GDPR · Appendix 1

    Data Processing Agreement (DPA)

    Appendix 1 to General Terms v3.0 — Version 2.0 — Effective from 7 May 2026.

    This DPA takes effect when the Customer accepts the General Terms for eAktiebok.se.

    1. Parties

    Data Controller ('the Customer'): The company that has accepted the General Terms with eAktiebok and thereby accepted this DPA. The Customer is a limited company or other legal entity as stated in the agreement/order form.

    Data Processor ('eAktiebok'): Alternativa Nordics AB, reg. no. 559528-9058, Magnus Ladulåsgatan 3, 118 63 Stockholm, Sweden.

    The Parties have entered into this DPA, which constitutes an integral part of the General Terms for the service eAktiebok.se. In the event of any conflict between the content of this DPA and the General Terms, the provisions of this DPA shall prevail in matters relating to the processing of personal data.

    Definitions set forth in the General Terms shall also apply to this DPA, unless otherwise stated.

    2. Background and purpose

    eAktiebok provides a digital platform for establishing, maintaining and managing share registers in accordance with the requirements of the Swedish Companies Act. In connection with this, eAktiebok processes personal data relating to the Customer's shareholders and, where applicable, board members and other persons with registered roles at the Customer.

    The Customer is the data controller for such personal data. eAktiebok acts as data processor in relation to the Customer and processes personal data exclusively on the Customer's behalf and in accordance with the Customer's instructions and the terms of this DPA.

    3. Nature, purpose and categories of processing

    Note: The processing instruction below may, at the Customer's request, be separated into a separate appendix. Contact info@eaktiebok.se if this is desired.

    3.1 Purpose of processing

    eAktiebok processes personal data exclusively to provide the Service, namely:

    • Storage and display of shareholder information in the digital share register

    • Registration of share transfers, new share issues and other corporate events

    • Generation of share certificate documentation and export files (CSV/PDF)

    • Access control and authentication of the Customer's users

    Personal data may not be processed for any other purpose without the Customer's written consent, except as required by applicable legislation.

    3.2 Categories of data subjects

    • Shareholders in the Customer's company (natural and legal persons — for legal persons, contact persons' data may be processed)

    • Board members and signatories of the Customer's company, insofar as these are registered in the Service

    • The Customer's own admin users (contact persons)

    3.3 Categories of personal data

    • Name (first and last name)

    • Personal identity number / coordination number (for Swedish shareholders)

    • Address (registered or postal address)

    • Email address (for shareholders and admin users)

    • Number of shares, share class and ownership share

    • Date of acquisition and any transfer

    • IP address and login log (technical data for security and support)

    Note: Personal identity numbers are processed pursuant to Chapter 3, Section 10 of the Swedish Data Protection Act (2018:218) for purposes relating to share registers in accordance with the Swedish Companies Act.

    3.4 Retention period

    Personal data is stored for as long as the Customer's account is active. Upon termination of the account (voluntarily or due to non-payment), data is retained for 30 days for export purposes, after which it is permanently deleted. Data that eAktiebok is required to retain by law (e.g. accounting records) is handled in accordance with applicable legislation.

    4. Data controller's obligations

    The Customer undertakes to:

    • Process personal data in accordance with GDPR and applicable data protection legislation

    • Ensure that there is a legal basis for the processing that the Customer instructs eAktiebok to perform

    • Provide necessary information to data subjects in accordance with GDPR Articles 13–14

    • Notify eAktiebok of any changes to the processing instructions

    • Ensure that eAktiebok receives the instructions and information required to fulfil its obligations under this DPA

    5.1 Instruction binding

    eAktiebok processes personal data exclusively in accordance with applicable data protection legislation and documented instructions from the Customer, as set out in the General Terms and this DPA. If eAktiebok considers that an instruction violates GDPR or other applicable data protection legislation, eAktiebok shall promptly inform the Customer.

    If necessitated by changed processes at sub-processors engaged by eAktiebok for the provision of the Service, the Data Processor is entitled to request that the Data Controller amend the instruction. Upon such request, the Data Controller shall amend the instruction within a reasonable time.

    5.2 Confidentiality

    eAktiebok ensures that personnel processing personal data are bound by confidentiality obligations or are under a statutory duty of secrecy, and that such personnel are aware of the confidential nature of the processing. Access to personal data is limited to personnel who require access to perform their duties.

    5.3 Security measures

    eAktiebok implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. Measures include, but are not limited to:

    • Encryption of personal data in transit (TLS 1.2+) and at rest

    • Role-based access control (RBAC) and password management

    • Regular security reviews and access logging

    • Backup and recovery procedures

    • Secure management of service account authentication

    5.4 Sub-processors

    eAktiebok is entitled to engage sub-processors to provide the Service. The Customer gives general consent to the engagement of sub-processors in accordance with this DPA. A current list of engaged sub-processors is provided upon request by contacting privacy@eaktiebok.se and is updated when changes occur.

    eAktiebok shall inform the Customer of planned changes regarding engagement or replacement of sub-processors at least 30 days in advance via email to the registered address. The Customer has the right to object in writing to such changes within this period. If the Customer objects, the parties shall seek a mutually agreeable solution.

    eAktiebok shall, upon request, disclose engaged sub-processors and, to the extent known, the sub-processors' own sub-processors. eAktiebok shall enter into agreements with sub-processors imposing data protection obligations at least equivalent to those applicable to eAktiebok under this DPA. eAktiebok is liable to the Customer for the sub-processors' fulfilment of their obligations.

    5.5 Assistance to the data controller

    eAktiebok shall, taking into account the nature of the processing and the information available, assist the Customer with appropriate technical and organisational measures insofar as possible, to fulfil the Customer's obligation to respond to requests for the exercise of data subject rights (Articles 15–22 GDPR).

    eAktiebok shall assist the Customer in fulfilling obligations under Articles 32–36 GDPR (security, incident notification, impact assessment), taking into account the information available to eAktiebok.

    eAktiebok is not entitled to represent the Customer in relation to the Swedish Authority for Privacy Protection (IMY) or vis-à-vis data subjects, unless the Customer expressly requests this in the individual case.

    5.6 Incident management

    eAktiebok shall notify the Customer without undue delay of a personal data breach. The notification shall contain:

    • A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records affected

    • Contact details for the data protection officer or other contact point

    • The likely consequences of the personal data breach

    • The measures taken or proposed to address the breach

    eAktiebok assists the Customer in fulfilling the obligations under Article 33 (notification to IMY) and Article 34 (notification to data subjects) GDPR.

    5.7 Audit and review

    eAktiebok shall, upon written request, provide the information necessary to demonstrate that the obligations under this DPA are fulfilled. If eAktiebok at the time of the audit request holds a SOC 2 report, ISO 27001 certification or similar third-party certification that covers the requested audit area, this shall be deemed to constitute sufficient documentation, provided there is no reasonable suspicion of a legal violation.

    The Customer is entitled to conduct an audit once (1) per calendar year, with at least 30 days' written notice and a disclosed agenda for the planned audit. The audit shall be conducted during normal business hours and in a manner that minimises disruption to operations. The Customer bears the costs of the audit unless otherwise agreed.

    5.8 Return and deletion

    Upon termination of this DPA or the underlying agreement, eAktiebok shall, at the Customer's choice, either return or delete all personal data, unless legislation requires the data to be retained. The Customer may export their data via the Service's built-in export function (CSV/PDF) during the 30 days following the termination of the account.

    6. Third-country transfers

    eAktiebok processes personal data within the EU/EEA. In cases where sub-processors are engaged that process data outside the EU/EEA, this is done on the basis of an adequacy decision or the European Commission's Standard Contractual Clauses (SCCs).

    7. Liability and damages

    Each party is liable for its own violations of GDPR and this DPA in accordance with the principles set forth in GDPR. The limitation of liability in §12 of the General Terms applies to contractual claims for damages between the parties. It does not limit administrative sanctions from supervisory authorities or claims from individual data subjects in accordance with GDPR.

    8. Applicable law and dispute resolution

    This DPA is governed by Swedish law. Disputes that cannot be resolved amicably shall be settled by the Stockholm District Court as the court of first instance, in accordance with §17 of the General Terms.

    9. Term

    This DPA is valid for the duration of eAktiebok's processing of personal data on the Customer's behalf, i.e. for the entire period during which the Customer's account is active and during the subsequent 30-day period for export and deletion.

    The DPA automatically ceases to apply when all processing of personal data on the Customer's behalf has ceased and all data has been deleted or returned in accordance with section 5.8.

    10. Contact details

    Data protection contact at eAktiebok: Alternativa Nordics AB

    Email: privacy@eaktiebok.se
