SpacePay

Schedule 7

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the API Terms of Service and Master Service Agreement between SPY Genesis Corp. (the “Processor”) and the Client (the “Controller”) and governs the processing of Personal Data by the Processor on behalf of the Controller.

1. Scope and Roles

1.1 The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data only on behalf of and in accordance with the documented instructions of the Controller.

1.2 The details of the processing are set out in Annex 1 to this DPA, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects.

2. Processor Obligations

2.1 The Processor shall: (a) process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; (b) ensure that persons authorised to process Personal Data have committed themselves to confidentiality; (c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; (d) comply with the conditions for engaging sub-processors set out in clause 3; (e) assist the Controller by appropriate technical and organisational measures for the fulfilment of data subject requests; (f) assist the Controller in ensuring compliance with the obligations relating to security, breach notification, data protection impact assessments, and prior consultation; (g) at the choice of the Controller, delete or return all Personal Data to the Controller upon termination and delete existing copies unless Union or Member State law requires storage; and (h) make available to the Controller all information necessary to demonstrate compliance and allow for and contribute to audits.

3. Sub-Processing

3.1 The Controller grants general authorisation for the engagement of sub-processors, subject to the Processor: (a) maintaining an up-to-date list of sub-processors at spacepay.com/legal/sub-processors; (b) providing the Controller with at least thirty (30) days' prior written notice of any intended addition or replacement of a sub-processor; and (c) imposing on each sub-processor data protection obligations no less protective than those set out in this DPA.

3.2 If the Controller objects to a new sub-processor, it shall notify the Processor in writing within fifteen (15) days of receiving notice. The parties shall discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the affected Services upon thirty (30) days' written notice.

3.3 The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations.

4. International Transfers

4.1 The Processor shall not transfer Personal Data to a country outside the EEA unless: (a) the European Commission has made an adequacy decision for that country; (b) Standard Contractual Clauses approved by the European Commission are in place; or (c) another valid transfer mechanism under Chapter V of the GDPR applies.

4.2 Where transfers rely on Standard Contractual Clauses, the Processor shall conduct a transfer impact assessment and implement supplementary measures where necessary to ensure essentially equivalent protection.

5. Breach Notification

5.1 The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours, upon becoming aware of a Personal Data breach. The notification shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects and records concerned; (c) likely consequences; and (d) measures taken or proposed to address the breach.

6. Audit Rights

6.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

6.2 Audits shall be conducted during normal business hours, no more than once per year (unless a data breach or regulatory investigation requires additional audits), and at the Controller's expense.

Last updated: 16 February 2026