Data Processing Agreement
ENDOXIA B.V.
Data Processing Agreement — part of every Agreement between Endoxia B.V. and the Customer.
VERSION | 1.0 |
STATUS | Final |
EFFECTIVE DATE | 1 June 2026 |
DOCUMENT TYPE | Data Processing Agreement |
Endoxia B.V.
Tweede Jan van der Heijdenstraat 16-1, 1073 VH Amsterdam, The Netherlands
endoxia.com · privacy@endoxia.com
Confidential · © 2026 Endoxia B.V. · All rights reserved.
Table of Contents
1. Parties
2. Purpose and scope
3. Definitions
4. Subject matter of the processing
5. Categories of data subjects
6. Categories of personal data
7. Instructions
8. Confidentiality
9. Security
10. AI processing
11. Location of processing
12. Sub-processors
13. Requests from data subjects
14. DPIA and supervisory authorities
15. Data breaches
16. Audits
17. Retention periods
18. Deletion and return
19. Liability
20. Order of precedence
21. Applicable law
Annex 1 — Processing Specification
This Data Processing Agreement (“DPA”) forms an integral part of every agreement between Endoxia B.V. (“Processor”) and the Customer (“Controller”).
1. Parties
CONTROLLER
The Customer using the Platform.
PROCESSOR
Endoxia B.V.
Tweede Jan van der Heijdenstraat 16-1
1073 VH Amsterdam
The Netherlands
Website: endoxia.com
Email: privacy@endoxia.com
2. Purpose and scope
2.1 This Data Processing Agreement governs any processing of Personal Data that Endoxia performs on behalf of the Customer in the context of providing the Platform and Services.
2.2 This Data Processing Agreement applies solely to processing where the Customer qualifies as controller and Endoxia as processor within the meaning of the GDPR.
2.3 If Endoxia processes personal data for its own purposes, Endoxia’s Privacy Statement shall apply.
3. Definitions
For the purposes of this Data Processing Agreement, terms from the GDPR have the same meaning. Among others, the following definitions apply:
GDPR
Regulation (EU) 2016/679.
Personal Data
any information relating to an identified or identifiable natural person.
Data Subject
the person to whom Personal Data relates.
Processing
any operation or set of operations performed on Personal Data as referred to in Article 4 of the GDPR.
Sub-processor
any third party engaged by Endoxia for processing Personal Data.
Personal Data Breach (Data Breach)
a breach as referred to in Article 4 of the GDPR.
4. Subject matter of the processing
4.1 Endoxia processes Personal Data solely for the purpose of executing the Agreement.
4.2 The processing may include, among other things:
storage;
hosting;
structuring;
document analysis;
search functionalities;
AI processing;
text generation;
summarisation;
classification;
indexing;
security;
logging;
backup;
support.
4.3 Endoxia processes Personal Data solely on the basis of documented instructions from the Customer, unless a legal obligation requires otherwise.
5. Categories of data subjects
The processing may relate to, among others:
clients of the Customer;
counterparties;
employees;
directors;
shareholders;
contractual partners;
suppliers;
advisors;
parties to legal proceedings;
End Users;
other individuals appearing in documents processed by the Customer.
6. Categories of personal data
The processing may relate to:
names;
contact details;
email addresses;
telephone numbers;
addresses;
identification data;
financial data;
contract data;
correspondence;
litigation documents;
client files;
metadata;
log data;
documents;
special categories of personal data;
criminal data,
insofar as such data is entered by the Customer.
7. Instructions
7.1 Endoxia processes Personal Data solely in accordance with:
a. the Agreement;
b. this Data Processing Agreement;
c. written instructions from the Customer.
7.2 If Endoxia is of the opinion that an instruction infringes the GDPR or other privacy legislation, Endoxia shall inform the Customer thereof.
8. Confidentiality
8.1 Endoxia shall ensure that all persons who have access to Personal Data are bound by appropriate confidentiality obligations.
8.2 These confidentiality obligations shall continue to exist after termination of the activities.
9. Security
9.1 Endoxia shall take appropriate technical and organisational measures as referred to in Article 32 GDPR.
9.2 These measures include, among other things:
access control;
role-based authorisations;
encryption in transit;
secure storage;
network security;
logging;
monitoring;
multi-factor authentication where appropriate;
backups;
recovery procedures;
patch management;
vulnerability management.
9.3 Endoxia periodically assesses these measures and adjusts them where necessary.
10. AI processing
10.1 Endoxia uses Personal Data solely to provide the agreed functionalities.
10.2 Personal Data of the Customer will not be used for:
training AI models;
fine-tuning AI models;
improving AI models,
unless the Customer has given explicit prior consent for this.
10.3 Endoxia shall take reasonable measures to prevent Personal Data from being used for unauthorised model training by engaged suppliers.
11. Location of processing
11.1 Personal Data is stored and processed within the European Economic Area.
11.2 If a transfer outside the EEA becomes necessary, Endoxia shall only use a valid transfer mechanism under the GDPR.
11.3 Endoxia implements appropriate safeguards, including Standard Contractual Clauses where necessary.
12. Sub-processors
12.1 The Customer grants general consent for the use of Sub-processors.
12.2 Endoxia maintains an up-to-date overview of the Sub-processors used.
12.3 Endoxia shall announce new Sub-processors in advance.
12.4 The Customer may object on motivated grounds within fourteen (14) days if a new Sub-processor poses a demonstrable privacy or security risk.
12.5 Endoxia shall impose privacy obligations on each Sub-processor that are materially equivalent to this Data Processing Agreement.
12.6 Endoxia remains responsible for the performance of its Sub-processors.
13. Requests from data subjects
13.1 Insofar as possible, Endoxia enables the Customer to handle requests from data subjects.
13.2 This concerns, among others, requests regarding:
access;
rectification;
erasure;
data portability;
restriction;
objection.
13.3 Endoxia does not handle such requests independently, unless this is legally required.
14. DPIA and supervisory authorities
14.1 Endoxia provides reasonable assistance with:
Data Protection Impact Assessments;
prior consultations;
investigations by supervisory authorities.
14.2 Endoxia may charge reasonable costs for this if the work exceeds normal service provision.
15. Data breaches
15.1 Endoxia shall inform the Customer without unreasonable delay after becoming aware of a Data Breach.
15.2 The notification shall contain, insofar as available:
the nature of the incident;
the categories of data concerned;
the categories of data subjects concerned;
the likely consequences;
the measures taken;
a contact person.
15.3 Endoxia provides reasonable assistance with investigation and remediation.
15.4 The Customer remains responsible for notifications to supervisory authorities and data subjects, unless otherwise required under applicable law.
16. Audits
16.1 The Customer may perform an audit once per calendar year.
16.2 Audits must:
be announced at least thirty (30) days in advance;
take place during normal office hours;
not unreasonably disrupt business operations.
16.3 Instead of a physical audit, Endoxia may make recent audit reports, certifications, or security assessments available.
16.4 The costs of audits shall be borne by the Customer.
17. Retention periods
17.1 Personal Data is not retained longer than necessary for the execution of the Agreement.
17.2 Upon termination of the Agreement, Endoxia shall delete Personal Data in accordance with its deletion policy, unless:
legal retention obligations apply;
a dispute is pending;
security reasons require temporary retention.
17.3 Backups are deleted according to the regular backup cycles.
18. Deletion and return
18.1 At the request of the Customer, Endoxia shall return the available Personal Data.
18.2 If return is not requested, Endoxia shall delete the data within a reasonable period after termination of the services.
18.3 Technical backup copies may remain in existence during the normal retention period, provided they are adequately secured.
19. Liability
19.1 The liability arrangements from the Agreement fully apply to this Data Processing Agreement.
19.2 To the extent permitted by law, Endoxia's total liability is limited to the amount paid by the Customer to Endoxia during the twelve (12) months preceding the event causing the damage.
19.3 Nothing in this Data Processing Agreement limits liability to the extent that such limitation is not permitted under the GDPR.
20. Order of precedence
In the event of any conflict between (a) the Agreement, (b) this Data Processing Agreement, and (c) the General Terms and Conditions, the following order of precedence shall apply:
Data Processing Agreement;
Agreement;
General Terms and Conditions.
21. Applicable law
21.1 This Data Processing Agreement is exclusively governed by Dutch law.
21.2 Any disputes shall be submitted exclusively to the competent court in Amsterdam.
Annex 1 — Processing Specification
Component | Specification |
Purpose of processing | Providing an AI-driven software platform for professional document processing, knowledge extraction, analysis, workflow support, and product functionalities. |
Categories of data subjects | Clients, employees, directors, shareholders, contractual partners, counterparties, suppliers, advisors, End Users, and other individuals appearing in Customer documents. |
Categories of personal data | Identification data, contact details, file data, correspondence, contract data, financial data, special categories of personal data, and criminal personal data, insofar as entered by the Customer. |
Duration of processing | For the duration of the Agreement and the applicable deletion period. |
Sub-processors | Up-to-date list available upon request via privacy@endoxia.com. |