Data Processing Agreement
Agreement pursuant to Article 28.3 of the General Data Protection Regulation EU 2016/679
Last updated: 2026-02-17
This Data Processing Agreement ("DPA") is entered into pursuant to Article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, GDPR) and forms part of the agreement between VER&IT AB ("Processor") and the subscribing organisation ("Controller") for use of the Securapilot platform.
1. Parties, roles, contact details and contact persons
| | Controller | Processor |
|---|---|---|
| Full legal name | | VER&IT AB |
| Organisation number | | 556985-1206 |
| Postal address | | As stated in the service agreement |
| Contact person for administration of this Data Processing Agreement | Name: To be provided by customer; Email: To be provided by customer; Phone: To be provided by customer | |
| Contact person for the parties' data protection cooperation | Name: To be provided by customer; Email: To be provided by customer; Phone: To be provided by customer | |
2. Background
2.1 The subscribing organisation ("Controller") has entered into a service agreement with VER&IT AB ("Processor") for use of Securapilot's governance, risk and compliance (GRC) platform ("Service").
2.2 As the Processor, in the course of performing the service agreement, will carry out processing of personal data on behalf of the Controller for which the Controller is the data controller, and thereby act as the Controller's data processor, this DPA is entered into.
2.3 This DPA is designed to meet the requirements of Applicable Data Protection Law in relation to the processing that the Processor carries out on behalf of the Controller within the framework of the parties' cooperation.
2.4 If and to the extent that another company in the same group as the Controller is to be considered a data controller (alone or together with the Controller) for processing covered by this DPA, the Controller hereby confirms that it has obtained the necessary authorisations to enter into this DPA also on behalf of such company.
3. Definitions
3.1 In this DPA, the following terms shall have the meanings set out below. Terms not defined herein, such as "controller", "processor", "personal data", "processing" and "personal data breach", shall have the meanings ascribed to them in Applicable Data Protection Law.
- "GDPR"
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- "the Data"
- Personal data processed by the Processor on behalf of the Controller within the framework of the Service, as specified in Section 6 below.
- "Data Subject"
- A natural person whose personal data forms part of the Data.
- "Applicable Data Protection Law"
- (i) the GDPR and any successor legislation; (ii) applicable Swedish data protection law; and (iii) related regulations and guidelines issued by the Supervisory Authority applicable to the parties' activities.
- "Supervisory Authority"
- The Swedish Authority for Privacy Protection (IMY) and, where applicable, any other competent supervisory authority exercising oversight over a party's activities.
- "Service"
- Securapilot's governance, risk and compliance (GRC) platform and associated modules as described in the service agreement.
4. Application and instructions
4.1 The Processor shall process the Data solely in accordance with this DPA, the Controller's documented instructions and Applicable Data Protection Law. The instructions in force upon entering into this DPA are set out herein.
4.2 The Processor may not process the Data in any other manner, for other purposes or in accordance with other instructions than those set out in this DPA. If the Processor determines that necessary instructions are missing, or that instructions conflict with Applicable Data Protection Law, the Processor shall immediately notify the Controller and await further instructions. The Processor is not obliged to follow any instruction it considers contrary to Applicable Data Protection Law.
4.3 The Controller has the right to issue ongoing written instructions to the Processor regarding the processing of the Data, and the Processor has a corresponding obligation to comply with such documented instructions.
4.4 Any adjustments to the Controller's instructions regarding security and processing shall be communicated to the Processor with reasonable notice. Changes and new instructions take effect no later than thirty (30) days after notification, unless a shorter period is required due to requirements under Applicable Data Protection Law.
4.5 The Processor has the right to withdraw from the engagement if the Controller's instructions cannot reasonably be fulfilled.
5. Roles
Controller: The subscribing organisation that determines the purposes and means of the processing of personal data within the platform.
Processor: VER&IT AB (org. no. 556985-1206), responsible for the processing of personal data in accordance with the Controller's instructions and this DPA.
6. Categories of personal data and data subjects
The following categories of personal data may be processed via the platform:
- Account information: Name, email address, organisational role and authentication credentials
- Activity data: Login history, actions performed within the platform and audit logs
- Controller-generated content: Any personal data that the Controller records in risk assessments, compliance registers, vendor assessments or other modules — the scope and sensitivity of which is determined solely by the Controller
Categories of data subjects:
- Employees and authorised users of the Controller
- Third parties referenced in the Controller's own data (e.g. vendor contacts, auditor contacts)
7. Duration of processing
Personal data is processed for the duration of the contract period. Upon termination, the Data is handled in accordance with Section 15 of this DPA.
8. Security – technical and organisational measures
8.1 The Processor is obliged to implement appropriate technical and organisational measures meeting the requirements of Applicable Data Protection Law, in particular Article 32 of the GDPR, thereby ensuring that the Data is protected against unauthorised access, destruction or alteration. The Controller has the right to be informed of the measures taken upon request.
8.2 The Processor shall maintain a level of security appropriate having regard to the available technology, the cost of implementation, the particular risks of the processing and the sensitivity of the personal data processed. The security level for the Data shall correspond to at least the level the Processor applies to its own data.
Customer isolation
Each customer environment is deployed on a fully isolated database. No data is shared between customers. This architecture ensures that a breach or misconfiguration at one customer cannot affect another.
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256
- Portable devices and removable storage media used for processing the Data shall always have their storage media encrypted
Access control
- Role-based access control within each customer environment
- Administrative access to infrastructure is limited to authorised Securapilot personnel and protected by multi-factor authentication
- User identities and passwords are personal and may not be transferred
- Documented procedures for granting and revoking access rights are in place
- Access is logged and auditable
Logging and traceability
- All user actions within the platform are logged
- Audit logs are tamper-resistant and available to the Controller
- Access logs can be reported back to the Controller upon request
Backups
- The Data is backed up regularly and copies are stored securely and separately
- Procedures for testing the restoration of backups are in place
Data communications
- External data communication connections are protected with technical measures ensuring that connections are authorised
- Data transmitted via data communications outside the Processor's controlled infrastructure is protected with content encryption
Repair and maintenance
Repair and maintenance of equipment used to store the Data carried out by third parties shall be governed by confidentiality agreements. Maintenance personnel are given access only at the time of maintenance, and the Processor ensures that storage media containing the Data is removed if maintenance cannot be carried out under the Processor's supervision.
Secure disposal
When storage media containing the Data is no longer to be used for its purpose, the Data is deleted in a manner that prevents recovery.
Incident management
- Documented incident management procedures are in place
- The Controller is notified of personal data breaches in accordance with Section 13
8.3 The Processor undertakes to ensure that it has the expertise, reliability and resources required to implement the measures set out above, and that the measures are reviewed and updated on a regular basis.
8.4 The Processor shall allow inspections required by the Supervisory Authority and comply with decisions issued by the Supervisory Authority regarding measures to meet security requirements under Applicable Data Protection Law.
9. Data sovereignty and third-country transfers
9.1 All personal data is stored and processed within the European Union, hosted in Sweden. The Processor may under no circumstances transfer the Data outside the EU/EEA without the Controller's prior written approval. This means the Processor may not, without the Controller's consent, process the Data on equipment or using resources located outside the EU/EEA.
9.2 Should the parties agree that the Data is to be transferred to a location outside the EU/EEA, the parties shall ensure that the transfer is permitted under Applicable Data Protection Law and, where necessary, execute the required standard contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914, or take other necessary measures.
9.3 Securapilot's architecture supports configurable AI model selection per customer. The Controller may choose to use Sweden-based AI services (such as Berget AI) to ensure full Swedish data sovereignty. No personal data is sent to AI providers unless the Controller explicitly enables AI features, and the choice of provider is always under the Controller's control.
10. Sub-processors
10.1 The Controller hereby approves the use of the sub-processors already engaged by the Processor as set out in the table below ("Approved Sub-processors").
| Sub-processor | Purpose | Location |
|---|---|---|
| Oderland Webbhotell AB (org. no. 556680-8746) | Infrastructure and hosting | Sweden |
| Berget AI AB (org. no. 559504-7522) | AI-assisted analysis (if enabled by customer) | Sweden |
10.2 The Processor undertakes to inform the Controller of any plans to engage new sub-processors and/or replace existing sub-processors at least forty-five (45) days before such plans are implemented. The Controller has the right to object to the proposal. If the Controller does not respond within 45 days, the Controller is deemed to have accepted the Processor's plan.
10.3 If the Controller objects to a new sub-processor and no resolution can be reached, the Controller has the right to terminate the affected service. An up-to-date list of sub-processors is available upon request.
10.4 Agreements with sub-processors shall be in writing and impose on the sub-processor the same obligations and commitments as this DPA imposes on the Processor. The Processor is responsible for ensuring that engaged sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures.
10.5 Where processing of the Data is planned to be carried out by a sub-processor in a third country, the provisions of Section 9 above shall apply.
10.6 If a sub-processor fails to fulfil its obligations regarding the processing of the Data, the Processor shall remain fully liable to the Controller for the sub-processor's performance of its obligations under this DPA.
11. Processor's personnel
11.1 The Processor undertakes to ensure that relevant personnel at all times comply with this DPA and the instructions given by the Controller, and that personnel are kept informed of the provisions of Applicable Data Protection Law.
11.2 Access to the Data within the Processor's organisation shall be limited to those persons who need it to perform their agreed duties. The Processor shall ensure that such persons are bound by a duty of confidentiality or subject to a statutory obligation of secrecy.
12. Assistance with data subjects' rights
12.1 The Processor assists the Controller in fulfilling obligations regarding data subjects' rights under the GDPR, including:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to data portability (Art. 20)
- Right to restriction of processing (Art. 18)
12.2 The Controller can export and delete user data directly via the platform's administration interface. For requests requiring additional assistance, the Processor will respond within ten (10) working days.
12.3 If a Data Subject, Supervisory Authority or third party contacts the Processor with requests relating to the processing of the Data, the Processor shall refer them to the Controller. The Processor may not disclose the Data or other information about the processing without an explicit instruction from the Controller, unless disclosure is required by law.
12.4 The Processor shall without undue delay inform the Controller of any contacts with the Supervisory Authority that relate to, or may be of significance for, the Processor's processing of the Data. The Processor has no right to represent the Controller or act on its behalf vis-à-vis the Supervisory Authority or Data Subjects.
13. Personal data breach notification
13.1 In the event of a personal data breach, the Processor shall notify the Controller no later than twenty-four (24) hours after the Processor has discovered completed or attempted instances of unauthorised access, destruction or alteration of the Data.
13.2 The notification shall include information about:
- The nature of the breach and the categories and approximate number of Data Subjects and personal data records concerned
- Contact details for the data protection officer or other function at the Processor from which the Controller can obtain further information
- The likely consequences of the breach
- The measures the Processor has already taken or plans to take to address the breach and, where applicable, to mitigate its negative effects
- Any other information the Controller needs to fulfil its reporting obligations to the Supervisory Authority and/or the Data Subjects
13.3 The Processor shall assist the Controller in fulfilling its notification obligations to Supervisory Authorities and Data Subjects.
14. Data protection impact assessments (DPIA)
The Processor provides reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) where required, including by providing information about processing operations, technical measures and data flows within the platform.
15. Retention, deletion and return of data
15.1 The Processor may not retain the Data longer than is necessary for the fulfilment of the purpose, or as otherwise required by Applicable Data Protection Law, this DPA or the Controller's instructions. The Processor shall ensure that technical solutions for automatic retention and deletion are in place, or that manual retention procedures are documented.
15.2 Upon termination of the agreement, the following applies:
- The Controller may export all data via the platform's export function during a transition period of thirty (30) days
- After the transition period, all of the Controller's data — including database content, uploaded files and vector embeddings — is permanently deleted from all systems, including backups, within thirty (30) days
- The Processor provides written confirmation of deletion upon request
15.3 If deletion is not technically feasible, the Processor guarantees that the Data will be anonymised in a manner that prevents re-identification.
15.4 The Processor guarantees that, at the request of the Controller or the Supervisory Authority after termination of this DPA, it will account for all processing of the Data that is occurring or has occurred, including processing carried out by sub-processors.
16. Audits and inspections
16.1 The Controller has the right to audit the Processor's compliance with this DPA and Applicable Data Protection Law, either itself or through an independent third-party auditor. Audits are conducted with reasonable advance notice and subject to confidentiality obligations.
16.2 The Processor shall cooperate in audits and provide access to relevant documentation, systems and personnel. Where possible, the Processor may satisfy audit requests by providing independent third-party audit reports or certifications.
16.3 If the Controller engages a third party to conduct an inspection, the Controller shall ensure that such third party signs an appropriate confidentiality agreement before the inspection is carried out.
16.4 Inspections shall as far as possible be scheduled and conducted in a manner that causes minimum disruption to the parties' ordinary operations. Audits shall be conducted in accordance with the security measures imposed by the Processor, provided these do not prevent or substantially impede the audit.
16.5 If the Controller finds during an audit that the Processor is processing the Data in breach of this DPA or Applicable Data Protection Law, the Processor is obliged to immediately remedy the issue. If remediation does not occur in time and this may cause harm to the Controller, the Controller has the right to terminate this DPA and the service agreement with immediate effect.
16.6 Unless otherwise agreed in a separate written arrangement, each party shall bear its own costs in connection with an audit.
17. Confidentiality
17.1 The Processor undertakes not to disclose the Data or other information about the processing of the Data to third parties without an explicit instruction or prior approval from the Controller, unless disclosure is required by law.
17.2 Each party undertakes not to disclose confidential information that a party has directly or indirectly received during the cooperation with the other party to third parties.
17.3 The parties undertake to comply with applicable rules on trade secrets in force from time to time.
17.4 The Processor shall ensure that persons with access to the Data are bound by a duty of confidentiality or subject to a statutory obligation of secrecy, and are informed of how they may process the Data. Sub-processors engaged in accordance with Section 10 shall have corresponding confidentiality obligations.
17.5 The confidentiality obligations in this section shall survive termination of this DPA.
18. Remuneration
The Processor is not entitled to any remuneration for the commitments and obligations arising from this DPA unless such remuneration has been expressly agreed in writing between the parties in advance. The same applies if the Controller issues changed or new instructions.
19. Liability
19.1 If a party (including persons acting under a party's direction or sub-processors engaged by a party) acts in breach of this DPA or Applicable Data Protection Law, that party shall indemnify the other party for any resulting damage. This shall not apply if the defaulting party can demonstrate that it is not in any way responsible for the event or omission that caused the damage.
19.2 Under no circumstances shall a party be liable for indirect damages, such as loss of profit, loss of income, loss of data, inability to fulfil obligations to third parties, liability to third parties or other consequential losses. This limitation of liability shall not apply in cases of gross negligence or wilful misconduct.
19.3 The parties' liability towards third parties shall be governed in accordance with Article 82 of the GDPR. The party that has paid full compensation for damage caused to a third party has the right to recover from the other party, where that party was involved in the same processing, the portion of the compensation corresponding to that party's share of the liability.
19.4 Liability for breaches of this DPA is otherwise governed by the terms of the service agreement between the parties.
20. Amendments
20.1 The Controller may amend the content of this DPA to the extent necessary to meet requirements under Applicable Data Protection Law. Such amendment takes effect thirty (30) days after the notification of the amendment has reached the Processor. If the Processor does not accept such amendment, the Controller has the right to terminate the service agreement with immediate effect.
20.2 All other amendments and additions to this DPA must, to be binding, be made in writing and approved by both parties.
21. Term and termination
21.1 This DPA is in force from the time it is entered into and for as long as the Processor processes the Data on behalf of the Controller.
21.2 Upon termination of this DPA, the Processor and any sub-processors shall, depending on the Controller's instructions, either return all the Data and copies thereof to the Controller, or delete all the Data and certify to the Controller that this has been done. The measures shall be carried out in accordance with Section 15.
21.3 The confidentiality provisions of Section 17 shall survive termination of this DPA.
22. Assignment
Neither party may assign this DPA or transfer, in whole or in part, its obligations or rights under this DPA to a third party without the other party's written approval.
23. Notices
23.1 All notices and other communications under this DPA shall be in writing and delivered by email, courier or registered post to the parties' designated contact persons as set out in Section 1.
23.2 A notice shall be deemed to have reached the recipient:
- When sent by email: at the time of sending, provided no negative acknowledgement is received
- When delivered by courier: at the time of delivery
- When sent by registered post: on the third (3rd) working day after posting
23.3 Each party is responsible for keeping its contact details up to date.
24. Governing law and dispute resolution
24.1 Swedish law shall apply to this DPA including all processing of the Data under this DPA.
24.2 Disputes arising in connection with this DPA shall be resolved in accordance with the dispute resolution mechanism set out in the service agreement.
Contact
Questions about this DPA or data protection can be directed to: