Neptune — Payments, reimagined for a new era.

1. About this Addendum This Data Processing Addendum (the "Addendum") forms part of the agreement between Unlshd Ltd, trading as NeptunePay ("Unlshd"), and the merchant or counterparty identified in the underlying agreement (the "Counterparty"). It applies where, in the course of performing the underlying agreement, one party processes personal data on behalf of, or jointly with, the other party. It is intended to satisfy the requirements of Article 28 of the GDPR and analogous obligations under applicable data-protection laws. Where there is any conflict between the underlying agreement and this Addendum in respect of personal-data processing, this Addendum prevails. 2. Definitions Capitalised terms not defined in this Addendum have the meanings given to them in the underlying agreement or in the GDPR. In this Addendum: • "Data Protection Laws" means the GDPR; the Cyprus Processing of Personal Data (Protection of Individuals) Law of 2018 (L. 125(I)/2018); and any other data-protection law applicable to a party in respect of the processing. • "Personal Data" means any personal data processed by a party on behalf of, or jointly with, the other party in the course of the underlying agreement. • "Processing" has the meaning given in Article 4(2) of the GDPR. • "Sub-processor" means any third party engaged by a Processor to carry out specific Processing activities on behalf of a Controller. 3. Roles of the Parties Unless the parties expressly agree otherwise in Schedule 1 to this Addendum, the parties' roles are as follows: • In respect of merchant-onboarding, due-diligence, and ongoing-monitoring data: Unlshd acts as an independent Controller; the Counterparty (where the data relates to the Counterparty's representatives) is, in respect of those representatives, a separate Controller. • In respect of cardholder data: neither party processes cardholder primary account numbers or other PCI cardholder data on behalf of the other; cardholder data is processed by the partner acquirer and its sub-processors. • In respect of website-visitor data of each party's own websites: each party is the Controller of its own visitor data. Where, in any specific processing activity, Unlshd acts as a Processor on behalf of the Counterparty (or vice versa), the obligations in Sections 5–11 below apply to that activity. 4. Compliance with Data Protection Laws Each party warrants that it complies with the Data Protection Laws applicable to its Processing under the underlying agreement. Each party is responsible for the lawfulness of its own Processing and for providing any notices and obtaining any consents required from data subjects in respect of its own Processing. 5. Processor Obligations Where a party (the "Processor") processes Personal Data on behalf of the other (the "Controller"), the Processor will: • process Personal Data only on the documented instructions of the Controller, including with regard to transfers outside the European Economic Area, except where required by applicable law (in which case the Processor will inform the Controller of that legal requirement, unless prohibited from doing so); • ensure that persons authorised to process Personal Data are bound by an obligation of confidentiality; • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art, the cost of implementation, the nature, scope, context, and purposes of the Processing, and the rights and freedoms of natural persons; • respect the conditions for engaging Sub-processors set out in Section 6; • taking into account the nature of the Processing, assist the Controller, by appropriate technical and organisational measures and insofar as practicable, with the fulfilment of the Controller's obligation to respond to requests from data subjects exercising their rights; • assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessment, prior consultation), taking into account the nature of the Processing and the information available to the Processor; • at the Controller's choice, return or delete Personal Data on termination of the Processing, unless retention is required by applicable law; • make available to the Controller all information necessary to demonstrate compliance with this Section 5, and contribute to and allow audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with Section 9. 6. Sub-processors The Controller authorises the Processor to engage Sub-processors for the purposes of the Processing, subject to the following conditions: • the Processor maintains a current list of Sub-processors, available on request; • the Processor imposes data-protection obligations on each Sub-processor that are no less protective than those in this Addendum; • the Processor remains liable to the Controller for the acts and omissions of its Sub-processors; • the Processor will give the Controller reasonable advance notice of any new Sub-processor (or of any change to an existing Sub-processor) and will give the Controller a reasonable opportunity to object on data-protection grounds. 7. International Transfers Where Personal Data is transferred from the European Economic Area to a jurisdiction not the subject of an adequacy decision under Article 45 of the GDPR, the parties will put in place appropriate safeguards under Article 46. The default safeguard is the European Commission Standard Contractual Clauses adopted under Implementing Decision (EU) 2021/914, in the modules and configuration appropriate to the parties' roles, supplemented (where required by the recipient jurisdiction's law) by additional technical and organisational measures. 8. Personal-Data Breach Each party will notify the other party without undue delay (and, where the notifying party is a Processor on behalf of the other party, in any event within 48 hours) on becoming aware of a Personal-Data Breach affecting the other party's Personal Data. The notification will include the information required under Article 33(3) of the GDPR, to the extent then available, and will be supplemented as further information becomes known. 9. Audits Each party will make available to the other, upon reasonable advance written request and not more often than once in any twelve-month period (save in case of a Personal-Data Breach or a documented regulatory or partner-acquirer requirement), such information as is reasonably necessary to demonstrate compliance with this Addendum. On reasonable advance written notice, the Controller (or an independent auditor mandated by the Controller and bound by confidentiality) may conduct an audit, at the Controller's expense, during normal business hours and in a manner that minimises disruption to the Processor's business. 10. Records of Processing Each party will maintain records of the Processing carried out under the underlying agreement, in accordance with Article 30 of the GDPR. 11. Liability The liability of each party in respect of any breach of this Addendum is subject to the limitations of liability and aggregate caps set out in the underlying agreement, except to the extent that any liability cannot lawfully be limited (including liability for fraud, fraudulent misrepresentation, gross negligence, wilful misconduct, or, where applicable, regulatory fines for which liability cannot be capped). 12. Term and Termination This Addendum applies from the effective date of the underlying agreement and continues for so long as either party processes Personal Data within its scope. Termination of the underlying agreement does not affect any obligations in this Addendum that, by their nature, are intended to survive (including Sections 5(g), 7, 8, 9, 10, and 11). 13. Schedules Schedule 1 (Processing Description) sets out, in respect of each Processing activity, the subject-matter, duration, nature, purpose, type of Personal Data, and categories of data subject. Schedule 2 (Technical and Organisational Measures) sets out the technical and organisational measures applied by each party as Processor. Schedule 3 (Sub-processors) lists the Sub-processors engaged by each party. Schedules 1 to 3 are completed and agreed by the parties separately and form part of this Addendum. — END OF ADDENDUM —