The English version of this document is considered the legally binding original. Automated translations are provided only for convenience. In case of contradiction, the English original is valid.
1 PREAMBLE
1.1 This Data Processing Agreement ("DPA") forms an integral part of the agreement between linkyard ("Provider") and the customer ("Customer") regarding Phonemos and related services (the "Agreement"). The Agreement and this DPA may be concluded by (i) signature of a contract, order form or other contractual document, (ii) acceptance of an offer, quotation or order issued by Provider, (iii) click acceptance, (iv) placement of an order or payment of an invoice, or (v) access to or use of the services, whichever occurs first.
1.2 For the purposes of this DPA, "Applicable Data Protection Law" means the Swiss Federal Act on Data Protection ("FADP"), the Ordinance to the FADP and, to the extent applicable to the Processing, Regulation (EU) 2016/679 ("GDPR") and other mandatory data protection laws.
1.3 Customer acts as controller (or equivalent under Applicable Data Protection Law) with respect to Customer Data processed under the Agreement. Provider acts as processor (or equivalent) except to the extent Provider processes personal data for its own independent purposes as permitted by the Agreement or required by law.
1.4 All content uploaded or stored by or on behalf of Customer in a Phonemos instance remains Customer Data. As between the parties, Customer retains all rights, title and interests in and to Customer Data.
1.5 This DPA applies exclusively to the Processing of Customer Data by Provider on behalf of Customer in connection with the services under the Agreement.
2 NATURE, SCOPE, PURPOSE AND DURATION OF THE PROCESSING
2.1 Provider shall process Customer Data only on behalf of and in accordance with Customer's documented instructions, this DPA and the Agreement, unless otherwise required by applicable law.
2.2 The subject matter, nature, purpose, categories of data subjects and categories of personal data are described in the Annex "Client Data" to this DPA. Processing includes hosting, storage, organisation, retrieval, transmission, support, maintenance, backup, security monitoring and related service delivery activities.
2.3 The duration of the Processing corresponds to the term of the Agreement plus any period reasonably required for transition, backup cycling, return and deletion as provided in Section 10.
2.4 Provider may process Customer Data in Switzerland, the European Economic Area, the United Kingdom and in other jurisdictions permitted under Applicable Data Protection Law, including through approved subprocessors. Any transfer to a jurisdiction that does not provide an adequate level of protection shall be subject to a lawful transfer mechanism under Applicable Data Protection Law.
2.5 If Provider is legally required to process Customer Data otherwise, Provider shall inform Customer before such Processing unless such information is prohibited by law.
3 POWERS OF INSTRUCTION OF THE CUSTOMER
3.1 Customer may issue documented instructions regarding the Processing of Customer Data within the scope of the Agreement and this DPA. Instructions shall be binding only to the extent they are reasonable, necessary for compliance and technically feasible.
3.2 Provider may refuse or suspend the implementation of any instruction that is unlawful, contradictory, outside the scope of the Agreement or this DPA, compromises the security, confidentiality, integrity or availability of the services, or requires disproportionate effort or material changes unless the parties agree on corresponding adjustments, timelines and fees.
3.3 Oral instructions must be confirmed by Customer in text form without undue delay. Until such confirmation is received, Provider may postpone implementation.
3.4 If Customer issues individual instructions that go beyond the contractually agreed scope of services, Customer shall reimburse Provider for the resulting additional effort at the agreed rates or, absent such agreement, at Provider's then-current standard rates.
3.5 Provider shall inform Customer without undue delay if, in Provider's opinion, an instruction infringes Applicable Data Protection Law.
4 OBLIGATIONS OF THE CUSTOMER
4.1 Customer is solely responsible for the lawfulness of the Processing, the existence of a valid legal basis, the permissibility of the instructions, the accuracy and quality of Customer Data and the protection of data subject rights.
4.2 Customer shall provide all notices and obtain all consents, authorisations and permissions required under Applicable Data Protection Law, to the extent such notices, consents, authorisations or permissions are Customer's responsibility.
4.3 Customer shall inform Provider without undue delay if it identifies errors, unlawful instructions, inaccurate Customer Data or other irregularities relevant to the Processing.
4.4 Customer shall indemnify and hold harmless Provider from third-party claims, administrative measures, damages, costs and expenses arising from Customer's breach of this DPA, the Agreement or Applicable Data Protection Law, or from unlawful instructions, except to the extent caused by Provider's breach of this DPA or the Agreement or by Provider's intent or gross negligence.
5 OBLIGATIONS OF THE PROVIDER
5.1 Provider shall implement and maintain appropriate technical and organisational measures designed to protect Customer Data, taking into account the state of the art, the nature of the Processing and the risks for data subjects. The measures are described in the Annex "Technical and Organisational Measures" to this DPA.
5.2 Provider may modify the technical and organisational measures from time to time, provided that the overall level of security is not materially reduced.
5.3 Provider shall ensure that persons authorised to process Customer Data are bound by confidentiality obligations.
5.4 Provider shall designate a data protection officer or other responsible contact where and for so long as required by Applicable Data Protection Law. Contact details will be provided upon request.
5.5 Provider shall assist Customer, to the extent reasonably possible and taking into account the nature of the Processing, with responding to data subject requests and complying with mandatory obligations regarding security, breach notifications, data protection impact assessments and consultations with supervisory authorities. Unless the need for assistance arises from Provider's breach, such assistance shall be reimbursable at Provider's then-current rates.
5.6 Provider shall make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, primarily through current documentation, certifications, audit reports and questionnaire responses in accordance with Section 7.
5.7 Provider shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data and shall provide information reasonably available to Provider and necessary for Customer to assess and meet its notification obligations.
5.8 Provider shall inform Customer, unless legally prohibited, of binding requests by public authorities for access to Customer Data and of material supervisory authority measures relating specifically to the Processing of Customer Data under this DPA.
5.9 Provider shall not sell Customer Data and shall not use Customer Data for its own unrelated purposes. Provider may process Customer Data as necessary to provide, secure, maintain, support and improve the services as permitted by the Agreement and Applicable Data Protection Law.
6 PERSONAL DATA BREACHES AND ASSISTANCE
6.1 Provider shall maintain procedures to detect, respond to and investigate Personal Data Breaches.
6.2 Provider shall provide reasonable assistance to Customer regarding security, breach notifications, data protection impact assessments and consultations with supervisory authorities, to the extent required by Applicable Data Protection Law and reasonably possible in view of the information available to Provider.
6.3 Unless the relevant assistance is required due to Provider's breach of this DPA or Applicable Data Protection Law, Customer shall reimburse Provider for reasonable internal and external costs incurred in providing such assistance.
7 AUDITS AND CONTROLS
7.1 Customer may, at its own expense, verify Provider's compliance with this DPA no more than once per calendar year, unless a Personal Data Breach, substantiated regulatory inquiry or other special circumstance reasonably requires an additional audit.
7.2 Audits shall be conducted during normal business hours, with at least thirty (30) days' prior written notice, without disrupting Provider's operations and subject to appropriate confidentiality obligations.
7.3 Before any on-site audit, Customer shall first make reasonable use of documentation, certifications, audit reports and questionnaires provided by Provider. An on-site audit may be requested only if those materials are insufficient to demonstrate compliance and the requested audit is proportionate.
7.4 Customer may not access information relating to other customers, Provider's internal pricing, non-relevant security architecture details, source code, penetration test reports, vulnerability details or trade secrets, except to the extent strictly necessary and subject to additional safeguards determined by Provider.
7.5 Provider may satisfy audit rights by providing current third-party audit reports, certifications or comparable evidence, to the extent such materials reasonably demonstrate compliance with this DPA.
7.6 If Customer appoints a third-party auditor, such auditor must not be a competitor of Provider and must be bound by confidentiality obligations at least equivalent to those set out in the Agreement.
7.7 Customer shall reimburse Provider for reasonable costs of supporting audits unless the audit demonstrates a material breach of this DPA by Provider.
8 SUBPROCESSORS
8.1 Customer grants Provider a general authorisation to engage subprocessors for the Processing of Customer Data in connection with the services.
8.2 Provider shall maintain a current list or policy (the "Subprocessor Policy (Phonemos Cloud)") regarding its subprocessors and shall notify Customer of material changes to subprocessors, for example by updating the Subprocessor Policy or by electronic notice.
8.3 Customer may object to a new subprocessor within fifteen (15) days after notice if Customer can demonstrate reasonable grounds relating to data protection or information security. If the parties cannot resolve the objection in good faith, Provider may choose not to appoint the relevant subprocessor or Customer may terminate the affected service with effect from the date the new subprocessor is introduced.
8.4 Provider shall impose on each subprocessor data protection obligations that are materially no less protective than those set out in this DPA, to the extent applicable to the services performed by such subprocessor.
8.5 Ancillary support services, such as telecommunications, postal or courier services, security services, maintenance services, waste disposal, cleaning, auditors or banking services, do not constitute subprocessors where they do not process Customer Data as part of the core service delivery in a manner requiring a processor or subprocessor arrangement under Applicable Data Protection Law.
9 DATA SUBJECT REQUESTS
9.1 Customer is responsible for responding to requests from data subjects and supervisory authorities, unless Applicable Data Protection Law expressly requires Provider to act.
9.2 If a data subject or supervisory authority contacts Provider directly regarding Customer Data, Provider may refer the request to Customer and, where appropriate, provide reasonable assistance.
9.3 Provider shall, to the extent technically feasible and reasonably possible within the services, enable Customer to rectify, erase, restrict or export Customer Data, or shall carry out such actions on Customer's documented instruction where Customer cannot do so itself.
10 RETURN AND DELETION OF CUSTOMER DATA
10.1 Upon termination or expiry of the Agreement, Provider shall, at Customer's choice and to the extent technically feasible, return and/or delete Customer Data within a reasonable period, unless applicable law requires further retention or the Agreement provides otherwise.
10.2 Backup copies and system logs may be retained for a limited period in accordance with Provider's backup cycles, disaster recovery procedures and legal retention obligations, provided that such data remains protected and is not processed for any other purpose.
10.3 Upon Customer's written request, Provider shall confirm completion of deletion, provided that Provider may charge reasonable costs for non-standard confirmation or extraction work.
11 LIABILITY
11.1 The liability of the parties under or in connection with this DPA shall be governed by the liability regime set out in the Agreement, subject always to mandatory provisions of Applicable Data Protection Law.
11.2 In the internal relationship between the parties, Customer shall be responsible for damages, claims, fines, penalties, costs and expenses arising from Customer's role as controller, from unlawful or incomplete instructions, or from Customer's failure to comply with Applicable Data Protection Law, except to the extent caused by Provider's breach of this DPA or the Agreement or by Provider's intent or gross negligence.
11.3 Provider shall be responsible in the internal relationship for damages, claims, fines, penalties, costs and expenses to the extent caused by Provider's breach of this DPA, the Agreement or Applicable Data Protection Law applicable specifically to Provider as processor.
11.4 If a supervisory authority or court imposes a fine or measure on Provider that is caused by Customer's unlawful instructions, missing legal basis, unlawful data collection or other breach attributable to Customer, Customer shall reimburse Provider for the relevant amounts and reasonable defence costs, except to the extent the fine or measure was caused by Provider's own breach, intent or gross negligence.
12 CONFIDENTIALITY
12.1 "Confidential Information" means all non-public information, data and documents disclosed or made available in connection with the Agreement or this DPA, including analyses, summaries and extracts derived therefrom.
12.2 Confidential Information does not include information that the receiving party can demonstrate (i) was already lawfully known to it without confidentiality obligation, (ii) is or becomes public without breach, (iii) is lawfully received from a third party without confidentiality obligation or (iv) is independently developed without use of the disclosing party's Confidential Information.
12.3 Each party shall protect the Confidential Information of the other party with appropriate care and may disclose it only to its personnel, affiliates, advisers and approved subprocessors who need to know it and are bound by confidentiality obligations. A party may also disclose Confidential Information to the extent required by law or by a binding order, provided that, where legally permissible, it gives prior notice and reasonably cooperates with the other party.
12.4 The confidentiality obligations survive termination of the Agreement and this DPA.
13 FINAL PROVISIONS
13.1 This DPA forms an integral part of the Agreement. In the event of a conflict between this DPA and other contractual documents, this DPA shall prevail with respect to data protection matters.
13.2 Swiss law applies, excluding conflict-of-laws rules, subject to mandatory provisions of Applicable Data Protection Law. The competent courts at the seat of Provider shall have exclusive jurisdiction unless mandatory law provides otherwise.
13.3 If any provision of this DPA is invalid or unenforceable, the remaining provisions shall remain unaffected. The invalid provision shall be replaced by a valid provision that most closely reflects the economic purpose of the invalid provision.