Data Processing Terms

Version dated: 9th of December 2024

0.1 Overview

These data processing terms (the "Data Processing Terms") set out the terms and conditions applicable to Wenn Property AS's ("WP") Processing of Personal Data on behalf of the Customer under the Agreement. The Data Processing Terms shall take precedence over the Agreement, including any terms incorporated therein, for matters pertaining to WP's Processing of Personal Data on behalf of the Customer.

0.2 Customer's role

Customer is either a controller or a processor of the Personal Data processed under these Data Processing Terms. When Customer is a data controller, WP is a data processor. When Customer is a data processor, WP is a sub-processor. These Data Processing Terms cover both situations.

WP understands that if the Customer is considered a data processor in its agreement with its customer, see section 0.2 above, the Customer acts on behalf of another legal controller of the Personal Data processed under these Data Processing Terms, and that WP shall be subject to similar obligations as the Customer is required by its customer in accordance with Article 28(4) of the GDPR.

All rights of the Controller under these Data Processing Terms also apply to the Customer's customers when they are the legal controller of the Personal Data. Unless otherwise specified, WP shall only be in direct contact with and follow the instructions from the Customer, even if there is another legal controller of the Personal Data processed under these Data Processing Terms.

These Data Processing Terms include the Data Processing Specification attached as Attachment 1 hereto.

Subject to Clause 13 below, these Data Processing Terms apply as of the date set out above.

1. Background and purpose

Under the terms of the Agreement, WP will have access to and process Personal Data on behalf of the Controller.

These Data Processing Terms set forth the rights and obligations of the parties pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR"), and the applicable national data protection legislation implementing the GDPR (jointly, the "Applicable Data Protection Law").

2. Definitions and Interpretation

For the purposes of these Data Processing Terms, "Controller", "Data Subject", "Member State(s)", "Processor", "Processing", "Personal Data", "Personal Data Breach", "Third Countries" and "Supervisory Authority" shall have the meanings assigned to them in the Applicable Data Protection Law.

Other capitalised terms and expressions used in these Data Processing Terms shall have the meaning set out in the Agreement and as defined herein, including in Clause 15 below.

3. Description and purpose of the Processing

The Processing carried out by WP on behalf of the Customer under these Data Processing Terms, including its nature and purpose, relevant Processing operations, categories of Personal Data and Data Subjects involved, is further described in the Data Processing Specification.

4. Requirements for the Processing

4.1 General requirements

WP shall only Process the Personal Data in accordance with these Data Processing Terms, the Agreement, instructions from the Customer and Applicable Data Protection Law, and not process Personal Data for any other purposes.

The restrictions set out in Clause 4.1.1 shall not apply where WP is obligated to Process the Personal Data pursuant to Member State or EU/EEA law. In the event of any such obligation, WP shall notify the Customer unless prohibited from disclosing this information by the relevant laws.

If, in WP's opinion, an instruction from the Customer is in violation of Applicable Data Protection Law or other mandatory national or EU/EEA law, WP shall notify the Customer thereof.

WP shall ensure that measures are implemented in accordance with the requirements of the Applicable Data Protection Law in order to ensure confidentiality (i.e. that Personal Data are not disclosed to unauthorized persons or parties), integrity (i.e. that the Personal Data is not unintentionally changed in relation to the Processing) and availability (i.e. that the persons who are required to have access to the Personal Data have the necessary access) in relation to the Processing of Personal Data.

4.2 Transfers of Personal Data to Third Countries

WP shall (and shall procure that any WP personnel shall) not Process or cause the Personal Data to be Processed outside the EEA without the Customer's prior written consent, and provided that the necessary measures to ensure an adequate level of protection for the Personal Data in accordance with the Applicable Data Protection Law are in place. In the event that an approved transfer of Personal Data outside the EEA requires that Standard Contractual Clauses ("SCC") pursuant to Commission Implementing Decision 2021/914/EU of 4 June 2021 (or any successor thereto) are entered into with the Third Country recipient of the Personal Data, WP shall enter into such SCCs with the Third Country recipient in its own name.

By entering into the Agreement, the Customer consents to the transfers of Personal Data identified in the Data Processing Specification attached to these Data Processing Terms.

4.3 Personnel requirements

WP shall ensure that the Personal Data are Processed solely by reliable personnel who are:

  • granted access to the Personal Data on a need-to-know basis;
  • familiar with the Applicable Data Protection Law provisions applicable to the Processor's Processing of Personal Data;
  • trained in the care, protection and handling of Personal Data;
  • authorised to Process the Personal Data only as necessary for the purposes set out in these Data Processing Terms; and
  • subject to appropriate confidentiality obligations.

5. Security

5.1 Processing security requirements

WP has implemented and maintains appropriate technical and organizational security measures to protect the Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and other breaches of security.

The security measures described in Clause 5.1.1 are implemented with regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

WP shall, upon the Customer's request, make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Clause 5.1.

5.2 Security incidents and notification (Personal Data Breach)

Upon becoming aware of any Personal Data Breach, WP shall, without undue delay, after having become aware of the incident, notify the Customer and provide all information and cooperation that the Customer may reasonably require in order for the Customer to fulfil its Personal Data Breach requirements under the Applicable Data Protection Law. Further, WP shall take such measures and actions necessary to remedy and mitigate the effects of the Personal Data Breach.

6. Data protection impact assessment

WP shall upon the Customer's request provide all reasonable and timely assistance as the Customer may require in order to conduct a data protection impact assessment (DPIA) as set out in Article 35 GDPR and, if necessary and upon request from the Customer, consult with its relevant Supervisory Authority.

7. Cooperation with the Controller and the Supervisory Authority

WP shall provide such assistance requested by the Customer as is necessary to enable the Customer to fulfil its obligations pursuant to Articles 32 to 36 of the GDPR, and to enable the Customer to respond to (i) requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including the rights of access, correction, objection, erasure and data portability, as applicable); and (ii) other correspondence, enquiries or complaints received from a Data Subject, Supervisory Authority or other third party in connection with the Processing of the Personal Data.

In the event that any such request, correspondence, enquiry or complaint is made directly to WP, WP shall inform the Customer without undue delay, providing the necessary details of the same.

8. Audit and compliance review

WP shall respond to inquiries from the Customer relating to its Processing of Personal Data, including making available all information necessary to demonstrate compliance with these Data Processing Terms and WP's obligations under the Applicable Data Protection Law.

Unless otherwise required by the Applicable Data Protection Law, the Customer shall be entitled to perform audits of WP's compliance with these Data Processing Terms and the Applicable Data Protection Law. Such audits or inspections are limited to one (1) each calendar year of the Term and subject to four (4) weeks' written notice to WP, unless otherwise required by a governmental authority to which the Customer is subject.

9. Use of Sub-Processors

9.1 General requirements for the use of Sub-Processors

Customer may not sub-contract any Processing of Personal Data to any subcontractor ("Sub-Processors"), without the prior written authorization of the Customer. WP shall impose data protection terms on Sub-Processors it appoints in accordance with the foregoing sentence which are in accordance with the data protection obligations set out in these Data Processing Terms.

WP shall remain responsible for any acts and/or omissions of its Sub-Processors as if they were carried out by WP itself.

The Sub-Processors engaged by WP, and authorized by the Customer, at the signature date of the Agreement are set out in the Data Processing Specification attached hereto.

9.2 Engagement or replacement of Sub-Processors

In the event that WP replaces any of the Sub-Processors set out in the Data Processing Specification, or engages a new Sub-Processor, the Customer shall be entitled to thirty (30) calendar days' written notice informing the Customer of WP's intentions.

The Customer shall be entitled to object to WP's replacement or addition of Sub-Processors if there is reasonable cause to believe that the engagement of the Sub-Processor in question would be detrimental to the data protection requirements set out herein. If the Customer objects to the Sub-Processor, the parties shall negotiate in good faith to find a solution to address the Customer's concerns.

WP shall keep an updated list of all Sub-Processors engaged in the Processing of Personal Data on behalf of the Customer available at the Customer's request at all times.

10. Term and termination

These Data Processing Terms shall remain in effect for as long as WP Processes Personal Data on behalf of the Customer for the purposes described in these Data Processing Terms.

11. Data retention

Upon the termination of the Agreement and the expiry of these Data Processing Terms, WP shall return to the Customer all of the Personal Data and any copies thereof which WP is Processing or has Processed on behalf of the Customer and which has not already been deleted in accordance with agreed retention policies, and/or securely destroy the same.

Notwithstanding the above, WP may retain such Personal Data as WP is under a legal obligation to retain under national or EU/EEA law.

12. Liability and indemnification

The parties' liability for damage suffered by a data subject or other natural persons which is due to a violation of the Applicable Data Protection Law, will follow the provisions of article 82 of the GDPR.

The parties are individually liable for administrative fees imposed pursuant to article 83 of the GDPR.

13. Changes to the Data Processing Terms

The provisions set out in the Data Processing Terms may be subject to changes to accommodate changes to the Applicable Data Protection Law. The Customer shall be given written notice of such changes. The changes will be implemented upon the renewal of the then-current term (the Initial Period or a Renewal Period, as the case may be), unless the Applicable Data Protection Law requires such changes to take effect sooner.

Notwithstanding the above, the Data Processing Specification may be updated from time to time to (a) reflect agreed changes in the Customer's instructions or to accommodate changes to the Services of WP; or (b) reflect changes to the Processing carried out in accordance with Clause 9.2 and 4 of these Data Processing Terms.

14. Consideration

WP shall be entitled to consideration from the Customer on a time and materials basis for its assistance and participation pursuant to Clauses 6 (Data protection impact assessment), 7 (Cooperation with the Controller and the Supervisory Authority) and 8 (Audit and compliance review) above, provided however that if an audit reveals any non-compliance with these Data Processing Terms, then WP shall not be entitled to charge Customer for the costs of the audit.

15. Definitions

The capitalized terms below shall, for the purpose of these Data Processing Terms, have the following meaning:

  • "Agreement" means the agreement, entered into between the Customer and WP to which these Data Processing Terms apply, including any other terms incorporated by reference therein;
  • "Initial Period" means the initial duration of the Agreement; and
  • "Renewal Period" means each period the Agreement is renewed for after the Initial Period.

Attachment 1 – Data Processing Specification

Version dated: 9th of December 2024

1. Description and purpose of the Processing

1.1 Purposes and nature of the Processing

The overall purpose of the Processing is to fulfil the purposes and provide the services set out in the Agreement. The operation of WP's solution and the provisioning of an optimized tool to the Customer require certain processing of personal data.

Under these Data Processing Terms, WP will store Personal Data of the Customer (as described in section 1.4 below) in the tenant storage, to enable the relevant data flow, to allow the Customer to utilize WP's solution in its business operations, and to establish a damage assessment report on behalf of the Customer.

1.2 Processing of Personal Data outside the scope of these Data Processing Terms

Appendix 3 to the Agreement sets out the Conceptual Data Architecture of WP, including a description of the relevant scenarios of data processing and the parties' roles and responsibilities in this regard.

WP intends to anonymize certain Personal Data provided by the Customer for use in machine learning and data analytics. Once the Personal Data has been anonymized in accordance with GDPR requirements, such that the data subjects can no longer be identified directly or indirectly, the resulting anonymized data falls outside the scope of these Data Processing Terms and GDPR. WP will be free to process such anonymized data for machine learning and analytics purposes without the constraints of these Data Processing Terms.

Where Appendix 3 appoints WP as the Controller for a specific processing operation, WP's Processing of Personal Data is outside the scope of these Data Processing Terms.

1.3 Processing operations

The Processing of the Personal Data for the purposes described in Clause 1.1 above will involve such Processing operations as are necessary in pursuit of the stated purposes, including, inter alia, the following basic Processing operations such as data collection, disclosure, access, storage and structuring, as well as deletion.

Some operations may be wholly or partially automated. Additional Processing operations may also be performed subject to the Customer's instructions or be required to accommodate changes to the Pilot from time-to-time.

1.4 Categories of Personal Data

As a Processor the processing may involve, inter alia, the following categories of Personal Data: insurance policy information, names, email addresses, phone numbers, addresses, IDs of the reports created by WP, and the report itself. The report may contain the following categories of Personal Data: descriptions of the property, damages and cause, property addresses, photos from properties and documentation of restoration need/work.

Additional Personal Data may also be Processed subject to the Customer's instructions or to accommodate changes to the Pilot from time-to-time.

1.5 Special categories of Personal Data

No special categories of Personal Data will be involved in the Processing.

1.6 Categories of Data Subjects

The Personal Data being Processed will primarily concern the employees of the Customer.

2. Sub-Processors and Processing locations

The Sub-Processors using the Processing locations set out in the table below are engaged by WP as of the signature date of the Agreement and are to be considered approved by the Customer as of the same date.

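| Entity name and contact details | Function                    | Processing location(s) |
|---------------------------------|-----------------------------|------------------------|
| Microsoft Azure                 | Data processing and storage | EU and EEA             |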

3. Applicability of the Data Processing Specification

Subject to Clause 13 of the Data Processing Terms, this Data Processing Specification applies as of the date set out above.

4. Security

WP will implement appropriate technical and organizational security measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The measures are further described in the Wenn Property Security Brief.