DATA PROCESSING ADDENDUM
Last updated: 24.11.2025
This Data Processing Addendum (hereinafter "DPA") supplements MYTAXICRM - FZCO Terms of Use ("Terms"), an agreement between you ("you", "your", "User", "Customer") and MYTAXICRM - FZCO ("MyTaxiCRM", "Company") which governs the processing of personal data that the Customer transmits or otherwise provides to MyTaxiCRM, hereinafter referred to individually as a "Party" or together as the "Parties".
This DPA governs the processing of personal data that the Customer provides to the Company in connection with the use of the Company's services (together the "Services"), as well as any personal data that the Company obtains in the course of performing the Services for the Customer.
Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings set forth in the Terms. This DPA shall remain in force until the termination of the Terms between you and us governing your use of the Services. In the event of any conflict between this DPA and the Terms, the provisions of this DPA shall prevail with respect to the processing of personal data.
1. Definitions
"Standard Contractual Clauses ("SCCs")" means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
"General Data Protection Regulation ("GDPR")" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"Personal Data Protection Law ("PDPL")" means the UAE's Federal Decree by Law No. (45) of 2021 Concerning the Protection of Personal Data.
"Controller", "processor", "data subject", "personal data", and "processing" have the meanings given in the GDPR, PDPL and Other Data Protection Laws and Regulations.
"Customer Data" means personal data that the Customer acting as a data controller provides to the Company acting as a data processor in connection with the services provided by the Company or any other personal data with respect to which the Customer is a data controller and the Company is a data processor.
"Other Data Protection Laws and Regulations" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Arab Emirates, applicable to the processing of personal data.
"Sub-processor" means any contractor or entity (if applicable) which provides processing services to the Company in furtherance of the Company's processing on behalf of the Customer.
"Public Authority" means a government agency or law enforcement authority, including judicial authorities.
"Supervisory Authority" means an independent public authority to be responsible for monitoring the application of the data protection legislation.
2. Governing law
This DPA shall be governed by the laws of the United Arab Emirates. Notwithstanding the foregoing, for the purpose of data transfers under GDPR as defined in Section 8.2., the governing law shall be the law of a Member State of the European Union that recognises the enforcement of third-party beneficiary rights. For the purpose of data transfers under GDPR, the Parties agree that the law defined in Section 8.2. shall apply.
3. Roles
Customer acknowledges and agrees that with regard to the data processing under this DPA, Customer shall act as a data controller and MyTaxiCRM shall act as a data processor under the GDPR, PDPL, and Other Data Protection Laws and Regulations.
4. Instructions
The Parties agree that this DPA and the Terms constitute Customer's complete and final documented instructions regarding the processing by MyTaxiCRM of the Customer Data on the Customer's behalf (the "Instructions"). Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Terms.
5. Obligations
5.1. MyTaxiCRM's Obligations
5.1.1. General Obligations
With regard to the processing of the Customer Data, MyTaxiCRM shall:
- process the Customer Data only for established purposes, using appropriate technical and organisational security measures, and in compliance with the instructions received from the Customer subject to Section 4 of this DPA;
- inform the Customer if MyTaxiCRM cannot comply with its obligations under this DPA, in which case the Customer may terminate the agreement between Parties or take any other reasonable actions, including suspending data processing operations;
- inform the Customer if, at MyTaxiCRM's discretion, the Customer's Instruction may be in violation of the provisions of the GDPR, PDPL or Other Data Protection Laws and Regulations;
- follow the Customer's instructions regarding the collection of the Customer Data (including with regard to the provision of notice and exercise of choice) in case MyTaxiCRM is obtaining the Customer Data from data subjects on behalf of the Customer under the Terms;
- take reasonable steps to ensure that any Sub-processor to whom MyTaxiCRM authorises access to the Customer Data on its behalf complies with respective provisions of the Terms and this DPA;
- keep records of processing activities carried out on behalf of the Customer under this DPA and present such records to the Customer upon request;
- make available to the Customer all information necessary to demonstrate compliance with MyTaxiCRM's obligations under this DPA, the GDPR, PDPL and Other Data Protection Laws and Regulations.
5.1.2. Notices to the Customer
Upon becoming aware, MyTaxiCRM shall inform the Customer of any legally binding request for disclosure of the Customer Data by a Public Authority unless MyTaxiCRM is otherwise forbidden by law to inform the Customer, for instance, to preserve the confidentiality of investigation by a Public Authority. MyTaxiCRM will inform the Customer if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of the Customer Data under this DPA and Terms.
5.1.3. Security Measures
MyTaxiCRM shall implement and maintain appropriate technical and organisational measures to protect the Customer Data from personal data breaches (the "Security Incidents") in accordance with MyTaxiCRM's security standards set out in Schedule 2 of this DPA. The Customer acknowledges that security measures are subject to technical progress so that MyTaxiCRM may modify or update Schedule 2 at its discretion, provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA at the time of signing this DPA.
5.1.4. Security Incident
Upon becoming aware of a Security Incident, MyTaxiCRM shall:
- notify the Customer without undue delay after it becomes aware of the Security Incident;
- provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by the Customer, including the nature of the Security Incident, the categories and approximate number of data subjects and personal data records concerned (where possible), the likely consequences, measures taken or proposed to be taken by the Customer to address the Security Incident (including, where appropriate, measures to mitigate its possible adverse effects), and the details of the contact person where more information can be obtained; and
- promptly take reasonable steps to contain and investigate any Security Incident so that the Customer can notify competent authorities and/or affected data subjects of the Security Incident. MyTaxiCRM's notification of or response to a Security Incident shall not be construed as an acknowledgement by MyTaxiCRM of any fault or liability regarding the Security Incident.
5.1.5. Confidentiality
MyTaxiCRM will not access, use, or disclose to any third party any Customer Data, except, in each case, as necessary to maintain or as necessary to comply with contractual and legal obligations or binding order of a public body (such as a subpoena or court order). MyTaxiCRM shall ensure that any employee/contractor to whom it authorises access to the Customer Data on its behalf (if applicable) is subject to appropriate confidentiality contractual or statutory duty obligations with respect to the Customer Data, including after the end of their respective employment or termination or expiration of the contract.
5.1.6. Return or Deletion of the Customer Data
At the choice of the Customer, MyTaxiCRM shall delete or return all personal data relating to processing to the Customer after the end of the provision of services and delete existing copies and shall cause any sub-processors to do the same, unless law requires storage of the personal data.
5.1.7. Reasonable Assistance
MyTaxiCRM agrees to provide reasonable assistance to the Customer regarding:
- any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of the Customer Data that MyTaxiCRM processes on behalf of the Customer. In the event that a data subject sends such a request directly to the Company, Section 6 of this DPA shall apply;
- the investigation of Security Incidents and communication of necessary notifications regarding such Security Incidents subject to Section 5.1.4 of this DPA;
- preparation of data protection impact assessments and, where necessary, consultation of the Customer with the Supervisory Authority under Articles 35 and 36 of the GDPR.
5.1.8. Audit and Certification
5.1.8.1. Supervisory Authority Audit
If a Supervisory Authority requires an audit of the data processing facilities from which the Company processes the Customer Data to ascertain or monitor the Customer's compliance with the GDPR, PDPL or Other Data Protection Laws and Regulations, the Company will cooperate with such audit. The Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time the Company expends for any such audit, in addition to the rates for services performed by the Company.
5.1.8.2. Audits
The Customer may, prior to the commencement of processing and at regular intervals after that, audit the technical and organisational measures taken by the Company. If the Customer is the controller with respect to the personal data processed by the Company on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to the Company's business operations, the Company may provide the Customer with all information necessary to demonstrate compliance with its obligations laid down in Article 28 of the GDPR or Article 8 of the PDPL and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer with respect to such processing.
The Company shall, upon the Customer's written request and within a reasonable period, provide the Customer with all information necessary for such audit, to the extent that such information is within the Company's control and the Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
5.2. Customer's Obligations
Within the scope of the DPA, the Customer acts as a data controller, and shall be responsible for complying with all requirements that apply to the Customer as a data controller under the GDPR, PDPL and Other Data Protection Laws and Regulations. The Customer represents and warrants that the Customer shall be responsible for:
- the accuracy, quality, integrity, confidentiality and security of collected Customer Data;
- complying with all necessary transparency, lawfulness, fairness and other requirements under GDPR, PDPL and Other Data Protection Laws and Regulations for the collection and use of personal data by:
  - establishing and maintaining the procedure for the exercise of the rights of the data subjects whose personal data are processed on behalf of the Customer;
  - providing MyTaxiCRM only with personal data that has been lawfully and validly obtained and ensuring that such personal data will be relevant and proportionate to the respective uses;
  - ensuring compliance with the provisions of this DPA and service agreement by the Customer's personnel or by any third-party accessing or using the Customer Data on the Customer's behalf.
- ensuring that the Customer's Instructions to MyTaxiCRM regarding the processing of the Customer Data comply with the GDPR, PDPL and Other Data Protection Laws and Regulations, including complying with principles of data minimisation, purpose and storage limitation; and
- complying with all applicable laws, rules, and regulations (including the GDPR, PDPL and Other Data Protection Laws and Regulations) in respect to any Instructions the Customer issues to MyTaxiCRM.
6. Data Subject Request
In the event that a data subject contacts MyTaxiCRM with regard to the exercise of their rights under the GDPR, PDPL and Other Data Protection Laws and Regulations (in particular, requests for access to, rectification or blocking of the Customer Data), MyTaxiCRM shall notify the Customer of such request.
MyTaxiCRM will use all reasonable efforts to forward such requests to the relevant party indicated in this Section. If MyTaxiCRM is legally required or authorised by the Customer to respond to such a request, it shall immediately notify the Customer and provide the Customer with a copy of the request unless MyTaxiCRM is legally prohibited from doing so.
7. Sub-processors
The Customer agrees that MyTaxiCRM may engage sub-processors in accordance with provisions set out in Clause 9 of EU SCCs (as defined in section 8 herein) to assist in fulfilling MyTaxiCRM's obligations. MyTaxiCRM agrees to inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes within the period specified in EU SCCs.
8. Data Transfers
8.1. Transfers of the Customer Data
Parties agree that when the processing of the Customer Data constitutes a transfer from the Customer as a data controller to MyTaxiCRM as a data processor under the GDPR, PDPL and Other Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses which are deemed to be incorporated into and form part of this DPA as further described in subsection 8.2. of this DPA. If and to the extent the EU SCCs, as applicable, conflict with any provision of the DPA, the EU SCCs shall prevail to the extent of such conflict.
8.2. Transfers under GDPR
When the processing of the Customer Data constitutes a "transfer" under the GDPR and in other cases under this DPA, Standard Contractual Clauses shall apply. When the Customer acts as a controller, and MyTaxiCRM acts as a data processor, Module Two of the EU SCCs shall apply.
For the purpose of the EU SCCs, the Customer acts as a data controller, and MyTaxiCRM acts as a data processor, the Customer is a "data exporter", and MyTaxiCRM is a "data importer".
The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs deemed to be completed are as follows:
- in Clause 7, the optional docking clause shall not apply;
- in Clause 9, Option 2 (General Written Authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing the data exporter in advance of any intended changes to the sub-processors list through the addition or replacement of sub-processors shall be 30 days;
- in Clause 11, the optional provision shall not apply;
- in Clause 13, a particular option shall apply depending on the specific case;
- in Clause 17, Option 1 shall apply. The Parties agree that this shall be the law of Poland;
- in Clause 18(b), disputes shall be resolved by the courts of Poland;
- Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;
- Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.
8.3. Transfers under PDPL
Under the PDPL, when the processing of the Customer Data constitutes a "transfer", this DPA shall apply. This DPA shall apply as an agreement between the Customer as a data controller and MyTaxiCRM as a data processor under Article 8(1) of the PDPL.
In cases described in Article 23(1) of the PDPL, this DPA shall apply as an agreement referred to in Article 23(1)(a) of the PDPL.
SCHEDULE 1 - DESCRIPTION OF PROCESSING
A. LIST OF PARTIES
Data exporter
Name: You, "Customer", "User"
Address: the relevant information is contained in the Customer's account.
Contact person's name, position and contact details: the relevant information is contained in the Customer's account
Activities relevant to the data transferred under these Clauses:
- data processing in the context of the provision of services to the Customer by MyTaxiCRM;
- data processing of the Customer's team, with whom MyTaxiCRM cooperates in the course of the provision of services.
Signature and date: the Parties agree that execution of Terms by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.
Role: data controller.
Data importer
Name: MYTAXICRM - FZCO
Address: Beach Resort 2804 Tower 2, Dubai, U.A.E.
Contact person's name, position and contact details: Manager Dmytro Glavatskyi, [email protected]
Activities relevant to the data transferred under these Clauses:
- data processing in the context of the provision of services to the Customer by MyTaxiCRM;
- data processing of the Customer's team, with whom MyTaxiCRM cooperates in the course of the provision of services.
Signature and date: the Parties agree that execution of Terms by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.
Role: data processor.
B. DESCRIPTION OF TRANSFER
1. Categories of data subjects whose personal data is transferred:
Customer's employees, contractors, partners, and other third parties, team members.
2. Categories of personal data transferred:
Customer Data: information about the Customer's employees, contractors, partners, and other third parties, team members, such as name, age, contact details, work details, financial and bank information, GPS tracking data, identity documents copies.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
The data importer may obtain access to the special categories of data (sensitive data) as defined by the data exporter.
The data importer takes technical and organisational measures, which are listed in Schedule 2, to protect personal data, including sensitive personal data, if any is transferred.
4. The frequency of the transfer:
The personal data is transferred on a continuous basis.
5. Nature of the processing:
Personal data processing consists of the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
6. Purpose(s) of the data transfer and further processing:
The main purpose of the data transfer and further processing is to provide the services by the Data importer to the Data exporter and fulfil the Data importer's obligations under the agreement signed between these parties, as well as to conduct project-related communications with the Data exporter's employees and team members.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The personal data shall be stored for the duration of this DPA concluded between the Data importer and the Data exporter unless otherwise agreed in writing or the Data importer is required by applicable law to retain some or all of the transferred personal data.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
subject matter: the performance of services
nature: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
duration: the performance of the services for the Data importer by the (sub-) processor under the service agreement concluded between the Data importer and (sub-) processor.
C. COMPETENT SUPERVISORY AUTHORITY
In accordance with Clause 13, the competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the Data Exporter.
SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL MEASURES
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing and the risks for the rights and freedoms of natural persons:
- The Data importer has implemented appropriate information security procedures to protect personal data against loss and destruction, including an information security-oriented approach throughout the project life.
- The Data importer has conducted access control. The personal data is subject to a strictly need-to-know principle of access and can be displayed to the authorised team members only.
- The Data importer has taken a number of steps to ensure physical security at locations where personal data is processed.
- All servers and workstations of the Data importer have proper security configurations and are continuously checked for vulnerabilities. Any vulnerabilities identified are addressed accordingly.
- The Data importer's security procedures are subject to regular reviews.
- The Data importer has implemented encryption of authorisation data and other security measures (hashing) when storing authorisation data.
Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
The transfer of personal data to MyTaxiCRM's Sub-processors is only made if a corresponding contract exists and only for specific purposes that correspond with this DPA and service agreement between the Customer and MyTaxiCRM. Such a contract shall contain the same or similar security measures as specified in Schedule 2 and the Sub-processor shall provide a level of protection of personal data which is not less than the one provided under this DPA. If personal data is transferred outside the EEA, the data importer provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing agreements based on the EU SCCs.
SCHEDULE 3 - LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Sub-processor 1
Name: Amazon.com, Inc.
Address: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal
Contact person's name, position and contact details: https://console.aws.amazon.com/support/home
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): storage of personal data on the servers of Amazon.com, Inc.
Sub-processor 2
Name: Hotjar Ltd.
Address: Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville, St Julian's, STJ 3141, Malta
Contact person's name, position and contact details: [email protected]
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): technical maintenance of Company's services.
Sub-processor 3
Name: Functional Software, Inc. d/b/a Sentry
Address: Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105
Contact person's name, position and contact details: https://sentry.io/contact/gdpr/
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): technical maintenance of Company's services.
Sub-processor 4
Name: Zoho Corporation Pvt. Ltd.
Address: 4141 Hacienda Drive, Pleasanton, CA 94588, USA; also 805 Las Cimas Pkwy, Suite 380, Austin, TX 78746, USA; and Plot No. 140 & 151, GST Road, Vallancherry Village, Kanchipuram District 603202, India
Contact person's name, position and contact details: https://www.zoho.com/contactus.html
Description of the processing (including a clear delimitation of responsibilities): Usage of Zoho CRM, Zoho Books, Zoho Campaigns — the sub-processor handles hosting, processing and storage of customer personal data within their cloud services. The "controller" (MyTaxiCRM) retains responsibility for what data is entered, what access rights are granted, and how the data is used (while Zoho provides the platform/infrastructure).
Sub-processor 5
Name: Google LLC
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Contact person's name, position and contact details: https://about.google/company-info/locations/
Description of the processing (including a clear delimitation of responsibilities): Processing of personal data within Google Workspace (Docs, Sheets) for collaboration and storage; and Google Analytics for collection and analysis of usage data (device, browser, IP, visited pages, and user interactions). Google provides platform and analytical tools; the controller defines purposes, access, and retention.
Sub-processor 6
Name: Slack Technologies LLC
Address: 415 Mission St, 3rd Floor, San Francisco, CA 94105, USA
Contact person's name, position and contact details: [email protected]
Description of the processing (including a clear delimitation of responsibilities): Use of Slack for team communication which may include customer-related information (chat, attachments). Slack provides the communication platform. MyTaxiCRM is responsible for what customer data is shared via Slack channels, access rights, archival/retention settings.
Sub-processor 7
Name: Atlassian Corporation Pty Ltd.
Address: Level 6, 341 George Street, Sydney, NSW 2000, Australia
Contact person's name, position and contact details: https://www.atlassian.com/company/contact
Description of the processing (including a clear delimitation of responsibilities): Use of Jira and Confluence for internal issue tracking, documentation and possibly customer-data references (tickets, logs). Atlassian provides the SaaS platform; MyTaxiCRM controls what customer data is logged, who can view tickets/pages, retention practices.
Sub-processor 8
Name: IP Telecom Bulgaria Ltd (trade name Zadarma)
Address: office 211, 16 Vasil Levski Str., 8000 Burgas, Bulgaria
Contact person's name, position and contact details: [email protected]
Description of the processing (including a clear delimitation of responsibilities): Provision of IP-telephony services (via Zadarma) including call handling, virtual numbers, call recordings and metadata tied to customer interactions. Zadarma handles telephony infrastructure and call data routing/recording; MyTaxiCRM is responsible for which numbers are used, the linking to CRM/records, access to call recordings, ensuring compliant retention and deletion.
Sub-processor 9
Name: Hotjar Ltd.
Address: Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta
Contact person's name, position and contact details: https://www.hotjar.com/legal/policies/privacy/
Description of the processing: Monitoring of website usage to improve user experience (recording anonymized interactions such as clicks, scrolls, and navigation). Hotjar provides behavioral analytics; the controller manages data scope, activation, and anonymization settings.
Sub-processor 10
Name: Meta Platforms Ireland Limited (WhatsApp)
Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Contact person's name, position and contact details: https://www.whatsapp.com/contact
Description of the processing: Customer communication via WhatsApp. Meta provides secure message delivery; the controller defines content, recipients, and retention of chat records.
Sub-processor 11
Name: Telegram Messenger LLP
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Contact person's name, position and contact details: https://telegram.org/support
Description of the processing: Use of Telegram Messenger for customer and internal team communication, including exchange of text messages, attachments, and media that may contain limited customer-related information. Telegram provides encrypted cloud-based messaging infrastructure and ensures security of message transmission; the controller determines which data is shared, who has access, and how long such data is retained or deleted.