Data Processing Addendum (DPA)

Effective as of the date of execution

Last Updated: February 1, 2026

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) sets out the terms that apply to the Processing of Personal Information (as defined below) by Numoloo LLC, on behalf of Customer, in the course of providing the Services to Customer for the Business Purpose.

All capitalized terms not defined herein will have the meanings set forth in the Standard Terms & Conditions (the “Agreement”).

By using the Services, Customer accepts this DPA

1. Definitions and Interpretation.

1.1 The following definitions and rules of interpretation apply in this DPA.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Privacy and Data Protection Requirements, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Numoloo, but has not signed its own order form with Numoloo and is not a “Customer” as defined under the Agreement.

Authorized User means any individual authorized or otherwise enabled by Customer to use the Services through Customer’s account.

“Business” means an entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information and includes “Controller” and cognate terms under applicable Privacy and Data Protection Requirements.

Business Purpose means the Services to be provided by Numoloo according to the Agreement updated on February 1, 2026, which constitutes a legally binding agreement between the parties.

“Canadian Data Protection Law” means data protection laws applicable in Canada, including the Personal Information Protection and Electronic Documents Act (SC 2000, c.5), Alberta’s Personal Information Protection Act (SA 2003, c. P-6.5), the British Columbia Personal Information Protection Act (SBC 2003, c.63) and Quebec’s Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1) (the “Québec Act”) and any binding regulations promulgated thereunder, in each case, as my be amended from time to time.

“CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder, in each case, as may be amended from time to time.

Customer Data means what is defined in the Agreement as “Customer Data”.

Data Subject means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

“European Data Protection Law” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); UK Data Protection Laws and Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Europe” means the European Economic Area (“EEA”) (which comprises the member states of the European Union, Norway, Iceland and Liechtenstein), the United Kingdom and Switzerland.

Personal Information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with a particular Data Subject or Consumer (as defined in the CCPA, to the extent applicable), which is included in Customer Data processed by Numoloo on behalf of Customer under the Agreement, or such equivalent concept as defined under applicable Privacy and Data Protection Requirements.

"Processing”, “processes”, or “process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

Privacy and Data Protection Requirements means all applicable federal, state, and foreign laws and regulations relating to the Processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the CCPA, Canadian Data Protection Law and European Data Protection Law.

Personal Information Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise processed by Numoloo on behalf of Customer under the Agreement.

“Service Provider” means an entity that Processes Personal Information on behalf of a Business and includes “Processor,” “Contractor” and cognate terms under applicable Privacy and Data Protection Requirements.

"Standard Contractual Clauses" or “SCCs” means, as applicable to the relevant transfer, (i) the Annex to the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council, and which sets out standard contractual clauses that fulfil the requirements for international data transfers among controllers and processors in Article 28(3) and (4) of the GDPR, the approved version of which in force at present is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as may be amended, superseded or replaced from time to time), which as they relate to the Processing under the Agreement comprise Appendix B, (ii) the UK IDTA, or (iii) such other terms intended to provide adequate protection to transferred personal data pursuant to Privacy and Data Protection Requirements; in each case, as amended or replaced from time to time under the relevant Privacy and Data Protection Requirements. When applicable to the Processing, Appendix B forms a part of this DPA.

“Sub-Processor” means any third-party service provider engaged by Numoloo that Processes Personal Information under the instruction or supervision of Numoloo.

1.2 This DPA is subject to the terms of the Agreement and is incorporated into the

Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.

1.3 The Appendices form part of this DPA and will have effect as if set out in full

in the body of this DPA. Any reference to this DPA includes the Appendices.

1.4 A reference to writing or written includes faxes and email.

1.5 In the case of conflict or ambiguity between:

  1. any provision contained in the body of this DPA and any provision

contained in the Appendices, the provision in the body of this DPA will prevail;

  1. certain provisions of this DPA and provisions of the Agreement, the

provisions of this DPA will prevail with respect to the Processing of Personal Information; and

  1. any of the provisions of this agreement and its Appendices and any

executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2. Scope and Personal Information Types and Processing Purposes

2.1 This DPA applies when Personal Information is processed by Numoloo strictly

on behalf of Customer for the Business Purpose. In this context and for the purposes of the Privacy and Data Protection Requirements (to the extent applicable), Customer is the “Business” or “Controller” and Numoloo is the “Service Provider” or “Processor”.

2.2 The Customer retains control of the Personal Information and remains

responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements and the Agreement, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Numoloo.

2.3 Appendix A describes the general Personal Information categories and related

types of Data Subjects that Numoloo may process to fulfill the Business Purpose. The Customer discloses Personal Information to Numoloo only for the limited and specified Business Purpose.

3. Customer’s Obligations and Instructions. Customer shall, in its use of the Services,

only submit or otherwise have Personal Information processed in accordance with the requirements of Privacy and Data Protection Requirements. Numoloo will only process Personal Information on behalf of and in accordance with Customer’s reasonable instructions. Customer instructs Numoloo to process Personal Information for the following purposes: (i) Processing to provide and ensure proper operation of the Business Purpose; (ii) Processing initiated or instructed by an Authorized User in their use of the Services; (iii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the Agreement; (iv) sharing Personal Information with, or receiving Personal Information from, third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer); (v) rendering Personal Information fully and irrevocably anonymous and non-personal, in accordance with applicable standards recognized by Privacy and Data Protection Requirements and guidance issued thereunder; and (vi) Processing as required under any applicable laws to which Numoloo is subject, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Numoloo shall inform Customer of the legal requirement before Processing, unless prohibited under such law or requirement. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Information shall comply with Privacy and Data Protection Requirements. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which Customer acquired Personal Information. Where required by applicable data protection laws, Customer shall configure and utilize the consent management features of the Services, including dual-party consent functionality, to ensure lawful recording, Processing, and use of audio or other communications. Without limitation, Customer will provide all necessary notices to relevant Data Subjects, including a description of the Services, and secure all necessary permissions and consents, or other applicable lawful grounds for Processing Personal Information pursuant to this DPA and/or under Privacy and Data Protection Requirements, and shall indemnify, defend and hold harmless any claim, damages or fine against Numoloo arising from any failure to acquire or use the Personal Information with legal consent or legitimate business purpose or in violation of any Privacy and Data Protection Requirements. Numoloo will inform Customer, if in Numoloo’s opinion an instruction infringes any provision under any Privacy and Data Protection Requirements and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties.

To the extent that Numoloo cannot comply with an instruction from Customer, (i) Numoloo shall promptly inform Customer, providing relevant details of the problem, (ii) Numoloo may, without any kind of liability to Customer, temporarily cease all Processing of the affected Personal Information (other than securely storing such data) and/or suspend access to the Customer’s account, and (iii) if the parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing. Customer will have no further claims against Numoloo (including, without limitation, requesting refunds for the Services) pursuant to the termination of the Agreement and the DPA as described in this paragraph.

4. Standard of Care

4.1 Numoloo acknowledges that Customer discloses Personal Information to

Numoloo only for the limited and specified Business Purpose set out in this DPA and the Agreement. Numoloo will only process, retain, use, or disclose the Personal Information (i) to the extent, and in such a manner, as is necessary for the Business Purpose and (ii) in compliance with applicable Privacy and Data Protection Requirements. Numoloo will not

  1. process, retain, use, or disclose the Personal Information for any other purpose, outside of

the parties' business relationship, or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements, nor (ii) combine Personal Information with personal information Numoloo processes on behalf of other parties unless expressly permitted under the Privacy and Data Protection Requirements and the Agreement between the parties.

4.2 Customer shall inform Numoloo of any request received from an individual

under the CCPA which requires Numoloo’s assistance in order to be fulfilled by Customer, and shall provide Numoloo all information necessary for it to assist with the request.

4.3 Numoloo will maintain the confidentiality of all Personal Information and will

not sell it to anyone, share it for cross-context behavioral advertising (targeted advertising) with anyone, or disclose it to third parties without specific authorization from the Customer or this DPA, unless required by law. If a law requires Numoloo to process or disclose Personal Information, Numoloo will first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

4.4 Numoloo will reasonably assist the Customer with meeting the Customer's

compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of Numoloo’s Processing and the information available to Numoloo. The Customer acknowledges that Numoloo is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from an Authorized User or the Personal Information other than as required under the Privacy and Data Protection Requirements.

4.5 Subject to the audit provisions in this DPA, Numoloo acknowledges that

Customer has the right to take reasonable and appropriate steps to ensure that Numoloo uses Personal Information in a manner consistent with Customer’s obligations under Privacy and Data Protection Requirements. Numoloo further acknowledges that Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by Numoloo, subject to the conditions agreed upon in this DPA, including audit provisions.

4.6 Numoloo shall notify Customer if Numoloo makes a determination that it can

no longer meet its obligations under the Privacy and Data Protection Requirements.

5. Numoloo’s Authorized Personnel

5.1 Numoloo will ensure that Numoloo’s access to Personal Information is limited

to those employees, contractors, agents, and auditors who require such access to perform the Services (“Authorized Personnel”).

5.2 Numoloo will ensure that Authorized Personnel (i) are informed of the

Personal Information's confidential nature and use restrictions and are obliged to keep the Personal Information confidential; (ii) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and (iii) are aware both of the Numoloo’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.

5.3 Numoloo will take reasonable steps to ensure compliance with the Security

Measures defined herein by Authorized Personnel to the extent applicable to their scope of performance and that all Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Numoloo.

6. Security

6.1 Numoloo will implement and maintain appropriate technical and

organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage as set out in Appendix C (the “Security Measures”, available to those with login credentials).

6.2 Numoloo will periodically review the Security Measures to ensure they remain

current and complete. Numoloo may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

7. Personal Information Breaches and Personal Information Loss

7.1 Numoloo will notify the Customer of a Personal Information Breach or any

unauthorized or unlawful processing of Customer’s Personal Information as soon as reasonably practicable after Numoloo becomes aware of it.

7.2 Following any unauthorized or unlawful Personal Information processing or

Personal Information Breach, the parties will coordinate with each other to investigate the matter. Numoloo will reasonably cooperate with the Customer in the Customer's handling of the matter, including:

  1. assisting with any investigation;
  2. making available all relevant records, logs, files, data reporting, and

other materials required to comply with Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.

  1. taking reasonable and prompt steps to mitigate the effects and to

minimize any damage resulting from the personal data breach.

7.3 The Customer will not make, disclose, release or publish any finding,

admission of liability, communication, notice, press release or report concerning any Personal Information Breach which directly or indirectly identifies Numoloo (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Numoloo’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Privacy and Data Protection Requirements. In the latter case, unless prohibited by such laws, Customer shall provide Numoloo with reasonable prior written notice to provide Numoloo with the opportunity to object to such disclosure and in any case, Customer will limit the disclosure to the minimum scope required by such laws.

8. Cross-Border Transfers of Personal Information

8.1 If the Privacy and Data Protection Requirements restrict cross-border Personal

Information transfers, the Customer will only transfer that Personal Information to Numoloo under the following conditions:

  1. Numoloo, either through its location or participation in a valid cross-

border transfer mechanism under the Privacy and Data Protection Requirements, as identified in Appendix A, may legally receive that Personal Information, however Numoloo must immediately inform the Customer of any change to that status;

  1. the Customer obtained valid Data Subject consent to the transfer under

the Privacy and Data Protection Requirements; or

  1. the transfer otherwise complies with the Privacy and Data Protection

Requirements for the reasons set forth in Appendix A.

8.2 If any Personal Information transfer between Numoloo and the Customer

requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses contained in Appendix B, and take all other actions required to legitimize the transfer, including, implementing any needed supplementary measures or supervisory authority consultations.

8.3 Numoloo will not transfer any Personal Information to another country unless

the transfer complies with the Privacy and Data Protection Requirements.

9. Sub-Processors.

9.1 The Customer grants to Numoloo specific authorization to appoint the

categories of third parties (“sub-processor” or “sub-processors”) listed in Appendix A in connection with the Business Purpose.

9.2 Numoloo may only authorize a sub-processor to process the Personal

Information on behalf of the Customer if:

  1. the Customer is given an opportunity to object within fourteen (14)

days after Numoloo supplies the Customer with full details regarding such sub- processor;

  1. Numoloo enters into a written contract with the sub-processor that

contains terms substantially the same as those set out in this DPA; and

  1. the Provider maintains control over all Personal Information it entrusts

to the sub-processor.

9.3 Where the sub-processor fails to fulfill its obligations under such written

agreement, Numoloo remains fully liable to the Customer for the sub-processor’s performance of its agreement obligations.

10. Data Subject Requests, Complaints, and Third-Party Rights

10.1 The Provider must notify the Customer within seven (7) working days if it

receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other Processing actions.

10.2 Numoloo must notify the Customer immediately if it receives any complaint,

notice, or communication that directly or indirectly relates to the Processing of Personal Information on behalf of the Customer or to either party's compliance with the Privacy and Data Protection Requirements.

10.3 Numoloo will give the Customer its full cooperation and assistance in

responding to any complaint, notice, communication, or Data Subject request.

10.4 Numoloo must not disclose the Personal Information to any Data Subject or to

a third party unless the disclosure is either at the Customer's request or instruction, permitted by this DPA, or is otherwise required by law.

11. Term and Termination. This DPA will commence and become legally binding on the

earlier of (i) the effective date of the Agreement to which it relates, or (ii) the initiation of Numoloo’s Processing of Personal Information on behalf of Customer; and will continue until the Agreement expires or is terminated.

12. Data Return and Destruction

12.1 At the Customer's request, Numoloo will give the Customer a copy of or

access to all or part of the Customer's Personal Information in its possession or control.

12.2 On expiry or termination of this DPA, Numoloo will securely delete or destroy

or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this DPA in its possession or control.

12.3 If any law, regulation, or government or regulatory body requires Numoloo to

retain any documents or materials that Numoloo would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

13. Records; Audit.

13.1 Numoloo will make available to Customer, pursuant to Customer’s reasonable

written request, all information necessary for Customer to demonstrate compliance with its obligations under applicable Privacy and Data Protection Requirements and this DPA, in relation to the Processing of Personal Information under this DPA by Numoloo. Such information shall only be used by Customer to assess compliance with the aforesaid obligations, and may not be disclosed to any third party without Numoloo’s prior written approval. As soon as the purpose of such information is met, Customer will permanently dispose of all copies thereof.

13.2 Numoloo will allow for and contribute to audits, including inspections,

conducted by Customer or a reputable auditor mandated by Customer (who are each not a competitor of Numoloo or affiliated with such a competitor), to assess Numoloo’s compliance with its obligations under this DPA. Numoloo may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Numoloo, at least 45 days in advance and will be performed not more than once a year (except for an audit following a Personal Information Breach); (ii) the auditor will execute a non-disclosure and non-competition undertaking toward Numoloo; (iii) the auditor will not have access to non- customer data; (iv) Customer will make sure that the audit will not interfere with or damage Numoloo’s business activities and information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the audit; (vi) no audit shall include access to Numoloo’s network and/ or networks that contain Numoloo’s Customer Data, (vii) Customer will receive only the auditor’s report, without any Numoloo ‘raw data’ materials, and will keep the audit results in strict confidence and will use them solely for the specific purposes of the audit under this section; (viii) at the request of Numoloo, Customer will provide it with a copy of the auditor’s report; and (ix) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.

14. Limitation of Liability

14.1 Each of Numoloo’s and Customer’s, and all of Numoloo’s Affiliates’ and

Customer’s Affiliates’, liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates of Customer and Numoloo, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

14.2 For the avoidance of doubt, Numoloo’s and its Affiliates’ total liability for all

claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and its Authorized Affiliates and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

14.3 Also, for the avoidance of doubt, each reference to the DPA in this DPA means

this DPA including its schedules and appendices.

APPENDIX A

Personal Information Processing Purposes and Details Subject Matter: Numoloo’s provision of the Services to Customer as described in the Agreement and the DPA.

Data Subject Types: Customer may submit Personal Information to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of Data Subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural

persons);

  • Employees or contact persons of Customer’s prospects, customers, business partners and

vendors;

  • Employees, agents, advisors, freelancers of Customer (who are natural persons); and
  • Customer’s Authorized Users and other users of the Services.

Personal Information Categories: Categories of Personal Information processed may include, depending on the Services used by Customer:

  • Contact information such as name, physical address, e-mail address, phone number
  • Telephonic and digital communications, such as call recordings, call transcripts, chat

transcripts, emails, caller ID information, and voicemail messages

  • Account information
  • Personal identifiers: name, email, telephone number
  • Electronic identifiers: Device ID, IP address, tracking ID
  • Professional data: company name, company domain

The parties do not intend for any sensitive data to be processed under the Agreement.

Processing Duration: Personal Information will be transferred to Numoloo on a continuous basis throughout the duration of the Services Nature of the Processing and Purposes of the Information Transfer and Further Processing.

  • Providing Customers with, as elected by Customer, call tracking, customer conversation,

lead management and information collection services and other services identified on the Numoloo website located at www.numoloo.com.

  • Information transfers to Numoloo for the purpose of performing its obligations under the

Agreement, including the Services and any related technical support requested by the Customer in accordance with the Agreement and this DPA.

Approved Sub-Processors:

Customer authorizes Numoloo to engage the following categories of sub-processors to process Personal Information on Customer’s behalf for the purposes described in the Agreement and this DPA:

Category of Sub- Information Transferred Purpose Location Processor Personal Information contained in Cloud hosting and Application hosting, data Customer Data, including call United infrastructure storage, security, and recordings, transcripts, metadata, States providers infrastructure services and related communications Personal Information contained in Voice transport, call routing, Voice infrastructure United call recordings, call metadata, and and related voice providers States phone numbers infrastructure services Speech-to-text processing, AI and data Personal Information contained in call analysis, summarization, United processing call recordings and transcripts and related AI-driven States providers functionality Email addresses and Personal Email delivery Transactional messaging and United Information contained in providers service notifications States transactional or notification emails Authentication and Limited account and User authentication, access United identity providers authentication metadata control, and security States Internal Limited metadata and Personal Internal alerts, service collaboration and United Information contained in system notifications, and notification States notifications operational communications providers A current list of Numoloo’s sub-processors, including the identity of vendors within each category, is available to Customers upon written request or via a non-public location designated by Numoloo. Numoloo will notify Customers of material changes to its sub-processors as required by applicable law.

APPENDIX B

Standard Contractual Clauses Controller to Processor (incorporated herein by reference)

ANNEX I

A. LIST OF PARTIES Data exporter(s): The data exporter is the Customer identified in the DPA (and the Customer’s Affiliates if authorized to use the Services).

The activities relevant to the data transferred under these Clauses are those activities related to Customer’s use of the data importer’s Services as described in the Agreement between them, which includes personal data provided by or on behalf of the Customer for processing by the data importer upon the Customer’s instructions and in accordance with the Agreement and this DPA.

The identity and contact details of the data exporter are the Customer details described in the Agreement and the DPA, and the data exporter’s contact person with responsibility for data protection under these Clauses is the Customer’s authorized administrator.

The Customer is the data controller of the personal data that is subject to the DPA.

Data importer(s): The data importer is Numoloo LLC.

The activities relevant to the data transferred under these Clauses are Numoloo’s provision of the Services as described in the Agreement with the data exporter, under which Numoloo is authorized to process personal data on the Customer’s behalf and upon the Customer’s instructions in accordance with the Agreement and this DPA.

The identity and contact details of the data importer and the data importer’s contact person with responsibility for data protection is:

Name: Numoloo LLC Address: c/o ZenBusiness Inc., 611 South DuPont Highway, Suite 102, Dover, DE 19901 Numoloo is the data processor of the personal data that is subject to the DPA.

B. DESCRIPTION OF TRANSFER The description of the transfer of personal data as of the Effective Date is attached to the DPA as Appendix A.

C. COMPETENT SUPERVISORY AUTHORITY The supervisory authority of the member state in which the Data Subject whose personal data is transferred under these clauses in relation to the offering of goods or services to him or her, or whose behavior is monitored, shall act as competent supervisory authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND

ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer will implement and maintain appropriate technical and organizational measures designed to ensure an appropriate level of security for the Customer Data, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. The specific technical and organizational measures employed by the data importer as of the Effective Date are attached to the DPA as Appendix C.

ANNEX III

LIST OF SUB-PROCESSORS

The categories of sub-processors currently engaged by Numoloo are listed in Appendix A. A current list of Numoloo’s sub-processors, including the identity of vendors within each category, is available to Customers upon written request or via a non-public location designated by Numoloo.

APPENDIX C

Security Measures Numoloo implements reasonable administrative, technical, and organizational measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Such measures include, without limitation:

  • Access controls: Role-based access to systems and data, limited to authorized personnel with a business need to know.
  • Authentication: Secure authentication mechanisms, including password protection and, where supported by third-party services, multi-factor authentication.
  • Encryption: Encryption of Personal Information in transit using industry-standard encryption protocols (e.g., TLS).
  • Hosting and infrastructure security: Use of reputable cloud infrastructure providers that maintain commercially reasonable security practices.
  • Data minimization: Collection and processing of Personal Information limited to what is necessary to provide the Services
  • Monitoring and incident response: Monitoring for unauthorized access and procedures to respond to security incidents.
  • Vendor management: Engagement of third-party service providers that are subject to contractual obligations regarding data protection and security.

    Numoloo may update these measures from time to time to reflect changes in technology, risk, and industry practices.