Data Processing Agreement

GDPR-compliant agreement governing Kolva's processing of personal data on behalf of customers.

Effective: March 1, 2026 | Last updated: February 27, 2026
1. Definitions

For the purposes of this Data Processing Agreement ("DPA"):

• "Controller" means the Customer who determines the purposes and means of processing personal data
• "Processor" means Talentee LLC (Kolva), which processes personal data on behalf of the Controller
• "Data Subject" means an identified or identifiable natural person whose personal data is processed
• "Personal Data" means any information relating to a Data Subject
• "Processing" means any operation performed on personal data (collection, recording, storage, use, disclosure, erasure)
• "Sub-processor" means any third party engaged by the Processor to process Personal Data
• "Data Protection Laws" means GDPR, CCPA, and any other applicable data protection legislation
• "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for international data transfers
2. Scope and Purpose

This DPA applies to all Personal Data processed by Kolva on behalf of the Customer in connection with the Service. The Processor shall process Personal Data only:

• As necessary to provide the Service as described in the Terms of Service
• In accordance with the Controller's documented instructions
• In compliance with applicable Data Protection Laws

Categories of Data Subjects:

• Customer employees and users (sales representatives, managers, administrators)
• Customer's clients and prospects (business contacts)
• End users of Customer's products or services (for HES/field service data)

Types of Personal Data processed:

• Identity data (names, job titles, photos)
• Contact data (email, phone, address)
• Location data (GPS coordinates during check-in/out)
• Commercial data (visit notes, sales figures, client interactions)
• Technical data (device info, IP addresses, usage logs)
• Voice data (when using voice debrief features)

Duration: Processing continues for the duration of the subscription agreement plus 90 days for data export, after which data is deleted.
3. Obligations of the Processor

Kolva, as Processor, shall:

• Process Personal Data only on documented instructions from the Controller, unless required by applicable law
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational measures to ensure security (Article 32 GDPR)
• Not engage another processor without prior specific or general written authorization of the Controller
• Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability)
• Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
• At the Controller's choice, delete or return all Personal Data upon termination of the Service
• Make available all information necessary to demonstrate compliance and allow for audits
• Immediately inform the Controller if an instruction infringes Data Protection Laws
4. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors, subject to the following conditions:

Current Sub-processors:

• Supabase (Postgres hosting, US) — Database storage and authentication
• Vercel (US) — Application hosting and serverless functions
• Stripe (US) — Payment processing
• Resend (US) — Transactional email delivery
• OpenAI (US) — AI language model processing
• Anthropic (US) — AI language model processing
• Inngest (US) — Background job orchestration

The Processor shall:

• Maintain an up-to-date list of Sub-processors at kolva.ai/legal/sub-processors
• Notify the Controller at least 30 days before adding or replacing a Sub-processor
• Impose data protection obligations on Sub-processors equivalent to those in this DPA
• Remain fully liable for the acts or omissions of its Sub-processors

The Controller may object to a new Sub-processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the affected Service.
5. Security Measures

The Processor implements the following technical and organizational measures:

Technical Measures:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Row-Level Security (RLS) at the database level
• API authentication with hashed keys (SHA-256)
• Automated vulnerability scanning and dependency updates
• Secure development lifecycle (code review, testing, staging environments)
• Network segmentation and firewall rules
• Automated backups with point-in-time recovery
• Multi-factor authentication for infrastructure access

Organizational Measures:

• Access control policies (principle of least privilege)
• Employee security awareness training
• Incident response procedures and team
• Vendor security assessment program
• Regular security audits and penetration testing
• Data classification and handling procedures
• Business continuity and disaster recovery plans
6. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

• Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach
• Provide the following information:
  — Nature of the breach, including categories and approximate number of Data Subjects affected
  — Name and contact details of the data protection officer or point of contact
  — Likely consequences of the breach
  — Measures taken or proposed to address the breach and mitigate adverse effects
• Cooperate with the Controller in investigating and remediating the breach
• Document all breaches, including facts, effects, and remedial actions taken
• Not notify any third party about a breach without the Controller's prior written consent, unless required by law

The Controller remains responsible for notifying supervisory authorities and Data Subjects where required under applicable law.
7. International Data Transfers

Personal Data may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, the parties agree to the following safeguards:

• Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission Decision 2021/914
• UK International Data Transfer Addendum to the EU SCCs
• Swiss data transfer mechanisms as required

The Processor shall:

• Implement supplementary measures where necessary (encryption, pseudonymization)
• Conduct transfer impact assessments when required
• Suspend transfers if safeguards can no longer be ensured
• Cooperate with Data Subjects and supervisory authorities regarding data transfers

The SCCs are incorporated by reference into this DPA and shall prevail in case of conflict with other provisions.
8. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests, including:

• Right of access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object (Article 21 GDPR)

The Processor shall:

• Promptly forward any Data Subject request received directly to the Controller
• Provide technical capabilities to assist with request fulfillment (data export, deletion tools)
• Respond to Controller instructions regarding Data Subject requests within 5 business days
• Not independently respond to Data Subject requests unless authorized by the Controller
9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA:

• The Processor shall make available all information reasonably necessary to demonstrate compliance
• The Controller (or an independent auditor) may conduct audits with 30 days' prior written notice
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt operations
• The Controller shall bear the costs of audits (unless the audit reveals material non-compliance)
• The Processor may satisfy audit requests by providing relevant certifications, audit reports (SOC 2 Type II), or compliance documentation
• Audit results shall be treated as confidential information
10. AI-Specific Processing

Where Personal Data is processed through AI features:

• AI processing serves the legitimate purpose of providing the Service (briefings, analytics, predictions)
• Personal Data sent to AI sub-processors (OpenAI, Anthropic) is transmitted via encrypted API calls
• AI sub-processors do not retain Personal Data beyond the API request lifecycle
• AI sub-processors do not use Customer Data to train their models (per their enterprise agreements)
• AI-generated outputs may contain derived insights but not raw Personal Data
• The Controller can disable AI features at any time through account settings
• AI processing does not involve automated decision-making with legal effects (Article 22 GDPR)
11. Term and Termination

This DPA:

• Takes effect upon the Customer's acceptance of the Terms of Service
• Remains in effect for the duration of the Service agreement
• Survives termination of the Service agreement to the extent necessary for data deletion obligations

Upon termination:

• The Processor shall cease processing Personal Data (except as required for deletion)
• At the Controller's choice, the Processor shall delete or return all Personal Data within 90 days
• The Processor shall certify deletion in writing upon request
• Backup copies shall be deleted within 30 days following primary data deletion
12. Contact

Data Protection Officer: dpo@kolva.ai
Legal inquiries: legal@kolva.ai
Security inquiries: security@kolva.ai

Talentee LLC
Wilmington, Delaware, United States
https://kolva.ai