Data Processing Addendum

Effective date: 1 May 2026
Last updated: 18 May 2026
Version: 1.0

This Data Processing Addendum ("DPA") supplements the Terms of Service ("Terms") between JM&Co SRL ("Sylatris", "Processor") and the Customer ("Controller") and governs the processing of personal data by Sylatris on behalf of the Customer in connection with the Service.

This DPA is incorporated by reference into the Terms in accordance with Section 6.4. Capitalised terms not defined herein have the meanings given in the Terms.

1. Definitions

(a) "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of personal data, including Regulation (EU) 2016/679 ("GDPR") and its national implementations.

(b) "Personal Data" means any information relating to an identified or identifiable natural person processed by Sylatris on behalf of the Customer through the Service.

(c) "Processing" has the meaning given in Article 4(2) of the GDPR.

(d) "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

(e) "Sub-processor" means any third party engaged by Sylatris to process Personal Data on behalf of the Customer.

2. Scope and roles

2.1 The Customer is the Controller and Sylatris is the Processor of Personal Data processed through the Service, within the meaning of GDPR Article 28.

2.2 Sylatris processes Personal Data solely on documented instructions from the Controller, including the instructions set forth in the Terms, this DPA, and any subsequent written instructions agreed by the parties.

3. Details of processing

| Element | Description |
|---|---|
| Subject matter | Provision of the Sylatris business management platform |
| Duration | Duration of the Terms plus the retention period in Section 16.5 of the Terms |
| Nature and purpose | Hosting, storage, retrieval, display, AI-assisted extraction and classification of business documents, conversational assistance, invoicing, expense management, and customer relationship management |
| Types of Personal Data | Names, email addresses, postal addresses, VAT numbers, bank account details (IBAN/BIC), invoice and expense records, uploaded document content, chat messages, authentication data |
| Categories of data subjects | Customer's employees and authorised users; Customer's end clients and suppliers (as referenced in invoices, expenses, and customer records) |

4. Obligations of the Processor

Sylatris shall:

(a) Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law, in which case Sylatris shall inform the Controller of that legal requirement before processing (unless prohibited by law);

(b) Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 9 of this DPA;

(d) Respect the conditions for engaging Sub-processors as set forth in Section 6 of this DPA;

(e) Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR;

(f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Sylatris;

(g) At the choice of the Controller, delete all Personal Data or return it to the Controller after the end of the provision of the Service, in accordance with Section 16.5 of the Terms, and delete existing copies unless EU or Member State law requires storage;

(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

5. Obligations of the Controller

The Controller shall:

(a) Ensure that the processing of Personal Data through the Service has a valid legal basis under Applicable Data Protection Law;

(b) Provide all necessary notices to data subjects and obtain any required consents;

(c) Ensure the accuracy and lawfulness of Personal Data provided to Sylatris;

(d) Comply with all obligations of a controller under Applicable Data Protection Law.

6. Sub-processors

6.1 The Controller provides general written authorisation for Sylatris to engage Sub-processors. The current list of Sub-processors is maintained at sylatris.com/privacy/sub-processors.

6.2 Sylatris shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within thirty (30) days. If the Controller objects on reasonable data protection grounds, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Service.

6.3 Sylatris shall impose on each Sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA.

6.4 Sylatris remains fully liable to the Controller for the performance of each Sub-processor's obligations.

7. Data transfers

7.1 Sylatris shall not transfer Personal Data to a country outside the EEA unless appropriate safeguards are in place in accordance with Chapter V of the GDPR.

7.2 For transfers to Sub-processors in the United States, Sylatris relies on one or both of the following transfer mechanisms:

(a) EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914);

(b) The EU-US Data Privacy Framework adequacy decision (adopted 10 July 2023), where the recipient is a certified participant.

7.3 In addition to the mechanism relied on under Section 7.2, Sylatris applies supplementary technical measures, including encryption in transit (TLS 1.3) and at rest (AES-256). These measures supplement, and do not replace, the transfer mechanisms in Section 7.2.

8. Data breach notification

8.1 Sylatris shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

8.2 The notification shall include:

(a) A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records concerned;

(b) The name and contact details of the point of contact for further information;

(c) A description of the likely consequences of the Data Breach;

(d) A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

9. Security measures

Sylatris implements the following technical and organisational measures:

(a) Encryption: TLS 1.3 for data in transit; AES-256 for data at rest (Supabase managed encryption);

(b) Authentication: Magic-link email authentication via Supabase Auth; no password storage;

(c) Access control: Row-level security (RLS) enforced at the database layer; role-based access (owner/admin/accountant) within organisations;

(d) Infrastructure: Application hosted on Vercel (EU edge); database hosted on Supabase (EU-Central, Frankfurt);

(e) Monitoring: Server-side error logging; webhook signature verification; idempotency guards on payment events;

(f) Personnel: Access to production systems limited to authorised personnel under confidentiality obligations;

(g) Sub-processor security: All Sub-processors maintain a current SOC 2 Type II attestation report or an equivalent independent assessment (e.g., ISO/IEC 27001 certification).

10. Audit

10.1 Sylatris shall make available to the Controller, on request, evidence of compliance with this DPA, including relevant certifications, audit reports (e.g., SOC 2 Type II), and documented security practices.

10.2 The Controller may conduct an audit, or appoint a qualified third-party auditor (bound by confidentiality), to verify compliance with this DPA. Audits shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably interfere with Sylatris's operations.

11. Liability

The liability of each party under this DPA is subject to the limitations of liability set forth in the Terms (Section 14).

12. Term and termination

12.1 This DPA takes effect on the Effective Date of the Terms and remains in force for as long as Sylatris processes Personal Data on behalf of the Controller.

12.2 Upon termination, Sylatris shall comply with the data retention and deletion provisions of Section 16.5 of the Terms.

13. Contact

For questions about this DPA or data processing:

Email: privacy@sylatris.com