Data Processing Addendum
GDPR-aligned DPA that incorporates the EU Standard Contractual Clauses. Effective without separate signature when you accept the Terms.
Parties and scope
This Data Processing Addendum ("DPA") forms part of the agreement between Kapitah, Inc. ("Processor") and the customer ("Controller") for the KAPITAH® platform. It applies when KAPITAH® processes personal data on behalf of the Controller and incorporates the EU Standard Contractual Clauses by reference where required.
Subject matter and duration
Subject matter: provision of the Service. Duration: the term of the underlying subscription plus any agreed export window. Nature and purpose: hosting, processing, and securing Controller's financial records.
Types of data and data subjects
- Data subjects: Controller's employees, contractors, customers, vendors, and other counterparties.
- Categories of data: contact details, financial transactions, banking instructions, supporting documents, communications, and any other data Controller chooses to upload.
- Special categories: KAPITAH® is not designed to process special-category data; Controller must not upload it.
Processor obligations
- Process personal data only on documented instructions from Controller.
- Ensure personnel are bound by confidentiality.
- Implement the technical and organizational measures described in our Security overview.
- Assist Controller with data-subject requests and impact assessments.
- Notify Controller of personal-data breaches without undue delay and no later than 72 hours after becoming aware.
Sub-processors
Controller authorizes KAPITAH® to engage sub-processors listed on the Security page. KAPITAH® imposes equivalent data-protection obligations on each sub-processor and gives Controller 30 days' notice before adding a new sub-processor that processes personal data, during which Controller may object.
International transfers
Where personal data is transferred out of the EEA, UK, or Switzerland to a country not covered by an adequacy decision, the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) apply, together with the UK International Data Transfer Addendum and the Swiss FDPIC supplement where relevant.
Return and deletion of data
On termination, at Controller's choice, KAPITAH® will return or delete personal data within 90 days, except where retention is required by law. Backups are purged on a rolling 35-day cycle.
Audits
KAPITAH® will make available SOC 2 Type II reports, penetration-test summaries, and the information necessary to demonstrate compliance with this DPA. On reasonable notice and subject to confidentiality, Controller may conduct an audit no more than once per year.
Execution
This DPA is effective without separate signature for customers on standard plans when they accept the Terms of Service. Enterprise customers may request a countersigned version by emailing legal@kapitah.com.
Questions? Email legal@kapitah.com.