Joqiva Data Processing Agreement

Data Processing Agreement for Customer Personal Data processed through Joqiva.

Effective date: 24 Feb 2026 | Last updated: 2 June 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Joqiva Terms of Service and applies where Joqiva processes Customer Personal Data on behalf of a Joqiva customer as processor. By creating a workspace, starting a trial, subscribing to a paid plan, accessing the Service, accepting the Terms of Service, or otherwise entering into an agreement that incorporates this DPA, the Customer agrees to this DPA. Material updates to this DPA will be handled under the change process in this DPA and the Terms of Service. Where required, Joqiva may ask the Customer to accept the updated DPA before continuing to use the Service. This DPA is intended to satisfy the controller-to-processor contract requirements under Article 28 UK GDPR where UK GDPR applies, and equivalent controller-to-processor requirements under other Applicable Data Protection Laws where applicable.

1. Parties

1.1 Processor. Joqiva is operated by FOP Mykola Marchuk Mykolaiovych, an individual entrepreneur registered in Ukraine, trading as Joqiva. Joqiva's current legal entity details, trading name, website, country of establishment, registered business address, correspondence address, registration information, UK VAT status, contact details, privacy contact and UK/EU representative information are maintained in the Legal Notice. In this DPA, "Joqiva", "we", "us" or "our" means that operator. 1.2 Controller. The "Customer" is the business, sole trader, company, partnership, organisation or other business user that creates, owns or controls a Joqiva workspace and uses the Service for business purposes. The Customer is normally the controller of Customer Personal Data. If the Customer processes Customer Personal Data on behalf of another controller, the Customer is responsible for ensuring that it is authorised to appoint Joqiva as subprocessor and to give Joqiva the instructions described in this DPA. 1.3 Agreement. This DPA is between Joqiva and the Customer. If an individual accepts this DPA on behalf of a company, sole trader business, partnership or organisation, that individual confirms that they have authority to bind that business or organisation.

2. Relationship with the Terms

2.1 This DPA is incorporated into and forms part of the Joqiva Terms of Service. 2.2 If there is a conflict between this DPA and the Terms of Service in relation to the processing of Customer Personal Data where Joqiva acts as processor, this DPA takes priority. 2.3 If there is a conflict between this DPA and an applicable international data transfer mechanism, such as the UK IDTA, the UK Addendum or EU Standard Contractual Clauses, that transfer mechanism takes priority for the relevant Restricted Transfer. 2.4 Capitalised words not defined in this DPA have the meaning given in the Terms of Service. 2.5 This DPA does not limit any rights of data subjects that cannot be limited under Applicable Data Protection Laws.

3. Definitions

3.1 "Applicable Data Protection Laws" means all data protection and privacy laws that apply to the relevant processing of personal data under this DPA, including where applicable: (a) UK GDPR; (b) Data Protection Act 2018; (c) Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"); (d) Data (Use and Access) Act 2025, to the extent in force and applicable; (e) EU GDPR, where applicable; (f) any applicable laws replacing, amending or supplementing the above; and (g) binding regulator orders, court orders, statutory codes or legally binding decisions applicable to the relevant processing. Regulatory guidance is not legislation unless legally binding, but the parties may take relevant guidance into account when interpreting and applying this DPA. 3.2 "Controller", "processor", "personal data", "personal data breach", "processing", "special category data", "data subject" and "supervisory authority" have the meanings given in Applicable Data Protection Laws. 3.3 "Customer Data" means data, content, files, records, emails, attachments, PDFs, quotes, invoices, job information, customer information, payment reports, audit records and other materials submitted to, generated in, or stored in the Service by or on behalf of the Customer. 3.4 "Customer Personal Data" means personal data contained in Customer Data that Joqiva processes on behalf of the Customer as processor. 3.5 "End Customer" means a customer, prospective customer, homeowner, tenant, payer, quote recipient, invoice recipient, contact, supplier representative or other person who interacts with the Customer through the Service or whose personal data is processed in the Customer's workspace. 3.6 "Restricted Transfer" means a transfer of personal data that is restricted under Applicable Data Protection Laws, including a transfer of UK-regulated personal data to a separate organisation located outside the United Kingdom where no UK adequacy regulation applies. 
3.7 "Service" means Joqiva as described in the Terms of Service, including Joqiva websites, web application, customer-facing pages, documented interfaces, related services, features and documentation that Joqiva provides or makes available. 3.8 "Subprocessor" means another processor engaged by Joqiva to process Customer Personal Data on behalf of the Customer. 3.9 "UK Addendum" means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. 3.10 "UK IDTA" means the UK International Data Transfer Agreement issued under UK data protection law. 3.11 "Workspace" means a Joqiva workspace, business account, organisation space or similar environment where Customer Data is created, stored and managed.

4. Scope of this DPA

4.1 This DPA applies only where Joqiva processes Customer Personal Data as processor on behalf of the Customer. 4.2 Customer Personal Data may include personal data in: (a) enquiries; (b) jobs; (c) quotes; (d) invoices; (e) customer-facing quote pages; (f) customer-facing invoice pages; (g) customer records; (h) job records; (i) files; (j) PDFs; (k) payment reports; (l) payment evidence; (m) quote acceptances; (n) reminders; (o) inbound emails; (p) outbound emails; (q) email attachments; (r) quote-link SMS delivery attempt and status records; (s) integration and operational event records; (t) operational task records; (u) audit logs; (v) workspace settings; (w) bank transfer instructions; (x) document view records; (y) AI-assisted draft extraction records where enabled; and (z) related technical, security, audit and operational records processed on behalf of the Customer. 4.3 This DPA does not apply where Joqiva processes personal data as an independent controller. 4.4 Joqiva may act as an independent controller for: (a) account registration; (b) user login and authentication administration; (c) subscription billing; (d) support administration; (e) website operation; (f) security monitoring; (g) abuse prevention; (h) legal compliance; (i) business administration; (j) internal product analytics, usage metrics and service analytics where Joqiva determines the purposes and means, as described in the Privacy Policy and Cookie Policy; (k) service communications with Joqiva customers and users; and (l) legal claims and dispute handling. 4.5 Joqiva's controller processing is explained in the Privacy Policy. 4.6 Where the same personal data is processed for different purposes, Joqiva may act as processor for some purposes and controller for other limited purposes. For example, Joqiva may process customer quote data as processor for the Customer, while processing limited security logs as controller to protect the Service.

5. Controller and processor roles

5.1 For Customer Personal Data: (a) the Customer is normally the controller; (b) Joqiva is normally the processor; and (c) the providers listed on the Subprocessors page may act as Subprocessors. 5.2 The Customer determines the purposes and means of processing Customer Personal Data. 5.3 Joqiva processes Customer Personal Data only as instructed by the Customer, except where Joqiva is required to process Customer Personal Data by applicable law. 5.4 If Joqiva is required by law to process Customer Personal Data outside the Customer's instructions, Joqiva will inform the Customer before processing unless the law prohibits Joqiva from doing so. 5.5 If Joqiva determines the purposes and means of processing outside the Customer's instructions, Joqiva may be treated as controller for that processing under Applicable Data Protection Laws.

6. Processing details required by Article 28

6.1 The subject matter, duration, nature, purpose, personal data types, data subject categories, and controller rights and obligations are described in Annex 1. 6.2 Annex 1 forms part of this DPA. 6.3 The technical and organisational measures are described in Annex 2. 6.4 The retention schedule is described in Annex 3. 6.5 International transfer details are described in Annex 4.

7. Customer instructions

7.1 The Customer instructs Joqiva to process Customer Personal Data as necessary to provide, operate, secure, maintain, support and make available the Service in accordance with: (a) the Terms of Service; (b) this DPA; (c) the Customer's Plan; (d) the Customer's workspace settings; (e) documented product configuration; (f) actions taken by authorised users; (g) requests or instructions made using the Customer's credentials, access methods or documented interfaces; (h) support requests submitted by or on behalf of the Customer; (i) written instructions accepted by Joqiva; and (j) applicable documentation. 7.2 The Customer's instructions include processing Customer Personal Data for: (a) hosting workspace data; (b) authenticating users; (c) maintaining customer-environment separation; (d) storing customer, enquiry, job, quote and invoice data; (e) generating documents and PDFs; (f) storing files and attachments; (g) displaying customer-facing quote and invoice pages; (h) displaying bank transfer instructions provided by the Customer; (i) recording quote views, quote questions, quote acceptances and quote declines; (j) recording invoice views, payment reports, payment evidence and owner confirmation; (k) sending service emails and reminders; (l) processing inbound emails and attachments; (m) parsing emails; (n) creating draft suggestions or extracted fields through AI-assisted features where enabled; (o) processing integration and operational events; (p) running operational tasks; (q) maintaining audit logs and activity history; (r) providing exports; (s) maintaining backups; (t) detecting and preventing abuse; (u) monitoring availability, reliability and errors; (v) securing the Service; (w) providing support; (x) maintaining and improving the reliability, security and functionality of the Service as part of Service delivery; (y) creating aggregated or anonymised information where permitted by this DPA and applicable law; and (z) complying with applicable law. 
The Customer's instructions also include using email addresses to send customer-facing quote links by email, using phone numbers to attempt SMS delivery of customer-facing quote links where selected and available, processing SMS delivery metadata for delivery, troubleshooting, audit and security, and recording explicit user confirmation when a manually copied quote link is marked as sent. 7.3 The Customer instructs Joqiva to use Subprocessors as described in this DPA and on the Subprocessors page. 7.4 The Customer instructs Joqiva to make Customer Personal Data available to authorised personnel, contractors and approved service providers in Ukraine, the United Kingdom and other locations described in this DPA or on the Subprocessors page where necessary to provide, secure, support and maintain the Service, subject to this DPA and applicable transfer safeguards. 7.5 The Customer instructs Joqiva to process Customer Personal Data in accordance with the retention periods in Annex 3, unless the Customer lawfully deletes data, requests deletion, exports data, configures shorter retention where available, or gives a supported written instruction accepted by Joqiva. 7.6 The Customer instructs Joqiva to make international transfers described in this DPA and Annex 4, including transfers or access from Ukraine, where necessary to provide, secure, support and maintain the Service.
7.7 Joqiva may refuse or suspend an instruction if Joqiva reasonably believes the instruction: (a) breaches Applicable Data Protection Laws; (b) creates a security risk; (c) creates an operational risk; (d) requires Joqiva to process data outside the scope of the Service; (e) requires Joqiva to breach law or third-party terms; (f) is technically impossible, materially disproportionate, or outside the agreed scope of the Service; (g) would compromise the rights of another customer or data subject; (h) would compromise the security, integrity or availability of the Service; or (i) is inconsistent with the Terms of Service. 7.8 If Joqiva believes that an instruction breaches Applicable Data Protection Laws, Joqiva will inform the Customer unless prohibited by law.

8. Customer obligations

8.1 The Customer is responsible for complying with Applicable Data Protection Laws in relation to Customer Personal Data. 8.2 The Customer must ensure that: (a) it has a lawful basis for processing Customer Personal Data; (b) it has a lawful basis for instructing Joqiva to process Customer Personal Data; (c) it provides all required privacy notices to End Customers, users, staff, suppliers and contacts; (d) Customer Personal Data is accurate where required for the relevant purpose; (e) Customer Personal Data is adequate, relevant and limited to what is necessary; (f) Customer Personal Data is not excessive; (g) workspace users are authorised and trained as appropriate; (h) user permissions are appropriate; (i) users who no longer need access are removed promptly; (j) customer-facing links are shared only with intended recipients; (k) bank transfer details and payment instructions are accurate; (l) reminders and emails are lawful and fair; (m) it complies with PECR and direct marketing rules where applicable; (n) it responds to data subject requests where it is controller; (o) it handles data protection complaints where it is controller; (p) its instructions to Joqiva are lawful; and (q) it has authority from any upstream controller where the Customer acts as processor for another organisation. 8.3 The Customer must not submit Customer Personal Data to the Service unless the Customer has the right to do so. 
8.4 The Customer must not use the Service for systematic processing of special category data, criminal offence data, children's data, health data, financial account access credentials, government identifiers, or highly sensitive personal data unless: (a) the processing is lawful; (b) the processing is necessary for the Customer's business use case; (c) the Customer has completed any required risk assessment; (d) the Customer has provided any required notices and safeguards; (e) the Customer has obtained any required consent or other lawful basis; (f) the processing is not prohibited by the Terms of Service or Acceptable Use Policy; and (g) Joqiva has expressly agreed in writing where the processing materially changes the risk profile of the Service. 8.5 The Service is not designed for children and is not intended to be used directly by children. 8.6 The Customer must not submit passwords, full payment card numbers, CVC codes, unnecessary identity documents, unnecessary medical information, or irrelevant sensitive information into the Service. 8.7 The Customer is responsible for configuring the Service appropriately for its own business, including workspace roles, permissions, customer-facing links, email features, reminder settings, AI-assisted features and export use. 8.8 The Customer is also responsible for making sure email addresses, phone numbers, recipients and manual copy-link sharing choices are accurate, lawful and appropriate for its own customer communications.

9. Joqiva obligations as processor

9.1 Joqiva will process Customer Personal Data only on documented instructions from the Customer, unless required by applicable law. 9.2 Joqiva will ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality. 9.3 Joqiva will implement and maintain appropriate technical and organisational measures as described in Annex 2. 9.4 Joqiva will assist the Customer with data subject requests, personal data breaches, security obligations, data protection impact assessments and prior consultation obligations as described in this DPA. 9.5 Joqiva will use Subprocessors only in accordance with this DPA. 9.6 Joqiva will provide information reasonably necessary to demonstrate compliance with Article 28 obligations as described in this DPA. 9.7 Joqiva will delete or return Customer Personal Data at the end of processing as described in this DPA, unless applicable law requires or permits continued retention. 9.8 Joqiva will not sell Customer Personal Data. 9.9 Joqiva will not use Customer Personal Data to advertise third-party products to End Customers.

10. Confidentiality

10.1 Joqiva will ensure that personnel and contractors authorised to process Customer Personal Data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality. 10.2 Joqiva will limit access to Customer Personal Data to personnel and contractors who need access for the purposes of providing, securing, supporting or maintaining the Service. 10.3 Joqiva will take reasonable steps to ensure that authorised personnel and contractors process Customer Personal Data only in accordance with this DPA and Joqiva's internal instructions. 10.4 Confidentiality obligations continue after the end of a person's engagement with Joqiva where required by contract, law or professional duty.

11. Security measures

11.1 Joqiva will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. 11.2 The technical and organisational measures are described in Annex 2. 11.3 Joqiva may update its technical and organisational measures from time to time, provided that the updates do not materially reduce the overall level of protection for Customer Personal Data. 11.4 The Customer is responsible for maintaining appropriate security controls for its own systems, users, devices, email accounts, passwords, credentials, access permissions, customer-facing links and bank transfer details. 11.5 The Customer must promptly notify Joqiva if it becomes aware of unauthorised access to the Service, compromised credentials, unauthorised changes to bank details, unauthorised changes to payment instructions, or another security incident affecting its use of the Service.

12. Subprocessors

12.1 The Customer gives Joqiva general written authorisation to engage Subprocessors to process Customer Personal Data. 12.2 The current approved Subprocessors and relevant provider categories are listed on the Subprocessors page. 12.3 Joqiva will maintain a public Subprocessors page that identifies approved Subprocessors that process Customer Personal Data, their processing functions, relevant locations and available transfer information. 12.4 Joqiva does not need to list Subprocessors directly in this DPA if the Subprocessors page provides the relevant current information. 12.5 Provider categories that are not approved for processing Customer Personal Data must be added to the Subprocessors page and relevant legal documents before they process Customer Personal Data, unless urgent processing is permitted under clause 12.16. 12.6 Joqiva may add, replace or remove Subprocessors. 12.7 Where Joqiva makes a material change to Subprocessors that process Customer Personal Data, Joqiva will provide notice before the change takes effect where reasonably possible. 12.8 Notice may be provided by: (a) updating the Subprocessors page; (b) email to the workspace owner or account contact; (c) in-app notice; (d) website notice; or (e) notice to customers who have requested Subprocessor change notices. 12.9 To request Subprocessor change notices, the Customer may use the privacy or legal contact listed in the Legal Notice with the subject line "Subprocessor notices". 12.10 If the Customer objects to a new or replacement Subprocessor on reasonable data protection grounds, the Customer must notify Joqiva in writing before the effective date stated in the notice. 12.11 If no effective date is stated, the Customer must notify Joqiva within 30 days after notice. 12.12 The objection must explain the specific data protection grounds for the objection.
12.13 Joqiva will review the objection in good faith and may, where reasonable and technically possible: (a) provide further information about the Subprocessor; (b) provide information about safeguards; (c) suggest a workaround; (d) disable the affected feature; (e) delay the change for the objecting Customer where feasible; (f) allow cancellation of the affected paid Service; or (g) take another reasonable step. 12.14 If Joqiva cannot reasonably resolve the objection and the Subprocessor is necessary to provide the Service, Joqiva may permit the Customer to cancel the affected Service in accordance with the Terms of Service. 12.15 Continued use of the affected Service after the effective date of a Subprocessor change may be treated as authorisation of the Subprocessor, unless the Customer has made a valid unresolved objection before that date. 12.16 Joqiva may add or replace a Subprocessor without advance notice where necessary to address an urgent security, legal, operational, availability or service continuity issue. In that case, Joqiva will provide notice as soon as reasonably practicable. 12.17 Joqiva will enter into a written contract or equivalent legal terms with each Subprocessor that processes Customer Personal Data. 12.18 The Subprocessor contract must impose data protection obligations that are substantially equivalent to the Article 28 obligations in this DPA, taking into account the nature of the services provided by the Subprocessor. 12.19 Joqiva remains responsible to the Customer for the performance of its Subprocessors as required by Applicable Data Protection Laws.

Article 27 representatives

Joqiva may appoint UK and/or EU GDPR Article 27 representatives to act as contact points for data protection matters where required by applicable law. Article 27 representatives are not Joqiva's data protection officer, controller, processor, subprocessor, UK branch, EU branch, registered office or establishment. Where a representative receives a data protection request, Joqiva remains responsible for assessing and responding to that request in accordance with applicable data protection law.

13. International transfers

13.1 Joqiva provides a business workflow SaaS service. 13.2 Customer Personal Data may be processed, stored, accessed or supported from the United Kingdom, Ukraine, countries where approved Subprocessors operate, and other locations described on the Subprocessors page. 13.3 The Customer instructs Joqiva to process and access Customer Personal Data from Ukraine and the United Kingdom for the purposes of providing, securing, supporting and maintaining the Service. 13.4 Where processing involves a Restricted Transfer, the parties will ensure that the Restricted Transfer is covered by a valid transfer mechanism under Applicable Data Protection Laws. 13.5 Valid transfer mechanisms may include: (a) UK adequacy regulations where applicable; (b) the UK IDTA; (c) the UK Addendum to the EU Standard Contractual Clauses; (d) EU Standard Contractual Clauses where EU GDPR applies; (e) binding corporate rules where applicable; (f) an applicable exception where lawful and proportionate; or (g) another lawful transfer mechanism available under Applicable Data Protection Laws. 13.5A Where Joqiva or the Customer relies on appropriate safeguards rather than adequacy regulations or an exception, the relevant party will carry out or rely on an appropriate transfer risk assessment or data protection test where required, and will apply supplementary technical, contractual or organisational measures where needed. 13.6 For UK-regulated Customer Personal Data transferred or made accessible from the United Kingdom to Joqiva in Ukraine, where the transfer is a Restricted Transfer and no UK adequacy regulation applies, the parties agree to use the UK IDTA unless another valid transfer mechanism is agreed or applies.
13.7 For the UK IDTA: (a) Annex 4 provides the information intended to complete the required IDTA transfer details; (b) Annex 1 describes transferred data, data subject categories, processing purposes and processing activities; (c) Annex 2 describes security measures; (d) the Subprocessors page describes approved Subprocessors and relevant onward transfer information; and (e) the IDTA mandatory clauses are incorporated as described in Annex 4. 13.8 If EU GDPR applies to a transfer from the European Economic Area to Joqiva or a Subprocessor outside the EEA, the parties will use the EU Standard Contractual Clauses. Unless another module is required by the facts: (a) Module Two applies where the Customer is controller and Joqiva is processor; and (b) Module Three applies where the Customer is processor and Joqiva is subprocessor. 13.9 Where the UK Addendum is used with the EU Standard Contractual Clauses for UK-regulated data, the UK Addendum applies as described in Annex 4. 13.10 Joqiva will not knowingly make a Restricted Transfer of Customer Personal Data to a Subprocessor unless Joqiva has taken reasonable steps to ensure that the transfer is covered by an appropriate transfer mechanism. 13.11 The Customer acknowledges that use of the Service requires international processing and access, including access from Ukraine and from approved Subprocessor locations. 13.12 The Customer acknowledges that use of the Service may require international processing and access as described in this DPA and the Subprocessors page. If the Customer cannot lawfully use those arrangements for its Customer Personal Data, the Customer must not submit that Customer Personal Data to the Service. 13.13 If a new, amended or replacement transfer mechanism is required or recommended under Applicable Data Protection Laws, Joqiva may update this DPA, Annex 4 or the applicable transfer documentation to reflect that mechanism.

14. Data subject requests

14.1 Joqiva will provide reasonable assistance to the Customer, taking into account the nature of the processing and the information available to Joqiva, to help the Customer respond to requests from data subjects exercising their rights under Applicable Data Protection Laws. 14.2 Joqiva may provide assistance through: (a) product functionality; (b) export tools; (c) deletion tools; (d) access controls; (e) support responses; (f) information about processing; (g) correction or deletion support where available; and (h) reasonable technical assistance. 14.3 If Joqiva receives a data subject request relating to Customer Personal Data, Joqiva will, where reasonably identifiable as relating to the Customer: (a) notify the Customer without undue delay; (b) refer the requester to the Customer where appropriate; and (c) not respond substantively to the request unless instructed by the Customer or required by law. 14.4 Joqiva is not responsible for determining the validity of a data subject request where the Customer is controller. 14.5 The Customer is responsible for responding to data subject requests within the time limits required by Applicable Data Protection Laws. 14.6 Where Joqiva processes the same person's data as independent controller, Joqiva may respond to controller-side requests for Joqiva controller data under the Privacy Policy.

15. Data protection complaints

15.1 Where the Customer is controller, the Customer is responsible for handling complaints from data subjects about the Customer's use of Customer Personal Data. 15.2 If Joqiva receives a complaint that clearly relates to Customer Personal Data processed on behalf of the Customer, Joqiva will use reasonable efforts to forward the complaint to the Customer or refer the complainant to the Customer. 15.3 Joqiva will provide reasonable assistance where the complaint relates to Joqiva's processing of Customer Personal Data as processor. 15.4 Joqiva remains responsible for complaints relating to personal data processed by Joqiva as independent controller. 15.5 Joqiva's controller-side complaints process is described in the Privacy Policy.

16. Personal data breaches

16.1 Joqiva will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. 16.2 Where feasible, Joqiva will aim to notify the Customer within 48 hours after becoming aware that a Personal Data Breach affecting Customer Personal Data has occurred. 16.3 Joqiva's notification may include, where available: (a) a description of the nature of the Personal Data Breach; (b) affected systems or features; (c) affected categories of Customer Personal Data; (d) affected categories of data subjects; (e) approximate number of affected records, if known; (f) likely consequences, if known; (g) measures taken or proposed to address the breach; (h) measures proposed to mitigate possible adverse effects; (i) contact details for further information; and (j) any other information reasonably available to Joqiva. 16.4 Joqiva may provide information in phases as it becomes available. 16.5 Joqiva's notification of a Personal Data Breach is not an admission of fault or liability. 16.6 The Customer is responsible for deciding whether to notify a supervisory authority, affected data subjects, customers, insurers or other third parties. 16.7 Joqiva will provide reasonable assistance to the Customer with breach assessment and notification obligations, taking into account the nature of the processing and the information available to Joqiva. 16.8 The Customer must promptly notify Joqiva if the Customer becomes aware of a security incident, compromised account, compromised credential, compromised email account, unauthorised bank detail change, or other event that may affect Customer Personal Data in the Service.

17. DPIAs and prior consultation

17.1 Joqiva will provide reasonable assistance to the Customer with data protection impact assessments ("DPIAs") and prior consultation with supervisory authorities where required by Applicable Data Protection Laws. 17.2 Assistance may include providing: (a) information about processing operations; (b) information about Subprocessors; (c) information about technical and organisational measures; (d) security summaries; (e) data retention information; (f) international transfer information; and (g) other information reasonably available to Joqiva. 17.3 Joqiva is not responsible for conducting DPIAs for the Customer where the Customer is controller. 17.4 The Customer is responsible for determining whether its use of the Service requires a DPIA or consultation with a supervisory authority. 17.5 If the Customer's proposed use of the Service would materially increase the risk profile of processing, the Customer must notify Joqiva before using the Service for that purpose.

18. Audits and compliance information

18.1 Joqiva will make available information reasonably necessary to demonstrate compliance with Article 28 obligations. 18.2 Joqiva may satisfy this obligation by providing: (a) this DPA; (b) the Subprocessors page; (c) security summaries; (d) technical and organisational measures; (e) privacy and retention information; (f) responses to reasonable security questionnaires; (g) audit reports or certifications if available; (h) written explanations of controls; (i) incident summaries where appropriate; and (j) other reasonable documentation. 18.3 If the information provided under clause 18.2 is not sufficient to demonstrate compliance with Article 28 obligations, the Customer may request an audit. 18.4 Audits must be: (a) limited to Joqiva's processing of Customer Personal Data; (b) conducted no more than once in any 12-month period unless required by a supervisory authority or following a confirmed Personal Data Breach affecting Customer Personal Data; (c) conducted on at least 30 days' written notice, unless a shorter period is legally required; (d) conducted during normal business hours; (e) conducted in a way that does not disrupt Joqiva's operations; (f) subject to confidentiality obligations; (g) limited to information reasonably necessary to verify compliance; (h) conducted remotely where reasonable, although an on-site audit may be requested where legally required or reasonably necessary to verify compliance, subject to appropriate confidentiality, security and operational safeguards; and (i) conducted by the Customer or an independent auditor who is not a competitor of Joqiva. 18.5 Audits must not compromise: (a) security of the Service; (b) privacy of other customers; (c) confidentiality of other customers; (d) Joqiva's trade secrets; (e) Joqiva's source code; (f) Joqiva's internal security architecture beyond what is reasonably necessary; or (g) third-party provider confidentiality obligations. 18.6 The Customer must pay its own audit costs. 
18.7 Joqiva may charge reasonable fees for audit support where the audit requires substantial time or resources, unless the audit is required by a supervisory authority, required because of Joqiva's confirmed material breach of this DPA, or charging a fee would make the Customer's Article 28 audit right ineffective. 18.8 Nothing in this clause limits any audit or inspection right that cannot be limited under Applicable Data Protection Laws.

19. Return, deletion and end of processing

19.1 Subscription end, trial end, cancellation, downgrade or Read-Only Mode does not automatically mean the end of processing under this DPA. 19.2 While a workspace remains active or in Read-Only Mode, Joqiva continues to process Customer Personal Data to provide view, download, export, security, retention and related functionality. 19.3 At the end of processing, the Customer may request return or deletion of Customer Personal Data, subject to the Service functionality, this DPA, the Terms of Service, legal requirements, retention obligations and technical limitations. 19.4 Joqiva may provide return of Customer Personal Data through export tools, existing PDFs, downloadable files or reasonable support-assisted export. 19.5 After a valid deletion request for an account or workspace, Joqiva will delete or anonymise relevant Customer Personal Data within 90 days where legally and technically possible, subject to clauses 19.6 to 19.10. 19.6 Joqiva may retain Customer Personal Data after a deletion request only to the extent that: (a) applicable law requires retention; (b) retention is necessary for legal claims, dispute resolution, fraud prevention, security, audit integrity, accounting or compliance purposes and Joqiva has a lawful basis for that retention; (c) the data is contained in backups pending the next scheduled deletion cycle; or (d) the data is retained as a separate controller record where Joqiva is legally permitted to do so. 19.7 Where Joqiva retains Customer Personal Data under clause 19.6, Joqiva will limit processing to the relevant retention purpose where reasonably practicable. 19.8 Backup deletion may occur on the next scheduled backup deletion cycle. 19.9 Backup data may be isolated, protected and not used for ordinary Service operation before deletion. 
19.10 Joqiva is not required to delete data in a manner that would compromise security, business continuity, legal compliance, audit integrity, fraud prevention, accounting integrity or the rights of other customers.

20. Retention

20.1 The standard retention schedule is set out in Annex 3. 20.2 The Customer instructs Joqiva to retain Customer Personal Data according to Annex 3 unless the Customer uses available deletion tools, requests deletion, configures shorter retention where available, or gives another supported instruction accepted by Joqiva. 20.3 Retention periods may be extended where required or permitted by law, court order, regulator, dispute, investigation, security incident, fraud prevention need, audit need or legal claim. 20.4 Joqiva may anonymise Customer Personal Data instead of deleting it where lawful and technically appropriate. 20.5 Anonymised data is not Customer Personal Data if it no longer identifies and cannot reasonably be used to identify an individual.

21. AI-assisted processing

21.1 Joqiva may offer AI-assisted features to help create draft suggestions, classifications, summaries or extracted fields from emails, messages, attachments or other content submitted to the Service. 21.2 AI-assisted features create drafts, suggestions or extracted fields only. 21.3 AI-assisted features do not create final jobs, final quotes, final invoices, final customer communications or final business decisions. 21.4 The Customer must review, correct and approve AI-assisted output before using it in the Customer's business. 21.5 Joqiva may use approved AI service providers to provide AI-assisted features where those providers are listed on the Subprocessors page where required. 21.6 AI-assisted processing is handled through Joqiva systems and approved service providers where the feature is enabled. 21.7 Joqiva will not authorise an AI service provider to use Customer Personal Data submitted through Joqiva to train or improve general AI models unless Joqiva discloses this and the Customer authorises it where required by Applicable Data Protection Laws. 21.8 The Customer must not submit special category data, criminal offence data, children's data, passwords, full payment card details, unnecessary identity documents or highly sensitive personal data to AI-assisted features unless the Customer has a lawful basis, appropriate safeguards and a necessary business use case. 21.9 AI-assisted processing may involve submitted content, inbound email content, message content, attachments, customer contact details, job details, extracted draft fields, reviewed or validated output, usage metadata, validation information and operational logs. 21.10 Joqiva will minimise retained AI-related records to what is reasonably needed for service operation, security, audit, troubleshooting and usage tracking. 21.11 Further AI transparency information is provided in the AI Processing Notice.

22. Email, SMS and quote link communications

22.1 Joqiva may process inbound emails, outbound emails, forwarded emails, parsed emails, reminders, attachments, customer-facing quote link SMS delivery attempts, email metadata, SMS delivery metadata and communication events on behalf of the Customer. 22.2 Email, SMS and quote link communication processing may include: (a) receiving inbound emails; (b) parsing email content; (c) processing attachments; (d) associating emails with enquiries, jobs, quotes, invoices or customer records; (e) sending transactional emails and customer-facing quote links by email; (f) attempting SMS delivery of customer-facing quote links where selected and available; (g) recording user-confirmed manual copy-link sending; (h) sending reminders; (i) processing bounces; (j) processing delivery status information; (k) processing open and click events where configured and lawful; (l) processing integration and operational events; (m) storing email content and email or SMS metadata; and (n) scanning attachments for security purposes where enabled. 22.3 The Customer is responsible for ensuring that its use of email, SMS, reminder and manual copy-link features is lawful, fair and compliant with Applicable Data Protection Laws and PECR. 22.4 The Customer must not use Joqiva email, SMS or reminder features for unlawful marketing, spam, harassment, misleading communications or unauthorised communications. 22.5 SMS delivery is an attempted communication and may not always succeed. SMS delivery metadata may be processed for delivery, troubleshooting, audit and security. 22.6 Open and click tracking is disabled by default. If open or click tracking is enabled later, Joqiva will assess and implement applicable privacy, PECR, consent and disclosure requirements.

23. Bank transfer instructions and payment-related data

23.1 Joqiva may process bank transfer instructions provided by the Customer so that they can be displayed on quotes, invoices, customer-facing pages, reminders and PDFs. 23.2 Bank transfer instructions may include bank account name, sort code, account number, IBAN where used, payment reference, payment terms and related payment instructions. 23.3 If bank transfer instructions identify a sole trader or individual, they may be Customer Personal Data. 23.4 Joqiva does not process, collect, hold, transfer, settle, control or transmit money owed by End Customers to the Customer. 23.5 End Customers pay directly into the Customer's bank account. 23.6 Joqiva does not initiate bank transfers, access payment accounts, or instruct banks or payment institutions to move End Customer funds. 23.7 Joqiva may process payment reports, "I've paid" confirmations, payment evidence, owner confirmation, overdue invoice status and reminders as workflow data. 23.8 Joqiva does not store full payment card numbers for End Customer invoice payments because Joqiva does not process End Customer invoice payments. 23.9 The Customer remains responsible for verifying bank details, payment instructions and receipt of funds.

24. Subscription billing

24.1 Joqiva subscription billing is separate from End Customer invoice payments and is generally processed by Joqiva as controller, as described in the Privacy Policy. 24.2 Joqiva may use a billing provider or merchant of record to process subscription fees, invoices, payment attempts, payment status, tax information and billing support information. 24.3 To the extent any billing provider processes Customer Personal Data on behalf of Joqiva as processor or Subprocessor, it will be listed on the Subprocessors page where required. 24.4 Joqiva does not store full payment card numbers, CVC codes or raw card data. 24.5 Billing providers are not used for customer invoice bank-transfer payment tracking. 24.6 Joqiva must not use End Customer invoice payment records as evidence of the Customer's Joqiva subscription payment.

24A. Partner programme and affiliate attribution

24A.1 Joqiva may operate a partner, referral or affiliate programme under separate Partner Terms. 24A.2 Partner programme and affiliate attribution data is generally processed by Joqiva as controller, as described in the Privacy Policy. 24A.3 Joqiva may use an affiliate network or partner programme provider to administer partner applications, attribution, conversion validation, fraud prevention and commission approval. 24A.4 Customer invoice payments are not commissionable and are not processed through Joqiva, subscription billing providers or affiliate networks. 24A.5 Joqiva will not intentionally disclose Customer Personal Data contained in workspace business records to affiliate networks or partner programme providers unless that processing is lawful, necessary, documented and reflected on the Subprocessors page where required. 24A.6 To the extent an affiliate network or partner programme provider processes Customer Personal Data on behalf of Joqiva as processor or Subprocessor, it will be listed on the Subprocessors page where required.

25. Records of processing

25.1 Joqiva will maintain records of processing activities where required by Applicable Data Protection Laws. 25.2 The Customer is responsible for maintaining its own records of processing activities where required. 25.3 Joqiva may provide reasonable information about processor-side records of processing where required to demonstrate compliance with this DPA and Article 28 obligations.

26. Government, law enforcement and legal requests

26.1 If Joqiva receives a legally binding request for Customer Personal Data from a government authority, regulator, court or law enforcement authority, Joqiva will review the request. 26.2 Where legally permitted and reasonably practicable, Joqiva will notify the Customer before disclosing Customer Personal Data. 26.3 Joqiva may disclose Customer Personal Data where required by applicable law, court order, regulator or lawful authority. 26.4 Joqiva will use reasonable efforts to disclose only the Customer Personal Data reasonably required by the request. 26.5 Joqiva may challenge or refuse a request where Joqiva reasonably considers that the request is unlawful, excessive, unclear or not binding, subject to applicable law and practical constraints.

27. Data accuracy

27.1 The Customer is responsible for the accuracy of Customer Personal Data submitted to the Service. 27.2 Joqiva is not responsible for checking the accuracy of Customer Personal Data, quote content, invoice content, bank details, payment instructions, customer details or AI-assisted draft output. 27.3 Joqiva will provide reasonable correction functionality or support where available through the Service. 27.4 The Customer must review and correct AI-assisted output before using it in the Customer's business.

28. Limitation of liability

28.1 Liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service, except to the extent prohibited by Applicable Data Protection Laws. 28.2 Nothing in this DPA limits or excludes liability that cannot be limited or excluded by law. 28.3 Nothing in this DPA limits rights of data subjects under Applicable Data Protection Laws. 28.4 Nothing in this DPA limits Joqiva's obligations under an applicable transfer mechanism to the extent that those obligations cannot be limited by the Terms of Service.

29. Changes to this DPA

29.1 Joqiva may update this DPA from time to time. 29.2 If Joqiva makes material changes to this DPA, Joqiva will provide reasonable notice, such as by email, in-app notice, website notice or posting an updated version. 29.2A Joqiva will not make a material change to this DPA that materially reduces the overall protection of Customer Personal Data without providing reasonable notice, unless the change is required for legal, security, transfer compliance or urgent operational reasons. 29.3 The updated DPA will apply from the effective date stated in the notice or posted version. 29.4 Continued use of the Service after the effective date of an updated DPA means the Customer accepts the updated DPA, except where Applicable Data Protection Laws require a different method of agreement. 29.5 If the Customer does not agree to an updated DPA, the Customer must stop using the Service and cancel the affected subscription before the updated DPA applies. 29.6 Changes to Subprocessors are handled under the Subprocessor change process in this DPA and on the Subprocessors page. 29.7 Joqiva may update this DPA to reflect changes in Applicable Data Protection Laws, transfer mechanisms, regulator guidance, Subprocessor arrangements, security measures, product functionality or operational requirements. 29.8 If a DPA update is required urgently for legal, security, operational or transfer compliance reasons, Joqiva may apply the update sooner than the standard notice period where reasonably necessary.

30. Governing law

30.1 This DPA is governed by the laws of England and Wales unless the applicable transfer mechanism requires otherwise. 30.2 The courts of England and Wales have exclusive jurisdiction over disputes arising out of or relating to this DPA unless the applicable transfer mechanism requires otherwise. 30.3 Nothing in this clause limits the jurisdiction, rights or remedies of a supervisory authority or data subject under Applicable Data Protection Laws.

31. Contact

For questions about this DPA, use the contact details maintained in the Legal Notice. The current privacy contact and legal contact are listed in the Legal Notice.

Annex 1: Processing Details

1. Subject matter of processing Joqiva processes Customer Personal Data to provide a business workflow SaaS product for small service businesses, including enquiry management, job management, quote creation, customer quote pages, quote link delivery by email, SMS or manual sharing, invoice creation, bank-transfer payment workflow tracking, reminders, email processing, AI-assisted draft enquiry extraction, exports, support, security and related functionality. 2. Duration of processing Joqiva processes Customer Personal Data for the duration of the Customer's use of the Service, including any active subscription, trial, grace period, Read-Only Mode, export period, backup period and retention period described in this DPA. Processing continues until Customer Personal Data is deleted, anonymised, returned or retained only as permitted by this DPA, the Terms of Service or applicable law. 3. Nature of processing The nature of processing may include: (a) collection; (b) receipt; (c) storage; (d) hosting; (e) organisation; (f) structuring; (g) retrieval; (h) access; (i) display; (j) transmission; (k) parsing; (l) extraction; (m) AI-assisted draft field extraction where enabled; (n) validation; (o) PDF generation; (p) email sending; (q) SMS delivery attempts for customer-facing quote links; (r) user-confirmed manual copy-link sending records; (s) inbound email processing; (t) attachment processing; (u) malware or antivirus scanning where applicable; (v) customer-facing page display; (w) reminder generation; (x) export; (y) backup; (z) logging; (aa) audit history maintenance; (bb) limited operational event processing where necessary to provide, secure, support or maintain the Service; (cc) deletion; (dd) anonymisation; and (ee) security monitoring.
4. Purpose of processing The purpose of processing is to provide, operate, secure, maintain and support Joqiva, including: (a) user authentication; (b) workspace access; (c) workspace isolation; (d) enquiry management; (e) job management; (f) quote management; (g) customer quote pages; (h) quote view, question, acceptance and decline records; (i) invoice management; (j) customer invoice pages; (k) bank transfer instruction display; (l) payment tracking workflow; (m) payment reports; (n) owner confirmation; (o) overdue invoice status; (p) reminders; (q) email processing; (r) customer-facing quote link delivery by email, SMS, or user-confirmed manual sharing; (s) inbound email parsing; (t) attachment storage and scanning; (u) PDF generation; (v) file storage; (w) limited-access document and file links; (x) AI-assisted draft extraction; (y) audit logs; (z) exports; (aa) support; (bb) security, abuse prevention and incident response; (cc) limited operational analytics where necessary to provide, secure, support or maintain the Service; and (dd) maintaining and improving the reliability, security and functionality of the Service as part of Service delivery. 5. Categories of data subjects Customer Personal Data may relate to: (a) Customer workspace owners; (b) Customer administrators; (c) Customer staff; (d) Customer contractors; (e) Customer invited users; (f) End Customers; (g) prospective End Customers; (h) homeowners; (i) tenants; (j) customer contacts; (k) invoice recipients; (l) quote recipients; (m) payers; (n) supplier contacts; (o) email senders; (p) email recipients; (q) people named in enquiries, jobs, quotes, invoices, files, emails or attachments; (r) representatives of businesses; and (s) other individuals whose personal data is submitted to or generated in the Service by the Customer.
6. Categories of personal data Customer Personal Data may include: (a) names; (b) business names; (c) job titles; (d) email addresses; (e) phone numbers; (f) addresses; (g) service addresses; (h) billing addresses; (i) quote details; (j) job descriptions; (k) job notes; (l) customer notes; (m) invoice details; (n) invoice items; (o) quote items; (p) payment status; (q) payment reports; (r) "I've paid" confirmations; (s) payment evidence or payment proof files; (t) quote acceptance records; (u) quote decline records; (v) quote question records; (w) document view records; (x) bank transfer instructions; (y) bank account name; (z) sort code; (aa) account number; (bb) IBAN where used; (cc) payment reference; (dd) VAT or tax information where submitted by the Customer; (ee) email content; (ff) email subject lines; (gg) email attachments; (hh) SMS message content required to deliver customer-facing quote links; (ii) SMS delivery status metadata; (jj) files; (kk) PDFs; (ll) images or documents uploaded by the Customer or End Customer; (mm) IP addresses; (nn) timestamps; (oo) device and browser information; (pp) access logs; (qq) audit logs; (rr) integration and operational event records; (ss) operational task records; (tt) support-related information submitted by the Customer; (uu) source text and validated AI-assisted draft output where enabled; (vv) AI usage metadata where enabled; (ww) limited operational event metadata where the event relates to Customer Personal Data; and (xx) other personal data submitted to or generated in the Service by the Customer. 7. Special categories of data The Service is not designed for systematic processing of special category data. Special category data may be processed only if incidentally submitted by the Customer or End Customer, or if the Customer has a lawful basis and appropriate safeguards. The Customer is responsible for avoiding unnecessary special category data and for ensuring that any such processing is lawful.
8. Criminal offence data The Service is not designed for processing criminal offence data. The Customer must not submit criminal offence data unless the processing is lawful, necessary and expressly permitted under the Customer's own compliance framework. 9. Children's data The Service is not intended for use by children. The Customer must not intentionally submit children's data unless the processing is lawful, necessary and appropriate for the Customer's business use case. 10. Controller rights and obligations The Customer has the rights and obligations set out in this DPA, the Terms of Service and Applicable Data Protection Laws, including the right to give documented instructions, request assistance, object to Subprocessor changes, request return or deletion, and request compliance information or audits as described in this DPA.

Annex 2: Technical and Organisational Measures

1. Security governance Joqiva maintains technical and organisational measures designed to protect Customer Personal Data in a manner appropriate to the risk, taking into account the nature, scope, context and purposes of processing. Joqiva may update these measures from time to time, provided that updates do not materially reduce the overall level of protection for Customer Personal Data. 2. Confidentiality and personnel access Joqiva limits access to Customer Personal Data to authorised personnel, contractors and approved service providers who need access for the purposes of providing, securing, supporting or maintaining the Service. Authorised personnel and contractors are subject to confidentiality obligations or an appropriate duty of confidentiality. 3. Authentication and account access Joqiva uses authentication and account access controls appropriate to the Service configuration. These may include secure session handling, supported login methods, account recovery controls, access checks before workspace access is granted, and monitoring for suspicious authentication activity where appropriate. 4. Authorisation and customer-environment separation Joqiva uses authorisation controls designed to restrict access to Customer Personal Data according to workspace membership, user roles, permissions and access rules. Joqiva uses logical controls designed to separate customer environments and reduce the risk of unauthorised cross-customer access. 5. Storage and file access controls Joqiva uses access controls designed to restrict access to files, PDFs, attachments and workspace records to authorised users and intended recipients. Where files or documents are made available through links, Joqiva uses limited-access or time-limited access methods where appropriate. 6. Encryption and transport protection Joqiva uses encrypted transport, such as HTTPS/TLS or equivalent protection, where appropriate for data transmitted over public networks. Joqiva relies on appropriate infrastructure, database, storage and service-provider controls for protection of stored data, and may apply additional application-level protections where appropriate.
7. Application and service security Joqiva uses application-level controls designed to protect the Service against common abuse, unauthorised access and misuse. These may include input validation, permission checks, abuse-prevention controls, security logging, restricted access to operational systems and secure credential handling. 8. Email, SMS and attachment security Where email, SMS or attachment processing is enabled, Joqiva uses controls designed to reduce communication-related security risks. These may include attachment handling controls, malware-prevention measures where appropriate, access restrictions for attachments, email and SMS delivery event logging, abuse monitoring for communication features and steps to reduce unnecessary exposure of Customer Personal Data in communication logs. 9. AI-assisted processing controls Where AI-assisted features are enabled, Joqiva uses controls designed to limit AI-assisted processing to the relevant feature and to reduce unnecessary disclosure of Customer Personal Data. These may include provider review, data minimisation, limiting submitted content to what is needed for the feature, operational logging, Customer review of AI-assisted output and disclosure of approved AI service providers on the Subprocessors page where required. 10. Logging, monitoring and incident response Joqiva maintains operational logs and monitoring designed to support security, reliability, troubleshooting, abuse prevention and incident response. Joqiva maintains a process for triage, investigation, escalation and notification of Personal Data Breaches under this DPA. 11. Backups and restoration Joqiva may maintain backups to support resilience and recovery. Backup measures may include backup access restrictions, backup retention limits, deletion cycles, restore procedures and protection of backup data from ordinary Service use before deletion.
12. Administrative access Joqiva restricts administrative access to personnel and contractors who need it for authorised purposes. Administrative access may be subject to access controls, access logging, separation of ordinary user and administrative operations where practical, and access removal when no longer needed. 13. Subprocessor controls Joqiva assesses approved Subprocessors that may process Customer Personal Data and requires appropriate contractual commitments. Subprocessor review may include: (a) processing purpose; (b) data categories; (c) security measures; (d) access controls; (e) confidentiality; (f) data locations; (g) transfer safeguards; (h) breach notification commitments; (i) retention and deletion commitments; and (j) vendor data processing terms. 14. Data minimisation Joqiva uses reasonable measures designed to limit Customer Personal Data processed by monitoring, support, analytics, AI, logging, billing and partner programme providers to what is necessary for the relevant purpose. Joqiva does not intentionally send Customer Personal Data to third-party providers unless needed for the Service, authorised by this DPA, disclosed in relevant legal documents, or otherwise lawful. 15. Operational records Joqiva maintains operational records where needed to provide, secure, support and operate the Service. Operational records should not intentionally contain passwords, full payment card details, raw secrets, unnecessary sensitive personal data or unnecessary Customer Personal Data. 16. Customer responsibilities The Customer remains responsible for Customer-side security, including user permissions, device security, email account security, passwords, credentials, bank detail review, lawful sharing of customer-facing links and appropriate use of the Service.
17. Limitations No technical and organisational measures can guarantee complete security, but Joqiva will maintain measures appropriate to the risk and the nature of the Service.

Annex 3: Retention Schedule

1. General principle Customer Personal Data is retained according to product functionality, Customer instructions, workspace status, this DPA, the Terms of Service and applicable law. 2. Active and Read-Only Mode workspaces Customer, job, quote and invoice data is generally kept while the workspace is active or in Read-Only Mode. Inactive or Read-Only Mode workspaces are not automatically deleted solely because a trial or subscription has ended, unless Joqiva states otherwise, the Customer requests deletion, or deletion is required for legal, security, abuse prevention or operational reasons. 3. Deletion requests After a valid deletion request for an account or workspace, Joqiva will delete or anonymise relevant Customer Personal Data within 90 days where legally and technically possible. Joqiva may retain Customer Personal Data after a deletion request only as described in this DPA. 4. Archive and cancellation Archive and cancellation are not the same as deletion. A quote, invoice, payment record, payment report, acceptance record, audit record or other retained business record may be archived, cancelled or hidden from active views while still being stored. Normal workspace user actions may not hard-delete retained business records where retention is required or appropriate for accounting, audit, tax, legal, security, support or dispute reasons.
5. Standard retention periods The following standard retention periods may apply: (a) customer, job, quote and invoice data: kept while the workspace is active or in Read-Only Mode; (b) invoices, invoice items, quotes, payment workflow records, payment reports, quote acceptances and audit-relevant business history: 6 years where retained as part of workspace history, accounting, audit or legal records; (c) VAT/accounting-relevant records: 6 years; (d) files, PDFs and payment proofs: kept with the corresponding workspace, job or document data; (e) email messages and inbound emails: kept with the corresponding workspace or job data; (f) email events and delivery logs: up to 24 months; (g) SMS delivery status metadata: up to 24 months; (h) integration and operational event logs: up to 24 months; (i) operational task records: up to 24 months; (j) audit logs: 6 years for audit-relevant history; (k) document view records: kept with the corresponding workspace, quote, invoice or audit history where needed for security, audit, support or legal reasons; (l) exports: up to 30 days; (m) backups: up to 90 days; (n) inactive or Read-Only Mode workspaces: not automatically deleted solely because the trial or subscription has ended; (o) deleted or cancelled accounts: deleted or anonymised within 90 days except for legal, tax, accounting, audit, dispute, security, fraud prevention and compliance records; and (p) limited operational event metadata: retained for up to 24 months unless a shorter period is configured or a longer period is required for security, legal, audit, dispute, fraud prevention or compliance reasons. 6. Export files Export files may be retained for up to 30 days and may then be deleted. The Customer is responsible for downloading and preserving exports. Export cleanup must not delete the underlying workspace data. 7. Backups Backups may be retained for up to 90 days. Backup deletion may occur on the next scheduled backup deletion cycle. Backup data may be isolated, protected and not used for ordinary Service operation before deletion.
8. Support and security records Support records, security records and abuse prevention records may be retained according to the Privacy Policy, this DPA and the Terms of Service, especially where needed for security, dispute, legal, audit or compliance purposes. 9. Longer retention Retention periods may be longer where required or permitted by law, court order, regulator, dispute, investigation, security incident, fraud prevention need, audit need or legal claim. 10. Anonymisation Joqiva may anonymise Customer Personal Data instead of deleting it where lawful and technically appropriate. Anonymised data is not Customer Personal Data if it no longer identifies and cannot reasonably be used to identify an individual.

Annex 4: International Transfer Details

1. Purpose of this Annex This Annex provides transfer details for Restricted Transfers involving Customer Personal Data, including transfers from the United Kingdom to Joqiva in Ukraine and onward transfers to approved Subprocessors. This Annex is intended to support the UK IDTA, UK Addendum, EU Standard Contractual Clauses or another lawful transfer mechanism where required. 2. UK-to-Ukraine transfers Where UK-regulated Customer Personal Data is transferred or made accessible from the United Kingdom to Joqiva in Ukraine, and no UK adequacy regulation applies, the parties agree to use the UK IDTA or another valid transfer mechanism. 3. Exporter The exporter is the Customer. Role: Controller, unless the Customer is itself acting as processor for a third party. Exporter contact: The Customer's account owner, workspace owner, billing contact, or other contact details provided in the Customer's Joqiva account. 4. Importer The importer is: FOP Mykola Marchuk Mykolaiovych, an individual entrepreneur registered in Ukraine, trading as Joqiva. Current legal entity, registered business address, correspondence address and contact details are incorporated by reference from the Legal Notice. Role: Processor. 5. Transfer relationship Controller to processor, unless the Customer is itself a processor, in which case the transfer may be processor to subprocessor. 6. Linked agreement The linked agreement is: (a) the Joqiva Terms of Service; (b) this DPA; (c) the Joqiva Subprocessors page; (d) the Joqiva Privacy Policy where relevant; (e) the Joqiva AI Processing Notice where relevant; and (f) any applicable order form or written agreement between Joqiva and the Customer. 7. Description of transferred data Transferred Customer Personal Data is described in Annex 1. 8. Categories of data subjects Categories of data subjects are described in Annex 1.
9. Purpose of transfer The purpose of transfer is to provide, operate, secure, support and maintain the Service, including the purposes described in Annex 1. 10. Frequency of transfer Transfers may occur continuously or periodically during the Customer's use of the Service. Transfers may occur when: (a) users access the Service; (b) Customer Data is submitted; (c) Customer Data is stored; (d) Customer Data is accessed for support or security; (e) emails are processed; (f) files are uploaded; (g) customer-facing pages are accessed; (h) AI-assisted features are used; (i) exports are generated; (j) backups are maintained; (k) incidents are investigated; or (l) Subprocessors provide services. 11. Retention of transferred data Retention is described in Annex 3. 12. Technical and organisational measures Technical and organisational measures are described in Annex 2. 13. Subprocessors Approved Subprocessors and provider categories are listed on the Subprocessors page. 14. Onward transfers Joqiva may make onward transfers to approved Subprocessors where necessary to provide the Service. Where required, Joqiva will use an appropriate transfer mechanism for onward Restricted Transfers. 15. Transfer risk assessment and data protection test Where required, the party responsible for the Restricted Transfer will carry out, maintain or rely on an appropriate transfer risk assessment, data protection test or equivalent assessment for the relevant Restricted Transfer. Joqiva will provide reasonable information available to it to support that assessment. The Customer acknowledges that Joqiva may provide transfer information through this DPA, the Subprocessors page, security summaries, vendor information and reasonable support responses.
16. Supplementary measures Supplementary measures may include, as applicable: (a) access controls; (b) customer-environment separation; (c) limited-access document and file links; (d) authentication controls; (e) authorisation controls; (f) encryption in transit; (g) provider security controls for hosted data; (h) application-level protection for sensitive stored fields where implemented; (i) restricted administrative access; (j) administrative access logging; (k) confidentiality obligations; (l) Subprocessor contracts; (m) data minimisation; (n) backup controls; (o) security monitoring; (p) incident response procedures; and (q) deletion or anonymisation procedures. 17. UK IDTA incorporation For UK-to-Ukraine Restricted Transfers where the UK IDTA is used, the parties incorporate the UK IDTA into this DPA. The information required by the UK IDTA Part 1 Tables is provided by this Annex, Annex 1, Annex 2, Annex 3, the Subprocessors page and the Legal Notice. The parties incorporate the UK IDTA Part 4 Mandatory Clauses by reference using the following wording: "Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses." 18. UK Addendum incorporation Where the UK Addendum is used with the EU Standard Contractual Clauses for a UK-regulated Restricted Transfer, the parties incorporate the UK Addendum into this DPA. The parties incorporate the UK Addendum Part 2 Mandatory Clauses by reference using the following wording: "Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses." 19. 
EU Standard Contractual Clauses Where EU GDPR applies and the EU Standard Contractual Clauses are required: (a) Module Two applies where the Customer is controller and Joqiva is processor; (b) Module Three applies where the Customer is processor and Joqiva is subprocessor; (c) Annex 1 provides processing and data transfer details; (d) Annex 2 provides technical and organisational measures; (e) Subprocessors page provides approved Subprocessor information; (f) the EU Standard Contractual Clauses prevail for the relevant transfer if there is a conflict; (g) for Module Two and Module Three, the optional docking clause applies only where the parties expressly agree in writing; (h) for Clause 9 of the EU Standard Contractual Clauses, general written authorisation for Subprocessors applies, with the Subprocessor notice and objection process described in Section 12 of this DPA; (i) for Clause 11 of the EU Standard Contractual Clauses, the optional redress language does not apply unless the parties expressly agree otherwise; (j) for Clause 17 of the EU Standard Contractual Clauses, the governing law will be the law of Ireland unless another EU Member State law is stated in an Order Form or transfer document; (k) for Clause 18 of the EU Standard Contractual Clauses, the courts will be the courts of Ireland unless another EU Member State forum is stated in an Order Form or transfer document; and (l) the competent supervisory authority will be the supervisory authority determined under Clause 13 of the EU Standard Contractual Clauses. 20. Automatic updates Where the applicable transfer mechanism allows the parties to adopt an updated mandatory version automatically, the parties choose to adopt updated mandatory transfer clauses to the extent permitted by that mechanism, unless Joqiva states otherwise in an update notice or the parties agree otherwise. This clause does not permit Joqiva to amend mandatory transfer clauses in a way that reduces required protections. 21. 
Signable transfer documents If a Customer reasonably requires a standalone UK IDTA, UK Addendum, EU Standard Contractual Clauses or equivalent transfer document, the Customer may request it using the privacy or legal contact listed in the Legal Notice. Joqiva will review the request in good faith and provide a reasonable transfer document where required by Applicable Data Protection Laws.