DATA PROCESSING AGREEMENT (DPA)

Version: May 2026

BETWEEN:

Eber Pte Ltd (name)

of 380 Jalan Besar, Arc 380 #07-06 Singapore 209000 (address and country of establishment) hereinafter the “Data Processor”

AND

the customer of Eber Pte Ltd

hereinafter the “Data Controller”

each a “party”; together “the parties”.

1.1 This Data Processing Agreement ("DPA") specifies the Parties’ data protection obligations, which arise from the Data Processor’s processing of personal data on behalf of the Data Controller under the quote, service agreement or other agreement between the Parties ("the Agreement").

1.2 The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, the DPA will prevail.

2.1 The Data Processor shall only process personal data in accordance with the terms of this DPA.

2.2 The Data Processor shall process personal data for the limited purpose of performing the obligations set out under the Agreement. Data may, for that purpose, be processed by any of the Data Processor’s entities.

2.3 Data processing by the Data Processor shall include such actions as may be specified in the Agreement.

2.4 The term of this DPA shall continue until the latter of the following: the termination of the Agreement, or the date at which the Data Processor ceases to process personal data for the Data Controller.

2.5 The personal data to be processed by the Data Processor concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Exhibit 1.

3.1 The Agreement enables the Data Controller access to an admin portal, a protected web site that enables the Data Controller’s employees (with admin-access) to upload information without the Data Processor’s participation or knowledge.

3.2 The Data Processor undertakes no responsibility for data uploaded by the Data Controller in the admin portal.

3.3 To the extent that such upload of data constitutes processing of personal data, the Data Controller warrants:

3.3.1 that the Data Controller has the relevant legal basis for having and processing the personal data, including, if applicable, the relevant permissions from the data subject; and

3.3.2 that, if the transfer involves sensitive categories of data, including but not limited to Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Genetic data; and Biometric data, the data subject has been informed or will be informed before the transfer, or as soon as possible after, that its data could be transmitted to a third country not providing adequate protection within the meaning of the applicable data protection law.

4.1 The Data Processor warrants and undertakes:

4.1.1 It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

4.1.2 It will have in place procedures so that any third party it authorises to have access to the personal data will respect and maintain the confidentiality and security of the personal data. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.

4.1.3 It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data controller (which will pass such notification on to the authority where required) if it becomes aware of any such laws.

4.1.4 It will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, damage or alteration and against unauthorised disclosure and abuse.

4.1.5 The Data Processor will ensure that it and its Sub-processors involved in the processing of personal data at all times comply with the minimum data security requirements set out in Exhibit 2.

4.2 Data Hosting and Cross-Border Transfers

Personal data processed under this DPA is primarily hosted on Amazon Web Services infrastructure located in the Singapore region (ap-southeast-1). Where personal data is processed by Sub-processors outside of Singapore, the Data Processor shall ensure that such processing is subject to contractual protections equivalent to those set out in this DPA, and that any cross-border transfers comply with the requirements of the Singapore Personal Data Protection Act 2012 or other applicable data protection law.

5.1 The Data Processor will procure that any personnel of the Data Processor required to access personal data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.

5.2 The Data Processor will procure that all personnel of the Data Processor required to access personal data are informed of the confidential nature of the personal data and the security procedures applicable to the processing of or access to the personal data.

5.3 The Data Processor’s personnel’s undertaking to abide by such confidentiality requirements will continue after the end term of this DPA.

6.1 The Data Processor shall provide reasonable and timely assistance to Data Controller to enable Data Controller to respond to:

6.1.1 any request from a data subject to exercise any of its rights under applicable data protection law (including its rights of access, correction, objection, erasure and data portability, as applicable); and

6.1.2 any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Data Processor, Data Processor shall promptly inform Data Controller providing full details of the same.

6.1.3 The Data Processor shall provide Data Controller with reasonable cooperation to enable Data Controller to conduct any data protection impact assessment that it is required to undertake under applicable data protection law.

7.1 With this DPA, the Data Processor has the Data Controller’s general authorization for the engagement of Sub-processors for the purpose of performing the obligations set out under the Agreement. The Sub-processors, approved by the Data Controller by the signing of this DPA, are listed in Exhibit 3. The Data Processor shall:

7.1.1 maintain an up-to-date list of its Sub-processors on the Data Processor’s website at https://www.eber.co/ (or any future website used by the Data Processor);

7.1.2 update with details of any change in Sub-processors at least 30 days prior to any such change (except to the extent a 30 days’ notice is not possible due to an emergency) and notify the Data Controller of such change via the Data Processor’s usual email notification process;

7.1.3 provide a copy upon request of the data processing agreement(s) between the Data Processor and the Sub-processors at any given time to the Data Controller.

7.1.4 The Data Controller may object to such a new Sub-processor for justified reasons relating to data protection. In the case of a justified objection, the Parties shall negotiate in good faith to find an alternative solution. If such an alternative solution cannot be found and the Data Processor decides to proceed with such a Sub-processor, the Data Controller can terminate the Agreement with a notice of 30 days. Neither of the Parties shall be considered in breach of contract in the event of such termination.

7.2 For Data Controllers subject to additional jurisdictional data protection requirements (such as the EU General Data Protection Regulation), supplementary data processing terms may be agreed in writing between the Parties.

8.1 The Data Controller and the Data Processor will be separately responsible for conforming with the applicable data protection law as applicable to them.

8.2 The Data Controller shall be responsible, among others, for ensuring that the processing of personal data, which the Data Processor is instructed to perform, has a legal basis.

8.3 The Data Controller will inform the Data Processor in writing without undue delay following the Data Controller’s discovery of a failure to comply with applicable data protection law with respect to processing of personal data in accordance with this DPA.

8.4 The Data Controller shall be responsible for providing accurate and relevant contact details after entering into the Agreement and thereafter to assist in Data Processor’s notification obligations.

9.1 The Data Processor shall without undue delay, and no later than 72 hours, in writing, notify the Data Controller in case of any identified or potential breach of personal data processed under the DPA.

9.2 The notification must, to the extent possible:

9.2.1 describe the nature of the personal data breach including where possible (e.g., loss, theft, copying), the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,

9.2.2 communicate the name and contact details of the person with the Data Processor where more information can be obtained,

9.2.3 describe the likely consequences of the personal data breach, and

9.2.4 describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Escalation Process: In the event of a personal data breach, the Data Processor shall follow the escalation process below:

Stage 1 — Initial Alert (within 72 hours): The Data Processor shall notify the Data Controller of the identified or suspected breach with facts available at that time and initial containment steps taken. Where full information is not yet available, the Data Processor shall provide updates as information becomes known.

Stage 2 — Incident Report (within 5 business days): The Data Processor shall provide the Data Controller with a full written report covering: (a) the nature and scope of the breach; (b) the categories and approximate number of data subjects and records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the breach and mitigate its effects.

Stage 3 — Resolution Summary (within 30 days): The Data Processor shall provide the Data Controller with a written confirmation that the incident is closed, the actions taken, and any permanent measures implemented to prevent recurrence.

9.4 The Data Processor’s designated point of contact for breach escalation shall be communicated to the Data Controller upon request or at the time of any breach notification.

10.1 The Data Processor shall carry all costs associated with compliance of this DPA in its capacity as Data Processor.

10.2 The Data Controller shall carry all costs associated with compliance of this DPA in its capacity as Data Controller.

10.3 In respect of tasks of the Data Processor, that are not an obligation under this DPA, cf. in the sections above, the Data Processor shall be entitled to charge the Data Controller for the additional resources, time and material necessary to fulfil the required task(s), unless such services are already included in the services rendered under the Agreement.

10.4 The Data Processor will notify the Data Controller in advance of such additional charges and, to the extent possible, provide the Data Controller with a quote of the expected costs.

10.5 If the Data Controller cannot agree to the costs, the Data Processor shall be entitled not to perform the additional assignment and to terminate the Agreement with a notice of 30 days. The Data Processor shall not be considered in breach of contract in this event.

11.1 Within 30 days following the end term or termination of the Agreement, the Data Processor shall (at Data Controller’s election) destroy or return to the Data Controller all Data in its possession or control. The Data Processor reserves the right after such 30-day period to delete personal data from all locations when the Data Controller has not elected either option. This requirement shall not apply to the extent that Data Processor is required by applicable law to retain some or all of the Data.

11.2 Upon the Data Controller’s request, the Data Processor shall certify in writing the destruction of the personal data.

12.1 Each party’s liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party’s liability for a breach of this DPA exceed the liability cap set out in the Agreement. Neither party limits nor excludes any liability that cannot be limited or excluded under applicable law (such as for fraud).

13.1 The Agreement is governed by, and must be interpreted in accordance with, the laws of Singapore, including the Singapore Personal Data Protection Act 2012 (PDPA). Where any conflict arises between the provisions of this DPA and the requirements of applicable data protection law, the applicable law shall prevail.