DATA PROCESSING AGREEMENT
Saifion ApS — Standard Click-Wrap Terms
Version 1.0 | Effective Date: April 2026
CVR: 46208145
Preamble and Acceptance
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service (“Terms”) between Saifion ApS, CVR 46208145, a Danish limited liability company (“Saifion”, “Processor”, “we”, “us”), and the customer identified in the Saifion account (“Customer”, “Controller”, “you”).
By accepting the Terms of Service and Privacy Policy on the Saifion Platform — whether by clicking “I accept”, creating an account, or using the Platform in any manner — the Customer also accepts this DPA. No separate signature is required for this DPA to be binding. This electronic acceptance satisfies the written-form requirement of Article 28(9) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Saifion maintains an audit trail of each Customer's acceptance, including the account ID, timestamp, IP address, and DPA version accepted. Customers may request a copy of their acceptance record at any time by contacting privacy@saifion.com.
If the Customer is an enterprise organisation that requires a bilateral, individually negotiated DPA (“Enterprise DPA”), the Customer may request one by contacting legal@saifion.com before activating the Platform. Until an Enterprise DPA is signed by both parties, this click-wrap DPA governs the relationship.
1. Scope and Relationship to Other Agreements
1.1 This DPA applies exclusively to Personal Data that Saifion processes on behalf of the Customer in its role as Processor. It does not govern Personal Data that Saifion processes as an independent Controller (for example, account registration data, billing data, marketing analytics, or internal business operations), which is governed by the Saifion Privacy Policy available at saifion.com/privacy.
1.2 In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data on behalf of the Customer, this DPA shall prevail. In all other respects, the Terms of Service shall prevail.
1.3 The liability provisions of the Terms of Service apply to this DPA. The total aggregate liability of Saifion under this DPA is subject to the same caps and exclusions set out in Section 9 of the Terms of Service and is not cumulative with any other liability arising under those Terms.
2. Definitions
Terms defined in the GDPR have the same meaning in this DPA, including “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, and “Personal Data Breach”. In addition:
“Customer Personal Data” means Personal Data that the Customer submits to or generates through the Saifion Platform and that Saifion processes on the Customer's behalf.
“SCC” means the Standard Contractual Clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor) as applicable.
“TOM” means the Technical and Organisational Measures described in Annex I.
“Platform” means the Saifion B2B import platform and freight brokerage services as described in the Terms of Service.
“EU Data Protection Law” means the GDPR and the Danish Data Protection Act (Databeskyttelsesloven) and any successor or implementing legislation.
3. Role Allocation
3.1 For Customer Personal Data processed through the Platform in connection with the Customer's use of the freight brokerage and import services, the Customer is the Controller and Saifion is the Processor.
3.2 Saifion acts as an independent Controller for the following processing activities, which fall outside the scope of this DPA: (a) account registration, authentication, and access management of the Customer's authorised users; (b) billing, invoicing, and collection of Saifion's fees; (c) internal business operations such as analytics of aggregated usage, product improvement, and security monitoring; (d) marketing communications to the Customer's designated contacts; and (e) compliance with Saifion's own legal obligations.
3.3 Shipping Agents with whom the Customer contracts through the Platform act as independent Controllers for Personal Data they receive to perform freight services. The legal relationship between the Customer and each Shipping Agent is separate from this DPA.
4. Subject Matter, Duration, Nature and Purpose
4.1 Subject matter: Saifion's processing of Customer Personal Data to deliver the Platform services to the Customer.
4.2 Duration: Saifion shall process Customer Personal Data for the duration of the Customer's active account on the Platform and thereafter only for the period required to comply with legal obligations or as described in Section 11 (Return or Deletion).
4.3 Nature and purpose of processing: The nature of processing includes collection, storage, retrieval, organisation, structuring, alteration, use, disclosure by transmission, and erasure. The purposes of processing are:
- Provision of the Saifion B2B import platform and freight brokerage services
- Processing of shipping documents, invoices, and customs information
- AI-driven analysis and matching of import needs with Shipping Agents
- User authentication and access management via Clerk
- Data storage and retrieval via Convex and Chroma DB
- AI inference via Anthropic Claude and Google Gemini
- Accounting and financial reconciliation via Dinero/Visma
- Generation of notifications, status updates, and reports requested by the Customer
4.4 Categories of Personal Data: Contact details of authorised users and business contacts (name, job title, email, phone); business identifiers (company name, CVR/VAT); shipment data (origin, destination, HS codes, weights, volumes, product descriptions); commercial data (prices, quantities, invoices); and system data (IP addresses, timestamps, user activity logs).
4.5 Categories of Data Subjects: Authorised users of the Customer; employees and contractors of the Customer whose contact details appear in shipping documents; representatives of the Customer's suppliers, Shipping Agents, customs authorities, and other counterparties; and Data Subjects whose Personal Data is contained in documents the Customer uploads to the Platform.
4.6 Saifion does not process special categories of Personal Data (GDPR Article 9) or criminal conviction data (Article 10) in the ordinary course of providing the Platform. The Customer shall not upload such categories of data without Saifion's prior written consent.
5. Obligations of the Controller
5.1 The Customer, as Controller, warrants that: (a) it has a lawful basis under GDPR Article 6 (and Article 9 where applicable) for each processing activity it instructs Saifion to perform; (b) it has complied with its information obligations under GDPR Articles 13 and 14 toward the relevant Data Subjects; (c) its instructions to Saifion do not violate EU Data Protection Law; and (d) Personal Data uploaded to the Platform is accurate and up to date.
5.2 The Customer is responsible for determining the purposes and means of processing Customer Personal Data and for issuing lawful documented instructions to Saifion. The Customer's use of the Platform, together with the Terms of Service and this DPA, constitutes the Customer's documented processing instructions. Any additional or deviating instructions must be given in writing (including email to privacy@saifion.com).
5.3 The Customer shall indemnify Saifion against claims, fines, or damages arising from the Customer's breach of its obligations as Controller under EU Data Protection Law, subject to the limitations in Section 9 of the Terms of Service.
6. Obligations of the Processor (GDPR Article 28(3))
6.1 Processing on Documented Instructions
Saifion shall process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country or international organisation, unless required to do so by Union or Member State law to which Saifion is subject. In such a case, Saifion shall inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
6.2 Confidentiality
Saifion shall ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Saifion limits access on a need-to-know basis and requires background checks for personnel with access to production systems.
6.3 Security of Processing (GDPR Article 32)
Saifion shall implement the Technical and Organisational Measures described in Annex I to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.4 Sub-processors
6.4.1 The Customer provides a general written authorisation for Saifion to engage Sub-processors to assist in providing the Platform. The current list of Sub-processors is set out in Annex II and is available at saifion.com/subprocessors.
6.4.2 Saifion shall notify the Customer of any intended addition or replacement of Sub-processors at least 14 days in advance by email to the Customer's registered administrator and/or by publication on saifion.com/subprocessors. The Customer may object to the change on reasonable data protection grounds by written notice within 14 days. If the Customer objects and Saifion cannot reasonably accommodate the objection, the Customer may terminate the affected services as its exclusive remedy.
6.4.3 Saifion shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Saifion remains fully liable to the Customer for the performance of each Sub-processor's obligations.
6.5 Assistance with Data Subject Rights
Saifion shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (Articles 15–22). Where a Data Subject contacts Saifion directly, Saifion shall forward the request to the Customer without undue delay and shall not respond substantively unless authorised by the Customer or required by law.
6.6 Assistance with DPIA and Prior Consultation
Saifion shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (Article 35) and prior consultations with the supervisory authority (Article 36), taking into account the nature of processing and the information available to Saifion. Saifion has conducted its own DPIA for the AI systems used on the Platform; a summary is available on request.
6.7 Personal Data Breach Notification
Saifion shall notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event no later than 24 hours after becoming aware of the breach, regardless of the assessed risk level. The notification shall contain, to the extent known: (a) a description of the nature of the breach including the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of Saifion's data protection point of contact; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects.
Saifion shall cooperate with the Customer and provide all information and assistance reasonably necessary for the Customer to comply with its own notification obligations under GDPR Articles 33 and 34.
6.8 Return or Deletion of Customer Personal Data
At the choice of the Customer, Saifion shall delete or return all Customer Personal Data after the end of the provision of services relating to processing, and delete existing copies, unless Union or Member State law requires storage. The Customer may export Customer Personal Data at any time during the active subscription period through the Platform's self-service export functionality. After termination, the Customer has 30 days to request export before routine deletion begins. Saifion shall complete deletion within 90 days of termination, subject to back-up rotation cycles and legal retention requirements.
6.9 Audit Rights
6.9.1 Saifion shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
6.9.2 Audits may be carried out once per calendar year, unless there is reasonable suspicion of a material breach. The Customer shall give at least 30 days' written notice, conduct audits during normal business hours, and ensure that the auditor signs a confidentiality undertaking. The Customer bears the cost of its own auditor; Saifion bears the reasonable cost of its own resources up to 16 hours per audit.
6.9.3 Saifion may satisfy audit requests by providing third-party audit reports (for example ISO 27001 certifications or SOC 2 Type II reports from Sub-processors) where these reasonably address the Customer's audit scope.
7. International Data Transfers
7.1 Several of Saifion's Sub-processors are established in the United States or may process data outside the EU/EEA (see Annex II). For all such transfers, Saifion relies on one or more of the following transfer mechanisms:
- The EU Commission's Standard Contractual Clauses (SCC), Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor), as applicable
- The EU-U.S. Data Privacy Framework, where the Sub-processor is certified and active
- Adequacy decisions of the European Commission under GDPR Article 45
7.2 Saifion has conducted Transfer Impact Assessments (TIAs) documenting the level of data protection in each destination country and the supplementary technical, contractual and organisational measures implemented to ensure an essentially equivalent level of protection. Summaries are available on request at privacy@saifion.com.
7.3 Supplementary measures include encryption in transit (TLS 1.3), encryption at rest (AES-256), pseudonymisation of Personal Data before transmission to AI providers, and strict access controls with audit logging.
7.4 Where the Customer instructs Saifion to share Personal Data with Shipping Agents or suppliers located in non-EU/EEA countries in connection with freight services, such transfers are made on the Customer's documented instruction as Controller and the Customer is responsible for ensuring an appropriate transfer mechanism between the Customer and the recipient.
8. AI-Specific Provisions
8.1 Zero-Retention Policy
Customer Personal Data submitted to AI Sub-processors (Anthropic Claude and Google Gemini) for inference is subject to a zero-retention policy. The AI provider does not retain Customer Personal Data after the inference response has been returned, and does not use Customer Personal Data for model training. Saifion verifies these commitments annually and makes the verification available to the Customer upon request.
8.2 Data Minimisation for AI
Before transmitting Customer Personal Data to an AI Sub-processor, Saifion applies pseudonymisation where feasible, replacing directly identifying fields such as names and email addresses with pseudonymous identifiers. Only the minimum data necessary for the inference task is transmitted.
8.3 No Model Training
Saifion shall not use Customer Personal Data to train, fine-tune, or otherwise improve Saifion's or any third party's machine learning models without the Customer's separate, explicit, and documented consent.
8.4 Human Oversight and Transparency (EU AI Act)
Saifion maintains human oversight over automated decision-making in the Platform and provides transparency notices that explain the logic, significance, and consequences of AI-generated outputs. AI-driven matching and recommendations do not produce legal effects or similarly significantly affect Data Subjects within the meaning of GDPR Article 22(1). The Customer may object to profiling as described in the Privacy Policy.
9. Liability, Indemnity and Insurance
9.1 The liability of the parties under this DPA is subject to the aggregate liability cap and exclusions set out in Section 9 of the Terms of Service. This cap is shared with, and not cumulative to, any other liability arising from the provision of the Platform.
9.2 Notwithstanding Section 9.1, nothing in this DPA limits either party's liability where such limitation is not permitted by mandatory EU Data Protection Law, including a Data Subject's right to claim compensation under GDPR Article 82.
9.3 Saifion maintains commercial insurance covering cyber liability and professional indemnity at levels Saifion considers adequate for its business. Current coverage details are available on request to enterprise customers.
9.4 Each party shall indemnify the other for fines, penalties, and damages attributable to its own breach of this DPA or of EU Data Protection Law, subject to the liability cap in Section 9.1.
10. Term, Changes and Termination
10.1 This DPA enters into force when the Customer accepts the Terms of Service and remains in force for as long as Saifion processes Customer Personal Data on behalf of the Customer.
10.2 Saifion may update this DPA from time to time to reflect changes in EU Data Protection Law, Sub-processor arrangements, or operational practices. Material changes that adversely affect the Customer's rights shall be notified to the Customer at least 30 days in advance by email to the registered administrator and/or by publication on saifion.com/dpa with a prominent change notice.
10.3 If the Customer does not accept a material change, the Customer's exclusive remedy is to terminate the affected services by written notice before the change enters into force. Continued use of the Platform after the effective date constitutes acceptance of the revised DPA.
10.4 Non-material changes (such as correcting typographical errors, clarifications that do not alter substantive obligations, or updates to the Sub-processor list governed by Section 6.4) may be made without prior notice but shall be reflected in a change log at the bottom of this DPA.
10.5 Each accepted version of this DPA is archived by Saifion for at least 5 years after its replacement, together with the audit trail of Customer acceptances.
11. Return or Deletion on Termination
On termination of the Platform services, Saifion shall, at the Customer's choice expressed within 30 days of termination, return or delete all Customer Personal Data. In the absence of instruction, Saifion shall delete Customer Personal Data within 90 days of termination. Saifion may retain Customer Personal Data thereafter only to the extent required by Union or Member State law, in which case Saifion shall continue to ensure confidentiality and shall not actively process the data for any other purpose.
12. Governing Law and Jurisdiction
12.1 This DPA is governed by the laws of Denmark, without regard to its conflict of laws principles.
12.2 Any dispute arising out of or in connection with this DPA shall be subject to the jurisdiction set out in Section 21 of the Terms of Service.
12.3 Where this DPA incorporates the SCC, the choice of law and jurisdiction clauses of the SCC apply to the extent of that incorporation.
13. Contact
For matters relating to this DPA, data protection, or to exercise any right under it, please contact:
Data protection point of contact: privacy@saifion.com
Legal / enterprise DPA requests: legal@saifion.com
Saifion ApS, CVR 46208145, Denmark
Supervisory authority: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark — dt@datatilsynet.dk — +45 33 19 32 00
Annex I — Technical and Organisational Measures (TOM)
Saifion implements the following Technical and Organisational Measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. Saifion reviews and updates these measures regularly.
A. Encryption and Data Protection
- TLS 1.3 for data in transit between clients, servers, and Sub-processors
- AES-256 encryption for data at rest in production databases
- Encrypted backups with separate key management
- Pseudonymisation of Personal Data before transmission to AI inference providers
B. Access Control and Authentication
- Role-based access control (RBAC) with least-privilege principle
- Multi-factor authentication (MFA) required for all production system access
- Authentication via Clerk, including Single Sign-On (SSO/SAML) support for enterprise customers
- Periodic access reviews at least quarterly
- Immediate deprovisioning on personnel departure
C. Logging and Monitoring
- Centralised application and infrastructure logging
- Audit trails for administrative actions and data access
- Automated alerting for anomalies and security events
- Log retention sufficient to investigate incidents (minimum 12 months)
D. Backup and Disaster Recovery
- Automated daily backups of production databases
- Geo-redundant backup storage within the EU
- Tested restore procedures with defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
- Business continuity and disaster recovery plan reviewed annually
E. Incident Response
- Documented Incident Response Plan with defined roles and escalation paths
- Breach notification to the Customer within 24 hours of awareness
- Post-incident review and remediation tracking
- Annual tabletop exercises
F. Vulnerability Management
- Automated dependency scanning and patch management
- Regular security assessments of the Platform
- Responsible disclosure channel for external security researchers
G. Personnel Security
- Confidentiality undertakings required from all personnel with access to Customer Personal Data
- Security and data protection training for new hires and annually thereafter
- Background checks for personnel in sensitive roles
H. Data Segregation and Minimisation
- Logical separation of Customer Personal Data between tenants
- Data minimisation principles applied in the Platform design
- Retention schedules aligned with the Customer's subscription lifecycle
Annex II — List of Sub-processors
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Login credentials, email, name | US (EU SCC) |
| Convex | Database hosting and real-time data infrastructure | All Customer Data on Platform | US/EU (AWS) |
| Chroma DB | Vector database for AI search and embeddings | Embeddings, document vectors | Self-hosted |
| Anthropic (Claude/Claude Code) | AI processing: document generation, HS classification, cost analysis, automation | Documents, text, shipment data | US (EU SCC + DPA) |
| Google (Gemini) | AI processing: data analysis, document processing, classification | Documents, text, shipment data | US/EU (Google Cloud) |
| Dinero (Visma) | Accounting system and invoicing | Invoice data, billing info | EU (Denmark/Visma) |
Saifion shall notify the Customer of any intended addition or replacement of a Sub-processor at least 14 days in advance, in accordance with Section 6.4.2.
Annex III — Description of Processing (GDPR Article 28)
| Field | Description |
|---|---|
| Controller | The Customer as identified in the Saifion account |
| Processor | Saifion ApS, CVR 46208145 |
| Subject matter | Processing of Customer Personal Data through the Saifion Platform |
| Duration | Duration of the Customer's active account + post-termination retention per Section 11 |
| Nature of processing | Collection, storage, retrieval, organisation, structuring, alteration, use, disclosure by transmission, erasure |
| Purpose | Provision of B2B import platform and freight brokerage services (see Section 4.3) |
| Categories of Personal Data | See Section 4.4 |
| Categories of Data Subjects | See Section 4.5 |