Data Processing Addendum

1. Introduction and Scope

This Data Processing Addendum ("DPA") governs Antology's processing of personal data on behalf of the Customer in connection with the Services. It forms part of the Antology Master Terms of Service (the "Agreement").

Antology Pte. Ltd., incorporated in Singapore, acts as the Processor, and the Customer acts as the Controller (or equivalent under applicable law).

2. Definitions

Data Protection Laws means all applicable privacy and data protection laws, including the EU GDPR, UK GDPR, Singapore Personal Data Protection Act 2012 (PDPA), and CCPA.

Personal Data means any information relating to an identified or identifiable natural person processed by Antology on behalf of the Customer.

Processing, Controller, Processor, subprocessor, Data Subject, and Supervisory Authority have the meanings given in the GDPR.

Customer Data means any data, including Personal Data, uploaded, shared, or transmitted by the Customer through the Service (including delivery, order, vehicle, or agent data, and related logistics information).

Standard Contractual Clauses (SCCs) means the EU Commission Clauses approved under Implementing Decision 2021/914.

Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party ("control" meaning ownership or control of more than 50 percent of voting interests).

Authorized Affiliate means any Affiliate of the Customer that (a) is permitted to use the Services pursuant to the Agreement between Customer and Antology, (b) has not entered into its own separate agreement, and (c) is subject to Data Protection Laws applicable to the Customer. For purposes of this DPA, all Authorized Affiliates shall be deemed "Customer."

3. Roles and Relationship

The Customer is the Controller; Antology is the Processor. Antology processes Customer Data only to provide and improve the Services, as documented in this DPA and the Agreement, or as required by law with notice where permitted.

The Customer may extend this DPA to its Affiliates that use the Services, provided the Customer remains responsible for their compliance. Where applicable law requires, such Affiliates are deemed "Customer" for purposes of this DPA.

4. Categories of Data and Processing

Data Subjects: delivery recipients, drivers, agents, employees, or other individuals whose data appears in Customer uploads or integrations.

Types of Personal Data: names, addresses, contact details, route or location data, identifiers, email addresses, and related logistics information.

Special Categories: none anticipated; the Customer must not upload sensitive data unless explicitly agreed in writing.

Purpose: to provide route optimization, delivery analytics, and related logistics services.

Duration: for the term of the Agreement until deletion or return under Section 11.

5. Subprocessing

The Customer authorizes Antology to use subprocessors for hosting, analytics, support, and related services. Antology binds subprocessors to privacy and security obligations at least as protective as this DPA and remains responsible for their performance.

Antology will maintain a list of subprocessors and provide it to the Customer upon request.

6. Security of Processing

Antology implements appropriate technical and organizational measures, including encryption in transit and at rest, access controls, monitoring, incident response, employee confidentiality, and regular security testing.

7. Data Breach Notification

If Antology confirms a Personal Data Breach, it will notify the Customer without undue delay, provide details, likely impact, and remedial actions, and cooperate with the Customer and relevant authorities.

Unsuccessful incidents that do not result in unauthorized access to Customer Data—such as pings, port scans, failed log-ins, or denial-of-service attacks without system compromise—do not require notification.

8. Data Subject Requests

Antology assists the Customer in responding to Data Subject requests that the Customer cannot fulfill via the Services and will not respond directly to Data Subjects unless authorized or legally required.

Data Subjects may contact Antology regarding the processing of their Personal Data. Antology shall, where applicable, cooperate with and assist the Customer in responding to Data Subject requests under applicable Data Protection Laws, including GDPR Articles 12–23. Nothing in this DPA prevents Data Subjects from exercising their rights directly against the Customer or Antology to the extent required under the SCCs.

If Antology becomes aware that Personal Data it processes is materially inaccurate or outdated, it will inform the Customer without undue delay.

9. International Transfers

(a) Transfers under the GDPR and UK GDPR

Where Customer Data includes personal data originating from the EEA or UK and is transferred to or processed in a country that has not received an adequacy decision (including the United States), the parties agree to rely on the EU Standard Contractual Clauses (EU Commission Implementing Decision 2021/914, Module 2) as the transfer mechanism.

For the SCCs:

• The data exporter is the Customer.
• The data importer is Antology Pte. Ltd.
• Clause 17 (Governing Law): The laws of Ireland apply.
• Clause 18 (Dispute Resolution): The courts of Ireland have jurisdiction.

Antology additionally safeguards transfers through encryption, limited access, and documented risk assessments in accordance with SCC Clause 14.

(b) Transfers under Singapore PDPA

Where the Customer's data is subject to Singapore's Personal Data Protection Act (PDPA), Antology ensures that such transfers comply with the PDPA's cross-border transfer requirements by providing a comparable standard of protection to that under the PDPA.

10. Confidentiality

Antology ensures personnel authorized to process Customer Data are bound by confidentiality and receive appropriate data-protection training.

11. Audits and Compliance

Antology will make available information reasonably necessary to demonstrate compliance.

Audits may be performed no more than once every 12 months with 30 days' prior written notice. Antology may satisfy audit requests through current independent audit reports or certifications. On-site audits occur during business hours, must not unreasonably interfere with operations, and are limited to systems relevant to the Services. Auditors must sign confidentiality agreements.

Antology will cooperate with any competent Supervisory Authority in the performance of its audit or inspection obligations under the GDPR and SCCs.

12. Return or Deletion of Data

Upon termination or expiry, Antology will, at the Customer's choice, return Customer Data in a common format or delete it unless retention is required by law. Backup data is securely deleted within 90 days. Antology will certify deletion upon the Customer's request.

13. Local Laws and Government Access

Antology has no reason to believe that the laws or practices of the countries in which it processes Personal Data (including the United States) prevent it from fulfilling its obligations under this DPA or the SCCs.

In the event Antology receives a legally binding request from a public authority to disclose Personal Data, it shall notify the Customer (unless prohibited by law), assess the legality of the request, challenge it where appropriate, and disclose only the minimum necessary data. Antology shall document its assessment and any actions taken and make such documentation available to the Customer upon request.

14. Assistance and Cooperation

Antology and the Customer shall document their assessment of the laws and practices of the countries in which Personal Data is processed, including the United States, to verify that they do not prevent the Processor from fulfilling its obligations under this DPA or the SCCs. Each party shall make this documentation available to the competent Supervisory Authority upon request.

Antology will also provide reasonable assistance with data-protection impact assessments, prior consultations, breach notifications, and compliance demonstrations, taking into account the nature of processing and information available to it.

15. Liability

Each party's liability under this DPA is subject to the limitations in the Agreement, except where prohibited by applicable law.

16. Conflict, Governing Law, and Duration

If this DPA conflicts with the Agreement, this DPA controls for personal-data processing matters.

This DPA follows the Agreement's governing law except where the SCCs specify otherwise and remains in effect while Antology processes Customer Data.

Appendix 1 – Technical and Organizational Measures

• Role-based access control and authentication.
• Encryption in transit (TLS 1.2+) and at rest (AES 256 or equivalent).
• Network segmentation, firewalls, and secure remote access.
• Continuous monitoring, alerting, and restricted log access.
• Personnel screening and ongoing security training.
• Physical data-center protection and access logs.
• Business continuity and disaster recovery testing.
• Vendor management with subprocessor due diligence and contractual safeguards.

Appendix 2 – Subprocessor List

Available upon request. Advance notice and objection rights apply as stated in Section 5.

Appendix 3 – Data Subject Request Handling

Antology routes any Data Subject communications it receives to the Customer's designated contact and provides reasonable technical assistance needed to fulfill verified requests.