This Data Processing Agreement (“DPA”) is the parties’ agreement with regard to the Processing of Personal Data and supplements all License, Subscription, Services or other written or electronic agreements (the “Agreements”) between Platform Science NV, a company incorporated in Belgium, with its registered offices at Ter Waarde 90, 8900 Ieper, Belgium, with company number 0464.257.143, RLE Gent, division Ieper (“Platform Science”), and Customer in relation to the purchase of Services, Subscriptions, Licenses and/or Products (including Software as a Service, their associated Platform Science offline or mobile applications, and support, and defined as “Services” or otherwise in the Agreement or hereinafter) in the course of which Platform Science receives or processes personal data from Customer.
Customer enters into this DPA (i) by signing or otherwise accepting the Agreement, (ii) upon signing it on behalf of itself and as required under applicable Data Protection Laws and Regulations, in the name and on behalf of Authorized Affiliates, if and to the extent Platform Science processes Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and its Authorized Affiliates.
In the course of providing the Services to Customer pursuant to the Agreement, Platform Science may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data.
HOW TO EXECUTE THIS DPA:
I. This DPA consists of: the main body of the DPA, and Schedules 1 to 2.
II. It has been pre-signed on behalf of Platform Science. The Standard Contractual Clauses (as defined below) are incorporated by reference.
III. If Customer wants to complete this DPA, Customer must:
a. Complete the information in the signature box and sign on Pages 5 and 6.
b. Complete the information as the data exporter on Pages 5 and 6.
IV. Send the completed and signed DPA to Platform Science by email, indicating your organization’s Customer Account Number (as set out on the applicable Platform Science invoice), to [email protected].
HOW THIS DPA APPLIES:
- If the Customer entity accepting this DPA is a party to an Agreement, this DPA is an addendum to and forms part of that Agreement and the Platform Science entity that is party to the Agreement is party to this DPA.
- If the Customer entity signing this DPA has submitted an order that has been accepted by Platform Science or any of its Affiliates, but is not itself a party to the Agreement, this DPA is an addendum to that order (including any renewal order) and the Platform Science entity on which such order has been placed is party to this DPA.
This DPA does not replace any comparable or additional rights relating to Processing of Customer Data contained in the Agreement (including any existing data processing addendum to the Agreement).
DATA PROCESSING TERMS
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the outstanding voting interests of the subject entity.
“Authorized Affiliate” means any of Customer's Affiliate(s) which (i) is subject to one or more Data Protection Laws and (ii) is permitted to use the Services pursuant to the Agreement between Customer and Platform Science, but has not signed their own order with Platform Science and is not a "Customer" as defined under the Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the entity that executed the Agreement, together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
“Customer Data” means what is defined in the Agreement as “Customer Data” or “Your Data.”
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, as applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the individual to whom Personal Data relates.
“Europe” means the European Union (EU), the European Economic Area (EEA) and Switzerland.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Personal Data” means any information relating to (i) an identified or identifiable person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), provided such data is Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.
“Processor” means the entity which Processes Personal Data on instruction and on behalf of the Controller.
“Public Authority” means a government agency or law enforcement authority, including judicial authorities.
“EU Standard Contractual Clauses” means an agreement executed by and between either (i) a Platform Science Affiliate and Platform Science Inc. or (ii) Customer and Platform Science Inc., each pursuant to the implementing decision (EU) 2021/914.
“Sub-processor” means any Processor engaged by Platform Science or a member of the Platform Science Group.
“Platform Science” means the Platform Science entity which is a party to this DPA, namely Platform Science NV, a company incorporated in Belgium, Solid SAS, a company incorporated in France, or Logicway B.V., a company incorporated in the Netherlands, each as applicable.
“Platform Science Group” means Platform Science and its Affiliates engaged in the Processing of Personal Data.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Platform Science is a Processor and that Platform Science or members of the Platform Science Group will engage Sub-processors pursuant to the requirements set forth in Section 5 below, provided that for Processing of Customer Account Data, Platform Science is the Controller.
2.2 Customer’s Processing of Personal Data
Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Platform Science shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws and Regulations or other statutory provisions.
2.3 Platform Science’s Processing of Personal Data
Platform Science shall only Process Personal Data on behalf of and in accordance with Customer’s instructions including with regard to transfers of Personal Data to a third country or an international organization. Customer instructs Platform Science to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable orders; (ii) Processing initiated by users in their use of the Services; (iii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement; and (iv) processing for the purpose of anonymization in compliance with the Data Use Clauses in the Agreement or in Schedule 1.
PLATFORM SCIENCE DOES NOT ACT AS PROCESSOR FOR THE FOLLOWING PERSONAL DATA: User login and contact details, software usage data and data generated by security measures (“Customer Account Data”).
2.4 Scope and Purpose; Categories of Personal Data and Data Subjects
The subject-matter of Processing of Personal Data by Platform Science is the performance of the Services pursuant to the Agreement. The types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing/Transfer) to this DPA.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Rights. Taking into account the nature of the Processing, Platform Science assists Customer by providing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests of Data Subjects for exercising their Data Subject rights pursuant to the Data Protection Laws and Regulations. To the extent Customer, in its use of the Services, does not have the ability to exercise these rights itself, Platform Science shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent Platform Science is legally permitted to do so. To the extent legally permitted, Customer shall be responsible for any costs arising from Platform Science’s provision of such assistance.
3.2 Direct Requests of Data Subject. Platform Science shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for exercising their Data Subject rights pursuant to Section 3.1. Platform Science shall not respond to any such Data Subject request without Customer’s prior consent in text form, except to confirm that the request relates to Customer, to which Customer hereby agrees.
4. PLATFORM SCIENCE AND CUSTOMER PERSONNEL
4.1 General. Platform Science and Customer shall take steps to ensure that any natural person acting under their respective authority who has access to Customer Data does not process Customer Data except on instructions from the Customer, unless he or she is required to do so by Data Protection Laws and Regulations.
4.2 Confidentiality. Platform Science shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality undertakings. Platform Science shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.3 Reliability. Platform Science shall take commercially reasonable steps to ensure the reliability of any Platform Science personnel engaged in the Processing of Personal Data.
4.4 Limitation of Access. Platform Science shall ensure that personnel access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (i) Platform Science’s Affiliates may be retained as Sub-processors; and (ii) Platform Science and Platform Science’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. In such case, Platform Science and Platform Science’s Affiliate shall impose on any Sub-processor materially similar data protection obligations as set out in this DPA by way of a contract or other legal act. The contract or other legal act shall contain sufficient guarantees that any Sub-processor implements appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws and Regulations.
5.2 List of Current Sub-processors and Notification of New Sub-processors. The current list of Sub-processors engaged in Processing Personal Data for the performance of each applicable Service, including a description of their processing activities and countries of location is listed in Schedule 1. Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data, and instructs Platform Science accordingly. Platform Science will inform about changes to sub-processors in its release notes, customer updates or similar communications which shall be considered notice for purposes of Section 9.2 of the EU Standard Contractual Clauses.
5.3 Objection Right for New Sub-processors. In order to exercise its right to object to Platform Science’s use of a new Sub-processor, Customer shall notify Platform Science promptly in text form sent to [email protected] within thirty (30) business days after receipt of Platform Science’s notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, and that objection is not unreasonable, Platform Science will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Platform Science is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable order(s) and Agreements with respect only to those Services which cannot be provided by Platform Science without the use of the objected-to new Sub-processor by providing written notice to Platform Science. Platform Science will refund Customer any prepaid fees covering the remainder of the term of such order(s) following the effective date of termination with respect to such terminated Services.
5.4 Liability. Platform Science shall be liable for the acts and omissions of its Sub-processors to the same extent Platform Science would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. SECURITY, AUDITS AND ASSISTANCE
6.1 Security of Processing. Platform Science shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, including Personal Data, as set forth in Schedule 1. Platform Science regularly monitors compliance with these safeguards. Platform Science will not materially decrease the overall security of the Services during the term of the Agreement.
6.2 Audits. Platform Science shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Platform Science may have obtained third-party certifications and audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Platform Science shall make available to Customer that is not a competitor of Platform Science (or Customer’s independent, third-party auditor that is not a competitor of Platform Science) a copy of Platform Science’s then most recent third-party audits, certifications or any other information necessary to demonstrate Platform Science is complying with the obligations set forth in this DPA.
6.3 Assistance to Customer. Platform Science shall assist Customer in ensuring compliance with the obligations regarding security of Processing, notification and communication of Personal Data breaches, data protection impact assessments and prior consultations with the supervisory authority pursuant to the Data Protection Laws and Regulations.
6.4 Security Breach Management and Notification. In case of a Personal Data breach pursuant to the Data Protection Laws and Regulations, Platform Science maintains security incident management policies and procedures and shall, to the extent permitted by law, notify Customer of such breach without undue delay.
7. RETURN AND DELETION OF CUSTOMER DATA
Platform Science shall after the end of the provision of Services at the choice of Customer return Customer Data to Customer and/or delete Customer Data in accordance with the procedures and timeframes specified in the Agreement or its Service description unless legislation imposed on Customer requires the storage of Customer Data.
8. GOVERNMENT ACCESS REQUESTS
8.1 Unless prohibited by applicable law, Platform Science shall inform the Customer in general terms about requests, orders or similar demands by a court, competent authority, law enforcement or other government body ("Law Enforcement Request") relating to the processing of personal data under these Clauses.
8.2 Platform Science will object to and challenge any Law Enforcement Request by taking legal remedies to the extent they are reasonable given the circumstances. If compelled to disclose personal data transferred under these Clauses by a Law Enforcement Request, Platform Science will, unless prohibited by applicable law, give Customer reasonable notice to allow Customer to seek a protective order or other appropriate remedy unless Platform Science is legally prohibited from doing so.
8.3 In case Platform Science makes personal data available to sub-processors, Platform Science will select sub-processors in a country outside of the European Economic Area that is not the subject of an adequacy finding by the European Union Commission only after a due diligence that entails (i) a review of any transparency reports made available by the sub-processor, and (ii) carrying out a transfer risk assessment.
9. AUTHORIZED AFFILIATES
9.1 Contractual Relationship. The Customer enters into the DPA on behalf of itself and, as may be the case, in the name and on behalf of Authorized Affiliates, thereby establishing a separate DPA between Platform Science and each such Authorized Affiliate. Each Authorized Affiliate is bound by the obligations under this DPA. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, but is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
9.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Platform Science under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Platform Science, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA. If Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA as Controller, Authorized Affiliate hereby authorizes the Customer to exercise any such right in lieu of Authorized Affiliate. Moreover, the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together.
10. LIMITATION OF LIABILITY
Each party’s and its Affiliates’ liability arising out of or related to this DPA and all DPAs between Authorized Affiliates and Platform Science, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Platform Science's and its Affiliates’ total liability for all claims from the Customer and its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under such Agreement, including by any Authorized Affiliate, and, in particular, shall not be understood to apply individually and severally to each Authorized Affiliate that is a contractual party to any such DPA. For further avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.
If Customer has subscribed to, or purchased the Services, through a reseller or other business partner of Platform Science, Platform Science’s and its Affiliates’ liability arising out of or related to this DPA and all DPAs between Authorized Affiliates and Platform Science, whether in contract, tort or under any other theory of liability shall be limited, to the extent legally permissible, in aggregate to the higher of amounts received by Platform Science for these Services or EUR 50,000.
11. INTERNATIONAL PROVISIONS
11.1 Jurisdiction Specific Terms. To the extent Platform Science processes personal data originating from and protected by Data Protection Laws and Regulations in one of the jurisdictions listed in Schedule 3 (Jurisdiction Specific Terms) of this DPA, the terms specified in Schedule 3 with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.
11.2 Cross Border Data Transfer Mechanisms. To the extent Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from one jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction listed in Schedule 3 (Jurisdiction Specific Terms) of this DPA) to Platform Science located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 4 (Cross Border Transfer Mechanisms) of this DPA will apply.
12. MISCELLANEOUS
12.1 Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this DPA; (2) the terms of this DPA outside of Schedule 4 (Jurisdiction Specific Terms); and (3) the Agreement.
12.2 Updates. Platform Science may update the terms of this DPA from time to time; provided, however, Platform Science will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Data Protection Laws and Regulations; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this DPA are available at platformscience.eu/privacy.
Customer Legal Name: ____________________
Address:
Platform Science Customer Number: _______
☐ Customer has purchased the Services through Platform Science’s Authorized Reseller or Business Partner
Reseller Name:
Address: ____________________
Reseller Customer Number:
☐ For EU/EEA/UK bill to customers. Customer wishes to enter into EU Standard Contractual Clauses directly with Platform Science Inc. If this box is not checked the transfer mechanism for the transfer to Platform Science Inc. is the one described in Section 2.2 of Schedule 4 or any other transfer mechanisms established between the Platform Science Affiliate in Europe and Platform Science Inc.
If the previous box is checked: Customer considers the following Modules as applicable:
☐ Module 1 ☐ Module 2 ☐ Module 3
☐ Customer elects to execute this DPA
The parties' authorized signatories have duly executed this Agreement:
CUSTOMER (hereby signs this DPA)
Name:
Title:
Date:
Platform Science N.V.
Signature: ____________________
Print Name: Peter Huysmans
Title: General Manager
Date: 15.7.2025
Platform Science France SAS
Signature: ____________________
Print Name: Peter Huysmans
Title: General Manager
Date: 15.7.2025
Platform Science Nederland B.V.
Signature: ____________________
Print Name: Peter Huysmans
Title: General Manager
Date: 15.7.2025
Contact Details for all Platform Science entities:
Addresses Platform Science Entities
Platform Science NV
Ter Waarde 90, 8900 Ieper, Belgium
For: FleetWorks, FleetCockpit, FleetCockpit Plus, Performance Management, Video Intelligence.
Platform Science France SAS
11 Rue Hubble Parc de la Haute Borne, 59650 Villeneuve-d'Ascq, France
For: Solid Product Line
Platform Science Nederland B.V.
Zandbreeweg 12, 7577 BZ Oldenzaal, the Netherlands
For: FleetHours Web, FleetHours SaaS, Absence Planner
SCHEDULE 1 - DESCRIPTION OF PROCESSING
1. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
● Employees, officers, directors and contractors of Customer
● Customer’s customers (who are natural persons), often in their capacity as recipients of shipments, services and products
● Employees, agents, advisors, freelancers of Customer’s customers, vendors and counterparties of transactions processed through the Services
● Customer’s users authorized by Customer to use the Services
2. CATEGORIES OF PERSONAL DATA TRANSFERRED
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
● Contact and Master Data (First and last name, Title, Position)
● Contact information (company, email, phone, physical business address)
● ID data such as passports, driver licenses, IP addresses, Unique identifiers (UUID)
● Occupational and educational data (qualifications, experiences, skills)
● Job related data (services rendered, project contributions, assigned jobs and tasks, performance related data, hours of service, expenses)
● Localisation data (vehicle geolocation data is tracked, which by itself is not personally identifiable information. As with other data, when combined with personal identifiers it can be considered personal data under the GDPR, as it can be used in combination with other identifiers to identify drivers.)
● Contract related data (billing, payment, transaction history)
● History of Interactions
3. SENSITIVE DATA TRANSFERRED (IF APPLICABLE)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Data exporter may submit special categories of data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The applicable security measures are described in Schedule 2 below.
4. FREQUENCY OF THE PROCESSING/ TRANSFER
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis depending on the use of the Services by Customer.
5. NATURE OF THE PROCESSING
The nature of the Processing is the performance of the Services pursuant to the Agreement.
6. PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING
Platform Science will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
7. DURATION OF PROCESSING
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
On Platform Science N.V. client devices, Platform Science stores the data as long as it is needed for the execution of the tasks. After the execution of a task, the collected data is transmitted to the backend solution. At that moment, the data is deleted from the client device. If the device is not online, the data is stored on the device until the moment it comes back online. The live data on the backend solutions (FleetWorks and FleetCockpit) is stored for 4 months. In the reporting services, the data is available for 12 months. The live data can be obtained by the customer via web services. The customer defines the setup of the integration services and can filter which data is transmitted through web services.
The data storage times can be extended to 18 months for the BI reporting tool (Operational KPIs) and 24 months for the Performance Portal tool (Driving style portals).
For remote tacho download, the data is stored according to the legally required period of tacho downloads.
8. SUB-PROCESSOR TRANSFERS
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Sub-processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement. Subject to Section 9 of this DPA, the Sub-processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Purpose of Processing: Accounts Management
Personal Data required: Account data
Sub-processors: Amazon Web Services
Location: Ireland
Purpose of Processing: Infrastructure as a Service
Personal Data required: Data uploaded into the Service and data generated when using the Service
Sub-processors: Novasystems
Location: The Netherlands
Purpose of Processing: Forgot Password
Personal Data required: Email-address
Sub-processors: Mailgun
Location: Germany
Purpose of Processing: Vehicle Telemetry
Personal Data required: Tacho data, Driver ID data, vehicle location data*
Sub-processors: Amazon Web Services
Location: Ireland, Germany
Purpose of Processing: Admin-Driver communications
Personal Data required: Driver ID data
Sub-processors: Amazon Web Services, Microsoft Azure
Location: Ireland, Germany
Purpose of Processing: Driver activity reporting
Personal Data required: Driver ID data, email address
Sub-processors: Amazon Web Services
Location: Ireland, Germany
Purpose of Processing: Data Analytics
Personal Data required: All of customer’s data
Sub-processors: Snowflake, Microsoft Azure
Location: Ireland, Germany
Purpose of Processing: Vehicle incident reporting
Personal Data required: Tacho data, Driver ID data
Sub-processors: Amazon Web Services
Location: Ireland, Germany
Purpose of Processing: Security Logging
Personal Data required: Account data, Driver ID data
Sub-processors: Datadog
Location: United States (Platform Science is planning a migration to Datadog’s EU instance)
Purpose of Processing: Security Backups
Personal Data required: Account data
Sub-processors: Amazon Web Services
Location: Ireland, Germany
Purpose of Processing: System Delivery and Management
Personal Data required: Account data
Sub-processors: Platform Science Inc.
Location: USA
Purpose of Processing: Show traces on maps, calculate ETAs, edit and improve map data
Personal Data required: for a detailed overview of the different Trimble maps components see https://maps.trimble.com/privacy/
Sub-processors: Trimble Maps
Location: for a detailed overview of the different Trimble maps components see https://maps.trimble.com/privacy/
SCHEDULE 2 - Technical and Organizational Security Measures
Where applicable, this Schedule 2 will serve also as Annex II to the EU Standard Contractual Clauses.
Technical and Organizational Security Measure
1. Measures of pseudonymisation and encryption of personal data
Where possible, Platform Science encrypts Data transmitted between customers and the Platform Science application over public networks using TLS 1.2 or higher. Customer Data stored on Platform Science managed systems (for AICPA certified products - see item 7 below for more information) is encrypted using AES 256 or stronger ciphers.
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Platform Science has dedicated Cybersecurity personnel responsible for oversight of security and privacy. It has appointed Cybersecurity and Privacy leadership in addition to an Office of Data Protection, together with an Engineering Leadership Council which meets quarterly to discuss privacy and security risks managed within Sector product portfolios. In addition, product risk is tracked in an internal portal with compliance monitoring performed monthly.
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
In order to support availability of Platform Science SaaS products, Platform Science leverages industry leading cloud service providers (Amazon Web Services (AWS) and Microsoft Azure) for auto-scaling, geographically diverse data centers, extensive application and infrastructure monitoring, and 24x7 support mechanisms.
Platform Science maintains backups of data stores, including Customer Data, that support the primary functionalities of the Platform Science applications. Backups are stored in a location geographically-separated from the primary data storage location where possible.
In addition to the measures of our service providers, Platform Science maintains a security incident response function that includes a documented Incident Response Policy and plan to triage security events and incidents involving Customer Data. This defines response protocol such as containment, eradication, restoration and communication activities for security incidents, as well as roles and responsibilities of Platform Science personnel and a requirement for post-incident reviews with Platform Science Management.
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Platform Science employs independent third parties to conduct periodic penetration testing, including Sarbanes-Oxley, PCI, SOC 1, Type II, SOC 2 Type II, ISO27001 or NIST 800-171 equivalent audits on an annual basis where required for regulatory compliance. In addition, Platform Science conducts regular internal vulnerability testing and penetration testing on applicable products and platforms in conjunction with Platform Science’s Cybersecurity program and policy requirements. Platform Science may perform assessments of new vendors or partners if the business risk warrants review. Platform Science encourages 3rd parties to report any cybersecurity issues, incidents and vulnerabilities associated with our products, services or websites.
5. Measures for user identification and authorisation
For products leveraging Platform Science ID (TID, Platform Science Identity) for authentication, Platform Science processes the password securely. In addition, some Platform Science products may support Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML) and Multifactor Authentication (MFA).
6. Measures for the protection of data during transmission
As per item 1, Platform Science encrypts Customer Data transmitted over public networks between customers and the Platform Science application using current encryption ciphers whenever possible.
7. Measures for the protection of data during storage
As per item 1, Customer Data stored on Platform Science managed data storage is encrypted using AES 256 or stronger for any Platform Science products currently AICPA SOC 1, Type II, SOC 2, Type II or NIST 800-171 certified. Refer to Item 11 for more detailed information.
8. Measures for ensuring physical security of locations at which personal data are processed
Platform Science SaaS products, applications and services are typically hosted with Customer Data stored within data centers provided by Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP). As such, Platform Science relies on the physical, environmental and infrastructure controls of these platforms. Platform Science periodically reviews certifications and third-party attestations provided by these providers relating to the effectiveness of their data center controls.
9. Measures for ensuring events logging
Platform Science maintains many cybersecurity tooling logs and application and infrastructure security audit logs. Security logs are analyzed using SIEM technology in combination with event correlation to detect anomalous activity.
10. Measures for ensuring system configuration, including default configuration
Platform Science leverages common industry standards to strengthen cybersecurity through secure configuration and defense in depth. Platform Science applies security patches to its systems in accordance with the Platform Science Secure Development Lifecycle Policy (TSDLCP).
11. Measures for internal IT and IT security governance and management
For SOC 1, Type II, SOC 2, Type II or NIST 800-171 Platform Science certified products, personnel with access to Customer Data leverage role-based and least privilege principles for access control. Staff are only provided with sufficient access to Customer Data to be able to carry out their job duties securely. Remote network access to Platform Science systems requires encrypted communication via secured protocols and use of multi-factor authentication. Platform Science has established and will maintain procedures for password management for this personnel demographic, designed to ensure passwords are unique to each individual, and inaccessible to unauthorized persons, including at minimum:
● cryptographically protecting passwords when stored in computer systems or in transit over any public network;
● altering default passwords from vendors;
● education on good password practices such as using passphrases; and
● staff access to production infrastructure requires multi-factor authentication (MFA).
For ISO 27001 certificate compliance and to ensure proper and effective use of cryptography to protect the confidentiality and integrity of data owned or managed by Platform Science In-Scope Divisions, data classified as Confidential or Restricted must be encrypted by the use of valid encryption processes for data at rest and in motion as required by regulation and/or Risk Assessment. This includes but is not limited to sensitive information stored on mobile devices, removable drives and laptop computers. Platform Science In-Scope Divisions will employ only unmodified, commercial cryptography applications to encrypt data at rest and/or in-transit.
Platform Science staff are subject to confidentiality obligations and various policies, such as Acceptable Use, Data Classification, Secure Destruction and MFA. Platform Science requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter. Platform Science also requires its staff to undergo privacy training annually (including to comply with GDPR).
For applicable products, Platform Science has implemented security and privacy by design principles, including but not limited to, threat modeling and product application penetration tests.
12. Measures for certification/assurance of processes and products
Platform Science will maintain SOC 2, Type II, ISO 27001 or NIST 800-171 certifications, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard for applicable products.
Platform Science will maintain information security policies that meet the requirements of the ISO 27001 standard, an internal audit program that assesses Platform Science’s ISMS and information security controls, and a management committee that is responsible for oversight of Platform Science’s Information Security Management System (ISMS).
13. Measures for ensuring data minimization
Platform Science may allow visitors to use certain functionalities of some products anonymously and minimizes the Data it requires from Customers to only what is necessary to provide the service requested under localized laws and regulations.
14. Measures for ensuring data quality
Platform Science ensures the quality of its data through various verification mechanisms unique to applicable Platform Science products. Platform Science may also allow product users to update the information in their accounts themselves or via requests to its customer support functions.
15. Measures for ensuring limited data retention
Platform Science can implement the Data Retention Policy of the Customer setting out the retention periods for various types of data.
16. Measures for allowing data portability and ensuring erasure
Applicable Platform Science products have a process for deleting Customer Data within 30 days of receiving customer verified written requests and may enable the download of Customer Data to provide to alternative service providers as required by GDPR.
17. Third Party (Sub-processor) Control and Management
Platform Science only employs sub-processors that process personal data on Platform Science’s behalf as part of applicable subscription services in compliance with Data Protection Laws and Regulations. Platform Science also verifies, before choosing a sub-processor and transferring any data, the sub-processor’s technical and organizational measures to ensure a level of security appropriate to the risk of its customers’ data processing. Platform Science also takes reasonable measures to ensure security of the transfers of Customer Data to third party Sub-processors. At a minimum, such measures include identifying the risks to Customer and Data Subject rights based upon nature, scope and context of processing; reviewing the security and data protection controls implemented by the Sub-processor to protect Customer Data (including SOC 2 Type II audit reports and/or ISO 27001 certificates as applicable); imposing data protection contractual terms that protect personal data to the same or similar standard Platform Science is obligated to provide its customers (including valid cross border transfer mechanisms, sub-processor management, and compliance programs); requiring the Sub-processor to only process Customer Data on behalf of Platform Science and its customers; and limiting its processing of Customer Data to the scope of Platform Science’s instructions.
SCHEDULE 3 – JURISDICTION SPECIFIC TERMS
1. European Economic Area (EEA):
1.1 The definition of “Data Protection Laws and Regulations” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
1.2 When Platform Science engages a sub-processor under Section 5.1 (Authorization for Onward Sub-processing) of this DPA, it will:
(a) require any appointed sub-processor to protect the Customer Data to the standard required by Data Protection Laws and Regulations and impose the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on the basis of the EU Standard Contractual Clauses or pursuant to Binding Corporate Rules approved by competent European Union data protection authorities.
1.3 Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
1.4 Customer acknowledges that Platform Science, as a controller, may be required under Data Protection Laws and Regulations to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Platform Science to notify impacted data subjects with whom Platform Science does not have a direct relationship (e.g., Customer’s end users), Platform Science will notify Customer of this requirement. Customer will provide reasonable assistance to Platform Science to notify the impacted data subjects.
2. United Kingdom (UK):
2.1 References in this DPA to “GDPR” will be deemed references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and Data Protection Act 2018.
2.2 When Platform Science engages a sub-processor under Section 5.1 (Authorization for Onward Sub-processing) of this DPA, it will:
(a) require any appointed sub-processor to protect the Customer Data to the standard required by Data Protection Laws and Regulations, such as including the same data protection obligations referred to in Article 28(3) of the UK GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the UK GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement or the EU Standard Contractual Clauses and the UK International Data Transfer Addendum or pursuant to Binding Corporate Rules approved by competent United Kingdom data protection authorities.
2.3 Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
2.4 Customer acknowledges that Platform Science, as a controller, may be required under Data Protection Laws and Regulations to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Platform Science to notify impacted data subjects with whom Platform Science does not have a direct relationship (e.g., Customer’s end users), Platform Science will notify Customer of this requirement. Customer will provide reasonable assistance to Platform Science to notify the impacted data subjects.
3. Switzerland:
3.1 The definition of “Data Protection Laws and Regulations” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
3.2 When Platform Science engages a sub-processor under Section 5.1 (Authorization for Onward Sub-processing) of this DPA, it will:
(a) require any appointed sub-processor to protect the Customer Data to the standard required by Data Protection Laws and Regulations, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the FADP, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses including the amendments named in Section 3.3 or pursuant to Binding Corporate Rules approved by competent European Union or Swiss data protection authorities.
3.3 To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.3 of Schedule 3 (EU Standard Contractual Clauses), the parties agree that all amendments shall be made to the EU Standard Contractual Clauses that are deemed as necessary by the Swiss Federal Data Protection and Information Commissioner. Specifically, these are at the time of conclusion of the DPA:
(a) references to “EU Member State” and “Member State” will be interpreted to include Switzerland, and
(b) insofar as the transfer or onward transfers are subject to the FADP:
(i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
(ii) the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
(iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
(v) Clause 18(c) of the EU Standard Contractual Clauses applies whereas a data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland where the data subject has their habitual residence.
4. Australia:
4.1 The definition of “Data Protection Laws and Regulations” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
4.2 The definition of “personal data” includes “Personal Information” as defined under Data Protection Laws and Regulations.
4.3 The definition of “Sensitive Data” includes “Sensitive Information” as defined under Data Protection Laws and Regulations.
SCHEDULE 4 - CROSS BORDER TRANSFER MECHANISM
(Applies to Data transferred from the EU, EEA, UK and Switzerland)
1. Definitions
● “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
● “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
● "Data Privacy Framework" means the EU-US and/or Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce.
● "Data Privacy Principles" means the Data Privacy Framework principles (as supplemented by the Supplemental Principles).
2. Cross Border Data Transfer Mechanisms
2.1 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Framework as referenced in Section 2.2 (Data Privacy Framework) of this Schedule; (b) the EU Standard Contractual Clauses as referenced in Section 2.3 (EU Standard Contractual Clauses) of this Schedule; (c) the UK International Data Transfer Addendum as referenced in Section 2.4 (UK International Data Transfer Addendum) of this Schedule; and, if neither (a), (b), (c), nor (d) is applicable, then (e) other applicable data Transfer Mechanisms permitted under Data Protection Laws and Regulations.
2.2 Data Privacy Framework. To the extent Platform Science Inc. processes any Personal Data via the Services originating from the EEA or Switzerland, Platform Science Inc. is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such personal data. To the extent that Customer is (a) located in the United States of America and is also self-certified under the Data Privacy Framework or (b) located in the EEA or Switzerland, Platform Science further agrees (i) to provide at least the same level of protection to any Personal Data as required by the Data Privacy Principles; (ii) to notify Customer in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, an alternative Transfer Mechanism will apply in accordance with the order of precedence in Section 2.1 (Order of Precedence) of this Schedule 4); and (iii) upon written notice, to work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of personal data.
2.3 EU Standard Contractual Clauses. The EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the EEA, Switzerland, or UK either directly or via onward transfer, to any country or recipient outside the EEA, Switzerland or UK that is not recognized by the relevant competent authority as providing an adequate level of protection for personal data. For data transfers that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:
(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where (i) Platform Science is processing Customer Account Data and (ii) Customer is a controller of Customer Usage Data and Platform Science is processing Customer Usage Data;
(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of the Personal Data and Platform Science is processing Personal Data on Customer’s behalf;
(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Personal Data and Platform Science is processing as sub-processor on Customer’s behalf; and
(e) For each Module, where applicable:
(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause shall not apply;
(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 5.2 (Current Sub-processors and Notification of Sub-processor Changes) of this DPA;
(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;
(iv) Identify the competent supervisory authority/ies in accordance with clause 13:
(v) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Dutch law;
(vi) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Amsterdam, the Netherlands;
(vii) in Annex I, Part A of the EU Standard Contractual Clauses:
Data Exporter: Customer (if the box on page 6 is checked).
Contact details: The email address(es) designated by Customer in Customer’s account via its notification preferences.
Data Exporter Role: The Data Exporter’s role is set forth on page 6.
Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
Data Importer: Platform Science Inc.
Contact details: Platform Science Privacy Team - [email protected]
Data Importer Role: The Data Importer’s role is set forth on page 6
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
(viii) in Annex I, Part B of the EU Standard Contractual Clauses:
The categories of data subjects are set forth in Section 1 of Schedule 1 (Description of Processing) of this DPA.
The Sensitive Data transferred is set forth in Section 3 of Schedule 1 (Description of Processing) of this DPA.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is set forth in Section 5 of Schedule 1 (Description of Processing) of this DPA.
The purpose of the processing is set forth in Section 6 of Schedule 1 (Description of Processing) of this DPA.
The period for which the personal data will be retained is set forth in Section 7 of Schedule 1 (Description of Processing) of this DPA.
For transfers to sub-processors, the subject matter, nature, and duration of the processing listed in Section 8 of Schedule 1.
(ix) in Annex I, Part C of the EU Standard Contractual Clauses: Where a Platform Science entity residing in the EU is the Data Exporter, the competent supervisory authority is the supervisory authority of the member state the Platform Science entity resides in. Where the Customer is the Data Exporter, the competent supervisory authority is the supervisory authority of the member state the Platform Science entity resides in. In any other case, the Dutch Data Protection Commission will be the competent supervisory authority; and
(x) Schedule 2 (Technical and Organizational Security Measures) of this DPA serves as Annex II of the EU Standard Contractual Clauses.
2.4 UK Extension to the Data Privacy Framework and International Data Transfer Addendum. Customer and Platform Science agree that the UK Extension to the Data Privacy Framework will apply, and in absence of such, the EU Standard Contractual Clauses and the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses in its most recent version will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, the EU Standard Contractual Clauses will be deemed entered into, and incorporated into this DPA as described in Section 2.3 of this Section 4 and the UK International Data Transfer Addendum will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:
(a) In Table 1 of the UK International Data Transfer Addendum, Customer's and Platform Science's details and key contact information are set forth in Section 2.3 (e)(vii) of this Schedule 3;
(b) In Table 2 of the UK International Data Transfer Addendum, information about the version of the EU Standard Contractual Clauses, and selected clauses, which the UK International Data Transfer Addendum is appended to, are set forth in Section 2.3 (EU Standard Contractual Clauses) of this Schedule 4;
(c) In Table 3 of the UK International Data Transfer Addendum:
(i) The list of Parties is set forth in Section 2.3(e)(vii) of this Schedule 3.
(ii) The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing).
(iii) Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this DPA, and
(iv) The list of sub-processors is set forth in clause 8 of Schedule 1.
(d) In Table 4 of the UK International Data Transfer Addendum, both the Importer and the Exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Addendum.
2.5 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this DPA, including Schedule 4 (Jurisdiction Specific Terms), the Agreement, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Addendum, as applicable, will prevail.
© Platform Science