Data Processing Addendum

Last revised Nov 10, 2025

Customer Acceptance: By continuing to use the services after this DPA is posted, you acknowledge and accept the terms of this DPA.

This GDPR Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), amends and supplements any existing service agreement (the “Agreement”) between you (“Customer”) and One System Software LLC (“Processor”) with respect to Personal Data.

Defined Terms

• EU Data Protection Laws: GDPR, UK GDPR, Swiss data protection law, and applicable EU/EEA member state laws.

• Personal Data: Information relating to an identified or identifiable natural person in the EEA, UK, or Switzerland.

• CCPA / CPRA: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any regulations or guidance promulgated thereunder, including amendments and successor legislation, applicable to Personal Information of California residents.

• Standard Contractual Clauses (SCCs): Model clauses approved by the European Commission under Implementing Decision 2021/914.

Data Processing Description

GDPR Contractual Terms

1. Sub-processor authorization: Processor may use affiliates and third-party sub-processors with prior notification to Customers.

2. Customer obligations:

   • Determine the purpose and essential means of the Processing of Personal Data in accordance with the Agreement.

   • Be responsible for the accuracy of Personal Data;

   • Comply with its obligations under Data Protection Laws, including, when applicable

     • ensuring Customer has a lawful basis to collect Personal Data

     • providing Data Subjects with any required notices

     • obtaining the Data Subject’s consent to process the Personal Data.

3. Processor obligations:

   • Process Personal Data only per documented instructions from Customer.

   • Ensure confidentiality of personnel processing data.

   • Implement security measures per Article 32 GDPR.

   • Assist Customer with data subject requests (Articles 15–22 GDPR).

   • Delete or return Personal Data at the end of service.

   • Allow audits or inspections by Customer.

Addition of Sub-Processors

1. Right to Engage: The Processor may engage additional sub-processors to perform processing activities under this DPA, provided that the Processor ensures each sub-processor agrees to the same data protection obligations as set forth in this DPA.

2. Notification: The Processor shall inform the Customer of any intended addition or replacement of a sub-processor at least 30 days in advance. Notification may be made via email or published in the sub-processor list provided in Annex III.

3. Objection: The Customer may object in writing to the engagement of a new sub-processor within the notification period if there is a reasonable basis to believe that the sub-processor will not comply with applicable data protection laws or the obligations in this DPA. If the Customer objects, the parties will use reasonable efforts to resolve the objection.

4. Liability: The Processor remains fully liable for the acts and omissions of its sub-processors in accordance with this DPA and applicable Data Protection Laws.

California Consumer Privacy Act (CCPA / CPRA)

For Personal Information of California residents, the Processor acts as a "Service Provider" as defined under the CCPA/CPRA. Processor agrees to:

1. Process Personal Information only for the purposes specified in this DPA and the Agreement.

2. Not sell, share, or use the Personal Information for any other purpose.

3. Comply with Customer’s instructions to respond to consumer requests under the CCPA/CPRA, including access and deletion requests.

4. Flow down these obligations to sub-processors.

International Transfers

Personal Data may be transferred from the EEA, UK, or Switzerland to the United States or other countries outside the EEA/UK/CH that do not have an adequacy decision.

1. Standard Contractual Clauses (SCCs): All such transfers are governed by the European Commission-approved SCCs (Module 2 or 3 as applicable), which are incorporated into this DPA by reference.

2. Transfer Impact Assessment (TIA): The Processor has conducted a Transfer Impact Assessment evaluating the legal environment of the recipient country, including the potential access of public authorities and other applicable laws. The TIA assesses whether the combination of SCCs, technical, organizational, and contractual measures provides an adequate level of protection for Personal Data.

3. Technical and Organizational Measures: Personal Data transferred internationally will be protected by the measures described in Appendix 2 (Annex II of the SCCs), including encryption in transit and at rest, access controls, monitoring, and breach response procedures.

4. Sub-Processor Oversight: Any sub-processor involved in international transfers is bound by the same contractual obligations and security measures. The Customer may review sub-processors as listed in Annex III.

5. Residual Risks: Where residual risks exist despite these safeguards, the Processor documents and manages them in accordance with the TIA, ensuring that transfers remain compliant with applicable Data Protection Laws.

Relationship between DPA Appendices and SCC Annexes:

• Appendix 1 → Annex I (Description of the Transfer)

• Appendix 2 → Annex II (Technical and Organizational Measures)

• Sub-processor list → Annex III (List of Sub-Processors included in this DPA)

Limitation of Liability

Liability under this DPA is subject to the limitations in the Agreement.

Modification

The parties will cooperate to amend the DPA or enter into further agreements to comply with EU Data Protection Laws as needed.

General

• DPA supplements the Agreement.

• Governing law: Ireland

• Jurisdiction: The courts of Ireland shall have exclusive jurisdiction.

• No third-party beneficiaries.

• Applies only to Personal Data processed by Processor on Customer’s behalf.

Exhibits