Data Processing Agreement

Last updated: January 2025

Welcome to Mynzo CarbonThis Data Processing Agreement ("DPA") forms part of the Terms of Use between Customer and "Mynzo Carbon" under which the Processor provides the Controller with the software and services (the "Services"). The Controller and the Processor are individually referred to as a "Party" and collectively as the "Parties". The Parties seek to implement this DPA to comply with the requirements of EU GDPR in relation to Processor's processing of Personal Data as part of its obligations under the Agreement.This DPA shall apply to Processor's processing of Personal Data, provided by the Controller as part of Processor's obligations under the Agreement.

1. Definitions

Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:Data Transfer:A transfer of the Personal Data from the Controller to the Processor, or between two establishments of the Processor, or with a Sub- processor by the Processor.EU GDPR:The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with nregard to the processing of personal data.Controller:The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.Processor:A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.Sub-processor:A processor/sub-contractor appointed by the Processor for the provision of all or parts of the Services and Processes the Personal Data as provided by the Controller.

2. Purpose of this Agreement

This DPA sets out various obligations of the Processor in relation to the Processing of Personal Data and shall be

limited to the Processor's obligations under the Agreement. If there is a conflict between the provisions of the

Agreement and this DPA, the provisions of this DPA shall prevail.

3. Categories of Personal Data

The Controller authorizes permission to the Processor to process the Personal Data to the extent determined and regulated by

the Controller.

4. Purpose of Processing

The objective of Processing shall be limited to the Processor's provision of the Services to the Controller,pursuant to the Agreement.

5. Duration of Processing

The Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the

Controller.

6. Data Controller's Obligations

The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed services.• Provide all natural persons with relevant privacy notices• Request Data Processor to purge Personal Data when required• Ensure appropriate legal basis for data processing activities• Obtain necessary Data Subject consents for Processing

7. Data Processor's Obligations

Processing InstructionsThe Processor will follow written and documented instructions received from the Controller with respect to the Processing of Personal Data. The Processing described in the Agreement shall be considered as Instruction from the Controller.

Assistance and Compliance

• Provide reasonable assistance in responding to Data Subject requests• Obtain consent and provide notice in accordance with Data Protection Laws• Ensure contractual obligations for data transfers outside territorial boundaries• Inform Controller if processing instruction infringes applicable legislation• Assist in conducting Data Protection Impact Assessments (DPIAs)

8. Data Secrecy

To Process the Personal Data, the Processor will use personnel who are: • Informed of the confidential nature of the Personal Data• Perform the Services in accordance with the AgreementThe Processor will regularly train individuals having access to Personal Data in data security and privacy, ensuring all

Personal Data is kept strictly confidential with appropriate technical and organizational measures.

9. Audit Rights

Upon Controller's reasonable request, the Processor will make available information necessary to demonstrate

compliance with EU GDPR obligations.• Controller must provide at least fifteen (15) days' prior written notice for audits• Processor will provide reasonable cooperation and assistance• Controller shall bear the expense of such audits

10. Data Transfers

Any Data Transfer outside the European Economic Area (EEA) shall only take place in compliance with detailed Schedule 1 requirements and appropriate safeguards.

11. Sub-processors

Processor may engage third-party Sub-processors with appropriate technical and organizational measures. Controller will be notified at least thirty (30) calendar days before changes.

12. Personal Data Breach Notification

The Processor shall maintain defined procedures for Personal Data Breaches and notify Controller without undue delay if it becomes aware of any breach unless such breach is unlikely to result in risk to rights and freedoms of natural persons.Note: Processor's notification of or response to a Personal Data Breach will not be construed as an acknowledgement of any fault or liability.

13. Return and Deletion

At least thirty (30) days from the end of the Agreement, Processor shall return or delete all Personal Data as instructed by Controller in a commonly used format.

14. Technical Measures

Processor will take appropriate technical and organizational measures against unauthorized processing and accidental loss, ensuring security appropriate to potential harm and data nature.

Contact Information

Data Importer (Mynzo Carbon)Address:

6th Floor, Avanta Coworking Space,

Park Centra, Sector 30,

Gurugram, HaryanaData Protection Officer: Ravi KiranEmail: ravi.kiran@mynzocarbon.comThis DPA forms an integral part of our commitment to data protection and GDPR compliance in all processing activities.

Data Processing Agreement

Last updated: January 2025

Welcome to Mynzo CarbonThis Data Processing Agreement ("DPA") forms part of the Terms of Use between Customer and "Mynzo Carbon" under which the Processor provides the Controller with the software and services (the "Services"). The Controller and the Processor are individually referred to as a "Party" and collectively as the "Parties". The Parties seek to implement this DPA to comply with the requirements of EU GDPR in relation to Processor's processing of Personal Data as part of its obligations under the Agreement.This DPA shall apply to Processor's processing of Personal Data, provided by the Controller as part of Processor's obligations under the Agreement.

1. Definitions

Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:Data Transfer:A transfer of the Personal Data from the Controller to the Processor, or between two establishments of the Processor, or with a Sub- processor by the Processor.EU GDPR:The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with nregard to the processing of personal data.Controller:The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.Processor:A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.Sub-processor:A processor/sub-contractor appointed by the Processor for the provision of all or parts of the Services and Processes the Personal Data as provided by the Controller.

2. Purpose of this Agreement

This DPA sets out various obligations of the Processor in relation to the Processing of Personal Data and shall be

limited to the Processor's obligations under the Agreement. If there is a conflict between the provisions of the

Agreement and this DPA, the provisions of this DPA shall prevail.

3. Categories of Personal Data

The Controller authorizes permission to the Processor to process the Personal Data to the extent determined and regulated by

the Controller.

4. Purpose of Processing

The objective of Processing shall be limited to the Processor's provision of the Services to the Controller,pursuant to the Agreement.

5. Duration of Processing

The Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the

Controller.

6. Data Controller's Obligations

The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed services.• Provide all natural persons with relevant privacy notices• Request Data Processor to purge Personal Data when required• Ensure appropriate legal basis for data processing activities• Obtain necessary Data Subject consents for Processing

7. Data Processor's Obligations

Processing InstructionsThe Processor will follow written and documented instructions received from the Controller with respect to the Processing of Personal Data. The Processing described in the Agreement shall be considered as Instruction from the Controller.

Assistance and Compliance

• Provide reasonable assistance in responding to Data Subject requests• Obtain consent and provide notice in accordance with Data Protection Laws• Ensure contractual obligations for data transfers outside territorial boundaries• Inform Controller if processing instruction infringes applicable legislation• Assist in conducting Data Protection Impact Assessments (DPIAs)

8. Data Secrecy

To Process the Personal Data, the Processor will use personnel who are: • Informed of the confidential nature of the Personal Data• Perform the Services in accordance with the AgreementThe Processor will regularly train individuals having access to Personal Data in data security and privacy, ensuring all

Personal Data is kept strictly confidential with appropriate technical and organizational measures.

9. Audit Rights

Upon Controller's reasonable request, the Processor will make available information necessary to demonstrate

compliance with EU GDPR obligations.• Controller must provide at least fifteen (15) days' prior written notice for audits• Processor will provide reasonable cooperation and assistance• Controller shall bear the expense of such audits

10. Data Transfers

Any Data Transfer outside the European Economic Area (EEA) shall only take place in compliance with detailed Schedule 1 requirements and appropriate safeguards.

11. Sub-processors

Processor may engage third-party Sub-processors with appropriate technical and organizational measures. Controller will be notified at least thirty (30) calendar days before changes.

12. Personal Data Breach Notification

The Processor shall maintain defined procedures for Personal Data Breaches and notify Controller without undue delay if it becomes aware of any breach unless such breach is unlikely to result in risk to rights and freedoms of natural persons.Note: Processor's notification of or response to a Personal Data Breach will not be construed as an acknowledgement of any fault or liability.

13. Return and Deletion

At least thirty (30) days from the end of the Agreement, Processor shall return or delete all Personal Data as instructed by Controller in a commonly used format.

14. Technical Measures

Processor will take appropriate technical and organizational measures against unauthorized processing and accidental loss, ensuring security appropriate to potential harm and data nature.

Contact Information

Data Importer (Mynzo Carbon)Address:

6th Floor, Avanta Coworking Space,

Park Centra, Sector 30,

Gurugram, HaryanaData Protection Officer: Ravi KiranEmail: ravi.kiran@mynzocarbon.comThis DPA forms an integral part of our commitment to data protection and GDPR compliance in all processing activities.

Data Processing Agreement

Last updated: January 2025

Welcome to Mynzo CarbonThis Data Processing Agreement ("DPA") forms part of the Terms of Use between Customer and "Mynzo Carbon" under which the Processor provides the Controller with the software and services (the "Services"). The Controller and the Processor are individually referred to as a "Party" and collectively as the "Parties". The Parties seek to implement this DPA to comply with the requirements of EU GDPR in relation to Processor's processing of Personal Data as part of its obligations under the Agreement.This DPA shall apply to Processor's processing of Personal Data, provided by the Controller as part of Processor's obligations under the Agreement.

1. Definitions

Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:Data Transfer:A transfer of the Personal Data from the Controller to the Processor, or between two establishments of the Processor, or with a Sub- processor by the Processor.EU GDPR:The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with nregard to the processing of personal data.Controller:The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.Processor:A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.Sub-processor:A processor/sub-contractor appointed by the Processor for the provision of all or parts of the Services and Processes the Personal Data as provided by the Controller.

2. Purpose of this Agreement

This DPA sets out various obligations of the Processor in relation to the Processing of Personal Data and shall be

limited to the Processor's obligations under the Agreement. If there is a conflict between the provisions of the

Agreement and this DPA, the provisions of this DPA shall prevail.

3. Categories of Personal Data

The Controller authorizes permission to the Processor to process the Personal Data to the extent determined and regulated by

the Controller.

4. Purpose of Processing

The objective of Processing shall be limited to the Processor's provision of the Services to the Controller,pursuant to the Agreement.

5. Duration of Processing

The Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the

Controller.

6. Data Controller's Obligations

The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed services.• Provide all natural persons with relevant privacy notices• Request Data Processor to purge Personal Data when required• Ensure appropriate legal basis for data processing activities• Obtain necessary Data Subject consents for Processing

7. Data Processor's Obligations

Processing InstructionsThe Processor will follow written and documented instructions received from the Controller with respect to the Processing of Personal Data. The Processing described in the Agreement shall be considered as Instruction from the Controller.

Assistance and Compliance

• Provide reasonable assistance in responding to Data Subject requests• Obtain consent and provide notice in accordance with Data Protection Laws• Ensure contractual obligations for data transfers outside territorial boundaries• Inform Controller if processing instruction infringes applicable legislation• Assist in conducting Data Protection Impact Assessments (DPIAs)

8. Data Secrecy

To Process the Personal Data, the Processor will use personnel who are: • Informed of the confidential nature of the Personal Data• Perform the Services in accordance with the AgreementThe Processor will regularly train individuals having access to Personal Data in data security and privacy, ensuring all

Personal Data is kept strictly confidential with appropriate technical and organizational measures.

9. Audit Rights

Upon Controller's reasonable request, the Processor will make available information necessary to demonstrate

compliance with EU GDPR obligations.• Controller must provide at least fifteen (15) days' prior written notice for audits• Processor will provide reasonable cooperation and assistance• Controller shall bear the expense of such audits

10. Data Transfers

Any Data Transfer outside the European Economic Area (EEA) shall only take place in compliance with detailed Schedule 1 requirements and appropriate safeguards.

11. Sub-processors

Processor may engage third-party Sub-processors with appropriate technical and organizational measures. Controller will be notified at least thirty (30) calendar days before changes.

12. Personal Data Breach Notification

The Processor shall maintain defined procedures for Personal Data Breaches and notify Controller without undue delay if it becomes aware of any breach unless such breach is unlikely to result in risk to rights and freedoms of natural persons.Note: Processor's notification of or response to a Personal Data Breach will not be construed as an acknowledgement of any fault or liability.

13. Return and Deletion

At least thirty (30) days from the end of the Agreement, Processor shall return or delete all Personal Data as instructed by Controller in a commonly used format.

14. Technical Measures

Processor will take appropriate technical and organizational measures against unauthorized processing and accidental loss, ensuring security appropriate to potential harm and data nature.

Contact Information

Data Importer (Mynzo Carbon)Address:

6th Floor, Avanta Coworking Space,

Park Centra, Sector 30,

Gurugram, HaryanaData Protection Officer: Ravi KiranEmail: ravi.kiran@mynzocarbon.comThis DPA forms an integral part of our commitment to data protection and GDPR compliance in all processing activities.