Data Processing Agreement

Last updated 7 July 2025

This Data Processing Agreement, as may be amended from time to time (this "Agreement"), sets forth the legally binding terms with respect to all Personal Data collected, used, transmitted or maintained by The Cognition Company Group Ltd ("CogCo") for the company or entity on whose behalf you are accepting this Agreement (the "Customer"). You represent that you have the authority to bind the Customer to the terms of this Agreement.

This Data Processing Agreement is incorporated into and forms part of, and is subject to the terms and conditions of, the Terms of Service (as defined below). The effective date of this Agreement is the date set forth in the Terms of Service or any related Sales Order Form (SOF) or otherwise the date on which the Customer accesses or commences using the Services (the "Effective Date").

Definitions and Interpretation

Any capitalized terms used herein and not otherwise defined herein shall have the meanings ascribed to such terms in the Terms of Service. In addition, the following definitions and rules of interpretation apply in this Agreement.

Definitions:

  • AI Regulation: any applicable laws or regulations that apply to an AI System developed or deployed by CogCo and used in connection with CogCo's provision of the Services.
  • AI System(s): any Service (including a feature thereof) that utilises AI Technology.
  • AI Technology: machine learning software, algorithms, hardware or other artificial intelligence tools that generate content or make predictions, recommendations, or decisions (including deep learning and content creation).
  • Authorised Persons: the persons or categories of persons that the Customer authorises to give CogCo written personal data processing instructions as identified in ANNEX A and from whom CogCo agrees solely to accept such instructions.
  • Business Purposes: the services to be provided by CogCo to the Customer as described in the Terms of Service, Internal Business Purposes, and any other purpose specifically identified in ANNEX A.
  • Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
  • Controller, Processor, Data Subject, Personal Data, Personal Data Breach, and Processing: have the meanings given to them in the Data Protection Legislation.
  • Controller: has the meaning given to it in section 6, DPA 2018.
  • Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
  • Data Subject Request: any request by an individual (or by another person acting on behalf of an individual) to exercise a right under any Data Protection Legislation, or any complaint or inquiry about the processing of the individual's Personal Data.
  • Internal Business Purposes: processing of Personal Data by CogCo to (i) make back-ups as part of disaster recovery and business continuity programs; (ii) comply with its own legal or regulatory obligations; and (iii) build and improve the quality of the Services.
  • Personal Data: means any information relating to an identified or identifiable living individual that is processed by CogCo on behalf of the Customer as a result of, or in connection with, the provision of the services under the Terms of Service; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
  • Personal Data Breach: a breach of security leading to the accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data or other event that compromises the security, confidentiality, or integrity of the Personal Data.
  • Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes the Transfer of Personal Data to third parties.
  • Processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
  • Restricted Transfer: any Transfer where the applicable Data Protection Legislation requires the parties to demonstrate adequate protection using a standard contractual instrument or other prescribed means. Restricted Transfers do not include Transfers to recipients in countries whose data protection regimes have been declared adequate by relevant data protection authorities, or which are otherwise not restricted.
  • Standard Contractual Clauses: (as applicable) (i) the contract terms set forth in the Annex to the European Commission's decision C(2021) 3972 of 4 June 2021 containing Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, or (ii) other contract terms published by relevant regulatory authorities to authorise data Transfers.
  • Subprocessor: any entity (including an Affiliate of CogCo) acting under the instructions of CogCo that processes unencrypted Personal Data on behalf of CogCo.
  • Terms of Service: the subscription or license agreement between CogCo and the Customer pursuant to which CogCo Processes any Personal Data for or on behalf of the Customer. "Terms of Service" encompasses all order forms, statements of work, and/or online terms and conditions between CogCo and the Customer.
  • Transfer: to disclose or otherwise make the Personal Data available to another entity (including to any Affiliate or Subprocessor of CogCo), either by physical movement of the Personal Data or by enabling remote access to the Personal Data.
  • UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

This Agreement is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Agreement.

The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes. A reference to writing or written includes email.

In the case of conflict or ambiguity between:

  • any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;
  • the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
  • any of the provisions of this Agreement and the provisions of the Terms of Service, the provisions of this Agreement will prevail.

Personal data types and processing purposes

Each party must use reasonable efforts to stay informed of the legal and regulatory requirements for its applicable responsibilities under this Agreement.

CogCo and the Customer agree and acknowledge that, for the purpose of the Data Protection Legislation:

  • CogCo is the Processor, and the Customer is the Controller;
  • the Customer retains control of the Personal Data and remains responsible for its compliance obligations and the compliance obligations of the Customer's Affiliates under the Data Protection Legislation;
  • the Customer shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, Personal Data to CogCo for Processing as set forth herein. If any authorisations or consents of Data Subjects are required for such Processing of Personal Data by CogCo, the Customer shall obtain such consents directly from the Data Subjects; and
  • ANNEX A contains a general description of the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which CogCo may process the Personal Data to fulfil the Business Purposes.

CogCo may update ANNEX A at any time upon thirty (30) days' prior written notice as needed to inform the Customer of any changes, including any changes to the privacy and security contacts or Subprocessors.

This Agreement, together with the Customer's use of the features of the Services, constitutes the Customer's complete set of instructions to CogCo in relation to the processing of Personal Data. CogCo will promptly notify the Customer if, in its opinion, the instructions given by the Customer for Processing violate any Data Protection Legislation; provided, however, that CogCo has no independent obligation to verify that the Processing complies with any specific Data Protection Legislation, as it is entitled to rely on the Customer's instructions.

CogCo's obligations

CogCo will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions from Authorised Persons. CogCo will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation.

CogCo must comply promptly with any Customer written instructions requiring CogCo to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

CogCo will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by applicable law, court, or regulator (including the Commissioner). If applicable law, a court, or a regulator (including the Commissioner) requires CogCo to process or disclose the Personal Data to a third party, CogCo must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object to or challenge the requirement, unless the applicable law prohibits the giving of such notice.

CogCo will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of CogCo's processing and the information available to CogCo, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.

CogCo will only collect Personal Data for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer's identity, the purpose or purposes for which their Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. CogCo will not modify or alter the notice in any way without the Customer's written consent.

CogCo certifies that it will not (i) sell the Personal Data or share the Personal Data with third parties for online targeting, (ii) retain, use or disclose the Personal Data other than as specified in the Agreement, as needed to perform the Services and for the Business Purposes, or (iii) retain, use or disclose the Personal Data outside of its direct business relationship with the Customer.

CogCo's employees

CogCo will ensure that all of its employees and contingent workers: are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data; have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and are aware both of CogCo's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

CogCo will also reasonably monitor its employees and contingent workers for compliance with the privacy and security requirements.

Security/AI Systems

CogCo has implemented and documented appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in ANNEX B.

CogCo must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of the security measures.

CogCo may, in certain controlled circumstances, use AI Systems to support the delivery of the Services, including through enterprise accounts or closed systems with contractual or technical safeguards in place. These safeguards are intended to ensure that any data, including confidential or proprietary information, is not used to train AI models or otherwise disclosed to third parties. Such safeguards may include, but are not limited to, data segregation, encryption, restricted access controls, contractual commitments with AI vendors, and system auditing.

CogCo shall comply with all AI Regulations that regulate its use of the AI Systems and tools. Where Personal Data is processed by such AI Systems: (a) such processing is limited to what is necessary to provide the Services and is carried out in accordance with applicable Data Protection Legislation; (b) appropriate technical and organisational safeguards are implemented to prevent unauthorised access, use, or disclosure of Personal Data; and (c) no Personal Data is used to train, fine-tune, or improve any general-purpose AI models, unless expressly authorised in writing by the Customer and subject to a separate agreement.

The Customer acknowledges that certain features of the Services may include AI-generated outputs that are not subject to human review prior to delivery. While CogCo uses commercially reasonable efforts to ensure the reliability of such outputs, they are provided "as is" and the Customer is solely responsible for reviewing and verifying the suitability of such outputs for its intended use.

Personal Data Breach

CogCo will promptly investigate any security incident which is reasonably suspected to have resulted in the unauthorised access to, use or disclosure of the Personal Data.

CogCo will within 48 hours, and in any event without undue delay, notify the Customer in writing (via email to the email address set out below) if it becomes aware of:

  (a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data (in which case CogCo will restore such Personal Data at its own expense as soon as possible);
  (b) any accidental, unauthorised, or unlawful processing of the Personal Data; or
  (c) any Personal Data Breach.

Where CogCo becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with all information in its possession about the Personal Data Breach reasonably needed by the Customer to assess its incident response obligations, including:

  • a description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and the approximate number of both Data Subjects and Personal Data records concerned; and
  • a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

Immediately following any accidental, unauthorised, or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, CogCo will reasonably co-operate with the Customer in the Customer's handling of the matter, including but not limited to:

  • assisting with any investigation;
  • providing the Customer with physical access to any facilities and operations affected;
  • facilitating interviews with CogCo's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
  • making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
  • taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised, or unlawful Personal Data processing.

CogCo will not inform any third party of any accidental, unauthorised, or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by applicable law.

Cross-border transfers of Personal Data

CogCo (and any Subprocessor) shall only transfer the Personal Data outside the UK as authorised by the Customer in writing or permitted by Data Protection Legislation. Customer authorises CogCo to make routine Transfers of Personal Data in the normal course of business to itself and to its Affiliates using intercompany contracts containing Standard Contractual Clauses or another approved mechanism.

CogCo's primary data centres, including those operated by its Subprocessors, are located within the United Kingdom and the European Economic Area (EEA). With respect to certain Services, the Customer may have the option to select, from a list of available data centre locations in jurisdictions that provide an adequate level of protection as recognised under applicable Data Protection Legislation, the location in which Personal Data shall be physically stored. Where the Customer accesses the Services from outside the UK or EEA, Personal Data may be transferred to, stored in, and processed within the UK, EEA, or other jurisdictions that are subject to adequacy decisions or equivalent safeguards. In all such cases, CogCo shall ensure that appropriate safeguards are in place in accordance with applicable Data Protection Legislation, including the implementation of Standard Contractual Clauses or other approved transfer mechanisms, where required.

Should any supervisory authority or court determine that any Transfer mechanism used herein is no longer an appropriate basis for such Transfers, CogCo and Customer will promptly take all steps reasonably necessary to demonstrate adequate protection for the impacted information, using another approved mechanism. CogCo understands and agrees that Customer may terminate the Transfers as needed to comply with the Data Protection Legislation.

Subprocessors

Customer authorises CogCo to Transfer Personal Data to the Subprocessors listed in ANNEX C (as amended from time to time).

CogCo must however ensure that it: (i) has conducted adequate due diligence to verify that the Subprocessor is capable of providing the level of protection for Personal Data as is required by this Agreement; (ii) will ensure that all Restricted Transfers of Personal Data to the Subprocessors are authorised using an approved mechanism, if applicable; (iii) has entered into a written contract with the Subprocessor that includes privacy and security terms no less stringent than are imposed on CogCo hereunder; and (iv) remains primarily liable to Customer for the acts, errors and omissions of the Subprocessor, as if they were CogCo's own acts, errors and omissions.

The Customer may at any time object to a Subprocessor for good cause by sending an email to privacy@cogco.co, and CogCo will not allow that Subprocessor to Process any Personal Data until such objection is resolved. If the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after CogCo's receipt of the objection, the Customer may, as its sole and exclusive remedy, terminate those aspects of the Service which cannot be provided by CogCo without the use of the new Subprocessor. In such event, CogCo shall refund the Customer any unused, prepaid fees for the applicable Service covering the remainder of the term after the date of termination.

Complaints, Data Subject Requests and third-party rights

CogCo must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with: the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.

CogCo must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

CogCo will reasonably cooperate with Customer and with its Affiliates and representatives in responding to Data Subject Requests as needed for Customer to demonstrate compliance with Data Protection Legislation applicable to it and to respect individuals' rights under such Data Protection Legislation. CogCo will reasonably assist Customer with any data protection impact assessments, transfer risk assessments or prior consultations with regulators as needed to comply with Data Protection Legislation.

CogCo must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions, or as required by applicable law.

Term and termination

This Agreement will remain in full force and effect so long as: the Terms of Service remains in effect; or CogCo retains any of the Personal Data related to the Terms of Service in its possession or control (the "Term").

Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Terms of Service to protect the Personal Data will remain in full force and effect.

CogCo's failure to comply with the terms of this Agreement is a material breach of the Terms of Service. In such event, the Customer may terminate any part of the Terms of Service involving the processing of the Personal Data effective immediately on written notice to CogCo without further liability or obligation of the Customer.

If either party cannot comply with any material term of this Agreement, it shall promptly notify the other (and use reasonable efforts to remedy the non-compliance), and the parties may agree to suspend the processing of the Personal Data until that processing complies with this Agreement and the Data Protection Legislation.

Data return and destruction

At the Customer's request, CogCo will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

On termination of the Terms of Service for any reason or expiry of its term, CogCo will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.

If any law, regulation, or government or regulatory body requires CogCo to retain any documents, materials or Personal Data that CogCo would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

CogCo will certify in writing to the Customer that it has deleted or destroyed the Personal Data within seven days after it completes the deletion or destruction.

Records

CogCo will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved Subprocessors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records).

CogCo will ensure that the Records are sufficient to enable the Customer to verify CogCo's compliance with its obligations under this Agreement and the Data Protection Legislation and CogCo will provide the Customer with copies of the Records upon request.

The Customer and CogCo must review the information listed in the Annexes to this Agreement at least once a year to confirm its current accuracy and update it when required to reflect current practices.

Audit

At the Customer's written request, CogCo will: conduct an information security audit before it first begins processing any of the Personal Data and repeat that audit on at least an annual basis; produce a written summary of the report that includes plans to remedy any security deficiencies identified by the audit; and remedy any deficiencies identified by the audit.

Where required by law, CogCo will submit its corporate headquarters for a reasonable audit upon at least 30 days prior written notice, not more than once per year, during CogCo's reasonable business hours, which shall be carried out by Customer (or by a qualified independent auditor) in a mutually agreeable manner.

Notice

Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to:

  • for the Customer: the address set out in the applicable SOF;
  • for CogCo: info@cogco.co

Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Miscellaneous

In the event of a conflict between the terms and conditions of the Terms of Service and this Agreement, this Agreement shall control.

Each party's liability arising out of or related to this Agreement, whether contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Terms of Service and any reference to such limitation of liability of a party means the aggregate liability of the party and its Affiliates under the Terms of Service and this Agreement, including its exhibits and attachments, together.

A person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce or enjoy the benefit of any term of this Agreement.

This Agreement shall be governed by the laws of England and Wales. The Courts of England and Wales shall have full jurisdiction to resolve any disputes or claims arising under this Agreement (including any non-contractual disputes or claims).

ANNEX A – Personal Data processing purposes and details

List of Parties

Customer as identified in the Terms of Service

The Cognition Company Group Ltd ("CogCo" or the "Processor")
175 High Holborn, London, WC1V 7AA

Description of the Processing and Transfer

Subject matter of processing: The processing of Personal Data by CogCo is carried out for the purpose of providing the Customer with access to CogCo's hosted, software-as-a-service offerings, as well as any Set-up Services or Professional Services. The processing relates to Personal Data collected, analysed, and reported as part of these Services.

Duration of Processing: Personal Data will be retained by the Processor in accordance with its data retention policy and no longer than necessary for the purposes set forth in the Terms of Service.

Nature and Purpose of Processing: The Processor will process Personal Data solely as necessary to provide the Services set forth in the applicable Sales Order Form or Statement of Work.

Categories of Data Subjects – Depending on the scope of each engagement, data subjects may include:

  • End-users or customers of the Customer;
  • Employees or contractors of the Customer;
  • Survey or study participants;
  • Website or platform users;
  • Members of the public engaging with experimental interventions.

Categories of Personal Data – Data may include (as applicable to the specific engagement):

  • Contact and account details;
  • Demographic information (e.g. age, gender, postcode);
  • Behavioural and interaction data (e.g. usage patterns, response rates, choices made during experiments);
  • Survey responses and research insights;
  • Employment-related data (if research is conducted with employees);
  • Any other data shared or collected in accordance with the Customer's instructions.

Note: CogCo does not process special category data unless explicitly agreed in writing.

Processing Operations

  • Collecting and storing Customer Data (including Personal Data) submitted via the Services platform;
  • Analysing and processing Customer Data through AI Systems to generate insights or outputs;
  • Hosting and maintaining data within cloud infrastructure located in the UK/EEA or as selected by the Customer;
  • Deleting or anonymising data in accordance with the Customer's instructions or applicable retention policies.

Location of Processing – Processing will occur primarily within:

  • the United Kingdom and/or the European Economic Area (EEA);
  • other jurisdictions only if adequate safeguards are in place (e.g. Standard Contractual Clauses).

Competent Supervisory Authority for Restricted Transfers: Information Commissioner (ICO) – United Kingdom

ANNEX B – Security measures

The Processor has implemented the following appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK/EU GDPR:

Organisational security measures:

  • Internal governance documents such as policies or instructions, including information security and data protection policies;
  • Regular staff training on confidentiality, data protection, and incident response;
  • Login and password management, including complexity requirements and periodic rotation;
  • Completion of Data Protection Impact Assessments (DPIAs) for high-risk processing;
  • Physical security (premises etc.), including restricted access.

Technical security measures:

  • Encryption of personal data at rest and in transit using industry-standard protocols;
  • Pseudonymisation of personal data used in research and analysis where possible;
  • Access control levels;
  • Maintenance of access logs and audit trails;
  • Firewalls and endpoint protection usage;
  • Data back-ups with tested restoration procedures;
  • Two-step verification;
  • Security monitoring and incident response protocols.

These measures are reviewed periodically and adapted to evolving security threats and regulatory requirements.

ANNEX C – List of Subprocessors

Subprocessor               Product        Nature of Processing                        Stores customer data?
Microsoft Inc.             Azure          Cloud computing and data storage services   Yes
Amazon Web Services Inc.   AWS            Cloud computing and data storage services   Yes
New Relic Inc.             New Relic      Performance monitoring and analytics        No
Supabase                   Supabase       Database and backend services               Yes
Meta Platforms Inc.        Llama          AI language model processing                No
OpenAI Inc.                GPT            AI language model processing                No
Google                     Google Drive   File storage and document management        Yes