Our data processing commitments, made explicit

How we process and protect your data as your processor, including roles, subprocessors, and transfers.

Introduction

This Data Processing Agreement, including the Standard Contractual Clauses attached hereto (collectively, the "DPA" or "Addendum"), is made and entered into as of the effective date (the "Effective Date") of the applicable customer's ("Customer") acceptance of the Terms of Service between Delalify ("Company", "we", "us", or "our") and Customer to which this DPA is attached and incorporated (the "Agreement").

This Addendum shall become legally binding upon Customer entering into the Agreement or upon execution of this Addendum. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement or our Terms of Service.

Last Updated

This Data Processing Agreement was last updated on November 7th, 2025.

Definitions

  • Affiliate
    Means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
  • Authorized Sub-Processor
    Means a third-party who has a need to know or otherwise access Customer's Personal Data to enable Company to perform its obligations under this DPA or the Agreement, and who is authorized under Section 4 of this DPA.
  • Company Account Data
    Means personal data that relates to Company's relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer's account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
  • Company Usage Data
    Means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
  • Customer Data
    Means any content, data, information or other materials (including Personal Data) submitted or shared by or for Customer to or through the Service.
  • Data Exporter
    Means Customer.
  • Data Importer
    Means Company.
  • Data Protection Laws
    Means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the Ghana Data Protection Act, 2012 (Act 843) ("Ghana DPA"), (ii) the California Consumer Privacy Act ("CCPA"), (iii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR") and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") (together, collectively, the "GDPR"), (iv) the Swiss Federal Act on Data Protection, (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms "Data Subject", "Personal Data", "Personal Data Breach", "processing", "processor", "controller", and "supervisory authority" shall have the meanings set forth in the applicable Data Protection Laws.
  • Data Subject
    Means an identified or identifiable natural person whose Personal Data is processed under this DPA, including (i) an identified or identifiable natural person who is in the EEA or whose rights are protected by EU Data Protection Laws; (ii) a "Consumer" as the term is defined in the CCPA; or (iii) a "Data Subject" as defined under the Ghana DPA.
  • EU SCCs
    Means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
  • ex-EEA Transfer
    Means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the "EEA"), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
  • ex-UK Transfer
    Means the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
  • Personal Data or Personal Information
    Means information relating to a living individual or household who is, relates to, describes or can be, reasonably identified or linked, directly or indirectly from information, either alone or in conjunction with other information, within the Company's or Customer's control and which is stored, collected, processed or submitted to or via the Service as Customer Data.
  • Services
    Means the Delalify services as defined in the Agreement, including Conjoin, Channels, People, OneCloud, Teams, Commerce, Builder, Wallet, and Tables.
  • Standard Contractual Clauses
    Means the EU SCCs and the UK SCCs.
  • UK SCCs
    Means the EU SCCs, as amended by the UK International Data Transfer Agreement ("UK IDTA").

Relationship of the Parties; Processing of Data

Roles and Responsibilities

The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, Company is a processor. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws.

Customer shall ensure that the processing of Personal Data in accordance with Customer's instructions will not cause Company to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data.

Processing Instructions

Company shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A of this DPA, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law or Supervisory Authority to which the Company is subject; in such a case, the Company shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Protection Laws.

Customer hereby instructs Company to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.

Details of Processing

The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.

Data Retention and Deletion

Following completion of the Services, at Customer's choice, Company shall return or delete Customer's Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. The timeframe for data deletion varies by Service but generally occurs within ninety (90) days of account termination or Customer's deletion request, unless otherwise specified in the applicable Service documentation.

If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.

Customer Obligations

Customer shall not provide or make available to Company any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith. Customer represents and warrants that it has obtained all necessary consents and provided all required notices to Data Subjects for the processing of their Personal Data in accordance with this DPA.

Sub-Processors

Authorized Sub-Processors

Customer acknowledges and agrees that Company may engage third-party sub-processors to process Personal Data on Customer's behalf. Company shall: (i) enter into a written agreement with each sub-processor imposing data protection terms that require the sub-processor to protect the Personal Data to the standard required by Data Protection Laws, and (ii) remain responsible for each sub-processor's compliance with the obligations of this DPA and for any acts or omissions of such sub-processor that cause Company to breach any of its obligations under this DPA.

Current Sub-Processors

Company currently uses the following categories of sub-processors:

  • Cloud Infrastructure Providers: Google Cloud Platform (GCP), Amazon Web Services (AWS), Cloudflare - for hosting, storage, and content delivery services
  • Communication Services: Sinch - for SMS and communication services
  • Payment Processors: Stripe, Paystack - for payment processing (note: these processors do not have access to full cardholder data, which is tokenized)

A current list of sub-processors, including their locations and the services they provide, is available at delalify.com/company/legal/subprocessors.

Changes to Sub-Processors

Company shall provide Customer with at least thirty (30) days' advance notice (by email notification to the administrative email address associated with Customer's account) of the addition or replacement of any sub-processor. If Customer reasonably objects to the use of a new sub-processor on legitimate data protection grounds, Customer must notify Company in writing within fifteen (15) days of receiving notice. Company will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable alternative to avoid processing of Personal Data by the objected-to sub-processor.

If Company is unable to provide such alternative within a reasonable time period (not to exceed sixty (60) days), either party may terminate the applicable Service by providing written notice to the other party. Company will refund Customer any prepaid fees covering the remainder of the term of the terminated Service following the effective date of termination with respect to such terminated Service.

Security of Processing

Security Measures

Company shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. These measures are described in Exhibit B to this DPA and are designed to ensure a level of security appropriate to the risk, including as appropriate:

  • Pseudonymization and encryption of Personal Data;
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Compliance and Certifications

Company maintains compliance with industry-recognized security standards and frameworks, including but not limited to:

  • ISO 27001:2022 (certification in progress)
  • PCI DSS (certification in progress)
  • EU-US Data Privacy Framework
  • GDPR readiness
  • HIPAA compliance for applicable Services

Detailed information about Company's security practices, compliance status, and certifications is available at delalify.com/company/trust.

Personnel Security

Company shall ensure that all personnel who have access to Personal Data: (i) are informed of the confidential nature of the Personal Data, (ii) have received appropriate training on their responsibilities, (iii) have executed written confidentiality agreements, and (iv) are subject to background checks to the extent legally permissible and in accordance with applicable local law.

Company shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services and that such personnel are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

Data Subject Rights

Assistance with Data Subject Requests

Taking into account the nature of the processing, Company shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligations to respond to requests to exercise Data Subject rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling

Data Subject Request Procedures

If Company receives a request from a Data Subject to exercise any of the above rights in relation to Customer's Personal Data, Company will redirect the Data Subject to Customer. Customer shall be responsible for responding to any such request. Company will, upon Customer's written request and at Customer's expense, provide reasonable cooperation to assist Customer in responding to such Data Subject request, to the extent legally permitted and to the extent Customer is unable to respond to such request through its own use of the Services.

Self-Service Tools

The Services provide Customer with the ability to access, correct, delete, and export certain Personal Data through the administrative interface. Customer is responsible for using these self-service tools to assist with Data Subject requests where possible.

Transfers of Personal Data

Data Storage and Processing Locations

Customer acknowledges that Company processes and stores Personal Data primarily in the United States. For certain Services, specifically Conjoin, Customer may select data storage locations across the United States, European Union, or Asia regions. Company is working to establish data residency options in Ghana.

Where Company processes Personal Data protected by the GDPR or other Data Protection Laws requiring specific safeguards for international transfers, and such processing involves a transfer of Personal Data outside the EEA, UK, or other protected jurisdiction, Company shall ensure that such transfers are made in accordance with the requirements of applicable Data Protection Laws. The parties agree to rely on the following mechanisms for such transfers:

  • Standard Contractual Clauses: For transfers from the EEA, the EU SCCs shall apply, incorporated by reference into this DPA and completed as set forth in Exhibit C. For transfers from the UK, the UK SCCs shall apply. The EU SCCs and UK SCCs form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict.
  • EU-US Data Privacy Framework: Company participates in and complies with the EU-US Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union to the United States.
  • Adequacy Decisions: Where the European Commission, UK Secretary of State, or other relevant authority has made an adequacy decision recognizing a third country as providing adequate protection, Company may rely on such adequacy decision for transfers to that country.

Standard Contractual Clauses Details

To the extent the EU SCCs apply to transfers of Personal Data under this DPA, the parties agree that:

  • Module Two (Controller to Processor) or Module Three (Processor to Processor) of the EU SCCs shall apply, depending on whether Customer acts as a controller or processor of the Personal Data;
  • In Clause 7 (Docking clause), the optional docking clause shall apply;
  • In Clause 9 (Use of sub-processors), Option 2 (General written authorization) shall apply, and the time period for prior notice of sub-processor changes is thirty (30) days as set forth in Section 4 of this DPA;
  • In Clause 11 (Redress), the optional language requiring the data importer to notify data subjects of a change of sub-processor shall not apply;
  • In Clause 17 (Governing law), the EU SCCs shall be governed by the laws of Ireland;
  • In Clause 18 (Choice of forum and jurisdiction), the courts of Ireland shall have jurisdiction;
  • Exhibit C contains the information required in Annex I and Annex II of the EU SCCs;
  • By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.

Supplementary Measures

Company shall implement appropriate supplementary measures to ensure that the level of protection of Personal Data is not undermined when relying on the Standard Contractual Clauses for transfers. Such measures include encryption in transit and at rest, access controls, and regular security assessments as described in Exhibit B.

Data Breach Notification

Notification to Customer

Company shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Such notification shall be made as follows:

  • General Services (Channels, People, OneCloud, Teams, Commerce, Builder, Wallet, Tables): Within seventy-two (72) hours of Company becoming aware of the Personal Data Breach
  • Conjoin Platform: Within forty-eight (48) hours of Company becoming aware of the Personal Data Breach, given the developer platform nature and Customer's responsibility to their end-users

Breach Notification Contents

The notification shall, to the extent possible and legally permissible, include the following information:

  • A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • The name and contact details of Company's data protection officer or other contact point where more information can be obtained;
  • A description of the likely consequences of the Personal Data Breach;
  • A description of the measures taken or proposed to be taken by Company to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Cooperation and Assistance

Company shall cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach. Company shall not inform any third party of any Personal Data Breach without first obtaining Customer's prior written consent, except as required by applicable law or to the extent necessary to fulfill Company's obligations under this Section.

Customer Notification Obligations

Customer acknowledges that it is solely responsible for complying with any applicable Data Protection Laws requiring notification of Data Subjects, supervisory authorities, or other parties regarding Personal Data Breaches. Company's notification to Customer under this Section does not constitute an acknowledgment by Company of any fault or liability with respect to the Personal Data Breach.

Audits and Compliance

Audit Rights

Company shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to the following conditions:

Audit Procedures

Option 1: Third-Party Certification Review

Company is pursuing ISO 27001:2022 certification and shall provide Customer with a copy of any obtained third-party security certifications, audit reports, and compliance documentation upon reasonable request, subject to the execution of a non-disclosure agreement. Once obtained, these certifications shall be deemed to satisfy Customer's audit rights unless Customer has reasonable grounds to believe Company is not in compliance with its obligations under this DPA.

Option 2: Remote Audit

If Customer has reasonable grounds to believe that Company is not in compliance with this DPA, or if required by applicable Data Protection Laws or a supervisory authority, Customer may conduct a remote audit of Company's relevant processing operations, subject to the following:

  • Customer shall provide Company with at least sixty (60) days' prior written notice of any intended audit;
  • Audits shall not occur more than once per calendar year, unless required by a supervisory authority or in response to a Personal Data Breach;
  • Audits shall be conducted remotely through secure video conferencing, document review, and system demonstrations during regular business hours and in a manner that does not unreasonably interfere with Company's business operations;
  • Customer shall bear all costs and expenses associated with such audits, including reasonable costs incurred by Company in facilitating the audit;
  • The auditor must be bound by confidentiality obligations and must not be a competitor of Company;
  • Customer shall provide Company with a written report of the audit findings and shall treat all audit information as Company's Confidential Information.

Third-Party Certifications

Company maintains and makes available various third-party audit reports and certifications demonstrating compliance with applicable security and data protection standards. For more information, review Company's Trust page at delalify.com/company/trust.

Remediation

If an audit reveals any non-compliance with this DPA, Company shall, at its own cost, use reasonable efforts to remedy such non-compliance within a reasonable timeframe agreed upon by the parties, taking into account the nature and severity of the non-compliance.

Return and Deletion of Personal Data

Data Return

Upon termination or expiration of the Agreement, or upon Customer's written request, Company shall, at Customer's choice, delete or return to Customer all Personal Data (including copies) processed under this DPA, unless applicable law requires continued storage of the Personal Data.

Deletion Timeframes

The timeframes for Personal Data deletion vary by Service and are as follows:

  • User-Initiated Deletion: When Customer deletes Personal Data through the Services, such data is generally deleted from active systems within thirty (30) days, and from backup systems within ninety (90) days.
  • Account Termination: Upon account termination, Personal Data is deleted within ninety (90) days, except where legal obligations require retention.
  • Service-Specific Retention: Certain Services may have different retention periods as documented in the Service-specific terms or as controlled by Customer through Service settings.

Notwithstanding the above, Company may retain Personal Data to the extent required by applicable law, regulation, or legal process, including but not limited to:

  • Financial records for tax and accounting purposes;
  • Transaction records as required by anti-money laundering or know-your-customer (KYC) regulations;
  • Data necessary to comply with legal holds or ongoing litigation;
  • Data required for fraud prevention and security purposes for a limited period.

Certification of Deletion

Upon Customer's written request, Company shall provide written certification that Personal Data has been deleted or returned in accordance with this Section, except to the extent prohibited by applicable law.

Backup Systems

Customer acknowledges that Personal Data may remain in Company's backup systems for up to ninety (90) days following deletion from active systems. During this period, such Personal Data will not be accessible for normal processing operations and will be protected in accordance with Company's security measures as described in Exhibit B.

Cooperation and Data Protection Impact Assessments

General Cooperation

Company shall, taking into account the nature of the processing and the information available to Company, provide reasonable cooperation and assistance to Customer to enable Customer to comply with its obligations under Data Protection Laws, including:

  • Obligations to conduct data protection impact assessments;
  • Obligations to consult with supervisory authorities;
  • Obligations to maintain records of processing activities;
  • Obligations to implement appropriate security measures.

Data Protection Impact Assessments (DPIAs)

To the extent that Company has information relevant to any data protection impact assessment required under Data Protection Laws, Company shall provide reasonable cooperation and assistance to Customer in connection with such assessment, including by providing:

  • Information about the technical and organizational measures implemented by Company;
  • Information about sub-processors used by Company;
  • Information about data security incidents and breaches;
  • Other information reasonably necessary for the assessment.

Prior Consultation

If Customer is required to consult with a supervisory authority under Data Protection Laws regarding the processing of Personal Data by Company under this DPA, Company shall provide reasonable cooperation and assistance to Customer in connection with such consultation.

Additional Assistance

Any assistance provided by Company under this Section may be subject to additional fees if such assistance requires significant time or resources beyond the scope of the Services. The parties shall agree on such fees in advance.

Liability and Indemnification

Limitation of Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, Company's total liability for all claims arising out of or related to this DPA shall not exceed the liability cap set forth in the Agreement.

Data Protection Violations

Without limiting the generality of the foregoing, Company shall not be liable for any claims, damages, or losses arising from:

  • Customer's failure to comply with its obligations under Data Protection Laws or this DPA, including failure to obtain necessary consents or provide required notices to Data Subjects;
  • Customer's instructions to Company that violate Data Protection Laws or this DPA;
  • Actions or omissions of Customer, its employees, agents, or end users;
  • Processing by Company in accordance with Customer's documented instructions;
  • Any force majeure event or circumstances beyond Company's reasonable control.

Customer Indemnification

Customer shall indemnify, defend, and hold harmless Company from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:

  • Customer's failure to comply with Data Protection Laws or its obligations under this DPA;
  • Any claim that the Personal Data provided by Customer infringes or misappropriates any third party's intellectual property rights or violates applicable law;
  • Customer's instructions to Company that violate Data Protection Laws or cause Company to violate Data Protection Laws.

Regulatory Fines and Penalties

In the event that a supervisory authority or court determines that both parties are responsible for damage or regulatory fines arising from the same processing operation, each party shall be liable only for the portion of the damage or fines attributable to its own breach of this DPA or applicable Data Protection Laws, to the extent permitted by applicable law.

General Provisions

Relationship to the Agreement

This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data. For the avoidance of doubt, the Standard Contractual Clauses shall take precedence over the rest of this DPA to the extent of any conflict.

Changes to this DPA

Company reserves the right to update or modify this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or Company's data processing practices. Company shall provide Customer with notice of any material changes to this DPA by:

  • Posting the updated DPA on Company's website with a notice of the change;
  • Sending an email notification to the administrative email address associated with Customer's account at least thirty (30) days prior to the effective date of the change.

Customer's continued use of the Services after the effective date of any changes to this DPA constitutes acceptance of such changes. If Customer does not agree to the changes, Customer may terminate the Agreement in accordance with its terms.

Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired. The parties shall negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid, legal, and enforceable provision that achieves, to the greatest extent possible, the original intent and economic effect of the invalid, illegal, or unenforceable provision.

Governing Law and Jurisdiction

Except as otherwise set forth in the Standard Contractual Clauses (which shall be governed by the laws specified therein), this DPA shall be governed by the same governing law and jurisdiction provisions as set forth in the Agreement.

Order of Precedence

In the event of any conflict or inconsistency between the terms of this DPA and other documents, the following order of precedence shall apply:

  1. Standard Contractual Clauses (if applicable);
  2. This Data Processing Agreement;
  3. The Terms of Service;
  4. Any other agreement between the parties.

Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter.

Contact Information

For questions or concerns regarding this DPA or Company's processing of Personal Data, please contact:

Data Protection Officer
Delalify
Email: privacy@delalify.com

For general inquiries, please contact wecare@delalify.com.

Exhibit A: Details of Processing

Subject Matter of Processing

The subject matter of the processing is the provision of the Services by Company to Customer in accordance with the Agreement.

Nature and Purpose of Processing

Company will process Personal Data as necessary to provide the Services pursuant to the Agreement, to comply with Customer's instructions, and as required by applicable law. The specific nature and purpose of processing depends on the Service(s) used by Customer:

  • Conjoin: Cloud platform services including, but not limited to, messaging, storage, billing, database, AI, and authentication.
  • Channels: Communication and messaging services
  • People: Contact management and relationship management services
  • OneCloud: Cloud storage and file management services
  • Teams: Unified access control and permission management services
  • Commerce: E-commerce platform and transaction processing services (excluding payment card processing)
  • Builder: Website and application building services
  • Wallet: Digital wallet services for storing value and managing transactions
  • Tables: Data management and database services

Duration of Processing

Company will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law. Following termination or expiration of the Agreement, Company will delete or return Personal Data in accordance with Section 9 of this DPA.

Categories of Data Subjects

Data Subjects may include, but are not limited to:

  • Customer's employees, contractors, and authorized users
  • Customer's customers and end users
  • Customer's business contacts and partners
  • Website visitors and application users
  • Individuals whose Personal Data is processed through Customer's use of the Services

Types of Personal Data

The types of Personal Data processed may include, depending on the Service(s) used:

  • Contact Information: Names, email addresses, phone numbers, postal addresses
  • Account Information: Usernames, passwords (hashed), account preferences, profile information
  • Identification Data: Government-issued identification numbers for KYC purposes (where applicable and required by law)
  • Financial Information: Transaction history, billing information, payment method tokens (not full payment card details)
  • Usage Data: IP addresses, device information, browser type, log data, cookies
  • Content Data: Files, documents, messages, and other content uploaded or created by Customer through the Services
  • Communication Data: Email content, SMS messages, chat messages

Special Categories of Personal Data

Unless otherwise agreed in writing or required for specific Services (such as HIPAA-compliant healthcare applications), Customer shall not provide Company with any special categories of Personal Data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation).

If Customer intends to process special categories of Personal Data through the Services, Customer must contact Company in advance to execute appropriate addenda and ensure proper safeguards are in place.

Exhibit B: Technical and Organizational Security Measures

Security Governance

Delalify maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to: (a) help customers secure their data processed using Delalify's Services against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Services, and (c) minimize security risks, including through risk assessment and regular testing.

The information security program covers the following core functions:

  • Application security (secure development, security feature design, security champions program, and secure development training)
  • Infrastructure security (data centers, cloud security, and strong authentication mechanisms)
  • Monitoring and incident response (cloud-native and custom monitoring solutions)
  • Vulnerability management (vulnerability scanning, penetration testing, and timely resolution)
  • Compliance and technical privacy (regulatory compliance, privacy by design, and data protection)
  • Security awareness (onboarding training, ongoing awareness campaigns, and security culture development)

Access Control

Preventing Unauthorized Product Access
  • Third-Party Data Hosting and Processing: We host our Services with third-party cloud infrastructure providers including Google Cloud Platform (GCP), Amazon Web Services (AWS), and Cloudflare. We maintain contractual relationships with vendors to provide the Services in accordance with this DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
  • Physical and Environmental Security: We host our infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of such providers are audited for ISO 27001 compliance, among other certifications.
  • Authentication: Customers who interact with the Services via the user interface are required to authenticate before they can access their non-public data. We support multi-factor authentication (MFA), social login, and Single Sign-On (SSO).
  • Authorization: Customer Content is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model ensures that only appropriately assigned individuals can access relevant features, views, and customization options.
  • API Access: Public APIs may be accessed using API keys or through OAuth authorization. Authorization credentials are stored encrypted using industry-standard encryption algorithms.
Preventing Unauthorized Product Use
  • Access Controls: Network access control mechanisms prevent network traffic using unauthorized protocols from reaching the infrastructure. Technical measures include Virtual Private Cloud (VPC) implementations, security group assignments, and firewall rules.
  • Static Code Analysis: Automated security reviews of code stored in source code repositories are performed through static code analysis, checking for coding best practices and identifiable software vulnerabilities.
  • Penetration Testing: We maintain relationships with industry-recognized penetration testing service providers for regular penetration tests. The intent is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Limitations of Privilege and Authorization Requirements
  • Product Access: A limited subset of personnel have access to the Services and Customer Data via controlled interfaces. Access is provided to support effective customer support, troubleshoot problems, detect and respond to security incidents, and implement data security.
  • Personnel Security: Personnel are required to conduct themselves consistent with Company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Company conducts appropriate background checks to the extent legally permissible and in accordance with applicable local law.
  • Confidentiality Commitments: Personnel are required to execute confidentiality agreements and must acknowledge receipt of, and compliance with, Company's confidentiality and security policies. Personnel receive regular security training.

Encryption Technologies

  • In-Transit Encryption: We make HTTPS encryption (also referred to as SSL or TLS) available on all Services interfaces. Our HTTPS implementation uses industry-standard algorithms (TLS 1.2 or higher) and certificates.
  • At-Rest Encryption: We store passwords following industry-standard practices for security (bcrypt or similar). We have implemented technologies to ensure that stored data is encrypted at rest using AES-256 or equivalent encryption standards.
  • Key Management: Encryption keys are managed using industry-standard key management practices, including key rotation, access controls, and secure storage.

Monitoring and Incident Response

  • Detection: We designed our infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate personnel of malicious, unintended, or anomalous activities. Security, operations, and support personnel are responsive to known incidents.
  • Response and Tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, we take appropriate steps to minimize damage or unauthorized disclosure. Notifications are made in accordance with Section 7 of this DPA.

Data Deletion and Portability

Delalify enables customers to request deletion or export of their account and data in a manner consistent with the functionality of the Services and as described in Section 9 of this DPA.

Availability Controls

Services are designed to ensure redundancy and automatic failover. The server instances that support the Services are architected with a goal to prevent single points of failure. This design assists operations in maintaining and updating applications and backend systems while limiting downtime.

  • Redundancy: Infrastructure providers use designs to eliminate single points of failure and minimize the impact of anticipated environmental risks. Services are designed to allow certain types of preventative and corrective maintenance without interruption.
  • Business Continuity: Delalify has designed, and regularly plans and tests, its business continuity planning and disaster recovery programs to ensure service availability and data protection.

Compliance and Certifications

Delalify maintains compliance with the following standards and frameworks:

  • ISO 27001:2022 (certification in progress)
  • PCI DSS (certification in progress)
  • EU-US Data Privacy Framework
  • GDPR readiness and compliance
  • HIPAA compliance for applicable Services
  • Ghana Data Protection Act, 2012 (Act 843)

Detailed information about our security measures, compliance status, and certifications is available at delalify.com/company/trust.

Updates to Security Measures

Company reserves the right to update or modify these security measures from time to time, provided that such updates and modifications do not result in a material decrease in the overall level of security provided for the protection of Personal Data.

Exhibit C: Standard Contractual Clauses

Applicability

This Exhibit C applies to the extent that Company processes Personal Data protected by the GDPR on behalf of Customer and such processing involves a transfer of Personal Data outside the EEA or UK that is not governed by an adequacy decision.

Standard Contractual Clauses

The parties agree to be bound by the Standard Contractual Clauses as approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021 ("EU SCCs"). For transfers from the UK, the EU SCCs as amended by the UK International Data Transfer Agreement ("UK IDTA") shall apply ("UK SCCs").

Module Selection

Depending on whether Customer acts as a controller or processor of the Personal Data, the applicable module shall be:

  • Module Two: Controller to Processor (where Customer is a controller)
  • Module Three: Processor to Processor (where Customer is a processor)

Clause-Specific Selections

  • Clause 7 (Docking clause): The optional docking clause applies.
  • Clause 9 (Use of sub-processors): Option 2 (General written authorization) applies. The time period for prior notice of sub-processor changes is thirty (30) days.
  • Clause 11 (Redress): The optional language requiring notification of sub-processor changes to Data Subjects does not apply.
  • Clause 13 (Supervision): Where Customer is established in the EU, the supervisory authority shall be the authority in Customer's EU member state. Where Customer is not established in the EU, the supervisory authority shall be the Data Protection Commission of Ireland.
  • Clause 17 (Governing law): The EU SCCs shall be governed by the laws of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): The courts of Ireland shall have jurisdiction over disputes arising from the EU SCCs.

Annex I: List of Parties

Data Exporter
  • Name: Customer, as specified in the Agreement
  • Address: As specified in Customer's account
  • Contact: As specified in the Agreement
  • Role: Controller or Processor (as applicable)
Data Importer
  • Name: Delalify Ltd (Ghana) or Delalify LLC (USA), as applicable
  • Address:
    • Delalify Ltd: Liberation Road, 7th Floor, Atlantic Tower, Airport City, Accra, Ghana.
    • Delalify LLC: 254 Chapman Rd, Newark, Delaware, United States.
  • Contact: privacy@delalify.com
  • Role: Processor

Signature and date: The parties agree that execution of the Agreement by the Data Importer and the Data Exporter shall constitute execution of these Standard Contractual Clauses by both parties on the Effective Date of the Agreement.

Annex II: Technical and Organizational Measures

The technical and organizational measures implemented by the Data Importer are described in Exhibit B of this DPA.

Annex III: List of Sub-Processors

The current list of sub-processors is described in Section 4 of this DPA and is available at delalify.com/company/trust.

UK IDTA

For transfers from the UK, the UK IDTA shall apply in addition to the EU SCCs. The tables and information required by the UK IDTA shall be populated with the information set forth in this Exhibit C and elsewhere in this DPA.
