DATA PROCESSING ADDENDUM

This Data Processing Addendum ("DPA") forms part of the terms and conditions of use between Native Platform Ltd ("Native Platform") and users of its website and services, including quilgo.com ("Agreement") in relation to use of such website and services (the "Service") in accordance with the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

This DPA is an addendum to and forms a part of the Agreement, and shall be legally binding with effect from the commencement of the Agreement. If any terms of this DPA are inconsistent with the terms of the Agreement, including the exhibits thereto, then the terms of this DPA shall prevail.

  1. BACKGROUND
    1. This DPA applies to Personal Data provided by Customer and its End Users as a Data Controller in connection with the use by End Users of the Service. It states the technical and organizational measures Native Platform uses to protect Personal Data in the course of acting as a Data Processor when providing the Service.
    2. If processing of Personal Data involves an International Transfer, the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses, as the case may be, apply as stated in Section 5 and are incorporated by reference.
  2. APPENDICES
    1. Customer as a Data Controller determines the purposes of collecting and processing Personal Data in the Service. Appendix 1 states the details of the processing Native Platform will provide via the Service under the Agreement. Appendix 2 states the technical and organizational measures Native Platform applies to the Service, unless the Agreement states otherwise. Appendix 3 defines the applicable modules and options for the EU Standard Contractual Clauses and the UK Standard Contractual Clauses.
  3. NATIVE PLATFORM OBLIGATIONS
    1. Native Platform will follow instructions received from Customer with respect to Personal Data, unless they are (i) legally prohibited or (ii) require material changes to the Service. In the event and to the extent the functionality of the Service does not allow Customer or authorized users to do so, Native Platform may correct, block or remove any Personal Data in accordance with Customer's instruction. If Native Platform cannot comply with an instruction, it will notify Customer (email permitted) without undue delay.
    2. Native Platform will use the appropriate technical and organizational measures to protect all Personal Data.
    3. Native Platform shall notify Customer without undue delay but in no event later than seventy-two (72) hours of its discovery of a Security Breach. Native Platform shall only notify End Users with Customer's prior authorization.
    4. At Customer's request, Native Platform will reasonably support Customer in dealing with requests from Data Subjects or regulatory authorities regarding Native Platform's processing of Personal Data.
    5. Upon termination of the Agreement for whatever reason, and upon Customer's written request made within thirty (30) days after such termination, Native Platform will (as applicable) return to Customer or destroy all Personal Data. After such 30-day period, Native Platform will destroy such Personal Data.
  4. SUBPROCESSORS
    1. Customer authorizes Native Platform to subcontract the processing of Personal Data to Subprocessors. Native Platform is responsible for any breaches of the Agreement caused by its Subprocessors.
    2. Subprocessors will have the same obligations in relation to Native Platform as Native Platform does as a Data Processor (or Subprocessor) with regard to their processing of Personal Data.
    3. Native Platform will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection. Subprocessors may have security certifications that evidence their use of appropriate security measures. If not, Native Platform will regularly evaluate each Subprocessor's security practices as they relate to data handling.
    4. Native Platform's use of Subprocessors is at its discretion, provided that:
      1. Native Platform will notify Customer in advance (by email or such other means which Native Platform makes available to its customers) of any changes to the list of Subprocessors in place as of the commencement of provision of the Service (except for Emergency Replacements or deletions of Subprocessors without replacement).
      2. If Customer has a legitimate reason that relates to the Subprocessors' processing of Personal Data, Customer may object to Native Platform's use of a Subprocessor, by notifying Native Platform in writing within thirty days after receipt of Native Platform's notice. If Customer objects to the use of the Subprocessor, the parties will come together in good faith to discuss a resolution. Native Platform may choose to: (i) not use the Subprocessor or (ii) take the corrective steps requested by Customer in its objection and use the Subprocessor. If none of these options are reasonably possible and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty days' written notice. If Customer does not object within thirty days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.
      3. If Customer's objection remains unresolved sixty days after it was raised, and Native Platform has not received any notice of termination, Customer is deemed to accept the Subprocessor.
      4. The list of Subprocessors current as of the commencement of provision of the Service is set out in Appendix 1.
    5. Native Platform may change a Subprocessor where the reason for the change is outside of Native Platform's reasonable control. In this case, Native Platform will inform Customer of the replacement Subprocessor as soon as possible. Customer retains its right to object to a replacement Subprocessor under Section 4.4.2.
  5. INTERNATIONAL TRANSFERS
    1. Personal Data from EEA, UK, or Swiss Data Controller(s) may only be exported to or accessed by Native Platform or its Subprocessors outside the EEA, the UK, or Switzerland, as applicable ("International Transfer"):
      1. if the recipient, or the country or territory in which it processes or accesses Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction; or
      2. in accordance with Section 5.2.
    2. The EU and UK Standard Contractual Clauses apply where:
      1. there is an International Transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by a regulatory body of competent jurisdiction, and/or
      2. there is an International Transfer to a recipient that is not covered by an appropriate safeguard, including, but not limited to, binding corporate rules, an approved industry code of conduct, an individual adequacy decision by a regulatory body of competent jurisdiction, or an individual transfer authorisation granted by a regulatory body of competent jurisdiction.
    3. For Third Country Subprocessors, Native Platform shall ensure that such Subprocessor has entered into the unchanged version of the UK or EU Standard Contractual Clauses prior to the Subprocessor's processing of Personal Data.
    4. Nothing in this DPA will be construed to prevail over any conflicting clause of the UK or EU Standard Contractual Clauses.
  6. DEFINITIONS

    "Customer" means the organisation or person subject to the Agreement and engaging Native Platform to provide the Service.

    "Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

    "Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

    "Data Protection Law" means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement.

    "Data Subject" means an identified or identifiable natural person.

    "EEA" means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.

    "End Users" means individuals using the quilgo.com platform to participate in assessments at the Customer's request.

    "EU Standard Contractual Clauses" shall mean the standard contractual clauses promulgated by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (C/2021/3972) on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR completed in accordance with Appendix 3.

    "Personal Data" means any information relating to a Data Subject. For the purposes of this DPA, it includes only personal data entered into by or on behalf of Customer or its authorized users of the Service or derived from their use of the Service. It also includes personal data supplied to or accessed by Native Platform or its Subprocessors in order to provide support under the Agreement.

    "Security Breach" means a confirmed accidental or unlawful destruction, loss, alteration, or disclosure that results in the compromise of the integrity and/or confidentiality of Personal Data. They include Appendices 1 and 2 attached to this DPA.

    "Subprocessor" means Native Platform affiliates and third parties engaged by Native Platform or Native Platform's affiliates to process Personal Data.

    "Third Country Subprocessor" means any Subprocessor incorporated outside the EEA and outside any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

    "UK Standard Contractual Clauses" means the UK Data Transfer Addendum, being the applicable EU Standard Contractual Clauses as amended by a data transfer addendum in a form adopted by the UK ICO, as amended, superseded or replaced from time to time and completed in accordance with Appendix 3.

APPENDIX 1

DETAILS OF DATA PROCESSING

Data Exporter

Name: The Customer acting as a Data Controller subscribed to a Service that allows End Users to enter, amend, use, delete or otherwise process Personal Data, as identified in the Agreement.

Address: As stated in the Agreement.

Role: (Controller/Processor): Controller

Data Importer

Name: Native Platform Ltd and its Subprocessors, each as identified in the Agreement.

Address: As stated in the Agreement.

Role: (Controller/Processor): Processor

Purpose(s) of the data transfer and further processing

Provision by Native Platform of the Service, including:

  • Archival of Data
  • Reporting on user data in aggregated, anonymised reports
  • Sending notifications to users
  • Processing, in aggregate, of user data for analysis purposes
  • Monitoring the Service
  • Release and development of fixes and upgrades to the Service
  • Monitoring, troubleshooting and administering the underlying Service infrastructure
  • Security monitoring, network-based intrusion detection support, penetration testing

Description of Transfer

Categories of Data Subjects whose personal data is transferred

Transferred Personal Data relates to the End Users of the software made available by Native Platform.

Categories of personal data transferred

  • Data subject name and contact information
  • Records of use of the Service

Sensitive data transferred

None.

Processing Operations (Activities relevant to the data transferred under the DPA)

The transferred Personal Data is subject to the following basic processing activities:

  • use of Personal Data to set up, operate, monitor and provide the Service
  • communication to authorized users
  • upload any fixes or upgrades to the Service
  • execution of instructions of Customer in accordance with the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

As defined in the Agreement.

Competent supervisory authority

United Kingdom

List of Subcontractors as of the Effective Date

Company | Purpose | Location of data hosting
Stripe | Payment Processing | Refer to https://stripe.com/gb/legal/privacy-center
PayPal | Payment Processing | Refer to https://www.paypal.com/uk/legalhub/privacy-full
Xendit | Payment Processing | Refer to https://www.xendit.co/en/privacy-policy
Hubspot | Feedback management | USA
Amazon Web Services | Media and data storage | EU
Google Cloud Platform | Data hosting and backup services | UK
Hotjar | User interaction analysis | EU
Fullstory | Website analysis | EU
Mailjet | Marketing email management | EU
PostmarkApp | Customer email management | USA

APPENDIX 2

TECHNICAL AND ORGANIZATIONAL MEASURES

The following sets out Native Platform's current technical and organizational security measures. Native Platform may change these at any time without notice so long as it maintains a comparable or better level of security. This may mean that individual measures are replaced by new measures that serve the same purpose without diminishing the security level.

  1. Storage limitation
    1. The Data Processor is required to limit the storage of personal data processed for the Data Controller by:
      • Deleting test proctoring data after 3 months
      • Deleting, upon request from the Data Controller, personal data concerning users of services or customer service representatives
  2. Information security policy
    1. The Data Processor shall have a documented information security policy, which is defined and approved by the management, published and communicated to its staff and other relevant parties.
  3. Information security organisation
    1. The Data Processor shall have staff with appointed responsibilities for ensuring appropriate information security.
  4. Staff security
    1. The Data Processor shall in the recruitment process conduct adequate controls for applicants according to applicable legislation, which shall be in proportion to the business operations, the categories of personal data given access to and risk levels.
    2. The Data Processor shall ensure that all personnel with access to personal data processed for the Data Controller have a confidentiality obligation towards the Data Processor and receive continued information security training.
    3. The Data Processor shall have an employee offboarding process which includes removal of access rights and return of IT equipment.
  5. Personal data handling
    1. The Data Processor shall handle personal data processed for the Data Controller as confidential information.
  6. Access Control
    1. Users shall only have access to personal data, personal data processing resources, networks and network services that are needed to perform their duties and for which they have received explicit permission to access.
    2. The Data Processor shall prevent unauthorised access to personal data processed for the Data Controller by (at least) implementing activity logs which register user activities and can give information about what personal data has been exposed to unauthorised access, modification, erasure or destruction.
  7. Physical security
    1. Physical access to the Data Processor's systems and processing environment shall be restricted to authorised personnel.
    2. Physical access to personal data processed for the Data Controller shall be restricted and shall require an identifiable and personal authentication scheme.
    3. Equipment shall be placed and protected to minimise risks for environment related threats and dangers and unauthorised access.
  8. Communication security
    1. Personal data processing resources containing personal data or which are part of the system of the processing shall be protected by firewalls.
    2. The Data Processor shall apply up-to-date security measures for electronic messages to actively protect against viruses, malware, ransomware and other harmful software.
    3. Development, test and production environments shall be separated to minimise the risk for unauthorised access or changes in the production and other environments.
    4. Data from the Data Controller cannot be used in test or development environments without removing or anonymising personal data.

APPENDIX 3

STANDARD CONTRACTUAL CLAUSES

EU Standard Contractual Clauses

EU SCC term: Amendment / Selected option

Module: Module 2 (Controller to Processor)

Clause 7 (Docking clause): Not included

Clause 9 (Use of sub-processors) / Annex III: Option 2 shall apply. The list of sub-processors already authorised by Customer is contained in Appendix 1.

Clause 11 (Redress): Not included

Clause 13 (Supervision) and Annex 1.C: The supervisory authority with responsibility for ensuring compliance by the data exporter is:

  • where the data exporter is established within an EU member state, the supervisory authority of that EU member state; OR
  • where the data exporter is subject to EU GDPR pursuant to Article 3(2) EU GDPR and has appointed a representative in the EU, the supervisory authority of that EU member state; OR
  • where the data exporter is subject to EU GDPR pursuant to Article 3(2) EU GDPR, but has not appointed a representative in an EU member state, the supervisory authority of the EU member state where the relevant data subjects are located.

Clause 17 (Governing law): Ireland

Clause 18 (Choice of forum and jurisdiction): Ireland

Annex I.A (List of parties): The relevant data exporters and data importers are specified in Appendix 1.

Annex I.B (Description of the transfer): The categories of data subject, personal data categories, purposes of international transfer and processing, any additional safeguards, and if applicable the duration of processing and any maximum data retention periods are specified in Appendix 1.

Annex II (Technical and organisational measures): The relevant technical and organisational measures are specified in Appendix 2.

UK Standard Contractual Clauses

UK Data Transfer Addendum

Incorporating EU Standard Contractual Clause terms: Amendment / Selected option

Clause 7 (Docking clause): Not included

Clause 9 (Use of sub-processors) / Annex III: Option 2 shall apply. The list of sub-processors already authorised by Customer is contained in Appendix 1.

Clause 11 (Redress): Not included

Clause 13 (Supervision) and Annex 1.C: The competent supervisory authority is the UK Information Commissioner's Office.

Clause 17 (Governing law): England

Clause 18 (Choice of forum and jurisdiction): England

Annex I.A (List of parties): The relevant data exporters and data importers are specified in Appendix 1.

Annex I.B (Description of the transfer): The categories of data subject, personal data categories, purposes of international transfer and processing, any additional safeguards, and if applicable the duration of processing and any maximum data retention periods are specified in Appendix 1.

Annex II (Technical and organisational measures): The relevant technical and organisational measures are specified in Appendix 2.

This document was last updated: March 22nd, 2024