1. Parties and interpretation
This Data Processing Addendum (“DPA”) forms part of the Enterprise Agreement (“Agreement”) between TREPINSTAREWARDS PRIVATE LIMITED (“Processor”, “TrusCodes”) and the Customer identified in the Agreement (“Controller”, “Customer”) and governs the processing of Personal Data by Processor on behalf of Controller.
Where there is any conflict between the body of the Agreement and this DPA, this DPA prevails in respect of the subject matter of data protection. Capitalised terms not defined in this DPA have the meanings given in the Agreement or applicable Data Protection Laws.
2. Definitions
“Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended (“CCPA/CPRA”), and the Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”).
“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data Breach”, and “Sub-processor” bear the meanings given under applicable Data Protection Laws. Under the DPDP Act, references in this DPA to Controller and Processor include the equivalent terms “Data Fiduciary” and “Data Processor” respectively.
“Restricted Transfer” means a transfer of Personal Data that is subject to specific conditions under Data Protection Laws.
“Standard Contractual Clauses” or “SCCs” means the Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) clauses approved by the European Commission in Implementing Decision (EU) 2021/914, together with applicable jurisdictional addenda (including the UK International Data Transfer Addendum and the Swiss FDPIC adaptations).
3. Scope and roles
Controller determines the purposes and means of Processing of Personal Data. Processor Processes Personal Data on behalf of Controller strictly as described in this DPA and on Controller’s documented instructions, which include those set out in the Agreement and Schedule 1.
Processor confirms it has no independent purpose for Processing Personal Data other than providing the Services. Any Processing outside the scope of this DPA requires a separate written agreement.
4. Processor obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller, including with regard to Restricted Transfers, unless required to do otherwise by a law to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before Processing (unless that law prohibits such information on important grounds of public interest).
- Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take the technical and organisational measures described in Schedule 2 (Security Measures).
- Assist Controller, taking into account the nature of the Processing and the information available to Processor, in fulfilling Controller’s obligations to respond to Data Subject requests under Data Protection Laws.
- Assist Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), and equivalent obligations under other Data Protection Laws.
- At Controller’s choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies, unless Union, Member State, or Indian law requires storage of the Personal Data.
- Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted in accordance with Section 10.
5. Sub-processors
Controller provides general written authorisation for Processor’s engagement of the Sub-processors listed in Schedule 3 (Sub-Processor List) and any additions made in accordance with this Section 5.
Processor shall:
- Inform Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving Controller the opportunity to object to such changes.
- Impose on each Sub-processor, by way of written contract, the same data-protection obligations as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing meets the requirements of Data Protection Laws.
- Remain fully liable to Controller for the performance of each Sub-processor’s obligations under its contract with Processor.
Where Controller reasonably objects to a new Sub-processor on legitimate, documented data-protection grounds, Processor shall use reasonable efforts to make available to Controller a change in Services to avoid the use of that Sub-processor. If Processor is unable to make such a change available within a reasonable period, Controller may terminate the portion of the Services that cannot be provided by Processor without the use of the objected-to Sub-processor.
6. International transfers and Standard Contractual Clauses
Where Processor’s Processing of Personal Data involves a Restricted Transfer, the parties agree that the Standard Contractual Clauses are incorporated into this DPA and shall apply to that transfer, with:
- Module 2 (Controller-to-Processor) applying where Controller is a controller and transfers Personal Data to Processor.
- Module 3 (Processor-to-Processor) applying where Controller acts as a processor of an onward controller and transfers Personal Data to Processor.
- The UK International Data Transfer Addendum applying to UK-origin transfers.
- The Swiss FDPIC adaptations applying to Swiss-origin transfers.
Processor shall assist Controller in completing any transfer impact assessment required under Data Protection Laws. A current transfer impact assessment summary, covering the technical, contractual, and organisational supplementary measures relied on, is available to Controller at privacy@truscodes.com.
For transfers of Personal Data from India under the DPDP Act, Processor transfers Personal Data only to destinations that are not notified as restricted by the Central Government, and maintains equivalent safeguards at the destination through contractual controls and Sub-processor oversight.
7. Security measures
Processor shall implement and maintain the technical and organisational measures set out in Schedule 2 (Security Measures) to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data, including, as appropriate, the measures referred to in Article 32 of the GDPR.
Processor may update or modify individual security measures from time to time, provided the overall level of security is not materially diminished.
8. Personal Data Breach
Processor shall notify Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Controller’s Personal Data. The notification shall, to the extent reasonably available to Processor at the time:
- Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned.
- Communicate the name and contact details of the relevant Processor contact where more information can be obtained.
- Describe the likely consequences of the Personal Data Breach.
- Describe the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
Processor shall cooperate with Controller and take reasonable steps as directed by Controller to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
9. Data Subject requests and regulatory cooperation
Processor shall, to the extent legally permitted, promptly notify Controller if Processor receives a request from a Data Subject for access, correction, erasure, restriction, portability, objection, or any other Data Subject right under Data Protection Laws, and shall not respond to the request except on the instructions of Controller or as required by applicable law.
Processor shall reasonably cooperate with Controller’s responses to communications from supervisory authorities, including the European supervisory authorities, the UK Information Commissioner’s Office, the California Privacy Protection Agency, and the Data Protection Board of India.
10. Audit rights
Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA. Controller may, upon at least 30 days’ prior written notice and not more than once per calendar year (except following a Personal Data Breach), at Controller’s cost, conduct or instruct a qualified, independent third-party auditor bound by confidentiality obligations to conduct an audit of Processor’s compliance with this DPA.
Processor may satisfy audit requests through provision of its current SOC 2 Type II, ISO 27001, or equivalent third-party attestation reports, and through responses to an industry-standard security questionnaire, where such documentation reasonably addresses Controller’s audit objectives. On-site audits are subject to reasonable scheduling, scope-limitation, and security-clearance conditions.
11. Return and deletion
Upon termination or expiry of the Agreement, Processor shall, at Controller’s election, either return all Personal Data to Controller or delete all Personal Data and certify deletion in writing, in each case within 90 days of the effective date of termination. Processor may retain Personal Data to the extent required by applicable law, for the duration and purposes required by that law, and subject to continued confidentiality and security controls.
Personal Data in the TrusCodes audit ledger may be retained for the periods specified in the Privacy Policy and Agreement to preserve audit-defensibility, unless Controller specifies a shorter period in writing.
12. Liability
The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits either party’s liability for any claims from Data Subjects under Chapter VIII of the GDPR or under equivalent Data Protection Laws.
13. Term and termination
This DPA takes effect on the Effective Date and continues in force for the duration of the Agreement. Sections 10 (Audit Rights), 11 (Return and Deletion), and 12 (Liability) survive termination of this DPA.
14. Precedence and order of priority
In the event of conflict between the documents forming the contractual relationship, the order of priority is: (a) the Standard Contractual Clauses (to the extent incorporated); (b) this DPA; (c) the body of the Agreement; (d) any other referenced schedules or annexes.
15. Governing law
This DPA is governed by the law of the Agreement, save that the Standard Contractual Clauses (where incorporated) are governed by the law specified therein.
Schedule 1 — Description of Processing
This Schedule describes the Processing carried out by Processor on behalf of Controller.
1.1 Subject matter
Provision of the TrusCodes Platform to Controller, including any of the modules BrandShield, CertiSure, LabAssured, GeoGuard, TracePro, and Engage activated under the Agreement.
1.2 Duration
The duration of the Agreement and any post-termination retention period set out in Section 11.
1.3 Nature and purpose of Processing
Identity validation, lifecycle enforcement, tamper-evident verification, custody-event recording, anomaly detection, audit-ledger entry, and administrator activity logging, together with ancillary operational processing (support, billing, system monitoring).
1.4 Categories of Data Subjects
- Authorised users (administrators and operators) of Controller’s Platform deployment.
- Supply-chain actors recording or receiving state transitions (where TracePro is deployed).
- End users who scan TrusCodes-enabled products (scan metadata and, where consented, identity attributes).
1.5 Categories of Personal Data
- Identifiers — name, business email, role, organisational affiliation.
- Authentication credentials and session tokens.
- Device and scan metadata — timestamp, approximate location (where consented), user-agent, IP address.
- Verification outcomes and lifecycle states bound to the scanning actor or consumer.
- Support correspondence and administrative audit-ledger entries.
1.6 Special-category / sensitive data
Processor does not Process special-category or sensitive Personal Data under this DPA unless Controller expressly configures the Platform to do so; in that case, Controller shall ensure the necessary lawful basis and additional safeguards are in place before enabling the feature.
Schedule 2 — Security Measures
Processor implements and maintains the following technical and organisational measures. Individual measures may be updated provided the overall level of security is not materially diminished.
2.1 Governance
- Documented information-security management system aligned to ISO 27001 control objectives.
- Annual risk assessment covering confidentiality, integrity, availability, and resilience.
- Security policies reviewed annually and on material change.
2.2 Access control
- Role-based access controls with least-privilege defaults across production systems.
- Mandatory multi-factor authentication for administrative access to production environments.
- Quarterly access-review cycle; immediate revocation on role change or departure.
2.3 Cryptography
- Encryption of Personal Data in transit using TLS 1.2 or higher.
- Encryption of Personal Data at rest using AES-256. Cryptographic identities use a time-segmented rotating key pool providing forward secrecy.
- Key-management processes segregating duties between issuance, rotation, and use.
2.4 Platform integrity
- Append-only SHA-256 hash-chained audit ledger for verification events and administrator actions; retroactive alteration produces a detectable chain break.
- Per-brand physical database isolation preventing cross-customer readability at the storage layer.
- Continuous anomaly detection over the event stream, with alerting and documented exception-handling procedures.
- Tamper-evident physical label embodiments complementing the digital controls.
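The hash-chained audit ledger described in 2.4, illustrated as an added Python example (not TrusCodes' own implementation): each entry's SHA-256 digest covers its predecessor's digest, so a retroactive edit to a stored entry is detected at the altered position, or at the following entry if the editor also recomputed the altered entry's hash. Field names, actors and actions are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev hash committed to by the first entry


def _digest(seq: int, actor: str, action: str, prev_hash: str) -> str:
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps({"seq": seq, "actor": actor, "action": action,
                          "prev": prev_hash}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(ledger: list[dict], actor: str, action: str) -> dict:
    """Append-only write: the new entry commits to its predecessor's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    seq = len(ledger)
    entry = {"seq": seq, "actor": actor, "action": action, "prev": prev,
             "hash": _digest(seq, actor, action, prev)}
    ledger.append(entry)
    return entry


def verify(ledger: list[dict]) -> int:
    """Return the index of the first inconsistent entry, or -1 if the chain is intact."""
    expected_prev = GENESIS
    for i, e in enumerate(ledger):
        if e["seq"] != i or e["prev"] != expected_prev:
            return i  # gap, reorder, or a predecessor that was rewritten
        if _digest(e["seq"], e["actor"], e["action"], e["prev"]) != e["hash"]:
            return i  # entry content no longer matches its own stored hash
        expected_prev = e["hash"]
    return -1


def demo() -> tuple[int, int, int]:
    # Constructed sample events; actors and actions are illustrative only.
    ledger: list[dict] = []
    append(ledger, "admin@controller.example", "ROLE_GRANT user=ops-7 role=operator")
    append(ledger, "scanner-42", "VERIFY code=SAMPLE-0001 result=genuine")
    append(ledger, "admin@controller.example", "KEY_ROTATE pool=2026-Q2")
    intact = verify(ledger)
    # Retroactive edit of entry 1 with its stored hash left as-is: caught at index 1.
    edited = dict(ledger[1], action="VERIFY code=SAMPLE-0001 result=counterfeit")
    t1 = ledger[:1] + [edited] + ledger[2:]
    # Edit plus recomputed hash: entry 1 now self-validates, but entry 2 still
    # commits to the original hash, so the chain break surfaces at index 2.
    rehashed = dict(edited, hash=_digest(1, edited["actor"], edited["action"], edited["prev"]))
    t2 = ledger[:1] + [rehashed] + ledger[2:]
    return intact, verify(t1), verify(t2)
```

Detection depends on the verifier holding the latest entry hash (or a periodic checkpoint of it) outside the writable store; otherwise the whole suffix of the chain can be rewritten consistently.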
2.5 Operational resilience
- Separated development, staging, and production environments with controlled promotion pipelines.
- Daily encrypted backups with documented restore procedures and periodic restore tests.
- Documented incident response plan, rehearsed annually.
2.6 People and vendor risk
- Background screening of personnel with access to production data, proportionate to role and local-law permissibility.
- Mandatory security and privacy training on induction and annually thereafter.
- Vendor-risk assessment for Sub-processors, documented in Schedule 3 and refreshed at least annually.
2.7 Physical security
- Production systems hosted in certified data-centre facilities with controlled physical access, environmental controls, and 24×7 monitoring.
- Corporate premises protected by access control and CCTV; production-level data is not accessible from corporate endpoints.
Schedule 3 — Sub-Processor List
The following Sub-processors are authorised under this DPA. Controller may subscribe to notifications of changes by writing to privacy@truscodes.com.
| Sub-processor | Service provided | Location of processing | Safeguard |
|---|---|---|---|
| Amazon Web Services, Inc. | Primary cloud infrastructure hosting for Platform workloads. | ap-south-1 (Mumbai) and eu-west-1 (Dublin). | SCCs Module 3; AWS Data Processing Addendum. |
| Google Cloud Platform | Secondary analytics and log-retention infrastructure. | asia-south1 and europe-west1. | SCCs Module 3; Google Cloud DPA. |
| Cloudflare, Inc. | Content delivery and DDoS protection. | Global edge network. | SCCs Module 3; Cloudflare DPA. |
| HubSpot, Inc. | CRM, support ticketing, marketing. | United States; EU for EU-origin data. | SCCs Module 2; HubSpot DPA. |
| Twilio SendGrid | Transactional email delivery. | United States; EU for EU-origin data. | SCCs Module 3; Twilio DPA. |
| Stripe Payments India | Payment processing for Indian invoices. | India. | DPDP Act safeguards; Stripe India DPA. |
| Stripe Payments Europe | Payment processing for non-India invoices. | Ireland; United States. | SCCs Module 3; Stripe DPA. |
| DataDog, Inc. | Platform observability and monitoring (no Personal Data of End Users stored). | United States; EU region selectable. | SCCs Module 3; DataDog DPA. |
| Sentry (Functional Software, Inc.) | Application error telemetry; scrubbed of Personal Data at source. | United States; EU region selectable. | SCCs Module 3; Sentry DPA. |
Document control: Data Processing Addendum version 1.0, effective 21 April 2026. Owner: Legal & Privacy, TREPINSTAREWARDS PRIVATE LIMITED.