Data Protection Addendum
Coherendz India Private Limited
This Data Protection Addendum ("Addendum") is entered into between Coherendz India Private Limited ("Coherendz") and the Customer pursuant to the Terms of Service at hoopstr.ai or other written/electronic agreement incorporating this Addendum (the "Agreement").
Customer enters into this Addendum on behalf of itself and any Affiliates authorised to use the Services under the Agreement. The Parties agree that the terms below shall be added as an Addendum to the Agreement.
1. Definitions
- Affiliate: Entity that owns/controls, is owned/controlled by, or shares common control/ownership with Customer or Coherendz.
- Customer Personal Data: Personal Data provided by or available to Coherendz, or collected by Coherendz on behalf of Customer, processed by Coherendz to perform the Services.
- Controller to Processor SCCs: Standard contractual clauses for cross-border transfers published by the European Commission (June 4, 2021).
- Data Protection Laws: Local, state, or national law regarding Personal Data processing applicable to Coherendz, including GDPR, UK GDPR, and Swiss DPA.
- EU Area: European Union, European Economic Area, United Kingdom, and Switzerland.
- Services: Services supplied by Coherendz to Customer pursuant to the Agreement.
- Third Country: Countries without adequacy decisions for cross-border Personal Data transfers.
2. Roles of the Parties
Customer acts as Business or Controller, and Coherendz acts as Service Provider or Processor in relation to Customer Personal Data. This Addendum applies solely to Processing of Customer Personal Data by Coherendz acting as Processor, Subprocessor, or Third Party. Customer is solely responsible for ensuring timely communications to Customer's Affiliates regarding compliance with applicable Data Protection Laws.
3. Description and Purpose of Processing
Processing details are set out in Annex 1. Processing purpose is the provision of Services pursuant to the Agreement and any Order Form(s). Parties may amend Annex 1 on mutual written agreement as reasonably necessary.
4. Data Processing Terms
Customer Obligations
Customer shall comply with all applicable Data Protection Laws in connection with this Addendum. Customer is solely responsible for compliance regarding collection and transfer of Customer Personal Data to Coherendz. Customer agrees not to provide Coherendz with data concerning health, religion, or special categories of data as defined in Article 9 of the GDPR.
Coherendz Obligations
- Process Customer Personal Data solely on documented instructions of Customer for purposes of providing the Services.
- Not sell, share, or use Customer Personal Data outside of the business relationship with Customer.
- Ensure personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with Article 32 of the GDPR, including pseudonymisation, encryption, and regular testing of security measures.
- Give at least 30 calendar days' notice before adding or changing sub-processors listed in Annex 2.
- Promptly notify Customer of any legally binding requests for disclosure of Customer Personal Data.
- Notify Customer without undue delay upon becoming aware of a Personal Data Breach, including all information reasonably required to comply with data breach reporting obligations.
- Assist Customer in fulfilling obligations under Articles 32–36 of the GDPR.
- Upon termination, return or delete all Customer Personal Data, unless retention is required by applicable law.
- Maintain records and allow for audits, including inspections, by Customer or its designated auditor.
5. Restricted Transfers
Where Customer Personal Data is transferred to a Third Country, such transfers comply with EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
- EU GDPR transfers: Module Two (controller to processor) applies; governed by Irish law; disputes resolved before the courts of the Republic of Ireland.
- Swiss DPA transfers: EU SCCs apply with modifications for Swiss law and regulatory authorities.
- UK GDPR transfers: EU SCCs apply as modified by the UK Transfer Addendum.
6. Precedence
Provisions of this Addendum are supplemental to the Agreement. In the event of inconsistency, Addendum provisions shall prevail over the Agreement. The Controller to Processor SCCs shall control in the event of any contradiction with this Addendum or the Agreement.
7. Indemnity
Customer shall defend and indemnify Coherendz and its Affiliates from and against any claims, losses, damages, fines, and costs arising from any breach by Customer of this Addendum or its obligations under applicable Data Protection Laws.
8. Security Measures
Technical and organisational measures implemented by Coherendz include:
- ISO/IEC 27001:2013 certified information security management system
- Multi-factor authentication and role-based access controls
- HTTPS/TLS encryption for all data in transit; encryption at rest
- Multi-availability zone AWS infrastructure
- Regular independent penetration testing and vulnerability assessments
- Background checks for personnel with access to Customer Personal Data
- Formal incident response, disaster recovery, and business continuity programs
- Security logging and monitoring across all production systems
Annex 1 — Description of Processing Activities
Data Importer
- Name: Coherendz India Private Limited
- Address: H.No. 2-17-76/3/1, Plot No.105, Raghavendra Nagar Uppal, Hyderabad, TG 500039, India
- Contact: Paresh Masade, CEO — hello@hoopstr.ai
- Role: Processor
Categories of Personal Data Transferred
- Name
- Email ID
- Personal Phone Number
- Location / Address
- Last Details at Company / Educational Institution
- Professional Details (Current Work, Education)
- Date of Birth
- Gender
Sensitive Personal Data
None.
Frequency of Transfer
Continuous, throughout the contract period.
Annex 2 — List of Sub-Processors
| Sub-Processor | Details of Processing | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for alumni engagement platform | Per customer contract |
| Google Workspace | Internal email services | India |
| Zoho | Book-keeping services | India |
| Atlassian | Work management | USA |
| Google Analytics | Product analytics | USA |
| Bitbucket | Code version control | USA |
| Slack | Internal communication | USA |
| Freshworks | Customer service tool & sales CRM | India |
| OpenAI | AI data processing | USA |
| Mailgun | Email communications for scoped users | USA |
| BillDesk / Cashfree / RazorPay / CCAvenue | Payment gateway (India) | India |
| PayPal / Mastercard Payment Gateway | Payment gateway (Overseas) | Various |
| Airtable | Customer data storage | USA |
Data Protection Officer
- Name: Jaipal Reddy K
- Designation: Data Protection Officer & Director
- Email: jaipal@hoopstr.ai