Data Protection Addendum
This Data Protection Addendum ("Addendum") between Nexura Technologies ("Nexura") and the Customer (as defined in the Agreement) forms part of the Nexura Technologies Terms of Service set forth at https://wyzard.ai/terms-conditions/ or such other written or electronic agreement incorporating this Addendum, in each case governing Customer's access to and use of the Services (the “Agreement”).
Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Nexura Technologies. For the purposes of this Addendum only, and except where otherwise indicated, references to “Customer” shall include Customer and such Affiliates.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
1. Definitions
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Client or Nexura Technologies (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- "Client Personal Data" means any Personal Data provided by or made available by Customer to Nexura Technologies, or collected by Nexura Technologies on behalf of Customer, which is Processed by Nexura Technologies to perform the Services;
- "Controller to Processor SCCs" means (i) the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021, governing the transfer of EU Area Personal Data to Third Countries, as adopted by the European Commission and as recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) for data transfers to Third Countries (collectively, the “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner's Office (“UK ICO”) for data transfers from the UK to Third Countries; or (iii) any similar clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto;
- "Data Protection Laws" means any local, state, or national law regarding the processing of Personal Data applicable to Nexura Technologies in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law;
- “EU Area” means the European Union, European Economic Area, United Kingdom, and Switzerland;
- “EU Area Law” means
- Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 ("EU GDPR") together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons;
- the Data Protection Act 2018 of the United Kingdom and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”);
- the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (the “Swiss DPA”);
- any other law relating to the data protection, security, or privacy of individuals that applies in the EU Area; or
- any successor or amendments thereto (including, without limitation, implementation of the EU GDPR by Member States into their national law);
- "Privacy Shield" means the EU-US Privacy Shield Framework; and
- "Services" means the services to be supplied by Nexura Technologies to Client or Client Affiliates pursuant to the Terms.
- “Third Country” means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data, including regulators such as the European Commission, UK ICO, or Swiss FDPIC.
1.2 The terms “Business”, “Business Purpose”, “commercial purpose”, “Contractor”, "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor", “Sell”, “Service Provider”, “Share”, “Subprocessor”, "Supervisory Authority", and “Third Party” have the same meanings as described in applicable Data Protection Laws and cognate terms shall be construed accordingly.
1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.
2. Formation of this Addendum
This Addendum is deemed agreed by the Parties and comes into effect on the “Addendum Effective Date”, being the later of (i) the date that this Addendum is accepted by Client; and (ii) Nexura Technologies
3. Roles of the Parties
The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller and Nexura Technologies acts as a Processor, which may engage Other Processors as set out in section 5.2.4 below.
4. Description of Personal Data Processing
In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by Nexura Technologies pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party as reasonably necessary to meet those requirements. Annex 1 does not create any obligations or rights for either Party.
5. Data Processing Terms
5.1 Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of Client Personal Data and its transfer to Nexura Technologies. Client agrees not to provide Nexura Technologies with any data concerning a natural person's health or religion, or any other special categories of data as defined in Article 9 of the GDPR.
5.2 Nexura Technologies shall:
5.2.1 Process the Client Personal Data relating to the categories of Data Subjects, for the purposes of the Terms and for the specific purposes, in each case as set out in Annex 1 to this Addendum, and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms, including with regard to transfers of Client Personal Data to a Third Country or to an international organization. Nexura Technologies shall immediately inform Client if, in Nexura Technologies's opinion, an instruction infringes applicable Data Protection Laws;
5.2.2 Ensure that persons authorized to Process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.2.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymization and encryption of Client Personal Data; (b) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services that process Client Personal Data; (c) restoring the availability of and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and (d) regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of the Client Personal Data. Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between Nexura Technologies and Client;
5.2.4 Client (on behalf of the relevant Controller(s), as applicable) hereby expressly and specifically authorizes Nexura Technologies to engage another Processor to Process the Client Personal Data ("Other Processor"), and specifically the Other Processors listed in Annex 2 hereto, subject to Nexura Technologies:
(a) notifying Client of any intended changes to its use of the Other Processors listed in Annex 2 by emailing notice of the intended change to Client;
(b) including data protection obligations in its contract with each Other Processor that are materially the same as those set out in this Addendum; and
(c) remaining liable to Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of the Client Personal Data.
In relation to any notice received under section 5.2.4(a), Client shall have a period of 30 (thirty) days from the date of the notice to inform Nexura Technologies in writing of any reasonable objection to the use of that Other Processor. The Parties will then, for a period of no more than 30 (thirty) days
5.2.5 To the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data, and, taking into account the nature of the Processing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the obligation of Client, Client's Affiliates or the relevant Controller(s) to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR. Client agrees to pay Nexura Technologies for time and out-of-pocket expenses incurred by Nexura Technologies in connection with the performance of its obligations under this Section 5.2.5;
5.2.6 Upon becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay of such Personal Data Breach, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;
5.2.7 To the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client's Affiliates or the relevant Controller(s) with their obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Nexura Technologies. Client agrees to pay Nexura Technologies for time and out-of-pocket expenses incurred by Nexura Technologies in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;
5.2.8 Cease Processing the Client Personal Data upon the termination or expiry of the Terms and, at the option of Client, Client's Affiliates or the relevant Controller(s), either return or delete (including by ensuring such data is in a non-readable format) all copies of the Client Personal Data Processed by Nexura Technologies, unless (and solely to the extent and for such period as) applicable law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, Nexura Technologies may retain Personal Data, and shall have no obligation to return Personal Data, to the extent required by applicable laws or regulations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms, and
6. Restricted Transfers
Nexura Technologies shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy Shield, and, in such a case, Nexura Technologies will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms. Nexura Technologies acts as a Processor with respect to Personal Data received pursuant to a data transfer. In the event the Privacy Shield is invalidated, Client and each Client Affiliate (on behalf of the relevant Controller(s), as the case may be), if applicable (as "data exporter"), and Nexura Technologies (as "data importer") shall, with effect from the commencement of the relevant transfer, enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or a Client Affiliate to Nexura Technologies, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws. Appendix 1 to the Controller to Processor SCCs shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Addendum, and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be prepopulated with the following: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nexura Technologies shall implement appropriate technical and organizational measures as set forth in the Addendum."
7. Precedence
The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.
8. Indemnity
To the extent permissible by law, Client shall indemnify and hold harmless Nexura Technologies against all:
- (i) losses
- (ii) third-party claims
- (iii) administrative fines and
- (iv) costs and expenses (including without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by Nexura Technologies and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.
9. Severability
The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.
10. Others
Nexura Technologies ensures that its contract to Process PII addresses its role in assisting the Customer with the Customer's own obligations. The Agreement addresses the following:
a. Privacy by design and by default;
b. Achieving security of Processing;
c. Notification of breaches involving PII to a Supervisory Authority;
d. Notification of breaches involving PII to Customers and PII Principals;
e. Conducting privacy impact assessments;
f. Assurance of assistance by the PII Processor where prior consultation with the relevant PII protection authorities is needed;
g. Nexura Technologies shall inform the Customer if, in its opinion, a Processing instruction infringes applicable legislation or regulation;
h. Nexura Technologies does not use PII Processed under a contract for the purposes of marketing and advertising;
i. Nexura Technologies uses AWS and PIPL as Subprocessors, each of which has satisfied Nexura Technologies's security and privacy requirements;
j. Nexura Technologies shall comply with all statutory and regulatory requirements, ISO/IEC 27701:2019, and the EU GDPR;
k. Data shall be deleted or de-identified once Processing is complete, that is, after the selected retention period has elapsed;
l. Nexura Technologies shall give Clients at least 24 hours' notice before disclosing PII in response to any legally binding request for disclosure;
m. Data Subjects may request access to, correction of, or erasure of their PII, and may raise concerns or complaints relating to PII, by contacting the Data Protection Officer (DPO) below:
Name: Abhishek Verma
Email ID: abhishek.verma@roundcircle.tech
Annex 1 to Data Protection Addendum
Description of Processing Activities for Customer Personal Data
This Annex includes certain details of the Processing of Customer Personal Data by Nexura Technologies in connection with the Services.
List of Parties
Data Exporter | Details |
---|---|
Name | Customer (as defined in the Agreement) |
Address | As set forth in the relevant Order Form. |
Contact person's name, position and contact details | As set forth in the relevant Order Form. |
Activities relevant to the data transferred under these Clauses: | Recipient of the Services provided by Nexura Technologies in accordance with the Agreement. |
Signature and date: | Signature and date are set out in the Agreement. |
Role (controller/processor): | Controller |
Data Importer | Details |
---|---|
Name | Nexura Technologies |
Address | Flat No. A5-14, Space AT4, Sector 14, Sadar Bazar, Gurugram, Haryana 122001, India |
Contact person's name, position and contact details | Abhishek Verma, abhishek.verma@roundcircle.tech |
Activities relevant to the data transferred under these Clauses | Provision of the Services to the Customer in accordance with the Agreement. |
Signature and date | Signature and date are set out in the Agreement. |
Role (controller/processor) | Processor |
Competent Supervisory Authority | Details |
---|---|
Competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs) | As determined by application of Clause 13 of the EU SCCs. |
3. Technical and Organisational Security Measures
Description of the technical and organisational security measures implemented by Nexura Technologies as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Security
- Security Management System.
- Organization. Nexura Technologies designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.
- Policies. Management reviews and supports all security related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.
- Assessments. Nexura Technologies engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.
- Risk Treatment. Nexura Technologies maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.
- Vendor Management. Nexura Technologies maintains an effective vendor management program.
- Incident Management. Nexura Technologies reviews security incidents regularly, including effective determination of root cause and corrective action.
- Standards. Nexura Technologies operates an information security management system that complies with the requirements of the ISO/IEC 27001:2022 standard.
- Personnel Security
- Nexura Technologies personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Nexura Technologies conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, including in relation to employment history and criminal records, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.
- Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times. Personnel must acknowledge receipt of, and compliance with, Nexura Technologies's confidentiality, privacy and security policies. Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). Nexura Technologies's personnel will not process Customer Personal Data without authorization.
- Access Controls
- Access Management. Nexura Technologies maintains a formal access management process for the request, review, approval and provisioning of all personnel with access to Customer Personal Data to limit access to Customer Personal Data and systems storing, accessing or transmitting Customer Personal Data to properly authorized persons having a need for such access. Access reviews are conducted periodically to ensure that only those personnel with access to Customer Personal Data still require it.
- Infrastructure Security Personnel. Nexura Technologies has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Nexura Technologies's infrastructure security personnel are responsible for the ongoing monitoring of Nexura Technologies's security infrastructure, the review of the Services, and for responding to security incidents.
- Access Control and Privilege Management. Nexura Technologies's and Customer's administrators and end users must authenticate themselves via a multi-factor authentication (MFA) system or via a single sign-on (SSO) system in order to use the Services.
- Internal Data Access Processes and Policies – Access Policy. Nexura Technologies's internal data access processes and policies are designed to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data. Nexura Technologies designs its systems to allow authorized persons to access only the data they are authorized to access, based on the principles of least privilege and need to know, and to prevent others who should not have access from obtaining it. Nexura Technologies requires the use of unique user IDs, strong passwords, two-factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on the authorized personnel's job responsibilities, the job duty requirements necessary to perform authorized tasks, and a need-to-know basis, and must be in accordance with Nexura Technologies's internal data access policies and training. Approvals are managed by email, which maintains an audit record of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies follow industry standard practices, including password complexity, password expiry, account lockout, restrictions on password reuse, and re-prompting for the password after a period of inactivity.
- Data Center and Network Security
- Data Centers.
- Infrastructure. Nexura Technologies's production environment is hosted in Amazon Web Services (AWS) data centers.
- Resiliency. The production environment is deployed across multiple AWS Availability Zones, and Nexura Technologies conducts backup restoration testing on a regular basis to verify resiliency.
- Server Operating Systems. Nexura Technologies's servers are customized for the application environment and have been hardened for the security of the Services. Nexura Technologies employs a code review process to increase the security of the code used to provide the Services and to enhance the security of the Services in production environments.
- Disaster Recovery. Nexura Technologies replicates data over multiple systems to help protect against accidental destruction or loss. Nexura Technologies has designed, and regularly plans and tests, its disaster recovery programs.
- Security Logs. Nexura Technologies's systems have logging enabled to their respective system log facility in order to support the security audits, and monitor and detect actual and attempted attacks on, or intrusions into, Nexura Technologies's systems.
- Vulnerability Management. Nexura Technologies performs regular vulnerability scans on all infrastructure components of its production and development environments. Vulnerabilities are remediated on a risk basis, with Critical, High and Medium severity security patches for all components installed as soon as commercially practicable.
- Networks and Transmission.
- Data Transmission. Data in the production environment is transmitted using standard Internet protocols.
- External Attack Surface. A Cloudflare web application firewall (WAF) and AWS Security Groups (which act as a virtual firewall for the production instances) are in place for the production environment on AWS.
- Incident Response. Nexura Technologies maintains incident management policies and procedures, including detailed security incident escalation procedures. Nexura Technologies monitors a variety of communication channels for security incidents, and Nexura Technologies's security personnel will react promptly to suspected or known incidents, mitigate harmful effects of such security incidents, and document such security incidents and their outcomes.
- Encryption Technologies. Nexura Technologies makes HTTPS encryption (TLS, historically also referred to as SSL) available for data in transit.
- Data Storage, Isolation, Authentication, and Destruction. Nexura Technologies stores data in a multi-tenant environment on AWS servers. Data, the Services database and the file system architecture are replicated between multiple Availability Zones on AWS. Nexura Technologies logically isolates the data of different customers. A central authentication system is used across all Services to enforce uniform security of data. Nexura Technologies ensures secure disposal of Client Data through a series of data destruction processes.
Annex 1: Description of Processing of Client Personal Data
This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR and, as applicable, Controller to Processor SCC.
Subject matter and duration of the Processing of the Personal Data
Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Client's Personal Data are set out in Section 2 of the Terms.
The nature and purpose of the Processing of Personal Data
Due diligence and background verification of organizations and individuals.
The categories of Data Subject to whom the Client's Personal Data relates
- Employees and contractors of Clients.
The types of Client Personal Data to be Processed
Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related Person, Related URL, User ID, and Username.
Special categories of data
None.
The obligations and rights of Client
The obligations and rights of Client are set out in the Terms and this Addendum.
Data exporter (as applicable)
The data exporter is: the Client of Nexura Technologies that uses the Services.
Data importer (as applicable)
The data importer is: PIPL, a company that provides services to the Client and that requires receipt of the Client's query data.
Processing operations (as applicable)
The personal data transferred will be subject to the following basic processing activities: the provision of the Services by Nexura Technologies to Client for due diligence and background verification as per Client requirements.
Annex 2: Authorized Other Processors
Name of Other Processor | Description of Processing | Location of Other Processor |
---|---|---|
Google Workspace | Email services | India |
Amazon Web Services | Hosting the Production Environment | Singapore |
RazorPay | Payroll | India |
MongoDB | Database | Singapore |
Scrut Automation | Risk Management & Governance | India |
OpenAI | Formatting (beautifying) chatbot answers to user questions | USA |
GitHub | Code Version Control | India |
DigitalOcean | Website Hosting | India |
Confluent Cloud | Kafka for data processing | India |
ScrapingDog | To fetch the information of user which is publicly available | USA |
Getcensus | To onboard new customer | EU |
Postmark | To send emails | USA |
Usebouncer | To validate emails | EU |
HubSpot | CRM tool | USA |
Freshworks | CRM tool | India |