Data Processing Agreement

TiJUBU's Article 28 GDPR data processing agreement, pre-signed on TiJUBU's side.

Introduction

This Data Processing Agreement ("DPA") forms part of and is incorporated into the agreement between the Parties for the relevant TiJUBU service, namely the Subscription Agreement (Self-Serve) for a self-serve free or paid subscription, or the Master Subscription Agreement for a negotiated subscription (in each case, the "Agreement"), between:

(1) the Customer identified in the applicable Order Form (the "Controller"); and

(2) Truleadership, Unipessoal, Lda., a company incorporated under the laws of Portugal, with registered office at Rua do Açúcar, 76, Arm. 4, 1950-009 Lisboa, Portugal, registered with the Commercial Registry under sole registration and tax number (NIPC) PT516202367 ("TiJUBU" or the "Processor"), each a "Party" and together the "Parties".

This DPA gives effect to Article 28(3) of Regulation (EU) 2016/679 ("GDPR") and, where applicable, Law no. 58/2019 of 8 August (the Portuguese GDPR implementation law) and Spanish Organic Law 3/2018 of 5 December (LOPDGDD). Where the Agreement and this DPA conflict on a matter of data protection, this DPA prevails.

1. Definitions

1.1 Terms not defined here have the meaning given in the Agreement or, failing that, in the GDPR.

1.2 In this DPA:

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", "Supervisory Authority" have the meanings in Article 4 GDPR.
  • "Customer Personal Data" means Personal Data that TiJUBU Processes on behalf of the Controller under the Agreement, as described in Annex I.
  • "Sub-processor" means any processor engaged by TiJUBU to Process Customer Personal Data.
  • "Applicable Data Protection Law" means the GDPR and all EU and Member State laws supplementing it that apply to the Processing, including Law no. 58/2019 (Portugal) and Organic Law 3/2018 (Spain).
  • "TOMs" means the technical and organizational measures set out in Annex II.

2. Roles and scope

2.1 As between the Parties, the Controller is the controller and TiJUBU is the processor in respect of Customer Personal Data. Where the Controller is itself a processor acting for a third-party controller (for example, where the Customer Processes Personal Data on behalf of its own client), TiJUBU acts as sub-processor, and the Controller warrants it has the authority and instructions necessary to engage TiJUBU on these terms.

2.2 This DPA applies to all Processing of Customer Personal Data carried out by TiJUBU and its Sub-processors in connection with the Services.

2.3 TiJUBU does not engage in any automated decision-making producing legal or similarly significant effects on Data Subjects within the meaning of Article 22 GDPR. The Services provide analytics, simulation and workflow outputs intended to support human decisions, and the Controller remains responsible for any employment decision it takes.

3. Processing instructions

3.1 TiJUBU shall Process Customer Personal Data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do otherwise by EU or Member State law to which TiJUBU is subject. In that case, TiJUBU shall inform the Controller of that legal requirement before Processing, unless the law prohibits it on important grounds of public interest.

3.2 The Agreement, this DPA, the Order Form and the configuration choices the Controller makes through the Services constitute the Controller's complete and final documented instructions. Additional instructions outside the scope of the Agreement require agreement in writing and may be subject to fees.

3.3 TiJUBU shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law. TiJUBU may suspend the affected Processing (without liability) until the instruction is confirmed, amended or withdrawn.

4. Confidentiality

4.1 TiJUBU shall ensure that persons authorized to Process Customer Personal Data are bound by an appropriate statutory or contractual duty of confidentiality and are Processing the data only as instructed.

5. Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk to Data Subjects, TiJUBU shall implement and maintain the TOMs set out in Annex II, which shall provide a level of security appropriate to the risk in accordance with Article 32 GDPR.

5.2 TiJUBU may update the TOMs from time to time provided the updates do not materially reduce the overall level of security.

6. Sub-processing

6.1 The Controller grants TiJUBU general authorization to engage Sub-processors, subject to this Clause 6. The Sub-processors engaged at the date of the Order Form are listed in Annex III and maintained at TiJUBU's published sub-processor list.

6.2 TiJUBU shall inform the Controller of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, giving the Controller the opportunity to object on reasonable grounds relating to data protection. If the Controller objects, the Parties shall discuss in good faith; if no resolution is reached, the Controller may terminate the affected Services without penalty as its sole remedy.

6.3 TiJUBU shall impose on each Sub-processor, by written contract, data protection obligations equivalent in substance to those in this DPA. TiJUBU remains fully liable to the Controller for the performance of each Sub-processor's obligations.

7. International transfers

7.1 TiJUBU shall Process and store Customer Personal Data within the European Economic Area ("EEA"). Customer platform data is hosted in Amazon Web Services, Ireland (eu-west-1 region). Processing by the Controller's users located in Portugal or Spain, and by TiJUBU within Ireland, takes place within the EEA and does not constitute a transfer under Chapter V GDPR.

7.2 TiJUBU shall not transfer Customer Personal Data to a country outside the EEA unless it has put in place a transfer mechanism compliant with Chapter V GDPR. Where a Sub-processor entails such a transfer, TiJUBU shall rely on an adequacy decision, the EU-US Data Privacy Framework where the recipient is certified, or the EU Standard Contractual Clauses together with a transfer impact assessment and any supplementary measures required. Transfer mechanisms in force are recorded in Annex IV.

8. Assistance to the Controller

8.1 Taking into account the nature of the Processing, TiJUBU shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR. Where a Data Subject sends such a request directly to TiJUBU, TiJUBU shall, without undue delay, forward it to the Controller and shall not respond itself except on the Controller's instruction.

8.2 TiJUBU shall assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the Processing and the information available to TiJUBU.

9. Personal Data Breach

9.1 TiJUBU shall notify the Controller without undue delay, and in any event no later than forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 The notification shall, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point. Where the information cannot be provided at once, it may be provided in phases without undue further delay.

9.3 TiJUBU's notification is not and shall not be construed as an admission of fault or liability. Responsibility for notifying the competent Supervisory Authority and affected Data Subjects under Articles 33 and 34 GDPR rests with the Controller.

10. Audit

10.1 TiJUBU shall make available to the Controller information necessary to demonstrate compliance with Article 28 GDPR and this DPA, through the following tiered mechanism:

a) on request, TiJUBU's then-current third-party audit reports and certifications (such as ISO/IEC 27001 or SOC 2, when available) and the summary letter of its most recent penetration test;
b) a written security questionnaire, no more than once per year, to which TiJUBU shall respond within a reasonable period;
c) where (a) and (b) are insufficient to address a specific compliance concern, an audit conducted by the Controller or an independent auditor (not a competitor of TiJUBU) on at least thirty (30) days' written notice, no more than once per year (save where required by a Supervisory Authority or following a Personal Data Breach), during business hours, subject to confidentiality, and conducted so as to minimize disruption.

10.2 The Controller bears its own and TiJUBU's reasonable costs of an on-site or remote audit under 10.1(c), unless the audit reveals a material non-compliance by TiJUBU, in which case TiJUBU bears its own costs.

11. Artificial intelligence

11.1 TiJUBU shall not use Customer Personal Data to train, fine-tune or improve any machine-learning or artificial-intelligence model for the benefit of any third party or any other customer. This obligation binds TiJUBU and is flowed down to any AI Sub-processor.

11.2 Where the Services use a third-party AI Sub-processor, TiJUBU shall ensure by contract that the Sub-processor does not use Customer Personal Data to train its models and Processes such data only to provide the relevant functionality to the Controller.

11.3 Any AI inference logs containing Customer Personal Data are subject to the return and deletion obligations in Clause 12. Audit logs of AI-assisted activity are available to the Controller through the Services.

12. Return and deletion

12.1 On termination or expiry of the Agreement, TiJUBU shall, at the Controller's choice, return or delete all Customer Personal Data, and delete existing copies, unless EU or Member State law requires storage. The Controller may export Customer Personal Data in a structured, commonly used, machine-readable format during a period of thirty (30) days after termination (the "Export Window").

12.2 After the Export Window, TiJUBU shall delete Customer Personal Data from active systems within thirty (30) days and from routine backups within the ordinary backup rotation cycle, not exceeding ninety (90) days, after which it is irretrievably overwritten. Deletion extends to AI inference logs in accordance with Clause 11.3.

12.3 TiJUBU shall, on written request, certify in writing the completion of deletion.

12.4 Where TiJUBU is permitted by the Agreement to retain anonymized or aggregated data derived from Customer Personal Data, it may do so only where the data has been anonymized irreversibly such that no Data Subject can be identified, directly or indirectly, by any means reasonably likely to be used, consistent with Recital 26 GDPR. The anonymization technique is described in Annex II. Such data is no longer Personal Data and falls outside this Clause 12.

13. Liability

13.1 The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, including the elevated cap applicable to data protection matters, subject always to mandatory law that cannot be limited or excluded.

14. Term

14.1 This DPA takes effect on the effective date of the Agreement and continues for as long as TiJUBU Processes Customer Personal Data, after which the surviving obligations (including Clauses 4, 12 and 13) continue for so long as required.

15. Governing law

15.1 This DPA is governed by Portuguese law and subject to the jurisdiction provisions of the Agreement, without prejudice to the rights of Data Subjects and the competence of Supervisory Authorities under Applicable Data Protection Law.

[COMPANY LEGAL NAME]
Signature:
Name: [REPRESENTATIVE NAME]
Title: [REPRESENTATIVE TITLE]
Date:

Truleadership, Unipessoal, Lda.
Signature: Rui Luz
Name: Rui Luz
Title: Chief Executive Officer
Date: 14 June 2026

Annex I. Description of processing

Subject matter

Provision of the subscribed TiJUBU Services as described in the Agreement and the Plan Details or Order Form. The categories below reflect the TiJUBU Pay (Pay Intelligence) Services; for other Services the categories are as set out in the applicable Plan Details or Order Form and any service-specific annex.

Duration

The term of the Agreement, plus the return/deletion periods in Clause 12.

Nature and purpose

Hosting, storage, organization, analysis, simulation and workflow processing of workforce data to enable the subscribed Services. For the Pay Services, this comprises pay analysis, pay policy design and pay review cycles. Outputs support human decisions and do not produce automated decisions with legal or similarly significant effect.

Categories of Data Subjects

The Controller's employees, and where applicable its candidates, contractors and other workforce members whose data the Controller loads into the Services.

Categories of Personal Data (Pay Services)

  • Identification and employment data: name, employee identifier, job title, function, grade/level, department, location, hire date, tenure, manager.
  • Compensation data: base salary, variable pay, bonuses, benefits, pay history, pay band/range data.
  • Demographic data relevant to pay equity: sex/gender. (Used for gender pay gap measurement under Directive (EU) 2023/970 and national law. This is not a special category under Article 9 GDPR.)

Categories of Personal Data (Career Journeys)

  • Identification and employment data: name, employee identifier, job title, function, grade/level, department, location.
  • Career-development data: skills, qualifications, certifications, role and career history, development goals, stated preferences and aspirations. None of this is a special category under Article 9 GDPR. The Service supports career development and does not make or determine promotion or selection decisions.

Special categories of Personal Data

None are required for, or to be submitted to, the Self-Serve Services. The Pay Services do not require Article 9 data. A Service that requires Article 9 data (for example a wellbeing module processing health data) is not available self-serve and may only be contracted under a Master Subscription Agreement with a service-specific annex setting out the Article 9 condition relied on and any additional safeguards.

Frequency of Processing

Continuous for the term, via integration with the Controller's HRIS or manual upload.

Annex II. Technical and organisational measures

  • Encryption. Data encrypted at rest using AES-256 and in transit using TLS 1.3.
  • Access control. Role-based access on the principle of least privilege; multi-factor authentication for administrative and remote access; unique credentials; quarterly access reviews.
  • Network and infrastructure security. Segmentation, firewalling, hardened baseline configurations, managed vulnerability scanning.
  • Monitoring and logging. Centralized security monitoring (SIEM), audit logging of access to Customer Personal Data, alerting on anomalous activity.
  • Testing. Independent penetration testing at least annually, with remediation tracked against defined service levels by severity.
  • Resilience. Backups with point-in-time recovery; documented business continuity and disaster recovery plans, tested periodically.
  • Secure development. Secure SDLC, code review, segregation of development, test and production environments; test environments do not use live Customer Personal Data unless masked.
  • Personnel. Confidentiality undertakings, security awareness training, defined joiner/mover/leaver process.
  • Sub-processor management. Due diligence and contractual flow-down of equivalent obligations.

Annex III. Sub-processors

The current sub-processors engaged to Process Customer Personal Data are listed below and maintained on TiJUBU's published sub-processor list. TiJUBU gives at least 30 days' advance notice of any addition or replacement.

Sub-processor                 | Purpose                                                              | Location     | Transfer mechanism
Amazon Web Services EMEA SARL | Cloud hosting and storage of the platform and Customer Personal Data | Ireland, EEA | Intra-EEA, none required

No sub-processor outside the EEA Processes Customer Personal Data at the date of this version. If an AI model vendor or other sub-processor is engaged in future, it will be added to this Annex and the published list with its purpose, location and Chapter V transfer mechanism before it begins Processing.

Annex IV. Transfer mechanisms

All sub-processors that Process Customer Personal Data are EEA-located. Accordingly, no Chapter V transfer of Customer Personal Data occurs and no transfer mechanism is required at the date of this version. For any future sub-processor outside the EEA, the applicable mechanism (adequacy decision, EU-US Data Privacy Framework, or EU Standard Contractual Clauses with a transfer impact assessment) will be recorded here against that sub-processor.