[VARIABLE] must be completed at signing.
This Data Processing Agreement (the "DPA") is entered into between [CUSTOMER LEGAL NAME], identified with Tax ID [VARIABLE], with registered address at [VARIABLE] (the "Controller" or "Customer"), and CLIO CIRCLE S.A.S., identified with Colombian Tax ID (NIT) [VARIABLE], with registered address at [VARIABLE], Bogotá D.C., Colombia ("Clio" or the "Processor"), collectively referred to as "the Parties".
This DPA forms an integral part of the Master Service Agreement ("MSA") executed between the Parties. In case of conflict between the MSA and this DPA regarding the processing of personal data, the provisions of this DPA shall prevail.
Table of Contents
- Background
- Definitions
- Object of the DPA
- Roles of the Parties
- Duration
- Processor's Obligations
- Controller's Obligations
- Sub-processors
- Data Subject Rights
- Security Measures
- Breach Notification
- International Transfers
- Audit
- Liability
- Termination · return/deletion
- Governing Law and Jurisdiction
- Amendments to the DPA
- Contact · DPO
- Annex 1: Processing Details
- Annex 2: Authorized Sub-processors
- Annex 3: Technical and Organizational Measures
- Signatures
I. Background
The Controller, in the course of its activities, requires Clio's services for monitoring, evaluating, and analyzing the socio-emotional behavior of its employees, members, contractors, or other Data Subjects linked to its organization, through the use of Clio Circle's Software, including the Clio AI artificial intelligence tool.
For the provision of such services, the Controller transfers or makes available to the Processor Personal Data and, in some cases, Sensitive Personal Data of the Data Subjects.
The Parties enter into this DPA to govern the Processing of such Personal Data, in compliance with Colombia's Law 1581 of 2012, Decree 1377 of 2013, the European Union General Data Protection Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable legislation in the jurisdictions where the Data Subjects reside.
II. Definitions
Capitalized terms used in this DPA shall have the meaning attributed to them below. Terms not defined herein shall have the meaning assigned to them by applicable legislation.
Personal Data: any information relating to an identified or identifiable natural person, in accordance with Colombian Law 1581 of 2012 and Article 4(1) of the GDPR.
Sensitive Personal Data: data affecting the Data Subject's privacy or whose improper use may give rise to discrimination, including health data, data relating to mental state, socio-emotional behavior, sexual orientation, racial or ethnic origin, religious beliefs, among others, in accordance with Article 5 of Colombian Law 1581 of 2012 and Article 9 of the GDPR.
Data Subject: the natural person whose Personal Data is subject to Processing. In the context of this DPA, Data Subjects are typically employees, members, contractors, or persons linked to the Controller.
Processing: any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, suppression, transmission, or transfer.
Controller: the legal person who decides on the purpose, content, and use of the Processing of Personal Data. For purposes of this DPA, the Controller is the Customer.
Processor: the legal person who carries out Processing of Personal Data on behalf of the Controller. For purposes of this DPA, the Processor is Clio Circle.
Sub-processor: any third party engaged by the Processor to carry out Processing of Personal Data on behalf of the Processor.
Security Breach: any incident causing the destruction, loss, alteration, disclosure, or unauthorized access to Personal Data, whether accidental or unlawful.
International Transfer: the sending of Personal Data outside the territory of Colombia, the European Union, or any other applicable jurisdiction, in accordance with applicable law.
SIC: Superintendence of Industry and Commerce of Colombia, the Colombian data protection authority.
Standard Contractual Clauses (SCCs): the Standard Contractual Clauses approved by the European Commission under Article 46(2)(c) of the GDPR for international data transfers.
III. Object of the DPA
The object of this DPA is to establish the conditions under which Clio, in its capacity as Processor, will carry out the Processing of Personal Data that the Controller delivers or makes available for the provision of the services contracted under the MSA, ensuring compliance with applicable data protection legislation.
The specific details of the Processing (categories of data, purposes, duration, categories of Data Subjects) are described in Annex 1 of this document.
IV. Roles of the Parties
The Customer acts as Controller. It determines the purposes and means of Processing, owns the Personal Data delivered to the Processor, and is responsible for obtaining the informed consent of Data Subjects when applicable.
Clio acts as Processor. It carries out Processing exclusively in accordance with the documented instructions of the Controller, without autonomously determining the purposes of Processing, except for services provided directly to individual Consumers (non-organizational), in which case Clio acts as an independent Controller.
When Clio processes Personal Data for purposes other than those instructed by the Controller (for example, Software improvement, internal research, fraud prevention), it shall do so only on previously anonymized or pseudonymized data, such that the Data Subject cannot be re-identified.
V. Duration
This DPA shall enter into force on the date of the last signature and shall remain in effect for the entire duration of the MSA, as well as for any subsequent period during which Clio retains Personal Data of the Controller, until the return or definitive deletion of such data is completed in accordance with Section XV.
VI. Processor's Obligations (Clio)
Clio agrees to:
- Process Personal Data only in accordance with the documented instructions of the Controller and for the purposes described in Annex 1, except where applicable law requires different Processing, in which case Clio shall notify the Controller in advance.
- Ensure that persons authorized to process Personal Data have committed themselves contractually to confidentiality or are under an equivalent statutory duty of confidentiality.
- Implement and maintain the technical and organizational measures described in Annex 3 to ensure a level of security appropriate to the risk.
- Not subcontract Processing without the prior authorization of the Controller, in accordance with Section VIII.
- Assist the Controller, through appropriate technical and organizational measures, in responding to Data Subject requests in exercise of the rights described in Section IX.
- Assist the Controller in complying with its obligations regarding security, breach notification, impact assessments, and prior consultation with the competent data protection authority.
- Notify the Controller of any Security Breach without undue delay and, in any case, within seventy-two (72) hours after becoming aware of it, in accordance with Section XI.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations established in this DPA, and allow and contribute to audits in accordance with Section XIII.
- Upon termination of the provision of services, return or delete the Personal Data in accordance with the Controller's instructions and Section XV.
- Maintain an up-to-date record of Processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.
VII. Controller's Obligations (Customer)
The Controller agrees to:
- Obtain and maintain the informed, free, express, and specific consent of Data Subjects for the Processing of their Personal Data, on the terms required by Colombian Law 1581 of 2012, the GDPR, and applicable law in each jurisdiction.
- When Processing includes Sensitive Personal Data (including data relating to emotional state, mental health, or responses to socio-emotional questionnaires), obtain express, written, and specific authorization from the Data Subject in accordance with Article 6 of Colombian Law 1581 of 2012 and Article 9 of the GDPR.
- Inform Data Subjects about the existence of this DPA, the identity of Clio as Processor, the purposes of Processing, and the rights to which they are entitled.
- Ensure that the Personal Data transferred to Clio is truthful, complete, accurate, up-to-date, verifiable, and understandable.
- Address, in the first instance, requests from Data Subjects exercising their rights, and forward to Clio those requiring technical assistance, in accordance with Section IX.
- Notify Clio of any modification to the purposes of Processing or to the categories of Personal Data processed, by updating Annex 1.
- Comply with its own obligations as Controller in accordance with applicable law, including the registration of databases with the competent authority when required.
VIII. Sub-processors
The Controller authorizes Clio to engage Sub-processors for the Processing of Personal Data, provided that the following conditions are met:
- The current list of authorized Sub-processors is set out in Annex 2.
- Clio shall enter into a written agreement with each Sub-processor imposing data protection obligations substantially equivalent to those established in this DPA.
- Clio shall be fully liable to the Controller for the actions or omissions of the Sub-processor in the Processing of Personal Data.
- When Clio intends to engage a new Sub-processor or replace an existing one, it shall notify the Controller at least thirty (30) calendar days in advance, by updating Annex 2 published at cliocircle.com/en/dpa and by email notification to the contact designated by the Controller.
- The Controller may, on reasonable grounds, object to the engagement of a new Sub-processor within fifteen (15) calendar days following the notification. In such case, the Parties shall negotiate in good faith an alternative solution. If no agreement is reached, the Controller may terminate the MSA without penalty with respect to the affected services.
IX. Data Subject Rights
Clio shall assist the Controller, insofar as possible and through appropriate technical and organizational measures, in responding to Data Subject requests in the exercise of their rights:
- Right of access: to know the Personal Data being processed about the Data Subject.
- Right of rectification: to correct inaccurate, incomplete, or outdated data.
- Right of erasure ("right to be forgotten"): to delete Personal Data where applicable.
- Right to object: to oppose Processing on legitimate grounds.
- Right to restriction of Processing.
- Right to portability: to receive Personal Data in a structured, commonly used, and machine-readable format.
- Right not to be subject to automated decisions, including profiling, that produce legal effects or significantly affect the Data Subject.
- Right to withdraw consent at any time.
When a Data Subject submits a request directly to Clio, Clio shall forward the request to the Controller within five (5) business days and provide the necessary assistance for the Controller to respond within applicable legal deadlines (fifteen [15] business days under Colombian Law 1581, thirty [30] days under the GDPR).
X. Security Measures
Clio shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 3.
These measures shall be reviewed and updated periodically to reflect the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, as well as the risks to the rights and freedoms of Data Subjects.
XI. Security Breach Notification
In the event of a Security Breach affecting the Controller's Personal Data, Clio shall:
- Notify the Controller without undue delay and, in any case, within seventy-two (72) hours of becoming aware of the Breach.
- Send notification by email to the security contact designated by the Controller, including at a minimum:
  - The nature of the Breach, including, where possible, the categories and approximate number of Data Subjects affected and the types and volumes of records affected.
  - The contact details of Clio's security officer to obtain further information.
  - The likely consequences of the Breach.
  - The measures adopted or proposed to address the Breach and mitigate its effects.
- Document all Breaches, including the facts involved, their effects, and the corrective measures adopted.
- Cooperate with the Controller to make the required notifications to the competent data protection authority and, where applicable, to the affected Data Subjects.
XII. International Transfers
Clio may transfer Personal Data outside the country of origin of the Data Subject, including to the United States, the European Union, or other countries where Clio or its Sub-processors operate. Such transfers shall be made only when at least one of the following conditions is met:
- The destination country has been recognized by the European Commission or the SIC as providing an adequate level of data protection.
- Adequate safeguards have been implemented, including the execution of Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) of the GDPR, which are incorporated into this DPA by reference.
- When applicable to transfers from Colombia, the prior authorization of the SIC has been obtained or one of the exceptions of Article 26 of Law 1581 of 2012 and Decree 1377 of 2013 applies.
- There is express and unequivocal consent from the Data Subject for the international transfer.
Clio shall maintain a record of the jurisdictions to which it transfers Personal Data and shall make this record available to the Controller upon request.
XIII. Audit and Inspection
Clio shall make available to the Controller all information necessary to demonstrate compliance with the obligations established in this DPA. Additionally:
- The Controller may request, once per year during the term of the MSA, an audit of Clio's compliance with this DPA. Additional audits shall be permitted only in the event of a Security Breach or a requirement from a competent authority.
- Audits shall be carried out during business hours, with a minimum notice of thirty (30) calendar days, and in a manner that does not unduly interfere with Clio's operations.
- The Controller may carry out the audit directly or through an independent auditor subject to confidentiality obligations. Clio may object to the auditor on reasonable grounds.
- As an alternative to an on-site audit, the Controller may accept valid external audit reports (e.g., SOC 2 Type II, ISO 27001) issued within the prior twelve (12) months.
- Each Party shall bear its own audit costs, except where the audit reveals a material non-compliance by Clio, in which case Clio shall bear the reasonable costs of the Controller.
XIV. Liability and Indemnification
Each Party shall be liable for damages effectively caused to the other Party or to Data Subjects as a result of breach of its obligations under this DPA or applicable data protection legislation.
Clio's aggregate liability under this DPA shall be subject to the liability caps established in the MSA, except in the following cases, in which no cap shall apply: (i) willful misconduct or gross negligence; (ii) breach of confidentiality obligations; (iii) penalties imposed by data protection authorities exclusively attributable to Clio.
Each Party shall indemnify the other for fines, penalties, damages, and reasonable legal costs that it must pay to Data Subjects or authorities as a direct result of the breach by the indemnifying Party.
XV. Termination · Return and Deletion of Data
Upon termination of the MSA, for any reason, Clio shall:
- Cease all Processing of the Controller's Personal Data, except as necessary to comply with the return or deletion obligation.
- At the Controller's choice, return all Personal Data in a structured, commonly used, and machine-readable format, or delete all Personal Data in its possession and certify in writing to the Controller that deletion has been completed.
- The Controller shall communicate its choice within thirty (30) calendar days following the termination of the MSA. After this period without a response, Clio shall proceed with definitive deletion.
- Clio shall complete the return or deletion within ninety (90) calendar days following the termination of the MSA or the receipt of the Controller's instruction, whichever is later.
- Clio may retain Personal Data only when required by applicable law, in which case the security and confidentiality obligations of this DPA shall continue to apply until deletion.
- Encrypted backup copies shall be deleted according to the standard technical retention cycle, not exceeding thirty (30) additional days after the main deletion.
XVI. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the Republic of Colombia, without prejudice to the mandatory application of the GDPR, CCPA, or other data protection rules when Data Subjects reside in jurisdictions where such rules apply.
Any dispute arising from this DPA shall be resolved in accordance with the dispute resolution clause of the MSA. In the absence of such clause, disputes shall be submitted to the jurisdiction of the courts of Bogotá D.C., Colombia.
XVII. Amendments to the DPA
Clio may update this DPA when necessary to reflect changes in applicable law, operational practices, or Sub-processors used. Material amendments shall be notified to the Controller at least thirty (30) calendar days in advance.
If the amendments materially diminish the protections afforded to the Controller's Personal Data, the Controller may object and, if no agreement is reached, terminate the MSA without penalty.
XVIII. Contact · Data Protection Officer
Clio Circle's Data Protection Officer (DPO) is the single point of contact for any matter related to this DPA or the Processing of Personal Data:
Email: dpo@cliocircle.com
General email: clio@cliocircle.com
Postal address: [VARIABLE — Clio Circle S.A.S. legal address]
Data Subject rights requests: privacy@cliocircle.com
Annex 1: Processing Details
A. Categories of Data Subjects
- Employees, contractors, members, and collaborators of the Controller who use Clio Circle's Software.
- Legal representatives or guardians when the Data Subject is a minor under applicable law.
B. Categories of Personal Data
| Category | Specific data | Sensitive? |
|---|---|---|
| Identification | First name, last name, email, phone number, date of birth, gender, country of residence. | No |
| Organizational link | Role, area, team, hire date, internal identifier assigned by the Controller. | No |
| Socio-emotional questionnaire | Responses to questions on coping styles, emotional regulation, perceived wellbeing. | Yes |
| Clio AI content | Free text written by the Data Subject about personal, family, or work situations. | Yes |
| Usage data | Usage frequency, sections visited, session time, device, IP address. | No |
| Derived metrics | Inferred socio-emotional profile, behavioral indicators, trends. | Yes |
C. Purposes of Processing
- Provision of the Software to the Controller for aggregated monitoring of socio-emotional wellbeing across the organization.
- Generation of individual socio-emotional profiles accessible to the Data Subject.
- Generation of aggregate metrics and reports for the Controller, without individual identification when small-segment aggregation applies.
- Operation of the Clio AI tool for Data Subject interaction.
- Technical support and incident handling.
- Compliance with legal obligations and response to authority requests.
D. Duration of Processing
Processing shall be carried out for the entire term of the MSA and for the additional period necessary to complete the return or deletion of Personal Data in accordance with Section XV. Encrypted backup copies shall be retained for a maximum of thirty (30) additional days.
E. Nature of Processing
Collection, storage, organization, automated analysis, profile generation, anonymization, statistical aggregation, encrypted transmission, and deletion.
Annex 2: Authorized Sub-processors
The following is the current list of Sub-processors that Clio Circle uses to provide the services. The updated list is maintained at cliocircle.com/en/dpa.
| Sub-processor | Service | Processing location | Type of data |
|---|---|---|---|
| Amazon Web Services, Inc. | Hosting, storage, database | USA (us-east-1) | All encrypted data |
| OpenAI, L.L.C. | Natural language processing for Clio AI | USA | Clio AI text (no retention by OpenAI under Zero Data Retention) |
| Vercel Inc. | Frontend hosting and edge functions | Global (CDN) | Session identifiers, no sensitive data |
| Google LLC (Workspace) | Transactional email, calendar (Gmail Add-on plugin) | USA | Data Subject email, notification content |
| Stripe, Inc. | Payment processing for the Controller | USA | Controller billing data, no Data Subject Personal Data |
| Sentry / observability | Error monitoring | USA | Technical logs without personally identifiable data |
Note: the sub-processor list above is a draft and must be confirmed against the actual operation before the first signature. Any additional provider (analytics, support, CRM) must be added before its use.
Changes to the Sub-processor List
Clio shall notify the Controller at least 30 days in advance of any addition or replacement of Sub-processors. The Controller may object within 15 days as set out in Section VIII.
Annex 3: Technical and Organizational Measures (TOMs)
Clio implements the following measures to ensure the security of Personal Data, in accordance with Article 32 of the GDPR and Article 19 of Colombian Decree 1377 of 2013.
A. Encryption
- Encryption in transit using TLS 1.2 or higher for all communication with the Software.
- Encryption at rest using AES-256 for databases, file storage, and backups.
- Cryptographic key management through AWS KMS or equivalent, with periodic rotation.
B. Access Control
- Mandatory two-factor authentication (2FA) for all Clio personnel with access to production systems.
- Least privilege principle: each team member has access only to the resources strictly necessary for their function.
- Quarterly review of access privileges.
- Immediate revocation of access upon termination of employment or contract.
- Logging and monitoring of all access to production systems and databases.
C. Infrastructure Security
- Environment segregation: production, staging, and development isolated via separate virtual networks.
- Web Application Firewalls (WAF) and DDoS protection at the perimeter.
- Security updates applied per criticality: critical within 72 hours, high within 7 days.
- Automated vulnerability scanning on dependencies and code.
D. Pseudonymization and Minimization
- Replacement of direct identifiers with artificial identifiers (UUID) in internal analytics systems.
- Anonymization of data in aggregate reports when segments do not allow re-identification (minimum N=5 Data Subjects per segment).
- Collection only of the data strictly necessary for the purposes described in Annex 1.
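The two controls above (UUID pseudonymization in the analytics system and suppression of segments below N=5 in aggregate reports) can be illustrated with a small worked example. The code below is an added illustration written for this page; it is not Clio Circle's implementation, and the record layout, field names (`email`, `name`, `team`, `wellbeing`) and sample rows are constructed assumptions. It keeps the UUID-to-identifier lookup table separate from the pseudonymized rows, which is the property that lets the analytics store operate without direct identifiers.

```python
import uuid
from statistics import mean

# Constructed sample input (not real data): one row per Data Subject with
# direct identifiers, an organizational segment and a questionnaire score.
SAMPLE_RECORDS = [
    {"email": "e1@example.com", "name": "Eng One",   "team": "Engineering", "wellbeing": 7},
    {"email": "e2@example.com", "name": "Eng Two",   "team": "Engineering", "wellbeing": 8},
    {"email": "e3@example.com", "name": "Eng Three", "team": "Engineering", "wellbeing": 6},
    {"email": "e4@example.com", "name": "Eng Four",  "team": "Engineering", "wellbeing": 7},
    {"email": "e5@example.com", "name": "Eng Five",  "team": "Engineering", "wellbeing": 9},
    {"email": "e6@example.com", "name": "Eng Six",   "team": "Engineering", "wellbeing": 5},
    {"email": "s1@example.com", "name": "Sup One",   "team": "Support",     "wellbeing": 6},
    {"email": "s2@example.com", "name": "Sup Two",   "team": "Support",     "wellbeing": 6},
    {"email": "s3@example.com", "name": "Sup Three", "team": "Support",     "wellbeing": 7},
    {"email": "s4@example.com", "name": "Sup Four",  "team": "Support",     "wellbeing": 8},
    {"email": "s5@example.com", "name": "Sup Five",  "team": "Support",     "wellbeing": 9},
    {"email": "a1@example.com", "name": "Sales One", "team": "Sales",       "wellbeing": 6},
    {"email": "a2@example.com", "name": "Sales Two", "team": "Sales",       "wellbeing": 7},
    {"email": "a3@example.com", "name": "Sales Thr", "team": "Sales",       "wellbeing": 8},
    {"email": "a4@example.com", "name": "Sales Fou", "team": "Sales",       "wellbeing": 5},
    {"email": "f1@example.com", "name": "Fin One",   "team": "Finance",     "wellbeing": 3},
    {"email": "f2@example.com", "name": "Fin Two",   "team": "Finance",     "wellbeing": 9},
]

# Field names treated as direct identifiers (assumed for this example).
DIRECT_IDENTIFIERS = ("email", "name", "phone")

# Minimum segment size stated in Annex 3 D.
MIN_SEGMENT_SIZE = 5


def pseudonymize(records):
    """Replace direct identifiers with a random UUID.

    Returns (rows, lookup). `rows` is what the analytics system stores;
    `lookup` (UUID -> email) is the re-identification key and belongs in a
    separately access-controlled store, never beside the analytics data.
    """
    rows, lookup = [], {}
    for rec in records:
        subject_id = str(uuid.uuid4())
        lookup[subject_id] = rec["email"]
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = subject_id
        rows.append(row)
    return rows, lookup


def contains_direct_identifiers(rows):
    """Check that no pseudonymized row still carries a direct identifier."""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIERS)


def aggregate_by_segment(rows, segment_key="team", value_key="wellbeing",
                         min_n=MIN_SEGMENT_SIZE):
    """Per-segment mean of `value_key`, suppressing segments smaller than min_n.

    A suppressed segment reports neither its mean nor its count, so the
    report does not reveal that a segment is tiny (which would itself narrow
    down who is in it).
    """
    groups = {}
    for row in rows:
        groups.setdefault(row[segment_key], []).append(row[value_key])
    report = {}
    for segment, values in groups.items():
        if len(values) < min_n:
            report[segment] = {"n": None, "mean": None, "suppressed": True}
        else:
            report[segment] = {"n": len(values),
                               "mean": round(mean(values), 2),
                               "suppressed": False}
    return report


if __name__ == "__main__":
    pseudo_rows, _lookup = pseudonymize(SAMPLE_RECORDS)
    for segment, stats in aggregate_by_segment(pseudo_rows).items():
        print(segment, stats)
```

In this constructed data set, Engineering (6 subjects) and Support (exactly 5) appear in the report, while Sales (4) and Finance (2) are suppressed; the Finance case shows why the count is hidden as well, since a two-person segment with a published mean would expose each member's score to the other.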
E. Service Continuity
- Encrypted, automated, daily backups.
- Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 24 hours.
- Business continuity plan tested at least once per year.
F. Personnel and Processes
- Confidentiality agreements signed by all personnel and contractors with access to Personal Data.
- Mandatory annual training in data protection and information security.
- Documented security incident response procedure.
- Designation of a Data Protection Officer (DPO) reachable at dpo@cliocircle.com.
G. Audit and Certifications
- Penetration testing carried out by independent third parties on an annual basis.
- Roadmap toward SOC 2 Type II and ISO/IEC 27001 certification (in progress).
- Audit reports available under NDA for Enterprise customers.
Note: the measures described reflect the current operational baseline and security roadmap. Formal certifications (SOC 2, ISO 27001) are in progress and this Annex will be updated as they are completed.
Signatures
The Parties acknowledge having read, understood, and accepted the entire content of this Data Processing Agreement and its Annexes, and sign it in token of agreement.
[VARIABLE][VARIABLE][VARIABLE][VARIABLE][VARIABLE][VARIABLE]