Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into by and between:

(1) MEFERI Technologies Co., Ltd., a company incorporated under the laws of China, with its registered office at 5F, A5, Tianfu Software Park, No. 1129, Century City Road, High-tech Zone, 610000, Chengdu, Sichuan, P.R. China (“MEFERI”, “Processor”, “We”, “Us”, or “Our”); and

(2) The Customer (“Customer”, “Controller”, or “You”), the legal entity that has subscribed to or uses MEFERI’s Services as defined below and has agreed to MEFERI’s main terms of service or other master agreement (“Main Agreement”).

This DPA forms an integral part of the Main Agreement and reflects the parties’ agreement with regard to the Processing of Personal Data by MEFERI on behalf of the Customer in connection with the Services.

By accepting the Main Agreement, or by accessing or using the Services after this DPA has been made available, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of its authorized Users.

If there is any conflict between this DPA and the Main Agreement, this DPA shall prevail to the extent of such conflict in relation to the Processing of Personal Data.

1. DEFINITIONS

1.1. “Main Agreement” means the primary written agreement (which may be titled as Terms of Service, General Terms of Service, Master Services Agreement, Service Contract, Subscription Agreement, or similar) entered into between Customer and MEFERI (or a Contracting MEFERI Affiliate as per Section 18.4) for the provision of the Services, including any specific service plan terms (such as “MeCare (Plan Name): General Terms of Service”) and any order forms or statements of work executed thereunder. This DPA forms an integral part of such Main Agreement.

1.2. “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including but not limited to the GDPR and any national implementing laws, regulations, and secondary legislation, as amended or updated from time to time.

1.3. “Controller” has the meaning set out in Article 4(7) of the GDPR. For the purposes of this DPA, Customer is the Controller.

1.4. “Data Subject” has the meaning set out in Article 4(1) of the GDPR.

1.5. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.6. “Personal Data” has the meaning set out in Article 4(1) of the GDPR, and is limited to the Personal Data Processed by MEFERI on behalf of Customer in the provision of the Services as further described in Appendix 1.

1.7. “Personal Data Breach” has the meaning set out in Article 4(12) of the GDPR, specifically a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by MEFERI.

1.8. “Processing” has the meaning set out in Article 4(2) of the GDPR. “Process” and “Processed” shall be interpreted accordingly.

1.9. “Processor” means MEFERI Technologies Co., Ltd., (MEFERI) or, where applicable as per Section 18.4 of this DPA, the Contracting MEFERI Affiliate party to the Main Agreement with Customer.

1.10. “Services” means the products and services provided by MEFERI to Customer under the Main Agreement, specifically including but not limited to MEFERI’s Shadowalk MDM/EMM Cloud Solution, cloud-hosted components of the CIAO Intelligent Shopper Assistant (ISA) solution where MEFERI acts as a processor, and any associated support services (including but not limited to services provided under a MEFERI MeCare service contract) where MEFERI Processes Customer Personal Data. For clarity, Services do not include on-premise deployments of MEFERI software where ongoing Processing of Personal Data is performed solely within Customer’s environment, except where MEFERI accesses such systems for support under Customer’s instruction.

1.11. “Sub-processor” means any third party engaged by MEFERI to Process Personal Data on behalf of Customer in connection with the Services.

1.12. “Technical and Organizational Measures” or “TOMs” means the security measures implemented by MEFERI to protect Personal Data, as further described in Appendix 2.

1.13. “Third-Party Partner Solutions” means software or services provided by third parties that may be integrated with or used in conjunction with MEFERI’s hardware or Services, such as payment solutions (e.g., WorldLine “Tap on Mobile”) or retail self-scanning software (e.g., 4MAX “Scan & Go”), where Customer may have a direct contractual relationship with such third party.

2. ROLES AND RESPONSIBILITIES

2.1. Parties’ Roles: Customer is the Controller and MEFERI is the Processor of Customer Personal Data. Each party will comply with its respective obligations under Applicable Data Protection Law.

2.2. Customer’s Obligations as Controller: Customer represents and warrants that:

a. It has complied, and will continue to comply, with all applicable provisions of Applicable Data Protection Law in respect of its Processing of Personal Data and any processing instructions it issues to MEFERI;

b. It has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data, including obtaining all necessary consents, providing all necessary notices, and having a valid legal basis for the Processing of Personal Data by MEFERI in accordance with this DPA and the Main Agreement; and

c. Its instructions to MEFERI for the Processing of Personal Data shall comply with Applicable Data Protection Law.

2.3. MEFERI’s Obligations as Processor: MEFERI shall:

a. Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which MEFERI is subject; in such a case, MEFERI shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR). The Main Agreement and this DPA constitute Customer’s documented instructions to MEFERI to Process Personal Data.

b. Immediately inform Customer if, in MEFERI’s opinion, an instruction infringes Applicable Data Protection Law (Article 28(3) GDPR).

3. DETAILS OF PROCESSING

3.1. The subject-matter of the Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Appendix 1 (Details of Processing) to this DPA.

4. CONFIDENTIALITY

4.1. MEFERI shall ensure that its personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).

5. SECURITY OF PROCESSING

5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, MEFERI shall implement and maintain appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, as described in Appendix 2 (Technical and Organizational Measures) (Article 28(3)(c) and Article 32 GDPR).

5.2. MEFERI may update or modify the TOMs from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services.

6. SUB-PROCESSING

6.1. General Authorization: Customer grants MEFERI general written authorization to engage Sub-processors to Process Personal Data on Customer’s behalf in connection with the provision of the Services (Article 28(2) GDPR).

6.2. Current Sub-processors and Notification of New Sub-processors: MEFERI shall maintain a list of its current Sub-processors, which shall be made available to Customer upon request or via a designated webpage (see Appendix 3). MEFERI shall inform Customer of any intended changes concerning the addition or replacement of other Sub-processors at least thirty (30) calendar days in advance, thereby giving Customer the opportunity to object to such changes.

6.3. Objection to New Sub-processors: If Customer has a reasonable basis to object to MEFERI’s use of a new Sub-processor, Customer shall notify MEFERI promptly in writing within ten (10) business days after receipt of MEFERI’s notice. In the event Customer objects, MEFERI will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If MEFERI is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) calendar days, Customer may terminate the applicable part of the Services which cannot be provided by MEFERI without the use of the objected-to new Sub-processor by providing written notice to MEFERI.

6.4. Sub-processor Obligations: MEFERI shall ensure that any Sub-processor it engages is subject to a written contract or other legal act under Union or Member State law imposing data protection obligations that are at least equivalent to those imposed on MEFERI under this DPA, particularly providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Law (Article 28(4) GDPR).

6.5. Liability: MEFERI shall remain fully liable to Customer for the performance of its Sub-processors’ data protection obligations.

7. DATA SUBJECT RIGHTS

7.1. Taking into account the nature of the Processing, MEFERI shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR (e.g., right of access, rectification, erasure, etc.) (Article 28(3)(e) GDPR).

7.2. If MEFERI receives a request directly from a Data Subject relating to Customer Personal Data, MEFERI shall promptly notify Customer of such request and shall not respond to the Data Subject, except to confirm that the request relates to the Customer. Customer shall be responsible for responding to all such Data Subject requests.

8. ASSISTANCE TO THE CONTROLLER

8.1. Taking into account the nature of Processing and the information available to MEFERI, MEFERI shall provide reasonable assistance to Customer in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Personal Data Breach notification to the supervisory authority, communication of a Personal Data Breach to the Data Subject, Data Protection Impact Assessment, and prior consultation with the supervisory authority) (Article 28(3)(f) GDPR).

9. PERSONAL DATA BREACH NOTIFICATION

9.1. Notification to Customer:

MEFERI shall notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data (Article 28(3)(f) and Article 33(2) GDPR).

9.2. Such notification shall, to the extent possible, describe:

a. The nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

b. The name and contact details of MEFERI’s Data Protection Officer or other contact point where more information can be obtained;

c. The likely consequences of the Personal Data Breach; and

d. The measures taken or proposed to be taken by MEFERI to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3. Where, and in so far as, it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.

9.4. Customer is solely responsible for complying with its own data breach notification obligations under Applicable Data Protection Law. MEFERI’s notification of or response to a Personal Data Breach under this Section 9 will not be construed as an acknowledgement by MEFERI of any fault or liability with respect to the Personal Data Breach.

10. DELETION OR RETURN OF DATA

10.1. At the choice of Customer, MEFERI shall delete or return all Personal Data to Customer after the end of the provision of Services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Article 28(3)(g) GDPR). The specific retention and deletion timelines will be as set forth in the Main Agreement or as otherwise agreed.

11. AUDITS AND INSPECTIONS

11.1. MEFERI shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (Article 28(3)(h) GDPR).

11.2. Such audits shall be conducted during MEFERI’s normal business hours, subject to reasonable prior written notice not less than thirty (30) calendar days, and shall not unreasonably interfere with MEFERI’s business activities. Customer and MEFERI shall mutually agree on the scope, timing, and duration of the audit.

11.3. Customer shall ensure that any auditor acts under a written confidentiality agreement. Customer shall bear its own costs and any costs of its mandated auditor. If the audit reveals a material breach of this DPA by MEFERI, MEFERI shall bear the reasonable costs of the audit, up to a mutually agreed cap.

11.4. To the extent permitted by law, MEFERI may satisfy its audit obligations by providing Customer with relevant certifications from an independent third-party auditor (e.g., ISO 27001, SOC 2 Type II), or summaries thereof, subject to appropriate confidentiality obligations.

12. INTERNATIONAL DATA TRANSFERS

12.1. MEFERI shall not transfer Personal Data to any country outside the European Economic Area (EEA) or a country deemed adequate by the European Commission under Article 45 of the GDPR without ensuring that appropriate safeguards are in place as required by Chapter V of the GDPR (e.g., by entering into Standard Contractual Clauses as approved by the European Commission).

12.2. The primary data processing locations for the Services, specifically where Customer Personal Data is hosted by MEFERI on its main cloud infrastructure, will be within the European Economic Area (EEA), utilizing the Amazon Web Services (AWS) region eu-west-3 (Paris, France). Further details on sub-processors, including cloud infrastructure providers and their locations, are provided in Appendix 3.

12.3. If MEFERI engages in a transfer of Personal Data to a Sub-processor in a third country (i.e., a country outside the EEA that has not been deemed adequate by the European Commission), MEFERI shall ensure that such transfer is covered by an appropriate transfer mechanism under Chapter V of the GDPR, such as the Standard Contractual Clauses. This includes transfers that may occur if MEFERI utilizes services from a Sub-processor whose infrastructure or support personnel are located in such third countries, even if the primary processing location specified in Section 12.2 is within the EEA.

13. MEFERI’S USE OF THIRD-PARTY PARTNER SOLUTIONS

13.1. Customer acknowledges that MEFERI’s hardware or Services may be used in conjunction with Third-Party Partner Solutions (e.g., payment processing solutions on CIAO devices, specific retail management software).

13.2. Where Customer elects to use such Third-Party Partner Solutions, Customer may enter into a direct contractual relationship with the providers of such solutions. In such cases, the third-party provider may act as a Controller or Processor for the Personal Data they handle in connection with their services, as determined by Customer’s agreement with that third party.

13.3. This DPA governs only the Processing of Personal Data by MEFERI as a Processor for Customer. It does not apply to Processing activities conducted by providers of Third-Party Partner Solutions where Customer has a direct relationship with such providers, unless such a provider is acting as a Sub-processor to MEFERI under Section 6 of this DPA.

14. LIABILITY AND INDEMNITY

14.1. The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Main Agreement.

14.2. Customer shall indemnify and hold MEFERI harmless against all claims, actions, third-party claims, losses, damages, and expenses (including reasonable legal fees) incurred by MEFERI arising from any breach by Customer of its obligations under this DPA or Applicable Data Protection Law.

15. TERM AND TERMINATION

15.1. This DPA shall commence on the effective date of the Main Agreement and shall remain in effect until the termination or expiry of the Main Agreement, or until MEFERI ceases to Process Personal Data on behalf of Customer, whichever is later.

15.2. Obligations of confidentiality, deletion/return of data, and any provisions which by their nature should survive termination, shall survive termination or expiry of this DPA.

16. CHANGES TO THIS DPA

16.1. MEFERI may amend this DPA from time to time by posting the amended version on its website or by otherwise notifying Customer.

16.2. If MEFERI makes a material change to this DPA, MEFERI will provide Customer with reasonable notice of the change (e.g., via email to the Customer’s designated contact or a notification within the Services). Customer’s continued use of the Services after such notice period will constitute acceptance of the amended DPA. If Customer objects to a material change, Customer may terminate the Main Agreement in accordance with its terms.

17. GOVERNING LAW AND DISPUTE RESOLUTION

17.1. Governing Law: This DPA shall be governed by and construed in accordance with the laws stipulated as the governing law in the Main Agreement entered into between the Customer and the MEFERI entity party to such Main Agreement (“Contracting MEFERI Entity”).

17.2. Dispute Resolution:

a. The Parties shall endeavor to resolve any dispute, controversy, or claim arising out of or relating to this DPA, its interpretation, validity, breach, or termination (“Dispute”) amicably through good faith negotiations between their authorized representatives.

b. If a Dispute cannot be resolved through negotiation within thirty (30) calendar days of a Party’s written notice initiating negotiations, such Dispute shall be resolved in accordance with the dispute resolution mechanism (e.g., arbitration or court proceedings) and venue as specified in the Main Agreement.

c. In the event the Main Agreement provides for arbitration:

i. Such arbitration shall be the primary mechanism for resolving Disputes under this DPA.

ii. Unless otherwise specified in the Main Agreement, or if the Main Agreement is silent on the specifics of arbitration for matters related to this DPA, the Parties agree that any such Dispute may be submitted to arbitration administered by a mutually agreed internationally recognized arbitration institution (such as the Shenzhen Court of International Arbitration (SCIA), the Singapore International Arbitration Centre (SIAC), or the Hong Kong International Arbitration Centre (HKIAC), or an appropriate institution within the European Union if the Contracting MEFERI Entity is an EU-based affiliate).

iii. The arbitration shall be conducted in English. The seat or legal place of arbitration shall be as specified in the Main Agreement or, if not specified or if a different location is mutually agreed for a specific Dispute, a location chosen by mutual agreement of the Parties, or failing such agreement within a reasonable period, by the Contracting MEFERI Entity.

iv. The arbitration award shall be final and binding on both Parties, subject to any rights of appeal permitted by the laws of the seat of arbitration for procedural unfairness or lack of jurisdiction.

d. If the Main Agreement specifies court litigation, the courts specified therein shall have jurisdiction, subject to Section 17.3 below.

17.3. Mandatory Data Protection Law Considerations:

a. Notwithstanding any other provision in this DPA or the Main Agreement, where Applicable Data Protection Law (including, but not limited to, the GDPR) grants a Data Subject mandatory rights to bring proceedings before the courts of their habitual residence or place of work, or the place where an alleged infringement occurred, or to lodge a complaint with a supervisory authority, such rights shall not be prejudiced by the terms of this DPA.

b. Where the GDPR applies, MEFERI and Customer will ensure that any choice of governing law or jurisdiction does not prevent Data Subjects from benefiting from any mandatory provisions of the law of the European Union Member State in which they reside.

17.4. Continued Performance: Pending the resolution of a Dispute, the Parties shall continue to perform their respective obligations under this DPA to the extent practicable, unless the DPA or the Main Agreement is terminated.

18. CONTACT INFORMATION / DATA PROTECTION

18.1. Processor: MEFERI Technologies Co., Ltd.

Address: 5F, A5, Tianfu Software Park, No. 1129, Century City Road, High-tech Zone, 610000, Chengdu, Sichuan, P.R. China

– Email for data protection inquiries: legal@meferi.com

18.2. Data Protection Enquiries and DPO (for MEFERI Technologies Co., Ltd.): All inquiries related to data protection under this DPA should be directed to the email address specified for MEFERI Technologies Co., Ltd. in Section 18.1 above.

18.3. EU Representative for MEFERI Technologies Co., Ltd. (pursuant to Article 27 GDPR):

Name of EU Representative: MEFERI Poland Sp. z o.o.

Address: Ul. Modelarska 18/2, 40-142 Katowice, Poland

Email for EU data protection inquiries (for Data Subjects and Supervisory Authorities in the EU concerning processing by MEFERI Technologies Co., Ltd.): poland@meferi.com

18.4. Processing by MEFERI Affiliates: Where Customer enters into a Main Agreement with an affiliate of MEFERI Technologies Co., Ltd. (e.g., MEFERI Poland Sp. z o.o.) (“Contracting MEFERI Affiliate”), and such Contracting MEFERI Affiliate acts as the Processor for Personal Data under that Main Agreement:

a) This DPA shall apply to the processing activities performed by the Contracting MEFERI Affiliate, and all references to “MEFERI” or “Processor” herein shall be deemed to refer to such Contracting MEFERI Affiliate.

b) The contact information for data protection inquiries related to processing by such Contracting MEFERI Affiliate shall be as specified in the Main Agreement or as otherwise communicated by the Contracting MEFERI Affiliate to the Customer. For MEFERI Poland Sp. z o.o., the contact details are:

Address: Ul. Modelarska 18/2, 40-142 Katowice, Poland

Email: poland@meferi.com

Phone: +48 734-143-579

c) The governing law and dispute resolution for this DPA in such cases shall be determined by the Main Agreement with the Contracting MEFERI Affiliate.

19. ENTIRE AGREEMENT

19.1. This DPA, including its Appendices, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter.

IN WITNESS WHEREOF, the parties acknowledge their agreement to this Data Processing Agreement as of the Effective Date of the Main Agreement or Customer’s use of the Services.



APPENDIX 1

DETAILS OF PROCESSING

This Appendix 1 forms part of the DPA and describes the Processing of Personal Data by MEFERI on behalf of Customer.

A. LIST OF PARTIES

Controller(s) / Customer(s):

The legal entity that has entered into the Main Agreement with MEFERI for the provision of the Services. The Customer determines the purposes and means of the Processing of Personal Data.

Processor(s) / MEFERI:

MEFERI Technologies Co., Ltd., or, where applicable as per Section 18.4 of this DPA, the Contracting MEFERI Affiliate party to the Main Agreement with Customer, providing the Services to the Customer.

B. DESCRIPTION OF PROCESSING

1. Subject-matter of the Processing:

The Processing of Personal Data in the context of providing, maintaining, supporting, and improving the MEFERI Services subscribed to by the Customer under the Main Agreement, including but not limited to MEFERI Shadowalk MDM/EMM Cloud Solution and cloud-hosted components of the CIAO Intelligent Shopper Assistant (ISA) solution.

2. Duration of the Processing:

For the term of the Main Agreement between MEFERI and Customer, and until all Personal Data is deleted or returned in accordance with Section 10 of the DPA.

3. Nature and Purpose of the Processing:

– For MEFERI Shadowalk MDM/EMM Cloud Solution: To enable Customer to remotely manage, secure, monitor, and support its fleet of mobile devices. This includes device provisioning, configuration management, application management, security policy enforcement, device tracking (if enabled by Customer), remote diagnostics, and generating reports on device status and usage for the Customer.

– For MEFERI CIAO ISA Cloud Components (where MEFERI is Processor): To facilitate the operation of the intelligent shopper assistant solution for the Customer (retailer). This may include user authentication, management of shopping lists, processing of product information, customer interaction data (for analytics provided to the retailer), and enabling integrations with third-party services as directed by the Customer.

– For MEFERI MeCare Services (where MEFERI acts as Processor): To provide contracted support, maintenance, repair, monitoring, and device management services as described in the applicable “MeCare (Plan Name): General Terms of Service” and the MeCare Support Services Guide, which may involve accessing, collecting, or otherwise Processing Personal Data stored on or transmitted by Customer’s devices, or provided by Customer in the course of service delivery.

– For Support Services: To provide technical support, troubleshooting, maintenance, and updates for the Services, which may involve accessing Personal Data processed within the Services or on Customer’s systems upon Customer’s request and instruction.

– To comply with Customer’s documented instructions as set out in this DPA and the Main Agreement.

– To comply with applicable legal obligations.

4. Categories of Data Subjects:

– Customer’s employees, contractors, and authorized users: Individuals who administer or use the Services on behalf of the Customer (e.g., IT administrators using Shadowalk, retail staff managing or using CIAO).

– End-users of Customer’s managed devices (for Shadowalk): Individuals (e.g., Customer’s employees) using mobile computers or other devices managed by the Customer through the Shadowalk solution.

– Customer’s customers (shoppers) (for CIAO, if MEFERI processes their Personal Data in a cloud backend on behalf of the retailer Customer): Individuals using the CIAO ISA devices in the retailer’s store.

5. Types of Personal Data Processed:

The specific types of Personal Data Processed will depend on the Services used by the Customer and how Customer configures and uses those Services. Personal Data may include:

– User Account and Contact Information: Name, email address, username, passwords, phone number, job title, department, employee ID, role/permissions within the Services (if applicable for service administration by Customer).

– Device Information (for Shadowalk): Device identifiers (e.g., serial number, IMEI, MAC address, UDID), device model, operating system version, IP address, network information, device configuration settings, installed applications, device location data (if enabled by Customer).

– Usage and Log Data (for Shadowalk & CIAO cloud): System logs, audit trails, activity logs, performance data, diagnostic data related to the use of the Services.

– Shopper Data (for CIAO, if applicable): Shopper account details (e.g., loyalty ID, email if provided by shopper for registration through retailer’s app on CIAO), shopping lists, product scan history, interaction data with the CIAO device.

– Support Data: Information provided by Customer during support interactions, including contact details, description of issues, system configuration details, and any Personal Data contained within logs or files shared with MEFERI for troubleshooting.

– Any other Personal Data that Customer (or its authorized users or Data Subjects) chooses to submit to the Services.

6. Special Categories of Personal Data (if any):

MEFERI does not intend to Process any Special Categories of Personal Data (as defined in Article 9 GDPR) on behalf of Customer. Customer shall not upload, provide, or instruct MEFERI to Process any Special Categories of Personal Data unless explicitly agreed in writing with MEFERI and subject to appropriate safeguards. If Customer does provide such data without prior agreement, Customer is solely responsible for ensuring a valid legal basis for such Processing.



APPENDIX 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (TOMS)

This Appendix 2 describes the Technical and Organizational Measures implemented by MEFERI to ensure an appropriate level of security for the Processing of Personal Data. MEFERI may update these measures from time to time, provided that such updates do not materially degrade the overall security of the Services.

1. Information Security Policies and Governance:

a. MEFERI maintains internal policies and procedures designed to protect Personal Data.

b. Responsibilities for information security are defined and allocated.

c. Regular risk assessments are conducted to identify and mitigate threats to Personal Data.

2. Personnel Security:

a. Employees and contractors with access to Personal Data are subject to confidentiality obligations.

b. Security awareness training is provided to relevant personnel regarding their data protection and security responsibilities.

c. Background checks may be conducted for personnel in sensitive roles, where permitted by applicable law.

3. Physical Access Control:

a. Measures are in place to prevent unauthorized physical access to MEFERI’s premises and facilities where Personal Data may be Processed (e.g., offices).

b. This includes security perimeters, access control systems, surveillance, and logging of physical access where appropriate.

c. For data centers used by MEFERI for the Services (i.e., those of its primary cloud service provider, Amazon Web Services – AWS), MEFERI relies on the robust physical security measures implemented by AWS.

4. System Access Control (Logical Access):

a. Access to IT systems Processing Personal Data is restricted to authorized personnel.

b. Unique user IDs and strong authentication mechanisms (e.g., complex passwords, multi-factor authentication where appropriate and feasible) are used.

c. Access rights are granted based on the principle of least privilege (role-based access control).

d. Regular reviews of access rights are conducted.

e. Secure protocols are used for remote access.

5. Data Access Control:

a. Measures are in place to ensure that persons authorized to use a data-processing system can access only the Personal Data to which their access right refers, in accordance with their assigned roles and responsibilities.

b. Personal Data is not read, copied, modified, or removed without authorization during Processing, use, and after storage, except as necessary for the provision of the Services or as instructed by the Customer.

c. Segregation of duties and data is implemented where appropriate.

6. Transmission Control:

a. Personal Data is protected against unauthorized reading, copying, modification, or removal during electronic transmission or transport.

b. Encryption technologies (e.g., Transport Layer Security – TLS/Secure Sockets Layer – SSL for data in transit) are used to protect Personal Data transmitted over public networks.

c. Secure methods are used for the transfer of physical media containing Personal Data, if any such transfers occur.

7. Input Control:

a. Measures are implemented to ensure that it can be subsequently checked and established whether and by whom Personal Data have been entered into, modified in, or removed from data-processing systems (e.g., through audit logs).

b. Logging and auditing capabilities are implemented for critical system activities related to the Processing of Personal Data.

8. Data Backup and Recovery:

a. Regular backups of Personal Data Processed within the Services are performed to ensure data availability and integrity.

b. Backup and recovery procedures are defined and tested periodically.

c. Backups are stored securely.

9. Availability Control and Resilience:

a. Systems are designed and configured to ensure the availability of Personal Data and the resilience of processing systems and services.

b. This includes measures such as redundancy, fault tolerance, and disaster recovery capabilities, primarily leveraging the infrastructure of MEFERI’s main cloud service provider (Amazon Web Services – AWS).

10. Data Segregation:

a. Customer Personal Data is logically segregated from the data of other MEFERI customers within the Services.

11. Secure Software Development (for MEFERI’s cloud platforms):

a. Secure coding practices and principles are incorporated into MEFERI’s software development lifecycle for its cloud platforms.

b. Security testing (e.g., vulnerability scanning, penetration testing) is conducted as appropriate for the Services.

c. Procedures for identifying, assessing, and remediating vulnerabilities in MEFERI’s software are in place.

12. Incident Management:

a. MEFERI maintains an incident response plan and procedures for detecting, responding to, and recovering from security incidents, including Personal Data Breaches.

b. Incidents are investigated, documented, and appropriate remedial actions are taken.

c. Communication plans are established for internal and external notifications as required by Applicable Data Protection Law and this DPA.

13. Sub-processor Management:

a. Due diligence is performed before engaging Sub-processors to ensure they can provide an adequate level of data protection.

b. Contractual agreements are in place with Sub-processors imposing data protection obligations that are at least equivalent to those imposed on MEFERI under this DPA.

14. Monitoring and Logging:

a. Systems processing Personal Data are monitored for security events and anomalies, where appropriate and feasible.

b. Relevant logs are collected and reviewed as necessary to detect, investigate, and respond to security incidents.

15. Encryption:

a. Encryption of Personal Data at rest is implemented where appropriate and technically feasible (e.g., for database storage containing sensitive Personal Data).

b. Encryption of Personal Data in transit over public networks is implemented using industry-standard protocols (e.g., TLS).

*(Customer acknowledges that the Security Measures are subject to technical progress and development and that MEFERI may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.)*



APPENDIX 3

SUB-PROCESSORS

Customer provides general authorization to MEFERI to use the categories of Sub-processors listed below. MEFERI will maintain an up-to-date list of its specific Sub-processors, which will be made available to Customer by publishing it on a designated webpage on MEFERI’s website (https://meferi.com/en/us/legal/subprocessors) and will provide this list to Customer upon written request to MEFERI’s Data Protection contact (e.g., legal@meferi.com).

Categories of Sub-processors and Purpose:

1. Cloud Infrastructure Providers:

– Sub-processor & Specifics for Main Hosting of Services provided to Customer under the Main Agreement:

– Entity: Amazon Web Services EMEA SARL (or the relevant AWS contracting entity for services provided in the EEA).

– Purpose: To provide underlying cloud computing infrastructure (servers, storage, networking, databases) for hosting MEFERI’s Services (e.g., Shadowalk Cloud, CIAO Cloud backend) provided to Customer under the Main Agreement.

– Location of Processing for Customer Personal Data (Primary Hosting): The primary AWS region for processing Customer Personal Data under this DPA is eu-west-3 (Paris, France) within the European Economic Area (EEA).

– Data Transfer Safeguards: AWS provides a Data Processing Addendum (DPA) that includes Standard Contractual Clauses (SCCs) to govern transfers of personal data, which applies if any data is processed by AWS in or transferred by AWS to locations outside the EEA that are not covered by an adequacy decision. Customer can review AWS’s Data Processing Addendum at https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf and information on AWS GDPR compliance at https://aws.amazon.com/compliance/gdpr-center/

– Note on CDNs (if applicable): If MEFERI utilizes AWS CloudFront or similar content delivery network (CDN) services for performance enhancement of the Services, copies of certain data (typically static assets or cached content, which may or may not include Personal Data depending on configuration) may be temporarily cached at AWS edge locations globally. However, the authoritative storage and primary processing of Customer Personal Data for the Services will remain in the AWS region specified above (eu-west-3). MEFERI will ensure that any Customer Personal Data distributed via CDN is handled in accordance with GDPR requirements.

– Other Cloud Infrastructure Providers for Services provided to Customer under the Main Agreement:

– At present, MEFERI does not utilize other third-party cloud infrastructure providers for the primary hosting or direct provision of the Services defined in the Main Agreement, beyond what is described above.

2. Communication Service Providers:

– Purpose: To facilitate essential communications to Customer or its authorized users in connection with the provision and use of the Services (e.g., email delivery for service notifications, password resets, security alerts, and SMS delivery for critical alerts or two-factor authentication codes).

– Specific Sub-processors Used:

– For Email Communications:

– Entity: Amazon Web Services EMEA SARL (utilizing Amazon Simple Email Service – SES).

– Specific Purpose for MEFERI: For sending transactional and service-related email notifications to Customer’s authorized users (e.g., account alerts, password resets, service updates, critical security information) in connection with the Services.

– Location of Processing: Email sending infrastructure is primarily located within the AWS regions MEFERI utilizes for its Services (e.g., configured to send from an EEA region like eu-west-1 Ireland or eu-west-3 Paris where feasible). The processing of any Personal Data (such as email addresses and email content) via SES is governed by the AWS Data Processing Addendum.

– Data Transfer Safeguards: Covered by the Amazon Web Services Data Processing Addendum, which includes Standard Contractual Clauses. Available at: https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf.

– For SMS Communications:

– Entity: Twilio Inc.

– Specific Purpose for MEFERI: For sending SMS notifications to Customer’s authorized users as part of the Services, such as for critical alerts or delivery of two-factor authentication (2FA) codes, if such features are enabled and used by Customer.

– Nature of Data Processed: Typically includes phone numbers of Customer’s authorized users and the content of the SMS messages (e.g., authentication codes, alert text).

– Location of Processing: Primarily USA.

– Data Transfer Safeguards: Transfers of Personal Data are governed by Twilio’s Data Processing Addendum, which incorporates Standard Contractual Clauses (SCCs). Customer can review Twilio’s DPA at: https://www.twilio.com/legal/data-protection-addendum.

– Other Communication Service Providers:

– At present, MEFERI does not utilize other third-party communication service providers for processing Customer Personal Data under this DPA beyond what is described above for email and SMS. If specific features requiring other types of communication services are introduced and opted into by Customer, MEFERI will update this list and notify Customer in accordance with Section 6.2 of this DPA.

3. Analytics and Service Performance Monitoring Providers:

– Purpose: To monitor the performance, identify errors, and analyze usage patterns of MEFERI’s Services (e.g., Shadowalk Cloud, CIAO Cloud backend) to maintain and improve service stability, functionality, and user experience. Data processed by these providers for MEFERI’s Services is typically pseudonymized, aggregated, or consists of technical/operational data. MEFERI does not use these providers to analyze the specific content of Customer Personal Data within the Services unless explicitly instructed or agreed with Customer for support or troubleshooting purposes.

– Specific Sub-processors Used:

– Entity: Functional Software, Inc. (doing business as Sentry).

– Specific Purpose for MEFERI: For real-time error tracking, diagnostics, and performance monitoring within MEFERI’s cloud-based Services (Shadowalk Cloud, CIAO Cloud backend) to help identify and resolve technical issues.

– Nature of Data Processed: Typically includes error messages, stack traces, device/browser information, IP addresses (which MEFERI may configure to be anonymized or not stored where feasible within Sentry’s capabilities), and other operational metadata related to service events. MEFERI configures its integration with Sentry to minimize the capture of Customer Personal Data.

– Location of Processing: Primarily USA.

– Data Transfer Safeguards: Transfers are governed by Sentry’s Data Processing Addendum, which incorporates Standard Contractual Clauses. Available at: https://sentry.io/legal/dpa/

– Website and Portal Analytics (MEFERI as Controller):

– For analytics related to MEFERI’s corporate website (e.g., meferi.com) and other MEFERI-owned public portals where MEFERI acts as the Data Controller, details of analytics providers (such as Google Analytics) and data processing are described in MEFERI’s general Privacy Policy. These providers are not listed here as sub-processors under this DPA unless they also process Customer Personal Data on MEFERI’s behalf in the context of the Services provided to Customer.

4. Support and Customer Service Tools:

– Purpose: To manage customer support inquiries, provide helpdesk services, and facilitate communication related to support for MEFERI’s Services.

– Specific Tools Used:

– MEFERI utilizes its proprietary customer support portal and ticketing system, accessible at support.meferi.com. This system is developed and maintained by MEFERI and is hosted on MEFERI’s cloud infrastructure provided by Amazon Web Services (AWS), as detailed in Section 1 (“Cloud Infrastructure Providers”) of this Appendix.

– Personal Data submitted by Customer’s authorized users through this support portal (e.g., contact details, inquiry content) is processed within this MEFERI-operated system.

– MEFERI does not currently utilize third-party Software-as-a-Service (SaaS) providers for its customer support platform where Customer Personal Data under this DPA is processed.

– Data Processing and User Consent on Support Portal:

– Users accessing support.meferi.com are subject to the terms of MEFERI’s Privacy Policy and any applicable User Agreement for the support portal, which govern MEFERI’s collection and use of Personal Data submitted directly by users to the portal.

– Future Engagement of Third-Party Providers:

– If MEFERI chooses to engage third-party support or customer service tool providers in the future for processing Customer Personal Data, this list will be updated, and Customer will be notified in accordance with Section 6.2 of this DPA.

5. Technical Sub-contractors (e.g., for specialized development, maintenance, or security testing):

– At present, MEFERI performs specialized technical services, software development, system maintenance, and security testing for its Services (such as MEFERI Shadowalk MDM/EMM Cloud Solution and cloud-hosted components of the CIAO Intelligent Shopper Assistant (ISA) solution) primarily using its in-house personnel.

– MEFERI does not currently engage third-party technical sub-contractors in a capacity that would require them to Process Customer Personal Data on MEFERI’s behalf under this DPA.

– Should MEFERI decide in the future to engage such technical sub-contractors who will Process Customer Personal Data, MEFERI will update this list of Sub-processors and notify Customer in accordance with Section 6.2 of this DPA, ensuring that any such engagement complies with the requirements for sub-processing set forth in this DPA, including the implementation of appropriate data transfer safeguards where necessary.

6. Authorized Repair Service Centers and Logistics Providers:

– Purpose: To provide device repair, diagnostics, refurbishment, and related logistics services for MEFERI products under applicable service contracts (such as MeCare service plans) or warranty terms.

– Entity/Category: Authorized third-party service centers or logistics partners contracted by MEFERI or its affiliates to perform repair and handling of MEFERI devices. (MEFERI maintains a network of such authorized providers; specific provider details for a given repair may depend on Customer’s location and the nature of the service request).

– Nature of Data Processed: May include:

– Contact information of the Customer’s representatives coordinating the repair (name, email, phone number, shipping address).

– Device identifiers (serial number, model).

– Description of the issue provided by the Customer.

– Potentially, any Personal Data remaining on devices sent for repair if not deleted or secured by the Customer prior to shipment. MEFERI instructs Customers to back up and/or delete Personal Data from devices before sending them for repair, and MEFERI’s liability for loss of such data is limited as per the Main Agreement or applicable service terms. However, to the extent such data is accessed by the repair center in the course of diagnostics or repair, it is treated as Customer Personal Data.

– Location of Processing Personnel: Repair service centers may be located in various regions globally, including within the EEA, P.R. China, or other countries depending on the Customer’s location and MEFERI’s service network. MEFERI will provide information on the location of the specific repair center upon request or as part of the RMA process where feasible.

– Data Protection Safeguards: All authorized repair service centers and logistics providers who may access Customer Personal Data are subject to written agreements with MEFERI (or the contracting MEFERI affiliate) that include confidentiality obligations and data processing terms imposing data protection requirements at least equivalent to those set out in this DPA. For any transfer of Customer Personal Data to such providers located outside the European Economic Area (EEA) in a country not deemed adequate by the European Commission, MEFERI ensures that appropriate transfer mechanisms under Chapter V of the GDPR, such as Standard Contractual Clauses (SCCs), are in place. Access to Personal Data on devices is limited to what is necessary for diagnostics and repair.