Personal Data Protection Commitment

Subcontracting Terms - UPMEET

The purpose of this personal data confidentiality protection undertaking is to define the terms under which VRM undertakes to carry out, on behalf of the CLIENT, the processing of personal data defined hereinafter (hereinafter the “Undertaking”). In this respect, VRM shall act as a processor and the CLIENT shall act as a controller. As part of their contractual relationship, the Parties undertake to comply with the regulations applicable to personal data processing, including, in particular, the GDPR. The nature of the operations performed on the data consists of collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure, or destruction.

VRM is authorized to process, on behalf of the CLIENT, the personal data necessary to provide services consisting of handling oral exchanges between individuals using the Upmeet solution, transcribing and summarizing them (hereinafter the “Services”). By subscribing to the Services, the CLIENT will grant access to the Services to a given number of individuals, whether employees or otherwise, among its staff (hereinafter the “Users”). The CLIENT acknowledges that, by using the Services, the Users may disclose personal data (hereinafter the “Client Data”), for which the CLIENT acknowledges being the data controller. The nature of the operations performed on the data consists of collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.

The purpose(s) of the Client Data processing are:
- to simplify note-taking during meetings and other gatherings by allowing them to be transcribed and summarized automatically using artificial intelligence;
- to provide online access to the Services;
- to provide the Services.

The personal data processed on behalf of the CLIENT are:
- Data relating to Users:
  o Identity (last name, first name);
  o The sound of the Users’ voice (and any individuals participating in meetings) during the use of the Services;
  o The transcription of the Users’ voice (and any individuals participating in meetings) during the use of the Services;
  o Users’ contact details (email address, telephone number);
  o Any personal data stated by the Users (and individuals participating in meetings) during the use of the Services.
- Certain data relating to the use of the Services:
  o Frequency of use, number and duration of connections.
- Data automatically collected on VRM’s websites: cookies, it being understood that these are entirely controlled by the Users via their own web browser, and that it is necessary to obtain the Users’ consent before collecting these data.

The categories of data subjects are:
- the Users;
- any person participating in a meeting or any oral exchange using the Services.

VRM undertakes to:
• process the Client Data only for the sole purpose(s) that are the subject of this subcontracting;
• process the Client Data in accordance with the documented instructions of the CLIENT. If VRM considers that an instruction constitutes a violation of the GDPR or any other provision of European Union law or Member State law regarding data protection, it shall immediately inform the CLIENT.
• In addition, if VRM is required by European Union law or the law of the Member State to which it is subject to itself transfer the Client Data to a third country or an international organization, it must inform the CLIENT of this legal obligation before processing, unless the law concerned prohibits such information on important grounds of public interest;
• apply the best industry standards for ensuring the confidentiality of the Client Data processed under this Undertaking;
• ensure that persons authorized to process Client Data:
  o undertake to respect confidentiality or are subject to an appropriate statutory obligation of confidentiality;
  o receive the necessary training in personal data protection;
• take into account, with respect to its tools, products, applications, or services, the principles of data protection by design and by default.

VRM may use subcontractors to carry out specific processing activities. In such cases, it shall inform the CLIENT in advance and in writing of any planned changes concerning the addition or replacement of other subcontractors. This information must clearly state the subcontracted processing activities, the identity and contact details of the subcontractor, and the dates of the subcontract. The CLIENT has a period of 14 days from the date of receipt of this information to raise any objections. This subcontracting can only be carried out if the controller has not objected within the agreed timeframe. VRM is already authorized by the CLIENT to use the following subcontractors: • AMAZON WEB SERVICE; • AZURE OPEN AI Microsoft. The subcontractor is required to comply with the obligations of this Undertaking on behalf of and according to the instructions of the CLIENT. It is VRM’s responsibility to ensure that the subcontractor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR. If the subcontractor fails to fulfill its data protection obligations, VRM remains fully responsible to the CLIENT for the performance of the subcontractor’s obligations.

When data subjects submit requests to VRM to exercise their rights, VRM shall forward these requests to the CLIENT immediately upon receipt, by email to the address provided by the CLIENT. The CLIENT guarantees that the individuals concerned by the processing of Client Data have the right to be informed and to access the data concerning them, the right to rectification and erasure, the right to restriction and to object to the processing, the right not to be subject to any automated data processing intended to define their profiles or assess certain aspects of their personality, and, where applicable, the right to data portability. To exercise all of these rights, individuals may contact:
- For the CLIENT: at the address provided by the CLIENT on the Website
- For VRM: rgpd@upmeet.ai

It shall be the responsibility of the CLIENT to respond to such a request or to instruct VRM whether or not to respond to the request. VRM will respond favorably to any reasonable request for assistance in handling such requests from the CLIENT’s data subjects.

VRM shall notify the CLIENT without delay of any personal data breach. This notification is made by sending an email to the address provided by the CLIENT for this purpose. This notification is accompanied by all necessary documentation to enable the CLIENT, where appropriate, to notify the competent supervisory authority of this breach.

VRM will store and process Client Data and Personal Data within the European Union. VRM does not control or restrict the geographical areas from which the CLIENT or the Users can access or transfer the Client Data.

VRM will neither disclose nor grant access to any Client Data except: (1) in accordance with the instructions of the CLIENT, (2) in accordance with Article 5 hereof, or (3) if required by law. VRM will not disclose or grant access to any Client Data to the authorities, except if required by law. Any request from an authority aiming at disclosure of or access to the Client Data received by VRM shall be immediately forwarded to the CLIENT, insofar as permitted by applicable law. If VRM is compelled by law to disclose Client Data to the authorities or to grant them access, VRM undertakes to promptly inform the CLIENT thereof and to provide a copy of the request, to the extent permitted by applicable law.

VRM provides the CLIENT with a tool for anonymizing the Client Data. In this respect, the CLIENT is informed that any User or other participant in the Services must have given their consent to the processing of their personal data, and failing that, the relevant data must be fully anonymized.

VRM assists the CLIENT in conducting impact assessments related to the protection of Client Data. For this purpose, VRM shall provide all the necessary information for conducting the said impact assessment related to Client Data protection. VRM assists the CLIENT in conducting the prior consultation with the supervisory authority. VRM undertakes to cooperate with any supervisory authority, upon the latter’s request, in the performance of its tasks.

VRM undertakes to implement the following security measures:
• Pseudonymization and encryption of Client Data;
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services – VRM undertakes, upon the CLIENT’s request, to provide a description of such measures;
• Measures to restore the availability of Client Data and access to it within a maximum of 72 hours in the event of a physical or technical incident;
• A procedure aimed at testing, assessing, and regularly evaluating the effectiveness of the technical and organizational measures to ensure the security of the processing.

For the entire duration of the CLIENT’s subscription to the Services, the CLIENT will have the possibility to access, extract, and delete the stored Client Data. VRM will retain the Client Data that remain stored in an account with limited functionalities for 90 days following the expiration or termination of the Services subscribed by the CLIENT, so as to allow the CLIENT to extract such data. At the end of the ninety (90) day retention period, VRM will deactivate the CLIENT’s account and irreversibly destroy the Client Data. Once destroyed, VRM may, at the CLIENT’s request, confirm in writing that said destruction has taken place.

VRM declares that it maintains, in writing, a record of all categories of processing activities performed on behalf of the CLIENT, which includes:
• The name and contact details of the CLIENT, of any subcontractors, and, where applicable, of the Data Protection Officer;
• The categories of processing carried out on behalf of the CLIENT;
• Where applicable, transfers of personal data to a third country or an international organization, including the identification of such third country or international organization and, in the case of the transfers referred to in Article 49(1), second subparagraph of the GDPR, the documents proving the existence of appropriate safeguards;
• To the extent possible, a general description of the technical and organizational security measures, including, among others, where necessary:
  o Pseudonymization and encryption of personal data;
  o Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  o Measures to restore the availability of personal data and access to it in a timely manner in the event of a physical or technical incident;
  o A procedure aimed at testing, assessing, and regularly evaluating the effectiveness of the technical and organizational measures to ensure the security of processing.

VRM makes available to the CLIENT the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be conducted by the CLIENT or another auditor appointed by it, and to contribute to such audits.

VRM undertakes to carry out or have carried out, through specialized service providers, inspections by means of audits. In this regard, VRM undertakes to make available to the CLIENT all documentation necessary to demonstrate compliance with its obligations under this Undertaking, including by providing the CLIENT with audit reports. Furthermore, VRM undertakes to promptly inform the CLIENT of any inspection carried out by any administrative authority concerning compliance with its obligations in the field of personal data protection, as well as of the outcome of such inspections and any penalties that may be imposed on it. The CLIENT reserves the right to conduct such an audit itself or through a service provider of its choice at any time, subject to providing fifteen (15) days’ notice. VRM undertakes to cooperate in good faith with the auditor appointed by the CLIENT. Thus, VRM undertakes to facilitate the auditor’s access to its premises, and to any document, information, or other element useful for the proper conduct of the audit. The CLIENT may hold VRM liable if it is established that VRM has failed to comply with its obligations under this Undertaking.

The CLIENT undertakes to:
1. document in writing any instructions given to VRM concerning the processing of data;
2. ensure, prior to and throughout the processing, that VRM respects the obligations provided for by the GDPR;
3. supervise the processing, including carrying out audits and inspections of VRM;
4. provide the name and contact details of the CLIENT’s data protection officer or data protection contact person.

To the extent that VRM uses or otherwise processes personal data subject to the GDPR for its own purposes, VRM shall comply with the obligations applicable to an independent data controller within the meaning of the GDPR for such use. In this regard, the Users and data subjects may consult VRM’s personal data protection policy at: https://www.upmeet.ai/privacy/

Last updated: January 5, 2025
