Data Processing Addendum
Last updated: 6 June 2026
This Data Processing Addendum ("DPA") supplements the master services agreement, Order Form or Terms of Service (collectively, the "Agreement") between Nomos Pte. Ltd. ("Nomos") and the customer named in the Agreement ("Customer"). It applies to the extent that Nomos processes Personal Data on behalf of Customer in connection with the Services.
1. Definitions
- PDPA means the Singapore Personal Data Protection Act 2012, as amended, and the regulations and advisory guidelines issued by the PDPC.
- Personal Data, Data Intermediary and Notifiable Data Breach have the meanings given under the PDPA. For Customers with data subjects in the EU or UK, the equivalent GDPR / UK GDPR terms "controller", "processor" and "personal data breach" shall apply mutatis mutandis.
- Customer Personal Data means Personal Data contained in Customer Data and processed by Nomos on Customer's behalf.
- Subprocessor means any third party engaged by Nomos to process Customer Personal Data.
2. Roles of the parties
For Customer Personal Data, Customer is the organisation determining the purposes and means of processing (data controller for GDPR purposes) and Nomos acts as a data intermediary under section 4(2) of the PDPA (data processor for GDPR purposes). Each party shall comply with its obligations under applicable data protection laws.
3. Scope, nature and purpose of processing
Nomos shall process Customer Personal Data only for the purposes set out in the Agreement and this DPA, and only in accordance with Customer's documented instructions (including Customer's configuration of the Services). Annex I describes the subject matter, duration, nature, purpose, categories of data subjects and categories of Personal Data.
4. Nomos obligations
- Process Customer Personal Data only on documented instructions from Customer, including transfers, unless required to do otherwise by law (in which case Nomos shall notify Customer where legally permitted).
- Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement the technical and organisational security measures set out in Annex II.
- Assist Customer, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under applicable law.
- Assist Customer in ensuring compliance with its security, breach notification and impact assessment obligations.
- On termination of the Services, return or delete all Customer Personal Data in accordance with Section 9 below.
- Make available to Customer the information necessary to demonstrate compliance with this DPA.
5. Subprocessors
Customer provides general written authorisation for Nomos to engage Subprocessors. A current list of Subprocessors is maintained at nomosagents.com/subprocessors. Nomos shall give Customer at least thirty (30) days' prior notice of any intended changes and Customer may object on reasonable data-protection grounds during that period. Nomos shall impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and shall remain liable to Customer for the acts and omissions of its Subprocessors.
6. Cross-border transfers
Customer authorises Nomos to transfer Customer Personal Data outside Singapore where necessary for the provision of the Services. Nomos shall ensure that the recipient is bound by legally enforceable obligations providing a standard of protection that is comparable to that under the PDPA, including by means of contractual safeguards such as the ASEAN Model Contractual Clauses, the EU Standard Contractual Clauses or the UK International Data Transfer Addendum, as applicable. The relevant clauses are incorporated by reference and shall apply on request from Customer.
7. Notifiable Data Breach
Nomos shall notify Customer without undue delay and, in any event, within seventy-two (72) hours after becoming aware of a Notifiable Data Breach affecting Customer Personal Data. The notification shall describe, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken or proposed to address it. Nomos shall reasonably cooperate with Customer in any required notification to the PDPC, affected data subjects or other regulators.
8. Use of AI systems
- Customer Personal Data shall not be used to train any third-party foundation model.
- Customer Personal Data shall not be used to train Nomos's own models for purposes unrelated to providing the Services to Customer, except in a fully de-identified and aggregated form.
- Where configured, AI Output derived from Customer Personal Data is reviewed by a human (in Customer's organisation or by Nomos's service team) before release.
- Model prompts, completions and intermediate artefacts may be logged on a short-term basis for quality assurance, debugging and audit, and are purged in line with documented retention periods.
9. Return and deletion
On termination of the Services, Nomos shall, at Customer's option, return or delete all Customer Personal Data and existing copies, except to the extent that retention is required by applicable law. Routine system backups containing Customer Personal Data shall be deleted in accordance with Nomos's backup retention schedule.
10. Audits
Nomos shall, upon reasonable prior written notice, make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (subject to confidentiality obligations and reasonable security requirements). Audits shall be conducted no more than once per year, except where required following a Notifiable Data Breach or by a regulator. Where available, Nomos may satisfy audit obligations by providing summaries of independent third-party audit reports (such as SOC 2 or ISO/IEC 27001 reports).
11. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
12. Order of precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
Annex I — Description of processing
Subject matter and duration
Provision of agentic AI services to Customer for the term of the Agreement.
Nature and purpose
Automated extraction, classification, drafting, computation and review of financial, accounting and tax-related records on behalf of Customer.
Categories of data subjects
Customer's personnel; Customer's clients and their representatives; counterparties named in documents submitted to the Services.
Categories of Personal Data
Business contact details; identification numbers; financial account identifiers; transaction information; correspondence; and any other Personal Data contained in documents that Customer submits to the Services.
Annex II — Technical and organisational security measures
- Encryption: TLS 1.2 or higher in transit; AES-256 or equivalent at rest.
- Access control: role-based access, least privilege, MFA for administrative access, periodic access reviews.
- Network security: segmented production networks, managed firewalls, intrusion detection, hardened images.
- Application security: secure development lifecycle, dependency scanning, code review and secrets management.
- Vulnerability management: regular scanning, prompt patching, third-party penetration testing on a periodic basis.
- Logging and monitoring: centralised logging of access and security events, alerting on anomalous activity.
- Personnel: background checks where permitted by law, confidentiality undertakings, security and privacy training.
- Business continuity: documented backup and recovery procedures, periodically tested.
- Incident response: documented incident response plan with defined roles, escalation paths and notification procedures.
- Vendor management: due diligence and contractual safeguards on Subprocessors.
Annex III — Approved Subprocessors
The current list of approved Subprocessors and their categories of processing is maintained at nomosagents.com/subprocessors and is updated from time to time in accordance with Section 5.
This document is provided as a general template and does not constitute legal advice. Nomos Pte. Ltd. recommends review by qualified Singapore counsel before relying on it for a specific engagement.