Data Processing Agreement

WE.VESTR Coöperatie U.A., a private company with limited liability organised and existing under the laws of the Netherlands, having its corporate seat in Amsterdam and its official address at Kattenburgerstraat 5, 1018 JA The Netherlands, registered with the Trade Register of the Chambers of Commerce under number 77192516 (“WE.VESTR”, the “Data Processor” or the “Processor”), and the customer (the “Customer”, the “Data Controller” or the “Controller”), hereby agree as follows:

1. Scope

1.1. This Data Processing Agreement ("Agreement") applies exclusively to the processing of Personal Data that is subject to European Union (EU), United Kingdom (UK), and Swiss data privacy laws in the scope of the Services Agreement between the Data Controller and the Processor (each a "Party" and together the "Parties") for the provision of the Services.

1.2. For the purpose of this Agreement, EU data privacy law ("EU Data Privacy Law") means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). UK data privacy law ("UK Data Privacy Law") means all laws relating to data protection, the processing of Personal Data, privacy, and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. Swiss data privacy law means the Federal Act of 19 June 1992 on Data Protection, including any future revision thereof ("Swiss Data Privacy Law"). EU Data Privacy Law, UK Data Privacy Law, and Swiss Data Privacy Law are collectively referred to as "Data Privacy Law".

1.3. Terms such as "Processing", "Personal Data", "Data Controller", and "Processor" shall have the meaning ascribed to them in EU Data Privacy Law, UK Data Privacy Law, and Swiss Data Privacy Law, as applicable.

1.4. This Data Processing Agreement shall apply to the processing of Personal Data of the Data Controller subject to EU Data Privacy Law, UK Data Privacy Law, and Swiss Data Privacy Law by the Data Processor in the course of performing the Services Agreement with the Data Controller. An overview of the categories of Personal Data, the types of Data Subjects, and the Purposes for which the Personal Data are being processed is provided below.

2. Binding

The Parties agree to be bound by the provisions and obligations set forth in this Agreement with respect to all of their data protection obligations and data processing relationships. The Parties further agree that any previous data protection and data processing obligations agreed to among them shall be deleted and repealed in its entirety and replaced with this Agreement.

3. Information required by Data Privacy Law

3.1. Subject matter of processing

The processing of Personal Data by WE.VESTR for the provision of equity management services via an online software application ("Application") and the fulfillment of contractual obligations under the Services Agreement and this Data Processing Agreement.

3.2. Duration of processing

The processing of Personal Data shall be carried out for the duration of the Services Agreement until termination or until the processing of any Personal Data by WE.VESTR is no longer necessary for the performance of its relevant obligations under the Services Agreement or Agreement or for its other legitimate interests.

3.3. Purpose of processing

The processing of Customer Personal Data and equity data for the purpose of providing the Services. Customer Personal Data will be provided by the Customer.

3.4. Customer Personal Data

3.4.1. Equity data

Shareholder information (including their General Personal Data), company information, share ledger transaction history, legal documents, and other cap table details.

3.4.2. General Personal Data

Names, email addresses, titles, and positions.

3.5. Data Subjects

The Data Subjects include shareholders, other third parties such as lawyers, and any other individuals whose Personal Data is processed in connection with the provision of the Services.

4. WE.VESTR as Processor

The Customer and WE.VESTR agree that, for the purposes of this Agreement, WE.VESTR (and each permitted subcontractor) shall act as the Data Processor.

5. Obligations

5.1. As the Data Processor, WE.VESTR shall:

5.1.1. Process the Customer Personal Data only as necessary to perform its obligations under the Services Agreement and as required by applicable laws (provided that WE.VESTR informs the Customer of any legal requirement before processing, unless such disclosure is prohibited by law on important grounds of public interest);

5.1.2. Ensure that all staff who have access to Customer Personal Data have committed themselves to appropriate obligations of confidentiality;

5.1.3. Maintain appropriate technical and organizational measures to ensure the security of the Customer Personal Data. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. WE.VESTR will, therefore, evaluate the measures on an ongoing basis and will tighten, supplement, and improve them as necessary. The Parties will negotiate the cost, if any, and an amendment to the Services Agreement, if required, to implement material changes required by specific updated security requirements set forth in applicable Data Privacy Law or by data protection authorities of the competent jurisdiction. A summary of the current technical and organizational measures can be found on the website wevestr.com, as amended from time to time;

5.1.4. Assist the Customer, to the extent possible, in fulfilling its obligations in responding to requests for exercising Data Subject rights set out in applicable Data Privacy Law;

5.1.5. Not engage any other processor in relation to the Services except in accordance with the Customer's general authorization. See the Subprocessors Register for the list of current subprocessors used by WE.VESTR. Upon the Customer's request, the Customer shall have the right to be informed of any new processors and to veto proposed changes in good faith for material grounds within 30 days of publication. For the avoidance of doubt, WE.VESTR shall enter into an agreement with each sub-contractor containing obligations that are equivalent to those set out in this Clause 5;

5.1.6. Not consider ancillary services such as telecommunications, maintenance, user service, data hosting, cleaning staff, inspectors, or the disposal of data media as subcontracting relationships within the meaning of this Clause 5. However, WE.VESTR shall be obliged to make appropriate contractual agreements in accordance with the law and to take control measures to ensure the protection and security of the Customer's Personal Data, even in the case of ancillary services provided by third parties.

5.1.7. Permit the Customer or a third-party auditor acting under the Customer's direction, subject to reasonable access arrangements and save for disclosure of information that is confidential, commercially sensitive, or privileged, to conduct, at the Customer's cost, data protection audits, assessments, and inspections concerning WE.VESTR's data protection procedures relating to its compliance with this Clause 5. For the avoidance of doubt, the Customer's audit, access, and inspection rights under this Clause are limited to WE.VESTR's records only and do not apply to WE.VESTR's physical premises;

5.1.8. Notify the Customer in writing and as soon as reasonably practicable if it becomes aware of a reportable data breach, and provide the Customer with assistance in responding to and mitigating it, according to the Data Breach Procedure;

5.1.9. Assist the Customer in complying with Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the GDPR (or the respective definitions in the Swiss and UK Data Privacy Law) in respect of any new type of processing proposed, in accordance with EU Data Privacy Law, UK Data Privacy Law, and Swiss Data Privacy Law;

5.1.10. Unless otherwise stipulated in the Services Agreement, upon termination or expiry of this Agreement, either destroy all Customer Personal Data or transfer it to the Customer or a nominated third party (in a mutually agreed format and by a mutually agreed method).

5.1.11. Limit its aggregate liability to the Customer hereunder and in relation to all of WE.VESTR's data protection obligations under Data Privacy Law to 100% of the fees paid by the Customer in a Contract Year under the Services Agreement for each such Contract Year, and in no event exceed, in aggregate for the entire duration of the Services Agreement and thereafter, 200% of the fees paid by the Customer in the Contract Year with the lowest fees. For the purposes of this Clause, "Contract Year" shall mean each period of 12 months following on from the effective date of the Services Agreement or its anniversary and shall include such 12-month periods that continue after the termination of the Services Agreement.

5.1.12. For cross-border transfers to countries that do not provide an adequate data protection level as determined by the European Commission ("EC"), WE.VESTR will implement adequate security measures, including the Standard Contractual Clauses ("SCCs") issued by the EC. The most current version of the SCCs will be deemed entered into and incorporated into this Agreement by reference.

5.2. The Customer, acting as the Controller, hereby warrants and represents that:

5.2.1. All processing of Customer Personal Data will be in compliance with all Data Privacy Law, and that the processing of the Customer Personal Data by WE.VESTR in accordance with this Agreement will not breach Data Privacy Law;

5.2.2. Customer Personal Data provided to WE.VESTR are accurate and will be updated to ensure continued accuracy as and when required;

5.2.3. It has notified Data Subjects of any applicable period for which Customer Personal Data or any element of Customer Personal Data will be stored by WE.VESTR;

5.2.4. The Customer has the right to provide Customer Personal Data to WE.VESTR and has provided Data Subjects with all necessary information and data protection notices on or in connection with the collection of such Customer Personal Data from data subjects, including, but not limited to, the supply of Customer Personal Data to WE.VESTR and details of the purposes for which such Customer Personal Data will be processed by WE.VESTR, including, if applicable, as set out in WE.VESTR's Data Retention Policy;

5.2.5. The Customer warrants and represents:

5.2.5.1. That the Customer will not provide WE.VESTR with nor request WE.VESTR to process the types and categories of Personal Data listed, defined, or referenced in Articles 7–10 of the GDPR or respective definitions in the UK and the Swiss Data Privacy Law (collectively "High-Risk Personal Data").

5.2.5.2. That the Customer will not provide WE.VESTR with nor pass to WE.VESTR personal data for which WE.VESTR has no knowledge of, is unaware of, or which is not explicitly provided for under this Data Protection Agreement. Further, where applicable, the Customer will not enter any personal data into free text fields embedded in relevant WE.VESTR products and/or Services and will not incorporate any personal data outside of the scope of Personal Data as contemplated in the Services Agreement and this Agreement into any attachments that are to be uploaded into WE.VESTR's Application;

5.2.6. The Customer shall keep the login credentials used to access the Services secure and shall procure its employees, contractors, and/or agents to do the same. The Customer shall be liable for the access to the Services through such login credentials. The Customer further warrants that it shall promptly notify WE.VESTR of any unauthorized use of any login credentials or other breaches of security, including loss, theft, or unauthorized disclosure of login credentials.

6. Liability

The Customer acknowledges that WE.VESTR relies on the Customer's instructions as to the extent to which WE.VESTR is entitled to use and process the Customer Personal Data. Therefore, WE.VESTR shall not be liable for any costs, claims, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill, and profits), actions, proceedings, and liabilities of any nature incurred by WE.VESTR or for which WE.VESTR may become liable due to any claim brought by a Data Subject or Supervisory Authority arising from any action or omission by WE.VESTR, to the extent that such action or omission resulted from the Customer's instructions.

The Customer shall, on demand, fully indemnify and keep WE.VESTR effectively indemnified against all such costs, claims, demands, expenses, losses, actions, proceedings, and liabilities arising out of or in connection with such claims by Data Subjects or Supervisory Authorities.

7. Indemnification

The Customer shall fully indemnify WE.VESTR and keep WE.VESTR fully and effectively indemnified against all costs, claims, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill, and profits), actions, proceedings, and liabilities of any nature arising from or incurred by WE.VESTR or its affiliates in connection with any failure of the Customer or any third party appointed by the Customer to comply with any of the provisions of Clause 5 and/or Data Privacy Law in respect of its processing of Customer Personal Data.

Upon demand, the Customer shall make payment to WE.VESTR in respect of any such indemnity claims, which may include any costs incurred by WE.VESTR in defending such claims. The Customer shall promptly notify WE.VESTR of any such claims and provide WE.VESTR with all necessary assistance in defending such claims.

8. Prevalence

In the event of any conflict between this Data Protection Agreement and any parts of the Services Agreement, this Data Protection Agreement shall prevail, govern, and supersede. The provisions of this Data Protection Agreement and the obligations hereunder shall survive the termination or expiry of the Services Agreement, however effected or arising.

9. Compensation

9.1. Subject to Clause 5.1.11, if either Party (the "Claiming Party") is entitled under Data Privacy Law to claim compensation from the other Party (the "Compensating Party") paid to a data subject as a result of a breach of Data Privacy Law, to which the Compensating Party contributed, the Compensating Party shall be liable only for the amount directly related to its responsibility for any damage caused to the relevant data subject. The Compensating Party shall make payment to the Claiming Party only upon receipt of satisfactory evidence from the Claiming Party that clearly demonstrates the Compensating Party:

9.2. where WE.VESTR is the Compensating Party only, that WE.VESTR has acted outside of the instructions of the Customer;

9.3. has breached applicable Data Privacy Law; and

9.4. that such breach contributed (in part or in full) to the harm caused and entitling the relevant data subject to receive compensation in accordance with the applicable Data Privacy Law; and

9.5. the proportion of responsibility for the harm caused to the relevant data subject which is attributable to the Compensating Party.

The Parties shall work together in good faith to determine the appropriate proportion of responsibility for the harm caused to the relevant data subject, to the extent possible.

10. Force majeure

If WE.VESTR is unable to comply with its obligations under this Agreement due to a Force Majeure Event, WE.VESTR shall promptly notify the Customer of such inability.

11. Law and Jurisdiction

This Agreement and any disputes arising out of or in connection with them shall be governed by and construed in accordance with the laws of the Netherlands, without giving effect to any choice or conflict of law provision or rule (whether of the Netherlands or any other jurisdiction).

Any legal action or proceeding arising out of or in connection with this Agreement shall be brought exclusively in the courts of the Netherlands. You agree to submit to the personal jurisdiction of the courts of the Netherlands for the purpose of litigating all such claims or disputes.

11.1. Communication Channels

If you need to contact WE.VESTR regarding any issues related to this Agreement, you may do so via email at [email protected] or by registered letter to WE.VESTR Coöperatie U.A., Kattenburgerstraat 5, 1018 JA, Amsterdam, The Netherlands.

Any dispute or claim arising out of or in connection with this Agreement, including any non-contractual disputes or claims, shall be subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands. You agree to submit to the personal jurisdiction of the courts of Amsterdam for the purpose of resolving any such disputes or claims.