Data Processing Agreement
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
"Applicable Data Protection Laws" means any applicable privacy or data protection legislation or regulations, including but not limited to European Data Protection Laws, and the California Consumer Privacy Act, as amended by the California Privacy Rights Act and its implementing regulations as amended or superseded from time to time ("CCPA") as well as similar laws adopted in other states. In the event of a conflict in the meanings of defined terms in the Applicable Data Protection Laws, the meaning from the law applicable to the region of residence of the relevant Data Subject applies;
"Controller" shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable "controller" as that term is defined under European Data Protection Laws and Applicable Data Protection Laws in the U.S. and "business" as the term is defined under the CCPA;
"Customer Personal Data" means any Personal Data Processed by Cykel as a Processor on behalf of Customer or Third-Party Controller pursuant to the Agreement;
"Data Subject" shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable "data subject" as that term is defined under European Data Protection Laws and "consumer" as the term is defined under the CCPA and Applicable Data Protection Laws in the U.S.;
"Data Subject Rights" means all rights granted to Data Subjects under Applicable Data Protection Laws, which may include, as applicable, rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Laws;
"Data Transfer" means a disclosure of Customer Personal Data by an organization subject to European Data Protection Laws to another organization located outside the EEA, the UK, or Switzerland;
"DPA" means this Data Processing Agreement;
"EEA" means the European Economic Area;
"European Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the EEA, including the European Union, and all other data protection laws of the EEA, the United Kingdom ("UK"), and Switzerland, each as applicable, and as may be amended or replaced from time to time;
"EU-US Data Privacy Framework" means the adequacy decision laid down in the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final;
"Personal Data" shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable "personal data" as that term is defined under European Data Protection Laws and "personal information" as the term is defined under the CCPA;
"Process" and "Processing" shall be interpreted consistent with Applicable Data Protection Laws;
"Processor" shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable a "processor" as the term is defined under European Data Protection Laws and "service provider" or "contractor" as those terms are defined under the CCPA;
"SCCs" means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
"Services" means the services provided by Cykel to the Customer under the Agreement;
"Subprocessor" means any person appointed by Cykel to Process Personal Data on behalf of the Customer in connection with the Agreement;
"Third-Party Controller" means a Controller for which the Customer is a Processor; and
"UK Addendum" means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
The terms "Commission", "Member State", "Personal Data Breach" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The terms "Business Purpose", "Share", and "Shared" shall have the same meaning given to them under the CCPA. The terms "Sell" and "Selling" shall have the meaning defined in Applicable Data Protection Laws in the U.S.
2. Scope
2.1 This DPA applies to the Processing of Customer Personal Data by Cykel. The subject matter, nature and purposes of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.2 Customer is a Controller of Customer Personal Data and appoints Cykel as a Processor of such data. Customer is responsible for compliance with the requirements of Applicable Data Protection Laws applicable to Controllers. In particular, and where applicable, Customer acknowledges and agrees that it will provide notice to Data Subjects about the Processing of Personal Data by Cykel as described in this DPA, and obtain Data Subjects' consent to such Processing by Cykel as necessary to comply with Applicable Data Protection Laws. Cykel shall comply with the obligations of Applicable Data Protection Laws and, as applicable, shall provide the level of privacy protection to Customer Personal Data required by such Applicable Data Protection Laws.
2.3 If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Cykel; must obtain all necessary authorizations from such Third-Party Controller; will ensure that the Third-Party Controller provided notice and obtained any consents necessary for Processing by Cykel as set forth in section 2.2; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
3. Processing of Customer Personal Data
3.1 Cykel shall Process Customer Personal Data in accordance with the Customer's documented instructions and as reasonably necessary to provide the Services. Customer acknowledges that such Processing as set out in the Agreement constitutes documented instructions for the purposes of this DPA.
3.2 The Customer's instructions are documented in this DPA, the Agreement, and any applicable statement of work, and Cykel shall process Customer Personal Data for the limited and specific purposes of carrying out these documented instructions or as otherwise expressly permitted by Applicable Data Protection Laws. Where permitted by Applicable Data Protection Laws, Customer has the right to take reasonable and appropriate steps to ensure that Cykel uses Customer Personal Data consistent with Customer's obligations under Applicable Data Protection Laws.
3.3 Solely for the purposes of the CCPA, and except as (i) expressly permitted by the CCPA, or (ii) reasonably necessary to provide, maintain, or improve the Services, Cykel shall not: (i) Sell or Share Customer Personal Data, (ii) retain, use, or disclose Customer Personal Data for any purpose other than performing the Services, (iii) retain, use, or disclose Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer. The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.
3.4 Unless prohibited by applicable law, Cykel will inform Customer if Cykel is subject to a legal obligation that requires Cykel to Process Customer Personal Data in contravention of Customer's documented instructions.
4. Personnel
Cykel shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and ensuring that all such individuals are subject to contractual confidentiality obligations or professional or statutory obligations of confidentiality.
5. Security
5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cykel shall implement commercially reasonable technical and organizational measures to protect Customer Personal Data. Such measures shall be generally consistent with industry standards for services of similar nature and scope.
5.2 In assessing the appropriate level of security, Cykel shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
6. Subprocessing
6.1 Customer hereby authorizes Cykel to engage Subprocessors. A list of Cykel's current Subprocessors can be provided upon request. Customer acknowledges that the list may be subject to change without notification.
6.2 Cykel will enter into a written agreement with Subprocessors which imposes the same obligations as required by Applicable Data Protection Laws.
6.3 Cykel will notify Customer of any changes to its Subprocessors by updating the list at https://www.cykel.ai/dpa. If Customer has a reasonable basis to object to Cykel's use of a new Subprocessor, Customer may notify Cykel in writing within fifteen (15) days after the list is updated. If Customer does not object within this period, Customer shall be deemed to have accepted the new Subprocessor. If Customer does object, Cykel will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's use of the Services to avoid processing of Customer Personal Data by the objected-to Subprocessor. If Cykel is unable to make available such change within sixty (60) days, either party may terminate the affected portions of the Services upon written notice to the other party.
7. Data Subject Rights
7.1 Taking into account the nature of the Processing and the information available to Cykel, Cykel shall assist the Customer by implementing appropriate technical and organizational measures, as appropriate, for the fulfillment of the Customer's obligations to respond to requests to exercise Data Subject Rights.
7.2 Cykel shall:
7.2.1 promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data; and
7.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws.
8. Personal Data Breach
8.1 Cykel shall notify Customer without undue delay upon becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data that is likely to result in a high risk to the rights and freedoms of natural persons, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.
8.2 Cykel shall co-operate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
Cykel shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to Cykel.
10. Deletion or Return of Customer Personal Data
10.1 This DPA is terminated upon the termination of the Agreement.
10.2 The Customer may request return of Customer Personal Data in Cykel's or Cykel's Subprocessors' possession up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Cykel will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer. Cykel may retain Customer Personal Data to the extent required by applicable law but only to the extent and for such period as required by such law and always provided that Cykel shall ensure the confidentiality of all such Customer Personal Data.
11. Audit rights and Compliance
11.1 No more than once per twelve (12) month period, and upon reasonable written request with at least thirty (30) days' notice, Cykel shall make available to Customer information necessary to demonstrate compliance with this DPA in the form of third-party audit reports or certifications, or Cykel's self-assessment documentation.
11.2 If the documentation provided under Section 11.1 is not sufficient to verify Cykel's compliance with this DPA, Customer may conduct an on-site audit, subject to the following conditions: (a) the audit shall be conducted during regular business hours, subject to Cykel's security and confidentiality requirements; (b) Customer shall provide at least forty-five (45) days' prior written notice; (c) audits shall be limited to once per twenty-four (24) month period unless there are reasonable grounds to suspect material non-compliance with this DPA; (d) Customer may use a mutually agreed third-party auditor, provided such auditor enters into a confidentiality agreement acceptable to Cykel; (e) audits shall not unreasonably interfere with Cykel's business activities; and (f) Customer shall bear all costs and expenses of any audit. Cykel may charge Customer for any time expended for any such on-site audit at Cykel's then-current professional services rates.
11.3 Information rights of the Customer only arise under Section 11.1 to the extent that the Agreement does not otherwise give the Customer information rights meeting the relevant requirements of Applicable Data Protection Laws.
11.4 Solely for the purpose of the CCPA, Cykel shall promptly notify Customer if it determines that it can no longer meet its obligations under the CCPA. Upon receiving notice from Cykel in accordance with this subsection, Customer may direct Cykel to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
12. Data Transfer
12.1 Customer hereby authorizes Cykel to perform Data Transfers to any country deemed to have an adequate level of data protection by the European Commission, including on the basis of the EU-US Data Privacy Framework, or by other competent authorities (including in the UK and Switzerland), as appropriate; on the basis of adequate safeguards in accordance with European Data Protection Laws; or pursuant to the SCCs and the UK Addendum referred to in Sections 12.2 and 12.3 below.
12.2 By entering into this DPA, Customer and Cykel conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the "data exporter" is Customer; the "data importer" is Cykel; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of England and Wales; the courts in Clause 18(b) are the Courts of England and Wales; Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
12.3 By entering into this DPA, Customer and Cykel conclude the UK Addendum, which is hereby incorporated and applies to Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the "Exporter" is Customer and the "Importer" is Cykel, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the "Approved EU SCCs" are the SCCs referred to in Section 12.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the "Approved EU SCCs" are Annex I and II respectively; and (iv) in Table 4, both the "Importer" and the "Exporter" can terminate the UK Addendum.
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
Customer (as defined above), Role: Controller, or Processor on behalf of Third-Party Controller
Data importer:
Name: Cykel AI PLC, Role: Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
Categories of Data Subjects whose Personal Data is transferred:
- Job candidates and potential candidates (for Lucy)
- Sales prospects and customers (for Eve)
- Subjects of research or analysis (for Samson)
- Employees and contractors of the Customer
- Other data subjects whose personal data is contained in Customer data
Categories of Personal Data transferred:
- For Lucy (recruitment): Candidate names, contact details, professional experience, education, skills, resumes/CVs, job applications, employment history, user communications, and other recruitment-related information
- For Eve (sales): Customer and prospect contact information, company details, deal information, communication history, user communications, and other sales-related information
- For Samson (research): Public web data and, when connected by the Customer, data from Customer's sources that may contain personal data
- Any other personal data that the Customer chooses to input or upload into Cykel's services
Sensitive Data transferred (if applicable) and applied restrictions or safeguards: The Customer is not expected to transfer sensitive data to Cykel. If any sensitive data is transferred, the Customer must inform Cykel and additional safeguards may be applied.
The frequency of the International Data Transfer: On a continuous basis.
Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement. Processing activities may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose(s) of the International Data Transfer and further Processing: The Personal Data will be transferred and further processed for the provision of Cykel's digital worker services as described in the Agreement, including:
- Automation of recruitment processes (Lucy)
- Automation of sales processes (Eve)
- Research and analysis (Samson)
- Any other services as described in the Agreement
The period for which the Personal Data will be retained: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law. Upon termination of the Agreement, Personal Data will be handled as described in Section 10 of this DPA.
For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of the EU Member State in which the data exporter is established.
The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA:
Cykel maintains a comprehensive information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of Cykel's operations, the nature and scope of Cykel's activities, and the sensitivity of the Customer Personal Data processed.
This program includes:
- Reasonable access controls and authentication procedures
- Encryption of sensitive data in transit and at rest where appropriate
- System monitoring and logging
- Business continuity and disaster recovery capabilities
- Regular security testing and evaluation procedures
- Employee training and awareness programs
- Incident response procedures
Cykel may modify or update these security measures from time to time, provided that such modifications will not materially decrease the overall security of the Services during the term of the Agreement.
The measures in this Annex apply to all transfers described in this DPA.