Legal.

The information provided here is for Profyle customers and users who have questions about our terms, policies, intellectual property, and compliance.

Data Processing Agreement

Effective Date: 8th January 2026

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between:

The entity or person accepting these Terms (“Company”, “Business”, “you” or “your”)

and

Profyle Card Limited, a company registered in England and Wales with company number 12973729, whose registered office is at 16 Cole Street, London, SE1 4YH (“Profyle Card”, “Service Provider”, “we”, “us” or “our”)

(together the “Parties”)

WHEREAS

(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
(E) The details of the processing operations, including categories of Personal Data and Data Subjects, are set out in Schedule 1 to this Agreement.

ACCEPTANCE OF THIS AGREEMENT

This Data Processing Agreement is incorporated by reference into the Profyle Card Terms of Service. This Agreement becomes binding upon:
(a) Acceptance of the Terms of Service;
(b) Execution of an Order Form that references this Agreement;
(c) Processing personal data through the Profyle Card platform; or
(d) Clicking “Accept” where this option is provided separately.

If you are accepting this Agreement on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity to this Agreement. Where this Agreement is executed as a standalone document, it supplements any existing service agreement between the parties.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;

1.1.1a “Processing Details” means the details of processing operations as set out in Schedule 1;

1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.7a “UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018;

1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.9 “Services” means the Profyle Card for Business product including Enterprise Management Portal the Data Processor provides.

1.1.10 “Subprocessor” means the authorised Processor(s) listed in Schedule 2 (as may be amended from time to time between the parties) appointed by Data Processor in its role as a Processor to Process Personal Data on behalf of the Company in connection with this Agreement.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.

2.2 The Company instructs Processor to process Company Personal Data as detailed in Schedule 1 (Processing Details). The Company retains full control over which Personal Data is provided to the Processor and determines what information is uploaded, shared, or processed through the platform at all times.

2.3 The categories of Personal Data, categories of Data Subjects, nature and purpose of processing, and duration of processing are as specified in Schedule 1, which forms an integral part of this Agreement.

2.4 The Processor acknowledges that the Company has complete discretion and control over:
(a) the scope and extent of Personal Data processed;
(b) the categories of Data Subjects included;
(c) instructions for processing operations;
(d) access permissions and data sharing; and
(e) retention and deletion of Personal Data,
all as further described in Schedule 1.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

4.3 Only authorised persons at the Data Processor will have access to Company data and only for the purposes of servicing or administrating the services.

4.4 Data Processor shall only store data within servers located within the EEA and will only store data encrypted at rest.

4.5 Data Processor cloud infrastructure is provided by Google Cloud Platform.

5. Subprocessing

5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor or Subcontractor unless required or authorised by the Company in writing.

5.2 Notwithstanding Section 5.1, the Processor may update Schedule 2 by providing the Company with 30 days’ advance written notice of any intended changes concerning the addition or replacement of Subprocessors. The Company may reasonably object to such changes within 14 days of notification. If the Company objects, the Parties shall discuss in good faith to resolve the objection. The updated list of Subprocessors shall be maintained at https://www.profylecard.com/legal/subprocessors.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1 Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors, as further detailed in Schedule 1.

9. Deletion or return of Company Personal Data

9.1 Subject to sections 9 and 10 and the retention periods specified in Schedule 1, Processor shall promptly and in any event within 90 calendar days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

10. Data Retention Policy

10.1 Subject to this section 10, backups of the Processor’s active database are made each day for disaster recovery and business continuity purposes to ensure we can deliver a robust and resilient service.

10.2 Data is retained within our Backups until they are rotated out by more recent backups per our data retention period defined in section 10.3.

10.3 Our data retention period for backups is 45 calendar days, after which the data is automatically removed from our systems.

10.4 Our systems include data retention protection which stops our backups from being accidentally deleted within 30 calendar days of them being created.

11. Audit rights

11.1 Subject to this section 11, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.

11.2 Information and audit rights of the Company only arise under section 11.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

12. Data Transfer

12.1 The Processor may not transfer or authorise the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) or the United Kingdom without the prior written consent of the Company. Where transfers to the UK occur, the Parties acknowledge that the UK benefits from an adequacy decision from the European Commission. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area or the UK to a third country, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on the EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are incorporated herein by reference.

12.2 For transfers subject to the UK GDPR, where personal data is transferred to a country outside the UK that does not benefit from a UK adequacy decision, the Parties shall implement the UK International Data Transfer Agreement (“UK IDTA”) or the UK Addendum to the EU SCCs, as appropriate. The applicable transfer mechanism shall be determined based on the origin of the data transfer and executed as a separate agreement if required.

12.3 The Parties acknowledge that Schedule 2 identifies the location of each Subprocessor. For Subprocessors located outside the EEA:
(a) Transfers to UK-based Subprocessors (including Algolia, Inc. in London, UK) are permitted under the adequacy decisions referenced in Section 12.1;
(b) Any future Subprocessors in non-adequate countries will require implementation of appropriate safeguards before engagement;
(c) The Processor maintains records of transfer mechanisms for each Subprocessor, available upon request.

12.4 Standard Contractual Clauses Implementation:
(a) The EU SCCs (Module Two: Controller to Processor) are incorporated by reference into this Agreement;
(b) For the purposes of the EU SCCs:
  – The “data exporter” is the Company
  – The “data importer” is Profyle Card Limited
  – Annex I of the SCCs is fulfilled by Schedule 1 and Schedule 2 of this Agreement
  – The competent supervisory authority shall be determined by the Company’s location
(c) In case of conflict between this Agreement and the EU SCCs for international transfers, the EU SCCs shall prevail;
(d) The Parties agree that the SCCs shall automatically apply to any transfer requiring them without need for separate execution.

13. General Terms

13.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.

13.1a The Schedules to this Agreement, including Schedule 1 (Processing Details) and Schedule 2 (Permitted Subprocessors), form an integral part of this Agreement and may be updated from time to time by written agreement between the Parties.

13.1b This Agreement may be executed electronically and shall be binding when accepted by the Company through any of the following methods: (i) executing an Order Form that references this Agreement, (ii) clicking to accept where this option is made available, or (iii) beginning to process personal data through the Services after being provided with this Agreement.

13.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.

13.3 The duration of this agreement will last for the period of the Profyle Card for Business subscription between the Company and Data Processor and for no less than 12 months from the date first set out below.

13.4 The Company may terminate this agreement in the event that Data Processor breaches the GDPR principles.

13.5 It is the responsibility of Company that data processing is carried out in accordance with GDPR and Company may decide how personal data may be processed.

14. Governing Law and Jurisdiction

14.1 This Agreement is governed by the laws of England and Wales.

14.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of England and Wales.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

EXECUTION

For the Company

By accepting the Profyle Card for Business Terms of Service, executing an Order Form that references this DPA, or processing personal data through the Services, the Company agrees to be bound by this Data Processing Agreement.
Company Name: As registered in Profyle Card for Business account
Authorised By: Account Owner, as designated in account/admin settings
Date of Acceptance: Upon first processing of personal data through the Services

For Profyle Card Limited

This Data Processing Agreement is pre-executed on behalf of Profyle Card Limited.
Signature: [Signature on file]
Name: Christopher Tingley
Title: Co-founder
Date: 15 December 2025

For questions regarding this DPA, contact: dpo@profylecard.com

SCHEDULE 1 – Processing Details

1. Categories of Personal Data

The Company retains full control over which Personal Data is provided to the Data Processor. The Company determines what information is uploaded, shared, or processed through the platform at all times. The Data Processor may process the following categories of Personal Data as determined and controlled by the Company:

1.1 Staff Member Data

Such Personal Data as the Company chooses to include on digital business cards, which may include but is not limited to:
  • Name and professional information
  • Business contact details
  • Company and role information
  • Professional biography
  • Social media profiles
  • Photograph/avatar
  • Any other professional information the Company elects to include

1.2 Business Contact Data

Personal Data of any individuals whose information the Company chooses to store or process through the platform, including:
  • Contact information provided by the Company
  • Professional details as determined by the Company
  • Interaction history and notes
  • Any categorisation or tags applied by the Company
  • Introduction and referral information

1.3 Design and Branding Assets

  • Company-provided logos and brand imagery
  • Custom design elements and templates
  • Marketing materials uploaded by the Company
  • QR codes generated for the Company’s use
  • Landing page content created by the Company

1.4 Analytics and Engagement Data

Data automatically generated through use of the platform:
  • Interaction timestamps and frequency
  • Geographic location data (city/country level) of interactions
  • Engagement metrics and ROI tracking
  • Platform usage statistics
  • Activity logs related to Company’s use of the service

1.5 Account and Administrative Data

  • Details of Company’s authorised users
  • Platform access and authentication data
  • Audit trails of Company-initiated changes
  • Support correspondence

2. Categories of Data Subjects

2.1 Company-Determined Individuals

  • Any individuals whose Personal Data the Company chooses to process through the platform
  • This may include but is not limited to: employees, contractors, business contacts, clients, prospects, partners, and any other individuals at the Company’s discretion

2.2 Platform Users

  • Individuals authorised by the Company to access and use the platform
  • Account administrators designated by the Company

3. Nature and Purpose of Processing

3.1 Company Control

The Company maintains complete control over:
  • Which Personal Data is uploaded or entered into the platform
  • How Personal Data is organised and categorised
  • With whom Personal Data is shared
  • When Personal Data is modified or deleted
  • The scope and extent of data processing activities

3.2 Nature of Processing Operations

The Data Processor performs the following operations as directed by the Company:
  • Storage of Personal Data provided by the Company
  • Display of Personal Data as configured by the Company
  • Transmission of Personal Data to Company-designated recipients
  • Generation of analytics based on platform usage
  • Backup operations for service continuity
  • Deletion of Personal Data upon Company instruction

3.3 Purpose of Processing

Personal Data is processed solely to:
  • Provide the digital business card platform services
  • Execute the Company’s instructions regarding data handling
  • Generate analytics and reporting as requested
  • Maintain platform security and service availability
  • Provide technical support
  • Comply with applicable legal requirements

4. Duration of Processing

Personal Data will be processed for the duration of the Principal Agreement. The Company may request deletion of specific Personal Data at any time.

4.1 Active Data

  • Retained for duration of subscription unless deleted by the Company
  • Post-termination: 90 calendar days grace period for data retrieval

4.2 Backup Data

  • Automated backups: 45 calendar days rotation
  • Backups are for disaster recovery only and not directly accessible

5. Data Processing Locations

All processing occurs within:
  • Primary processing: European Economic Area (EEA)
  • Storage: EEA-based data centres
  • No transfers outside EEA without explicit Company consent

6. Company Rights and Control

The Company retains at all times:
  • Full visibility of all Personal Data processed
  • Ability to add, modify, or delete any Personal Data
  • Control over user access and permissions
  • Right to export all Personal Data
  • Right to restrict or expand processing activities
  • Complete discretion over what Personal Data to process through the platform

SCHEDULE 2 – Permitted Subprocessors

The Processor shall only use the Subprocessors listed below. This list is also maintained and updated at: https://www.profylecard.com/legal/subprocessors

| Name of subprocessor | Entity type | Data Location | Data transfer mechanism |
| --- | --- | --- | --- |
| Google Cloud EMEA Limited | Cloud Infrastructure | EEA | SSL secured APIs |
| Algolia, Inc. | Elastic Search Provider | London, UK* | SSL secured APIs |
| Mailgun | Email mailing list and email sending provider | EEA | SSL secured APIs |
| Stripe | Payments Processor | EEA | SSL secured APIs |
| Google Analytics | Analytics Provider | US | SSL secured APIs SCC |

*Transfers to UK permitted under EU-UK adequacy decision
**Transfers to US require Standard Contractual Clauses as per Section 12.4

Notes on Data Transfers:

  • EEA locations: No additional transfer mechanism required
  • UK locations: Covered by EU-UK adequacy decision (Commission Implementing Decision (EU) 2021/858) and UK adequacy regulations
  • Other locations: Appropriate safeguards implemented as per Section 12
  • All transfers use encrypted connections (SSL/TLS)