Data processing addendum
Summary:
This summary has no legal effect. The formal text below governs.
This addendum applies whenever Cosmos handles personal data on behalf of a business client rather than for its own purposes. In that situation the client decides why and how the data is used, and Cosmos acts only on the client's documented instructions. The addendum sets out what Cosmos must do: keep the data confidential, protect it with appropriate security, use only approved suppliers, help the client answer requests from individuals, help with impact assessments, and tell the client quickly if there is a data breach. Cosmos will notify the client of a breach without undue delay and in any event within 72 hours of becoming aware of it. When the engagement ends, Cosmos will return or delete the data. The addendum also explains how personal data may lawfully move between countries, using recognised legal transfer tools. It gives the client a right to audit, with sensible limits. Four annexes record the practical detail: what processing happens, the security measures in place, the approved suppliers, and the transfer mechanisms. Annex 3 sets out the full categorised list of approved sub-processors, showing for each supplier what it does, where it processes data, and the transfer mechanism that protects any cross-border flow, together with the process for notifying clients of changes. Read this addendum together with the Privacy page.
1. Interpretation and scope
1.1 Parties and structure
1.1.1 This data processing addendum (this Addendum) is entered into between Sirius Consulting FZCO, a free zone company established in the United Arab Emirates and trading as Cosmos (trade licence number 43190, registered office The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates), together with its Affiliates engaged in the relevant Processing (Cosmos, the Cosmos Group, we, us, our, meaning Sirius Consulting FZCO together with its Affiliates), and the business client identified in the Underlying Agreement (the Controller, Client, you, your).
1.1.2 The Cosmos entity that acts as Processor under this Addendum is Sirius Consulting FZCO.
1.1.3 Cosmos and the Controller are each a party and together the parties.
1.1.4 This Addendum is a standalone template. It takes effect, and forms part of the Underlying Agreement, on the earlier of the date on which it is signed by both parties and the date on which the Controller first instructs Cosmos to Process Personal Data on its behalf.
1.2 Relationship with the Underlying Agreement
1.2.1 The Underlying Agreement means the agreement between the parties under which Cosmos provides the Services to the Controller, whether described as a master services agreement, a statement of work, an order form, a website terms of engagement, or otherwise.
1.2.2 This Addendum supplements the Underlying Agreement and does not replace it. Where the Underlying Agreement is the Master Services Agreement governing access to the Platform, this Addendum forms a schedule to that agreement.
1.2.3 In the event of a conflict between this Addendum and the remainder of the Underlying Agreement on a matter of data protection, this Addendum prevails. In the event of a conflict between this Addendum and the EU SCCs, the UK Addendum, or the UK IDTA where any of them applies, the relevant transfer instrument prevails to the extent of the conflict, save that nothing in a transfer instrument reduces the security or notification obligations of Cosmos below the standard set out in this Addendum.
1.2.4 Except as expressly varied by this Addendum, the Underlying Agreement remains in full force.
1.3 Purpose and Article 28 compliance
1.3.1 This Addendum records the parties' agreement on the Processing of Personal Data by Cosmos as Processor on behalf of the Controller, and is intended to constitute a binding legal act for the purposes of Article 28(3) of the EU GDPR and Article 28(3) of the UK GDPR.
1.3.2 Where the Processing is subject to the UAE PDPL, the ADGM DP Regulations, or the PDPA, this Addendum is intended to satisfy the equivalent contractual requirements of those regimes, and the obligations of Cosmos are construed so as to give effect to the most protective applicable standard.
1.4 Definitions
1.4.1 In this Addendum, capitalised terms have the meanings given in this clause 1.4 and in the master definitions used across the Cosmos legal suite. Where a term is defined in both, the meaning in this clause 1.4 prevails for the purposes of this Addendum.
1.4.2 Affiliate means, in relation to any entity, any other entity that directly or indirectly Controls, is Controlled by, or is under common Control with, that entity, where Control means the ownership of more than fifty per cent of the voting securities or the power to direct the management and policies of an entity whether through ownership of voting securities, by contract, or otherwise.
1.4.3 Applicable Data Protection Law means all data protection and privacy laws applicable to the Processing of Personal Data under this Addendum, including the UAE PDPL, the ADGM DP Regulations, the EU GDPR, the UK GDPR, the DPA 2018, PECR, and the PDPA, in each case as amended, supplemented, or replaced from time to time, and including binding guidance and codes of practice issued by a competent Supervisory Authority.
1.4.4 Controller, Processor, Sub-processor, Data Subject, Personal Data, Personal Data Breach, Processing, and process bear the meanings given in the Applicable Data Protection Law, construed consistently across regimes. Where a regime uses a different label for an equivalent concept, that label is treated as included.
1.4.5 ADGM DP Regulations means the ADGM Data Protection Regulations 2021.
1.4.6 EU GDPR means Regulation (EU) 2016/679.
1.4.7 UK GDPR means the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
1.4.8 DPA 2018 means the UK Data Protection Act 2018.
1.4.9 PECR means the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.
1.4.10 PDPA means the Singapore Personal Data Protection Act 2012, as amended by the Personal Data Protection (Amendment) Act 2020.
1.4.11 UAE PDPL means UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its Executive Regulations once issued.
1.4.12 EU SCCs means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.4.13 UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the DPA 2018.
1.4.14 UK IDTA means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A of the DPA 2018.
1.4.15 Controller Personal Data means the Personal Data described in Annex 1 that Cosmos Processes on behalf of the Controller under this Addendum.
1.4.16 Restricted Transfer means a transfer of Controller Personal Data, or an onward transfer, that is subject to a transfer restriction or condition under the Applicable Data Protection Law and to which a transfer mechanism listed in clause 9 must be applied in order for the transfer to be lawful.
1.4.17 Services means the corporate services and compliance technology services provided by Cosmos to the Controller under the Underlying Agreement.
1.4.18 Supervisory Authority means an independent public authority or regulator with responsibility for monitoring the application of an Applicable Data Protection Law, including the UAE Data Office, the ADGM Office of Data Protection, the Information Commissioner's Office (the ICO), the relevant EU lead supervisory authority under the one-stop-shop mechanism, and the Personal Data Protection Commission of Singapore (the PDPC).
1.4.19 TOMs means the technical and organisational measures implemented by Cosmos and described in Annex 2.
1.5 Construction
1.5.1 The headings in this Addendum are for convenience only and do not affect its interpretation.
1.5.2 References to a clause or an Annex are to a clause of, or an Annex to, this Addendum, and the Annexes form an integral part of this Addendum.
1.5.3 A reference to a statute, regulation, or instrument is a reference to it as amended, extended, re-enacted, or replaced from time to time, and includes any subordinate legislation made under it.
1.5.4 The words "including", "include", and "in particular" are to be construed as illustrative and do not limit the words that precede them.
1.5.5 A reference to writing or written includes email but, for the avoidance of doubt, not fax.
2. Roles of the parties
2.1 Allocation of roles
2.1.1 For the Processing of Controller Personal Data under this Addendum, the Controller acts as Controller and Cosmos acts as Processor.
2.1.2 Where Cosmos engages a Sub-processor in accordance with clause 7, Cosmos remains the Processor and the Sub-processor acts as a further Processor on behalf of the Controller.
2.1.3 This Addendum does not apply to Processing in respect of which Cosmos acts as a Controller in its own right. The Processing for which Cosmos is a Controller, including the operation of the Website, the management of the client relationship, billing, compliance with its own legal obligations, and the security and improvement of its own systems, is described in the Privacy page and is not Processing on behalf of the Controller under this Addendum.
2.2 Controller responsibilities
2.2.1 The Controller warrants that, in relation to the Controller Personal Data and the instructions it gives to Cosmos, it has complied and will continue to comply with the Applicable Data Protection Law, including that it has a valid lawful basis for the Processing, has provided all required information to Data Subjects, and has obtained any consent that the Applicable Data Protection Law requires.
2.2.2 The Controller is responsible for the accuracy, quality, and legality of the Controller Personal Data and of the means by which it acquired that Personal Data.
2.2.3 The Controller warrants that its instructions to Cosmos, including the instructions recorded in this Addendum and in Annex 1, will not cause Cosmos to infringe the Applicable Data Protection Law.
2.3 Cosmos responsibilities
2.3.1 Cosmos will Process the Controller Personal Data only as a Processor acting on behalf of the Controller, and in accordance with this Addendum, the Underlying Agreement, and the documented instructions of the Controller.
2.3.2 Cosmos is responsible for compliance with the obligations placed on it as a Processor by this Addendum and by the Applicable Data Protection Law.
3. Processing of Controller Personal Data
3.1 Documented instructions
3.1.1 Cosmos will Process the Controller Personal Data only on the documented instructions of the Controller, including with regard to a Restricted Transfer, unless Cosmos is required to Process the Controller Personal Data by a law to which Cosmos is subject.
3.1.2 The documented instructions of the Controller at the date of this Addendum are set out in this Addendum and in Annex 1. The Controller may give further instructions in writing during the term, provided that those instructions are consistent with the Underlying Agreement and the Applicable Data Protection Law.
3.1.3 If Cosmos is required by a law to which it is subject to Process the Controller Personal Data otherwise than in accordance with the Controller's instructions, Cosmos will, before carrying out the Processing, inform the Controller of that legal requirement, unless that law prohibits the giving of that information on important grounds of public interest.
3.1.4 Cosmos will inform the Controller without undue delay if, in its opinion, an instruction of the Controller infringes the Applicable Data Protection Law. Cosmos is not obliged to carry out a review of the lawfulness of the Controller's instructions, and the giving of such information does not transfer to Cosmos any responsibility that rests with the Controller.
3.2 Subject matter, duration, nature, and purpose
3.2.1 The subject matter of the Processing, its duration, its nature, and its purpose are set out in Annex 1.
3.2.2 The duration of the Processing is the term of the Underlying Agreement, together with any further period during which Cosmos retains the Controller Personal Data in accordance with clause 11 and Annex 1.
3.3 Types of Personal Data and categories of Data Subject
3.3.1 The types of Personal Data Processed under this Addendum and the categories of Data Subject to whom that Personal Data relates are set out in Annex 1.
3.3.2 The Controller will not instruct Cosmos to Process, and will use reasonable endeavours not to submit to Cosmos, any special category Personal Data or Personal Data relating to criminal convictions and offences except where Annex 1 expressly records that such Personal Data is in scope and records the additional safeguards that apply.
3.4 Compliance with Applicable Data Protection Law
3.4.1 Each party will comply with the Applicable Data Protection Law in the performance of its obligations under this Addendum.
3.4.2 Nothing in this Addendum relieves either party of its own direct obligations and liabilities under the Applicable Data Protection Law.
4. Confidentiality and personnel
4.1 Confidentiality undertakings
4.1.1 Cosmos will treat the Controller Personal Data as confidential information of the Controller.
4.1.2 Cosmos will ensure that any individual authorised by Cosmos to Process the Controller Personal Data has committed to a binding obligation of confidentiality, whether contractual or statutory, in respect of that Personal Data.
4.1.3 The obligation of confidentiality in this clause 4.1 survives the termination of this Addendum.
4.2 Limitation of access
4.2.1 Cosmos will ensure that access to the Controller Personal Data is limited to those personnel who need access in order to perform the Underlying Agreement.
4.2.2 Cosmos will ensure that personnel with access to the Controller Personal Data are reliable, are subject to appropriate background screening where lawful and proportionate, and receive training on their data protection obligations appropriate to their role.
5. Security
5.1 Security commensurate with Article 32
5.1.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Cosmos will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, consistent with Article 32 of the EU GDPR and Article 32 of the UK GDPR.
5.1.2 The TOMs implemented by Cosmos at the date of this Addendum are described in Annex 2.
5.1.3 In assessing the appropriate level of security, Cosmos will take account in particular of the risks presented by the Processing, especially the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Controller Personal Data transmitted, stored, or otherwise Processed.
5.2 Maintenance and improvement of measures
5.2.1 Cosmos may update or modify the TOMs from time to time, provided that any such update or modification does not result in a material reduction of the overall level of security provided to the Controller.
5.2.2 Cosmos will keep the TOMs under review and will update them as required to address evolving threats and to maintain compliance with the Applicable Data Protection Law.
5.3 Restoration and resilience
5.3.1 Cosmos will maintain the ability to restore the availability of and access to the Controller Personal Data in a timely manner in the event of a physical or technical incident, and will maintain processes for regularly testing, assessing, and evaluating the effectiveness of the TOMs.
6. Assistance to the Controller
6.1 Data Subject requests
6.1.1 Cosmos will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from a Data Subject exercising rights under the Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
6.1.2 If Cosmos receives a request from a Data Subject in relation to the Controller Personal Data, Cosmos will not respond to that request itself, except on the documented instructions of the Controller or as required by a law to which Cosmos is subject, and will instead promptly notify the Controller of the request and direct the Data Subject to the Controller where appropriate.
6.1.3 The Controller will respond to a Data Subject request within the period required by the Applicable Data Protection Law, being one month under the EU GDPR and the UK GDPR (extendable by two further months where permitted), 30 days under the PDPA, and 30 days under the UAE PDPL. Cosmos will provide its assistance under clause 6.1.1 within a timeframe that allows the Controller to meet the applicable period, provided the Controller makes its request to Cosmos promptly.
6.2 Data protection impact assessments and prior consultation
6.2.1 Cosmos will, taking into account the nature of the Processing and the information available to it, assist the Controller in ensuring compliance with the Controller's obligations relating to data protection impact assessments and to prior consultation with a Supervisory Authority, as set out in Articles 35 and 36 of the EU GDPR and the equivalent provisions of the other Applicable Data Protection Law.
6.2.2 The assistance under clause 6.2.1 is limited to the Processing carried out by Cosmos under this Addendum and to information that is within the knowledge or reasonable control of Cosmos.
6.3 Security and breach assistance
6.3.1 Cosmos will assist the Controller in ensuring compliance with the obligations relating to the security of Processing and to the notification of a Personal Data Breach to a Supervisory Authority and to affected Data Subjects, as set out in Articles 32 to 34 of the EU GDPR and the equivalent provisions of the other Applicable Data Protection Law.
6.4 Charges for assistance
6.4.1 Cosmos will provide the assistance described in this clause 6 at no additional charge where the assistance is reasonably required for the Controller to meet its compliance obligations and the volume of requests is consistent with normal use of the Services.
6.4.2 Where assistance is required on a scale, frequency, or complexity that materially exceeds normal use, Cosmos may charge the Controller its reasonable costs of providing that assistance, calculated on a time-and-materials basis at Cosmos's then-current standard rates, provided that Cosmos notifies the Controller of the anticipated charges before incurring them and gives the Controller the opportunity to refine its request.
7. Sub-processors
7.1 General authorisation
7.1.1 The Controller grants Cosmos a general written authorisation to engage Sub-processors to Process the Controller Personal Data, subject to the conditions in this clause 7.
7.1.2 The Sub-processors engaged by Cosmos at the date of this Addendum are listed in Annex 3 (Approved sub-processors).
7.2 Notification of changes and right to object
7.2.1 Cosmos will inform the Controller of any intended change concerning the addition or replacement of a Sub-processor, thereby giving the Controller the opportunity to object to that change.
7.2.2 Cosmos will give the Controller at least 30 days' prior written notice of the intended addition or replacement of a Sub-processor before that Sub-processor begins to Process the Controller Personal Data. Notice may be given by email to the Controller's nominated contact, by an update to Annex 3 (Approved sub-processors) combined with a notification mechanism to which the Controller has subscribed, or by another written means agreed between the parties.
7.2.3 The Controller may object to the addition or replacement of a Sub-processor on reasonable data protection grounds by giving Cosmos written notice of its objection, with reasons, within the 30-day notice period.
7.2.4 If the Controller objects in accordance with clause 7.2.3, the parties will work together in good faith for a period of 30 days from the date of the objection to find a commercially reasonable resolution that addresses the Controller's objection, which may include Cosmos not appointing the proposed Sub-processor in respect of the Controller Personal Data, Cosmos making available an alternative Sub-processor or configuration, or the Controller agreeing additional safeguards.
7.2.5 If the parties are unable to reach a resolution within the 30-day period under clause 7.2.4, the Controller may, as its sole and exclusive remedy, terminate the part of the Underlying Agreement that cannot be performed without the proposed Sub-processor by giving Cosmos written notice. Where that part cannot reasonably be severed from the remainder, the Controller may terminate the Underlying Agreement as a whole. Termination under this clause 7.2.5 takes effect at the end of a notice period that is reasonable in the circumstances, and the Controller will be entitled to a pro rata refund of any fees paid in advance for Services not yet provided as at the effective date of termination.
7.2.6 Where Cosmos reasonably considers that the appointment of a new Sub-processor is required urgently to maintain the security or continuity of the Services, Cosmos may appoint that Sub-processor on shorter notice, provided that Cosmos notifies the Controller as soon as reasonably practicable and the Controller retains the right to object under clause 7.2.3 and the consequences in clauses 7.2.4 and 7.2.5 apply.
7.3 Sub-processor terms
7.3.1 Where Cosmos engages a Sub-processor, Cosmos will impose on that Sub-processor, by a written contract, data protection obligations that are no less protective than those imposed on Cosmos by this Addendum, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing meets the requirements of the Applicable Data Protection Law.
7.3.2 Where a Sub-processor is engaged for Processing that involves a Restricted Transfer, Cosmos will ensure that an appropriate transfer mechanism under clause 9 is in place between Cosmos and the Sub-processor.
7.3.3 Cosmos will carry out reasonable due diligence on a prospective Sub-processor before engaging it, in order to satisfy itself that the Sub-processor is capable of meeting the obligations referred to in clause 7.3.1.
7.4 Liability for Sub-processors
7.4.1 Where a Sub-processor fails to fulfil its data protection obligations, Cosmos remains fully liable to the Controller for the performance of that Sub-processor's obligations, subject to the limitations and exclusions of liability in clause 12.
7.5 Replacement obligations
7.5.1 If a Sub-processor ceases to provide adequate guarantees in respect of the protection of the Controller Personal Data, or materially breaches its data protection obligations, Cosmos will take reasonable steps to remedy the position, which may include the replacement of that Sub-processor with a Sub-processor that provides adequate guarantees, and clause 7.2 applies to any such replacement save that Cosmos may give shorter notice where required to protect the Controller Personal Data.
8. Personal Data Breach
8.1 Notification to the Controller
8.1.1 Cosmos will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting the Controller Personal Data.
8.1.2 For the purposes of clause 8.1.1, Cosmos becomes aware of a Personal Data Breach when it has a reasonable degree of certainty that a security incident has occurred that has led to a Personal Data Breach affecting the Controller Personal Data.
8.2 Content of the notification
8.2.1 The notification under clause 8.1.1 will, to the extent the information is available to Cosmos at the time of notification, describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken by Cosmos to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects.
8.2.2 Where, and insofar as, it is not possible to provide all of the information referred to in clause 8.2.1 at the same time, the information may be provided in phases without further undue delay, and Cosmos will provide updates to the Controller as further information becomes available.
8.3 Cooperation and remediation
8.3.1 Cosmos will cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of a Personal Data Breach.
8.3.2 Cosmos will document each Personal Data Breach affecting the Controller Personal Data, including the facts relating to it, its effects, and the remedial action taken, and will make that documentation available to the Controller on reasonable request.
8.3.3 Cosmos will not make any public statement or notification to a Supervisory Authority or to Data Subjects that identifies the Controller in connection with a Personal Data Breach without the prior written consent of the Controller, unless and to the extent that Cosmos is required to do so by a law to which it is subject.
9. International transfers
9.1 General principle
9.1.1 Cosmos will not carry out a Restricted Transfer of the Controller Personal Data unless a transfer mechanism recognised by the relevant Applicable Data Protection Law is in place for that transfer, or an exemption or derogation lawfully applies.
9.1.2 The transfer mechanisms applicable to the Processing under this Addendum are recorded in Annex 4.
9.2 EU SCCs
9.2.1 Where the EU GDPR applies to a Restricted Transfer, the EU SCCs are incorporated into this Addendum by reference and apply to that transfer.
9.2.2 Where the Controller acts as a Controller and Cosmos acts as a Processor, Module Two (controller to processor) of the EU SCCs applies. Where the Controller is itself a Processor acting on behalf of a third party controller and Cosmos acts as a Processor, Module Three (processor to processor) of the EU SCCs applies.
9.2.3 For the purposes of the EU SCCs that are incorporated under this clause 9.2:
9.2.3.1 in Clause 7 (the docking clause), the optional docking clause applies;
9.2.3.2 in Clause 9 (use of sub-processors), Option 2 (general written authorisation) applies, and the minimum period for prior notice of changes concerning the addition or replacement of Sub-processors is 30 days, consistent with clause 7.2.2 of this Addendum;
9.2.3.3 in Clause 11 (redress), the optional independent dispute resolution body language does not apply;
9.2.3.4 in Clause 17 (governing law), the EU SCCs are governed by the law of the Republic of Ireland;
9.2.3.5 in Clause 18 (choice of forum and jurisdiction), disputes are to be resolved before the courts of the Republic of Ireland;
9.2.3.6 the dates, parties, descriptions, competent supervisory authority, technical and organisational measures, and Sub-processor details required by the Appendix to the EU SCCs are populated by Annexes 1, 2, 3, and 4 of this Addendum, which the parties agree are incorporated into and form the Appendix to the EU SCCs.
9.2.4 The rationale for the option selections in clause 9.2.3 is recorded in Annex 4 so that the basis of each selection is transparent and auditable.
9.3 UK transfers
9.3.1 Where the UK GDPR applies to a Restricted Transfer, the parties will give effect to that transfer by means of either the UK IDTA or the EU SCCs as supplemented by the UK Addendum, in each case as recorded in Annex 4.
9.3.2 Where the UK Addendum applies, it is incorporated into this Addendum by reference, and the EU SCCs referred to in clause 9.2 are read as varied by the UK Addendum, with Tables 1 to 3 of the UK Addendum populated by the corresponding details in Annexes 1 to 4 and Table 4 specifying that the Importer may end the UK Addendum as set out in the UK Addendum.
9.3.3 Where the UK IDTA applies, it is incorporated into this Addendum by reference, with its tables populated by the corresponding details in Annexes 1 to 4.
9.4 Singapore transfers
9.4.1 Where the PDPA applies to a transfer of the Controller Personal Data outside Singapore, Cosmos will ensure that the transferred Personal Data receives a standard of protection comparable to that under the PDPA, by means of legally enforceable obligations on the recipient consistent with the prescribed contractual protections under the Personal Data Protection Regulations 2021 of Singapore.
9.4.2 The prescribed contractual protections required under clause 9.4.1 are recorded in, or incorporated by reference into, Annex 4, and where the EU SCCs or the UK IDTA already apply to the same transfer, the parties agree that those instruments, taken together with this Addendum, are intended to satisfy the comparable standard of protection required by the PDPA.
9.5 UAE transfers
9.5.1 Where the UAE PDPL applies to a transfer of the Controller Personal Data outside the United Arab Emirates, Cosmos will ensure that the transfer is made only to a jurisdiction that provides an adequate level of protection, or, in the absence of adequacy, on the basis of an appropriate safeguard or a permitted exception under the UAE PDPL, including a contractual undertaking by the recipient to comply with the UAE PDPL.
9.5.2 The applicable UAE data protection regime for Cosmos's own Processing is the UAE PDPL. The ADGM DP Regulations do not apply to Cosmos's own Processing. Where a Sub-processor or other recipient is a regulated partner whose Processing is subject to the ADGM DP Regulations, any equivalent transfer protections required under those Regulations are recorded in Annex 4.
9.6 Supplementary measures
9.6.1 Where a transfer risk assessment indicates that a transfer mechanism alone does not ensure an adequate level of protection in the circumstances of a particular Restricted Transfer, Cosmos will, in cooperation with the Controller, identify and implement supplementary technical, contractual, or organisational measures, and will record those measures in Annex 4 or in a separate written record made available to the Controller.
10. Audit and information
10.1 Information obligation
10.1.1 Cosmos will make available to the Controller all information necessary to demonstrate compliance with the obligations of a Processor under the Applicable Data Protection Law and under this Addendum.
10.2 Audit rights
10.2.1 Cosmos will allow for and contribute to audits, including inspections, conducted by the Controller or by an auditor mandated by the Controller, in relation to the Processing of the Controller Personal Data by Cosmos.
10.2.2 An audit under clause 10.2.1 is subject to the following conditions:
10.2.2.1 the Controller may carry out an audit no more than once in any twelve-month period, save where an audit is required by a Supervisory Authority or follows a Personal Data Breach affecting the Controller Personal Data, in which case an additional audit is permitted;
10.2.2.2 the Controller will give Cosmos at least 30 days' prior written notice of an audit, unless a shorter period is required by a Supervisory Authority;
10.2.2.3 an audit will be conducted during Cosmos's normal business hours, in a manner that minimises disruption to Cosmos's business and to the data of its other clients;
10.2.2.4 the Controller and any auditor it mandates will, before the audit, enter into reasonable confidentiality undertakings in favour of Cosmos, and an auditor mandated by the Controller must not be a competitor of Cosmos;
10.2.2.5 the scope of an audit is limited to systems, premises, records, and personnel relevant to the Processing of the Controller Personal Data, and does not extend to information relating to other clients of Cosmos or to information the disclosure of which would place Cosmos in breach of a duty of confidentiality or a legal obligation owed to a third party;
10.2.2.6 the Controller will bear its own costs of an audit and will reimburse Cosmos for the reasonable costs of Cosmos's personnel time and resources expended in supporting an audit, except where the audit reveals a material breach by Cosmos of this Addendum, in which case Cosmos bears its own costs.
10.3 Reliance on third party reports
10.3.1 In order to satisfy a request for information or for an audit under this clause 10, Cosmos may, to the extent reasonably sufficient to address the Controller's request, provide the Controller with a copy of, or reasonable access to, the most recent of any audit reports, certifications, or attestations that Cosmos holds, including a SOC 2 Type II report, an ISO/IEC 27001 certificate and statement of applicability, or an equivalent independent third party report or certification.
10.3.2 Where a report or certification under clause 10.3.1 reasonably addresses the substance of the Controller's information or audit request, the Controller will accept that report or certification in satisfaction of the request, and will only proceed to an on-site inspection where the report or certification does not reasonably address the request, or where an on-site inspection is required by a Supervisory Authority.
10.4 Findings
10.4.1 Where an audit identifies a deficiency in Cosmos's compliance with this Addendum, Cosmos will, at its own cost, take reasonable steps to remedy the deficiency within a reasonable period agreed with the Controller.
11. Return and deletion of Controller Personal Data
11.1 On termination
11.1.1 On the termination or expiry of this Addendum, or earlier on the written instruction of the Controller, Cosmos will, at the choice of the Controller, return all the Controller Personal Data to the Controller, or delete all the Controller Personal Data, and delete the existing copies, save to the extent that clause 11.2 applies.
11.1.2 The Controller will notify Cosmos of its choice under clause 11.1.1 no later than 30 days after the termination or expiry of this Addendum. If the Controller does not do so, Cosmos may delete the Controller Personal Data in accordance with clause 11.1.1.
11.1.3 Cosmos will complete the return or deletion under clause 11.1.1 within 90 days after the later of the termination or expiry of this Addendum and the receipt of the Controller's instruction, and will, on the written request of the Controller, certify in writing that it has done so.
11.2 Retention required by law
11.2.1 Cosmos may retain a copy of the Controller Personal Data to the extent, and for so long as, it is required to do so by a law to which it is subject, or for the establishment, exercise, or defence of legal claims, in which case Cosmos will inform the Controller of the retention, will retain the Controller Personal Data only for the purpose and period required, will continue to protect it in accordance with this Addendum, and will not actively Process it for any other purpose.
11.2.2 Controller Personal Data held in routine backup media that cannot reasonably be isolated for individual deletion will be deleted in the ordinary course of Cosmos's backup rotation. Until that deletion is complete, the Controller Personal Data held in backup media will be protected in accordance with this Addendum and will not be restored to active use.
12. Liability
12.1 Allocation aligned with the Underlying Agreement
12.1.1 The liability of each party arising out of or in connection with this Addendum is subject to, and counts towards, the exclusions and limitations of liability set out in the Underlying Agreement, and the parties agree that this Addendum and the Underlying Agreement together form a single agreement for the purpose of calculating any aggregate cap on liability.
12.1.2 Nothing in this Addendum, and nothing in the Underlying Agreement, limits or excludes the liability of either party for fraud, for fraudulent misrepresentation, for death or personal injury caused by its negligence, for wilful misconduct, or for any liability that cannot lawfully be limited or excluded.
12.2 Claims by Data Subjects and regulators
12.2.1 Where a transfer instrument incorporated under clause 9 confers on a Data Subject a right to compensation or otherwise allocates liability between the parties as data exporter and data importer, that allocation applies as between the parties for the Restricted Transfer to which the instrument relates, and as between the parties any payment made by one party in respect of damage caused jointly is subject to a right of contribution from the other party to the extent of that other party's responsibility for the damage.
12.3 Indemnity position
12.3.1 Neither party excludes or limits any indemnity expressly given in the Underlying Agreement, and this Addendum does not create any indemnity that is not expressly stated in the Underlying Agreement.
13. Term and termination
13.1 Term
13.1.1 This Addendum takes effect in accordance with clause 1.1.4 and continues in force for as long as Cosmos Processes the Controller Personal Data on behalf of the Controller.
13.2 Termination
13.2.1 This Addendum terminates automatically on the termination or expiry of the Underlying Agreement, save that the provisions of this Addendum that by their nature are intended to survive, including clauses 4, 8.3.2, 10, 11, 12, and 14, survive termination to the extent and for the period necessary to give them effect.
13.2.2 Termination of this Addendum does not affect the obligations of Cosmos under clause 11 in respect of the return and deletion of the Controller Personal Data.
14. General
14.1 Contact details
14.1.1 Queries relating to this Addendum, and notices under it, may be sent to Cosmos at privacy@cosmos.global, or to Cosmos's data protection officer at dpo@cosmos.global, or by post to The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates, marked for the attention of the data protection officer.
14.1.2 The Controller will keep Cosmos informed of the current contact details of the person nominated by the Controller to receive notices under this Addendum, including a notification under clause 8 and a Sub-processor change notice under clause 7.2.
14.2 Governing law and jurisdiction
14.2.1 This Addendum and any non-contractual obligations arising out of or in connection with it are governed by the law of the Abu Dhabi Global Market (ADGM). The ADGM Courts have non-exclusive jurisdiction to settle any dispute arising out of or in connection with it. Nothing in this clause deprives a consumer resident in the European Union, the European Economic Area, the United Kingdom, or Singapore of the protection of mandatory provisions of the law of their country of residence, and such a consumer may also bring proceedings in, and benefit from the mandatory consumer protection laws of, that country where local law so requires.
14.2.2 Clause 14.2.1 is without prejudice to the governing law and jurisdiction of any transfer instrument incorporated under clause 9, which is governed and construed as set out in that instrument and in clause 9.
14.3 Variation
14.3.1 No variation of this Addendum is effective unless it is in writing and signed by or on behalf of each party, save that Cosmos may update Annex 2 in accordance with clause 5.2 and Annex 3 in accordance with clause 7.2, and may update Annex 4 to reflect a change in transfer mechanisms required by a change in the Applicable Data Protection Law, in each case by written notice to the Controller.
14.4 Severability
14.4.1 If any provision of this Addendum is or becomes invalid, illegal, or unenforceable, it is to be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable, and if such modification is not possible, the relevant provision is to be deemed deleted. Any modification to or deletion of a provision under this clause does not affect the validity and enforceability of the rest of this Addendum.
14.5 No waiver
14.5.1 No failure or delay by a party to exercise any right or remedy provided under this Addendum or by law constitutes a waiver of that or any other right or remedy, nor does it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of a right or remedy prevents or restricts the further exercise of that or any other right or remedy.
14.6 Entire agreement
14.6.1 This Addendum, together with the Underlying Agreement and the Privacy page, constitutes the entire agreement between the parties in relation to the Processing of the Controller Personal Data by Cosmos as Processor, and supersedes any previous agreement or understanding on that subject matter.
14.7 Notices
14.7.1 A notice given under this Addendum must be in writing and sent to the relevant party at the contact details notified for the purpose, and is deemed received, if sent by email, at the time of transmission, provided that no automated message of non-delivery is received, and, if delivered by hand or sent by pre-paid post, at the time recorded by the delivery service or, in the absence of a record, two business days after posting for domestic post and five business days after posting for international post.
14.8 Cross-references
14.8.1 This Addendum is to be read together with the Privacy page, which describes the Processing for which Cosmos acts as a Controller. The approved Sub-processors referred to in clause 7 are recorded in Annex 3 (Approved sub-processors) of this Addendum.
Annex 1: Details of processing
This Annex sets out the details of the Processing of the Controller Personal Data and constitutes the Controller's documented instructions for the purposes of clause 3. Where the EU SCCs, the UK Addendum, or the UK IDTA apply, this Annex populates the corresponding parts of the Appendix or tables of the relevant instrument.
A1.1 Parties
A1.2 Subject matter
The subject matter of the Processing is the provision by Cosmos of the Services to the Controller under the Underlying Agreement, and the Processing of Personal Data that is necessary and incidental to the provision of those Services.
A1.3 Duration of the Processing
The Processing continues for the term of the Underlying Agreement, together with any subsequent period during which Cosmos retains the Controller Personal Data in accordance with clause 11 and paragraph A1.9 of this Annex.
A1.4 Nature of the Processing
The Processing comprises the operations necessary to deliver the Services, which may include collection, recording, organisation, structuring, storage, retrieval, consultation, use, hosting, transmission to and from authorised recipients, analysis, generation of documents and compliance outputs, disclosure to Sub-processors engaged in accordance with clause 7, restriction, erasure, and destruction.
A1.5 Purpose of the Processing
The purpose of the Processing is to enable Cosmos to provide corporate structuring support, compliance calendaring, document management, and entity administration to the Controller, and any related support, security, and administration of the Services, in each case on the instructions of the Controller.
A1.6 Types of Personal Data
The types of Personal Data Processed are, by default and subject to refinement on a per-engagement basis:
Special category Personal Data and Personal Data relating to criminal convictions and offences are not in scope unless expressly recorded in the Underlying Agreement. Where such Personal Data is in scope, the additional safeguards are those agreed in writing between the parties before the Processing of that Personal Data begins.
A1.7 Categories of Data Subject
The categories of Data Subject to whom the Controller Personal Data relates are:
A1.8 Frequency of the Processing
The Processing is carried out on a continuous basis for the duration of the Underlying Agreement.
A1.9 Retention period
The Controller Personal Data is retained for the duration of the Underlying Agreement and is then returned or deleted in accordance with clause 11, subject to retention required by law under clause 11.2. Engagement-specific retention periods, where they differ, are recorded in the Underlying Agreement.
A1.10 Competent Supervisory Authority
Where the EU SCCs apply, the competent Supervisory Authority is the lead supervisory authority of the Controller determined in accordance with Clause 13 of the EU SCCs. Where the UK GDPR applies, the competent Supervisory Authority is the Information Commissioner's Office.
Annex 2: Technical and organisational measures
This Annex describes the technical and organisational measures implemented by Cosmos for the purposes of clause 5. Where the EU SCCs, the UK Addendum, or the UK IDTA apply, this Annex populates the corresponding part of the Appendix or tables. Cosmos may update this Annex in accordance with clause 5.2 provided the overall level of security is not materially reduced.
A2.1 Information security governance
Cosmos maintains a documented information security management framework, with defined roles and responsibilities, executive ownership, and a programme of internal review. Security policies are reviewed at least annually and on a material change to the threat environment or to the Services.
A2.2 Access control
Access to systems Processing the Controller Personal Data is granted on the principles of least privilege and need to know. Cosmos enforces individual named accounts, role-based access control, multi-factor authentication for access to production systems and administrative interfaces, periodic access reviews, and prompt revocation of access on a change of role or on the departure of personnel.
A2.3 Authentication and credential management
Cosmos enforces minimum password complexity standards, secure storage of credentials using salted cryptographic hashing, protection of secrets and keys in a managed secrets store, and the rotation of credentials and keys on a defined schedule and on a suspected compromise.
A2.4 Encryption
Cosmos encrypts the Controller Personal Data in transit using current industry-standard transport encryption, and at rest using industry-standard encryption algorithms. Cryptographic keys are managed within a key management service with controlled access and logging.
A2.5 Network and infrastructure security
Cosmos segregates production, staging, and development environments, restricts inbound and outbound network traffic through firewalls and security groups, deploys intrusion detection and monitoring, and maintains protections against distributed denial-of-service attacks at the infrastructure layer.
A2.6 Application security
Cosmos applies secure development practices, including code review, dependency scanning, static and dynamic application security testing where appropriate, and a change management process that separates the authoring and the approval of changes to production.
A2.7 Vulnerability and patch management
Cosmos carries out regular vulnerability scanning, applies security patches within timeframes calibrated to the severity of the vulnerability, and commissions independent penetration testing on a periodic basis and following a significant change to the architecture of the Services.
A2.8 Logging and monitoring
Cosmos maintains audit logging of access to and material actions affecting the Controller Personal Data, protects logs against tampering, retains logs for a defined period, and monitors logs for anomalous and suspicious activity.
A2.9 Backup, resilience, and business continuity
Cosmos maintains regular backups of the Controller Personal Data, tests the restoration of backups, and operates business continuity and disaster recovery arrangements designed to restore the availability of and access to the Controller Personal Data in a timely manner following an incident.
A2.10 Pseudonymisation and data minimisation
Where appropriate to the nature of the Processing, Cosmos applies pseudonymisation, segregation, and data minimisation techniques to reduce the risk to Data Subjects.
A2.11 Physical security
The Controller Personal Data is hosted in data centres operated by Cosmos's cloud hosting Sub-processors, which maintain physical access controls, environmental controls, and resilience measures appropriate to a facility of that type, evidenced by recognised certifications.
A2.12 Personnel measures
Cosmos applies pre-engagement screening of personnel where lawful and proportionate, binding confidentiality obligations, role-appropriate data protection and security training on joining and on a recurring basis, and a documented disciplinary process for breaches of security policy.
A2.13 Supplier management
Cosmos carries out security due diligence on Sub-processors before engagement, imposes contractual security obligations consistent with clause 7.3, and reviews the security posture of Sub-processors on a periodic basis.
A2.14 Incident management
Cosmos maintains a documented incident response process covering detection, triage, containment, eradication, recovery, notification consistent with clause 8, and post-incident review.
A2.15 Secure deletion
Cosmos uses secure deletion methods designed to render the Controller Personal Data unrecoverable on the expiry of the applicable retention period and on the return or deletion of data under clause 11.
A2.16 Certifications and attestations
Cosmos holds, or requires its key infrastructure Sub-processors to hold, recognised independent certifications and attestations, which may include ISO/IEC 27001 certification and a SOC 2 Type II report, and makes the relevant reports and current certification details available to the Controller on request in accordance with clause 10.3.
Annex 3: Approved sub-processors
This Annex records the Sub-processors approved at the execution date of this Addendum, and is the single authoritative list of Sub-processors for the purposes of clause 7. Where the EU SCCs, the UK Addendum, or the UK IDTA apply, this Annex populates the corresponding Sub-processor details in the Appendix or tables of the relevant instrument. Cosmos may update this Annex in accordance with clause 7.2.
A3.1 Scope
A3.1.1 This Annex records the Sub-processors engaged to Process Personal Data on behalf of business clients in connection with the Services. A Sub-processor is a third party engaged by Cosmos that Processes Personal Data on behalf of a business client. This Annex does not record suppliers that do not Process Personal Data, or suppliers used only in respect of Processing for which Cosmos acts as a Controller in its own right.
A3.2 Status
A3.2.1 This Annex sets out the current and complete list of Sub-processors engaged by Cosmos as at the effective date. Every vendor listed is a Sub-processor that Cosmos currently engages. Changes to this Annex are notified in accordance with the process described in paragraph A3.5 and clause 7.2.
A3.2.2 The transfer mechanisms shown in the tables are the mechanisms applied under clause 9, and are read together with Annex 4.
A3.2.3 A point-in-time copy of this Annex as at the execution date should be appended to, or filed with, an executed counterpart of this Addendum so that the parties have a fixed record of the Sub-processors approved on execution.
A3.3 Approved sub-processors
The tables below list Sub-processors by category. Every entry records a Sub-processor that Cosmos currently engages as at the effective date.
A3.3.1 Cloud hosting and infrastructure
A3.3.2 Email and transactional email
A3.3.3 Web analytics
A3.3.4 Customer relationship management
A3.3.5 Payment processing
A3.3.6 Communications and messaging
A3.3.7 Identity verification and KYC or AML screening
A3.3.8 Document storage and electronic signature
A3.3.9 Customer support and helpdesk
A3.3.10 Application monitoring and error logging
A3.3.11 AI model providers
A3.4 Note on AI model providers
A3.4.1 Cosmos does not itself train, develop, or fine-tune any AI model, and does not use User inputs to train any model that Cosmos controls. The AI model providers listed in this category process Personal Data in order to return outputs to Cosmos for the benefit of the relevant business client.
A3.4.2 Inputs sent to OpenAI, Anthropic, and Mistral AI may be used by those providers to train or improve their models. Users should not submit confidential information or special category personal data into AI-assisted features. Further detail is set out in the Responsible AI Notice.
A3.5 Notification of changes
A3.5.1 Business clients give Cosmos a general written authorisation to engage Sub-processors. Cosmos will inform the relevant business clients of any intended change concerning the addition or replacement of a Sub-processor before that Sub-processor begins to Process Personal Data on their behalf.
A3.5.2 Cosmos will give at least 30 days' prior notice of the addition or replacement of a Sub-processor, in accordance with clause 7.2. Notice may be given by an update to this Annex combined with a notification mechanism to which the business client has subscribed, by email to the client's nominated contact, or by another written means agreed between the parties.
A3.5.3 A business client may object to the addition or replacement of a Sub-processor on reasonable data protection grounds, and the procedure and consequences of an objection, including the good-faith resolution process and the limited right of termination, are set out in clause 7.2.
A3.5.4 Where a new Sub-processor is required urgently to maintain the security or continuity of the Services, Cosmos may engage that Sub-processor on shorter notice, in which case it will notify affected business clients as soon as reasonably practicable, and the right to object continues to apply, as set out in clause 7.2.6.
A3.5.5 A business client may subscribe to receive notifications of changes to this Annex by contacting Cosmos at privacy@cosmos.global. Cosmos recommends that every business client subscribes so that it receives advance notice of changes.
Annex 4: International transfer mechanism specifics
This Annex records the transfer mechanisms applied to Restricted Transfers under clause 9, and the rationale for the option selections, so that the basis of each transfer is transparent and auditable.
A4.1 EU SCCs
A4.2 UK transfers
A4.3 Singapore transfers
A4.4 UAE transfers
A4.5 Transfer risk assessment and supplementary measures
A transfer risk assessment is carried out for a Restricted Transfer where the Applicable Data Protection Law requires one. Where supplementary measures are required under clause 9.6, they are recorded in a separate written record made available to the Controller.
Appendix: Definitions
The definitions used in this Addendum are set out in clause 1.4 and are supplemented by the master definitions used across the Cosmos legal suite. The following terms are collected here for ease of reference.