DATA PROCESSING AGREEMENT SAAS

Privacy Policy
Data Processing Agreement (DPA) for Escrow and Paying Agent services Data Sharing Agreement (DSA) For 102 Trustee Services Data Processing Agreement (DPA) for SaaS and all other bilateral services Sub-Processors

DATA PROCESSING AGREEMENT

This Data Processing Agreement (together with its Annexes, the "DPA") forms part of the service agreement (the "Agreement") between altshare Ltd./ altshare Trusts Ltd. ("altshare") and the entity who receives the services under the Agreement ("Customer"), (Customer and altshare shall be referred to as a “Party” and collectively as the “Parties”)

This DPA reflects the Parties’ agreement with regard to the Processing of Personal Data. All capitalized terms not defined herein will have the meaning set forth in the Agreement or under the Data Protection Laws.

DATA PROCESSING TERMS

In the course of providing the Service to Customer pursuant to the Agreement, altshare may Process Personal Data on behalf of Customer. The Parties agree to comply with the following provisions with respect to Personal Data Processed by altshare as part of the Service for Customer.

1. DEFINITIONS

1.1. "Affiliate" means a person or entity controlling, controlled by or under the common control with a Party; the term "control", for the purpose of this definition, shall mean direct or indirect possession of the power to direct or cause the direction of the management or policies of a Party, whether through the ability to exercise voting power, by contract or otherwise.

1.2. "Customer Data Subject(s)" means Data Subject(s) whose Customer Personal Data is provided to altshare by Customer for Processing in connection with the Service.

1.3. "Customer Personal Data" means any Personal Data provided to altshare by Customer in connection with the Service.

1.4. "Data Protection Laws" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR")and the regulations promulgated thereunder and other binding rules and guidelines issued by the Israeli Privacy Protection Authority ("Israeli Data Protection Legislation"); as such are amended, replaced or superseded from time to time.

1.5. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, or harm to the integrity of, Customer Personal Data.

1.6. "SCCs" mean the standard contractual clauses as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes thereto, as may be amended or replaced from time to time.

1.7. "Subprocessors" means any entity appointed by altshare to Process Customer Personal Data on behalf of Customer in connection with the Agreement, excluding any employee of altshare but including its Affiliates.

1.8. "Supervisory Authority" means an independent public authority which is established by a European Union Member State; and shall also include the Israeli Privacy Protection Authority.

1.9. "Service" shall have the meaning ascribed to it in the Agreement.

1.10. "Data Subject", "Process" or "Processing", "Controller" and "Processor" (including "Holder") shall have the meanings or equivalent terms ascribed to them in the applicable Data Protection Laws.

2. DATA PROCESSING

2.1. Scope and Roles. This DPA applies when Personal Data is Processed by altshare as part of altshare’ provision of the Service. In this context, Customer is the Controller of the Customer Personal Data and altshare is the Processor of Customer Personal Data.

2.2. Details of Processing. The details of the Processing of Personal Data are set forth in Annex I.

2.3. Customer’s Instructions.

2.3.1. If Customer purchases the SaaS Service, altshare shall only Process Customer Personal Data on behalf of and in accordance with Customer's instructions described in the Agreement and this DPA, including for the provision of the Service described under the Agreement. Any other Processing shall only be permitted in the event that such Processing is required by required by applicable law or binding order to which altshare is subject; in which case, altshare shall inform the Company of that requirement before engaging in such Processing, unless Data Protection Laws prohibit such information on important grounds of public interest. altshare shall inform Customer, if in altshare’s opinion an instruction infringes any provision under Data Protection Laws.

2.3.2. If Customer purchases any other Service than SaaS, altshare shall Process Customer Personal Data on behalf of Customer for the provision of the Service and for the performance of the Agreement as detailed in the Agreement and on additional documented and reasonable instructions from Customer. Any other Processing shall only be permitted in the event that such Processing is required by applicable law or binding order to which altshare is subject; in which case, altshare shall inform the Customer of that requirement before engaging in such Processing, unless Data Protection Laws prohibit such information on important grounds of public interest. altshare shall inform Customer, if in altshare’s opinion an instruction infringes any provision under Data Protection Laws.

2.4. Notice and Legal Basis. Customer will provide all necessary notices to Data Subjects and receive all necessary permissions and consents, including Customer’s sharing and transferring of Customer Personal Data with third-parties and in a third-country, to the extent required under applicable Data Protection Laws, or otherwise implement the required lawful basis of Processing pursuant to the Data Protection Laws, as necessary for altshare to Process Customer Personal Data lawfully. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness of the Customer Personal Data and its use.

3. PERSONNEL. altshare shall ensure that access to Customers Personal Data is limited on a need to know basis and such authorized personnel are subject to confidentiality obligations.

4. DATA SECURITY. altshare shall implement and maintain appropriate technical and organisational measures to ensure a level of security of Customer Personal Data appropriate to the risk, taking into account the nature, scope and context of the Processing and the costs of implementation, including as set out in Annex ‎II to this DPA. altshare may review and update such technical and organizational measures from time to time, provided that any such updates will not materially decrease the overall level of security of the Service during the term of the Agreement.

5. PERSONAL DATA BREACH

5.1. Personal Data Breach Communications. altshare shall notify Customer without undue delay after becoming aware of a Personal Data Breach and provide Customer with available information about the Personal Data Breach. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without further delay.

5.2. Personal Data Breach Remediation. altshare shall reasonably cooperate with Customer to prevent, investigate, mitigate or rectify Personal Data Breach.

5.3. Personal Data Breach Notification. Any required notification to the relevant Supervisory Authorities or Data Subjects regarding Personal Data Breach will be the sole responsibility of Customer and altshare shall reasonably assist Customer upon request.

6. ASSISTANCE

6.1. Data Subject Requests. altshare shall notify Customer of any request raised by a Customer Data Subject to altshare, including requests for exercising Data Subject’s rights under Data Protection Laws; and reasonably assist Customer by technical and organizational measures for the fulfillment of Customer's obligations to respond the Customer’s Data Subject requests.

6.2. Data Protection Impact Assessment and Prior Consultation. Upon Customer’s reasonable request, altshare shall provide reasonable assistance to Customer to conduct data protection impact assessment and prior consultation with Supervisory Authorities, all in relation to altshare’s Processing of Customer Personal Data.

7. SUBPROCESSORS

7.1. Existing Subprocessors. As of the date hereof, altshare represents that with respect to each existing Subprocessor as set out in Annex III to this DPA, altshare has entered into an agreement substantially similar material obligations under this DPA.

7.2. Appointment of New Subprocessor. Customer hereby provides altshare with a general authorization to engage Subprocessors for the provision of the Service. altshare shall inform Customer of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. With respect to each new Subprocessor, altshare shall ensure that the arrangement between altshare and this Subprocessor is governed by a written agreement, that bind them by substantially similar material obligations under this DPA.

8. CROSS-BORDER DATA TRANSFERS

8.1. Transfers between the Parties. Where Customer transfers Personal Data originating from the European Economic Area ("EEA") to altshare and to the extent the GDPR applies, such transfer shall be according to one of the following: (a) to a country considered by the European Commission as providing an adequate level of protection of Personal Data; or (b) in the absence of an adequacy decision, or in case any adequacy decision is invalidated at a future date, the Parties agree that the SCCs will be deemed entered into and will automatically apply, and incorporated into this DPA by this reference, and completed as follows:

8.1.1. The Parties agree that Module Two (Controller to Processor) are incorporated herein by reference and the Parties are deemed to have accepted and signed the SCCs where necessary in their entirety. Annex I, Annex II and Annex III of the SCCs shall be represented by Annex I, Annex II and Annex III to this DPA. If and to the extent the SCCs conflict with any provision of this DPA, the SCCs will prevail to the extent of such conflict.

8.1.2. The Parties agree that: (a) Clause 7 - the optional docking clause will not apply. (b) Clause 9, Option 2 will apply and the time period for prior written notice of Subprocessor changes will be ten (10) days, the agreed Subprocessors are listed in Annex III. (c) Clause 11 - the optional language will not apply. (d) Clause 17 - Option 1 will apply, and the SCCs will be governed by the Irish law. (e) Clause 18(b) - disputes will be resolved before the courts of Ireland.

8.2. Onward Transfer. If and when altshare provides a Subprocessor with access to EEA originating Customer Personal Data and to the extent the GDPR applies, altshare undertakes to transfer Customer Personal Data to a country considered by the European Commission as providing an adequate level of protection of Personal Data; or if the country is not considered as providing an adequate level of data protection, altshare shall bind the Subrocessor with any other approved transfer mechanism under the GDPR, such as SCCs.

9. INSPECTION AND AUDIT RIGHT

9.1. Upon reasonable request, altshare shall make available to Customer available information necessary for Customer to demonstrate compliance with the Data Protection Laws.

9.2. To the extent required under applicable Data Protection Laws, upon Customer's written request (not more frequently than annually), and subject to reasonable confidentiality obligations, altshare shall make available to Customer a copy of altshare's most recent audit report, certifications and summaries of audit reports conducted by accredited third party auditors.

9.3. To the extent that altshare's provision of an audit report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer may conduct an audit of altshare's Processing, subject to the following terms: (i) the audit will be pre-scheduled in writing with altshare, at least forty-five (45) days in advance and will be performed not more than once a year; (ii) the auditor will execute a non-disclosure and non-competition undertaking toward altshare; (iii) the auditor will not have access to non-Customer's data; (iv) Customer will make sure that the audit will not interfere with or damage altshare's business activities and information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the audit; (vi) the auditor will first deliver a draft report to altshare and allow altshare reasonable time and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to the Customer; (vii) Customer will receive only the auditor's report, without any altshare 'raw data' materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; and (viii) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.

10. DATA RETENTION OR RETURN

10.1. Deletion. Within reasonable time after the end of the provision of the Service or upon Customer reasonable request, altshare shall return or delete Customer Personal Data to Customer, at Customer’s choice. Upon Customer’s request, altshare shall provide written certification to Customer that it complied with the provisions of Section ‎‎10. Copies in back-up files may be retained for a longer period according to altshare's backup policies.

10.2. Retention.

10.2.1. Notwithstanding section 10.1, if Customer purchases SaaS, Customer acknowledges and agrees that altshare may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law.

10.2.2. Notwithstanding section 10.1, if Customer purchases any other Service than SaaS, Customer acknowledges and agrees that altshare may retain Personal Data to the extent required by applicable laws and professional regulations, provided that (i) Personal Data is retained to the extent and for the such period as required by such applicable laws; and (ii) Personal Data is retained confidential and only processed as necessary for the purpose(s) specified in the applicable laws and professional regulations.

10.3. Anonymized and Aggregated Data. If the Customer purchases SaaS, Customer authorizes altshare to anonymize, de-identify and aggregate Customer Personal Data for altshare’s legitimate business purposes, including for testing, development, improvement, security, controls, fraud detection and operations of the Platform and Service.

11. PERSONAL DATA PROCESSED BY EACH PARTY FOR PURPOSES OF MANAGING THE AGREEMENT. Each Party shall Process separately and independently the Personal Data of the representatives of the Parties for purposes of managing the Agreement. With respect to such Personal Data, each Party shall be responsible to fulfill all of its obligations under the Data Protection Laws and shall cooperate with the other Party as reasonably necessary to assist with the fulfillment of the other Party's obligations under the Data Protection Laws.

12. TERM. This DPA will commence on the later of the date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.

13. ORDER OF PRECEDENCE. In any conflict with the terms of the Agreement, regarding to the subject matter of this DPA, the provisions of this DPA shall prevail.

14. MISCELLANEOUS. Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both Parties. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.

‍

ANNEX I

A. LIST OF PARTIES

1. Data exporter:

Name: Customer as detailed in the Agreement.

Address: [___________]

Contact person’s name, position and contact details: [___________]

Activities relevant to the data transferred: to access the Platform and receive the Service pursuant to the Agreement.

Signature and date: to the extent applicable, by entering into the Agreement, data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement.

Role: Controller

2. Data importer:

Name: [altshare Ltd./ Altshare Trusts Ltd.]

Address: 19A Habarzel st. Ramat Hahayal, Tel Aviv

Contact person’s name, position and contact details: Tsippy Kaufman – Chief Legal Officer – tsippyk@altshare.com

Activities relevant to the data transferred: to provide Service pursuant to the Agreement.

Signature and date: to the extent applicable, by entering into the Agreement, data importer is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement.

Role: Processor

B. DESCRIPTION OF TRANSFER

The following description depends on the Service the Customer chooses to receive pursuant to the Agreement:

1. SAAS SERVICE

▪ Categories of data subjects whose personal data is transferred:

o Customer's employee

▪ Categories of personal data transferred:

o account Personal Data, i.e., first name, last name, user name, phone number, email address

o IP address

o cookies and other tracking technologies

o financial information, i.e., number of shares / options, data about the transfer of payments to the individual in the event of dividends and sales of shares and options.

o tax information

o bank account details, i.e., bank account number

o any other information necessary for the performance of the Service, and may include additional information such as copies of agreements to which Customer’s employee is a party, share certificates, payments Customer’s employee is about to receive or amounts of investment, etc.

▪ Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

Not applicable (Note: althsare does not intend to process any special categories of personal data as defined in Article 9 of the GDPR.)

▪ The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

As applicable

▪ Nature of the processing:

All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.

▪ Purpose(s) of the data transfer and further processing:

Access to the platform and provision of the Service in accordance with the Agreement.

▪ The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10.2.1 to this DPA.

▪ For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The subject matter of the Processing is Customer Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.

2. PAYING AGENT SERVICE

▪ Categories of data subjects whose personal data is transferred

Any individuals receiving Service from altshare through the Customer, including bondholders, shareholders, other security holders, authorized representatives, and beneficial owners.

▪ Categories of personal data transferred

The Customer receives from its end-users the following types of Personal Data:

o Identification data, i.e., full name, place and date of birth, nationality, ID / passport number.

o Financial data, i.e., name of bank, branch, bank account number (ABA, IBAN, SWIFT), currency, payment instructions, transaction history, detail on dividends, interests or other payments processed.

o Tax information, i.e., tax identification number.

o Contact data, i.e., place of residency, place of citizenship, fax, email address and phone number(s).

o Contractual data, i.e., any information included in agreements (e.g., beneficial ownership, authorized signatories), bank account ownership proof, CRS Self Certification, correspondence with the paying agent.

o Anti-money laundering (AML) / KYC Data, i.e., copies of identity documents, proof of address, source of funds / wealth information, declarations regarding political exposure (PEP status).

o Professional data, i.e., employer name, job title, business contact details (e.g., work email address, phone number).

▪ Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved

Not applicable (Note: altshare does not intend to process any special categories of personal data as defined in Article 9 of the GDPR.)

▪ The frequency of the transfer

As applicable

▪ Nature of the processing

All processing activities, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.

▪ Purpose(s) of the data transfer and further processing

The provision of the Service in accordance with the Agreement, including:

o Execution and administration of payment instructions;

o Distribution of funds (e.g., interest, dividends, redemptions);

o Maintenance of registers of holders;

o Verification and identification of data subjects in accordance with applicable AML and KYC laws;

o Communication with data subjects regarding payments and related matters; and

o Compliance with legal obligations (such as anti-money laundering and tax reporting requirements).

▪ The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10.2.2 to this DPA.

▪ For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter of the Processing is Processing of Customer Persona Data in connection with the Service provided by altshare under the Agreement, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.

3. RESTRUCTURING TRUST SERVICE

▪ Categories of data subjects whose personal data is transferred

o End-users of trust services, e.g., signatories, certificate holders;

o Employees and contractors of the Customer;

o Business customers and partners;

▪ Categories of personal data transferred

o Identification data, i.e., full name, nationality, ID / passport number.

o Trust service data, e.g., certificate serial numbers.

o Organizational details, e.g., company name, role

▪ Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved

Not applicable (Note: altshare does not intend to process any special categories of personal data as defined in Article 9 of the GDPR.)

▪ The frequency of the transfer

As applicable

▪ Nature of the processing

▪ Purpose(s) of the data transfer and further processing

The provision of the Service in accordance with the Agreement, including:

o Support the operational, legal, or technical restructuring of trust service offerings.

o Maintain business continuity.

o Migrate, archive, or transfer digital trust assets and related user data securely.

o Ensure availability, confidentiality, and integrity of trust service during and after restructuring.

o Provide reporting, analytics, and audit support in connection with regulatory obligations.

▪ The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10.2.2 to this DPA.

▪ For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

4. BUSINESS VALUATION SERVICE

▪ Categories of data subjects whose personal data is transferred

o Employees, officers, and directors of the business being valued

o Shareholders, investors, or beneficial owners

o Customers, vendors, and business partners (when relevant for valuation inputs)

o Counterparties in M&A or financial transactions

▪ Categories of personal data transferred

o Identification data, e.g., name, title, contact information

o Employment data, e.g., job role, compensation, performance metrics

o Ownership or shareholding information

o Financial data, e.g., salary, bonuses, equity interests

o Contractual data, e.g., terms of employment, service agreements

o Transactional data, e.g., invoices, sales, payment history

o Publicly available corporate filings or registry data

▪ Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved

Not applicable (Note: altshare does not intend to process any special categories of personal data as defined in Article 9 of the GDPR.)

▪ The frequency of the transfer

As applicable

▪ Nature of the processing

▪ Purpose(s) of the data transfer and further processing

The provision of the Service in accordance with the Agreement, including:

o Conducting quantitative and qualitative business valuations

o Preparing valuation reports, presentations, and deliverables

o Performing due diligence and data verification tasks

o Supporting legal, accounting, and strategic planning related to valuation

o Complying with professional and regulatory requirements

o Providing ancillary consulting service (e.g., benchmarking, scenario modeling)

▪ The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10.2.2 to this DPA.

▪ For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

5. EXPENSE REPORTING SERVICE

▪ Categories of data subjects whose personal data is transferred

o Employees, contractors, and consultants of the Customer

o Corporate cardholders and travel administrators

o Approvers, finance personnel, and audit staff

o Vendors or service providers referenced in expenses

▪ Categories of personal data transferred

o Identification data, e.g., name, title, employee ID

o Financial data, e.g., expense amounts, currencies, credit card details—masked or tokenized

o Expense details, e.g., dates, categories, receipts, travel itineraries

o Contact details, e.g., business address, phone number, email

o Geolocation data, e.g., from travel receipts or mileage tracking

o Any documents, e.g., scanned receipts, invoices, proof of purchase

▪ Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved

Not applicable (Note: altshare does not intend to process any special categories of personal data as defined in Article 9 of the GDPR.)

▪ The frequency of the transfer

As applicable

▪ Nature of the processing

▪ The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10.2.2 to this DPA.

▪ Purpose(s) of the data transfer and further processing

The provision of the Service in accordance with the Agreement, including:

o Collection and processing of expense claims submitted by Data Subjects

o Verification and approval workflows

o Audit and compliance review of expense data

o Payment processing and reimbursement

o Generation of expense analytics, dashboards, and reports

o Retention of expense data for legal, regulatory, or tax purposes

▪ For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

6. SHAREHOLDERS REPRESENTATIVE SERVICE

▪ Categories of data subjects whose personal data is transferred

o Shareholders (individuals and beneficial owners)

o Authorized representatives or proxies of shareholders

o Employees, officers, and directors of represented entities

o Counterparties to the transaction (for contact purposes)

o Legal and financial advisors involved in the process

▪ Categories of personal data transferred

o Identification data, e.g., name, address, date of birth, ID numbers

o Contact details, e.g., email, phone number, postal address

o Financial data, e.g., bank account details for distributions, shareholdings, proceeds entitlements

o Tax data, e.g., taxpayer ID, W-8/W-9 forms, residency status

o Legal and transactional data, e.g., powers of attorney, shareholder agreements

o Communication records, e.g., emails, meeting notes, written instructions

▪ Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved

Not applicable (Note: altshare does not intend to process any special categories of personal data as defined in Article 9 of the GDPR.)

▪ The frequency of the transfer

As applicable

▪ Nature of the processing

▪ Purpose(s) of the data transfer and further processing

The provision of the Service in accordance with the Agreement, including:

o Acting as agent or representative for shareholders in corporate transactions (e.g., mergers, acquisitions, divestitures)

o Administering post-closing rights and obligations (e.g., earn-outs, escrow releases, indemnification claims)

o Coordinating with legal counsel, buyers, sellers, escrow agents, and other transaction parties

o Facilitating communications with represented shareholders

o Collecting, verifying, and managing shareholder records

o Managing documentation and compliance with contractual and legal obligations

o Performing accounting, tax reporting, and distribution of proceeds

▪ The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10.2.2 to this DPA.

▪ For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

7. SHARE LOCK-UP SERVICE

▪ Categories of data subjects whose personal data is transferred

o Shareholders subject to lock-up restrictions under Section 15C;

o Officers, directors, or controlling shareholders;

o Legal representatives or proxy holders of shareholders (e.g., trustees);

o Customer employees involved in share issuance or compliance reporting.

▪ Categories of personal data transferred

The Customer receives from its end-users the following types of Personal Data:

o Identification data, i.e., full name, ID / passport number;

o Contact data, i.e., email address, phone number, address;

o Number of shares allocated and subject to lock-up;

o Lock-up duration and applicable dates;

o Transaction history during lock-up period;

o Identification of controlling shareholders (where applicable);

o Digital copies of signed lock-up agreements;

o ISA submission confirmation numbers.

▪ Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved

Not applicable (Note: altshare does not intend to process any special categories of personal data as defined in Article 9 of the GDPR.)

▪ The frequency of the transfer

As applicable

▪ Nature of the processing

▪ Purpose(s) of the data transfer and further processing

The provision of the Service in accordance with the Agreement, including:

o Verifying and registering shareholders subject to statutory lock-up obligations;

o Maintaining digital or physical records of lock-up undertakings;

o Monitoring and enforcing lock-up periods and restrictions on trading;

o Preparing, submitting, and storing reports for the Israeli Securities Authority (ISA);

o Notifying shareholders regarding the commencement and expiration of lock-up periods;

o Responding to inquiries and audits by regulatory authorities;

o Ensuring legal compliance and facilitating transparency in the securities market.

▪ The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with Section 10.2.2 to this DPA.

▪ For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

‍

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1.1. altshare shall establish a procedure for allowing access to Personal Data and restriction of such access. altshare shall keep record of the persons authorized to access the Relevant Personal Data.

1.2. altshare shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Relevant Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; and (ii) has received appropriate training on his/her responsibilities.

1.3. altshare shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.

1.4. altshare shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to altshare’s system's infrastructure, data Processing system, communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized access to the Personal Data or to the system or communication lines between altshare and its respective clients.

1.5. altshare shall list all components (infrastructure and software) used to Process the Personal Data, including computer systems, communication equipment, and software. altshare shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.

1.6. altshare shall act in accordance with an appropriate written information security policy (WISP) and working procedures that comply with the security requirements under this Annex and Data Protection Laws, including with respect to backup and recovery procedures. altshare shall review its security policies and operating procedures periodically and not less than on an annual basis, and when material changes to the systems or Processing are made, all in order to amend them, if required.

1.7. altshare shall take measures to record the access to the Personal Data, including monitoring the entry into the facilities where the Personal Data is Processed, as well as any equipment brought in or taken out of such facilities.

1.8. altshare shall implement automatic control mechanism for verifying access to systems containing Personal Data, which shall include, inter alia, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied. altshare shall periodically monitor the information from the control mechanism, list issues and irregularities and the measures taken to handle them. Control records shall be maintained for a minimum of 24 months.

1.9. altshare will perform security risk surveys to systems containing Personal Data, at least once every 18 months.

1.10. altshare will not disclose Personal Data through a public communications network or via the internet, without using industry-standard encryption methods

ANNEX III

LIST OF SUB-PROCESSORS

Customer has authorized the use of the following Sub-Processors