DATA PROCESSING AGREEMENT

Between NEO APP INTERNATIONAL, Ltd and Customer

This Data Processing Agreement ("DPA") is entered into between:

NEO APP INTERNATIONAL, Ltd, a company incorporated under the laws of the Republic of Cyprus, with its principal place of business at SOHO Embassy – Omonoias 13, Limassol 3052, Cyprus ("Processor") with company registration Number HE 483677,

and

the customer identified in the associated Master Subscription Agreement ("Controller").

This DPA forms an integral part of the parties' commercial agreement for the provision of the NEO ONE loyalty platform and reflects their obligations under Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

1. Definitions

Capitalized terms not defined herein shall have the meanings given in the GDPR. "Personal Data," "Processing," "Data Subject," and "Sub-processor" are as defined in GDPR Article 4.

2. Parties and Roles

2.1 The Controller is the data controller for the Personal Data processed under this DPA.

2.2 The Processor is NEO APP INTERNATIONAL, Ltd, acting as data processor on behalf of the Controller.

3. Subject Matter and Duration

3.1 This DPA governs the processing of Personal Data by Processor in connection with the provision of the NEO ONE SaaS platform, including mobile application backend services, user authentication, push notifications, scanner application, admin application, error monitoring, email delivery, and payment facilitation.

3.2 The duration of processing shall be for the term of the parties' commercial agreement and until all Personal Data is deleted or returned.

4. Nature and Purpose of Processing

Processing is performed to deliver, operate, and support the NEO ONE Services as instructed by the Controller.

5. Categories of Data Subjects

End users of the Controller's digital services, including:

  • Customers of the Controller
  • Employees or representatives of the Controller's clients
  • Any natural person whose data is uploaded to or processed via the Services

6. Types of Personal Data Processed

  • Identifiers: name, email address, phone number
  • Account credentials (e.g., username, hashed password)
  • Technical identifiers: IP address, device ID, browser/device type
  • Usage data: session logs, timestamps, feature usage, error reports
  • Payment tokens (transmitted securely to Viva Payments; not stored by Processor)
  • User-uploaded business content (e.g., contacts, documents)

7. Obligations of the Processor

The Processor shall:

  • (a) Process Personal Data only on documented instructions from the Controller;
  • (b) Ensure that all personnel with access to Personal Data are bound by confidentiality obligations;
  • (c) Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 10);
  • (d) Not engage any sub-processor without the Controller's prior general authorisation and 14-day advance notice;
  • (e) Assist the Controller in fulfilling its obligations to respond to Data Subject Requests under GDPR Articles 15–22;
  • (f) Notify the Controller of any Personal Data Breach without undue delay and no later than 48 hours after becoming aware of it;
  • (g) Upon termination of the commercial agreement or at the Controller's election, delete or return all Personal Data and delete existing copies, unless retention is required by EU or Member State law.

8. Sub-Processors

8.1 The Controller hereby grants general authorisation for the Processor to engage the following sub-processors:

  Sub-Processor        Purpose                                                                      Location
  Google Cloud         Cloud hosting, mobile authentication, push notifications, error monitoring   EU (Belgium, Germany, Netherlands)
  Viva Payments        Payment processing                                                           Greece
  Mailgun (Pathwire)   Transactional email delivery                                                 Ireland

8.2 The Processor will notify the Controller via email at least 14 days before engaging any new sub-processor. The Controller may object on reasonable and documented grounds related to data protection.

8.3 All sub-processors are contractually bound to data protection obligations equivalent to those in this DPA.

9. International Data Transfers

9.1 All Personal Data originating from the European Economic Area (EEA) is processed exclusively within the EEA (via Google Cloud EU regions).

9.2 To the extent any transfer of Personal Data outside the EEA is required (e.g., for global support), it shall be safeguarded by the EU Standard Contractual Clauses (SCCs), Module 2 (Controller-to-Processor), which are incorporated by reference into this DPA.

10. Technical and Organisational Measures

The Processor implements the following measures:

  • Encryption: AES-256 at rest; TLS 1.3+ in transit
  • Access Control: Role-based permissions; mandatory MFA for administrative access
  • Data Residency: EEA customer data stored only in Google Cloud EU regions
  • Monitoring: 24/7 security monitoring; audit logs retained for 365 days
  • Vulnerability Management: Annual third-party penetration testing; automated patching
  • Certifications: ISO/IEC 27001 (targeting certification in 2026); SOC 2 Type II in progress
  • Incident Response: Formal breach response plan aligned with GDPR Article 33

11. Audit and Compliance

11.1 The Processor shall, upon reasonable request, provide all information necessary to demonstrate compliance with GDPR Article 28.

11.2 Once per calendar year, the Controller may request a copy of the Processor's SOC 2 Type II report, ISO/IEC 27001 certificate (when available), or equivalent third-party audit documentation.

11.3 Any additional audit must be pre-approved in writing, conducted during normal business hours, and at the Controller's expense.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Cyprus and the GDPR. Any disputes shall be subject to the exclusive jurisdiction of the courts of Nicosia, Cyprus.

13. Lead Supervisory Authority

The Processor's lead supervisory authority under GDPR is the Office of the Commissioner for Personal Data Protection, Republic of Cyprus.

Acceptance: By entering into the parties' commercial agreement or using the Services, the Controller agrees to the terms of this DPA.

Effective Date: [●]

Last Updated: January 23, 2026

Contact Information

📧 Email: info@neo-app.eu

📍 Address: NEO APP INTERNATIONAL, LTD, SOHO Embassy – Omonoias 13, Limassol 3052, Cyprus

📞 Phone: +357 2403 0316