LAST UPDATED: 18/04/2025
This Data Processing Addendum along with the exhibits thereto (collectively referred to as "DPA") supplements the agreement signed by and between ATLAS LABS LIMITED, a company incorporated in England and Wales under company number 13988976 and having its registered offices at Wework, 1 Poultry, London, England, EC2R 8EJ ("Popp Al") and the Customer, defined in the ("Agreement") and is incorporated by reference. This DPA contains terms to ensure that adequate safeguards are in place with respect to the protection of Personal Data to be processed by Popp Al in the delivery of the Service for the Purpose pursuant to the Agreement, as required by the Applicable Data Protection Laws. Any terms not defined in this DPA shall have the meaning set forth in the Agreement. Except as modified below, this DPA automatically expires upon deletion of all Personal Data as described herein. Popp Al reserves the right to modify or update this DPA in its sole discretion. Customer's acceptance of such modifications and/or updates shall be indicated by Customer's continued use of the Service and shall be effective immediately.
THIS DATA PROCESSING ADDENDUM will take effect as of the Effective Date of the Agreement, between Customer and Popp Al.
1. Definitions
1.1. The following expressions are used in this DPA: (a) "Non-Adequate Country" means a country or territory that is not recognized under the GDPR or the UK GDPR, as applicable, as providing adequate protection for personal data. (b) "CCPA" means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder. (c) "Data Protection Laws" means any applicable local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the processing of Personal Information, as amended, replaced or superseded from time to time, including but not limited to EU/UK Data Protection Laws and United States Data Protection Laws. (d) "EU/UK Data Protection Laws" means the GDPR and the UK GDPR and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them. (e) "GDPR" means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). (f) "Personal Data" means all data which is defined and regulated as 'Personal Data' in the EU Data Protection Laws and that Popp Al processes on behalf of Customer in connection with the Service. (g) "UK GDPR" means the United Kingdom General Data Protection Regulation. (h) "United States Data Protection Laws" means any United States' state or federal data protection law as such law may be amended, replaced, or consolidated from time to time, including but not limited to the CCPA. (i) "processing", "data controller", "data subject", "supervisory authority" and "data processor" will have the meanings ascribed to them in the UK GDPR.
2. Status of the parties
2.1 The Agreement(s) determines the subject matter and the duration of Popp Al's processing of Personal Data, as well as the nature and purpose of any collection, use and other processing of Personal Data (collectively, the "Particulars") and the rights and obligations of Customer. Appendix 1 to the Standard Contractual Clauses specifies the Particulars and will apply to all processing of Personal Data subject to this DPA, regardless of whether such processing is subject to Section 8 of this DPA. 2.2 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that (a) for Customer Personal Data, Customer is the Data Controller and Popp Al is the Data Processor and accordingly, (b) for End Customer Personal Data, End Customer is the Data Controller, Customer is the Data Processor and Popp Al is the Data Processor or subprocessor. For the avoidance of doubt Partner(s) will be a Data Processor of End Customer Personal Data. 2.3 Popp Al agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA. 2.4 Each of Popp Al and Customer will notify each other of one or more individuals within its organisation authorised to respond from time to time to enquiries regarding Personal Data and each of Popp Al and Customer will deal with such enquiries promptly.
3. General Obligations Relating to the Processing of Personal Data
3.1 As between the parties, Customer is solely responsible for obtaining, and represents and covenants that it has obtained and will obtain, all necessary consents, licences and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of any Personal Data as part of the Services (the "Customer Legal Basis Assurance"). Each of Customer and Popp Al warrant in relation to Personal Data that it will comply with (and will ensure that any of its staff and/or subcontractors comply with) the Data Protection Laws, provided, however, that Popp Al's warranty is subject to Customer Legal Basis Assurance. 3.2 To the extent that it provides its Personal Data to Popp Al, Company is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Popp Al including the means by which the Personal Data was obtained. 3.3 Company undertakes that all instructions for the Processing of Personal Data under the Agreement or this DPA or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not cause Popp Al to be in breach of any Data Protection Laws. 3.4 Each of Customer and Popp Al agree that it shall notify the other immediately if it determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA. 3.5 With respect to all Personal Data, Popp Al agrees that it will: (a) only process the Personal Data in order to provide the Services and will act only in accordance with this Agreement and Customer's written instructions. The terms of the Agreement and this DPA constitute the Customer's written instructions to Popp Al in relation to the processing of personal data. 
For the avoidance of doubt, the Customer can issue further instructions for processing at any time subject to the approval of Popp Al; (b) in the unlikely event that applicable law requires Popp Al to process Personal Data other than pursuant to Customer's instructions, immediately notify Customer (unless prohibited from so doing by applicable law); (c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular, protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in Popp Al's possession or under its control. Such measures include the security measures specified in Popp Al's information security policies, which can be found here: https://drive.google.com/drive/folders/1lqtQnyfPDEDwtEtdY8Wcx1zqrb_R4s3d?usp=drive_link; (d) ensure that its personnel have access to such Personal Data only as necessary to perform the Service in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality and will adhere with the Agreement and this DPA; (e) without delay after becoming aware and in any case within forty-eight (48) hours, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in Popp Al's possession or under its control (including when transmitted, stored or otherwise processed by Popp Al) (a "Security Breach"); (f) taking into account the nature of the processing, promptly provide Customer with reasonable cooperation and assistance in respect of the Security Breach and information in Popp Al's possession concerning the Security Breach, including, to the extent known to Popp Al, the following: (i) the nature of the Security Breach; (ii) the categories and approximate number of data 
subjects concerned; (iii) the categories and approximate number of Personal Data records concerned; (iv) the likely consequences of the Security Breach; (v) a summary of the unauthorised recipients of the Personal Data; and (vi) the measures taken or proposed to be taken by Popp Al to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; (g) Insofar as a Security Breach relates to Customer, Popp Al will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Security Breach or disclosure request which directly or indirectly identifies Customer (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Customer's prior written approval, unless, and solely to the extent that, Popp Al is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Popp Al shall provide Customer with reasonable prior written notice to provide Customer with the opportunity to object to such disclosure and in any case, Popp Al shall limit the disclosure to the minimum scope required; (h) return or delete Customer's Personal Data within sixty (60) days of termination or expiration of the Term, save where otherwise agreed with the Customer. Popp Al shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Personal Data. 
This requirement shall not apply to the extent Popp Al is required by any applicable law to retain some or all of the Personal Data, in which event Popp Al shall isolate and protect the Personal Data from any further processing except to the extent required by such law; (i) assist Customer when reasonably requested in relation to Customer's obligations under Data Protection Laws with respect to: (i) data protection impact assessments (as such term is defined in the applicable Data Protection Laws); (ii) subject access requests; (iii) notifications to the supervisory authority/regulators under applicable Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and (iv) Customer's compliance with its obligations under applicable Data Protection Laws with respect to the security of processing; (j) assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects' requests to exercise their rights under applicable Data Protection Laws. Popp Al will notify Customer of requests received by Popp Al, unless otherwise required by applicable law. Popp Al will not make changes to such Personal Data except as agreed in writing with Customer.
4. Obligations Relating to the Processing of Personal Data subject to EU/UK laws
4.1 With respect to all Personal Data subject to EU/UK Data Protection Laws, Popp Al agrees that it will: (a) as soon as possible after becoming aware, inform Customer if, in Popp Al's opinion, any instructions provided by Customer under Clause 3.1(a) infringe the GDPR or UK GDPR; (b) maintain records of its processing activities as required by EU/UK Data Protection Laws and to demonstrate its compliance with this DPA and make such records available to the applicable supervisory authority and/or the Customer upon request.
5. Obligations Relating to the Processing of Personal Data subject to United States Data Protection Laws
5.1 With respect to all Personal Data subject to United States Data Protection Laws, Popp Al agrees that it will: (a) not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (b) not retain, use, or disclose Personal Data for any purpose (including any commercial purpose) other than for the specific purpose of Popp Al's provision of Services and in accordance with this DPA. (c) not combine Personal Data with personal data it receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject. 5.2 Popp Al agrees that the terms "Aggregate Consumer Information", "Service Provider", "Approved Business Purpose" and "De-identified" will have the meanings ascribed to them in Cal. Civ. Code § 1798.140, as that code section may be amended or replaced from time to time, and that Popp Al will process such Personal Data accordingly. 5.3 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that Popp Al is a Service Provider. 5.4 Notwithstanding the foregoing, and for the purpose of addressing other prospective data protection laws, Popp Al shall not process any Personal Data (regardless of where that individual resides) other than for a) the specific purpose of Popp Al's performance of its Services or b) an Approved Business Purpose. 5.5 Subject to Popp Al's compliance with this DPA, Customer agrees to make Personal Data of Customer and, where relevant, End Customer available to Popp Al for the limited and specified purpose of providing the Services.
Customer reserves the right to take reasonable and appropriate steps to help ensure that Popp Al processes Personal Data in a manner consistent with Customer's obligations under United States Data Protection Laws, including without limitation the right, upon notice, to stop and remediate any unauthorized processing of Personal Data.
6. Sub-processing
6.1 Customer grants Popp Al general authorisation to appoint sub-processors in accordance with this Section 6. The current list of authorised subprocessors ("Sub-processor List") is detailed below and further specified in Annex III:
7. Audit and records
7.1 Popp Al will, in accordance with applicable Data Protection Laws, make available to Customer such relevant information in Popp Al's possession or control as Customer may reasonably request with a view to demonstrating Popp Al's compliance with the obligations of data processors under applicable Data Protection Law in relation to its processing of Personal Data. 7.2 Popp Al shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, of Popp Al's processing of Personal Data. Such audits may be undertaken no more than once in a twelve (12) month period upon reasonable notice, unless there is a specific reason to suspect non-compliance. Customer shall reimburse Popp Al for any time expended for any such on-site audit at Popp Al's then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Popp Al shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.
8. Data transfers
8.1 Customer acknowledges and agrees that Popp Al may process Personal Data in, and transfer Personal Data to, countries outside the Customer's country of residence, including outside the UK and the European Economic Area (EEA), as necessary to provide the Services, including via the use of authorised sub-processors listed in Section 6.1 and Annex III. Customer will ensure that Customer and Customer's authorised users are entitled to transfer the Personal Data to Popp Al so that Popp Al and its sub-processors may lawfully process the Personal Data in accordance with this DPA. 8.2 Customer has the option to select the primary jurisdiction for data storage (e.g., London, UK). However, Customer acknowledges that processing activities may occur in other locations, including the United States where certain sub-processors (OpenAI, Twilio, WhatsApp) are located. 8.3 Transfers from the EEA/Switzerland: Insofar as the Agreement involves the transfer of Personal Data subject to the GDPR or Swiss FADP from the EEA or Switzerland to a Non-Adequate Country, the parties agree to comply with the Standard Contractual Clauses - Module 2 (Controller to Processor), incorporated by reference in Exhibit 1. Annex III to Exhibit 1 provides amendments for Swiss data transfers. 8.4 Transfers from the UK: Insofar as the Agreement involves the transfers of Personal Data subject to the UK GDPR from the United Kingdom to a Non-Adequate Country, the International Data Transfer Addendum (IDTA) to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner, incorporated by reference in Exhibit 2, will apply. 8.5 Transfer Mechanisms for US Sub-processors: Popp Al shall ensure appropriate safeguards are in place for transfers to its US-based sub-processors. Transfers to OpenAI Global, LLC rely on the Standard Contractual Clauses supplemented by a Transfer Impact Assessment (TIA). Transfers to Twilio Inc. and WhatsApp Inc. 
rely on their certification under the EU-U.S. Data Privacy Framework (DPF) and/or the UK Extension thereof, as applicable. Popp Al will monitor the validity of these mechanisms and implement alternative safeguards if necessary. 8.6 Revision of Clauses: In the event that the European Commission, the UK Information Commissioner's Office, any applicable data protection authority, or other body with competent authority revises or replaces the Standard Contractual Clauses or IDTA, the parties agree to cooperate in good faith to amend this DPA as necessary to incorporate such revised or replacement clauses. 8.7 Prohibition: Except as authorised in this DPA (including via the use of authorised sub-processors and transfer mechanisms specified herein) or otherwise permitted by Data Protection Laws, Popp Al shall not process Personal Data outside the European Economic Area or the United Kingdom without the express written consent of the Customer.
9. General