Data Processing Agreement

Summary for procurement · execute order-specific DPA with signature where required

1. Parties & roles

This Data Processing Agreement ("DPA") forms part of the agreement between TechPeak Lab Ltd ("Processor") and the customer entity signing the order form or terms ("Controller") for CarbonOS.

The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization, unless required to do so by Union or Member State law to which the Processor is subject.

2. Scope & subject matter

Subject matter: provision of the CarbonOS platform as described in the applicable agreement.

Duration: for the term of the agreement and in accordance with the retention and deletion commitments in the Privacy Policy.

Nature & purpose: hosting, securing, and operating multi-tenant workspaces for emissions, evidence, tasks, reporting, licensing, and support communications.

Categories of data subjects: customer personnel authorized to use the platform, and individuals whose personal data appears in uploaded content when provided by the Controller.

Categories of personal data: account identifiers, contact details, usage logs, and any personal data contained within files or messages uploaded by the Controller.

3. Processor obligations

The Processor shall:

- Process personal data only on documented instructions from the Controller, unless Union or Member State law requires otherwise.
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures as described in the Security overview.
- Assist the Controller with data subject requests and DPIAs where reasonable, taking into account the nature of processing.
- Delete or return personal data at the end of provision of services, at the choice of the Controller, unless law requires retention.
- Make available information necessary to demonstrate compliance and allow for audits subject to reasonable confidentiality controls.

4. Security commitments

Controls include encryption in transit, encryption at rest, tenant isolation with row-level security, least-privilege access for operations staff, logging of administrative actions, and incident response procedures aligned to GDPR Article 33 timelines where applicable.

Detailed controls are summarized in the Security page and expanded under NDA for enterprise customers.

5. Subprocessors

The Controller authorizes engagement of subprocessors that support delivery of the service (for example infrastructure and email delivery). A current list is available to enterprise customers under NDA and updated when material changes occur.

The Processor shall impose appropriate data protection terms on any subprocessor.

6. Controller responsibilities

The Controller is responsible for the lawfulness of processing, honoring data subject rights for data it controls, maintaining accurate instructions, and classifying special categories of data where relevant.

Uploading highly sensitive categories without a documented legal basis and instruction is prohibited unless expressly agreed in writing.

7. International transfers

Where transfers outside the EEA occur, the Processor implements appropriate safeguards such as Standard Contractual Clauses and supplementary measures consistent with regulatory guidance.

8. Contact

For DPA execution, subprocessor notifications, and transfer documentation, contact hello@complyraone.com with subject line "DPA — [company name]".