
Data Processing Addendum


Introduction

This Data Processing Addendum ("Addendum") is entered into between BetterLife Horizons Private Limited, a private limited company incorporated under the Companies Act 2013 and having its registered office at 18th Floor, Tower A, Building No.5, DLF Cyber City, DLF Phase-3, Gurugram, Haryana, India, 122002, operating under the brand name Gabit ("Gabit", "Processor", "we", "us", or "our") and the Customer (as defined in the Agreement) ("Customer", "Controller", "you", or "your").

This Addendum forms part of and supplements the services agreement, master services agreement, or other written or electronic agreement between Gabit and Customer governing Customer's use of Gabit's corporate wellness services, including health monitoring, biometric data analytics, and related services (the "Agreement"). In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail with respect to the Processing of Personal Data.

Customer enters into this Addendum on behalf of itself and any Affiliates authorised to use the Services under the Agreement. For the purposes of this Addendum, references to "Customer" shall include Customer and such Affiliates.


1. Definitions

In this Addendum, the following terms shall have the meanings set out below. Capitalised terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement.

"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means ownership of more than 50% of the voting securities or equivalent ownership interest.

"Applicable Data Protection Laws" means all laws and regulations relating to the processing of Personal Data applicable to the performance of the Agreement, including: (i) Regulation (EU) 2016/679 (the "EU GDPR"); (ii) the EU GDPR as retained in United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the "UK GDPR"), together with the Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection ("Swiss FADP"); and (iv) any other applicable data protection or privacy legislation in any relevant jurisdiction.

"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Addendum, the Customer is the Controller.

"Customer Personal Data" means any Personal Data Processed by Gabit on behalf of Customer in connection with the provision of the Services, as further described in Annex 1.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed.

"Processing" (and "Process", "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means a natural or legal person which Processes Personal Data on behalf of the Controller. For the purposes of this Addendum, Gabit is the Processor.

"Restricted Transfer" means a transfer of Personal Data from the EEA, United Kingdom, or Switzerland to a country which has not been deemed to provide an adequate level of data protection by the relevant authority, including the European Commission, UK Secretary of State, or Swiss Federal Data Protection and Information Commissioner.

"Services" means the corporate wellness, health monitoring, biometric data analytics, and related services provided by Gabit to Customer pursuant to the Agreement.

"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined under Article 9 of the EU GDPR and UK GDPR.

"Standard Contractual Clauses" or "SCCs" means: (i) the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission Decision 2021/914 of 4 June 2021 (the "EU SCCs"); and/or (ii) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 (the "UK Addendum").

"Sub-processor" means any third party appointed by Gabit to Process Customer Personal Data on behalf of Customer in connection with the Services.


2. Scope and Roles of the Parties

2.1 This Addendum applies to the Processing of Customer Personal Data by Gabit under the Agreement, to the extent such Processing is subject to Applicable Data Protection Laws.

2.2 The parties acknowledge and agree that with regard to the Processing of Customer Personal Data:

  • Customer acts as the Controller and determines the purposes and means of Processing;
  • Gabit acts as the Processor and Processes Customer Personal Data solely on behalf of and in accordance with the documented instructions of Customer.

2.3 The details of the Processing, including the subject matter, duration, nature and purpose of the Processing, the categories of Personal Data, and the categories of Data Subjects, are set out in Annex 1 to this Addendum.

2.4 Special Category Data. The parties acknowledge that the Services involve the Processing of health and biometric data which constitutes Special Category Data under Article 9 of the EU GDPR and UK GDPR. Customer shall ensure that a valid legal basis exists under Article 9(2) for the Processing of such data, including obtaining explicit consent from Data Subjects where required. Gabit shall implement appropriate safeguards for the protection of Special Category Data as set out in Section 5 below.


3. Customer Obligations

3.1 Customer shall comply with all Applicable Data Protection Laws in connection with its use of the Services and the Processing of Customer Personal Data.

3.2 Customer shall ensure that it has a valid legal basis for the Processing of Customer Personal Data and, where the Processing involves Special Category Data, a valid condition under Article 9(2) of the EU GDPR / UK GDPR.

3.3 Customer shall ensure that all necessary notices have been given to, and all necessary consents have been obtained from, Data Subjects in accordance with Applicable Data Protection Laws, including explicit consent for the Processing of health and biometric data where required.

3.4 Customer shall ensure that its instructions to Gabit regarding the Processing of Customer Personal Data comply with Applicable Data Protection Laws.

3.5 Customer is solely responsible for determining the lawfulness of the Processing and for compliance with any legal obligations relating to the collection and transfer of Customer Personal Data to Gabit.


4. Gabit's Obligations as Processor

Gabit shall, in relation to Customer Personal Data:

4.1 Processing on Instructions. Process Customer Personal Data only on the documented instructions of Customer (which shall include the terms of the Agreement and this Addendum), unless Processing is required by applicable law to which Gabit is subject, in which case Gabit shall, to the extent permitted by applicable law, inform Customer of that legal requirement before the relevant Processing of that Customer Personal Data.

4.2 Confidentiality. Ensure that all personnel authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such obligations survive the termination of that person's engagement with Gabit.

4.3 No Selling or Sharing. Not sell, share, or otherwise make available Customer Personal Data to any third party for purposes other than the provision of the Services, except as expressly authorised by Customer or required by applicable law.

4.4 Assistance with Data Subject Requests. Taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising Data Subject rights under Chapter III of the EU GDPR / UK GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection. Gabit shall promptly notify Customer if it receives a request from a Data Subject in respect of Customer Personal Data and shall not respond to such request except on Customer's documented instructions or as required by applicable law.

4.5 Assistance with Compliance. Provide reasonable assistance to Customer in ensuring compliance with Customer's obligations under Articles 32 to 36 of the EU GDPR / UK GDPR (security of processing, notification of a personal data breach to the supervisory authority and to the data subject, and data protection impact assessments and prior consultation), taking into account the nature of Processing and the information available to Gabit.

4.6 Deletion and Return of Data. Upon termination or expiry of the Agreement, and at the choice of Customer, either delete or return all Customer Personal Data to Customer, and delete existing copies unless applicable law requires storage of the Customer Personal Data. Where Customer does not make a choice within thirty (30) days of termination or expiry, Gabit shall delete all Customer Personal Data. Any Customer Personal Data retained pursuant to applicable law shall remain subject to the confidentiality obligations of the Agreement and this Addendum.

4.7 Information and Audit. Make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum and Applicable Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, subject to the following conditions:

  • Customer shall give Gabit at least thirty (30) days' prior written notice of any audit request;
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with Gabit's operations;
  • Customer shall ensure that any third-party auditor is bound by obligations of confidentiality;
  • Audits shall be limited to once per year, unless a Personal Data Breach has occurred or a supervisory authority requires additional audits;
  • Gabit may, in the first instance, satisfy audit requests by providing Customer with relevant certifications, audit reports (including SOC 2 or ISO 27001 reports, where available), or responses to reasonable information security questionnaires.

4.8 Records of Processing. Maintain records of Processing activities carried out on behalf of Customer as required by Article 30(2) of the EU GDPR / UK GDPR, and make such records available to Customer and any supervisory authority upon request.


5. Security of Processing

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Gabit shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

  • The pseudonymisation and encryption of Customer Personal Data, both in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing.

5.2 In assessing the appropriate level of security, Gabit shall take account of the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

5.3 The technical and organisational security measures implemented by Gabit are further described in Annex 3 to this Addendum. Gabit may update such measures from time to time, provided that such updates do not materially decrease the overall level of security of the Services.

5.4 Enhanced Measures for Special Category Data. Given that Customer Personal Data includes health and biometric data constituting Special Category Data, Gabit implements the following additional safeguards: role-based access controls limiting access to health data to authorised personnel only; encryption of health data at rest and in transit; audit logging of all access to health data; and regular security assessments of systems processing health data.


6. Personal Data Breach Notification

6.1 Gabit shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall, to the extent reasonably available, include:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
  • The name and contact details of Gabit's Data Protection Officer or other contact point from whom further information can be obtained;
  • A description of the likely consequences of the Personal Data Breach;
  • A description of the measures taken or proposed to be taken by Gabit to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

6.2 Gabit shall take all commercially reasonable steps to contain, investigate, and remediate the effects of a Personal Data Breach and shall keep Customer informed of all material developments.

6.3 Gabit's notification of a Personal Data Breach shall not be construed as an acknowledgement of fault or liability. Unsuccessful security incidents that do not result in unauthorised access to Customer Personal Data (such as unsuccessful login attempts, pings, port scans, or denial of service attacks on firewalls) do not constitute Personal Data Breaches.

6.4 Customer is solely responsible for complying with breach notification obligations to supervisory authorities and affected Data Subjects under Applicable Data Protection Laws.


7. Sub-processors

7.1 Customer hereby provides general written authorisation for Gabit to engage Sub-processors for the Processing of Customer Personal Data. The current list of Sub-processors is set out in Annex 2 to this Addendum and is also maintained at https://gabit.io/sub-processors (or such other URL as Gabit may notify to Customer from time to time).

7.2 Gabit shall:

  • Impose data protection obligations on each Sub-processor by way of a contract that are materially no less protective than those set out in this Addendum;
  • Ensure that each Sub-processor Processes Customer Personal Data only to the extent necessary to perform the sub-contracted services;
  • Remain fully liable to Customer for the performance of each Sub-processor's obligations in relation to the Processing of Customer Personal Data.

8. International Data Transfers

8.1 Customer acknowledges that the provision of the Services may involve the transfer of Customer Personal Data to countries outside the EEA, United Kingdom, or Switzerland that have not received an adequacy decision from the relevant authority (a "Restricted Transfer"). In particular, Customer Personal Data may be transferred to and Processed in India.

8.2 Transfer Mechanisms. Where a Restricted Transfer takes place, the parties agree that the transfer shall be subject to the following appropriate safeguards:

  • For transfers of Personal Data protected by the EU GDPR: the EU SCCs (Module Two: Controller to Processor), which are hereby incorporated into and form part of this Addendum as set out in Annex 4;
  • For transfers of Personal Data protected by the UK GDPR: the UK Addendum to the EU SCCs, which is hereby incorporated into and forms part of this Addendum;
  • For transfers of Personal Data protected by the Swiss FADP: the EU SCCs as modified to reflect Swiss requirements, including references to the Swiss FADP, the Swiss Federal Data Protection and Information Commissioner, and Swiss courts as applicable.

8.3 EU SCCs Configuration. Where the EU SCCs apply under this Addendum:

  • Module Two (Controller to Processor) shall apply;
  • Clause 7 (Docking Clause): the optional docking clause shall apply;
  • Clause 9 (Sub-processors): Option 2 (General Written Authorisation) shall apply, with the time period for prior notice of Sub-processor changes being thirty (30) days;
  • Clause 11 (Redress): the optional language shall not apply;
  • Clause 17 (Governing Law): Option 1 shall apply, governed by the laws of Ireland;
  • Clause 18(b) (Forum): disputes shall be resolved before the courts of the Republic of Ireland;
  • Annex I of the EU SCCs shall be completed with the information in Annex 1 of this Addendum;
  • Annex II of the EU SCCs shall be completed with the information in Annex 3 of this Addendum.

8.4 UK Addendum. Where the UK Addendum applies, Tables 1 to 3 in Part 1 shall be completed with the information in Annex 1 of this Addendum, and Table 4 in Part 1 shall be deemed completed by selecting "Importer".

8.5 Supplementary Measures. Gabit shall implement supplementary technical and organisational measures as necessary to ensure that Customer Personal Data is protected to the standard required by Applicable Data Protection Laws during and after any Restricted Transfer. Such measures may include encryption in transit and at rest, access controls, and regular transfer risk assessments.

8.6 Transfer Risk Assessment. Gabit shall, where required by Applicable Data Protection Laws, conduct and document a transfer risk assessment for Restricted Transfers, assessing the laws and practices of the destination country and the effectiveness of the safeguards in place.


9. Data Protection Officer

9.1 Gabit has appointed the following Data Protection Officer who may be contacted with respect to any issues relating to the Processing of Customer Personal Data under this Addendum:

Name: Prakhar Munde
Email: care@gabit.com

9.2 Data Subjects who wish to exercise their rights under Applicable Data Protection Laws, or who have concerns or complaints relating to the Processing of their Personal Data, may contact the Data Protection Officer at the above address.


10. Government Access Requests

10.1 To the extent legally permissible, Gabit shall promptly notify Customer of any legally binding request from a governmental or regulatory authority for disclosure of Customer Personal Data.

10.2 If Gabit receives a request for access to Customer Personal Data that is not legally binding, Gabit shall reject such request and notify Customer promptly.

10.3 Gabit shall maintain a record of all government access requests relating to Customer Personal Data and shall make such records available to Customer upon request.


11. Liability

11.1 Each party's liability under this Addendum shall be subject to the limitations and exclusions of liability set out in the Agreement.

11.2 Gabit shall indemnify Customer against all losses, liabilities, costs, and expenses (including reasonable legal fees) arising from Gabit's breach of this Addendum or its obligations under Applicable Data Protection Laws, except to the extent that such losses arise from Customer's instructions, Customer's breach of its own obligations under this Addendum, or the actions of Customer's employees, agents, or other processors not appointed by Gabit.


12. Term and Termination

12.1 This Addendum shall remain in effect for so long as Gabit Processes Customer Personal Data under the Agreement.

12.2 The obligations and rights of the parties under Sections 4.6 (Deletion and Return), 6 (Breach Notification), 8 (International Transfers), and 11 (Liability) shall survive termination or expiry of this Addendum.


13. Precedence

13.1 In the event of any conflict or inconsistency between the provisions of this Addendum and the provisions of the Agreement, the following order of precedence shall apply: (a) the Standard Contractual Clauses or UK Addendum; (b) this Addendum; (c) the Agreement.

13.2 If any provision of this Addendum is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.


14. Governing Law

14.1 This Addendum shall be governed by and construed in accordance with the governing law of the Agreement, unless otherwise required by Applicable Data Protection Laws.

14.2 Notwithstanding the foregoing, where the EU SCCs or UK Addendum are incorporated into this Addendum, they shall be governed by the law specified therein.


Annex 1: Description of Processing Activities

This Annex describes the Processing of Customer Personal Data by Gabit in connection with the Services.


Part 1: List of Parties

Data Exporter (Controller)
Name: Customer (as defined in the Agreement)
Address: As set forth in the relevant Order Form or Agreement
Contact Person: As set forth in the relevant Order Form or Agreement
Role: Controller
Activities: Use of Gabit's corporate wellness and health monitoring Services for its employees/members

Data Importer (Processor)
Name: BetterLife Horizons Private Limited (trading as Gabit)
Address: 18th Floor, Tower A, Building No.5, DLF Cyber City, DLF Phase-3, Gurugram, Haryana, India, 122002
Contact Person: Prakhar Munde, Data Protection Officer, care@gabit.com
Role: Processor
Activities: Provision of corporate wellness, health monitoring, biometric data analytics, and related services to Customer

Part 2: Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs. For transfers subject to the UK GDPR, the competent supervisory authority is the UK Information Commissioner's Office (ICO).


Part 3: Description of Processing

Categories of Data Subjects: Employees, contractors, and/or members of Customer who are enrolled in Customer's corporate wellness programme and use the Gabit smart ring and associated application

Categories of Personal Data:
  • Identification data: name, email address, phone number, date of birth, gender
  • Account data: user ID, account credentials, app usage data
  • Health and biometric data (Special Category): heart rate, heart rate variability, blood oxygen saturation (SpO2), skin temperature, sleep patterns and stages, stress levels, step count, calories burned, activity levels, and other biometric metrics collected via the Gabit smart ring
  • Device data: device identifiers, firmware version, Bluetooth connectivity data

Special Category Data: Yes. Health data and biometric data as described above. Explicit consent of the Data Subject is the legal basis under Article 9(2)(a) EU GDPR / UK GDPR.

Frequency of Transfer: Continuous, as data is synced from the smart ring via the Gabit application

Nature of Processing: Collection, storage, organisation, structuring, analysis, retrieval, consultation, use, disclosure (to Customer in the form of analytics dashboards and reports), and erasure/deletion

Purpose of Processing: Provision of the Services to Customer, including: health and wellness monitoring; generation of health insights and analytics; aggregated wellness reporting for Customer; technical support and service improvement

Annex 2: List of Sub-processors

The following Sub-processors are authorised by Customer to Process Customer Personal Data on behalf of Gabit in connection with the Services.

Sub-processors with access to health/biometric data (Special Category Data):

Sub-processor               | Purpose                                                        | Data Location
Amazon Web Services (AWS)   | Cloud infrastructure, data hosting, processing, and storage    | ap-south-1 (Mumbai, India)
Datadog                     | Application monitoring, observability, and logging             | United States
CleverTap                   | User analytics, engagement, and behavioural insights           | EU
Metabase                    | Internal analytics dashboards and customer support tooling     | United States

Sub-processors with access to Customer PII (name, email, phone number, etc.):

Sub-processor               | Purpose                                                        | Data Location
AiSensy                     | WhatsApp business communications and notifications             | India
Zoho SalesIQ                | Live chat and customer support                                 | India / EU
Razorpay                    | Payment processing and transaction management                  | India
Evolve                      | Logistics, order fulfilment, and product delivery (UK)         | United Kingdom

Note: Gabit may update this list from time to time in accordance with Section 7 of this Addendum.


Annex 3: Technical and Organisational Security Measures

Gabit implements the following technical and organisational measures to protect Customer Personal Data:

1. Access Controls

  • Role-based access control (RBAC) with principle of least privilege for all systems processing Customer Personal Data
  • Multi-factor authentication (MFA) enforced for all personnel accessing production systems
  • Unique user IDs and strong password policies in accordance with industry standards
  • Periodic access reviews to ensure appropriateness of access rights
  • Immediate revocation of access upon role change or termination

2. Encryption

  • Encryption in transit: read access to data stored on the ring is protected by a password unique to each ring; TLS 1.2 or higher is used for data in transit between the Gabit mobile app and backend servers
  • Encryption at rest: AES-256 encryption for all stored Customer Personal Data, including health and biometric data

3. Infrastructure Security

  • Cloud infrastructure hosted on Amazon Web Services (AWS) with security groups and network access control lists
  • Regular vulnerability scanning and penetration testing of production environments
  • Security patching applied in accordance with risk-based prioritisation
  • Security logging and monitoring across all infrastructure components
  • Intrusion detection and prevention systems

4. Data Segregation

  • Logical separation of Customer Personal Data in multi-tenant environments
  • Database-level access controls ensuring Customer data isolation

5. Personnel Security

  • Background checks on personnel with access to Customer Personal Data, to the extent permitted by applicable law
  • Confidentiality agreements signed by all personnel
  • Regular data protection and security awareness training

6. Business Continuity and Disaster Recovery

  • Regular automated backups of Customer Personal Data
  • Backup frequency appropriate to the sensitivity of the data
  • Documented disaster recovery procedures with defined recovery time and recovery point objectives
  • Regular testing of backup restoration and recovery procedures
  • Multi-availability zone deployment on AWS for resilience

7. Incident Management

  • Documented incident response procedures with defined escalation paths
  • Root cause analysis following security incidents
  • Corrective action tracking and implementation

8. Vendor Management

  • Due diligence assessments of Sub-processors prior to engagement
  • Contractual data protection obligations imposed on all Sub-processors
  • Periodic review of Sub-processor compliance

Annex 4: Standard Contractual Clauses and UK Addendum

The following Standard Contractual Clauses and UK Addendum are incorporated into this Addendum by reference.

EU Standard Contractual Clauses

The EU SCCs adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference into this Addendum. The parties agree that Module Two (Controller to Processor) applies, completed as specified in Section 8.3 of this Addendum.

UK International Data Transfer Addendum

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, Version B1.0, in force 21 March 2022, is incorporated by reference into this Addendum.

The UK Addendum modifies and supplements the EU SCCs as applicable to Restricted Transfers from the United Kingdom. Tables 1 to 3 of Part 1 are completed with the information set out in Annex 1. For Table 4, the parties select "Importer" as the party that may end the UK Addendum.