Data Protection Agreement Regarding Amplifai’s Software Solutions

Effective date: 4th September 2025

1. PROCESSOR AND CONTROLLER ROLES AND RESPONSIBILITIES

Amplifai AS (“the Supplier”) will, in order to provide the SaaS Services including any agreed Deliverables and Consultancy Services according to the agreed Order Form, which will constitute analytics and aggregated financial data collection and reporting of financial key figures and other operational data, process personal data as a processor.

The Customer defined in the Order Form will act as the controller when the Supplier processes personal data on the Customer’s behalf. Customer’s initial instructions and further processing details are set out below in section 4.

The Terms defined in Article 4 of the EU General Data Protection Regulation (“GDPR”) shall apply to this DPA.

This DPA forms an integral part of the Agreement and applies for as long as the Supplier processes personal data on behalf of the Customer, and is an integral part of the Order Form.

2. WARRANTY

Supplier warrants that it has implemented appropriate technical and organizational measures in such a manner that its processing of personal data under this DPA will meet the requirements of applicable data protection law and ensure the protection of the rights and freedoms of the data subjects.

Failure by the Supplier to fulfil its obligations under this DPA shall constitute a breach of the agreement.

3. PROCESSING DETAILS

Supplier warrants it will meet the requirements under Article 28 GDPR by:

a) Only processing personal data as instructed by the Customer in the DPA or later written instruction.

b) Notifying the Customer if Supplier believes that an instruction is in violation of applicable data protection laws.

c) Ensuring that individuals processing personal data are bound by a duty of confidentiality.

d) Implementing appropriate technical and organizational measures to ensure a level of security for personal data appropriate to the risk.

e) Assisting the Customer in its duty to respond to data subjects' requests to exercise their GDPR rights.

f) Fulfilling the requirement for data breach notification and assistance.

g) Assisting the Customer with data protection impact assessments and any cooperation with the relevant supervisory authority.

h) Immediately informing the Customer in writing of any legal obligation that requires Supplier to disclose personal data that Supplier processes on behalf of the Customer.

i) Demonstrating compliance with the obligations under Article 28 GDPR by making available necessary information on Customer’s request.

j) Allowing and contributing to any reasonable audits directed by the Customer.

k) Deleting or returning personal data and copies at the Customer’s choice at the end of the service relating to the processing.

Due to the uncertain scope of points e, f, g and j above, these tasks may be subject to additional payment on a time-and-material basis in accordance with applicable rates.

4. INITIAL INSTRUCTIONS OF PROCESSING

Purposes

The purposes of the processing are the delivery of the SaaS Services including any agreed Deliverables and Consultancy Services according to the agreed Order Form, which may be described as follows:

Supplier has developed a cloud-based software platform intended to automate and improve financial data collection and reporting of financial key figures and other operational data, allowing customers to retrieve deep insights for decision-making and consolidated financial statements.

The system uses third-party machine learning systems and manual guidance and verification from the users (human-in-the-loop) in order to select and retrieve data directly from portfolio companies’ and subsidiaries’ accounting systems, project systems, Excel reports, and BI tools. The output from this software platform is structured and optimized by selected third-party machine learning systems and manual guiding from the users (human-in-the-loop) in order for customers to solve various issues regarding data collection and reporting, analysis and decision-making, forecasting, etc. Customer will obtain access to the system by means of a web interface, through which Customer will have the functionality described for each software solution in the Order Form concluded between Supplier and Customer and covering the delivery of the system.

Categories of personal data and data subjects

The Supplier will process the personal data provided by the Customer through its use of the software in accordance with the Order Form. This data may include, but is not limited to, the following categories:

  • Employee Data: Names, job titles, email addresses, phone numbers, and employment details.

  • Financial Data: Transactional information linked to identifiable individuals.

  • Platform User Data: Names of users, login credentials, usage logs, and related information.

  • Data from Integrated Systems: Personal data retrieved from accounting systems, project management tools, Excel reports, and BI tools.

  • System Monitoring Data: Information such as IP addresses and device details.

Sub-Processors

The Customer authorizes the Supplier to engage third-party sub-processors for specific processing activities, including the use of third-party machine learning systems, provided that:

  1. The Supplier ensures that sub-processors are bound by equivalent data protection obligations.

  2. The Supplier provides prior notice to the Customer of any changes to the list of sub-processors.

The Supplier will be responsible for its own sub-processors.

Supplier will notify the Customer of any intended changes of sub-processors or locations of processing, offering the Customer the opportunity to object. If the Customer objects to Supplier’s engagement of a sub-processor, the Supplier is free to terminate the agreement, and both parties are free of their obligations.

5. MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA

The Supplier shall:

  • Implement technical and organisational measures to ensure the security of personal data;

  • Ensure that the level of protection guaranteed to data subjects under applicable data protection laws, including the GDPR, is maintained and not compromised.

6. INTERNATIONAL DATA TRANSFERS

The personal data required for processing does not require any additional basis for export if the processing occurs exclusively within the EEA. If personal data is transferred outside the EEA, the Supplier shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other mechanisms approved under the GDPR.

7. TERM AND TERMINATION

This DPA shall remain in effect for the duration of the Supplier’s provision of the platform to the Customer. Upon termination, the Supplier shall delete or return all personal data upon the request of the Customer.