Last updated: 05 March 2026

ANNEX I – DATA PROTECTION AGREEMENT

Purpose

This Data Protection Agreement (“DPA”) establishes the obligations and responsibilities of the parties involved regarding the privacy and security of processed information, as well as detailing the security practices and measures adopted by Pipefy to ensure the integrity, confidentiality, and availability of data, in accordance with applicable laws and regulations. The provisions of this Annex complement the Terms of Use and apply to all Customers when personal and sensitive data is processed within the Pipefy Solution.

As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the General Data Protection Regulation”).

1. Pipefy will act exclusively as a data processor, processing information in accordance with the documented and specific instructions provided by the Client, who is the data controller. Pipefy does not have the autonomy to define the purposes or methods of processing the personal data by the Parties.

1.1. For the purposes of this Annex, the following definitions apply:

a) Configuration Data: Information automatically generated or collected by the platform or system, related to the configuration, customization, and parameterization of the contracted product or service. This data may be accessed by Pipefy exclusively for technical support, continuous platform improvement, and understanding product usage, always in compliance with applicable data protection and privacy regulations.

b) Customer Data: Data directly inputted by the Client or its representatives, including but not limited to personal or corporate information, strategic or sensitive content related to platform usage. This data is owned and exclusively processed by the Client. Pipefy’s access to Data Entered into Cards is expressly limited and will only occur when necessary for technical support or specific consulting requested by the Client; with the Client’s prior, express, and specific authorization, detailing the purpose and scope of the access; or to comply with a legal or regulatory obligation, upon notifying the Client.

1.2. The Client shall be responsible for ensuring that the data entered into the Cards complies with applicable legislation and for maintaining adequate security measures within its internal environment to prevent unauthorized access.

1.3. As the Controller of Personal Data, it is the Customer’s responsibility to handle requests for the exercise of rights by Data Subjects, and it is Pipefy’s responsibility, as Processor, to assist in the fulfillment of requests made by Data Subjects whenever necessary and requested by the Customer, such as requests for access to Personal Data, correction of incomplete, inaccurate, or outdated Personal Data, blocking or deletion of unnecessary or excessive Personal Data, portability of Personal Data, among other rights provided by law, the granting or denial of which shall be at the sole discretion of the Customer.

2. Pipefy is solely responsible for all costs incurred in fulfilling requests made by Data Subjects in which Pipefy is considered the Controller, with the Customer being solely responsible for fulfilling requests made by Data Subjects in which the Customer is considered the Controller, as well as the costs incurred for such purposes.

3. Pipefy and Customer agree and acknowledge as follows:  

  1. Both Parties shall comply with all applicable laws, rules, and regulations concerning the Personal Data processed in connection with the performance of their obligations, including but not limited to Law No. 13.709/18 (General Data Protection Law – LGPD) when processing data subjects residing in Brazil and/or Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) when processing data of data subjects residing in the European Union, and/or the California Consumer Privacy Act (CCPA) when processing data of data subjects residing in California, USA;
  2. Pipefy uses the personal data received under this legal relationship only for the purpose agreed upon between the Parties, and under no circumstances shall Pipefy use this Personal Data for a different purpose, under penalty of immediate termination and full assumption of any damages caused to the other Party and/or third parties.
  3. Pipefy does not store or share personal data with third parties, except with the prior express authorization of the other Party or as a requirement for the fulfillment of the Agreement, under the terms of this Annex.
  4. Both Pipefy and Customer shall treat all non-public Personal Data as confidential, even if this legal relationship is terminated regardless of the reasons for its termination or resolution.
  5. The duration of the Processing shall respect the contractual object, as well as the provisions of applicable law.
  6. Pipefy adopts appropriate mechanisms for processing Personal Data in accordance with legal provisions, in order to prevent loss, destruction, theft, damage, alteration, manipulation, or accidental interception and/or disclosure.
  7. Both Pipefy and Customer shall limit access to Personal Data originating from this Agreement only to employees, agents, and/or representatives who need it to complete the task/activity to be carried out, with each party being responsible for the actions of its employees, agents, and/or representatives.
  8. It is the sole responsibility of the Client, as the data controller, to ensure that all personal data included or processed on the Pipefy platform has a valid legal basis for processing. This includes, but is not limited to, obtaining consent from data subjects, when applicable, or complying with another legal basis as provided in Article 7 of the LGPD.
  9. The Client will be fully responsible for any violation of the LGPD resulting from their failure to ensure a valid legal basis for the processing of personal data, including, but not limited to, any administrative sanctions or damage payable to third parties.

3.1. The Parties acknowledge that the Pipefy Solution has been developed to meet general privacy and data protection requirements, as applicable. The Customer is responsible for assessing the suitability of the Solution for the specific legal and regulatory requirements of its industry. Pipefy does not warrant compliance with sector-specific regulations that may apply to the Customer, and the Customer shall be solely responsible for ensuring the use of the Solution in accordance with such regulations.

4. Vulnerability Management. The Parties undertake to manage vulnerabilities in their tools used in the processing of personal data, conducting periodic tests to identify and promptly correct any vulnerabilities that may be identified.

5. Purpose of Storage. Pipefy undertakes to store Personal Data only for the periods necessary to: (a) achieve the purpose of processing the Personal Data under this Agreement; (b) process payments; (c) prevent or address technical problems; (d) whenever feasible, in anonymized form, to improve and enhance the Pipefy Solution; (e) as expressly authorized by the Customer, including cases of sharing Customer Data with Non-Pipefy Applications; and (f) compliance with legal and/or regulatory requirements.

6. Log Keeping. Pipefy will record the “logs” of changes and processing of the personal data for which it is the controller, keeping in these records the minimum elements that allow assessing the activity and who carried it out and when, as regulated by law, with the management of changes in data where Pipefy is only the processor being the responsibility of the Customer.

7. Retention and Deletion of Personal Data. Provided that the contract between the parties is valid, Customer data will be stored in Pipefy’s database on servers located in the United States, even if they have been deleted through the application or a set of routines and programming standards for accessing a web-based software application or platform (“API”). In cases of contractual termination, regardless of the cause, Pipefy reserves the right to delete the Customer’s Personal Data in accordance with written instructions from the Customer, or within a maximum of one hundred and eighty (180) days after termination of the Agreement.

8. Sub-Processing. Pipefy may use specialized third parties to perform the processing of Personal Data, as available at https://www.pipefy.com/sub-processors/ (“Sub-Processors”). It is Pipefy’s obligation to ensure that the Sub-Processors undertake to ensure a security level equal to or greater than that described in this Section before transferring any Personal Data or authorizing any sub-processing, as well as to conduct periodic audits to verify compliance with privacy rules and legal obligations. Pipefy shall be fully and severally liable for any breach, violation, irregularity, or illegality committed by its Sub-Processors.

9. Disclosure Scenarios. Pipefy will not disclose Personal Data to third parties at any time except in the following scenarios: (a) with prior written authorization from the Customer; (b) in accordance with the sub-processing rules described above; or (c) under applicable data protection legislation, provided that Pipefy makes reasonable efforts to share only the minimum amount of Personal Data necessary for a specific purpose, and the Customer is notified in advance, in accordance with and as provided for in this Agreement.

10. Requests from Authorities. If Pipefy receives any judicial order and/or official communication that determines the provision or disclosure of personal information, unless expressly prohibited by legal force, regulation, judicial or administrative order, Pipefy must notify the Customer within a maximum of thirty-six (36) hours of becoming aware, providing an opportunity for timely adoption of legal measures to prevent or mitigate the effects resulting from the disclosure of Personal Data related to this request or its objects.

11. Third-Party Applications. If the Customer installs, activates, and/or otherwise uses a Non-Pipefy Application in conjunction with the Pipefy Solution, the Customer acknowledges and agrees that the provider of this Non-Pipefy Application may access Customer Data, including Personal Data, as necessary, for the integration of this Non-Pipefy Application with the Pipefy Solution and/or in accordance with the activities of this Non-Pipefy Application. In this context, Pipefy is not responsible for any incident, disclosure, modification, or deletion of any Customer Data and Personal Data resulting from access by a Non-Pipefy Application.

12. Obligations of Pipefy. Pipefy ensures and guarantees:

  1. Confidentiality and integrity of the information shared by the Customer;
  2. Non-violation of the privacy of Personal Data in its relationship with clients, suppliers, researchers, patients, consumers, and employees;
  3. Adopt technical and administrative measures of information security to prevent misuse and unauthorized use of Personal Data;
  4. Immediately and adequately respond to all requests from the Customer regarding Personal Data Processing, as well as consider the guidance of the National Data Protection Authority regarding the Processing of Personal Data transferred;
  5. Be responsible for maintaining a written record of activities related to compliance with applicable data privacy legislation;
  6. Restrict access to Personal Data by defining qualified individuals responsible for Processing, as well as ensuring and being responsible for the reliability of its employees, agents, and representatives who will have access to Personal Data, considering the nature of such Personal Data;
  7. Maintain a detailed inventory of access to Personal Data and access logs to applications, containing the time, duration, identity of the employee or person responsible for access, and the accessed file, including when such access is made to comply with legal obligations or determinations defined by a competent authority;
  8. The processing of Personal Data, i.e., any operation or set of operations performed on the Personal Data of its clients, suppliers, and employees; including, but not limited to obtaining, recording, storing, altering, analyzing, using, transmitting, combining, blocking, deleting, or destroying, are in absolute accordance with the rights of the data subject and will be carried out in accordance with the established purpose;
  9. Protect Personal Data of its clients, suppliers, and employees, ensuring to them, within legal limits, the right to be informed about any processing of their data; as well as to have access to their own data, among other rights provided by applicable law;
  10. Record activities involving international transfer of Personal Data, indicating the country/organization of destination and adopting the necessary safeguards to ensure that the transfer is carried out in accordance with applicable legislation and guidelines defined by a competent authority;
  11. Meet requests for information made by the Customer within thirty-six (36) hours, justifying any delays; and
  12. Cooperate with the fulfillment of requests from data subjects of the Customer (clients of the Customer), using appropriate technical and organizational measures, in accordance with Customer instructions.
  13. Send 1 (one) executive report, in the last quarter of the current fiscal year, upon demand, regarding information security and data privacy (“Report”), made available free of charge, provided that it is requested 45 days in advance as regulated in clause 15.6 of the Terms, or, when in different frequency or quantity, upon feasibility analysis, which may result in additional costs, to be negotiated between the Parties.

13. Contingency Plan. Pipefy undertakes to create contingency mechanisms to prevent data leaks, and must test and keep it up to date, committing to present its contingency plan to the Customer upon request for compliance with requests from the authority or in case of any eventual judicial demands.

14. Incident Notification. If, at any time, there is an actual breach, suspicion, or potential threat to the security of Personal Data, or if there is suspicion of loss, destruction, deletion, damage, corruption, or unauthorized disclosure to a third party, the Party that becomes aware of the incident shall notify the other Party within a maximum of 3 (three) business days from the moment it becomes aware of it, and the notification shall contain the full and complete details regarding the breach, including:

  1. date and time of the incident;
  2. date and time of acknowledgment by the Party that had its data leaked;
  3. list of types of data affected by the incident;
  4. list of data subjects affected by the incident;
  5. the nature and facts of such breach, including the data subject, if possible;
  6. contact details of the data protection officer or appointed and named representative to deal with data leaks in the company, responsible for additional information regarding the incident;
  7. the likely consequences and/or potential consequences of such incident; and
  8. the measures adopted or proposed by Pipefy or by the data protection officer to remedy such breach and mitigate any possible adverse effects and the dates of implementation of these measures (action plan).

15. Incident Handling. In the event of an incident, Pipefy must promptly comply with the instructions provided by the Customer, aiming to remedy or mitigate adverse consequences, as well as practice all necessary acts and resources to contain the breach and recover and/or restore Personal Data (where possible) and meet any requests, notifications, or investigations by Authorities.

16. Contact information. Pipefy’s support regarding privacy and personal data matters can be accessed at the following email address: [email protected]

APPENDIX 1 – COMPLIANCE WITH CALIFORNIA CONSUMER PRIVACY ACT OF 2018

  1. The purpose of this CCPA Data Protection Agreement (“CCPA DPA”) is to define the conditions in which Pipefy, Inc. (“Pipefy” or the “Processor”) undertakes to carry out, on Customer’s (“Customer” or the “Controller”) behalf, the personal data processing operations defined below.
  2. As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the General Data Protection Regulation”, or “GDPR”), and the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General (hereinafter “the CCPA”).
  3. Terms defined in the CCPA, including ‘consumer’, ‘personal information’, ‘service provider’, ‘commercial purposes’, ‘third-party’, and ‘business purposes’, carry the same meaning in this DPA.
  4. “Contracted Business Purposes” means the database management, hosting and related services performed on behalf of the Customer pursuant to the Service Agreement for which Pipefy receives or accesses Customer Personal Information.
  5. “Customer Personal Information” means Customer Data (as defined in the Service Agreement and Privacy Policy) that constitutes personal information of a consumer subject to the CCPA. For the avoidance of doubt, Customer Personal Information does not include User Personal Information (as defined in the Privacy Policy), with respect to which Pipefy is not a service provider, and this DPA does not apply to such User Personal Information.
  1. Pipefy shall use the Customer Personal Information received under this relationship solely for the purposes agreed upon between the Parties. Under no circumstances shall Pipefy use this Personal Data for any other purpose than performing the Contracted Business Purposes or as otherwise permitted by the CCPA (as a service provider or “exempt” third party) or required by law. Any violation of this provision shall result in the immediate termination of this Agreement and full liability for any damages caused to the other Party and/or third parties.
  2. Pipefy shall not retain, use, disclose, store or share Customer Personal Information outside of this direct business relationship between Pipefy and Customer unless otherwise permitted by the CCPA (as a service provider or “exempt” third party) or as required by law, or, upon the prior express authorization of the Customer, in accordance with the terms of this DPA.
  3. Pipefy shall adopt appropriate mechanisms for processing Customer Personal Information in accordance with legal provisions, to prevent loss, destruction, theft, damage, alteration, sale, manipulation, or accidental interception and/or disclosure.
  4. Pipefy may use aggregated, de-identified, or anonymized data for its own purposes. Pipefy shall not attempt to, nor will it actually, re-identify any data that has been aggregated, de-identified, or anonymized. For the avoidance of doubt, and to the extent permitted by the CCPA, Pipefy may use Customer Personal Information to detect data security incidents, prevent fraudulent or illegal activity, or enhance its services.
  5. Both parties shall comply with all applicable requirements of the CCPA regarding the collection, use, retention, or disclosure of Customer Personal Information. In the event that any request is made by end users of the Customer, the Customer will be responsible for providing customer service. Pipefy does not control or manage the Customer Personal Information.
  1. Sub-Processing. Pipefy may engage specialized third parties to provide the Contracted Business Services, as listed at www.pipefy.com/sub-processors/ (“Sub-Processors”). Pipefy is responsible for ensuring that its Sub-Processors agree to maintain a level of security that is equal to or exceeds the standards described in this DPA before any Personal Data is transferred or sub-processing is authorized. Any sub-processor must qualify as a service provider under the CCPA, and Pipefy shall ensure that no disclosures to the sub-processor are made that would be considered a sale under the CCPA. Pipefy shall also conduct periodic audits to verify that its Sub-Processors comply with applicable privacy rules and legal obligations. Pipefy shall be fully and jointly liable for any breach, violation, irregularity, or non-compliance committed by its Sub-Processors.
  2. If the Customer is unable to delete Customer Personal Information held within Pipefy’s records in response to a verified Consumer request for deletion pursuant to the CCPA, Pipefy shall promptly effectuate such deletion upon receipt of the Customer’s written instruction to do so, provided that no exception to deletion under the CCPA is applicable and/or Pipefy is not legally restricted from doing so. Pipefy may charge its then-current standard fees for this service. Requests for deletion should be submitted to: https://app.pipefy.com/public/form/CxbZakYy.
  3. Changes to this CCPA DPA. Pipefy may amend this CCPA DPA under the following conditions:
  1. To reflect a change in the name or form of a legal entity;
  2. To comply with the applicable law, regulation, court order, or guidance issued by a governmental regulator or agency; or
  3. If the change does not expand the scope of Pipefy’s processing of Customer Personal Data, or otherwise materially adversely affect Customer’s rights under this DPA.
  4. Pursuant to Section 6(a)(ii) or (iii), notify the Customer at least 30 days prior to the effective date of the change (or such shorter period as may be required to comply with the applicable law), provided that, if the Customer objects to any such changes, the Customer may terminate the Agreement with Pipefy by providing a written notice to Pipefy within 90 days of receiving notification of the change.

APPENDIX 2 – INTERNATIONAL TRANSFER OF PERSONAL DATA

SECTION I – GENERAL INFORMATION

CLAUSE 1. Identification of the Parties

1.1. By this contractual instrument, the Exporter and the Importer (hereinafter, the Parties), identified below, agree to adopt the standard contractual clauses (hereinafter, the Clauses) approved by the National Data Protection Authority (ANPD) to govern the International Data Transfer described in Clause 2, in accordance with the provisions of National Legislation.

Name:
Qualification:
Main address:
Email address:
Contact for the Account Holder:

( ) Exporter/Controller ( ) Exporter/Operator

Name: Pipefy, Inc.
Main address: City of San Francisco, California, at 548 Market Street, PMB 96462, United States of America.
Email address: [email protected]
Contact for the Data Subject: [email protected]

( ) Importer/Controller (x) Importer/Operator

CLAUSE 2. Subject Matter

2.1. These Clauses apply to International Data Transfers from the Exporter to the Importer, as described below.

Description of the international data transfer:

Main purposes of the transfer: Use of the Pipefy Solution, a cloud-based tool that allows the Client to automate and manage different types of processes through data manipulation, according to the Platform’s terms of use.

Data storage period: 180 days after contract termination.

Other information: Data processing will occur as regulated in the Pipefy Solution Terms of Use, its Annex I — Data Protection (“DPA”) and in the Pipefy Privacy Policy, available at https://www.pipefy.com/pt-br/politica-de-privacidade, which are integral and indispensable parts of this Annex.

CLAUSE 3. Subsequent Transfers

3.1. The Importer may not carry out a Subsequent Transfer of Personal Data that is the subject of the International Data Transfer governed by these Clauses, except in the cases provided for in item 18.3.

CLAUSE 4. Responsibilities of the Parties

4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, in its capacity as Controller, shall be responsible for fulfilling the following obligations set forth in these Clauses:

a) Responsible for publishing the document stipulated in Clause 14;

(x) Exporter ( ) Importer

b) Responsible for responding to requests from data subjects as outlined in CLAUSE 15:

(x) Exporter ( ) Importer

c) Responsible for reporting security incidents as outlined in Clause 16:

(x) Exporter ( ) Importer

4.2. For the purposes of these Clauses, if it is subsequently verified that the Designated Party as defined in item 4.1 acts as an Operator, the Controller shall remain responsible for:

a) fulfilling the obligations set forth in Clauses 14, 15 and 16 and other provisions established in National Legislation, especially in case of omission or non-compliance with obligations by the Designated Party;

b) complying with the ANPD’s requirements; and

c) guaranteeing the rights of the Holders and repairing the damages caused, in accordance with the provisions of Clause 17.

SECTION II – MANDATORY CLAUSES

CLAUSE 5. Purpose

5.1 These Clauses are presented as a mechanism to enable the secure international flow of personal data, establish minimum guarantees and valid conditions for carrying out the International Data Transfer and aim to guarantee the adoption of adequate safeguards for compliance with the principles, the rights of the Data Subject and the data protection regime provided for in National Legislation.

CLAUSE 6. Definitions

6.1 For the purposes of these Clauses, the definitions in art. 5 of LGPD, and art. 3 of the Regulation on the International Transfer of Personal Data shall be considered, without prejudice to other normative acts issued by ANPD. The Parties also agree to consider the terms and their respective meanings as set out below:

a) Processing agents: the controller and the processor;

b) ANPD: National Data Protection Authority;

c) Clauses: the standard contractual clauses approved by ANPD, which are part of SECTIONS I, II and III;

d) Related Contract: contractual instrument signed between the Parties or, at least, between one of them and a third-party, including a Third-Party Controller, which has a common purpose, link or dependency relationship with the contract that governs the International Data Transfer;

e) Controller: Party or third-party (“Third Controller”) responsible for decisions regarding the processing of Personal Data;

f) Personal Data: information related to an identified or identifiable natural person;

g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or to a religious, philosophical or political organization, data regarding health or sexual life, genetic or biometric data, whenever related to a natural person;

h) Erasure: exclusion of data or dataset from a database, regardless of the procedure used;

i) Exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the Importer;

j) Importer: processing agent, located in a foreign country, who receives personal data from the Exporter;

k) National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the protection of Personal Data, including the LGPD, the International Data Transfer Regulation and other normative acts issued by ANPD;

l) Arbitration Law: Law No. 9,307, of September 23, 1996;

m) Security Measures: technical and administrative measures able to protect Personal Data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination;

n) Research Body: body or entity of the government bodies or associated entities or a non-profit private legal entity legally established under Brazilian laws, having their headquarter and jurisdiction in the Brazilian territory, which includes basic or applied research of historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes;

o) Processor: Party or third-party, including a Sub-processor, which processes Personal Data on behalf of the Controller;

p) Designated Party: Party or a Third-Party Controller, under the terms of CLAUSE 4, designated to fulfill specific obligations regarding transparency, Data Subjects’ rights and notifying security incidents;

q) Parties: Exporter and Importer;

r) Access Request: request for mandatory compliance, by force of law, regulation or determination of public authority, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;

s) Sub-processor: processing agent hired by the Importer, with no link with the Exporter, to process Personal Data after an International Data Transfer;

t) Third-Party Controller: Personal Data Controller who authorizes and provides written instructions for the carrying out of the International Data Transfer between Processors governed by these Clauses, on his behalf, pursuant to Clause 4;

u) Data Subject: natural person to whom the Personal Data which are subject to the International Data Transfer governed by these Clauses relate;

v) Transfer: processing modality through which a processing agent transmits, shares or provides access to Personal Data to another processing agent;

w) International Data Transfer: transfer of Personal Data to a foreign country or to an international organization which Brazil is a member of; and

x) Onward Transfer: transfer of Personal Data, within the same country or to another country, by an Importer to a third-party, including a Sub-processor, provided that it does not constitute an Access Request.

CLAUSE 7. Applicable legislation and ANPD supervision

7.1. The International Data Transfer subject to these Clauses shall be subject to the National Legislation and to the supervision of ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or prohibit the international transfers arising from this agreement or a Related Contract.

CLAUSE 8. Interpretation

8.1. Any application of these Clauses shall occur in accordance with the following terms:

a) these Clauses shall always be interpreted more favorably to the Data Subject and in accordance with the provisions of the National Legislation;

b) in case of doubt about the meaning of any term in these Clauses, the meaning which is most in line with the National Legislation shall apply;

c) no item in these Clauses, including a Related Agreement and the provisions set forth in SECTION IV, shall be interpreted as limiting or excluding the liability of any of the Parties in relation to obligations set forth in the National Legislation; and

d) provisions of SECTIONS I and II shall prevail in case of conflict of interpretation with additional clauses and other provisions set forth in SECTIONS III and IV of this agreement or in Related Agreements.

CLAUSE 9. Docking Clause

9.1. By mutual agreement between the Parties, it shall be possible for a processing agent to adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and signing a written document, which shall form part of this contract.

9.2 The acceding party shall have the same rights and obligations as the originating parties, according to the position assumed of Exporter or Importer and according to the corresponding category of processing agent.

CLAUSE 10. General obligations of the Parties

10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of effective measures capable of demonstrating observance of and compliance with the provisions of these Clauses and the National Legislation, as well as with the effectiveness of such measures and, in particular:

a) use the Personal Data only for the specific purposes described in CLAUSE 2, with no possibility of subsequent processing incompatible with such purposes, subject to the limitations, guarantees and safeguards provided for in these Clauses;

b) guarantee the compatibility of the processing with the purposes informed to the Data Subject, according to the processing activity context;

c) limit the processing activity to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and nonexcessive data in relation to the Personal Data processing purposes;

d) guarantee to the Data Subjects, subject to the provisions of Clause 4:

(d.1.) clear, accurate and easily accessible information on the processing activities and the respective processing agents, with due regard for trade and industrial secrecy;

(d.2.) facilitated and free of charge consultation on the form and duration of the processing, as well as on the integrity of their Personal Data; and

(d.3.) accuracy, clarity, relevance and updating of the Personal Data, according to the necessity and for compliance with the purpose of their processing;

e) adopt the appropriate security measures compatible with the risks involved in the International Data Transfer governed by these Clauses;

f) not to process Personal Data for abusive or unlawful discriminatory purposes;

g) ensure that any person acting under their authority, including subprocessors or any agent who collaborates with them, whether for reward or free of charge, only processes data in compliance with their instructions and with the provisions of these Clauses;

h) keep a record of the Personal Data processing operations of the International Data Transfer governed by these Clauses, and submit the relevant documentation to ANPD, when requested.

CLAUSE 11. Sensitive personal data

11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific Security Measures which are proportional to the risks of the processing activity, to the specific nature of the data and to the interests, rights and guarantees to be protected, as described in SECTION III.

CLAUSE 12. Personal data of children and adolescents

12.1. In case the International Data Transfer governed by these Clauses involves Personal Data concerning children and adolescents, the Parties shall implement measures to ensure that the processing is carried out in their best interest, under the terms of the National Legislation and relevant instruments of international law.

CLAUSE 13. Legal use of data

13.1. The Exporter guarantees that Personal Data has been collected, processed and transferred to the Importer in accordance with the National Legislation.

CLAUSE 14. Transparency

14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear and accurate language on the conduction of the International Data Transfer, including at least information on:

a) the form, duration and specific purpose of the international transfer;

b) the destination country of the transferred data;

c) the Designated Party’s identification and contact details;

d) the shared use of data by the Parties and its purpose;

e) the responsibilities of the agents who shall conduct the processing;

f) the Data Subject’s rights and the means for exercising them, including an easily accessible channel made available to respond to their requests, and the right to file a petition against the Exporter and the Importer before ANPD; and

g) Onward Transfers, including those relating to recipients and to the purpose of such transfer.

14.2. The document referred to in item 14.1. shall be made available on a specific website page or integrated, in a prominent and easily accessible format, to the Privacy Policy or equivalent document.

14.3. Upon request, the Parties shall make a copy of these Clauses available to the Data Subject free of charge, complying with trade and industrial secrecy.

14.4. All information made available to Data Subjects, under the terms of these Clauses, shall be written in Portuguese.

CLAUSE 15. Rights of the data subject

15.1. The Data Subject shall have the right to obtain from the Designated Party, as regards the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, under the terms of the National Legislation:

a) confirmation of the existence of processing;

b) access to data;

c) correction of incomplete, inaccurate or outdated data;

d) anonymization, blocking or erasure of unnecessary or excessive data or data processed in noncompliance with these Clauses and the provisions of National Legislation;

e) portability of data to another service or product provider, upon express request, in accordance with ANPD regulations, complying with trade and industrial secrecy;

f) erasure of Personal Data processed under the Data Subject’s consent, except for the events provided in CLAUSE 20;

g) information on public and private entities with which the Parties have shared data;

h) information on the possibility of denying consent and on the consequences of the denial;

i) withdrawal of consent through a free of charge and facilitated procedure, remaining ratified the processing activities carried out before the request for elimination;

j) review of decisions taken solely on the basis of automated processing of personal data affecting their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality; and

k) information on the criteria and procedures adopted for the automated decision.

15.2. Data Subject may oppose the processing based on one of the events of waiver of consent, in case of noncompliance with the provisions of these Clauses or National Legislation.

15.3. The deadline for responding to the requests provided for in this Clause and in item 14.3 is 15 (fifteen) days from the date of the data subject’s request, except in the event of a different deadline established in specific ANPD regulations.

15.4. In case the Data Subject’s request is directed to the Party not designated as responsible for the obligations set forth in this Clause or in item 14.3., the referred Party shall:

a) inform the Data Subject of the service channel made available by the Designated Party; or

b) forward the request to the Designated Party as early as possible, to enable the response within the period provided in item 15.3. (Amended by the RECTIFICATION of August 18, 2025)

15.5. The Parties shall immediately inform the Data Processing Agents with whom they have shared data of the correction, deletion, anonymization or blocking of the data, for them to follow the same procedure, except in cases where this communication is demonstrably impossible or involves a disproportionate effort.

15.6. The Parties shall promote mutual assistance to respond to the Data Subjects’ requests.

CLAUSE 16. Security Incident Reporting

16.1. The Designated Party shall notify ANPD and the Data Subject, within 3 (three) working days of the occurrence of a security incident that may entail a relevant risk or damage to the Data Subjects, according to the provisions of National Legislation.

16.2. The Importer must keep a record of security incidents in accordance with National Legislation.

CLAUSE 17. Liability and compensation for damages

17.1. The Party which, when performing Personal Data processing activities, causes patrimonial, moral, individual or collective damage, for violating the provisions of these Clauses and of the National Legislation, shall compensate for it.

17.2. Data Subject may claim compensation for damage caused by any of the Parties as a result of a breach of these Clauses.

17.3. The defense of Data Subjects’ interests and rights may be claimed in court, individually or collectively, in accordance with the provisions in relevant legislation regarding the instruments of individual and collective protection.

17.4. The Party acting as Processor shall be jointly and severally liable for damages caused by the processing activities when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except for the provisions of item 17.6.

17.5. The Controllers directly involved in the processing activities which resulted in damage to the Data Subject shall be jointly and severally liable for these damages, except for the provisions of item 17.6.

17.6. Parties shall not be held liable if they have proven that:

a) they have not carried out the processing of Personal Data attributed to them;

b) although they did carry out the processing of Personal Data attributed to them, there was no violation of these Clauses or National Legislation; or

c) the damage results from the sole fault of the Data Subject or of a third party which is not a recipient of the Onward Transfer or not subcontracted by the Parties.

17.7. Under the terms of the National Legislation, the judge may reverse the burden of proof in favor of the Data Subject whenever, in his judgement, the allegation is credible, there is a lack of sufficient evidence or when the Data Subject would be excessively burdened by the production of evidence.

17.8. Judicial proceedings for compensation for collective damages which intend to establish liability under the terms of this Clause may be collectively conducted in court, with due regard for the provisions in relevant legislation.

17.9. The Party which compensates the damage to the Data Subject shall have a right of recourse against the other responsible parties, to the extent of their participation in the damaging event.

CLAUSE 18. Safeguards for Onward Transfers

18.1. The Importer shall only carry out Onward Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the terms and conditions described in CLAUSE 3.

18.2. In any case, the Importer:

a) shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in CLAUSE 2;

b) shall guarantee, by means of a written contractual instrument, that the safeguards provided in these Clauses shall be ensured by the third-party recipient of the Onward Transfer; and

c) for the purposes of these Clauses, and regarding the Personal Data transferred, shall be considered responsible for any eventual irregularities committed by the third-party recipient of the Onward Transfer.

18.3. The Onward Transfer shall also be carried out based on another valid modality of International Data Transfer provided in National Legislation, regardless of the authorization referred to in CLAUSE 3.

CLAUSE 19. Access Request Notification

19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except in the event that notification is prohibited by the law of the country in which the data is processed.

19.2. The Importer shall implement the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is adequate legal basis to question the legality of the Access Request and, if applicable, the prohibition of issuing the notification referred to in item 19.1.

19.3. To comply with both the ANPD’s and the Exporter’s requests, the Importer shall keep a record of Access Requests, including date, requester, purpose of the request, type of data requested, number of requests received, and legal measures implemented.

CLAUSE 20. Termination of processing and erasure of data

20.1. Parties shall erase the personal data subject to the International Data Transfer governed by these Clauses after the ending of their processing, within the scope and technical boundaries of the activities, being their storage authorized only for the following purposes:

a) compliance with a legal or regulatory obligation by the Controller;

b) study by a Research Body, guaranteeing, whenever possible, the anonymization of personal data;

c) transfer to a third-party, upon compliance with requirements set forth in these Clauses and in the National Legislation; and

d) exclusive use of the Controller, being the access by a third-party prohibited, and provided data have been anonymized.

20.2. For the purposes of this Clause, processing of personal data shall cease when:

a) the purpose set forth in these Clauses has been achieved;

b) Personal Data are no longer necessary or pertinent to attain the intended specific purpose set forth in these Clauses;

c) at the termination of the processing period;

d) Data Subject’s request is met; and

e) at the order of ANPD, upon violation of the provisions of these Clauses or National Legislation.

CLAUSE 21. Data processing security

21.1. Parties shall implement Security Measures which guarantee sufficient protection of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination.

21.2. Parties shall inform, in SECTION III, the Security Measures implemented, considering the nature of the processed information, the specific characteristics and the purpose of the processing, the technology current state and the probability and severity of the risks to the Data Subjects’ rights, especially in the case of sensitive personal data and that of children and adolescents.

21.3. The Parties shall make the necessary efforts to implement periodic evaluation and review measures to maintain the appropriate level of data security.

CLAUSE 22. Legislation of country of destination

22.1. The Importer declares that it has not identified any laws or administrative practices of the country receiving the Personal Data that prevent it from fulfilling the obligations assumed in these Clauses.

22.2. In the event of a regulatory change which alters this situation, the Importer shall immediately notify the Exporter to assess the continuity of the contract.

CLAUSE 23. Non-compliance with the Clauses by the Importer

23.1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being the Importer unable to comply with any of them, the Exporter shall be immediately notified, subject to the provisions in item 19.1.

23.2. Upon receiving the communication referred to in item 23.1 or upon verification of non-compliance with these Clauses by the Importer, the Exporter shall implement the relevant measures to ensure the protection of the Data Subjects’ rights and the compliance of the International Data Transfer with the National Legislation and these Clauses, and may, as appropriate:

a) suspend the International Data Transfer;

b) request the return of the Personal Data, its transfer to a third-party, or its erasure; and

c) terminate the contract.

CLAUSE 24. Choice of forum and jurisdiction

24.1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising from these Clauses shall be resolved before the competent courts in Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.

24.2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before the competent courts in Brazil, including those in their place of residence.

24.3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions of the Arbitration Law.

SECTION III – Security Measures

(i) Governance and supervision of internal processes: All Information Security, Privacy and Data Protection measures can be viewed in detail at: https://www.pipefy.com/pt-br/seguranca/

(ii) Technical and administrative security measures, including measures to ensure the security of operations performed, such as the collection, transmission and storage of data: All Information Security, Privacy and Data Protection measures can be viewed in detail at: https://www.pipefy.com/pt-br/seguranca/
