Data Processing Addendum

This Data Processing Addendum including its Exhibits (“DPA”) supplements the Data Data Protection and Privacy Policy and Sleek Terms and Conditions of Service, as updated from time to time between the User and Sleek Tech Pte. Ltd. (“Sleek”) or any other agreement between the User and Sleek governing the User’s use of the SLEEK Services (the “Agreement”).

In the course of providing the SLEEK Services to the User pursuant to the Agreement, Sleek may Process Personal Data on behalf of the User. This DPA reflects the parties’ agreement with regard to the Processing of Personal Data.

The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

DEFINITIONS

All capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement. In this DPA, the following capitalized terms used shall further have the meanings given to them below:

The terms “Personal Data” and “Processing” shall have the meaning ascribed by the PDPA, but shall only cover the scope of personal data processing specified in Exhibit A of this DPA.

“Data Breach”, in relation to personal data, means — (a) the unauthorised access, collection, use, disclosure, copying, modification or disposal of Personal Data; or (b) the loss of any storage medium or device on which Personal Data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the Personal Data is likely to occur.

“Data Controller” means an organisation that determines the purposes and means of the processing of Personal Data.

“Data Subject” any living individual whose Personal Data is collected, held or processed by an organisation.

“PDPA” means the Personal Data Protection Act 2012 of Singapore (as amended from time to time).

“Platform” means the proprietary online systems and components developed, owned and maintained by Sleek including any replacement systems and components, and any 1 related software, websites, URLs and software programs ancillary to the Sleek Platform such as reports, compilations and databases.

“Processor” means an organisation which Processes Personal Data on behalf of the Data Controller.

“Service” means any software products or services that Sleek makes publicly available for customers to purchase or use our consulting and other services, and third-party services.

”Subprocessor” means another Processor, engaged by the Processor to Process all or part of the Personal Data.

“User App” means the software application providing certain SLEEK Services to the User.

“User Email Address” means every email address associated with the User’s account with Sleek in the way that it is, at the given point of time, registered with Sleek as an email address of a user of the User’s account.

1. APPLICATION OF PDPA AND THE TERMS

1.1 Compliance with PDPA. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under the PDPA for the Term (as defined below).

1.2. Roles of the Parties. The parties’ relationship is one of Data Controller (User) to Processor (Sleek), or, where the User is processing Personal Data on behalf of another Data Controller, Processor (User) to Subprocessor (Sleek).

2. PROCESSING OF PERSONAL DATA

2.1. User’s obligations. As a Data Controller (if applicable), the User instructs Sleek (as Processor) to Process Personal Data in accordance with this DPA and the PDPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Sleek to Process Personal Data. As a Processor (if applicable), the User instructs Sleek (as Sub-Processor) to Process Personal Data in accordance with this DPA, and is responsible for sharing the Data Controller’s instructions with Sleek prior to the processing of Personal Data.

2.2. User’s liability. The User shall have sole responsibility for the accuracy, quality, and legality of Personal Data provided by the User to Sleek and the means by which User acquired such Personal Data. To the extent the PDPA applies to the Processing of Personal Data under this DPA, the User is liable for complying with its obligations as Data Controller, including informing the Data Subjects about the Processing of their Personal Data under this DPA, obtaining their consent, if necessary, and ensuring that the User and Sleek have the authority to use the Personal Data in accordance with the purposes defined herein. As Processor (if applicable), the User shall remain fully liable to the Data Controller for the Personal Data where Sleek fails to fulfill its data protection obligations hereunder.

2.3. Sleek’s Processing of Personal Data. Sleek provides information about its Processing of User’s Personal Data in Sleek’s Data Protection and Privacy Policy.

2.4. Obligations of Sleek. To the extent set forth by the PDPA, Sleek agrees, warrants and represents that it:

a) will ensure that persons authorised to Process the Personal Data have committed to confidentiality obligations; further, Sleek shall only allow access to Personal Data to such of the Sleek’s personnel who need access to the Personal Data in order to allow Sleek to perform its obligations under the Agreement;

b) will take reasonable measures to ensure the confidentiality of Personal Data and the security of Processing, as further specified in Section 3 hereof;

c) will not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Agreement, and as set out in the Data Protection and Privacy Policy;

d) only process Personal Data in accordance with this DPA and the User’s instructions (unless legally required to do otherwise);

e) will assist the User in ensuring compliance with the obligations relating to the security of the Personal Data (as further specified in Section 3 hereof), User’s notification & communication obligations in case of a Data Breach (as further specified in Section 6 hereof), and consulting the Personal Data Protection Commission (PDPC) if need be, taking into account the nature of Processing and the information available to Sleek;

f) will make available to the User on a reasonable basis all information necessary to demonstrate compliance with the PDPA obligations relating to Sleek as laid down in this DPA as applicable; and

g) will inform the User immediately if (in its opinion) any instructions infringe the PDPA.

3. SECURITY OF PERSONAL DATA

Sleek has taken steps that are reasonable in the circumstances to safeguard processed Personal Data from unauthorised access and to maintain the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

3.1. Technical and Organizational Measures. Sleek shall, while taking into account the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data Subjects resulting from the Processing, implement the appropriate technical and organisational measures listed in Exhibit B.

3.2. Reviews and Updates. The technical and organisational measures shall be reviewed and updated by Sleek on an annual basis.

4. RIGHTS OF DATA SUBJECTS AND OTHER REGULATORY ACTIONS

4.1. Data subjects’ right to information. It is the User’s responsibility to provide the Data Subjects with the information on the processing of their Personal Data.

4.2. Exercise of data subjects’ rights. To the extent set forth by the PDPA, taking into account the nature of the Processing and the information available to Sleek, Sleek will assist the User, insofar as this is possible, for the fulfillment of its obligation to respond to Data Subject right requests concerning notably the right of access, to rectification, erasure, withdrawal of consent.

4.3. Regulatory Action. Sleek will without undue delay, provide the User with reasonable assistance with engagement with supervisory authorities.

5. SUBPROCESSORS

5.1. The User authorises Sleek to engage Subprocessors in connection with the provision of the SLEEK Services.

5.2 Subprocessor requirements. Sleek will:

a) require its Subprocessors to comply with equivalent terms as Sleek’s own obligations in this DPA;

b) ensure appropriate safeguards are in place in accordance with the requirements of the PDPA before internationally transferring Personal Data to a Subprocessor, and

c) be liable for any acts, errors or omissions of its Subprocessors as if they were a party to this DPA.

6. DATA BREACHES

6.1. Notification. Sleek shall notify the User without undue delay after become aware of a Data Breach when the Data Breach is: a) likely to result in significant harm or impact to the individuals to whom the information relates; or b) of a significant scale (i.e. Data Breach involves personal data of 500 or more individuals). Upon determining that a Data Breach is notifiable, Sleek, where required, will inform the affected individuals as soon as practicable, at the same time or after notifying the Commission.

6.2. Provided information. Sleek undertakes to provide the User with assistance as required under the PDPA in responding to it, as well as all relevant details of the Data Breach required for the User to comply with its obligations under the PDPA in relation to the Data Breach.

7. RETURN AND DELETION OF USER’S DATA

7.1 Return (export) right and deletion. Please our Data Protection and Privacy Policy and the Agreement for how Sleek will return and/or delete Personal Data at the end of the Term.

7. TERM AND AMENDMENTS

8.1 Commencement and previous agreements. This DPA becomes effective the date on which the SLEEK Services start to be used by the User.

8.2 Duration. This DPA will remain in force for as long as the SLEEK Services are used by the User (the “Term”). Any provision of this DPA which is intended to survive the Term will remain in full force.

8.3. Amendments. The User acknowledges and agrees that this DPA may be amended in the same way as agreed by the parties for amendments of the Agreement, including Sleek’s right to update the terms of the Agreement, any of its policies and this DPA from time to time, as decided by Sleek in its sole discretion, subject to notice to User at the Admin User Email Address.

9. LIABILITY

9.1. Each party’s aggregate liability under this DPA will not exceed the total amount of fees paid by the User to Sleek for the provision of the services under the Agreement during the period of 12 months immediately preceding the incident giving rise to the liability.

10. GOVERNING LAW AND JURISDICTION

10.1. Governing law and jurisdiction. This DPA shall be governed by the laws of Singapore. The courts of Singapore have exclusive jurisdiction to settle any dispute arising out of connection with this DPA.

10.2. Dispute resolution. In order to resolve amicably any dispute that may arise with respect to the interpretation, the performance and/or the termination of this DPA, the Parties agree to negotiate after the receipt of a notice by one of the Parties, with the intent to solve any dispute in an amicable way. The parties shall endeavour to reach an amicable settlement by signing a settlement agreement within thirty (30) days following the notification by a party of the existence of the dispute.

11. OTHER

11.1 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:

(a) DPA,

(b) Agreement.

11.2 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.

11.3 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.

Exhibit A

Description of the Processing

Sleek is authorised to process, on behalf of the User, the necessary Personal Data for providing the SLEEK Services.

The purposes of the Processing and types of data processed are specified in the Privacy Policy and Terms and Conditions.

Exhibit B

Security Measures

As of the effective date of this DPA, Sleek, when Processing Personal Data on behalf of the User implements and maintains the following technical and organisational security measures for the Processing of such Personal Data:

1. Physical Access Controls: Sleek shall take reasonable measures to prevent physical access, such as secured buildings and offices, to prevent unauthorized persons from gaining access to Personal Data.

2. System Access Controls: Sleek shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factors authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.

3. Data Access Controls: Sleek shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorised staff, ; and, that Personal Data cannot be read, copied, modified or removed without authorisation in the course of Processing.

4. Transmission Controls: Sleek shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

5. Input Controls: Sleek shall take reasonable measures to provide that it is possible to check and establish whether and by whom Service Data has been entered into data 7 processing systems, modified or removed. Sleek shall take reasonable measures to ensure that (i) the Personal Data source is under the control of the User; and (ii) Personal Data integrated into the Service is managed by secured file transfer from the User.

6. Data Backup: Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss when hosted by Sleek.