This Data Processing Addendum ("DPA") forms part of the Smarteaming Terms of Service between MBP Enterprises LTD, a company registered in England and Wales (company number 16058795), with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom ("Smarteaming", acting as Processor) and the customer subscribing to the Smarteaming service ("Customer", acting as Controller). It applies to all processing of personal data by Smarteaming on behalf of the Customer through the Smarteaming marketing website, web application, mobile application, and API. In the event of conflict with the Terms of Service, this DPA prevails for matters relating to data protection.
Terms not otherwise defined in this DPA have the meaning given in Regulation (EU) 2016/679 (the "GDPR") and, where applicable, the UK Data Protection Act 2018 (the "UK GDPR"). "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor" and "Personal Data Breach" carry the meanings set out in the GDPR. "Customer Personal Data" means personal data processed by Smarteaming on behalf of the Customer through the service.
03 Nature and Purpose of Processing
Smarteaming processes Customer Personal Data solely for the purpose of providing the scheduling, shift confirmation, time tracking, payroll export, leave management, account administration, and supporting features of the service, delivering transactional notifications to users, and providing support to the Customer. Processing is performed by automated means.
04 Categories of Data and Data Subjects
Categories of Customer Personal Data processed under this DPA typically include: (a) identification data — first name, last name, email address, phone number, profile picture, language preference; (b) employment data — assigned roles, competences, work schedules, shift confirmations, leave requests, worked-hour records, salary rates entered by the Customer; (c) technical data — IP address, device type, push-notification token; and (d) where the Customer activates the payroll feature, limited financial data such as IBAN. Categories of data subjects include the Customer's employees, contractors, and authorised administrators.
Smarteaming processes Customer Personal Data for the duration of the subscription agreement between Smarteaming and the Customer and for up to thirty (30) days thereafter, for the purpose of return or deletion under the "Return and Deletion" section below, unless a longer retention period is required by applicable law.
Smarteaming processes Customer Personal Data only on the documented instructions of the Customer, including as set out in this DPA, in the Terms of Service, and through the Customer's configuration and use of the service's features. Smarteaming will inform the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
Smarteaming ensures that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether of a contractual or statutory nature. Access to Customer Personal Data is granted on a strict need-to-know basis.
Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks for data subjects, Smarteaming implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures in place are described in the "Annex II: Technical and Organisational Measures" section below.
The Customer grants Smarteaming a general authorisation to engage the Sub-processors listed in "Annex III: Approved Sub-processors" for the purposes set out above. Smarteaming will give the Customer at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-processor, giving the Customer the opportunity to object on reasonable data-protection grounds. Where the Customer's objection cannot be resolved, the Customer may terminate the affected part of the service. Smarteaming imposes on each Sub-processor data-protection obligations materially equivalent to those set out in this DPA.
10 International Transfers
Primary Customer Personal Data is stored on DigitalOcean servers located in Frankfurt, Germany (European Union). Certain Sub-processors (Mailgun and Expo Push Service) may process limited personal data outside the European Economic Area. Where Customer Personal Data is transferred outside the EEA, Smarteaming relies on the European Commission's Standard Contractual Clauses set out in Implementing Decision (EU) 2021/914, or on the recipient's certification under the EU-US Data Privacy Framework where applicable.
Taking into account the nature of the processing, Smarteaming assists the Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to requests by data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, and not being subject to automated individual decision-making). Where a data subject contacts Smarteaming directly concerning Customer Personal Data, Smarteaming will forward the request to the Customer without undue delay and will not respond to the data subject except to refer them to the Customer, unless otherwise instructed.
12 Personal Data Breach Notification
Smarteaming notifies the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its adverse effects. Notification is sent to the administrative contact on file for the Customer.
13 Assistance with DPIAs and Prior Consultation
Where reasonably requested and at the Customer's cost, Smarteaming provides assistance to the Customer with data-protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to Smarteaming.
Smarteaming makes available to the Customer, on reasonable prior written request, the information necessary to demonstrate compliance with this DPA and with Article 28 of the GDPR, and allows for and contributes to audits conducted by the Customer or a mandated third-party auditor bound by confidentiality. Audits are conducted no more than once per calendar year (except where required following a material Personal Data Breach or by a supervisory authority), during normal business hours, with reasonable prior notice, and in a manner that does not unreasonably disrupt the service. Costs of audits are borne by the requesting party.
At the Customer's choice, Smarteaming deletes or returns all Customer Personal Data after the end of the provision of the service and deletes existing copies, unless the retention of Customer Personal Data is required by EU or Member State law. Return or deletion is completed within thirty (30) days of the Customer's written request following termination, subject to legal retention obligations (for example, financial records required to be retained under UK tax law for up to six years).
Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service.
17 Annex I: Details of Processing
Subject matter: provision of the Smarteaming service as described in the "Nature and Purpose of Processing" section.
Duration: the term of the subscription agreement plus any period required for return or deletion.
Nature and purpose of processing: as set out in the "Nature and Purpose of Processing" section.
Categories of personal data and data subjects: as set out in the "Categories of Data and Data Subjects" section.
Frequency of processing: continuous.
18 Annex II: Technical and Organisational Measures
Access control: role-based access with unique authenticated accounts and the principle of least privilege.
Encryption: TLS 1.2 or higher for data in transit; hashing of user passwords using industry-standard adaptive algorithms.
Application security: Content Security Policy headers with per-request nonces; HTTP Strict Transport Security (HSTS) in production.
Network and infrastructure security: hardened servers, firewall rules, regular security reviews, and inherited physical-security controls from certified EU data centres operated by DigitalOcean.
Backups: encrypted backups of production data, retained according to an internal retention schedule.
Logging and monitoring: application and access logs, with visibility restricted to authorised personnel.
Personnel: confidentiality obligations for all staff with access to Customer Personal Data, and security-awareness practices.
19 Annex III: Approved Sub-processors
DigitalOcean, LLC — cloud hosting and database infrastructure, Frankfurt (Germany, EU).
Stripe Payments Europe, Limited — subscription payment processing; Stripe processes billing details as an independent Controller under its own privacy policy.
Mailgun (Sinch Group) — transactional email delivery, United States.
Expo Push Service (operated by 650 Industries, Inc.) — mobile push-notification delivery, United States.
Google Ireland Limited — conversion tracking on the marketing website, activated only with the visitor's marketing-cookie consent.
An up-to-date list is available on request to contact@smarteaming.com.
20 Governing Law, Jurisdiction, and Contact
This DPA is governed by the laws of England and Wales. Disputes arising out of or relating to this DPA are subject to the exclusive jurisdiction of the courts of London, England, except where mandatory law provides otherwise for the protection of data subjects. For questions concerning this DPA, contact: MBP Enterprises LTD, 128 City Road, London, EC1V 2NX, United Kingdom — email: contact@smarteaming.com.