Disclaimer: This Data Processing Agreement (DPA) outlines how AstrisNexus processes personal data on behalf of Clients. It has been carefully prepared but has not yet undergone final legal review. This version is non-binding and may be amended prior to the operational launch of the platform.

This Data Processing Agreement ("DPA") forms Schedule 1 to the Agreement between AstrisNexus B.V. ("Processor") and the Client ("Controller"), as defined in the AstrisNexus Terms and Conditions (“Terms”). Capitalised terms not defined herein shall have the meanings set out in the Terms or the Privacy Policy.

This DPA governs the processing of Personal Data by Processor on behalf of Controller in the context of the services provided via the AstrisNexus Platform.

This DPA applies only where Processor acts as a Processor within the meaning of Article 4(8) GDPR and supplements Section 9 of the Terms and the AstrisNexus Privacy Policy.

1. Purpose and Scope

Processor shall process Personal Data solely on documented instructions from the Controller and only as necessary to provide the Services as defined in the Terms.

2. Legal Requirements under Article 28 GDPR

Processor shall:

• Process Personal Data only on documented instructions from Controller.

• Promptly inform Controller if, in its opinion, any instruction infringes Union or Member-State data protection law.

• Ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations.

• Implement and maintain appropriate technical and organisational measures (TOMs), as described in the Privacy Policy.

• Not engage any subprocessor without a written agreement imposing data protection obligations substantially similar to those set out in this DPA.

• Provide reasonable assistance to Controller in responding to data subject rights requests under Articles 12–23 GDPR.

• Provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations pursuant to Articles 35 and 36 GDPR, to the extent the processing carried out under this DPA is likely to result in a high risk to the rights and freedoms of natural persons.

• Notify Controller without undue delay and in any event within 24 hours after becoming aware of a Personal Data Breach.

• Upon termination of the Agreement, return or delete Personal Data in accordance with the Privacy Policy, unless otherwise agreed in writing or where continued retention is required by applicable law or for legitimate archiving or backup purposes.

• Make available to Controller, upon written request, information reasonably necessary to demonstrate compliance with this DPA, insofar as it relates to the processing of Controller’s Personal Data, and allow for and contribute to audits solely relating to such processing, subject to reasonable notice, scope limitations, and confidentiality obligations.

• Audits may occur no more than once per twelve (12) months, must be notified at least thirty (30) days in advance, and may not unreasonably disrupt Processor’s operations. No audit shall extend to other Clients’ data or general infrastructure unrelated to Controller’s Personal Data.

3. Restrictions on Use

Processor shall not:

• Use Personal Data for its own purposes or for the benefit of any third party, except as expressly permitted under the Privacy Policy.

• Use Personal Data to train or fine-tune any machine-learning or AI model.

4. Subprocessors and International Transfers

The identity of subprocessors and the legal mechanisms supporting international data transfers (including SCCs and the EU–US Data Privacy Framework) are set out in the Privacy Policy. Processor shall provide notice of any material changes in accordance with the procedure described therein.

5. Precedence

In the event of any conflict between this DPA and the Terms or Privacy Policy, this DPA shall prevail solely with respect to the processing of Personal Data under the GDPR.

6. Governing Law and Jurisdiction

This DPA is governed by Dutch law. Any dispute shall be submitted to the competent court of Amsterdam, the Netherlands.

7. Annexes

The following Annexes form an integral part of this DPA and shall be provided upon request or made available via the Platform:

• Annex I – Details of Processing Activities

• Annex II – Technical and Organisational Measures (TOMs)

• Annex III – Approved Subprocessors