
Prospeo Data Processing and Data Sharing Addendum (DPA+)

Version 2.3 | January 29, 2026

Parties. This Addendum is part of the agreement between Defastra Tech Inc. (dba "Prospeo") and the "Customer" identified in an ordering document or online sign-up.

Purpose. This Addendum allocates responsibilities for personal data processed in connection with the Services, including controller-to-controller dataset arrangements where enabled.

Modular structure. This Addendum contains Modules A, B, and C. The applicable module(s) depend on Customer's role and enabled features/orders. Module selection rules are in Section 0.

Precedence. If incorporated, the EU SCCs and UK Addendum prevail over this Addendum and the Agreement in case of conflict.

Table of Contents

  • 0. Scope selector and module activation
  • 1. Definitions
  • 2. General terms (confidentiality, security, subprocessors, assistance, breach, deletion, audits)
  • 3. Module A - Customer as Controller; Prospeo as Processor
  • 4. Module B - Customer as Processor; Prospeo as Sub-processor
  • 5. Module C - Controller-to-controller data sharing
  • 6. International data transfers (Data Privacy Framework / EU SCCs / UK Addendum / Swiss)
  • 7. U.S. state privacy terms (CPRA and similar)
  • 8. Canada / Quebec Law 25 / PIPEDA
  • 9. Liability, indemnity, and miscellaneous
  • Schedules 1-5

0. Scope selector and module activation

0.1 Processing activities are evaluated separately. Module selection is determined per processing activity and may differ across features (for example, direct enrichment vs dataset supply).

0.2 Module A (Controller to Processor) applies where Customer determines the purposes and means of processing of Customer Personal Data submitted to the Services, and Prospeo processes that data on Customer's behalf.

0.3 Module B (Processor to Sub-processor) applies where Customer acts as a processor on behalf of an End Customer Controller (for example, Customer is a reseller, platform, agency, or service provider processing personal data for its own customers), and Prospeo processes personal data as Customer's sub-processor.

0.4 Module C (Controller to Controller) applies in the following circumstances: (a) automatically, when Customer Personal Data is matched against or enriched using the Prospeo Dataset, at which point Prospeo becomes an independent controller of such matched data to maintain and improve the Prospeo Dataset for the benefit of all Prospeo users; or (b) where expressly enabled in an Order, SOW, or in-product setting for dataset supply, redistribution rights, or dataset contribution features.

0.5 Order of precedence for roles. If Customer's role is unclear for a given activity, the default assumption is Module A. If Customer acts as a processor for that activity (for example, Customer's end customer is the controller), Module B applies. Module C applies as described in Section 0.4.

1. Definitions

Applicable Data Protection Laws means all data protection and privacy laws and regulations applicable to a party's processing under the Agreement and this Addendum, including EU GDPR, UK GDPR, Swiss FADP, PIPEDA, Quebec Law 25, and U.S. state privacy laws where relevant.

Customer Personal Data means Personal Data processed by Prospeo on behalf of Customer through the Services under Modules A or B.

Data Privacy Framework means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced.

End Customer Controller means the controller on whose behalf Customer acts as a processor in Module B.

Output Data means results delivered to Customer by the Services (for example, enrichments, verifications, and match flags).

Personal Data / Personal Information has the meaning given in Applicable Data Protection Laws.

Prospeo Dataset means Prospeo's independent B2B dataset that Prospeo maintains as an independent controller.

Restricted Transfer means a cross-border transfer requiring an appropriate safeguard under EU GDPR, UK GDPR, or Swiss FADP.

Services means Prospeo's web app, API, browser extension, and CSV enrichment tools provided under the Agreement.

Sub-processor means any processor engaged by Prospeo to process Customer Personal Data.

2. General terms (applies to Modules A and B)

2.1 Confidentiality. Prospeo will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations (contractual or statutory).

2.2 Security. Prospeo will implement and maintain appropriate technical and organizational measures ("TOMs") as described in Schedule 2, taking into account the nature, scope, context, and purposes of processing and the risks to individuals. Customer is responsible for securing its own environments, endpoints, credentials, and configurations, and for configuring the Services to align with Customer's risk posture.

2.3 Sub-processors.

2.3.1 Authorization. Customer authorizes Prospeo to engage Sub-processors to provide the Services.

2.3.2 List and notice. Prospeo maintains a current list of Sub-processors at prospeo.io/subprocessors. Prospeo will provide at least 30 days' advance notice of any material addition or replacement of a Sub-processor by updating that page and sending notice to Customer's designated notice email (or to subscribed contacts via privacy@prospeo.io).

2.3.3 Objection. If Customer reasonably objects in writing within the notice period, the parties will attempt to resolve in good faith. If unresolved, Customer may terminate the affected Service component (not the entire Agreement) and receive a pro-rata refund of prepaid fees for the terminated portion.

2.3.4 Liability for Sub-processors. Prospeo will impose data protection obligations on Sub-processors that are no less protective than this Addendum for the relevant processing. Prospeo will be liable to Customer for the acts and omissions of any Sub-processor as if they were Prospeo's acts and omissions.

2.4 Assistance and data subject requests. Taking into account the nature of the processing, Prospeo will provide reasonable assistance to Customer (by appropriate technical and organizational measures) to help Customer respond to data subject requests. If Prospeo receives a data subject request directly relating to Customer Personal Data, Prospeo will, where feasible, notify Customer and will not respond except on Customer's documented instructions or as required by law.

2.5 Personal data breach. Prospeo will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information as it becomes available (nature of breach, categories and approximate number of data subjects and records, likely consequences, and measures taken or proposed).

2.6 Return and deletion. During the term, Customer may export Customer Personal Data via the Services where available, or request an export. Upon termination or expiry of the Agreement, Customer may instruct Prospeo to delete or return Customer Personal Data. Unless legally required or technically unavoidable in backups, Prospeo will remove Customer Personal Data from active systems within 90 days. Backups are deleted on a rolling 90-day cycle thereafter. Shorter timelines may be agreed in a signed Order. Prospeo may retain minimal records as necessary for billing, dispute resolution, security, and legal compliance.

2.7 Opt-out and suppression handling. Prospeo may make opt-out and suppression information available through Customer's account dashboard, API, or a designated secure webpage. If Customer continues to hold any Output Data, Customer agrees to apply all such opt-out or deletion requests to that Output Data in a timely manner. If Prospeo notifies Customer of a valid deletion or opt-out request from a data subject regarding their personal data, Customer agrees to promptly cease any further processing, use, or retention of that individual's personal data obtained through the Services, except if Customer has obtained and can demonstrate a separate, valid legal basis to continue such processing independent of Customer's relationship with Prospeo.

2.8 Audits and reviews.

2.8.1 Information: Upon request, Prospeo will provide information reasonably necessary to demonstrate compliance with this Addendum. Examples include security overviews, policies, and third-party test summaries.

2.8.2 Audit limitations: If the information provided under 2.8.1 is insufficient, Customer may conduct one audit per 12-month period, or following a material breach. Such audits require reasonable notice and must occur during normal business hours, subject to confidentiality and safety rules. Audits are primarily remote and document-based; onsite inspections are permitted only if strictly necessary.

2.8.3 Onsite conditions: Any onsite audit requires at least 30 days' prior written notice, execution of an onsite Non-Disclosure Agreement (NDA) or safety addendum if requested by Prospeo, and compliance with Prospeo's and its providers' security policies. The scope of the audit must be limited to systems and controls relevant to the Services. The audit may not include vulnerability scanning, penetration testing, source code review, or access to third-party confidential information without Prospeo's prior written approval.

2.8.4 Costs: Audits are generally at Customer's expense, unless they reveal material non-compliance that is attributable to Prospeo.

3. Module A - Customer as Controller; Prospeo as Processor

3.1 Roles and instructions: For Customer Personal Data processed under the Services, Customer is the Controller and Prospeo is the Processor. Prospeo will process Customer Personal Data only on Customer's documented instructions, including those in the Agreement, this Addendum, and Customer's in-product configurations and use of the Services. Prospeo will promptly inform Customer if it reasonably believes an instruction infringes Applicable Data Protection Laws (without providing legal advice).

3.2 Prohibited purposes by Prospeo: Prospeo will not sell or share Customer Personal Data. Prospeo will not use Customer Personal Data for cross-context behavioral advertising or other purposes unrelated to providing the Services, except as required by law or expressly permitted in this Addendum.

3.3 Output Data: Output Data is provided to Customer upon delivery. Customer is solely responsible for its lawful basis, transparency obligations, and downstream use of Output Data (including any required notices to individuals and compliance with marketing and anti-spam laws). Nothing in this Addendum grants Customer rights in or to the Prospeo Dataset, the Services, or Prospeo's underlying methodologies, except as expressly set out in the Agreement or an applicable Module C schedule.

3.4 Customer responsibilities and warranties: Customer represents and warrants that it: (a) has a valid lawful basis and has provided required notices for Customer Personal Data it submits; (b) will not submit special category data, children's data, or unlawful data; (c) will use the Services and Output Data in compliance with Applicable Data Protection Laws and applicable marketing and anti-spam laws. Customer will not use the Services or Output Data for consumer credit, employment, housing, insurance underwriting, or similarly high-risk decisions, except where permitted by law and agreed in writing.

4. Module B - Customer as Processor; Prospeo as Sub-processor

4.1 Roles and authorization: Where Customer acts as a processor on behalf of an End Customer Controller, Customer is a Processor and Prospeo is a Sub-processor. Customer represents and warrants that it has been authorized in writing by the End Customer Controller to appoint Prospeo as a sub-processor and to provide Prospeo with instructions that reflect the End Customer Controller's instructions. Prospeo will process personal data only on Customer's documented instructions, which Customer warrants reflect the End Customer Controller's instructions for the relevant processing.

4.2 Flow-down requirement. Customer must maintain a written agreement with each End Customer Controller that (a) appoints Customer as processor, (b) permits Customer to use sub-processors such as Prospeo, and (c) includes protections at least as protective as this Addendum for the relevant processing. Failure to maintain such agreements is a material breach. Customer will indemnify Prospeo for claims arising from Customer's failure to obtain or maintain the required authorizations and flow-down terms, to the extent permitted by law.

5. Module C - Controller-to-controller data sharing

5.1 Automatic controller status upon matching: When Customer Personal Data is matched against or enriched using the Prospeo Dataset, Prospeo becomes an independent controller of such matched data. Prospeo uses this data to verify, enrich, and improve the Prospeo Dataset for the benefit of all Prospeo users, subject to individuals' rights under Applicable Data Protection Laws.

5.2 Additional Module C features: Module C applies when explicitly enabled in an Order, SOW (Statement of Work), or an in-product setting for features like dataset supply, redistribution rights, or dataset contribution. If these features are enabled, the terms in Schedule 4 and/or Schedule 5 apply.

5.3 Independent controllers: Under Module C, the parties act as independent controllers for the processing described in Section 5 and its applicable schedules. Module C is not an Article 28 processor agreement.

5.4 Transparency and rights: Prospeo commits to maintaining public notices (including Article 14 disclosure where applicable) and providing an opt-out/deletion mechanism for its controller processing. Individuals' rights under Applicable Data Protection Laws prevail.

6. International data transfers (Data Privacy Framework / EU SCCs / UK Addendum / Swiss)

Prospeo may process Customer Personal Data internationally as needed to provide the Services. For "Restricted Transfers," the parties will rely on an appropriate transfer mechanism as detailed below.

6.1 Data Privacy Framework: Prospeo participates in and certifies compliance with the Data Privacy Framework. As required by the Data Privacy Framework, Prospeo will: (a) Provide at least the same level of privacy protection as required by the Data Privacy Framework Principles. (b) Notify Customer if Prospeo determines it can no longer meet its obligation to provide the required level of protection, in which case Prospeo will cease processing or take other reasonable and appropriate remedial steps. Where applicable, Prospeo will use the Data Privacy Framework to lawfully receive Customer Personal Data and/or Personal Data in the United States.

6.2 EU/EEA: To the extent legally required (e.g., if the Data Privacy Framework does not cover the transfer or is invalidated), the parties are deemed to have entered into and signed the EU Standard Contractual Clauses (2021/914) with the module determined by the applicable role: Module 2 (Controller to Processor) for processing under Module A; Module 3 (Processor to Processor) for processing under Module B; Module 1 (Controller to Controller) where Module C applies. Schedules 1, 2, and 3 form Annex I, Annex II, and Annex III of the SCCs, as applicable. The docking clause is enabled.

6.3 United Kingdom: For transfers subject to UK GDPR, the parties incorporate the UK ICO Addendum to the EU SCCs (Template A, as amended or replaced). The tables are completed by reference to Schedules 1-3 and the parties' details in the Agreement.

6.4 Switzerland: Where Swiss FADP applies, references to the EU GDPR shall be read to include Swiss law; the competent authority is the FDPIC, and governing law and jurisdiction are adapted as required.

6.5 Onward transfers: Prospeo will ensure onward transfers to Sub-processors occur under a valid transfer mechanism and with protections no less protective than those set out in the SCCs/UK Addendum.

7. U.S. state privacy terms (CPRA and similar)

General Provisions: For Customer Personal Data subject to CPRA or similar laws where Prospeo acts as a service provider/processor, Prospeo commits not to sell, share, retain, use, or disclose such Personal Information except to perform Services and permitted business purposes. Prospeo will not use the data for cross-context behavioral advertising. Prospeo will assist Customer with verifiable consumer requests as applicable. Prospeo will comply with applicable restrictions under the CCPA on combining Customer Personal Data with other data. Prospeo will provide the same level of protection for Customer Personal Data subject to the CCPA as required of Customer under the CCPA. Prospeo will notify Customer if it determines it can no longer comply with its CCPA obligations.

Remediation right: Where explicitly provided under the CCPA, Customer retains the right, upon reasonable notice to Prospeo, to take steps to: (a) ensure Prospeo uses Customer Personal Data consistent with Customer's CCPA obligations; (b) stop and remediate unauthorized use of Customer Personal Data.

8. Canada / Quebec Law 25 / PIPEDA

Privacy Officer and Security: Prospeo designates a Privacy Officer and maintains security safeguards appropriate to data sensitivity.

Privacy Impact Assessment (Quebec Law 25): For cross-border communications of personal information requiring a privacy impact assessment under Quebec Law 25, Prospeo will, upon reasonable request, provide information for Customer's assessment, including: (a) jurisdictions where processing occurs; (b) categories of Sub-processors and their general processing purpose; (c) a general description of safeguards (including encryption and access controls); (d) retention and deletion practices. Prospeo may withhold information that would compromise security or disclose third-party confidential information.

Breach Notification (PIPEDA): For PIPEDA, Prospeo will notify Customer as soon as feasible of a breach creating a real risk of significant harm and will maintain breach records as required by law.

9. Liability, indemnity, and miscellaneous

9.1 Liability: Each party's liability under this Addendum is subject to the limitations and exclusions in the Agreement. However, nothing limits liability where prohibited by law or under the SCCs/UK Addendum.

9.2 Customer indemnity (pro-vendor allocation): To the extent permitted by law, Customer will indemnify and hold harmless Prospeo from third-party claims, regulatory demands, and losses arising from: (a) Customer's unlawful instructions, use, or disclosures; (b) Customer's failure to provide required notices or lawful basis; (c) Customer's downstream sharing or marketing, including by End Customers, where Prospeo complied with this Addendum and Customer's instructions. This indemnity does not apply if a claim is caused by Prospeo's breach of this Addendum.

9.3 Amendments: Prospeo may update this Addendum to reflect changes in law or the Services. Material adverse changes will be notified and will take effect on the stated date.

9.4 Governing law: This Addendum follows the governing law of the Agreement, except where the SCCs/UK Addendum specify otherwise.

Schedule 1 (Annex I): Details of processing

A. Parties:

Controller (Customer): Name: As set out in the Order/Account; Address: As set out in the Order/Account; Contact (privacy): As designated by Customer.

Processor/Sub-processor (Prospeo): Name: Defastra Tech Inc. (dba "Prospeo"); Address: 1102-20 Eglinton Ave W, Toronto, ON M4R 1K8, Canada; Contact (privacy/security): privacy@prospeo.io / security@prospeo.io.

EU Representative (GDPR Art. 27): Name: Kevin Viotti; Address: 20 Rue de Belleville, 75020 Paris, France; Email: gdpr-rep@prospeo.io.

UK Representative (UK GDPR Art. 27): Name: Sales Upskill LTD; Address: 20 Wenlock Road, London, N1 7GU, United Kingdom; Email: gdpr-rep@prospeo.io.

B. Description of processing (Modules A/B):

Subject matter: Provision of the Services to Customer under the Agreement.

Duration: Term of the Agreement plus deletion period in Section 2.6.

Nature and purpose: Ingesting, storing, enriching, verifying, and returning professional contact and company data per Customer configurations; security and reliability; support; billing.

Categories of data subjects: Customer end users; Customer leads/prospects; Customer clients and business contacts; (Module B) End Customer Controller data subjects.

Categories of personal data: Professional identifiers (name, role/title, employer), business contact details (email, phone), public professional profile links, company attributes, limited technical identifiers for security/operations.

Sensitive/special categories: Not required nor intended. Customer will not submit special category data or children's data.

Frequency of transfer: Continuous and as needed.

Retention: As per Section 2.6.

C. Competent supervisory authority:

For the SCCs: Determined per EU GDPR (generally where the Customer's EU establishment is located).

For Swiss transfers: FDPIC.

For UK transfers: ICO.

Schedule 2 (Annex II): Technical and organizational measures (TOMs)

1. Governance and policy: Security program aligned with risk, policies reviewed at least annually, security training, and confidentiality obligations.

2. Access control and identity: Role-based access control, least privilege, unique credentials, MFA/SSO where supported, provisioning/de-provisioning, and periodic access reviews.

3. Encryption and key management: TLS for data in transit, encryption at rest, and managed key services with access logging.

4. Network and infrastructure security: Hosting in AWS (primary region: us-east-1), VPC isolation, firewalls/security groups, DDoS protections via provider, and patching and hardening.

5. Application security: Secure SDLC practices (code review, dependency scanning, secrets management), protections against common OWASP Top 10 threats, and environment segregation.

6. Monitoring and logging: Centralized logging, alerting on anomalous activity, time-synchronized logs, and retention aligned to operational and legal needs.

7. Vulnerability management and testing: Regular vulnerability scanning, remediation SLAs based on severity, periodic independent penetration testing, and remediation tracking.

8. Data minimization and segregation: Logical tenant isolation, minimization of stored personal data where feasible, and configuration controls where available.

9. Business continuity and backup: Backups with rolling retention, periodic restore testing, and documented disaster recovery procedures.

10. Incident response: 24/7 on-call, incident triage, containment, eradication, and post-incident review, along with notification obligations per Section 2.5.

11. Vendor and Sub-processor management: Security and privacy due diligence, contractual flow-down, and monitoring of significant changes.

12. Independent assurance (if available): Where Prospeo maintains independent attestations or certifications (e.g., SOC 2 Type II, ISO 27001), Prospeo may provide summaries or reports under NDA upon request.

Schedule 3 (Annex III): Sub-processors

Prospeo engages Sub-processors to provide the Services, including cloud hosting, email delivery, analytics, and support tooling. The current list (including locations and purposes) is available at prospeo.io/subprocessors. Prospeo will provide at least 30 days' advance notice of any material changes as described in Section 2.3.

Schedule 4 (Optional): Dataset contribution schedule (Controller to Controller)

This Schedule 4 applies only if Customer affirmatively enables the "Dataset Contribution" feature in the Services or signs an Order referencing it. If not enabled, this schedule does not apply.

1. Roles. For contributed records, each party acts as an independent controller.

2. Scope. Customer authorizes Prospeo to ingest, verify, and use contributed professional contact data to maintain and improve the Prospeo Dataset under Prospeo's legitimate interests, subject to individuals' rights.

3. No public source attribution. Prospeo will not publicly attribute specific records to Customer.

4. Transparency and rights. Prospeo will maintain public notices (including Article 14 disclosure where applicable) and provide an opt-out/deletion mechanism. Individuals' rights prevail over this Schedule.

5. Revocation. Customer may disable contribution at any time. This does not require Prospeo to purge data already integrated into the Prospeo Dataset prior to revocation, without prejudice to individuals' rights.

6. Data limitations. Customer will not contribute special category data, children's data, or data obtained unlawfully.

7. Precedence. This Schedule governs controller-to-controller contribution. Otherwise, this Addendum governs processor/sub-processor activities.

Schedule 5 (Optional): Prospeo Dataset supply and redistribution terms (Controller to Controller)

This Schedule 5 applies only if an Order expressly grants Customer rights to access the Prospeo Dataset as a dataset or to redistribute Prospeo-provided records beyond Customer's internal use. If not expressly granted, this schedule does not apply.

1. Roles: Each party acts as an independent controller for its processing under this Schedule 5.

2. License and permitted purpose: Prospeo grants Customer a limited, non-exclusive, non-transferable license to use the Prospeo Dataset strictly for the permitted purpose stated in the Order (the "Permitted Purpose"). No other rights are granted.

3. No standalone resale: Customer may not sell, license, publish, or disclose the Prospeo Dataset (or any substantial portion) as a standalone dataset, list, or data feed. If redistribution is permitted in the Order, it may occur only as an embedded feature within Customer's application for Customer's end users and only to the extent necessary for the Permitted Purpose.

4. Downstream restrictions: Where redistribution is permitted, Customer must impose written downstream terms that prohibit further resale or re-distribution, require compliance with Applicable Data Protection Laws, and require honoring opt-outs and suppression requests.

5. Customer compliance: Customer is solely responsible for lawful basis, notices (including Article 13/14 where applicable), marketing compliance, and maintaining suppression lists for its processing and any downstream recipients.

6. Rights handling: Each party will handle requests relating to its own processing. Customer will promptly forward to Prospeo any request that reasonably relates to Prospeo's dataset provenance, global opt-out, or Prospeo's independent controller obligations.

7. No representations on behalf of Prospeo: Customer will not make statements on Prospeo's behalf regarding the Prospeo Dataset, including sources or collection methods, and will direct such inquiries to Prospeo.

8. Warranty disclaimer and liability cap: To the maximum extent permitted by law, the Prospeo Dataset is provided "as is" and Prospeo disclaims warranties of accuracy, completeness, fitness for a particular purpose, and non-infringement, except as required by law. Notwithstanding any other provision of this Addendum or the Agreement, Prospeo's total liability for any claims relating to data accuracy, completeness, or quality of the Prospeo Dataset shall not exceed the fees actually paid by Customer to Prospeo in the 12 months immediately preceding the claim giving rise to such liability.

9. Indemnity: To the extent permitted by law, Customer will indemnify Prospeo for claims arising from Customer's use, redistribution, or downstream sharing of the Prospeo Dataset contrary to this Schedule 5 or Applicable Data Protection Laws, except to the extent caused by Prospeo's breach of this Schedule 5.

Signatures

The parties agree to this Addendum as of the effective date of the Agreement (or the date Customer clicks to accept online). If a signature is required, the parties may execute this Addendum in counterparts, including electronically.

Customer

Name:

Title:

Date:

Signature:

Defastra Tech Inc. (dba "Prospeo")

Name:

Title:

Date:

Signature:
