Data Protection Addendum
This Data Protection Addendum ("Addendum") between Citta LLC ("MindStaq") and the Customer (as defined in the Agreement) forms part of the MindStaq Terms of Service or such other written or electronic agreement incorporating this Addendum, in each case governing Customer's access to and use of the Services (the "Agreement"). This Addendum was last updated in April 2025.
Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with MindStaq. For the purposes of this Addendum only, references to "Customer" shall include Customer and such Affiliates.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
1. Definitions
In this Addendum, the following terms shall have the meanings set out below:
- a. "Affiliate" — an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or MindStaq, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity.
- b. "Customer Personal Data" — any Personal Data provided by or made available by Customer to MindStaq or collected by MindStaq on behalf of Customer which is Processed by MindStaq to perform the Services.
- c. "Controller to Processor SCCs" — the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries, including EU SCCs, the UK Transfer Addendum, and any similar clauses adopted by a data protection regulator.
- d. "Data Protection Laws" — any local, state, or national law regarding the processing of Personal Data applicable to MindStaq in the jurisdictions in which the Services are provided to Customer, including privacy, security, and data protection law.
- e. "EU Area" — the European Union, European Economic Area, United Kingdom, and Switzerland.
- f. "EU Area Law" — EU GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Data Protection Act, and any successor or amendments thereto.
- g. "Security Incident" — any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by MindStaq.
- h. "Services" — the services to be supplied by MindStaq to Customer or Customer's Affiliates pursuant to the Agreement.
- i. "Third Country" — countries that have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data.
The terms "Business", "Controller", "Data Subject", "Personal Data", "Process", "Processor", "Subprocessor", "Supervisory Authority", and "Third Party" have the same meanings as described in applicable Data Protection Laws. Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.
2. Scope of Addendum
This Addendum applies to MindStaq's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
3. Roles of the Parties
Customer acts as a Business or Controller, and MindStaq acts as a Service Provider or Processor. This Addendum shall apply solely to the Processing of Customer Personal Data by MindStaq acting as a Processor, Subprocessor, or Third Party (as specified in Annex 1).
Customer shall be solely responsible for ensuring timely communications to Customer's Affiliates or the relevant Controller(s) who receive the Services, as required by applicable Data Protection Laws. Customer is also solely responsible for complying with Security Incident notification laws and fulfilling any obligations to give notices to government authorities, affected individuals, or others relating to any Security Incidents.
4. Description and Purpose of Personal Data Processing
The Parties have mutually set out their understanding of the subject matter and details of the Processing of Customer Personal Data in Annex 1 to this Addendum. The purpose of Processing under this Addendum is the provision of the Services pursuant to the Agreement and any Order Form(s).
5. Data Processing Terms
Customer shall comply with all applicable Data Protection Laws in connection with the Processing of Customer Personal Data and shall provide MindStaq with instructions in accordance with those laws. Customer agrees not to provide MindStaq with any data concerning a natural person's health, religion, or any special categories of data as defined in Article 9 of the GDPR.
MindStaq shall comply with all applicable Data Protection Laws and specifically shall:
- Process Customer Personal Data only on the documented instructions of Customer and solely for the purpose of providing the Services.
- Not Sell or Share Customer Personal Data, nor use it outside of its business relationship with Customer, except as required or permitted by law.
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures in accordance with Article 32 of the GDPR, including pseudonymization and encryption, ongoing integrity and availability, timely restoration following incidents, and regular testing of security measures.
- Obtain Customer's general authorization for Sub-processors, notifying Customer at least 30 calendar days in advance of any intended changes and remaining liable for each Sub-processor's compliance.
- Promptly notify Customer of any legally binding disclosure requests for Customer Personal Data and maintain records of all such disclosures.
- Promptly notify Customer of any communication from a Data Subject or Supervisory Authority regarding Customer Personal Data, and provide reasonable assistance in responding to data subject rights requests.
- Notify Customer without undue delay upon becoming aware of a Personal Data Breach, including all timely information reasonably required by Customer to meet its reporting obligations.
- Provide reasonable assistance with obligations under Articles 32–36 of the GDPR.
- Cease Processing Customer Personal Data upon termination or expiry of the Agreement and, at Customer's option, return or delete all copies.
- Maintain records to demonstrate compliance and allow for audits by Customer or an independent third-party auditor upon reasonable prior notice.
6. Warranties
The Parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the term of the Agreement.
7. Restricted Transfers
When the transfer of Customer Personal Data from Customer (as exporter) to MindStaq (as importer) is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs:
- EU GDPR transfers: Module Two of the EU SCCs will apply, governed by Irish law, with disputes resolved before the courts of the Republic of Ireland.
- Swiss DPA transfers: EU SCCs apply with modifications to reference Swiss law and the Swiss FDPIC as the competent supervisory authority.
- UK GDPR transfers: EU SCCs apply as modified by the UK Transfer Addendum, with any conflicts resolved per Sections 10 and 11 of the UK Addendum.
- AI processing: MindStaq shall process Personal Data using AI and machine learning technologies within the Frankfurt Region, Germany, in accordance with the GDPR. AI processing is limited to the purposes of the Services provided by MindStaq.
MindStaq shall not participate in any other Restricted Transfers of Customer Personal Data unless made in compliance with applicable Data Protection Law and pursuant to the relevant Standard Contractual Clauses. Customer should routinely review all international transfers of Personal Data and implement additional safeguards (such as encryption or pseudonymization) where necessary.
Where a party is located outside the EEA or an adequate country and receives Personal Data, it will act as the data importer and the relevant Transfer Mechanism will apply. Transfer Mechanisms include: Standard Contractual Clauses (European Commission Decision of 4 June 2021), International Data Transfer Agreements and Addendums issued by the UK ICO under Section 119A of the Data Protection Act 2018. If a Transfer Mechanism is insufficient, the data importer will promptly implement supplementary measures.
8. Precedence
This Addendum is supplemental to the Agreement. In the event of any inconsistency, priority shall be: (a) any Standard Contractual Clauses or Cross-Border Transfer Mechanisms, (b) this Addendum, (c) the Agreement. In the event that any provision of this Addendum and/or the Agreement contradicts the Controller to Processor SCCs, the Controller to Processor SCCs will control.
9. Indemnity
To the extent permissible by law, Customer shall defend MindStaq and its Affiliates from and against any and all claims, demands, suits, or proceedings made or brought by any third party arising from any breach by Customer of this Addendum or of its obligations under applicable Data Protection Laws. MindStaq may participate in the defense and/or settlement of any such claim with counsel of its choosing at its own expense.
10. Severability
If any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.
11. Miscellaneous
This Addendum covers the following principles and requirements:
- Privacy by Design and default
- Achieving security of Processing
- Notification of breaches involving Customer Personal Data to the relevant Supervisory Authority and to Customer
- Conducting Privacy Impact Assessments where appropriate and required by applicable Data Protection Law
- Prior consultations with relevant Supervisory Authorities where needed and required by applicable Data Protection Laws
MindStaq shall comply with all statutory and regulatory requirements, ISO 27001:2022, ISO 27701:2019, and EU GDPR. There are no temporary files generated during processing.
To exercise data subject rights under applicable Data Protection Law (including access, correction, and/or erasure), or to raise concerns or complaints related to Customer Personal Data, please contact MindStaq's Data Protection Officer:
Sivakumar Sugasi
sivakumar.sugasi@mindstaq.com
Annex 1 — Description of Processing Activities
List of Parties
Data Exporter
Name: Customer (as defined in the Agreement)
Address: As set forth in the relevant Order Form
Role: Controller
Data Importer
Name: MindStaq Inc. (Citta LLC)
Address: 421 Seventh Avenue, Suite 810, New York, NY 10001
Contact: Sai Prakash, CTO — sai@mindstaq.com
Role: Processor
Processing Information
- Categories of data subjects: Customer's authorized users of the Services.
- Categories of personal data: Names and email IDs (processed automatically); address, date of birth, and past employment details (where provided by Customer in connection with audit services).
- Sensitive personal data transferred: None.
- Frequency of transfer: Continuous.
- Purpose: Provision of Services to Customer, including querying, cleansing, standardizing, enriching, and storing data to facilitate the performance of the Services.
- Retention period: As more fully described in the Agreement, Addendum, and accompanying order forms.
Annex 1 — Technical and Organisational Security Measures
Security Management
- MindStaq designates qualified security personnel responsible for development, implementation, and ongoing maintenance of its Information Security Program.
- Management reviews and supports all security-related policies at least annually.
- MindStaq engages an independent third party to perform risk assessments at least annually.
- MindStaq maintains a formal risk treatment program including penetration testing, vulnerability management, and patch management.
- MindStaq operates an information security management system compliant with ISO/IEC 27001:2022.
Personnel Security
- MindStaq conducts appropriate background checks on employees with access to client data, to the extent legally permissible.
- Personnel are required to execute confidentiality agreements and complete privacy and security training. Personnel handling Customer Personal Data must complete additional role-appropriate requirements.
- MindStaq's personnel will not process Customer Personal Data without authorization.
Access Controls
- MindStaq maintains a formal access management process to limit access to Customer Personal Data to properly authorized persons on a need-to-know, least-privilege basis.
- Administrators and end users must authenticate via Multi-Factor Authentication or Single Sign-On.
- Access rights are reviewed periodically. All changes are managed by workflow tools maintaining audit records.
- Password policies follow industry standards including complexity, expiry, lockout, and restrictions on password reuse.
Data Centre and Network Security
- Infrastructure: MindStaq uses DigitalOcean as its data centre, with Multi Availability Zones enabled and regular Backup Restoration Testing.
- Server Security: Servers are customised and hardened for the application environment. MindStaq employs a code review process to increase security.
- Disaster Recovery: Data is replicated over multiple systems. MindStaq designs, plans, and regularly tests its disaster recovery program.
- Security Logs: Logging is enabled across systems to support security audits and detect actual and attempted attacks.
- Vulnerability Management: Regular vulnerability scans are performed across all infrastructure components. Critical, High, and Medium patches are installed as soon as commercially possible.
- Network Transmission: Production environment transmissions use internet standard protocols. A DigitalOcean Security Group acts as a virtual firewall for the production environment.
- Incident Response: MindStaq maintains incident management policies and procedures, including security incident escalation procedures and multi-channel monitoring.
- Encryption: HTTPS (SSL/TLS) is available for data in transit; encryption technologies are implemented for data at rest.
- Data Storage and Isolation: Data is stored in a multi-tenant environment on DigitalOcean servers, replicated between multiple availability zones, and logically isolated per customer. A central authentication system is used across all Services.
Annex 2 — Sub-processors
For a current list of MindStaq's Sub-processors, please refer to our Trust Vault or contact us at legal@cittacorp.com.
For questions about this Addendum, contact MindStaq's Data Protection Officer at sivakumar.sugasi@mindstaq.com or at Citta LLC, 421 Seventh Avenue, Suite 810, New York, NY 10001.