Data Processing Addendum
Effective: January 16, 2026

THIS DATA PROCESSING ADDENDUM (THE "DPA") GOVERNS THE PROCESSING OF PERSONAL DATA BY COMPANY ON BEHALF OF CUSTOMER IN CONNECTION WITH CUSTOMER'S USE OF THE SERVICES. If the parties have entered into any terms of service, master services agreement, order form, statement of work, or other contract that governs Customer's use of the Services and that references this DPA (each, a "Service Agreement", and together the "Services Agreement"), this DPA is incorporated into and forms part of the applicable Service Agreement. If no Service Agreement exists, this DPA applies to the extent Company Processes Personal Data on behalf of Customer in connection with the Services.

It is agreed as follows:

1. Interpretation

1.1 In this DPA, unless the context otherwise requires, the following words and phrases have the following meanings:

"Company" means Northell Partners Ltd, a HH Global Limited ("HH Global") group company;

"DPA" means this Data Processing Addendum (including the schedules and any annexures to it);

"DP Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (i) GDPR; (ii) UK GDPR; (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA 2018"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (vii) any guidance or statutory codes of practice issued by the relevant DP Regulator, in each case, as updated, amended or replaced from time to time;

"DP Regulator" means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the DP Laws;

"Data Subject Request" means a request from a Data Subject to exercise its rights under the DP Laws in respect of that Data Subject's Personal Data;

"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as set out in the European Commission's Implementing Decision 2021/914 of 4 June 2021, as such may be amended, replaced or superseded by the European Commission from time to time;

"EU SCCs Transfer" has the meaning given in clause 10.4;

"GDPR" means the EU General Data Protection Regulation 2016/679;

"Government Agency Requests" has the meaning given in clause 10.6(a);

"ICO" means the Information Commissioner's Office or such other DP Regulator responsible for monitoring or enforcing compliance with DP Laws in the UK;

"Permitted Region" means the United Kingdom and the European Economic Area;

"Personal Data" means the personal data made available by the Customer to Company, or processed by Company on behalf of the Customer;

"Security Breach" means any actual loss, unauthorised or unlawful processing, destruction, damage, or alteration, or unauthorised disclosure of, or access to the Personal Data;

"Services" means any products, services, features, functionality, support, websites, platforms, applications, or other offerings provided by the Company to the Customer, whether accessed online, through an account, via API, under a contract, or otherwise made available by the Company in connection with the processing of Personal Data;

"Sub-Processor" means a subcontractor (including any affiliates of Company) appointed by Company to process Personal Data in accordance with this DPA;

"UK Addendum" means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0, as may be amended, replaced or superseded by the ICO from time to time (including as formally issued by the ICO under section 119A(1) Data Protection Act 2018);

"UK Addendum Transfer" has the meaning given in clause 10.5;

"UK GDPR" means GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.2 The terms "data subject", "data processor", "data controller", "personal data", "process", "processing", "transfer" (in the context of transfers of Personal Data) and "technical and organisational measures" shall have the meanings and otherwise be interpreted in accordance with the applicable DP Laws.

1.3 If there is any conflict or ambiguity between any of the provisions of this DPA and the Services Agreement in relation to the processing of personal data, the provisions of this DPA shall prevail.

2. Term

2.1 This DPA shall commence on the same date it is incorporated into and forms part of the Services Agreement and shall remain in effect until the Company no longer processes any Personal Data on behalf of the Customer.

3. Compliance with Data Protection Laws

3.1 Company shall comply with its obligations under the DP Laws as they apply to it as a data processor of the Personal Data.

3.2 The Customer shall comply with its obligations under the DP Laws as they apply to it as a data controller of the Personal Data.

3.3 Company shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the DP Laws, and shall make such information available to any DP Regulator on request.

4. Nature of processing; Security

4.1 Company will process Personal Data only as necessary to provide the Services and for business operations incident to providing the Services, and only in accordance with this DPA and Customer's documented instructions.

4.2 The parties acknowledge and agree that:

(a) Subject Matter. The subject-matter of the processing is Personal Data submitted to or collected through the Services.

(b) Duration. The Company will process Personal Data for the duration set forth in this DPA until deletion or return in accordance with this DPA.

(c) Nature and Purpose. The nature and purpose of the processing are to provide, operate, maintain, secure, support, and improve the Services, and to perform the Company's obligations under this DPA.

(d) Categories of Personal Data. Personal Data submitted to or collected through the Services, the scope of which is determined and controlled by Customer.

(e) Categories of Data Subjects. Individuals whose Personal Data is submitted to or collected through the Services, including Customer's employees, contractors, clients, suppliers, end users, and any other categories of Data Subjects as identified in records maintained by Customer acting as data controller pursuant to applicable DP Laws.

4.3 In processing the Personal Data, Company shall:

(a) not process the Personal Data for any purpose other than those set out in this DPA, the Services Agreement or otherwise expressly authorised by the Customer;

(b) notify the Customer within forty-eight (48) hours if it receives a Data Subject Request in respect of Personal Data;

(c) provide the Customer with its full co-operation and assistance in relation to any Data Subject Request in respect of Personal Data;

(d) not disclose any Personal Data to any Data Subject or to a third party (including any subcontractor or affiliate) other than at the written request of the Customer or as expressly provided for in this DPA;

(e) taking into account: (i) the state of the art; (ii) the nature, scope, context and purposes of the processing; and (iii) the risk and severity of potential harm, protect the Personal Data by ensuring that it has in place appropriate technical and organisational measures, including measures to protect the Personal Data against the risks of a Security Breach; and

(f) ensure that only persons authorised by Company in accordance with this DPA process Personal Data and that such persons are (i) subject to binding obligations to maintain the confidentiality of the Personal Data; and (ii) trained on both (1) the requirements of the DP Laws, and (2) their obligations in respect of Personal Data under this DPA.

4.4 Company shall, without undue delay (and in any event within twenty-four (24) hours) after discovering any Security Breach or any failure or defect in security which leads, or might reasonably be expected to lead, to a Security Breach (together a "Security Issue"), notify the Customer of the same.

4.5 Where a Security Issue arises, Company shall:

(a) as soon as reasonably practicable, provide the Customer with full details of the Security Issue, the actual or expected consequences of it, and the measures taken or proposed to be taken to address or mitigate it;

(b) co-operate with the Customer, and provide the Customer with all reasonable assistance in relation to the Security Issue; and

(c) unless required by applicable law, not make any notifications to a DP Regulator or any Data Subjects about the Security Issue without HH Associate's prior written consent (not to be unreasonably withheld or delayed).

5. Return or destruction of Personal Data

5.1 Subject to clause 5.2, Company shall (at the Customer's option) return or irretrievably delete all Personal Data in its control or possession when it no longer requires such Personal Data to exercise or perform its rights or obligations under this DPA, and in any event on expiry or termination of this DPA or (if earlier) the Services Agreement.

5.2 To the extent that Company is required by applicable law to retain all or part of the Personal Data (the "Retained Data"), Company shall:

(a) cease all processing of the Retained Data other than as required by the applicable law;

(b) keep confidential all such Retained Data in accordance with clause 4.2(e); and

(c) continue to comply with the provisions of this DPA in respect of such Retained Data.

6. Audit

6.1 Company shall comply with all requests from the Customer (and its auditors, and its and their internal or external representatives) to access and inspect Company's (and its Sub-Processors') premises, records and personnel relevant to any processing of Personal Data, in each case to enable the Customer to audit and verify that Company (and its Sub-Processors) is complying fully with its obligations under this DPA and under the DP Laws in relation to Personal Data.

6.2 Where appropriate, Company may satisfy audit requests by providing relevant third-party reports or certifications, security summaries, and supporting evidence where sufficient. Company shall otherwise provide such information, co-operation and assistance in relation to any request made by the Customer (or its auditors, or its or their representatives) under clause 6.1 as the Customer may reasonably require.

7. Co-operation and assistance

7.1 Company shall promptly co-operate with the Customer, and promptly provide such information and assistance as the Customer may reasonably require, to enable the Customer to:

(a) comply with the Customer's obligations under the DP Laws (including Articles 32-36 of GDPR and UK GDPR, as applicable) in respect of Personal Data; and

(b) deal with and respond to all investigations and requests for information relating to the Personal Data from any DP Regulator.

7.2 If Company receives any complaint, notice or communication from a DP Regulator or other third party (excluding a Data Subject Request) which relates directly or indirectly to Personal Data or to either party's compliance with the DP Laws, it shall notify the Customer as soon as reasonably practicable.

7.3 Where any provision of this DPA places an obligation on Company, that obligation shall be construed as an obligation on Company to procure that all its Sub-Processors, and its own and its Sub-Processors' personnel, comply with such obligation.

8. Sub-Processors

8.1 Company is authorised by the Customer to appoint Sub-Processors in connection with the processing of Personal Data. Customer expressly acknowledges and agrees that:

(a) Company's affiliates within the HH Global group may act as Sub-Processors, including without limitation HH Associates U.S., Inc. and H H Associates Limited; and

(b) Company uses Microsoft Corporation and its affiliates as a Sub-Processor for cloud hosting, storage, compute, and related infrastructure services in connection with the Services.

8.2 Company shall maintain a current list of Sub-Processors involved in the processing of Personal Data in connection with the Services ("Sub-Processor List"). Company will make the Sub-Processor List available to Customer upon request or via a URL notified to Customer.

8.3 Company shall ensure:

(a) such Sub-Processor shall only process Personal Data in order to perform one or more of Company's obligations under this DPA; and

(b) it enters into a written agreement with that Sub-Processor, prior to any processing by the Sub-Processor, requiring the Sub-Processor to: (i) process Personal Data only in accordance with the written instructions of Company in accordance with and pursuance of its obligations under this DPA, or the Customer; and (ii) comply with data protection obligations equivalent in all material respects to those imposed on Company under this DPA.

8.4 Notwithstanding the appointment of a Sub-Processor, Company is responsible and liable to the Customer for any processing by the Sub-Processor in breach of this DPA.

8.5 For the purposes of clause 10 (Transfers of Personal Data), the Customer provides its prior written authorisation and consent for Company to transfer Personal Data outside the Permitted Region to any Sub-Processor authorised in accordance with this DPA, provided that such transfers are made in compliance with applicable DP Laws, including the implementation of appropriate transfer mechanisms.

9. Customer warranty

9.1 The Customer warrants to Company that processing in accordance with its instructions provided pursuant to clause 4.2(a) and 4.2(b) shall be lawful and in particular, that it shall be compliant with DP Laws. The Customer further warrants to Company that it has all appropriate consents, authorisations and lawful grounds required for Company to process the Personal Data in accordance with this DPA.

10. Transfers of Personal Data

10.1 Company may transfer or access Personal Data outside the Permitted Region to the extent permitted under this DPA, including where such transfers relate to authorised Sub-Processors, provided that Company ensures such transfers are made in compliance with applicable DP Laws (including by implementing appropriate transfer mechanisms such as the EU SCCs, the UK Addendum, Binding Corporate Rules, or other lawful safeguards).

10.2 Company shall ensure there is adequate protection and appropriate safeguards for such Personal Data in accordance with applicable DP Laws when it is transferred or accessed outside of the Permitted Region. Such adequate protection and appropriate safeguards may include Company or the applicable Sub-Processor or third party:

(a) taking such steps, and/or providing such legally binding assurances, as may reasonably be required by the Customer on an on-going basis; and/or

(b) entering into the EU SCCs (and, where applicable, the UK Addendum) with the Customer or Company.

10.3 Where Personal Data is transferred by the Customer to Company outside the Permitted Region, then, to the extent that the GDPR applies to the Customer's processing when making that transfer, and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR, such transfer shall constitute an "EU SCCs Transfer".

10.4 Where Personal Data is transferred by the Customer to Company outside the Permitted Region, then to the extent that the UK GDPR applies to the Customer's processing when making that transfer, and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA 2018, such transfer shall constitute a "UK Addendum Transfer".

10.5 In respect of any EU SCCs Transfers and UK Addendum Transfers, the following supplementary measures shall apply:

(a) Company warrants that, at the time of the transfer, it has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the relevant Personal Data is being exported, for access to (or for copies of) any personal data that has been transferred to Company in that country ("Government Agency Requests");

(b) if, upon commencement of the term of this DPA, Company receives any Government Agency Requests which concern the Personal Data, it will (unless prohibited by law from doing so) inform the Customer in writing as soon as reasonably practicable and the Customer and Company shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and

(c) the Customer and Company will review whether: (i) the protection afforded by the laws of the country in which Company is located to Data Subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the European Economic Area and/or the UK; (ii) additional measures are reasonably necessary to enable the transfer to be compliant with the DP Laws; and (iii) it is still appropriate for Personal Data to be transferred to Company, taking into account all relevant information available to the parties, together with guidance provided by the DP Regulators.

11. EU SCCs Transfers and UK Addendum Transfers

11.1 Where the transfer of Personal Data from the Customer (as Data Exporter) to Company (as Data Importer) constitutes an EU SCCs Transfer or a UK Addendum Transfer, then that transfer shall be governed as set out in this clause 11.

11.2 Where there is an EU SCCs Transfer, such transfer shall be permitted provided that where Company processes Personal Data as a processor, and the Customer is a data controller, the parties shall be bound by and comply with the Module 2 EU SCCs and the following shall apply:

(a) Clause 7 (docking) shall not apply;

(b) In respect of Clause 9 (sub-processors), Option 1 (specific prior authorisation) applies, and the Data Importer shall submit any request for specific authorisation at least 30 days prior to the engagement of any sub-processor together with the information necessary for the Data Exporter to decide on the authorisation;

(c) The "OPTION" in Clause 11(a) shall not apply and the wording in square brackets in that Clause shall be deleted;

(d) In respect of Clause 17 (governing law), the parties agree that the governing law shall be the law set out in the Services Agreement, or where the law set out in the Services Agreement is not a valid governing law for the purpose of Clause 17, it shall be the law of Ireland;

(e) In respect of Clause 18 (choice of forum and jurisdiction), the relevant courts shall be the courts identified in the Services Agreement, or where the courts identified in the Services Agreement are not a valid forum and jurisdiction for the purpose of Clause 18, it shall be the courts of Ireland;

(f) Annex I, Section A of the Standard Contractual Clauses shall be completed with the information set out in clause 4 of this DPA and the signature and date shall be deemed to be as at the date of this DPA;

(g) Annex I, Section B of the Standard Contractual Clauses shall be completed with the information set out in or in the form set out in clause 4 of this DPA;

(h) Annex I, Section C shall be completed as follows: the Data Exporter's competent supervisory authority as determined by the EU GDPR; and

(i) Annex II of the Standard Contractual Clauses shall be completed with the information set out in Schedule 1 of this DPA.

11.3 Where there is a UK Addendum Transfer, such transfer shall be governed by the EU SCCs as amended by the UK Addendum, which for these purposes are hereby incorporated into this DPA by reference and deemed to have been entered into by Company as a processor and the Customer as a data controller.

11.4 For the UK Addendum, the following shall apply:

(a) Table 1 shall be deemed completed with the relevant information from this DPA;

(b) In Table 2, the first option shall be selected with the date being the date of this DPA in accordance with clause 2 and the reference being to the EU SCCs identified in clause 11.2;

(c) Table 3 shall be deemed completed with the relevant information as set out in this DPA; and

(d) Table 4 shall be deemed completed such that Company has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum.

11.5 If, during the term of this DPA, either (a) the EU SCCs are amended, replaced or superseded by the European Commission; or (b) the UK Addendum is formally issued on different terms or is subsequently amended, replaced or superseded by the ICO, then Company may, by written notice to the Customer and with effect from the date set out in such notice, make such consequential amendments as Company reasonably considers necessary to this DPA to ensure that it remains compliant with the provisions of the DP Laws and any other applicable law.

11.6 If there is any conflict or ambiguity between any of the provisions of this DPA and the EU SCCs and/or the UK Addendum, the EU SCCs and/or the UK Addendum (as applicable) shall prevail.

12. Exclusion of third party rights

Unless expressly provided in this DPA, no term of this DPA is enforceable pursuant to the Contracts (Rights of Third Parties) Act 1999 by any person who is not a party to it.

13. Variation

No purported variation of this DPA shall be valid unless it is in writing (which excludes email) and signed by or on behalf of each party.

14. Other terms and conditions

14.1 Each party acknowledges that:

(a) upon commencement of this DPA, it does not rely, and has not relied, upon any representation (whether negligent or innocent), statement or warranty made or agreed to by any person (whether a party to this DPA or not) except those expressly set out in this DPA;

(b) the liability of each party, including without limitation applicable limitations of liability, shall be governed by the Services Agreement; and

(c) the only remedy available in respect of any misrepresentation or untrue statement made to it shall be a claim for damages for breach of contract as may be applicable.

14.2 Nothing in this clause 14 shall limit or exclude any liability for fraud.

15. Governing law and jurisdiction

15.1 This DPA and any dispute or claim (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by and construed in accordance with the law set out in the Services Agreement or, if not so set out, the laws of England and Wales.

15.2 Each party irrevocably agrees that the courts identified in the Services Agreement shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this DPA, its subject matter or formation.

16. Contact

16.1 The Company's privacy contact is the Data Management and Cybersecurity Committee (DMCC), reachable at dmc@northell.com.

Schedule 1

Security

Capitalised terms used in this Schedule 1 are defined as set out in the DPA. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, the security measures agreed upon by the parties as set out in this Schedule 1.

Improvements to Security

The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Company will therefore evaluate the measures as implemented in accordance with clause 4 of the DPA on an on-going basis in order to maintain compliance with the requirements set out in clause 4 of the DPA and Article 32 of the UK GDPR. The parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in DP Laws or by a DP Regulator.

Company shall:

1. Ensure that it has physical security controls in place designed to secure relevant facilities, server rooms, infrastructure, data centers, hard copy files, servers, backup systems, and equipment (including mobile devices) used to access Personal Data pursuant to this DPA, including controls to prevent, detect, and respond to attacks, intrusions, or other system failures;

2. Ensure that the Personal Data processed pursuant to this DPA can be accessed only by authorised personnel. This may include but not be limited to:
(a) Company assigning access rights to Personal Data to the minimum extent necessary for the performance of the services under the Services Agreement and the processing under this DPA;
(b) Company cancelling access rights to Personal Data processing pursuant to this DPA without delay when access to Personal Data is no longer required for the purpose of this DPA;
(c) Company recording the details of authorisations, alterations or cancellations and keeping the records for a minimum of three (3) years;
(d) Company issuing unique user accounts for all Personal Data access, which Company shall not permit to be shared;
(e) Company taking all reasonable measures to prevent unauthorised access to Personal Data through the use of appropriate physical and logical access controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;

3. Build in system and audit trails to ensure that Company logs and monitors the details of all access to Personal Data on networks, systems and devices operated by Company. Company's logging and monitoring systems shall meet applicable industry standards and Company shall maintain access logs for at least twelve (12) months. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. Log information should be protected against tampering and unauthorised access;

4. Use secure passwords, network intrusion detection technology, encryption and authentication technology, segregated networks for data processing and secure logon procedures and virus protection;

5. Account for risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, processing, access or disclosure of Personal Data;

6. Ensure pseudonymisation and/or encryption of Personal Data, where appropriate using a reasonable encryption standard;

7. Maintain security patches and maintain controls and processes designed to ensure that networks, systems, and devices (including operating systems and applications) that process Personal Data are up-to-date, including prompt implementation of all security patches when issued;

8. Maintain a reasonable Security Breach response program which includes ensuring that employees of Company and its affiliates are aware of the procedure for reporting information security events and the point of contact to which the events should be reported. If Company becomes aware of a Security Breach, it will promptly take reasonable steps to:
(a) Minimise harm and risk to Data Subjects;
(b) Secure the Personal Data under threat;
(c) Notify Customer as quickly as possible and in any such case in accordance with this DPA; and
(d) Assist Customer in ensuring compliance with its Security Breach notification obligations under applicable laws and as otherwise reasonably requested;

9. On request, provide reasonable information about any Security Breach, including:
(a) A description of the Personal Data subject to the Security Breach (including the categories and number of data records and Data Subjects concerned);
(b) The date and time of the Security Breach;
(c) A description of the likely consequences of the Security Breach;
(d) A description of the circumstances that led to the Security Breach (e.g. loss, theft, copying);
(e) A description of recommended measures to mitigate any adverse effects of the Security Breach;
(f) A description of the measures Company proposes to address the Security Incident; and
(g) Relevant contact people who will be reasonably available until the parties mutually agree that the Security Incident has been resolved;

10. At Company's cost, take appropriate steps to promptly remediate the root cause(s) of any Security Breach, and reasonably cooperate with Customer with respect to the investigation and remediation of such incident. Company will promptly provide Customer the results of the investigation and any remediation already undertaken;

11. Except as required by applicable laws, not make (or permit any third party to make) any statement concerning the Security Breach that directly or indirectly references Customer, unless Customer provides its explicit written authorization;

12. Maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

13. Maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. Company shall prepare and periodically check countermeasures such as the crisis response manual for the protection of the personal information processing system in case of a disaster such as fire, flood, or power failure;

14. Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data;

15. Monitor compliance on an ongoing basis;

16. Implement measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to Customer;

17. Provide reasonable ongoing privacy and information security training for all employees and contractors who access Personal Data;

18. Except with respect to Personal Data, in its capacity as a data processor, within ninety (90) calendar days of the termination or completion of services, or sooner if requested by Customer, destroy all copies of Personal Data (including any automatically created archival copies). If required by applicable law, Company may retain a copy of the Personal Data for so long as required, but only if Company:
(a) Notifies Customer in advance and in writing that such copy is required and the reason for such retention;
(b) Ensures that such copy is encrypted and protected in accordance with this DPA; and
(c) Does not access the Personal Data for any other purpose.
On request, Company will provide a signed certification that Company deleted the Protected Information in accordance with this DPA.