Data Processing Addendum.

Munsit

Data Processing Agreement

This Data Processing Agreement (the “ DPA ”) along with any schedules, exhibits or addendums, is incorporated into the Product Schedule (the “ Agreement ”) between CNTXT (the “ Company ”) and the Customer identified and defined in the Order Form (each a “ Party ” and collectively, the “ Parties ”) and is effective as of the effective date mentioned in the Order Form (the “ Effective Date ”).

BACKGROUND

A. The Company currently provides Services to the Customer as defined under the Agreement. In the course of providing the Services, CNTXT acts as a Processor on behalf of the Customer of any relevant Personal Data and the Customer acts as a Controller (as those terms are defined in the Federal Personal Data Protection (PDP). Schedule 1 to this Agreement sets out a description of the personal data being processed, the purposes of processing and approved Sub-Processors.

B. The Parties have entered into this Agreement in order to reflect the specific data protection rights and obligations of each Party in connection with the provision of the Services.

C. Unless the context otherwise requires, terms defined in the Agreement shall have the same meaning when used in this DPA.

The Parties agree to the following terms which, subject to clause 2.2, shall be supplemental to the terms of the Agreement and it is hereby agreed as follows:

1 Definitions

1.1 In this Agreement, unless the context otherwise indicates:

Term	Description
"Data Protection Legislation"	means any applicable laws concerning the protection of personal data or privacy, and any legislation in any jurisdiction which implements, supplements or is equivalent to the Federal Personal Data Protection (PDP) issued by Federal Decree Law No.45 of 2021;
"Personal Data"	means any personal data (as defined in the Federal Personal Data Protection (PDP)) which is provided by Customer to CNTXT in connection with or for the provision of the Services, as described in the Schedule to this Agreement or as may otherwise be provided by CNTXT to the Customer from time to time;
"Personal Data Breach"	means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
"Regulator"	means any supervisory authority with authority under the Federal Personal Data Protection (PDP) over the processing of Personal Data;
"Relevant International Transfer(s)"	means an international transfer of personal data outside of the UAE.
"Sub-Processor"	has the meaning given to that term in clause 5.1; and
" Controller", " Data Subject ", " Processor ", " process ", " supervisory authority "	shall have the meaning given to those terms in the Federal Personal Data Protection (PDP).

1.2 In this Agreement:

1.2.1 References to a statutory provision include any subordinate legislation under that provision in its respective current version.

1.2.2 Any reference to a statute shall, unless the context otherwise requires, be construed as a reference to that statute as from time to time amended, consolidated, modified, extended, replaced or re-enacted together with any secondary legislation made thereunder as from time to time amended, consolidated, modified, extended, replaced or re-enacted.

1.2.3 Headings shall be ignored in construing this Agreement.

1.2.4 If a word or phrase is defined, its other grammatical forms have a corresponding meaning.

1.2.5 The words "include", "includes" and "including" and any succeeding words shall be construed without limitation to the generality of any preceding words or concepts.

1.2.6 each provision shall be deemed to have been drafted by the Parties equally and no provision shall be interpreted against a Party on the basis that it was prepared by that Party.

2 Status of Agreement

2.1 This DPA forms part of the Agreement which has been executed by the Parties.

2.2 To the extent of any inconsistency between the terms of this DPA and the Agreement, this DPA shall prevail.

2.3 This DPA takes effect on the Effective Date and continues until [the later of: (i) the termination or expiry of the Agreement; or (ii)] the Processor ceasing to Process Personal Data in connection with the Services.

3 Processing Obligations

3.1 CNTXT shall subject to clause 3.2, only Process the Personal Data in accordance with the express instructions of CONTROLLER which may be given from time to time (including as necessary to provide the Services and as set out in Schedule 1), including in respect of any international transfers of Personal Data.

3.2 To the extent that CNTXT is required by law to process any Personal Data other than in accordance with CONTROLER’s instructions, CNTXT shall resist such obligations to the maximum extent possible and shall in any event inform CONTROLLER of such requirement before proceeding.

3.3 CNTXT shall:

3.3.1 implement appropriate technical and organizational security measures to protect the security and confidentiality of all Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access;

3.3.2 ensure the reliability of any employee, agent or any Sub-Processor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Personal Data, as strictly necessary for the performance of the Services, and to comply with the Federal Personal Data Protection (PDP) in the context of that individual's duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;

3.3.3 cooperate with, and provide all reasonable assistance to CONTROLLER in meeting CONTROLLER’s obligations under the Federal Personal Data Protection (PDP) in relation to the Services, including to: (i) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk in relation to Personal Data, (ii) notify any Personal Data Breach to a Regulator or to any affected Data Subject, and (iii) comply with requests received from data subjects to exercise their rights under Federal Personal Data Protection (PDP), including the rights to access, rectify or erase Personal Data, the right to object to and obtain restriction of processing, and the right to not be subject to automated decision-making;

3.3.4 provide reasonable assistance to CONTROLLER with any data protection impact assessments, and prior consultations with a Regulator or other competent data protection authorities as required by law;

3.3.5 immediately notify CONTROLLER upon receipt of any request by a Data Subject to exercise his or her rights under the Federal Personal Data Protection (PDP) in respect of any Personal Data (and in any event within 2 Business Days of becoming aware);

3.3.6 immediately inform CONTROLLER , if in its opinion, compliance with any instruction of CONTROLLER would infringe the Federal Personal Data Protection (PDP); and

3.3.7 provide CONTROLLER upon request with all information necessary to demonstrate compliance with this Agreement and the Federal Personal Data Protection (PDP) and shall allow CONTROLLER (or any Regulator or third-party auditor appointed by CONTROLLER) to conduct an audit of its premises and records in order to determine compliance with this Agreement.

3.4 CNTXT shall notify CONTROLLER of all enquiries or communications from a Regulator that the CNTXT receives which relate to Personal Data processed under this Agreement unless prohibited from doing so at law or by the Regulator. In circumstances where a Regulator communicates directly with CNTXT in relation to such Personal Data, CNTXT shall keep CONTROLLER notified of all communications, and shall consult with CONTROLLER in connection with regards to that communication, including all proposed responses. CONTROLLER shall be responsible for all communications or correspondence with the Regulator in relation to CONTROLLER’s role as Controller of Personal Data under the Federal Personal Data Protection (PDP) and, to the extent permitted by law, CNTXT shall make no admission, acknowledgement, or statement in respect of CONTROLLER or its acts and omissions to a Regulator.

3.5 The Parties agree that on the termination of this Agreement and/or the Services, CNTXT and any Sub-Processors shall, at the choice of CONTROLLER, return all the Personal Data transferred and any copies to CONTROLLER or shall destroy all Personal Data and certify to CONTROLLER upon request that it has done so, unless local legislation imposed upon CNTXT prevents it from returning or destroying all or part of the Personal Data transferred. In that case, CNTXT shall hold such Personal Data in accordance with its obligations under this Agreement and shall not Process such Personal Data for any purpose other than as required by law.

3.6 CNTXT shall provide any assistance to CONTROLLER which it is obliged to provide pursuant to this Agreement or the Federal Personal Data Protection (PDP) at no additional cost to CONTROLLER.

4 Personal Data Breaches

4.1 In the event CNTXT becomes aware of an actual or any suspected Personal Data Breach, it shall notify CONTROLLER without undue delay (and in any event within 24 hours of becoming aware). CNTXT shall provide such information, assistance and cooperation and take reasonable commercial steps as CONTROLLER may request to: (i) investigate and defend any claim or regulatory investigation; and (ii) mitigate, remedy and/or rectify such Personal Data Breach. The notification to CONTROLLER must include:

a description of the nature of the Personal Data Breach, including where possible the categories, approximate number of Data Subjects concerned and the identity of each Data Subject affected;
the name and contact details of CNTXT contact from whom more information can be obtained;
a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
any other information CONTROLLER reasonably requests relating to the Personal Data Breach, to allow CONTROLLER to meet any reporting obligations or inform Data Subjects of the Personal Data Breach under the Federal Personal Data Protection (PDP).

For the avoidance of doubt, where a Personal Data Breach is the result of a breach by CNTXT of its obligations under this Agreement, CNTXT shall be responsible for all costs reasonably and properly incurred by the parties in connection with the Personal Data Breach.

4.2 The Parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the appropriate Regulator in connection with a Personal Data Breach, provided that nothing in this clause shall prevent either party from complying with its obligations under the Federal Personal Data Protection (PDP).

4.3 CNTXT shall not notify a Personal Data Breach to any Regulator without the prior written consent of CONTROLLER*.*

5 Sub-Processors

5.1 The Customer acknowledges and agrees that CNTXT may engage Sub-processors as necessary, to support the Services and to process Personal Data for the purposes specified in the DPA. List of Sub-processors that may be engaged by the Company are listed under Schedule 2 herein, which may be updated from time to time (a “ Sub-Processor ”). Any changes to the list of Sub-Processors shall be notified 30 days in advance to the Customer.

5.2 The appointment of a Sub-Processor shall not relieve CNTXT of any liability or responsibility for the performance of any of its obligations under this Agreement.

5.3 CNTXT shall remain fully liable to CONTROLLER for all the acts and/or omissions of any Sub- Processor, CNTXT or sub-CNTXT appointed by CNTXT in connection with the provision of Services to CONTROLLER and shall ensure that any such Sub-Processor is bound by obligations no less onerous than those set out in this Agreement*.*

6 Data Transfers and Safeguards

6.1 The Customer acknowledges and agrees that, for the purpose of providing the Services, Personal Data may be transferred to and processed with the Sub-Processors mentioned in Schedule 2.

6.2 The Parties acknowledge that the legal basis for such transfers and processing under the UAE PDPL is that the processing is necessary for the performance of the contract for the provision of the Services to the Customer, and for any related purposes that are compatible with that primary purpose.

6.3 CNTXT will implement appropriate safeguards to protect Personal Data during such cross- border transfers and subsequent processing, including maintaining contractual protections with relevant sub-processors and relying on their applicable industry-standard security and compliance certifications, where relevant.

7 Indemnity

7.1 Notwithstanding any provision in the Recruitment Contract, CNTXT shall indemnify and hold harmless CONTROLLER from any costs, losses, liabilities, expenses (including legal expenses), penalties or sanctions (“Losses”) which arise directly or indirectly from any breach of this DPA or the Federal Personal Data Protection (PDP) by CNTXT (or any Sub-Processor), except to the extent that such Losses arise directly from any gross negligence or willful breach of contract by CONTROLLER.

8 General

8.1 This DPA may be executed in several duplicates (whether electronically or otherwise), each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

8.2 Each obligation under this DPA shall be treated as a separate obligation and shall be severally enforceable as such, and in the event of any obligation or obligations being found by any authority of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions or parts of such provisions of this DPA, all of which shall remain in full force and effect.

8.3 Subject to any restrictions or requirements set out under this DPA, CONTROLLER shall have the right and power to assign any of its rights, or delegate the performance of any of its obligations, under this DPA to an Affiliate without the prior written authorisation of any other party.

8.4 The failure by a party to assert any of its rights hereunder, including, but not limited to, the right to terminate this DPA due to a breach or default by another party hereto, shall not be deemed to constitute a waiver by that party of its right thereafter to enforce each and every provision of this DPA in accordance with its terms.

8.5 CNTXT’s obligations under this DPA shall survive termination of this DPA to the extent that the CNTXT continues to process any Relevant Personal Data. Termination or expiry of this DPA shall not affect any provision that is expressly or impliedly intended to survive such termination.

8.6 Without prejudice to any other rights or remedies that CONTROLLER may have, CNTXT acknowledges and agrees that damages alone would not be an adequate remedy for any breach of the terms of this DPA. Accordingly, CONTROLLER shall be entitled to seek the remedies of injunctions, specific performance or other equitable relief for any threatened or actual breach of this DPA by the Customer.

8.7 This DPA and all non-contractual obligations arising from it or connected with the Processing of Personal Data are governed by and construed in accordance with the laws of the Abu Dhabi Global Market (ADGM). The Parties to this Agreement irrevocably agree that the courts of the ADGM shall have exclusive jurisdiction to decide and to settle any dispute or claim arising out of or in connection with this Agreement.

Schedule 1 — Description of Processing

Services

The Services are more particularly described in the Recruitment Contract dated on or around the date of this Agreement.

Personal Data

CNTXT shall be provided with the following categories of Personal Data by the Customer in connection with the Services:

identification documents including without limitation, passport copy of potential Candidates, residence ID, photo identity, residential address, email, phone number etc.

Processing Activities

CNTXT shall carry out the following basic processing activities in relation to the Personal Data, for the purpose of providing the Services:

Collection, storage, use, transfer and disclosure of Personal Data

Schedule 2 — List of Sub-Processors

The Company may engage the below listed Sub-processors to provide the Service and to process Personal Data:

Cloud & Infrastructure Providers:

Amazon Web Services (AWS) (US): Hosting infrastructure for scalable compute resources and server deployment, vector and relational database management, secure object storage for data and file hosting.
Microsoft Azure (US): Cloud hosting for AI services, including Speech-to-Text (STT) and Text- to-Speech (TTS).
Google Cloud (US): AI-driven STT and TTS services.
Cloudflare (US): Content Delivery Network (CDN) services, DDoS protection, and enhanced security for web applications.

Webhooks & Event Streaming:

SVIX (US): Webhooks publishing for real-time event delivery.

AI & Language Model Providers:

OpenAI (US): Large language model APIs for AI-driven applications.
Anthropic (US): AI model APIs with a focus on safety and responsible AI.
Cohere (US): NLP models for text generation and semantic search.

Database & Analytics:

Datadog or Similar (US): Application monitoring and security insights.

LLM Observability & Monitoring:

LMNR or Similar (US): LLM observability for monitoring AI model performance and operational metrics.

Identity & Authentication:

Clerk (US): Authentication and user identity management.

Communication & Voice Services:

Twilio (US): SMS, phone, and WhatsApp communication services.
Telnyx (US): VoIP, SIP trunking, and telephony solutions.
LiveKit (US): Real-time voice and video communication.
Eleven Labs (US): AI-powered voice generation and synthesis.
Deepgram (US): Speech-to-Text (STT) AI services.
Cartesia (US): Speech-to-Text (STT) AI services.
PlayAI (US): Speech-to-Text (STT) AI services.

Billing & Metering:

OpenMeter or Similar (US): Real-time event-driven metering and billing.