This Data Processing Agreement ("DPA") forms part of the agreement between V MATRIX TECHNOLOGIES LLC ("Processor") and the client identified in the underlying services agreement ("Controller") for the provision of services that involve processing personal data. This DPA is intended to comply with Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and equivalent provisions of the UK GDPR and applicable U.S. state privacy laws.
A signed copy is available on request and is included as an annex to each engagement-specific Statement of Work.
1. Definitions
Terms used in this DPA have the meanings given in the GDPR unless otherwise defined. "Personal Data," "Processing," "Data Subject," "Controller," and "Processor" carry their GDPR meanings. "Services" means the services V MATRIX provides under the underlying agreement.
2. Roles
Controller determines the purposes and means of Processing. Processor processes Personal Data on behalf of Controller under documented instructions. Where Processor processes Personal Data for its own purposes (such as operating its business and the Site), Processor is the Controller for that processing and its Privacy Policy applies.
3. Subject Matter, Duration, Nature, and Purpose
The subject matter, duration, nature, and purpose of Processing are defined in the underlying agreement and the applicable Statement of Work. In general:
- Subject matter: Personal Data necessary for V MATRIX to deliver the Services
- Duration: the duration of the engagement plus any retention period required by law or the underlying agreement
- Nature and purpose: developing, deploying, operating, or consulting on systems agreed in the Statement of Work
4. Categories of Personal Data and Data Subjects
Categories are documented in Annex 1 per engagement. Typical categories include identifiers, contact information, professional information, and content created by Data Subjects within Controller systems. Sensitive categories (Article 9 GDPR) are processed only when explicitly contracted with appropriate safeguards.
5. Processor Obligations
Processor will:
- Process Personal Data only on documented instructions from Controller, including with regard to transfers to a third country, unless required by law (in which case Processor will notify Controller before such processing, except where prohibited by law)
- Ensure that personnel authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures (Annex 3) to ensure a level of security appropriate to the risk
- Engage subprocessors only as permitted in Section 7
- Assist Controller, taking into account the nature of processing, in fulfilling its obligation to respond to Data Subject rights requests
- Assist Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and information available to Processor
- At Controller's choice, delete or return all Personal Data to Controller upon termination, and delete existing copies unless retention is required by law
- Make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, as set out in Section 10
6. Controller Obligations
Controller:
- Has a lawful basis under applicable law for the Processing it instructs
- Has provided required notices to Data Subjects and obtained any required consents
- Will document Processor's instructions in writing (the underlying agreement and Statement of Work satisfy this)
- Will ensure that Personal Data transferred to Processor is accurate and adequate for the purpose
7. Subprocessors
Controller grants Processor general authorization to engage subprocessors to perform the Services. Processor will:
- Maintain a current list of subprocessors (Annex 2)
- Impose data protection obligations on each subprocessor that are no less protective than those in this DPA
- Notify Controller of any intended changes to subprocessors with at least 14 days' notice, giving Controller opportunity to object on reasonable grounds
- Remain liable to Controller for the performance of subprocessors' obligations
8. International Transfers
Where Processor transfers Personal Data outside the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the transfer will be governed by:
- The EU-U.S. Data Privacy Framework (and UK Extension) where Processor or its subprocessors are DPF-certified
- The EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by Commission Implementing Decision (EU) 2021/914, incorporated by reference, or
- An equivalent valid transfer mechanism under applicable law
Processor will implement additional safeguards consistent with Schrems II as appropriate to the data and the destination.
9. Data Subject Rights
Processor will, to the extent legally permitted, promptly notify Controller of any Data Subject request received directly. Processor will not respond to such requests directly unless authorized by Controller, except to confirm that the request relates to Controller. Processor will assist Controller in responding within applicable legal timeframes.
10. Audits
Controller may audit Processor's compliance with this DPA once per twelve-month period, with at least thirty days' prior written notice, during business hours, and in a manner that does not unreasonably disrupt Processor's operations. Processor may satisfy audit obligations by providing third-party audit reports or certifications where available. Audits beyond this frequency, or arising from a confirmed material breach, are at Controller's expense.
11. Personal Data Breaches
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected, where known
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- Contact details for further information
Controller is responsible for notifying supervisory authorities and Data Subjects where required.
12. Liability
Liability under this DPA is subject to the limitations of liability in the underlying agreement, except that liability arising from breaches of GDPR Article 82 or equivalent statutory liability is governed by applicable law.
13. Term and Termination
This DPA takes effect on the effective date of the underlying agreement and continues for the duration of Processing. Upon termination, Processor will, at Controller's choice, return or delete Personal Data per Section 5(7).
14. Governing Law and Jurisdiction
This DPA is governed by the laws of the State of Florida, United States, except where the GDPR or other mandatory law requires otherwise. Disputes are resolved as set out in the underlying agreement.
15. Order of Precedence
In the event of conflict, the order of precedence is: (1) this DPA, (2) the Standard Contractual Clauses where incorporated, (3) the underlying agreement.
16. Execution
This DPA is executed and incorporated into each engagement by reference in the applicable Statement of Work. A separately signed counterpart is available on request at info@vmatrix.io.
Annex 1 — Description of Processing (Template, completed per engagement)
Categories of Data Subjects: [Controller's end users / employees / customers / other — specify per engagement]
Categories of Personal Data: [identifiers, contact, professional, content, technical, other — specify per engagement]
Sensitive Data: [None / specify if applicable, with safeguards]
Frequency of Processing: [Continuous / periodic / one-time]
Duration: [Per engagement timeline plus retention requirement]
Purpose: [Per Statement of Work]
Retention: [Per Statement of Work and applicable law]
Annex 2 — Approved Subprocessors
The following subprocessors are approved as of the date of this DPA. Engagement-specific subprocessors may be added per Section 7.
| Subprocessor | Service | Location | Transfer Mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting infrastructure | United States | DPF-certified |
| PostHog Inc. | Product analytics | United States | SCCs |
| Cal.com Inc. | Meeting scheduling | United States / EU | SCCs |
| Microsoft Corporation | Business email and collaboration | United States | DPF-certified |
Engagement-specific subprocessors (such as cloud providers used to operate Controller's systems) are typically engaged by Controller directly and are not subprocessors of V MATRIX.
Annex 3 — Technical and Organizational Measures
Processor implements the following measures, as detailed in the Security page at vmatrix.io/security:
Access control: Multi-factor authentication; least privilege; named identities; revocation on engagement completion.
Encryption: TLS 1.3 in transit; encryption at rest by underlying cloud provider defaults.
Code security: Work in Controller-controlled source-control; signed commits where supported; no long-term storage of Controller code on personal devices.
Infrastructure: Deployment into Controller-controlled cloud accounts; Controller-controlled identity providers; Controller-controlled secret management.
Personnel: Confidentiality undertakings; endpoint protection; security training appropriate to role.
Incident response: Documented response process; 72-hour notification commitment.
Subprocessor management: Written agreements; periodic review; notification of material changes.
Data minimization: Collect and process only what is necessary for the Services.
Continuity: Documented engagement state in Controller systems for clean handover.
V MATRIX TECHNOLOGIES LLC
2125 Biscayne Blvd, Ste 204 #24879
Miami, FL 33137
United States
info@vmatrix.io