LeadVixo Data Processing Agreement

This Data Processing Agreement (the "DPA") forms an integral part of the LeadVixo Terms of Use and Privacy Policy entered into between LeadVixo ("Vendor") and the Client. It is incorporated into those documents by reference and governs the processing of personal data by the Vendor on behalf of the Client.

1. GENERAL

1.1 Roles. The Vendor shall process the Client's Personal Data solely as a data Processor acting on behalf of the Client, who acts as the Controller of such Personal Data within the meaning of applicable data protection laws, including the EU General Data Protection Regulation 2016/679 ("GDPR") where applicable.
1.2 Scope of Processing. The Client hereby instructs the Vendor to process Personal Data only for the limited and specified purpose of providing the Vendor's Services to the Client as described in this DPA and the Agreement. The Vendor shall not process any Personal Data for its own purposes, and shall not independently determine the means or purposes of any such processing.
1.3 Data Subject Rights. The Vendor shall reasonably assist the Client in responding to requests from Data Subjects exercising their rights under applicable data protection laws (including, without limitation, rights of access, rectification, erasure, restriction, portability, and objection). The Vendor shall:
  • Promptly notify the Client — and in any case within 5 business days — upon receiving a request from a Data Subject relating to the Client's Personal Data;
  • Not respond to such requests except on the documented instructions of the Client, or as strictly required by applicable law.
1.4 Data Breach Notification. In the event of an actual or reasonably suspected personal data breach, the Vendor shall notify the Client without undue delay and in any case within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR. Such notification shall include, to the extent available: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
1.5 Return and Deletion of Data. Upon expiration or termination of the Agreement, the Vendor shall promptly delete or return all copies of the Client's Personal Data, at the Client's written election, except where retention is required by applicable law. Upon the Client's written request, the Vendor's Chief Privacy Officer (or equivalent) shall provide written certification of full compliance with this section within 30 days of the request.

2. DESCRIPTION OF PROCESSING

Categories of data subjects: Business professionals identified or requested by the Client.
Categories of personal data (the "Personal Data"): Business and Shared Data as defined in the Privacy Policy. No special categories of personal data (as defined under Article 9 GDPR) will be processed.
Nature of processing: Collection, recording, storage, consultation, use, disclosure by transmission, adaptation, and erasure.
Purpose(s) of processing: The provision of LeadVixo's Services to the Client as described in the Agreement.
Retention period: Personal Data shall be retained for the duration of the Agreement (as specified in the Terms of Use). Following termination, LeadVixo may retain Personal Data solely for statistical or financial purposes, provided that all personally identifiable attributes have been removed or the data is maintained in fully aggregated form.
Lawful basis: The Client may only instruct LeadVixo to process Personal Data on the basis of a recognised and applicable lawful basis under the GDPR. The Client warrants that all instructions provided to LeadVixo are lawful and will not cause LeadVixo to be in breach of applicable data protection laws.

3. TECHNICAL AND ORGANISATIONAL MEASURES

LeadVixo implements and maintains the following technical and organisational security measures to protect Personal Data against unauthorised access, loss, destruction, or alteration:
3.1 Security Policies and Procedures. LeadVixo maintains and regularly reviews internal security policies and procedures to ensure that all employees and contractors process Personal Data in accordance with this DPA and applicable law.
3.2 Intrusion Prevention. LeadVixo's security infrastructure is maintained in line with leading industry standards, including virus protection, firewalls, and intrusion detection and prevention technologies designed to prevent unauthorised access to LeadVixo's network, systems, servers, and applications.
3.3 Security Awareness Training. All employees and contractors with access to Personal Data receive regular security awareness training covering the secure handling of confidential and sensitive information, consistent with applicable law and industry best practices.
3.4 Physical Access Controls. Access to data centres and office facilities is restricted to authorised personnel through physical controls such as coded badge access and visitor management procedures.
3.5 Logical Access Controls. LeadVixo enforces strict user authentication for all personnel with access to Personal Data, including:
  • Assignment of unique access credentials to each employee and contractor;
  • Prohibition on sharing access credentials;
  • Access granted on a need-to-know basis only;
  • Logging and monitoring of access to production systems;
  • Periodic access reviews covering authentication, authorisation, and auditing;
  • Immediate revocation of access upon termination of employment or contract.
3.6 Environmental Controls. Data centres are maintained with appropriate environmental controls, including temperature and humidity management, and protections against power failures and physical damage.
3.7 Disaster Recovery and Backup. LeadVixo maintains: (i) periodic backups of production file systems and databases on a defined schedule; and (ii) a formal disaster recovery plan for production data centres, subject to regular testing to verify effectiveness.
3.8 Business Continuity and Incident Response. LeadVixo maintains business continuity and cyber incident response plans designed to manage and minimise the impact of unplanned events (cyber, physical, or natural). These plans include response procedures for actual or potential security breaches, with a stated objective of resuming routine services within 36 hours. Root cause analysis and remediation records are maintained for all incidents.
3.9 Data Transmission and Storage Security. All Personal Data processed by LeadVixo is encrypted in transit and at rest, using industry-standard protocols at a minimum of 256-bit encryption.
3.10 Internal and External Audits. LeadVixo conducts regular internal security audits and commissions annual external security assessments and penetration tests, covering cloud architecture, business processes, access controls, and encryption measures.
3.11 Risk Assessment. LeadVixo operates a risk assessment programme to identify foreseeable internal and external risks to its information resources and to evaluate the adequacy of existing controls, policies, and procedures on an ongoing basis.
3.12 Sub-Processors and Third-Party Vendors. Prior to engaging any new sub-processor, contractor, or service provider who will have access to Personal Data, LeadVixo conducts a due diligence assessment of their data security practices. LeadVixo shall enter into written agreements with all sub-processors that impose data protection obligations no less protective than those set out in this DPA. LeadVixo shall remain liable to the Client for the acts and omissions of its sub-processors. A current list of sub-processors is available upon written request.
3.13 Change and Configuration Management. LeadVixo maintains policies and procedures governing changes to production systems, applications, and databases, including documentation, testing, approval workflows, security patching, and authentication requirements.

4. INTERNATIONAL DATA TRANSFERS

Where Personal Data is transferred outside the European Economic Area (EEA) or another jurisdiction with an adequacy decision, such transfers shall be made only: (i) to countries recognised by the European Commission as providing an adequate level of data protection; (ii) subject to Standard Contractual Clauses approved by the European Commission; or (iii) pursuant to another lawful transfer mechanism under applicable data protection law.

5. CONTACT AND GOVERNING LAW

For any questions, notices, or requests relating to this DPA, please contact our Data Protection team at legal@leadvixo.com. This DPA shall be governed by and construed in accordance with the laws applicable to the Agreement between the parties. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to data protection matters.