Data Processing Agreement (DPA)
Version 3.0
Date: 21/06/2026
This Data Processing Agreement ("Processing Agreement") is an annex to the General Terms and Conditions and forms part of the agreement ("Agreement") between the customer ("Controller") and dembrane B.V. ("Processor"). This Processing Agreement governs the processing of personal data by dembrane on behalf of the Controller. Where the Services are delivered through an external Workspace as described in Article 3.8 of the General Terms and Conditions, the Controller is the Data Owner designated for that Workspace. Capitalised terms have the meaning as defined in the General Terms and Conditions (Article 1), unless otherwise defined in this Processing Agreement.
For the purposes of Article 28(3) of the GDPR, the Controller and Processor (each a "Party", together the "Parties") have agreed on the following terms to ensure the protection of the rights of Data Subjects.
Recitals
As part of the performance of the Agreement, Personal Data will be processed by Processor on behalf of Controller.
Pursuant to Article 28 of the GDPR, the arrangements regarding the processing and security of such Personal Data must be laid down in a data processing agreement.
The Parties have laid down these arrangements in this Processing Agreement.
Article 1. Definitions
Terms used in this Processing Agreement written with an initial capital letter shall have the following meanings:
Data Subject: the person to whom Personal Data relates.
Personal Data: any information about an identified or identifiable natural person processed by Processor in the context of the performance of the Agreement with Controller.
Data Owner: the organisation that is the controller of the Personal Data processed in a Workspace, as described in Article 3.9 of the General Terms and Conditions.
GDPR: the EU General Data Protection Regulation 2016/679.
AI Act: The EU Artificial Intelligence Act, Regulation (EU) 2024/1689.
Article 2. Processing of Personal Data
2.1. The categories of Data Subjects and types of Personal Data processed by Processor are set out in Annex I.
2.2. Processor shall process the Personal Data disclosed to it only on the basis of written instructions from Controller and only in the context of the performance of the Agreement, unless a provision of Union or Member State law applicable to Processor obliges it to process. In that case, Processor shall notify Controller of that legal requirement prior to processing, unless that legislation prohibits such notification for important public interest reasons.
2.3. Processor has no control over the purposes and means of processing Personal Data. Nothing in this Processing Agreement is intended to transfer control over Personal Data to Processor in any way.
2.4. Processor shall not be permitted to:
process the Personal Data for its own purposes;
process the Personal Data for purposes other than, or beyond, those reasonably necessary in the context of the performance of the Agreement;
provide the Personal Data to third parties to the extent that this is not permitted on the basis of the Agreement and/or the Processing Agreement and/or on the basis of a mandatory legal provision pursuant to which Processor is obliged to disclose Personal Data to (supervisory or investigative) authorities.
2.5. Workspaces and roles. The Controller is the Data Owner of the Personal Data processed in a Workspace. Where a party other than the Controller operates an external Workspace on behalf of the Data Owner (for example a partner or consultant), that operating party acts as a separate processor of the Data Owner and is responsible for its own arrangements with the Data Owner. Processor processes the Personal Data as a processor of the Controller in its own right, and not as a sub-processor of the operating party.
Article 3. Legal and Regulatory Compliance
3.1. Parties will conduct themselves in accordance with the provisions of the GDPR, the AI Act and future (European) laws and regulations applicable at any time in the field of processing personal data and artificial intelligence. If future laws and regulations require the Processing Agreement to be amended, Parties will enter into consultations in order to make new arrangements which will maintain the scope of this Processing Agreement as much as possible.
3.2. Processor shall cooperate with Controller in carrying out a Data Protection Impact Assessment, at least to the extent possible in connection with the information available to it and the nature of the processing. The reasonable costs that this obligation to cooperate entails for Processor shall be borne by Controller.
3.3. If and to the extent that Controller is required under laws and regulations to provide information to a supervisory authority regarding the processing of Personal Data, Processor shall, at the first request of Controller, provide all reasonably requested cooperation to Controller so that such information becomes available and the supervisory authority can be duly informed.
Article 4. Confidentiality
4.1. Processor shall be obliged to keep the Personal Data confidential and shall ensure that those authorised to process the Personal Data have undertaken to observe confidentiality.
4.2. Even after the termination of this Processing Agreement, this confidentiality obligation shall continue to exist, except insofar as it concerns information that has already become publicly known, other than as a result of a breach of the aforementioned confidentiality obligation.
Article 5. Security Measures of Processor
5.1. Processor shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include the measures listed in Annex II.
5.2. In determining the measures, Processor shall take into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of processing and the risks to the rights and freedoms of individuals that vary in terms of probability and severity.
5.3. When assessing the appropriate level of security, Processor shall in particular take into account the processing risks, especially those resulting from the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, transmitted, stored or otherwise processed data, whether accidental or unlawful.
5.4. In accordance with Article 32 GDPR, Processor shall also, independently from Controller, evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, Controller shall provide Processor with all information necessary to identify and evaluate such risks.
5.5. Processor shall take measures to ensure that any natural person acting under the authority of the Processor and having access to the Personal Data shall only process it on the instructions of the Controller, unless a provision of Union law or Member State law requires Processor to process it.
Article 6. Data Retention
6.1. During the Agreement. The following retention periods apply to Personal Data processed by Processor:
Audio recordings: retained for the duration of the project as defined by Controller in the Platform, and deleted within 30 days after the project is completed or the relevant conversation is deleted by Controller;
Transcription, chat and analysis data: retained for the duration of the Agreement. Controller may delete conversations through the Platform at any time, which cascades to the associated audio recording and transcription. The same process also applies to the chat and analysis data;
Client account data (email): retained for the duration of the Agreement.
6.2. Controller may export its data through the Platform at any time during the Agreement in a commonly used, machine-readable format.
6.3. Audio and transcription data transmitted to sub-processors for processing purposes is retained by those sub-processors only for the transient period necessary to complete processing, as specified in Annex III. This data is automatically deleted by the sub-processors within a timeframe which dembrane has set with the sub-processors, as specified in Annex III.
6.4. After the termination of this Processing Agreement, Processor shall, at the first request and at the choice of the Controller, delete all Personal Data or return it in a commonly used, machine-readable format. Controller shall communicate its choice to Processor no later than two (2) weeks before termination of the Processing Agreement. If Processor does not receive this choice in a timely manner, Processor shall delete the Personal Data within 30 days after termination.
6.5. Processor retains a copy of the Personal Data beyond the periods specified in this Article only where required to do so under a mandatory legal provision. In such cases, Processor shall inform Controller of the scope and expected duration of the retention.
Article 7. Supervision by Controller
7.1. Upon request, Processor shall provide Controller with the necessary information enabling Controller to form an opinion on Processor's compliance with the provisions of Articles 2, 4, 5, 6, 8, 9, 11 and 12 of this Processing Agreement.
7.2. Controller shall have the right to have Processor's compliance with obligations in Articles 2, 4, 5, 6, 8, 9, 11 and 12 of this Processing Agreement audited by an independent expert bound by confidentiality. Processor shall cooperate in the audit and provide all information reasonably relevant to the audit as timely as possible. The costs of audits commissioned by Controller shall be borne by Controller, unless it appears that Processor has not adequately fulfilled its obligations in which case Processor shall bear the costs.
7.3. If the independent expert's audit report shows that the measures and provisions taken by Processor do not sufficiently comply with this Processing Agreement, Processor shall immediately take the necessary measures to comply with it.
Article 8. Data Breach Notification Obligation
8.1. Processor shall inform Controller without undue delay, as soon as it discovers that a Personal Data breach has occurred. This provision of information shall be such that Controller is able to fulfil its obligations under Article 33 and Article 34 of the GDPR.
8.2. Processor shall always keep Controller fully informed about the progress of the recovery and all relevant developments regarding the breach referred to in Article 8.1 and the consequences thereof. Processor shall take all measures that can reasonably be expected of it to mitigate, remedy or limit as much as possible the adverse consequences of the breach referred to in Article 8.1.
8.3. In the context of a breach referred to in Article 8.1, Processor shall not communicate with Data Subject(s) and/or supervisory authority(ies) other than on the instructions of Controller, or with its express and explicit consent.
Article 9. Sub-processing
9.1. Processor hereby obtains general consent to outsource parts of the processing of Personal Data to sub-processors listed in Annex III during the term of the Agreement.
9.2. Processor shall inform the Controller of any changes regarding the addition or replacement of sub-processors. Controller may object to such changes in writing within 30 days of notification, stating reasonable grounds. If Processor cannot reasonably accommodate the objection, Controller may terminate the affected processing (or the Agreement) in accordance with the termination provisions of the Agreement.
9.3. Processor shall agree a third-party beneficiary clause with each sub-processor whereby, in the event of bankruptcy of the Processor, Controller shall be a third-party beneficiary to the sub-processor agreement and shall have the right to enforce the agreement against the sub-processor, including the right to instruct the sub-processor to delete or return the Personal Data.
9.4. Processor shall ensure that all sub-processors engaged by it that play a role in the performance of the Agreement will comply with the obligations contained in this Processing Agreement, in particular the obligation to provide adequate guarantees regarding the application of appropriate technical and organisational measures in order to ensure an equivalent level of protection of Personal Data.
9.5. The sub-processors actually engaged depend on the tier and deployment configuration agreed with Controller, as further described in Annex III. Where Controller uses its own LLM (the bring-your-own-model configuration of the Innovator tier), the provider of that model is not a sub-processor of Processor, and Controller is responsible for its own arrangements with that provider. The Guardian tier provides additional compliance support and controls for high-compliance environments and, unless otherwise agreed in writing with Controller, uses the same sub-processors set out in Annex III.
Article 10. Requests from Data Subject
10.1. Controller has obligations towards Data Subjects under the GDPR, such as with regard to providing information, giving access to, rectifying and deleting Personal Data. Processor shall, if possible, cooperate with the obligations to be fulfilled by Controller. Processor reserves the right to charge its regular hourly rate to Controller for its cooperation.
10.2. If a Data Subject contacts Processor directly in relation to the performance of their rights under the GDPR, Processor will not address this (in substance), but will notify Controller without delay.
Article 11. International Transfers
11.1. Processor shall ensure that any processing of Personal Data carried out by or on behalf of Controller, including by the third parties engaged by it in connection with the performance of the Agreement, shall take place within the European Economic Area (EEA) or to or from countries that provide a guaranteed level of protection in accordance with the GDPR.
11.2. Therefore, without the prior written consent of Controller, Processor shall not transfer Personal Data to or store Personal Data in a country or organisation outside the EEA or make Personal Data accessible from a non-EEA country, unless that country or organisation provides a guaranteed level of protection or a provision of Union or Member State law applicable to Processor obliges it to process. In that case, the Processor shall notify the Controller, prior to processing, of that legal requirement, unless that legislation prohibits such notification for important public interest reasons.
11.3. Where the processing of Personal Data involves a transfer to a country outside the EEA that does not benefit from an adequacy decision under Article 45 GDPR, Processor shall ensure that appropriate safeguards are in place in accordance with Article 46 GDPR, including but not limited to Standard Contractual Clauses adopted by the European Commission. Processor shall inform Controller of any such transfers and the safeguards applied. As of the effective date, Processor maintains data residency within the EEA for all primary processing activities. This article applies in the event that circumstances require transfer outside the EEA.
Article 12. AI Act Compliance
12.1. Processor has classified the Platform's AI functions under the AI Act as follows: (a) the transcription function as minimal risk (Article 50(2) of the AI Act); (b) the chat and reporting functions as limited risk, subject to the transparency obligations under Article 50 of the AI Act. Processor provides transparency disclosures to Data Subjects within the Platform accordingly.
12.2. Processor maintains documentation of its AI Act compliance, including risk classifications, transparency measures, and guidance on the respective obligations of provider and deployer, in its compliance documentation.
Article 13. Warranty and Indemnity
13.1. Controller guarantees that data processing takes place in accordance with applicable laws and regulations. This means in any case that Controller guarantees that it has the right to collect the data (or have it collected) and that it is entitled to process the data (or have it processed).
13.2. Controller shall indemnify Processor against damages and costs resulting from any claims by third parties, expressly including Data Subjects and supervisory authorities (such as the Personal Data Authority), related to or arising from any unlawful processing and/or other violation of the GDPR and/or the Processing Agreement attributable to Controller.
Article 14. Liability
14.1. Controller guarantees correct compliance with the obligations under the Processing Agreement. This Processing Agreement forms an integral part of the Agreement between Controller and Processor and the (total) liability of Processor is (thereby) limited in accordance with the provisions of the Agreement.
Article 15. Term of Processing Agreement
15.1. This Processing Agreement enters into force at the time the Agreement takes effect and is entered into for the duration of the Agreement.
15.2. Once the Agreement is terminated or ends, for whatever reason, this Processing Agreement shall remain in force for as long as Personal Data is processed by Processor, after which this Processing Agreement shall terminate by operation of law.
15.3. The post-termination retention and deletion obligations are governed by Article 6.4 and 6.5 of this Processing Agreement.
Article 16. Final Provision
16.1. Amendments and supplements to this Processing Agreement shall only be valid if agreed in writing between the Parties. The amendment regime of the General Terms and Conditions (Article 15) does not apply to this Processing Agreement.
16.2. This Processing Agreement is exclusively governed by Dutch law.
16.3. The competent court in 's-Hertogenbosch, the Netherlands, shall have exclusive jurisdiction to adjudicate any disputes arising out of or in connection with this Processing Agreement.
16.4. This Processing Agreement is version 3.0, dated 21/06/2026. Previous versions are superseded in their entirety.
Annex I. Categories of Data Subjects and Personal Data
| Data Subject | Type of Personal Data | Purpose of Processing |
|---|---|---|
| Participants | Audio recording | Transcribe participant contributions to gather insights from dialogue. |
| Participants | Transcription text | To act as a basis for analysis to gather insights from dialogue. |
| Participants | Analysis data | Analysis of participant-shared information to gather insights from dialogue. |
| Users (Dashboard Users, including external collaborators and read-only observers) | E-mail address, name, role and Workspace membership | To maintain user accounts, manage roles and collaboration, and provide access to the Platform. |
| Data Owner contacts | E-mail address, name | To notify the Data Owner of the creation of an external Workspace and to invite the Data Owner to observe the project. |
Annex II. Security Measures
Standards System
Processor maintains a certified Information Security Management System (ISMS) in accordance with ISO 27001:2022. The ISMS scope covers the design, development, and operation of the dembrane platform, including the processing of personal data on behalf of Controllers.
Certification: ISO 27001:2022, issued by an accredited certification body. A copy of the current certificate is available in the Processor's compliance data room.
Statement of Applicability: The applicable controls from ISO 27001:2022 Annex A are documented in the Statement of Applicability and are available in the Processor's compliance data room.
BIO2 alignment: Processor is implementing controls aligned with the BIO2 (Baseline Informatiebeveiliging Overheid) framework for Dutch public sector clients.
Technical Measures
Encryption in transit: All data in transit is encrypted using TLS 1.2 or higher.
Encryption at rest: All stored personal data is encrypted at rest using AES-256 or equivalent industry-standard encryption provided by the infrastructure provider.
Access control: Access to personal data is restricted using role-based access control (RBAC). All access to production systems and data stores requires multi-factor authentication (MFA).
Secure connections: Personal data is only transmitted via secure connections (HTTPS, IPsec, FTPS).
Infrastructure: Processor uses industry-standard cloud infrastructure (DigitalOcean) for data storage and compute, all hosted within the European Economic Area. See Annex III for details.
Backups: Backups of personal data are transmitted and stored via secure, encrypted connections. Backup procedures are documented within the ISMS.
Logging and monitoring: Access to personal data is logged. Logs are reviewed as part of the ISMS operational procedures.
Vulnerability management: Processor maintains a vulnerability management process including regular security assessments. Reports of penetration tests, where conducted, are available in the compliance data room.
Organisational Measures
Data minimisation: Processor separates personal data from research insights as soon as technically feasible and stores only the data necessary to provide the contracted services.
Staff awareness: All employees receive information security awareness training and have signed confidentiality agreements. Compliance is tracked within the ISMS.
Retention discipline: Personal data is retained only for the periods specified in Article 6 of this Processing Agreement.
Deletion cascading: When Controller deletes a conversation and/or chat through the Platform, the associated audio recording, transcription, chat data, and analysis data are deleted from Processor's systems. Deletion at sub-processors occurs within their respective transient retention windows (see Annex III).
Data subject deletion requests: If a Data Subject requests deletion of their data, Processor will cooperate with Controller and work with sub-processors to ensure data is deleted throughout the processing chain.
Incident response: Processor maintains a documented incident response procedure, including the ability to inform Controller within the timeframe specified in Article 8.1 of this Processing Agreement.
Access on instruction only: Stored personal data is only accessed by Processor staff at Controller's request or after notification for maintenance purposes.
Adequacy and Audits
Information security adequacy is demonstrated through:
ISO 27001:2022 certification (externally audited);
Controls aligned with the BIO2* framework (implementation in progress);
Periodic internal audits and management reviews as required by the ISMS;
Controller may verify these measures through the audit rights described in Article 7 of this Processing Agreement.
* External service providers are not part of the government and are therefore not themselves directly bound by the BIO or the delivery of an ICV. However, they must comply with the client's requirements. Conditions for the purpose of information security must therefore be laid down in the contract.
Annex III. Sub-processors
The sub-processors actually engaged depend on the tier and deployment configuration agreed with Controller (see Article 9.5). For the bring-your-own-LLM configuration of the Innovator tier, the Controller's own LLM provider is not a sub-processor of Processor. The Guardian tier uses the same sub-processors listed below, with additional compliance support and controls for high-compliance environments.
| Sub-processor (location) | Website | Outsourced Processing | Retention Periods |
|---|---|---|---|
| DigitalOcean (North-west EU, AMS3) | | Data storage and cloud compute (platform hosting) | Duration of Agreement (primary storage and compute) |
| AssemblyAI (EU, Ireland) | | Audio transcription (speech-to-text) | 12 hours (transcript & audio) |
| Google Cloud Vertex AI (EU, Amsterdam) | | LLM inference for analysis features; speech-to-text | Transient; max 24 hours |
| Twilio SendGrid (EU data residency) | | Transactional and account email delivery (email address, message content) | Per SendGrid delivery-log retention |