Schedule 4: Details of the Processing

I. LIST OF PARTIES

Data exporter(s):

• Name: The entity identified as Customer in the DPA.

• Address: The address specified in the DPA or in the Agreement.

• Contact person's name, position and contact details: The contact details specified in the DPA or in the Agreement.

• Activities relevant to the data transferred under these Clauses: Use of the Scaleflex Product(s).

• Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses set forth under schedule 5, including their Annexes, as of the Effective Date of the Agreement.

• Role (Controller/Processor): Controller

Data importer(s):

• Name: The entity identified as Scaleflex in the DPA

• Address: The address specified in the DPA or in the Agreement.

• Contact person's name, position and contact details: The contact details specified in the DPA or in the Agreement.

• Activities relevant to the data transferred under these Clauses: Provision of the Scaleflex Product(s).

• Signature and date: By entering into the Agreement, data importer is deemed to have signed these Standard Contractual Clauses set forth under schedule 5, including their Annexes, as of the Effective Date of the Agreement.

• Role (Controller/Processor): Processor

II. DESCRIPTION OF TRANSFER

Nature of the processing. Scaleflex will Process Personal Data as necessary to provide the Product pursuant to the Agreement and as further instructed by Customer in its use of the Product.

Categories of Data Subjects whose Personal Data is transferred. Customer may store Personal Data in the Product, the extent of which is determined and controlled by Customer in its sole discretion. The sole Personal Data required for the use of the Product relates to the following categories of Data Subjects:

• Employees of Customer

• Customer’s Users

Upon Customer’s sole discretion, additional Data Subjects might be relevant for the use of (opt-in) AI features within the Product:

• Data Subjects in Customer Assets

Categories of Personal Data transferred. Customer may store Personal Data in the Product, the extent of which is determined and controlled by Customer in its sole discretion. The sole categories of Personal Data required for the use of the Product are:

• First and last name

• Email address

• IP addresses

Upon Customer’s sole discretion, additional categories might be used for the use of (opt-in) AI features within the Product:

• Biometric data

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The Product is not intended for Customer to store sensitive categories of data, which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person (unless AI features have been enabled), data concerning health or data concerning a natural person’s sex life or sexual orientation, or Personal Data relating to criminal convictions and offences.

Notwithstanding the foregoing, when AI features have been enabled, Scaleflex highly advises Customer against including Special Categories of Data within Scaleflex' asset labelling taxonomy, particularly in tags or free-form text.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). The frequency of the transfer is a continuous basis for the duration of the Agreement, unless otherwise agreed upon in writing.

Purpose(s) of the data transfer and further processing. Scaleflex will Process Personal Data as necessary to provide the Product pursuant to the Agreement and as further instructed by Customer in its use of the Product.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. Scaleflex may delete Personal Data six months after termination or expiration of the Agreement, unless European Union law or the laws of an EU member state requires that Scaleflex retains the Personal Data for a longer period. Personal Data stored in Scaleflex' auto-backup or archival systems will be deleted automatically after 180 days after back-up, or otherwise as soon as technically possible.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. Specified on Scaleflex' website at https://legal.scaleflex.com/privacy/global-privacy-policy/sub-processors (“Sub-Processors”). Sub-Processors will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.