Data Processing Agreement
This Data Processing Agreement (this "DPA") forms part of, and is incorporated by reference into, the Vision Score Portal Terms of Use (the "Terms") between Trust IQ Pte. Ltd., a company incorporated in Singapore (UEN 201630906R), having its registered office at #07-01 Suntec Tower 2, 9 Temasek Boulevard, Singapore 038989 ("Trust IQ"), and the legal entity registering an account on or accessing the Vision Score Portal (the "Client"). Trust IQ and Client are each a "Party" and together the "Parties".
BY ACCEPTING THE PORTAL DOCUMENTS AT SIGN-UP (INCLUDING THE TERMS, THE PRIVACY POLICY, AND THIS DPA), CLIENT AGREES TO BE BOUND BY THIS DPA. THIS DPA IS DEEMED PRE-EXECUTED BY TRUST IQ. NO ADDITIONAL SIGNATURE IS REQUIRED FOR THIS DPA TO BE EFFECTIVE BETWEEN THE PARTIES.
This DPA governs the processing of Personal Data by Trust IQ on Client's behalf in connection with the Service. This DPA is governed by Singapore law and is intended to satisfy the data intermediary / processor requirements under the Singapore Personal Data Protection Act 2012. This DPA is also intended to support Client's compliance with other Applicable Data Protection Law that may apply to Client's processing of Personal Data, but compliance with such foreign laws (including notice, consent, transfer impact assessments, registration, filings, data subject rights, and adverse-action obligations) is Client's responsibility as Controller / organisation. In the event of any conflict between this DPA and the Terms in respect of the processing of Client Personal Data, this DPA prevails, except that the Terms continue to govern commercial terms, fees, service restrictions, liability caps, indemnities, governing law, dispute resolution, and general use of the Service unless this DPA expressly states otherwise.
1. Definitions
Capitalised terms used but not defined in this DPA have the meanings given to them in the Terms. The following additional terms apply:
- "Applicable Data Protection Law" means the Singapore Personal Data Protection Act 2012 ("PDPA") in respect of Trust IQ's obligations as data intermediary under this DPA. Other data protection, privacy, biometric, credit-information, profiling, automated-decisioning, AI, consumer-credit, fair-lending, anti-discrimination or data-transfer laws apply to Trust IQ only to the extent mandatorily applicable to Trust IQ's processing and not excluded by the geographic and use restrictions in the Terms. Client remains responsible for identifying and complying with all laws applicable to Client's collection, upload, use and processing of Client Personal Data and Service Outputs.
- "Anonymised Data" means data that has been irreversibly anonymised such that no individual, Client, or Authorized User is identified or reasonably identifiable, directly or indirectly, by Trust IQ or any other person reasonably likely to receive or access the data, taking into account all means reasonably likely to be used (including technological developments).
- "Client Personal Data" means Personal Data contained in Client Inputs or otherwise processed by Trust IQ on Client's behalf through the Service, as further described in Schedule 1. "Client Inputs", "Service Outputs", "Aggregated Service Metrics" and "Portal User Data" have the meanings given in the Terms; Aggregated Service Metrics constitute Anonymised Data and do not identify Client, any Authorized User, or any Data Subject.
- "Client-Specific Model" means any model, model weights, parameters, calibration layer, scoring configuration, or derived artefact trained or fine-tuned specifically using Client Personal Data or Client Inputs in connection with the Service (including any "Client Model" as defined in the Terms).
- "Personal Data", "Controller", "Processor", and "Data Subject" have the meanings given under Applicable Data Protection Law and include equivalent terms under the PDPA ("personal data", "organisation", "data intermediary").
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data processed by Trust IQ or a Sub-processor.
- "Sub-processor" means any third party, including a Vietnam Affiliate, engaged by Trust IQ to process Client Personal Data in connection with the Service.
- "Vietnam Affiliate" means each Vietnam-incorporated affiliate of Trust IQ that processes Client Personal Data on Trust IQ's behalf in connection with the Service, including Trusting Social Joint Stock Company and Trust IQ Limited Liability Company, as further described in Schedule 2.
2. Roles and Scope
Roles. In respect of Client Personal Data processed in connection with the Service: (a) Client is the Controller (and, for purposes of the Singapore PDPA, the organisation responsible for determining the purposes for which and the manner in which Client Personal Data is collected, used, disclosed, and processed); and (b) Trust IQ is the Processor (and, for purposes of the Singapore PDPA, Trust IQ acts as Client's data intermediary under the PDPA, on behalf of and for the purposes of Client).
Trust IQ as an Independent Organisation. Trust IQ acts as an independent organisation (and, where applicable, controller or equivalent) under the Singapore PDPA and other Applicable Data Protection Law when Trust IQ processes Portal User Data, Know Your Business information, security and audit logs, account and billing data, strictly necessary operational and security analytics, and other data for its own administrative, security, compliance, billing, audit, legal, or account-management purposes. The Privacy Policy describes Trust IQ's processing of such data. Aggregated Service Metrics constitute Anonymised Data and are not Personal Data; until such anonymisation is complete, the underlying information remains Client Personal Data and is subject to this DPA.
Scope. This DPA applies to all processing of Client Personal Data carried out by Trust IQ (or any Sub-processor) on Client's behalf in connection with the Service, whether during the Trial or thereafter. This DPA does not apply to Trust IQ's processing of Portal User Data or other data processed by Trust IQ as an independent organisation under Section 2.2, which is governed by the Privacy Policy.
Client Responsibilities. Client is responsible, as Controller and as the organisation under the PDPA, for:
- the lawfulness, fairness, and transparency of its collection and use of Client Personal Data;
- identifying all data protection, privacy, biometric, credit-information, consumer-credit, fair-lending, anti-discrimination, automated-decisioning, and cross-border-transfer laws applicable to Client's collection, upload, use, and processing of Client Personal Data through the Service, and obtaining all consents, providing all notices, completing all transfer impact assessments and filings, and complying with all other obligations required of a Controller (or organisation) under such laws;
- the accuracy of Client Personal Data;
- the lawfulness of any instructions given to Trust IQ;
- ensuring that Client Inputs do not include categories of restricted data identified in Section 3.1 of the Terms (including national identification numbers, passport numbers, full residential addresses, bank account numbers, payment-card data, raw identity documents, health data, criminal records, and children's data) unless Trust IQ has expressly agreed in writing;
- complying with the geographic restrictions in Section 2.3 of the Terms (Prohibited Jurisdictions), including not uploading Client Inputs of residents of the United States, the European Economic Area, the United Kingdom, or Switzerland, or any sanctioned jurisdiction; and
- ensuring meaningful human review by a competent person before any decision producing legal or similarly significant effects on a Data Subject (including denial of credit, employment, housing, insurance, or benefits), and providing the Data Subject with rights to obtain human review, contest the outcome, and receive an explanation, as required by applicable law.
Trust IQ Remedies for Client Breach. If Trust IQ reasonably believes that Client has uploaded Restricted Data, Client Personal Data from a Prohibited Jurisdiction, or any Client Personal Data in breach of the Terms or this DPA, Trust IQ may suspend processing, quarantine or delete the affected data, disable access to affected Service features, and require Client to remediate the issue. Client remains responsible for all consequences arising from such upload or use.
3. Processing Instructions
Documented Instructions. Trust IQ shall process Client Personal Data only on Client's documented instructions. The Terms, any applicable order form or written service description, this DPA, Client's configuration choices, and Client's use of the Service through the Portal together constitute Client's complete and documented instructions for the purposes of Applicable Data Protection Law.
Purpose Limitation. Trust IQ shall process Client Personal Data solely for the purposes set out in Schedule 1 (Description of Processing), which include the generation of Vision Scores, the production of backtest analytics, and (where requested by Client) the fine-tuning of Client-Specific Models.
No General-Purpose Model Training; Aggregated Service Metrics. Trust IQ shall not use Client Personal Data, Service Outputs, Self-Portrait Images, or Client-Specific Models to train, develop, fine-tune, or improve any general-purpose, multi-customer, or foundation model except under a separate written agreement with Client. Trust IQ may create Aggregated Service Metrics only after applying anonymisation measures such that the resulting Anonymised Data cannot reasonably be used to identify Client, any Authorized User, or any Data Subject, and may use such Anonymised Data for operating, maintaining, securing, and improving the Service; producing analytics and benchmarks; and research and development. Trust IQ shall not attempt to re-identify Aggregated Service Metrics. Until anonymisation is complete, the underlying information remains Client Personal Data and is subject to this DPA.
Client-Specific Models. Where Trust IQ fine-tunes or trains a Client-Specific Model using Client Personal Data or Client Inputs:
- to the extent the Client-Specific Model (including its weights, parameters, or derived artefacts) contains, reveals, or can reasonably be linked to Client Personal Data, the Client, or any Data Subject, it shall be treated as Client Personal Data and Client's Confidential Information for purposes of this DPA;
- Trust IQ shall apply security measures consistent with Schedule 3 to such Client-Specific Models;
- Trust IQ shall delete or fully anonymise such Client-Specific Models within the deletion period in Section 12, unless Client expressly agrees otherwise in writing; and
- Trust IQ shall not use Client-Specific Models that constitute Client Personal Data or Client Confidential Information to provide services to, or generate outputs for, any other customer or third party.
Instructions That Infringe Law. Trust IQ shall inform Client if, in Trust IQ's reasonable opinion, an instruction infringes Applicable Data Protection Law. Trust IQ may decline to act on such instruction.
4. Personnel and Confidentiality
Trust IQ shall ensure that all personnel authorised to process Client Personal Data are bound by appropriate obligations of confidentiality (whether by contract or statutory duty).
Trust IQ shall limit access to Client Personal Data to those personnel who require access in order to deliver the Service or fulfil Trust IQ's obligations under this DPA.
5. Security Measures
Security Standard. Trust IQ shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Client Personal Data, having regard to the nature of the data (including data that, depending on processing and applicable law, may constitute biometric, special-category, or sensitive Personal Data), the state of the art, and the cost of implementation. Indicative measures are set out in Schedule 3 (Security Measures) and may be replaced by substantially equivalent measures appropriate to the nature, sensitivity and risk of the processing.
Heightened Protection for Sensitive Data. In recognition of the sensitivity of (a) Image Data and inferences derived therefrom (which, depending on processing and applicable law, may constitute biometric or special-category Personal Data), and (b) Performance Data processed under this DPA, Trust IQ will apply reasonable and appropriate security measures, which may include the measures described in Schedule 3 or substantially equivalent measures, having regard to the nature, sensitivity and risk of the processing.
Updates. Trust IQ may update the security measures from time to time, provided that the overall level of protection is not materially decreased.
6. Sub-processors
General Authorisation. Client grants Trust IQ general authorisation to engage Sub-processors to process Client Personal Data in connection with the Service, subject to the conditions in this Section 6. A current list of Sub-processors is set out in Schedule 2 and may also be published at a URL or Portal location notified to Client from time to time.
Vietnam Affiliates. Client specifically acknowledges and authorises Trust IQ's engagement of the Vietnam Affiliates — namely, Trusting Social Joint Stock Company and Trust IQ Limited Liability Company (each a company incorporated under the laws of Vietnam) — as Trust IQ's operational Sub-processors. The Vietnam Affiliates perform data science, model training and fine-tuning of Client-Specific Models, customer support, and incident response in connection with the Service.
Sub-processor Obligations. Trust IQ will take reasonable steps to ensure that Sub-processors processing Client Personal Data are subject to written confidentiality, security and data-protection obligations appropriate to the nature of the processing. Trust IQ remains responsible to Client for its own compliance with this DPA and the PDPA in respect of Client Personal Data processed by Sub-processors on Trust IQ's behalf.
Changes to Sub-processors. Trust IQ may add or replace Sub-processors from time to time. Trust IQ will notify Client of material changes through the Portal, by email, or by updating the Sub-processor list. If Client objects to a material Sub-processor change, Client may stop using the Service and request deletion of Client Personal Data in accordance with Section 12.
7. Cross-Border Transfers
Authorisation. Client authorises Trust IQ to transfer Client Personal Data outside the country in which it was collected, including to Singapore (Trust IQ's headquarters) and Vietnam (the Vietnam Affiliates' operating location), and to other jurisdictions in which Trust IQ or its Sub-processors operate, subject to the geographic restrictions in Section 2.3 of the Terms (Prohibited Jurisdictions).
Transfer Safeguards. Client is responsible for complying with the PDPA Transfer Limitation Obligation and any other transfer requirements applicable to Client's transfer or making available of Client Personal Data to Trust IQ. Trust IQ will process Client Personal Data transferred to or accessed by Trust IQ and its Sub-processors using reasonable security arrangements and retention controls required of Trust IQ as data intermediary under the PDPA and this DPA.
Client Responsibility for Foreign Law Transfers. Where Client Personal Data is subject to a foreign data protection law that imposes additional cross-border transfer requirements (such as transfer impact assessments, filings, registrations, governmental approvals, contractual mechanisms, or supplementary safeguards), Client is responsible, as Controller, for identifying such requirements, completing all assessments and filings, and ensuring all such requirements are satisfied. Trust IQ shall, on Client's reasonable request, provide information and documentation in Trust IQ's possession reasonably needed for Client's assessment.
No U.S., EU/UK/Swiss, or Sanctioned-Jurisdiction Processing in Default. Section 2.3 of the Terms restricts Client's access to the Service in respect of EEA/UK/Swiss residents. Accordingly, this DPA does not include EU Standard Contractual Clauses or equivalent UK/Swiss transfer mechanisms in its default form. Where, exceptionally and pursuant to a separate written agreement, Client Personal Data subject to the EU GDPR, UK GDPR, or Swiss FADP is processed under this DPA, the Parties shall enter into appropriate transfer mechanisms (such as the EU Standard Contractual Clauses with applicable UK/Swiss addenda) as a supplement to this DPA. If Client uploads Client Personal Data of residents of the United States, the EEA, the United Kingdom, Switzerland, or any sanctioned jurisdiction without Trust IQ's prior written agreement, Client remains solely responsible for such upload and for any resulting compliance obligations, and Trust IQ may suspend processing, quarantine or delete the affected data.
8. Personal Data Breach
Notification to Client. Trust IQ shall notify Client without undue delay after Trust IQ has credible grounds to believe that a Personal Data Breach affecting Client Personal Data has occurred. Where complete information is not available at the time of notification, Trust IQ may provide an initial notice with available information and provide further information on a rolling basis. The notification shall include, to the extent reasonably available: (a) a description of the nature of the Personal Data Breach; (b) the likely consequences; (c) the measures taken or proposed to address the breach; and (d) Trust IQ's contact details for further information.
Cooperation. Trust IQ shall reasonably cooperate with Client's investigation and remediation of any Personal Data Breach, and shall provide Client with information reasonably needed to satisfy Client's breach-notification obligations to supervisory authorities and Data Subjects under Applicable Data Protection Law.
Mitigation. Trust IQ shall take reasonable steps to mitigate the effects of, and minimise damage resulting from, any Personal Data Breach.
9. Data Subject Requests
Trust IQ will, to the extent legally permitted, refer to Client any request received from a Data Subject relating to Client Personal Data. Client is responsible for responding to such requests. Trust IQ will provide reasonable assistance to Client to the extent required by the PDPA, this DPA, or as otherwise agreed in writing, taking into account the nature of the processing and the information available to Trust IQ.
10. Assistance to Client
Taking into account the nature of processing and the information available to Trust IQ, Trust IQ shall provide reasonable assistance to Client in connection with Client's obligations under Applicable Data Protection Law relating to: (a) data protection impact assessments; (b) prior consultations with supervisory authorities; (c) responding to enquiries from supervisory authorities; and (d) handling Personal Data Breaches and rights requests.
Trust IQ may charge Client a reasonable fee for assistance that exceeds Trust IQ's standard support obligations, provided that Trust IQ notifies Client of such charges in advance. Trust IQ shall not charge fees for assistance required as a result of Trust IQ's breach of this DPA, its negligence, wilful misconduct, or failure to comply with Applicable Data Protection Law.
11. Audits
Information. Trust IQ shall make available to Client information reasonably necessary to demonstrate compliance with this DPA, including any then-available third-party audit reports, certifications, penetration-test summaries, or equivalent security documentation, subject to confidentiality and reasonable redaction. Trust IQ shall not represent that it holds any certification (such as SOC 2 Type II or ISO/IEC 27001) unless and until such certification has been issued and remains current.
Audits during Trial. During the Trial, Client's audit rights are limited to requesting reasonable information or then-available security documentation relating to Trust IQ's processing of Client Personal Data, subject to confidentiality and reasonable redaction. No on-site audit, production-system access, source-code review, model-weight review, penetration test, or inspection is permitted unless required by the PDPA, required by a competent regulator, or separately agreed in writing by Trust IQ.
12. Return and Deletion
Deletion Trigger. Trust IQ shall delete or anonymise Client Personal Data within thirty (30) days after the earliest of: (a) the end of the Trial, if Client does not continue to use the Service under a paid subscription, order form, or other successor agreement; (b) termination of the Terms or this DPA; (c) closure of Client's account; or (d) receipt of Client's written deletion instruction, except where retention is required to comply with applicable law, security, audit, dispute-resolution, regulatory, or legitimate business record-keeping obligations.
Return. Prior to deletion, Client may download available Client Inputs and Service Outputs through the Portal where such functionality is made available. Any additional return or export assistance is subject to technical feasibility, Trust IQ's reasonable costs, and separate written agreement.
Backups and Anonymised Data. Client Personal Data retained in routine backups shall be isolated from active processing and overwritten in the ordinary course within ninety (90) days, unless earlier deletion is technically feasible or longer retention is required by law. Such retained copies remain subject to the security and confidentiality obligations of this DPA. Anonymised Data that no longer constitutes Personal Data may be retained without limitation, provided Trust IQ does not attempt to re-identify it.
Client-Specific Models. Client-Specific Models that constitute Client Personal Data under Section 3.4 are subject to the deletion timeline in Section 12.1. Client-Specific Models that have been fully anonymised such that they cannot reasonably be linked to Client Personal Data, Client, or any Data Subject may be retained as Anonymised Data and used only for Aggregated Service Metrics, benchmarking, security, research, development, and service improvement in accordance with Section 3.3.
13. Liability
The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms. For the avoidance of doubt, this DPA does not increase the aggregate cap on liability set out in the Terms, except to the extent required by Applicable Data Protection Law.
Where Trust IQ and Client are both liable to a Data Subject or a supervisory authority for the same loss, each Party shall bear its proportionate share of liability having regard to its respective responsibility for the event giving rise to the loss.
Client Indemnity. Client's indemnity obligations in relation to Client Inputs, Client Personal Data, Service Outputs, Client's use of the Service, and Client's breach of applicable law are set out in the Terms. Nothing in this DPA limits those indemnity obligations.
14. Term and Termination
This DPA takes effect on the date Client accepts the Portal Documents at sign-up and continues for as long as Trust IQ processes Client Personal Data, regardless of any termination of the Terms.
Sections 8 (Personal Data Breach), 12 (Return and Deletion), 13 (Liability), and any other provision intended by its nature to survive, shall survive termination.
15. Governing Law and Dispute Resolution
Governing Law. This DPA, and any non-contractual obligation arising out of or in connection with it, are governed by, and shall be construed in accordance with, the laws of Singapore, without regard to its conflict-of-laws principles. This DPA is intended to satisfy the data intermediary / processor requirements under the Singapore Personal Data Protection Act 2012. Client is responsible, as Controller, for compliance with any other Applicable Data Protection Law that applies to its processing of Client Personal Data, as set out in Section 2.4.
Dispute Resolution. Any dispute arising out of or in connection with this DPA shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with the arbitration provision in the Terms, which is incorporated into this DPA by reference.
Mandatory Foreign Law. Nothing in this DPA limits the application of mandatory provisions of foreign Applicable Data Protection Law to specific processing of Client Personal Data subject to those laws. Where mandatory foreign law applies, compliance with such law is Client's responsibility as Controller, subject to Trust IQ's direct obligations as Processor under such law (if any).
16. Miscellaneous
Order of Precedence. In the event of any conflict between this DPA, the Terms and the Privacy Policy in relation to Trust IQ's processing of Client Personal Data on Client's behalf, the following order of precedence applies: (a) any mandatory transfer terms or standard contractual clauses entered into by the Parties, if applicable; (b) this DPA; (c) the Terms; and (d) the Privacy Policy. For commercial terms, fees, service restrictions, liability, indemnities, dispute resolution and general use of the Service, the Terms prevail unless this DPA expressly states otherwise.
Amendments. Trust IQ may amend this DPA from time to time, provided that amendments do not materially reduce the overall level of protection for Client Personal Data. Material amendments will be notified through the Portal or by email at least thirty (30) days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.
No Third-Party Rights. Except as expressly provided in this DPA, no person other than the Parties has any rights under the Contracts (Rights of Third Parties) Act 2001 of Singapore to enforce any term of this DPA.
Schedule 1 — Description of Processing
Subject matter and duration. The subject matter is Trust IQ's processing of Client Personal Data on Client's behalf to deliver the Service under the Terms. The duration of processing is for the term of the Terms and any post-termination retention period under Section 12 of this DPA.
Nature and purpose of processing. Generation of Vision Scores and other Service Outputs from Client Inputs; production of backtest performance metrics (Gini coefficient, AUC, lift tables) using Performance Data uploaded by Client in Client Inputs; fine-tuning of Client-Specific Models where requested by Client; cross-checking against Trust IQ's underlying Vision Score model for performance comparison; customer support, incident response, security monitoring, audit logging, and operation of the Portal. For clarity, the processing purposes do not permit Trust IQ to use Client Personal Data, Service Outputs, Self-Portrait Images, or Client-Specific Models to train, develop, fine-tune or improve any general-purpose, multi-customer or foundation model except in accordance with Section 3.3.
Categories of Data Subjects and Personal Data. Borrowers, credit applicants, rejected applicants, and other natural persons whose data appears in Client Inputs. Categories of Personal Data include:
- Image Data — self-portrait images (selfies) of Data Subjects, together with associated image metadata (EXIF data, capture timestamps, device information, camera parameters, and where present, geolocation). Image Data may constitute biometric data under Applicable Data Protection Law where used to identify, verify or authenticate an individual, or where biometric templates or features are derived from it.
- Performance Data — structured data uploaded by Client recording outcome, performance, application, or behavioural information relating to Data Subjects, including historical outcome records, application data, payment status records, and related metadata.
- Inferred attributes — where generated by the Service, technical, contextual, image-based, or other risk-related signals derived from Image Data. Some of these may, under Applicable Data Protection Law, constitute special-category or sensitive Personal Data.
- Subject identifiers — customer or applicant IDs assigned by Client that link records.
Recipients. Trust IQ Pte. Ltd. personnel (Singapore); Vietnam Affiliates (Trusting Social Joint Stock Company and Trust IQ Limited Liability Company) as operational Sub-processors; other Sub-processors listed in Schedule 2; auditors and professional advisors under confidentiality obligations; and supervisory authorities and law enforcement where required by law.
Retention. Client Personal Data: deleted or anonymised within thirty (30) days after the earliest of (a) the end of the Trial, if Client does not continue to use the Service under a paid subscription, order form, or other successor agreement, (b) termination of the Terms or this DPA, (c) closure of Client's account, or (d) receipt of Client's written deletion instruction, except where retention is required by law or for security, audit, dispute-resolution, regulatory or legitimate business record-keeping purposes. Backups: retained until overwritten in the ordinary course within ninety (90) days, unless earlier deletion is technically feasible or longer retention is required by law. Anonymised Data that does not identify and cannot reasonably be used to identify Client, any Authorized User, or any Data Subject may be retained without limitation.
Schedule 2 — List of Sub-processors
The following Sub-processors are authorised as at the Effective Date:
Group Affiliate Sub-processors (Vietnam Affiliates)
- Trusting Social Joint Stock Company — Operational Sub-processor performing data science, model training and fine-tuning of Client-Specific Models, client support, and incident response. Location: Vietnam. Registered address: [insert address].
- Trust IQ Limited Liability Company — Operational Sub-processor performing data science, model training and fine-tuning of Client-Specific Models, client support, and incident response. Location: Vietnam. Registered address: [insert address].
Infrastructure Sub-processors
- Amazon Web Services (AWS) — Cloud infrastructure hosting. Location: [insert AWS region, e.g., ap-southeast-1 Singapore], or other region notified to Client.
- Google Cloud (Google Asia Pacific Pte. Ltd) — Cloud infrastructure hosting. Location: Singapore, or other region notified to Client.
Operational Sub-processors (processing Client Personal Data)
- Security monitoring — Trust IQ internal security systems and/or third-party security monitoring providers notified to Client where required.
- AI / model-service providers — processing only where applicable to the Vision Score pipeline and only under written sub-processing terms. Vendor, location and processing scope to be notified to Client before use.
Note: Service providers that process Trust IQ's independent organisation data (Portal User Data, KYB information, email/communications to Authorized Users, account-management support) and not Client Personal Data on Client's behalf are listed separately in the Privacy Policy and the public service-provider page, and are not Sub-processors for purposes of this DPA.
The current list of Sub-processors may also be published at a URL or Portal location notified to Client from time to time, and is updated in accordance with Section 6.4 of this DPA.
Schedule 3 — Technical and Organisational Security Measures
Trust IQ implements and maintains technical and organisational measures, or substantially equivalent measures, designed to protect Client Personal Data having regard to the nature, sensitivity and risk of the processing. Such measures include:
- Access controls — role-based access control with least-privilege principle, multi-factor authentication for personnel access to systems processing Client Personal Data, and prompt revocation upon role change or termination;
- Encryption — encryption at rest using AES-256 or equivalent, encryption in transit using TLS 1.2 or higher, and key management with regular rotation;
- Network and infrastructure security — network segmentation, vulnerability scanning, prompt patching, and periodic penetration testing or security assessment appropriate to the risk of the processing;
- Application security — secure software development lifecycle practices, input validation, and dependency scanning;
- Logging and monitoring — centralised audit logging of access and administrative actions on systems processing Client Personal Data, log retention for a period appropriate to the sensitivity of the data, and security monitoring and alerting with defined incident response procedures;
- Personnel security — confidentiality obligations, background checks for personnel with privileged access where permitted by law, and regular security and privacy training;
- Business continuity and disaster recovery — backup and restore procedures, redundancy, and tested recovery plans;
- Incident response — defined incident response team, roles, and procedures for Personal Data Breach notification consistent with Section 8; and
- Assurance — Trust IQ may pursue industry-standard certifications (such as ISO/IEC 27001 or SOC 2 Type II) and will provide then-available third-party audit reports, certifications, penetration-test summaries, or equivalent documentation upon request, subject to confidentiality and reasonable redaction.
Execution
This DPA is pre-executed by Trust IQ Pte. Ltd. and takes effect as a binding agreement between the Parties upon Client's acceptance of the Portal Documents at sign-up, as recorded in Trust IQ's acceptance logs.
For Trust IQ Pte. Ltd.:
This DPA is deemed pre-executed by Trust IQ Pte. Ltd. and becomes binding upon Client's acceptance of the Portal Documents through the Portal acceptance flow. No additional Trust IQ wet-ink or electronic signature is required unless Trust IQ agrees to execute a counterpart for evidentiary purposes (including for filings, audits, or supervisory authority requests), in which case execution by electronic signature (using Adobe Sign or equivalent) shall not change any terms of this DPA.
For Client:
Entity name, authorised representative and acceptance timestamp will be recorded in Trust IQ's Portal acceptance logs.
Contact Us
Trust IQ Pte. Ltd.
Registered office: #07-01 Suntec Tower 2, 9 Temasek Boulevard, Singapore 038989
Data Protection Officer: data-privacy@trustingsocial.com