023 establishing the EU-US Data Privacy Framework, the adequacy decision of the UK Secretary of State with respect to the US Data Privacy Framework, and any equivalent Swiss adequacy recognition, as applicable.
10.2 Direct Transfers from the EEA, Switzerland, and the UK
10.2.1 Where the Processing of Personal Data by Uonyx involves a direct transfer of Personal Data by or at the direction of Customer to Uonyx, and such transfer:
- constitutes an EEA Transfer: from the EEA to a country that has not been subject to an applicable Adequacy Decision and that is not otherwise covered by a recognised transfer mechanism adopted by Uonyx (an 'EEA Transfer'), the terms of the EU SCCs (Module 2: Controller to Processor) shall automatically apply and are incorporated herein by reference;
- constitutes a UK Transfer: from the UK to a country that has not been subject to an applicable Adequacy Decision and that is not otherwise covered by a recognised transfer mechanism adopted by Uonyx (a 'UK Transfer'), the terms of the UK IDTA (or, at Uonyx's election, the UK Addendum to the EU SCCs) shall automatically apply and are incorporated herein by reference; or
- constitutes a Switzerland Transfer: from Switzerland to a country that has not been subject to an applicable Adequacy Decision and that is not otherwise covered by a recognised transfer mechanism adopted by Uonyx (a 'Switzerland Transfer'), the terms of the Switzerland Addendum shall automatically apply and are incorporated herein by reference.
10.2.2 For the purposes of the EU SCCs, UK IDTA, and Switzerland Addendum incorporated by this Section 10.2:
- the 'data exporter' is the Customer, as the Controller;
- the 'data importer' is Uonyx, as the Processor;
- the subject matter, nature, purpose, type of Personal Data, and categories of Data Subjects as set out in Schedule 1 shall constitute Annex I.A to the SCCs;
- the technical and organisational measures as set out in Schedule 2 shall constitute Annex II to the SCCs; and
- the List of Sub-Processors set out in Schedule 3 shall constitute Annex III to the SCCs.
10.3 Onward Sub-Processor Transfers
10.3.1 Where Uonyx makes an onward transfer of Personal Data to Sub-Processors located in countries outside the EEA, UK, or Switzerland that are not subject to an Adequacy Decision, Uonyx shall enter into the Standard Contractual Clauses (Module 3: Processor to Sub-Processor) pursuant to Commission Implementing Decision (EU) 2021/914, and/or the applicable UK IDTA or Switzerland Addendum, as applicable, with each such Sub-Processor. Schedule 4 sets out the applicability matrix for SCCs across Uonyx's current Sub-Processor arrangements.
10.4 Transfers from Other Jurisdictions
10.4.1 If Customer's use of the Services involves a transfer of Personal Data from a jurisdiction other than the EEA, UK, or Switzerland, and applicable Data Protection Laws of that jurisdiction mandate a specific compliance mechanism for such transfers, Customer shall promptly notify Uonyx of the applicable legal requirements. The Parties shall cooperate in good faith and, where necessary, execute any additional contractual instruments required to ensure the lawfulness of the relevant transfer.
10.5 Additional Safeguards
10.5.1 Where the Standard Contractual Clauses apply to any EEA Transfer, UK Transfer, or Switzerland Transfer, the additional safeguards described in Schedule 5 (Additional Transfer Safeguards) shall also apply to such transfers. These supplementary measures have been assessed by Uonyx as being necessary to ensure an essentially equivalent level of protection to that provided within the EEA and UK for the applicable data transfers.
10.5.2 Uonyx shall maintain a Transfer Impact Assessment (TIA) in respect of material cross-border data transfers and shall make a summary of such TIA available to Customer upon written request, subject to appropriate confidentiality undertakings.
11. RECORDS OF PROCESSING ACTIVITIES
11.1 In accordance with Article 30(2) of the GDPR and equivalent provisions of applicable Data Protection Laws, Uonyx shall maintain comprehensive Records of Processing Activities with respect to the Processing carried out on behalf of Customer. Such records shall include, at a minimum: (a) Uonyx's name and contact details; (b) the name and contact details of Uonyx's data protection officer; (c) the categories of Processing carried out on behalf of each Controller; (d) details of any transfers of Personal Data to third countries or international organisations; and (e) a general description of the technical and organisational security measures implemented.
11.2 Uonyx shall, upon Customer's reasonable written request and subject to applicable confidentiality obligations, make its Records of Processing Activities available to competent Supervisory Authorities as required by applicable Data Protection Laws.
11.3 Uonyx shall maintain appropriate documentation of its Sub-Processor relationships, including the nature and scope of each Sub-Processor's Processing activities and the applicable transfer mechanisms.
11.4 Customer acknowledges that it is also responsible for maintaining its own records of Processing activities as Controller under Article 30(1) of the GDPR and equivalent provisions of applicable Data Protection Laws.
12. AUDITS AND INSPECTIONS
12.1 Upon Customer's reasonable written request (submitted with not less than fourteen (14) calendar days' prior notice) and at reasonable intervals not exceeding once in any rolling twelve (12) month period (unless otherwise required by applicable Data Protection Laws, a court order, or a Supervisory Authority), Uonyx shall make available to Customer (or Customer's independent, reputable, third-party auditor that: (a) is not a direct competitor of Uonyx; (b) is not in a conflict of interest with Uonyx; and (c) is bound by confidentiality and non-compete undertakings satisfactory to Uonyx) such information as is reasonably necessary to demonstrate Uonyx's compliance with its obligations under this DPA.
12.2 Uonyx may satisfy its obligations under Section 12.1 by:
- responding to Customer's written questionnaire-based audit inquiries;
- providing Customer with access to Uonyx's then-current Security Documentation;
- providing Customer with copies of attestations, certifications (e.g., SOC 2 Type II, ISO 27001), and summaries of audit reports conducted by accredited third-party auditors that are relevant to Uonyx's compliance with this DPA; and
- where none of the foregoing is sufficient, allowing for and contributing to an on-site or remote inspection of Uonyx's relevant systems and processes, subject to the procedural requirements and limitations set out in this Section 12.
12.3 In conducting any audit or inspection under this Section 12, Customer shall ensure that it and each of its mandated auditors: (a) shall not access or review Personal Data belonging to other Uonyx customers; (b) shall treat all information obtained during the audit as Uonyx's confidential information and shall not use it for any purpose other than assessing Uonyx's compliance with this DPA; (c) shall not cause, or where not avoidable shall minimise, any damage, injury, disruption, or interference with Uonyx's operations, premises, equipment, personnel, or business; (d) shall comply with Uonyx's reasonable site access, information security, and operational policies; and (e) shall not access any Uonyx systems or data outside the scope of the agreed audit.
12.4 Customer shall bear its own costs in connection with any audit or inspection, including the fees and expenses of any third-party auditors appointed by Customer. Uonyx reserves the right to charge Customer for Uonyx's reasonable internal costs incurred in connection with facilitating audits under this Section 12, at Uonyx's standard time and materials rates.
12.5 Upon completion of an audit or inspection, Customer shall promptly transfer to Uonyx all records and documentation obtained from Uonyx or generated during the audit, and shall retain only those records that are strictly necessary for Customer's compliance purposes. Customer shall not disclose the outcome or findings of any audit to any third party without Uonyx's prior written approval, unless required to do so by applicable Data Protection Laws or a competent authority.
12.6 The audit rights set forth in this Section 12 shall only apply to the extent not otherwise superseded by or inconsistent with audit rights provided elsewhere in the MSA. To the extent that Standard Contractual Clauses apply, nothing in this Section 12 shall vary or modify the SCCs nor limit any Supervisory Authority's or Data Subject's rights thereunder.
13. RETURN AND DELETION OF PERSONAL DATA
13.1 Following the termination or expiration of the MSA (or cessation of the relevant Services), and subject to any applicable legal obligation to retain Personal Data, Uonyx shall, at Customer's election (communicated through the Uonyx platform interface or by written notice to Uonyx):
- securely delete or destroy all Personal Data Processed by Uonyx on behalf of Customer under this DPA; or
- return to Customer all Personal Data in a commonly used, machine-readable format as specified by Customer, including without limitation: (i) Comma-Separated Values (CSV); (ii) JavaScript Object Notation (JSON); or (iii) via available API export mechanisms as documented in Uonyx's technical documentation at the time of the return request,
in each case within ninety (90) days of the effective date of termination or expiry, unless applicable laws require or permit Uonyx to retain the Personal Data for a longer period, in which case Uonyx shall notify Customer of such obligation and the expected retention period.
13.2 Following the deletion or return of Personal Data pursuant to Section 13.1, and upon Customer's written request, Uonyx shall provide Customer with a written attestation or certificate confirming that all Personal Data (including any copies and backups) has been securely deleted or returned in accordance with this Section 13, subject to any applicable legal retention obligations.
13.3 Data Retention Principles. Uonyx shall not retain Personal Data for longer than is necessary for the purposes set out in this DPA and the MSA. Upon expiration of the applicable retention period, Uonyx shall securely delete or anonymise Personal Data. Notwithstanding the foregoing, Uonyx may retain Personal Data for longer periods where required or permitted by applicable law, including without limitation: (a) compliance with applicable legal, regulatory, tax, or accounting obligations; (b) establishment, exercise, or defence of legal claims; (c) compliance with a governmental, regulatory, or judicial order; or (d) technical retention in system backup and disaster recovery infrastructure in accordance with Uonyx's documented backup retention policy, provided that such backup data is not actively accessed or Processed except for the purposes of disaster recovery, and is subject to the security protections described in this DPA for as long as it is retained. Uonyx shall notify Customer of any legally required retention of Personal Data beyond the ninety (90) day deletion period specified in Section 13.1.
13.4 Notwithstanding Section 13.1, Uonyx may retain anonymised or aggregated information derived from Personal Data provided that such information does not identify Customer or any individual, and Uonyx may retain service metadata of the type described in Section 2.8 where required for ongoing service operation, security monitoring, billing audit, or legal compliance purposes.
13.5 Customer acknowledges that, following the completion of the deletion or return process under Section 13.1, Uonyx may continue to retain certain residual Personal Data in its backup or archival systems for a limited period in accordance with Uonyx's standard backup and disaster recovery policies (and in no event longer than ninety (90) days beyond the date of active system deletion), provided that such residual data shall be subject to the protections of this DPA until permanently deleted.
14. AUTHORISED AFFILIATES
14.1 Contractual Relationship
14.1.1 By entering into this DPA, Customer does so on behalf of itself and, as applicable, in the name and on behalf of its Authorised Affiliates that are explicitly permitted to use the Services. Each Authorised Affiliate shall be bound by the obligations of Customer as Controller under this DPA to the extent that Uonyx Processes Personal Data on behalf of such Authorised Affiliates, and each such Authorised Affiliate shall be treated as a 'Controller' for the purposes of the Personal Data Processed on its behalf.
14.1.2 All access to and use of the Services by Authorised Affiliates shall comply with the terms and conditions of the MSA and this DPA. Any violation of the MSA or this DPA by an Authorised Affiliate shall be deemed a material breach by Customer. Customer shall be responsible for ensuring that Authorised Affiliates are made aware of and comply with the terms of this DPA.
14.1.3 To the extent that any Authorised Affiliate has separate legal obligations as Controller under applicable Data Protection Laws (for example, separate obligations under the GDPR as a separately established legal entity), such Authorised Affiliate shall ensure its own compliance with such obligations and shall not rely solely on Customer's compliance with this DPA.
14.2 Communication
14.2.1 Customer shall remain the primary and responsible party for coordinating all communications with Uonyx under the MSA and this DPA. Customer is entitled to make and receive all communications in relation to this DPA on behalf of its Authorised Affiliates, unless Uonyx specifically agrees in writing to deal directly with a particular Authorised Affiliate.
14.2.2 Uonyx shall have no obligation to deal directly with Authorised Affiliates in connection with this DPA unless separately agreed in writing between Uonyx and the relevant Authorised Affiliate.
15. LIABILITY AND INDEMNIFICATION
15.1 Each Party's liability under this DPA (whether arising under contract, tort, statute, or otherwise) is subject to the exclusions and limitations of liability set out in the MSA, which are incorporated herein by reference and apply equally to this DPA.
15.2 Notwithstanding any limitation of liability in the MSA, nothing in this DPA or the MSA shall limit either Party's liability to Data Subjects or to a Supervisory Authority to the extent that such liability cannot lawfully be excluded or limited under applicable Data Protection Laws. In particular, the limitations of liability in the MSA shall not apply to: (a) liability for damages awarded to Data Subjects pursuant to Article 82 of the GDPR; or (b) administrative fines imposed by a Supervisory Authority pursuant to Article 83 of the GDPR, in each case to the extent such liability cannot be contractually excluded or limited.
15.3 Customer shall indemnify, defend, and hold harmless Uonyx and its Affiliates, officers, directors, employees, and agents from and against any and all claims, damages, penalties, fines, costs, and liabilities (including reasonable legal fees) arising directly from: (a) Customer's breach of its obligations as Controller under this DPA or applicable Data Protection Laws; (b) Customer's issuance of unlawful or unauthorised instructions to Uonyx; (c) Customer's failure to obtain lawful legal bases for the Processing; (d) Customer's failure to provide adequate notices to Data Subjects; or (e) any Processing carried out by Uonyx strictly in accordance with Customer's instructions that nonetheless results in a breach of applicable Data Protection Laws solely as a result of those instructions.
15.4 Uonyx shall indemnify, defend, and hold harmless Customer and its Affiliates from and against any and all third-party claims, damages, fines, and liabilities (including reasonable legal fees) arising directly from Uonyx's material breach of its obligations as Processor under this DPA, to the extent such losses are attributable to Uonyx's own acts or omissions and are not covered by Customer's indemnification obligations under Section 15.3.
15.5 Each Party agrees to: (a) promptly notify the other Party of any claim or Supervisory Authority proceeding for which it may seek indemnification under this Section 15; (b) cooperate fully with the indemnifying Party in the defence of such claim; and (c) not make any admission of liability or settlement without the indemnifying Party's prior written consent (not to be unreasonably withheld).
16. TERM AND TERMINATION
16.1 This DPA shall be effective as of the Effective Date and shall remain in full force and effect for the duration of the MSA and provision of the Services thereunder, unless earlier terminated in accordance with this Section 16 or the MSA.
16.2 This DPA shall automatically terminate upon the expiration or termination of the MSA in its entirety, subject to the survival provisions set out in Section 16.4.
16.3 Either Party may terminate this DPA with immediate effect by written notice to the other Party if: (a) the other Party commits a material breach of this DPA that is not remediable or is not remedied within thirty (30) days of the non-breaching Party's written notice specifying the breach; (b) the other Party becomes insolvent, is subject to bankruptcy or insolvency proceedings, or ceases to trade; or (c) a competent Supervisory Authority issues a binding order or injunction prohibiting the continuation of the Processing described in this DPA.
16.4 The following provisions of this DPA shall survive its termination or expiration for as long as necessary to fulfil their purpose: Sections 1 (Definitions), 4 (Confidentiality), 11 (Records), 13 (Return and Deletion), 15 (Liability), 17 (Governing Law), and 19 (General Provisions), and all provisions of the Schedules that are required to remain in force for the purpose of ongoing data protection compliance.
17. GOVERNING LAW AND DISPUTE RESOLUTION
17.1 This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the State of California, United States of America, without regard to its conflict of laws principles.
17.2 Any dispute, claim, or controversy arising out of or relating to this DPA, or the breach, termination, validity, or enforceability of any term hereof, shall be subject to the dispute resolution provisions set out in the MSA.
17.3 Notwithstanding the foregoing, each Party acknowledges and agrees that: (a) the Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established or, where the data exporter is not established in an EU Member State, the law of the Republic of Ireland, in accordance with the applicable SCC Governing Law Clause; and (b) to the extent that a Supervisory Authority of a Member State has supervisory jurisdiction, such Supervisory Authority may bring any claims or proceedings before the courts of its respective Member State in accordance with applicable Data Protection Laws.
17.4 Nothing in this DPA shall be construed to limit or restrict either Party's right to seek emergency injunctive or equitable relief from a court of competent jurisdiction in order to prevent irreparable harm to its rights under applicable Data Protection Laws or this DPA.
18. MODIFICATIONS AND AMENDMENTS
18.1 Each Party may, by at least forty-five (45) calendar days' prior written notice to the other Party, request variations to this DPA if they are reasonably required as a result of any change in applicable Data Protection Laws (including any new or amended regulatory guidance, court judgment, or Supervisory Authority decision) to allow the Processing of Personal Data to continue in compliance with applicable Data Protection Laws. Pursuant to such notice, the Parties shall use commercially reasonable efforts to agree upon, and implement, those or alternative variations designed to address the relevant Data Protection Law requirements as identified in the requesting Party's notice.
18.2 Uonyx may amend this DPA at any time without prior notice to Customer, provided that: (a) such amendment is not adverse in any material respect to Customer's rights or to Uonyx's obligations under this DPA (e.g., corrections of errors, typographical fixes, technical adjustments, clarifications without substantive change); or (b) such amendment is necessary to comply with applicable Data Protection Laws or binding regulatory guidance. Where Uonyx makes a material adverse change to Customer's rights or to Uonyx's obligations under this DPA, Uonyx shall provide prior written notice to Customer by: (i) posting an announcement on the Uonyx platform; (ii) updating the DPA on Uonyx's website at https://uonyx.com/legal/dpa with a revised Effective Date; and/or (iii) sending an email notification to Customer's designated data protection or legal contact.
18.3 Any amendment or modification to this DPA agreed by the Parties shall be made in writing and signed by duly authorised representatives of both Parties.
19. GENERAL PROVISIONS
19.1 Order of Precedence
19.1.1 In the event of any conflict between certain provisions of this DPA and the provisions of the MSA, the provisions of this DPA shall prevail over the conflicting provisions of the MSA solely with respect to the Processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to the subject matter of international data transfers to which they apply.
19.2 Severability
19.2.1 If any provision or part-provision of this DPA is or becomes invalid, unenforceable, or illegal under applicable law, such provision shall be deemed deleted and the Parties shall negotiate in good faith to agree a replacement provision that achieves as closely as possible the same legal and commercial effect as the deleted provision. The remaining provisions of this DPA shall remain in full force and effect.
19.3 Entire Agreement
19.3.1 This DPA (together with the MSA and all Schedules hereto) constitutes the entire agreement between the Parties with respect to the Processing of Personal Data in connection with the Services, and supersedes all prior understandings, negotiations, representations, warranties, and agreements between the Parties relating to such subject matter.
19.4 Waiver
19.4.1 No failure or delay by either Party in exercising any right or remedy under this DPA shall constitute a waiver of that right or remedy, nor shall any single or partial exercise of any right or remedy preclude any other or further exercise thereof. Any waiver of any provision of this DPA must be in writing signed by the waiving Party.
19.5 Counterparts and Electronic Execution
19.5.1 This DPA may be executed in two or more counterparts, each of which shall be deemed an original and all of which together shall constitute a single instrument. Electronic signatures (including signatures via DocuSign or similar electronic signature platforms) shall have the same legal effect and validity as original handwritten signatures.
19.5.2 Customer's acceptance of this DPA may also be evidenced by: (a) Customer's execution of the MSA, which incorporates this DPA by reference; or (b) Customer's use or continued use of the Services after having been notified of this DPA.
20. EXECUTION AND SIGNATURES
IN WITNESS WHEREOF, the Parties have caused this Data Processing Agreement to be executed by their respective duly authorised representatives as of the Effective Date.
| For and on behalf of: | For and on behalf of: |
|---|---|
| Uonyx (Processor) | [CUSTOMER LEGAL ENTITY NAME] (Controller) |
| Name: ___________________________ | Name: ___________________________ |
| Title: ___________________________ | Title: ___________________________ |
| Date: ___________________________ | Date: ___________________________ |
SCHEDULE 1 — DETAILS OF THE PROCESSING (GDPR ANNEX I)
This Schedule forms Annex I to the Standard Contractual Clauses (EU SCCs Module 2 and 3) where applicable to cross-border transfers under Section 10 of this DPA.
A. Parties
Data Exporter (Controller)
| Field | Details |
|---|---|
| Name | [Customer Legal Entity Name] |
| Address | [Customer Address] |
| Contact Person | [Customer DPO/Privacy Contact — to be completed at execution] |
| Jurisdiction | [Customer's Country of Establishment] |
| Role | Controller |
Data Importer (Processor)
| Field | Details |
|---|---|
| Name | Uonyx |
| Address | 7421 Edinger Ave, Huntington Beach, CA 92647, United States |
| Contact Person | Data Protection Officer / Privacy Team — privacy@uonyx.com |
| Jurisdiction | State of California, United States of America |
| Role | Processor |
B. Subject Matter of Processing
The provision by Uonyx to Customer of an AI-powered multi-tenant cloud-based enterprise resource planning (ERP) SaaS platform hosted on Amazon Web Services (AWS) infrastructure located in the United States of America (primary regions: us-east-1 N. Virginia; us-west-2 Oregon), comprising all Services and modules described in the MSA. The platform includes, without limitation, the following functional modules: CRM; Newsletter; Selling; Point of Sale; Buying; Stock and Inventory; Manufacturing; Quality Management; Projects; Accounting; HR and Payroll; Lending; Asset Management; Helpdesk; Raven (communication and collaboration); Telephony; LMS (Learning Management System); Wiki; Drive (Document Management); Healthcare; and Property Management. The categories of Personal Data Processed by the Services depend on the modules enabled by the Customer and the data submitted by the Customer when using the platform. Additional modules and features may be introduced over time in accordance with the MSA.
C. Duration of Processing
For the duration of the MSA and the provision of the Services thereunder, unless otherwise agreed in writing. Following termination, Uonyx will Process Personal Data only to the limited extent required to fulfil its obligations under Section 13 of this DPA (Return and Deletion) and as required or permitted by applicable law.
D. Nature and Purpose of Processing
Processing shall be carried out for the following purposes:
- Providing the Services to Customer in accordance with the MSA and this DPA, including the operation, maintenance, and improvement of the Uonyx platform;
- Performing the contractual obligations set out in the MSA, Order Forms, Statements of Work, and other agreements between the Parties;
- Acting upon Customer's documented instructions consistent with the terms of this DPA and the MSA;
- Facilitating the sharing of Personal Data with third-party applications and Sub-Processors as configured by or on behalf of Customer (e.g., third-party integrations enabled by Customer through the Services);
- De-identification, pseudonymisation, or anonymisation of Personal Data as directed by Customer or as required for security and platform improvement purposes;
- Maintaining security, preventing fraud and abuse, and ensuring the integrity of the Services;
- Complying with applicable laws and regulations; and
- All activities ancillary or incidental to the above.
E. Types of Personal Data
The type and extent of Personal Data Processed is determined and controlled by Customer in its sole discretion, and may include the following categories:
| ERP Module | Categories of Personal Data | Examples |
|---|---|---|
| CRM | Contact and commercial data | Names, email addresses, phone numbers, company affiliations, job titles, communication history, deal and pipeline data, contractual details |
| Accounting & Finance | Financial and transactional data | Billing names and addresses, bank account details (partial), payment histories, invoice records, purchase orders |
| HR & Payroll | Employment and payroll data | Full names, national ID numbers, addresses, date of birth, salary and compensation data, employment history, performance data, leave records, bank account details for payroll, emergency contacts |
| Inventory & Procurement | Supplier and vendor contact data | Supplier contact names, email addresses, shipping addresses, purchase records |
| Project & Task Mgmt | Collaboration and productivity data | User names, task assignments, project communications, time tracking records |
| Customer Support | Customer service data | Customer names, email addresses, support ticket content, service history, device or platform information |
| Document Management | Document and content data | Authorship metadata, document content (which may include personal data at Customer's discretion) |
| Analytics | Usage and behavioural data | Platform interaction data, usage logs, session identifiers, device information, IP addresses (where configured by Customer) |
| AI Automation | AI interaction data | Prompts, queries, and inputs submitted to AI features; outputs generated by AI processing of Customer Data |
Customer acknowledges that it shall not submit Sensitive Data to the Services without Uonyx's prior written consent, as required under Section 2.5 of this DPA.
F. Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be Processed under this DPA are dependent on Customer's use of the Services and may include, without limitation:
- Employees, contractors, agents, advisors, and freelancers of Customer (who are natural persons);
- Prospects, customers, clients, business partners, and vendors of Customer (who are natural persons);
- Employees, representatives, or contact persons of Customer's prospects, customers, business partners, and vendors;
- Job applicants and candidates processed through HR modules;
- End users and consumers whose data is managed by Customer through CRM, Customer Support, or other Service modules; and
- Any other third-party individual whose Personal Data is submitted to or Processed through the Services by Customer.
G. Competent Supervisory Authority
The competent Supervisory Authority for the purposes of the Standard Contractual Clauses shall be: (a) for EEA-established data exporters: the Supervisory Authority of the EEA Member State in which the data exporter is established; (b) for UK-established data exporters: the Information Commissioner's Office (ICO); and (c) for Switzerland-established data exporters: the Swiss Federal Data Protection and Information Commissioner (FDPIC). Where the data exporter is not established in any of the above jurisdictions, the Supervisory Authority of the EEA Member State agreed by the Parties shall be competent.
SCHEDULE 2 — TECHNICAL AND ORGANISATIONAL MEASURES (GDPR ANNEX II)
This Schedule forms Annex II to the Standard Contractual Clauses where applicable. Uonyx may update the measures described herein from time to time, provided that any updates shall not materially reduce the overall level of security afforded to Personal Data.
A. Infrastructure and Cloud Security
| Control Category | Implemented Measures |
|---|---|
| Cloud Provider | Amazon Web Services (AWS) — enterprise-grade cloud infrastructure hosting. AWS data centres are certified to ISO 27001, SOC 1 / SOC 2 / SOC 3, PCI DSS, and FedRAMP standards. AWS provides physical security controls including perimeter protection, 24/7 on-site security personnel, biometric access controls, and video surveillance. |
| Data Centres | Uonyx's production systems are hosted in AWS data centres in us-east-1 (N. Virginia) and us-west-2 (Oregon). Disaster recovery infrastructure is maintained in us-west-2 (Oregon). All data centres utilise redundant power supplies, HVAC, and fire suppression. |
| Multi-Tenancy Architecture | Uonyx employs a logically isolated multi-tenant architecture in which each Customer's data is stored within a dedicated database instance or schema, ensuring logical separation between customers. Cross-tenant data access is technically prevented at the application and database layers. |
| Network Security | AWS Virtual Private Cloud (VPC) with dedicated security groups, network access control lists (ACLs), and subnet segmentation. AWS Web Application Firewall (WAF) and DDoS protection (AWS Shield). Intrusion detection and prevention systems (IDS/IPS) monitoring all inbound and outbound network traffic. |
| Availability and Redundancy | Multi-Availability Zone (Multi-AZ) deployment for high availability. Auto-scaling infrastructure to handle load spikes. Regular backups performed daily with point-in-time recovery capabilities. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined per Uonyx's Business Continuity Plan. |
B. Data Encryption
| Control Category | Implemented Measures |
|---|---|
| Encryption at Rest | All Customer Data stored within the Uonyx platform is encrypted at rest using AES-256 encryption, implemented via AWS Key Management Service (KMS). This includes database storage (AWS RDS), file storage (AWS S3), and backup storage. |
| Encryption in Transit | All data transmitted between Customer clients (browsers, API clients, mobile applications) and the Uonyx platform is encrypted in transit using TLS 1.2 or TLS 1.3. Uonyx enforces HTTPS for all platform endpoints and disables deprecated TLS versions (1.0 and 1.1). |
| Key Management | Encryption keys are managed using AWS KMS with automatic key rotation on an annual basis. Cryptographic key material is not stored in plaintext and is only decrypted in memory when required for Processing. Customer-managed encryption keys (BYOK) are available as a configurable option for Enterprise customers. |
| Database Encryption | AWS RDS instances are configured with encryption at rest enabled. Database connection strings are encrypted and stored using AWS Secrets Manager. |
C. Access Controls and Identity Management
| Control Category | Implemented Measures |
|---|---|
| Authentication | Multi-factor authentication (MFA) is mandatory for all Uonyx personnel accessing production systems containing Personal Data. Customer-facing platform access supports MFA enforcement configurable by Customer administrators. Password policies enforce minimum complexity, length, and rotation requirements. |
| Role-Based Access Control (RBAC) | Uonyx implements role-based access control both internally (for Uonyx personnel) and within the customer-facing platform. Access rights are granted on a least-privilege and need-to-know basis. Customer account administrators can create and assign custom roles with granular permission sets. |
| Privileged Access Management | Privileged and administrative access to production infrastructure is restricted to authorised senior engineering and security personnel. All privileged access sessions are logged, monitored, and subject to peer review. Just-in-time (JIT) access provisioning is used for production database access. |
| Access Reviews | Uonyx conducts formal access reviews at least annually, and upon any change in employment status or role, to validate that access rights remain appropriate. Access is automatically revoked upon offboarding of personnel. |
| Single Sign-On (SSO) | SSO integration via SAML 2.0 / OAuth 2.0 is available for Enterprise customers to enforce centralised identity management and access governance across their organisation. |
D. Application Security
| Control Category | Implemented Measures |
|---|---|
| Secure Development Lifecycle (SDLC) | Uonyx follows a secure software development lifecycle incorporating security requirements analysis, threat modelling, secure code review, static application security testing (SAST), dynamic application security testing (DAST), and dependency vulnerability scanning as part of the CI/CD pipeline. |
| Vulnerability Management | Regular automated vulnerability scanning of all production infrastructure and application components. Penetration testing conducted by independent third-party security firms on at least an annual basis. A formal vulnerability management programme governs the prioritisation and remediation of identified vulnerabilities based on severity. |
| Patch Management | A documented patch management policy governs the timely application of security patches to all operating systems, application frameworks, and third-party libraries. Critical security patches are applied within 72 hours of availability; high-severity patches within 7 days. |
| OWASP Top 10 | Application security controls are designed to mitigate the OWASP Top 10 web application security risks, including SQL injection, cross-site scripting (XSS), insecure direct object references, and broken authentication. |
| API Security | All Uonyx APIs implement OAuth 2.0 or API key authentication. API rate limiting and abuse detection are in place. API keys can be scoped, rotated, and revoked by Customer administrators. |
E. Audit Logging and Monitoring
| Control Category | Implemented Measures |
|---|---|
| Audit Logs | Comprehensive audit logs are maintained for all user actions, system events, authentication events, data access, and administrative operations within the Uonyx platform. Audit logs are tamper-evident and retained for a minimum of twelve (12) months (and up to twenty-four (24) months for Enterprise customers). |
| Security Monitoring | 24/7 automated security monitoring using AWS CloudWatch, AWS CloudTrail, and third-party SIEM tooling. Automated alerting on anomalous access patterns, authentication failures, and security events. On-call security response team for incident response. |
| Customer Audit Logs | Customer account administrators have access to platform audit logs recording actions taken by Authorised Users within the Customer's tenant, accessible through the Uonyx platform's administration console. |
F. Data Minimisation and Retention
| Control Category | Implemented Measures |
|---|---|
| Data Minimisation | Uonyx's platform is configured to collect and process only the Personal Data necessary to deliver the Services. Default data collection settings are designed to minimise Personal Data exposure. AI features process Personal Data only to the extent required to deliver the requested output. |
| Data Retention and Deletion | Customer-configured data retention policies are enforced within the platform. Upon termination, data deletion is performed in accordance with Section 13 of this DPA. Uonyx maintains secure data disposal procedures for physical and cloud-based media. |
G. Organisational and Personnel Security
| Control Category | Implemented Measures |
|---|---|
| Personnel Vetting | Background verification checks (criminal record, employment history, and references) are conducted for all employees and contractors with access to Personal Data or production systems, prior to commencement of employment or engagement. |
| Security Awareness Training | All Uonyx employees and contractors complete mandatory data protection and information security awareness training at induction and on an annual basis. Role-specific security training is provided to engineering, DevOps, and support personnel. |
| Confidentiality Obligations | All Uonyx employees, contractors, and agents with access to Personal Data are bound by written confidentiality agreements and are informed of and trained on their data protection obligations. |
| Data Protection Officer | Uonyx has appointed a Data Protection Officer (DPO) or functionally equivalent designated privacy contact responsible for overseeing compliance with applicable Data Protection Laws. Contact: Privacy & Data Protection Team — privacy@uonyx.com. |
H. Business Continuity and Disaster Recovery
| Control Category | Implemented Measures |
|---|---|
| Business Continuity Plan | Uonyx maintains a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), tested at least annually, to ensure the continued availability of the Services and the ability to restore access to Personal Data following a physical or technical incident. |
| Backup and Recovery | Automated daily backups of all production databases and data stores. Backup integrity is validated through regular automated restoration tests. Separate backup encryption keys are used to protect backup data. |
| Incident Response Plan | Uonyx maintains and tests a formal Security Incident Response Plan, including defined escalation paths, roles and responsibilities, communication procedures, and post-incident review processes, in compliance with Article 32 of the GDPR. |
I. Third-Party and Supplier Security
| Control Category | Implemented Measures |
|---|---|
| Sub-Processor Security | Uonyx conducts due diligence on all Sub-Processors prior to engagement, including review of their security certifications, policies, and data processing agreements. Sub-Processors are contractually required to implement technical and organisational measures equivalent to those described in this Schedule 2. |
| Vendor Management | A formal third-party risk management programme governs the ongoing assessment and monitoring of Sub-Processors and third-party service providers with access to Personal Data. |
J. Certifications and Compliance
| Certification / Framework | Status | Scope |
|---|---|---|
| SOC 2 Type II | Maintained / In Active Pursuit | Security, Availability, Confidentiality |
| ISO/IEC 27001 | Maintained / In Active Pursuit | Information Security Management |
| GDPR (EU) 2016/679 | Compliant | EEA / UK Personal Data Processing |
| CCPA / CPRA | Compliant | California Personal Information |
| AWS Security Best Practices | Implemented | Cloud Infrastructure |
| OWASP ASVS Level 2 | Implemented | Application Security |
SCHEDULE 3 — LIST OF SUB-PROCESSORS (GDPR ANNEX III)
This Schedule forms Annex III to the Standard Contractual Clauses where applicable. The current and complete list of Sub-Processors is maintained at https://uonyx.com/legal/subprocessors and is updated in accordance with Section 6.2 of this DPA. Customers are encouraged to subscribe to the Sub-Processor notification mechanism at that URL to receive advance notice of any changes.
The following Sub-Processors are currently engaged by Uonyx to Process Personal Data in connection with the provision of the Services. All Sub-Processors are engaged pursuant to written data processing agreements containing data protection obligations materially equivalent to those set out in this DPA, consistent with the requirements of GDPR Article 28.
| Sub-Processor Name | Processing Activity / Purpose | Data Categories Processed | Processing Location |
|---|---|---|---|
| 1 — CLOUD INFRASTRUCTURE | | | |
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, relational database services, networking, content delivery, key management, and security services underpinning the entire Uonyx platform. | All Personal Data stored and processed on the Uonyx platform, including Customer Data across all active modules. | United States (AWS us-east-1 — N. Virginia; us-west-2 — Oregon) |
| 2 — EMAIL DELIVERY | | | |
| Postmark | Transactional email delivery for system-generated messages, including account notifications, password reset emails, authentication emails, workflow alerts, and customer communications originating from the Uonyx platform. | Email addresses, email display names, notification content, message metadata (subject, timestamp, delivery status). | United States |
| Mailgun | Transactional email delivery and email API services for system notifications, user onboarding communications, platform-generated alerts, and bulk transactional messaging as configured by Customer. | Email addresses, email display names, notification content, message metadata (subject, timestamp, delivery status, open and click events where tracking is enabled). | United States |
| 3 — SMS, MESSAGING & COMMUNICATIONS | |||
| Twilio | SMS delivery and messaging API services for multi-factor authentication (MFA/OTP) messages, system alerts, automated notifications, and communication workflows configured within the platform. | Phone numbers, one-time passcodes (OTP), SMS message content, messaging metadata (timestamp, delivery status, carrier routing data). | United States |
| Vonage (now part of Ericsson) | SMS delivery, messaging, and voice communication API services for authentication messages, system notifications, and communication infrastructure supporting Customer-configured workflows. | Phone numbers, one-time passcodes (OTP), SMS and voice message content, messaging metadata (timestamp, delivery status, routing data). | United States / Global (primary infrastructure: United States and European Union) |
| MessageBird (now Bird) | Omnichannel messaging API services for SMS delivery, authentication messages, and multi-channel communication notifications as configured by Customer within the platform. | Phone numbers, email addresses (where used for omnichannel delivery), one-time passcodes (OTP), message content, messaging metadata (timestamp, delivery status, channel type). | Netherlands (EU) / Global (processing may occur in multiple regions depending on message routing and Customer configuration) |
| Amazon Simple Notification Service (AWS SNS) | Cloud-based managed pub/sub messaging and mobile push notification service used for platform system alerts, event-driven notifications, and inter-service messaging infrastructure within the Uonyx platform. | Phone numbers (for SMS delivery), notification content, device tokens (for mobile push notifications where applicable), messaging metadata. | United States (AWS us-east-1 — N. Virginia; us-west-2 — Oregon) |
| 4 — ANALYTICS & MONITORING | |||
| [Analytics Provider — e.g., Mixpanel / Amplitude] | Platform usage analytics and product improvement analytics. Data is processed in aggregated or anonymised form where possible. | Usage metadata, anonymised user interaction data, feature engagement metrics. | United States |
| [Monitoring — e.g., Datadog / AWS CloudWatch] | Application performance monitoring, infrastructure health monitoring, error tracking, and security event alerting. | System logs, error logs, performance metrics, operational metadata (may incidentally contain Personal Data in log entries). | United States |
| 5 — CUSTOMER SUPPORT | |||
| [Support Platform — e.g., Zendesk / Freshdesk / Intercom] | Customer support ticket management, live chat, and helpdesk services for Uonyx's support of Customer accounts. | Customer names, email addresses, support ticket content, account identifiers, communication history. | United States |
| 6 — AI & MACHINE LEARNING | |||
| [AI Provider — e.g., OpenAI / AWS Bedrock / Anthropic] | AI model inference services supporting AI-powered features within the Uonyx platform. Processing is limited to inference only; Customer Data is not used for third-party model training. | Prompts, queries, and inputs submitted by Authorised Users to AI features, which may contain or reference Customer Data. | United States |
| 7 — PAYMENT PROCESSING | |||
| [Payment Processor — e.g., Stripe] | Subscription billing management and payment processing for Uonyx's platform subscription fees. | Billing names and addresses, payment method type and last four digits, transaction records. Full payment card data is processed directly by the payment processor and is not stored by Uonyx. | United States |
Notes and Safeguards:
- All Sub-Processors listed above are required to comply with GDPR-equivalent data protection obligations under written data processing agreements with Uonyx, consistent with GDPR Article 28(4).
- Where Sub-Processors are located outside the EEA, UK, or Switzerland (including in the United States), appropriate international data transfer mechanisms are in place, including Standard Contractual Clauses (EU SCCs Module 3), the EU-US Data Privacy Framework (where applicable), or other lawful transfer mechanisms recognised under applicable Data Protection Laws.
- Communication sub-processors (email delivery and SMS/messaging providers) process only the minimum data necessary to deliver individual messages — specifically, recipient addresses or phone numbers, message content as generated by the platform, and delivery metadata. They do not have access to broader Customer Data stored in the Uonyx platform.
- Uonyx does not permit any Sub-Processor to use Customer Personal Data for its own commercial purposes, advertising, marketing, or product development without Customer's prior written consent.
- Providers listed as '[Provider — e.g., ...]' represent the category of service. Uonyx will confirm the specific provider upon Customer request or via the Sub-Processor Page at https://uonyx.com/legal/subprocessors.
- This list is subject to change in accordance with Section 6 of this DPA. Uonyx will provide at least fourteen (14) days' advance written notice of material changes to this list.
SCHEDULE 4 — STANDARD CONTRACTUAL CLAUSES APPLICABILITY MATRIX
The following matrix summarises the applicable Standard Contractual Clauses and transfer mechanisms for the principal cross-border data transfer scenarios under this DPA:
| Transfer Scenario | Applicable Instrument | Module | Notes |
|---|---|---|---|
| EEA → non-adequate country (Customer → Uonyx) | EU SCCs (Commission Decision EU 2021/914) | Module 2 (C2P) | Applies automatically per Section 10.2 of this DPA |
| UK → non-adequate country (Customer → Uonyx) | UK IDTA or UK Addendum to EU SCCs | N/A | Applies automatically per Section 10.2 of this DPA |
| Switzerland → non-adequate country (Customer → Uonyx) | Switzerland Addendum to EU SCCs | N/A | Applies automatically per Section 10.2 of this DPA |
| EEA / UK / Switzerland → non-adequate country (Uonyx → Sub-Processor) | EU SCCs (Commission Decision EU 2021/914) | Module 3 (P2P) | Applies to Uonyx's Sub-Processor arrangements per Section 10.3 |
| Transfers covered by Adequacy Decisions (including EU-US DPF) | Adequacy Decision — no further safeguard required | N/A | Applies per Section 10.1 of this DPA |
The SCCs incorporated by this DPA are the version approved by Commission Implementing Decision (EU) 2021/914. In the event the European Commission adopts new or revised SCCs, Uonyx shall transition to the updated SCCs within the applicable transition period and shall notify Customer accordingly.
SCHEDULE 5 — ADDITIONAL TRANSFER SAFEGUARDS
This Schedule sets out supplementary technical and organisational measures ('Additional Safeguards') implemented by Uonyx to ensure an essentially equivalent level of data protection for EEA, UK, and Switzerland Personal Data transferred to countries that have not received an Adequacy Decision, in accordance with the EDPB Recommendations 01/2020 and applicable regulatory guidance.
A. Encryption Safeguards
Uonyx implements end-to-end encryption for all Personal Data transmitted across international borders:
- All data transferred to and from the Uonyx platform is encrypted in transit using TLS 1.3 (minimum TLS 1.2), ensuring that data cannot be intercepted or read by any third party (including network intermediaries) during transmission;
- All Personal Data stored in the destination country is encrypted at rest using AES-256, with encryption keys managed by Uonyx in a manner that prevents the key from being accessed by the local cloud provider or local authorities without Uonyx's involvement; and
- Customer-managed encryption keys (BYOK) are available for Enterprise customers, providing an additional layer of protection by ensuring that Uonyx and its Sub-Processors cannot decrypt Customer Data without Customer's active participation.
B. Contractual Safeguards
Uonyx has implemented the following contractual safeguards:
- Standard Contractual Clauses (Module 2 or Module 3 as applicable) are executed with all Sub-Processors in non-adequate countries;
- Sub-Processor agreements include binding obligations to notify Uonyx of any legally binding government access requests before complying, to the extent permitted by applicable law; and
- Sub-Processors are contractually prohibited from accessing or disclosing Personal Data in response to government access requests without first notifying Uonyx and, where possible, seeking to obtain a protective order.
C. Technical and Operational Safeguards for Government Access
To mitigate the risk of disproportionate or unlawful government access to Personal Data:
- Uonyx's data processing architecture is designed to ensure that Personal Data stored in third countries cannot be decrypted or accessed by local Sub-Processors or cloud infrastructure providers without the use of Customer-held decryption keys (where BYOK is enabled);
- Uonyx maintains a documented Governmental Access Policy setting out the procedures for handling and challenging government access requests; and
- Uonyx publishes a Transparency Report (or equivalent disclosure) summarising the number and nature of government access requests received in each reporting period, to the extent permitted by applicable law.
D. Pseudonymisation
Where technically feasible and appropriate to the nature of the Processing, Uonyx applies pseudonymisation techniques to Personal Data transferred to non-adequate countries, such that the transferred data cannot, by itself, be attributed to a specific Data Subject without additional information that is held separately and securely within the EEA or UK.
E. Transfer Impact Assessment
Uonyx has carried out a Transfer Impact Assessment (TIA) for all material cross-border transfers of Personal Data under this DPA. The TIA assessed: (a) the laws and practices of the destination country relevant to government access to Personal Data; (b) the adequacy of the technical and contractual safeguards described in this Schedule 5; and (c) the likelihood of government access resulting in unjustified interference with the rights and freedoms of Data Subjects. The TIA concluded that, taking into account the Additional Safeguards described in this Schedule 5, an essentially equivalent level of protection is ensured for the relevant transfers.
A summary of the TIA is available to Customer upon written request, subject to execution of an appropriate non-disclosure agreement.
UONYX OPERATIONAL CONTACT DIRECTORY
The following table sets forth the official operational email addresses for Uonyx referenced throughout this Data Processing Agreement. All communications under this DPA should be directed to the applicable address below.
| Email Address | Purpose and Use |
|---|---|
| privacy@uonyx.com | Privacy, DPA inquiries, GDPR requests, and compliance matters, including: Data Processing Agreement inquiries; GDPR, CCPA, and international privacy requests; Data Subject Rights requests; Data Protection Impact Assessments; Sub-Processor notifications or objections; general compliance-related inquiries |
| security@uonyx.com | Security vulnerability reporting and security inquiries, including: security vulnerability disclosures; Data Incident and breach reporting; security-related inquiries |
| legal@uonyx.com | Legal notices and contractual communications, including: formal legal notices under this DPA or MSA; contractual matters and amendments; formal legal communications |
| support@uonyx.com | Customer support and operational inquiries, including: customer support and general service inquiries; platform usage and operational assistance; non-legal, non-security operational matters |
All notices required or permitted under this DPA to be given to Uonyx shall be submitted in writing to the applicable email address listed above, or by postal mail to: Uonyx, 7421 Edinger Ave, Huntington Beach, CA 92647, United States, Attn: Legal Department. Notices to Uonyx are effective upon confirmed receipt. Notices to Customer shall be sent to the contact information provided in the MSA or applicable Order Form.