Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between MatchAudit UG (haftungsbeschränkt) i.G. ("MatchAudit" or "Processor") and the business customer using the Service ("Customer" or "Controller").

This DPA applies only to the extent MatchAudit processes personal data on behalf of the Customer in order to provide the Service.

• For customer-uploaded screening data and related workflow data, the Customer generally acts as controller and MatchAudit generally acts as processor.
• For MatchAudit's own account administration, billing, fraud prevention, abuse prevention, service security, and legal compliance activities, MatchAudit generally acts as controller and those activities are not governed by this DPA.

MatchAudit processes personal data solely to provide sanctions screening and related compliance software functionality to the Customer, including hosting, screening, matching, storing, exporting, logging, maintaining, securing, and supporting the Service.

Processing under this DPA begins when the Customer uploads or otherwise submits personal data to the Service and continues for the duration of the underlying customer relationship, unless earlier terminated in accordance with the main agreement or this DPA.

In the event of conflict between this DPA and the main agreement, this DPA prevails with respect to data protection matters only.

MatchAudit processes personal data for the limited purpose of providing the contracted Service to the Customer. Depending on the Customer's configuration and usage, such processing may include:

• receiving, importing, structuring, and storing screening data uploaded by the Customer;
• comparing names and related identifiers against sanctions data and other configured compliance datasets;
• generating potential matches, case records, reports, exports, and audit-trail entries;
• supporting customer-configured retention, deletion, retrieval, access control, and workflow settings;
• securing, troubleshooting, monitoring, and supporting the Service where necessary to perform the processor services.

The categories of personal data processed under this DPA are determined by the Customer and may include:

• names of natural persons and legal entities;
• aliases, transliterations, and related identity fields;
• dates of birth, nationality, addresses, and country data;
• KYC, onboarding, counterparty, vendor, customer, or beneficiary records;
• case notes, analyst annotations, decision records, and evidence files;
• related metadata, timestamps, and workflow history generated through use of the Service.

Data subjects may include customers, counterparties, vendors, beneficial owners, directors, authorized signatories, beneficiaries, employees, or other individuals whose data the Customer decides to screen or manage through the Service.

MatchAudit shall process personal data only on documented instructions from the Customer unless otherwise required by applicable law. The Customer's use of the Service, account configuration, API calls, uploads, exports, administrative choices, and written support instructions constitute documented instructions for purposes of this DPA.

The Customer remains solely responsible for:

• determining whether personal data may lawfully be processed and uploaded to the Service;
• establishing the legal basis, purpose, and scope of processing;
• providing required privacy notices and handling data subject requests where the Customer acts as controller;
• assessing whether any special-category data, criminal-offence data, or other restricted data may lawfully be processed;
• ensuring that its instructions do not violate applicable law.

MatchAudit shall:

• process personal data only in accordance with the Customer's documented instructions and applicable law;
• ensure that persons authorized to process personal data are bound by confidentiality obligations;
• implement technical and organizational measures appropriate to the risk of the processing;
• assist the Customer, taking into account the nature of the processing and the information available to MatchAudit, with the obligations described in Articles 32 to 36 GDPR where applicable;
• notify the Customer without undue delay after becoming aware of a personal data breach affecting data processed under this DPA;
• make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, proportionality, and security limitations.

MatchAudit shall ensure that access to personal data is limited to personnel, contractors, subprocessors, and service providers who need such access in order to provide, secure, maintain, or support the Service.

Such persons shall be subject to confidentiality obligations, statutory duties, or professional secrecy obligations appropriate to the nature of the data and the processing.

MatchAudit implements technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Such measures may include, as appropriate:

• role-based access controls and authentication controls;
• encryption in transit and other transport security measures;
• logging, monitoring, and security review processes;
• backup and recovery procedures;
• segregation of duties and least-privilege principles;
• change management and vulnerability management practices reasonably appropriate to the Service.

MatchAudit may update or replace such measures from time to time, provided that the overall level of security for the processor services is not materially reduced.

The Customer grants MatchAudit a general authorization to engage subprocessors for the provision of the Service.

MatchAudit remains responsible for the performance of its subprocessors to the extent required by applicable law and shall impose data protection obligations on subprocessors that are no less protective than the relevant obligations in this DPA.

MatchAudit will make current subprocessor information available on request or through procurement or legal materials. Where materially relevant, MatchAudit may notify customers of intended additions or replacements through written notice, account communications, or a subprocessor list update.

If the Customer reasonably objects to a new subprocessor on documented data protection grounds, the parties will discuss the objection in good faith. If no reasonable solution can be reached, either party may terminate the affected processor services to the extent required by applicable law.

MatchAudit may process personal data in the European Union and, in some cases, outside the European Economic Area through selected subprocessors or service providers.

Where required by applicable law, MatchAudit shall implement an appropriate transfer mechanism, such as an adequacy decision, standard contractual clauses, or another legally recognized safeguard.

Taking into account the nature of the processing, MatchAudit shall provide reasonable assistance to the Customer in responding to data subject requests and to the extent required by applicable law, subject to the Customer reimbursing MatchAudit for significant additional effort where such effort falls outside standard service support.

MatchAudit shall also provide reasonable assistance, to the extent required by law and taking into account the information available to MatchAudit, with:

• security incident assessment and notification obligations;
• data protection impact assessments;
• consultations with supervisory authorities;
• regulatory or audit requests related to processor services.

If MatchAudit becomes aware of a personal data breach affecting personal data processed under this DPA, MatchAudit shall notify the Customer without undue delay.

Such notification shall include, to the extent available at the time, a description of the nature of the breach, the categories of affected data, the likely consequences, and the measures taken or proposed to address the breach.

Upon termination or expiry of the relevant processor services, MatchAudit shall, at the Customer's choice and subject to the Customer's configuration, contractual retrieval rights, and applicable law, delete or return personal data processed on behalf of the Customer.

MatchAudit may retain personal data to the extent and for the period required by applicable law, for security logging, recordkeeping, dispute defense, or backup retention cycles, after which such retained data will remain protected in accordance with applicable confidentiality and security obligations.

MatchAudit shall make available information reasonably necessary to demonstrate compliance with this DPA.

Audits or inspections by the Customer or an auditor mandated by the Customer shall be subject to the following conditions:

• reasonable prior written notice;
• no more than once in any twelve-month period unless a personal data breach or regulator request justifies more frequent review;
• use of questionnaires, certifications, summaries, and remote reviews before any on-site review is requested;
• appropriate confidentiality protections for MatchAudit and third parties;
• no access to data of other customers or to information that would compromise the security or confidentiality of the Service;
• the Customer bearing its own costs and reimbursing MatchAudit for substantial additional time or expense caused by non-standard audit requests.

Liability between the parties under this DPA shall be governed by the liability provisions of the main agreement, except to the extent mandatory data protection law requires otherwise.

This DPA does not expand MatchAudit's role beyond processor obligations required by applicable law and does not transfer the Customer's underlying compliance, screening, or controller responsibilities to MatchAudit.

MatchAudit UG (haftungsbeschränkt) i.G.
Turmstrasse 7, 65611 Brechen, Germany

DPA, privacy, and procurement inquiries may be sent through MatchAudit's legal or commercial contact channels.