Data Transfer and Processing Agreement

Introduction

This Data Transfer and Processing Agreement (“Agreement”) forms an integral part of a contract, agreement, or other legally binding document (“Contract”) between Naoma AI Inc., 1007 N Orange St. 4th Floor, 3932, Wilmington, DE 19801, New Castle, US (“Company”) and the other party of the Contract (“Partner”).

The Agreement provides the legal framework for the processing of personal data (personal information) the Company processes in the context of the Contract with the Partner.

In this Agreement, terms shall have the meanings assigned to them in the EU data protection law. If applicable law uses different terms to refer to the same persons, objects, or activities, the terms used in this Agreement shall be construed as referring to the corresponding terms used in such applicable law.

The effective date of the Agreement is the same as the effective date of the Contract.

Data Processing Details

The details of the data processing and types of personal data are as follows:

• Subject-matter of data processing: The Partner uses Naoma AI to demonstrate its products and services to customers and to collect their data.
• Purpose of data processing: To fulfill obligations under the Contract (to provide Naoma AI service, including technical support, fraud prevention, analytics).
• Categories of data subjects: Partner’s consumers (customers, end users).
• Type of personal data: Identifiers (name, online identifiers, IP address); consumer record information (contact information, company name, conversation transcript, conversation audio, session context); internet or other electronic network activity (telemetry events, button clicks, errors).
• Duration of data processing: For the duration of the Contract.

Roles in Data Processing

The Partner is a data controller or a data processor acting on behalf of another data controller.

The Company:

• Processes personal data on behalf of the Partner and acts as data processor.
• Processes, as data controller, data specified in Section 1(1)(d)(ii) and (iii) not linked to the customers for the purposes of product analysis and improving the Naoma AI product.
• Processes, as data controller, data specified in Section 1(1)(a) for the purpose of enhancing customers’ experience with the Naoma AI product.

The nature of the processing is a set of operations performed on personal data by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, making available to the Partner and to authorized subcontractors (sub-processors), alignment or combination, restriction, erasure or destruction.

The Partner warrants and represents that it:

• Does not transfer to the Company nor instruct the Company to process personal data of data subjects under the age of 18, or biometric, or sensitive personal data.
• Ensures the lawfulness of personal data processing, personal data minimization, and that the processing by the Company does not violate data protection principles and data subjects’ rights and freedoms.

Data Processing Framework

Security measures

The Company shall implement the following technical and organizational measures:

• Pseudonymization and encryption of personal data.
• Ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• Event logging and access control including user identification and authorization procedure.
• Implementation of other appropriate measures to ensure a level of security appropriate to the risk.
• Regular testing, assessing and evaluating the effectiveness of security measures.

Compliance measures

• Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation.
• Ensure awareness of applicable data protection laws, data subject rights, and organizational policies.
• Assist the Partner to respond to data subject rights requests and supervisory authority tasks.
• Provide information necessary for the Partner to carry out impact assessments.
• Notify the Partner without undue delay if the Company can no longer meet its obligations under applicable law.
• Upon notice from the Partner, immediately stop, restrict, or limit processing of personal data as prescribed by applicable law.

Incident response

Without undue delay and, where feasible, not later than 48 hours after becoming aware of a personal data breach, the Company shall notify the Partner with information on the nature of the breach, contact point, likely consequences, and measures taken or proposed. The Company shall document breaches, assist with communication to data subjects where required by law, and take appropriate measures to address the breach.

Processing on Behalf of the Partner

When processing personal data on behalf of the Partner, the Company:

• Processes the personal data only as instructed by the Partner in the Agreement and the Contract.
• Informs the Partner without undue delay (not later than 48 hours) if: processing not instructed by the Partner is required by law; an instruction infringes applicable law; or the Company received a data subject’s request.
• Makes available to the Partner upon request all reasonable information and documents necessary to demonstrate compliance (audit).
• Does not sell or share personal data for targeted advertising; processes only for business purposes under the Contract or Partner’s instructions; permitted exceptions include sub-processors, internal use to build or improve services, and security/fraud prevention.
• By the end of the Agreement or Contract, without undue delay deletes all personal data received from the Partner unless otherwise required by law.

The Company may engage sub-processors under a general authorization, subject to: providing the Partner with a list (categories, name, address, contact, data processed, description); imposing the same data protection obligations; remaining liable for sub-processors’ performance; informing the Partner 30 days prior to changes, with a right to object.

Partner Notices and Controller Processing

Where the Company processes personal data as a data controller, the Partner shall ensure that its customers are provided with all information required under applicable law, including appropriate privacy notices and, where required, consents. The Partner may include in its notice the information about Naoma AI Inc.’s processing as data controller (product analysis, experience enhancement), opt-out at naoma.ai, and that Naoma does not sell or share data; and that for EU/UK GDPR, appropriate safeguards are in place including Standard Contractual Clauses and the ICO Data Transfer Addendum.

Where the Company processes personal data as a data controller, it shall: process for the purposes specified; provide a level of data protection as required of the Partner; grant the Partner audit rights and the right to take steps to stop and remediate unauthorized use.

International Data Transfer Clauses

Where EU data protection laws (in particular the GDPR) apply, the parties comply with the Standard Contractual Clauses (SCC) of Commission Implementing Decision (EU) 2021/914. Modules One, Two and Three apply; Clause 7 (docking) is excluded; Option 2 in Clause 9(a) (sub-processors, 30 days); Option 1 in Clause 17 (governing law – Member State of Data exporter); Clause 18(b) (jurisdiction – Member State of Data exporter). Data exporter is the Partner; Data importer is the Company. Details are in the Contract; categories, purposes, retention and nature of processing are in Section 1; sub-processors in Annex 1.

Swiss FADP: The same framework applies with amendments: adequacy decisions per FDPIC; references to GDPR read as Swiss FADP where applicable; data subjects in Switzerland may sue in Switzerland per Clause 18(c); competent authority FDPIC; governing law and jurisdiction as specified for Switzerland.

UK: The same framework applies with the International Data Transfer Addendum to the EU Commission SCCs issued by the ICO (Approved Addendum). Tables as in Section 3(1); Table 1 start date = effective date of Agreement; Table 4 ending = by Importer or Exporter. Mandatory Clauses: Addendum B.1.0 as revised. Adequacy regulations: ICO.

Amendments to the Agreement

The Company may amend the Agreement when: required to comply with applicable law, regulation, court order or supervisory guidance; personal data processing activities under the Contract change; or amendments do not degrade the security of personal data. Amendments may be effective on publication, 30 days after publication, or 30 days after prior notice (or shorter if legally required). The Company may make editorial changes without notice.

General Terms

• The term of the Agreement is the same as the term of the Contract.
• In the event of conflict, the Agreement prevails unless otherwise agreed in the Contract.
• The total liability of any party under this Agreement shall not exceed $10,000 USD. This supersedes any limitations in the Contract.
• Invalid or unenforceable provisions do not affect the remainder.
• The Company may disclose the Agreement to competent authorities as required by law.
• The Agreement survives termination of the Contract until all data protection obligations are fulfilled.

Annex 1 — List of Sub-Processors

As of Jan 30, 2026