The purpose of this data processing addendum ("DPA") is to ensure compliance with Article 28(3) and (4) of the EU General Data Protection Regulation ("GDPR") and Article 9 of the Swiss Federal Act

on Data Protection ("FADP"), with respect to each law only if and to the extent applicable to the respective processing activity.

This DPA applies with respect to the processing of personal data as specified in Section A.

1. Definitions

1.1 Controller

The party (organization) that determines why and how personal data is processed.

1.2 Processor

The party that processes personal data on behalf of the Controller — in this case, Envision Cloud.

1.3 Personal Data

Any information relating to an identified or identifiable natural person, such as name, email, IP address, etc.

1.4 Processing

Any operation performed on personal data — collection, storage, modification, deletion, consultation, etc.

1.5 Sub-processor

A third party engaged by the Processor to carry out (parts of) the processing.

1.6 Personal Data Breach

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

1.7 Controller’s Instructions

The documented guidelines the Controller provides to the Processor on how personal data may be processed.

1.8 Duration of Processing

The period of time during which the Processor is allowed to process personal data — as set out in the DPA or the main agreement between the parties.

1.9 International Transfer

The movement of personal data to a country outside the EU/EEA or Switzerland — permitted only if adequate safeguards are in place.

1.10 Technical and Organizational Measures

Security measures (such as encryption, access restrictions, etc.) the Processor must implement to protect personal data from unauthorized access or damage.

1.11 Deletion or Return of Data

Upon termination of the agreement, the Processor must delete or return personal data to the Controller, unless legal obligations prevent this.

2. Processing of Data

2.1 Instructions

The Processor shall process Personal Data solely on the documented instructions of the Controller, unless otherwise required to do so by applicable Union, Member State, or Swiss law to which the Processor is subject. In such cases, the Processor shall inform the Controller of the legal requirement before processing, unless prohibited by law on important grounds of public interest.

The Controller may issue additional documented instructions during the term of this DPA. All such instructions shall be binding on the Processor and must be documented in writing (including electronically).

2.2 Details of the Processing

The subject matter, duration, nature, and purpose of the Processing of Personal Data by the Processor are strictly limited to the performance of the Services under the Agreement. The types of Personal Data and categories of Data Subjects processed are further set out in Annex A of this DPA

2.3 CCPA

In accordance with the California Consumer Privacy Act of 2018 (as amended, “CCPA”), and with respect to Personal Data subject to the CCPA:

1. The Processor shall not “sell” Personal Data, as that term is defined under the CCPA.

2. The Processor shall not collect, retain, use, disclose, or otherwise process Personal Data for any purpose other than as necessary to provide the Services to the Controller, as specified in the Agreement.

3. The Processor shall not use Personal Data for its own commercial benefit or for any purpose outside the direct business relationship between the Controller and the Processor.

3. Organizational Security

3.1 Technical and Organizational Measures

The Processor shall implement the technical and organizational measures described in Annex B: Security control to ensure the security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (“Personal Data Breach”). These measures shall be applied in accordance with Articles 5, 28(3)(c), and 32 GDPR, and Article 8 FADP.

When assessing the appropriate level of security, the Processor shall consider:

• the risks associated with the Processing,

• the sensitivity and categories of the Personal Data, and

• the nature, scope, context, and purposes of the Processing.

3.2 Personal Data Breach Notification

In the event of a Personal Data Breach involving data processed by the Processor, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.

The notification shall include, at a minimum:

• a designated contact point for further information;

• a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and data records concerned;

• the likely consequences of the breach; and

• measures taken or proposed to mitigate any adverse effects.

If complete information is not available at the time of the initial notification, the Processor shall provide the available details and update the Controller as additional information becomes available.

The Processor shall cooperate fully with the Controller and provide assistance as reasonably necessary to enable the Controller to comply with obligations to notify the competent supervisory authority and, where applicable, the affected Data Subjects.

3.3 Access and Confidentiality

Access to Personal Data shall be restricted to personnel of the Processor strictly necessary for the performance, management, or monitoring of the Agreement. The Processor shall ensure that all authorized personnel are subject to a binding duty of confidentiality, either contractual or statutory.

4. Data Erasure

4.1 Obligation upon Termination

Upon expiration or termination of the Agreement, the Processor shall, at the Controller’s written election, either:

• delete all Personal Data processed on behalf of the Controller; or

• return such Personal Data to the Controller.

This obligation applies to all copies of the Personal Data in the Processor’s possession or control.

4.2 Exceptions

The above requirement shall not apply to:

• Personal Data that the Processor is required to retain under applicable Union, Member State, Swiss, or other relevant law; or

• Personal Data stored in back-up systems, provided that such data is securely isolated, protected from further Processing, and deleted in accordance with the Processor’s standard deletion policies.

4.3 Certification

The Processor shall certify the deletion of Personal Data as described in Clauses 8.5 and 16(d) of the 2021 SCCs, where applicable. Such certification shall be provided upon the Controller’s written request.

4.4 Duration of Processing

Processing by the Processor shall only take place for the duration specified in Section A of this DPA.

5. International Transfer(s)

Any transfer of data to a country outside of the EU/EEA and Switzerland ("Third Country") or an international organization by the Processor shall be undertaken only if authorized in accordance with Annex A and shall take place in compliance with Chapter V of the GDPR and Articles 16 to 18 of the FADP, as applicable.

The Controller agrees that where the Processor engages a Sub-processor in accordance with Clause 4.6 for carrying out specific processing activities on behalf of the Controller in a Third Country and those processing activities involve transfer of personal data within the meaning of the GDPR or the FADP, as applicable, the Processor and the Sub-processor may use standard contractual clauses adopted by the Commission on the basis of Article 46(2) GDPR in order to comply with the requirements of Chapter V of the GDPR, provided the conditions for the use of those clauses are met and provided that an internal assessment concluded that such transfer meets the level of data protection of the GDPR and the FADP.

For more detailed guidance on international data transfers, please refer to the European Commission’s official page: Rules on international data transfers.

6. Use of Sub-processor(s)

The Processor is generally authorized by the Controller to engage Sub-processors. The current list of Sub-processors is provided in Section A. The Processor shall notify the Controller in writing at least 7 days in advance of any intended additions or replacements of Sub-processors, giving the Controller the opportunity to object, provided such objection is reasonable. The Processor shall ensure that all Sub-processors are bound by the same obligations as the Processor under this DPA and comply with Articles 28(2)–(4) GDPR and Article 9(3) FADP.

Upon the Controller’s request, the Processor shall provide a copy of the Sub-processor agreement and any subsequent amendments. The Processor remains responsible to the Controller for the performance of the Sub-processor’s obligations and shall promptly notify the Controller of any failure by a Sub-processor to fulfil its contractual duties.

7. Miscellaneous

Confidentiality:

The Parties agree to keep the terms and existence of this Agreement as well as any information exchanged under this Agreement confidential unless agreed otherwise between the Parties.

Entire agreement:

This DPA is the entire agreement, and supersedes all prior agreements, between the Parties relating to the scope of this DPA.

No assignment:

Neither Party may assign any of its rights, obligations or claims under this

Agreement unless agreed otherwise.

Amendments:

No modification or amendment of this DPA, nor any waiver of any rights under it, shall be effective unless made in writing and signed by both parties.

Severability:

If any provision of this DPA (in whole or part) is held to be illegal, invalid or otherwise unenforceable, the other provisions will remain mutatis mutandis in full force and effect.

Governing Law:

This DPA shall be governed by and construed in accordance with the laws applicable to the underlying Agreement, unless mandatory provisions of the GDPR require otherwise, in which case the laws of the Netherlands shall apply.