Data Processing Agreement

1. General

1.1 This DPA applies to the extent the parties process personal data in connection with the Agreement.

1.2 Compliance with Data Protection Laws. Customer shall at all times comply with Data Protection Laws with respect to the processing of personal data in connection with the Agreement, including its use and receipt of the Services and processing of Customer Personal Data. Tracelight shall comply with European Data Protection Laws when processing Customer Personal Data in connection with the Agreement.

1.3 Lawful processing. Without prejudice to the generality of paragraph 1.2 of this DPA, Customer warrants and represents that it has all rights and consents, and has provided all notices, as required by Data Protection Laws to lawfully (a) process Customer Personal Data in connection with the Services and (b) permit Tracelight to use, process and transfer Customer Personal Data in order to provide the Services to Customer and perform Tracelight's other rights and obligations under the Agreement (including this DPA).

1.4 No Sensitive Data. Customer shall not include any Sensitive Data in Customer Personal Data or use the Services to process Sensitive Data without Tracelight's prior express written consent.

2. Roles of the Parties

2.1 Except as set out in paragraph 2.2 of this DPA, Customer shall be the controller of Customer Personal Data and Tracelight shall be Customer's processor of such Customer Personal Data.

2.2 Tracelight shall act as an independent controller with respect to its processing of: (a) any contact information of Authorised Users and other Customer personnel that Tracelight receives in connection with this Agreement, and (b) any personal data in Usage Data and Feedback.

3. Tracelight as Processor

3.1 Where Tracelight acts as Customer's processor of Customer Personal Data, Tracelight shall:

(a) process Customer Personal Data only on the documented written instructions of Customer, unless otherwise required by applicable law, in which case Tracelight shall notify Customer of that legal requirement before such processing (unless legally prohibited from doing so);

(b) only transfer Customer Personal Data outside the United Kingdom and European Economic Area in accordance with European Data Protection Laws;

(c) ensure personnel processing Customer Personal Data are obliged to keep it confidential;

(d) implement reasonable technical and organisational measures to protect Customer Personal Data from a personal data breach;

(e) taking into account the nature of Tracelight's processing and the information reasonably available to Tracelight, to the extent required under European Data Protection Laws: (i) assist Customer (at Customer's cost) to respond to data subject requests, carry out data protection impact assessments and consult with supervisory authorities and the Commissioner, and (ii) notify Customer without undue delay upon becoming aware of a personal data breach affecting Customer Personal Data and assist Customer (at Customer's cost) with notifying competent supervisory authorities, the Commissioner and affected data subjects;

(f) engage those third party processors ("Subprocessors") identified on Tracelight's Subprocessor List from time to time, provided that if Tracelight appoints a new Subprocessor (i) Tracelight shall notify Customer of any such appointment in advance, and (ii) within 5 days of such notification, Customer, acting reasonably, may object to such appointment by giving Tracelight written notice if Customer can reasonably evidence that such appointment poses a materially increased risk to Customer Personal Data (attaching such evidence to the objection);

(g) execute with each Subprocessor a written agreement materially on their standard data processing terms and, as between the parties, Tracelight shall be responsible to Customer where a Subprocessor fails to fulfil its data protection obligations and such failure causes Tracelight to breach its obligations under this DPA;

(h) subject to paragraph 3.1(k) of this DPA, on Customer's written reasonable request and at Customer's cost, make available to Customer such information as is reasonably necessary to demonstrate Tracelight's compliance with the obligations in this DPA;

(i) subject to paragraph 3.1(k) of this DPA, on Customer's written reasonable request, Tracelight shall allow for an audit by a mutually agreed auditor, as is reasonably necessary to demonstrate Tracelight's compliance with the obligations in this DPA and subject to the following conditions: (i) not more than once per twelve (12) months, (ii) sixty (60) days' prior written notice, (iii) all costs and expenses borne by Customer, (iv) during Business Hours, (v) maximum of half a business day, (vi) pre-agreed scope, (vii) subject to Tracelight's data protection and security policies, confidentiality, contractual and legal obligations, (viii) solely as a remote demonstration of Tracelight's personal data processing systems, (ix) any auditor is bound to Tracelight by a confidentiality agreement in a form acceptable to Tracelight, (x) no interference with Tracelight's services or data (including of other customers), and (xi) excluding third party systems and premises;

(j) delete such personal data at termination of the Agreement, except where (i) applicable law requires storage of the personal data or (ii) kept in "business as usual" back-ups, provided that such back-ups are not generally available to all Tracelight employees; and

(k) inform Customer without undue delay, and not provide information or allow an audit under this DPA, if Tracelight reasonably considers doing so may infringe applicable law or a legal obligation or duty.

3.2 Annex 1 provides the description of processing where Tracelight acts as Customer's processor of Customer Personal Data.

4. Definitions

The following definitions apply to this DPA.

Authorised Users: those employees, agents and independent contractors of Customer and its Affiliates who are authorised by Customer to use the Product and the Documentation.

Business Hours: 9AM to 6PM (UK time) on each Business Day.

Customer Personal Data: means the personal data provided by Customer to Tracelight in connection with the Agreement, including personal data contained in Customer Data.

Data Protection Laws: means any law applicable from time to time relating to the processing of personal data and/or privacy, including the European Data Protection Laws, as re-enacted, applied, amended, superseded, repealed or consolidated, and in each case including any legally binding regulations, direction and orders issued from time to time under or in connection with any such law.

European Data Protection Laws: as applicable to Tracelight's processing of the relevant personal data, the Data Protection Act 2018 ("DPA 2018"), the "UK GDPR" (as defined in the DPA 2018) and the Data Use and Access Act 2025, and the European Union General Data Protection Regulation 2016/679 (the "EU GDPR"). The terms "controller", "Commissioner", "data subject", "personal data", "processing", "processor", "personal data breach", "supervisory authority" have the meanings given to them in the European Data Protection Laws.

Feedback: any comments, feedback, ideas, proposals, and suggestions for improvement for the Product provided by Customer and/or any Authorised User to Tracelight via any method.

Product: the Tracelight AI-assisted financial modelling software, including the Microsoft Excel Add-In, that is supplied to Customer by Tracelight "as a service" as described in the Specification and made available to Customer, including all revised versions and updates.

Professional Services: the professional services to be provided by Tracelight to Customer, as specified in an applicable Order Form/SoW.

Sensitive Data: any health data, any other special categories of personal data (as listed in Article 9(1) of UK GDPR and EU GDPR) and any data relating to criminal convictions and offences or related security measures (interpreted in accordance with Article 10 UK GDPR or EU GDPR).

Services: for the purposes of the DPA, as applicable, the making available of the Product (including associated support) and the Professional Services.

Subprocessor List: where Tracelight acts as processor of Customer Personal Data, Tracelight's list of its Subprocessors to whom it delegates such processing of Customer Personal Data, as updated from time to time. The version of the Subprocessor List as at the Effective Date is at Annex 2 to this DPA.

Usage Data: data and information about the provision, use, security and performance of the Product (including support) based on Customer's and its Authorised Users' use of the Product.

DPA Annex 1 – Description of Processing

Subject-matter, nature and purpose: the hosting, storing and processing of Customer Personal Data in Customer Data to provide and use the Services in accordance with the Agreement.

Duration: the term of the Agreement and as set out in paragraph 3.1(j) of this DPA.

Types of personal data: the types of personal data contained in Customer Data. The scope of personal data is solely in Customer's control, as Customer determines Customer Data uploaded to, and the prompts that are input to, the Services.

Categories of data subject: the data subjects of the personal data contained in Customer Data, which may include Customer's and its customers' employees, directors, shareholders and other personnel. The scope of categories of data subject is solely within Customer's control, as Customer determines Customer Data, including the documents uploaded to, and the prompts that are input to, the Services.

Sensitive Data: None.

DPA Annex 2 – Subprocessor List

OpenAI OpCo, LLC (OpenAI Ireland Ltd. for customers in the EEA & Switzerland)
Location: United States; Europe (EEA & Switzerland); Australia; Canada; Japan; India; Singapore; South Korea; United Kingdom; United Arab Emirates
Processing Activities: LLM services

Anthropic PBC
Location: United States; Europe (EU/EEA); Asia (APAC); Australia — Anthropic states customer data may be processed in select countries in the US, Europe, Asia and Australia; default data storage in the United States unless otherwise agreed.
Processing Activities: LLM services

Google LLC
Location: Global — processed in Google-operated data centers and Google Cloud regions worldwide. Notable regions include: United States; Canada; Brazil; Chile; Mexico; Ireland; Netherlands; Belgium; Finland; Germany; France; United Kingdom; Spain; Italy; Poland; Czech Republic; Austria; Switzerland; Sweden; Norway; Israel; United Arab Emirates; South Africa; India; Japan; South Korea; Taiwan; Hong Kong; Singapore; Indonesia; Australia.
Processing Activities: LLM services

Amazon Web Services
Location: US, EU, UK, Singapore, Australia (can be configured regionally for Enterprise customers)
Processing Activities: Cloud Hosting / Deployment / Database Services

Axiom, Inc.
Location: United States; European Union (EEA) — processes/stores customer data in the geographic region where data is submitted; uses AWS and Cloudflare (may result in processing/storage across provider regions, with geo-redundant backups).
Processing Activities: Event data analytics

Daytona Platforms Inc.
Location: US — US-East (Washington, DC); US — US-West (Oregon); EU — EU-Central (Frankfurt); EU — EU-West (London); Asia — Asia-South (Mumbai)
Processing Activities: AI sandboxing

Exa Labs, Inc.
Location: United States (services operated in the U.S.; San Francisco). May also be processed in locations of authorised subprocessors — see DPA: https://docs.exa.ai/reference/security
Processing Activities: AI search engine