Data Processing Agreement
Article 1 — Definitions
1.1 "Controller", "Processor", "Processing", "Data Subject", "Personal Data", "Personal Data Breach", "Special Categories of Personal Data", and "Supervisory Authority" shall have the meanings assigned to them in the applicable Data Protection Legislation.
1.2 "Data Protection Legislation" means Regulation (EU) 2016/679 (the "GDPR") and any applicable national implementing legislation, as well as any other data protection legislation applicable to the Processing of Personal Data under this DPA, including the Swiss Federal Act on Data Protection ("FADP") where applicable.
1.3 "Services" means the services provided by the Processor to the Controller as set out in the Principal Agreement.
1.4 "Sub-processor" means a third-party processor engaged by the Processor which, as part of the Processor's role under this DPA, will Process Personal Data on behalf of the Controller.
1.5 "Technical and Organisational Measures" means the security measures described in Annex 2 that the Processor implements to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Article 2 — Scope, Purpose, and Technical Architecture
2.1 In the performance of the Services, the Processor shall Process Personal Data on behalf of and in accordance with (i) the documented instructions of the Controller, (ii) this DPA, and (iii) the obligations set out in the applicable Data Protection Legislation that apply directly to Processors.
2.2 The nature and purpose of the Processing, the duration, the type of Personal Data, and the categories of Data Subjects are set out in Annex 1 (Information Relating to the Processing).
2.3 Technical Architecture. The Parties acknowledge that the Product (Involv Intranet) is a software application that operates entirely within the Controller's own Microsoft 365 tenant. All Personal Data processed through the Product—including intranet content, documents, user profiles, and activity logs—is stored and processed within the Controller's Microsoft 365 environment. Cognit does not maintain a separate infrastructure for the storage or processing of the Controller's Personal Data.
2.4 License Telemetry. The Product transmits a daily, automated count of active users ("License Telemetry") to Cognit's systems for the sole purpose of license compliance verification. The License Telemetry consists exclusively of an aggregate numerical count and does not contain Personal Data, pseudonymised identifiers, or any information that could directly or indirectly identify a natural person.
2.5 Product Telemetry. The Product may collect pseudonymised usage data (feature usage patterns, navigation flows, and product interaction metrics) within the Controller's Microsoft 365 tenant and transmit this data to the Processor's own Microsoft 365 tenant for the purposes of measuring product adoption and improving product quality ("Product Telemetry"). Product Telemetry consists of audit logs containing pseudonymised identifiers (UIDs) that do not directly identify a natural person. The Product Telemetry data is stored and processed on the Processor's infrastructure. The Controller may disable Product Telemetry upon written request to Cognit.
2.6 AI Features. Where the Controller has enabled AI Features within the Product, the Parties acknowledge that such features operate through the Controller's own Microsoft Azure OpenAI services. Cognit does not process, access, or store any Personal Data processed by the AI Features. The Controller is solely responsible for the configuration, use, and compliance of the AI Features with applicable Data Protection Legislation.
Article 3 — Obligations of the Controller
3.1 The Controller shall be responsible for complying with all its obligations as set out in the Data Protection Legislation, including ensuring compliance with the principles relating to the Processing of Personal Data.
3.2 The Controller shall be solely responsible for determining the purposes of the Processing and for providing the documented instructions according to which the Processor shall be entitled to Process Personal Data.
3.3 The Controller shall designate a single point of contact (the "Data Protection SPOC") for all matters concerning the Processing under this DPA. All decisions and instructions from the Data Protection SPOC are assumed to be authorised by the Controller. The Data Protection SPOC shall be identified in Annex 4 (SPOC).
Article 4 — Obligations of the Processor
4.1 The Processor shall Process Personal Data only upon documented instruction of the Controller. If the Processor believes that an instruction conflicts with the requirements of the applicable Data Protection Legislation, the Processor shall immediately inform the Controller, unless prohibited by law.
4.2 The Processor shall ensure that all persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, the Processor shall implement appropriate Technical and Organisational Measures to protect Personal Data, as described in Annex 2 (Technical and Organisational Measures).
4.4 Upon reasonable request and taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate Technical and Organisational Measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under the applicable Data Protection Legislation. The Processor shall notify the Controller of any such request received directly from a Data Subject. The Processor shall be entitled to compensation for such assistance at its standard hourly rates.
4.5 Upon reasonable request, the Processor shall provide assistance to the Controller in relation to (i) the security of Processing, (ii) the notification of a Personal Data Breach, (iii) the carrying out of a data protection impact assessment, and (iv) prior consultation with the Supervisory Authority, taking into account the nature of the Processing and the information available to the Processor. The Processor shall be entitled to compensation for such assistance at its standard hourly rates.
4.6 The Processor shall make available all information reasonably necessary to demonstrate compliance with its obligations under this DPA and shall contribute to audits, including inspections, in accordance with Article 7.
Article 5 — Sub-processing
5.1 The Controller grants the Processor general authorisation to engage Sub-processors for the Processing of Personal Data under this DPA. The Sub-processors engaged at the date of this DPA are listed in Annex 3 (Sub-processors).
5.2 For the avoidance of doubt, the Controller's own Microsoft 365 environment (including SharePoint Online, Azure Active Directory, and associated services) is provided to the Controller directly by Microsoft under the Controller's own agreement with Microsoft. Microsoft is not a Sub-processor of Cognit with respect to Personal Data stored and processed within the Controller's tenant. The Sub-processors listed in Annex 3 relate exclusively to data that the Processor stores or processes on its own infrastructure.
5.3 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. If the Controller objects within thirty (30) days of notification, the Parties shall work together in good faith to find a mutually acceptable solution. If no resolution can be reached within a reasonable period, the Controller may terminate the affected Services.
5.4 Where the Processor engages a Sub-processor, the Processor shall impose on the Sub-processor the same data protection obligations as set out in this DPA by way of a written contract. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
Article 6 — Personal Data Breach Notification
6.1 In the event of a Personal Data Breach affecting Personal Data that the Processor stores or processes on its own infrastructure (including Product Telemetry data, License Telemetry data, and support correspondence), the Processor shall notify the Controller without undue delay and in any event within forty-eight (48) hours after becoming aware of the breach.
6.2 The Parties acknowledge that the Processor does not have access to, and cannot monitor, the Controller's Microsoft 365 security environment. The Processor's breach notification obligation under this Article 6 is limited to Personal Data within the Processor's own systems and infrastructure. The Controller is solely responsible for monitoring, detecting, and responding to security incidents within the Controller's own Microsoft 365 tenant.
6.3 In the event the Processor becomes aware of a vulnerability in the Product that could compromise the security of Personal Data within the Controller's tenant, the Processor shall notify the Controller without undue delay.
6.4 The notification under Article 6.1 shall include, to the extent such information is reasonably available to the Processor:
- a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate numbers of Data Subjects and Personal Data records concerned;
- the name and contact details of the Data Protection SPOC or other contact point where more information can be obtained;
- the likely consequences of the Personal Data Breach; and
- the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.5 Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
Article 7 — Audit and Compliance Verification
7.1 Upon the Controller's reasonable request, the Processor may demonstrate compliance with its obligations by providing the Controller with relevant certifications, summary audit reports, or other documentation concerning the Technical and Organisational Measures taken. The Controller may ask additional questions and the Processor will reasonably cooperate by providing additional information.
7.2 Where no such certifications or summary reports are available, the Controller shall be entitled to audit or have audited the Processor's compliance with this DPA, subject to the following conditions:
- any such audit may not take place more than once per calendar year;
- the Controller shall provide the Processor with at least thirty (30) days' prior written notice;
- the audit shall take place during normal business hours and shall not unreasonably interfere with the Processor's operations;
- the external auditor shall not be a competitor of the Processor and shall sign a non-disclosure agreement prior to the audit; and
- the Controller shall bear all costs of the audit.
7.3 The Controller shall, or shall request its auditors to, share a draft version of the audit report with the Processor. The Processor shall be entitled to present its comments within a reasonable timeframe. The auditor shall take into account the Processor's comments in the final report.
Article 8 — International Transfers
8.1 Given that the Product operates entirely within the Controller's own Microsoft 365 tenant, the standard use of the Product does not involve any transfer of Personal Data by the Processor to a third country or international organisation.
8.2 To the extent that any Processing under this DPA involves a transfer of Personal Data to a third country or international organisation (for example, where support activities require temporary access to the Controller's environment from a location outside the EEA), such transfer shall only take place in accordance with the principles set out in the applicable Data Protection Legislation and on the basis of:
- an adequacy decision by the European Commission or, where applicable, the Swiss Federal Council;
- appropriate safeguards, including standard contractual clauses adopted by the European Commission; or
- any other valid transfer mechanism under the applicable Data Protection Legislation.
8.3 The Processor shall inform the Controller of any intended transfer of Personal Data to a third country prior to such transfer taking place, and the Controller shall have the right to object within thirty (30) days of notification.
Article 9 — Term, Termination, and Data Return
9.1 This DPA shall come into force on the date of signature of this DPA or the Principal Agreement (whichever is later) and shall remain in force for the duration of the Principal Agreement.
9.2 Upon termination of the Principal Agreement, the Processor shall cease all Processing activities. At the choice of the Controller, the Processor shall delete or return all Personal Data related to the terminated Services and delete existing copies, except where storage of Personal Data is required by applicable law.
9.3 Given the technical architecture described in Article 2.3, the Parties acknowledge that Personal Data processed through the Product remains within the Controller's Microsoft 365 tenant at all times. Upon termination, the Controller retains full control of its data. The Processor's obligation under Article 9.2 is therefore limited to the deletion of any Personal Data that the Processor may hold outside the Controller's tenant (such as support correspondence or Product Telemetry data).
Article 10 — Liability
10.1 The Processor shall be liable only for damage caused by Processing that does not comply with the obligations of the Data Protection Legislation specifically directed to Processors, or that is outside of or contrary to the lawful instructions of the Controller.
10.2 The limitations of liability as set out in the Principal Agreement shall apply to claims under this DPA, except where such limitation is prohibited by applicable Data Protection Legislation.
Article 11 — Governing Law and Disputes
11.1 This DPA shall be governed by and construed in accordance with Belgian law.
11.2 Any dispute arising out of or in connection with this DPA that cannot be amicably settled shall be submitted to the exclusive jurisdiction of the courts of Belgium.
Article 12 — Miscellaneous
12.1 If any provision of this DPA is held to be invalid or unenforceable, it shall be deemed to be severable and the validity of the remaining provisions shall not be affected.
12.2 This DPA may only be modified by a written amendment signed by the authorised representatives of both Parties.
12.3 This DPA supersedes any prior data processing agreements between the Parties.
Signatures
By signing this DPA, the Parties acknowledge that they have read and understood the terms set out herein and agree to be bound by them.
Date: _________________________ Place: _________________________
| Cognit BV (Processor) | Controller |
|---|---|
| Name: ___________________ Title: ___________________ Signature: ___________________ | Name: ___________________ Title: ___________________ Signature: ___________________ |
Annex 1 — Information Relating to the Processing
1. Purpose and Duration of the Processing
The Processor processes Personal Data for the following purposes:
- Provision and operation of the Involv Intranet product within the Controller's Microsoft 365 tenant;
- Product Telemetry: collection of pseudonymised usage data for product improvement (unless disabled by the Controller);
- License Telemetry: daily automated transmission of an aggregate active user count for license compliance verification;
- Technical support and incident resolution upon Controller request;
- Implementation, configuration, and migration services as agreed in the Principal Agreement.
The duration of the Processing corresponds to the term of the Principal Agreement.
2. Categories of Data Subjects
The Personal Data processed concern the following categories of Data Subjects:
- Employees, contractors, and temporary staff of the Controller who use the Involv Intranet;
- External collaborators granted access to the Controller's Microsoft 365 tenant (guest users).
3. Categories of Personal Data
The Personal Data processed may include:
- Identity data: name, display name, job title, department, office location;
- Contact data: email address, telephone number;
- Microsoft 365 profile data: user principal name (UPN), profile photo, organisational hierarchy;
- Usage data: pseudonymised interaction logs (UIDs), page views, feature usage patterns;
- Content data: documents, news articles, pages, and other content published by Data Subjects on the intranet.
No Special Categories of Personal Data are intentionally processed. However, the Controller acknowledges that intranet content published by Data Subjects may incidentally contain such data, for which the Controller remains solely responsible.
4. Location of Processing
All Personal Data is stored and processed within the Controller's Microsoft 365 tenant. The geographic location of the data is determined by the Controller's Microsoft 365 tenant configuration. Cognit does not transfer or store Personal Data outside the Controller's tenant, except for:
- License Telemetry data (aggregate count only, no Personal Data) transmitted to Cognit's systems;
- Product Telemetry data (pseudonymised UIDs) where enabled, collected within the Controller's tenant and transmitted to the Processor's own Microsoft 365 tenant;
- Support correspondence initiated by the Controller.
Annex 2 — Technical and Organisational Measures
Given that the Product operates entirely within the Controller's Microsoft 365 environment, the primary Technical and Organisational Measures are those provided by Microsoft as part of the Microsoft 365 platform. The Controller is responsible for the configuration and management of its own Microsoft 365 security settings.
Cognit implements the following additional measures within its own organisation:
Access Control
- Access to the Controller's Microsoft 365 tenant is limited to authorised Cognit personnel who require access for the performance of the Services;
- All access is subject to multi-factor authentication (MFA);
- Access rights are reviewed periodically and revoked promptly upon termination of engagement.
Development Security
- Source code is managed in private repositories with access controls and audit trails;
- Code reviews are performed before release;
- No Customer Personal Data is used in development or testing environments.
Confidentiality
- All Cognit personnel and contractors are bound by written confidentiality obligations;
- Regular awareness training on data protection and information security.
Incident Management
- Documented incident response procedures;
- Notification procedures as described in Article 6 of this DPA.
Business Continuity
- Regular backups of Cognit's own systems (source code, configuration, documentation);
- Note: the Controller's intranet data resides in the Controller's Microsoft 365 tenant and is subject to the Controller's own backup and recovery policies.
Annex 3 — Sub-processors
As described in Article 5.2, the Controller's own Microsoft 365 environment is not a Sub-processor of Cognit. The Controller maintains its own direct agreement with Microsoft for the Microsoft 365 platform.
The following Sub-processors are engaged by Cognit for the Processing of data on Cognit's own infrastructure:
| Sub-processor | Registered Office | Processing Activities | Location of Processing |
|---|---|---|---|
| Microsoft Corporation | One Microsoft Way, Redmond, WA 98052, USA | Hosting of Cognit's own Microsoft 365 tenant used for storing Product Telemetry data and internal operational data. Not used for storage of the Controller's intranet content. | EU (West Europe), subject to Cognit's own Microsoft 365 tenant configuration and Microsoft's data residency commitments. |
| Fireflies.ai (Fireflies Inc.) | 2093 Philadelphia Pike #1764, Claymont, DE 19703, USA | AI-powered meeting transcription and summarisation: recording, transcribing, and analysing audio from meetings that may involve the Controller's representatives. May process names, voice data, and meeting content. | USA, subject to Fireflies.ai's data processing terms and EU-US Data Privacy Framework certification. |
| HubSpot, Inc. | 25 First Street, Cambridge, MA 02141, USA | Customer relationship management (CRM): storage and processing of business contact data (name, email, company, job title) of the Controller's representatives for commercial relationship management, support, and communications. | EU (Frankfurt, Germany), subject to HubSpot's data residency settings and EU-US Data Privacy Framework certification. |
Any Sub-processors added during the term of this DPA shall be notified to the Controller in accordance with Article 5.3.
Annex 4 — Data Protection SPOC
Controller
Name: _________________________
Function: _________________________
Email: _________________________
Phone: _________________________
Alternate contact
Name: _________________________
Function: _________________________
Email: _________________________
Processor — Cognit BV
Name: Walter Van Hecke
Function: CEO & Data Protection Lead
Email: [email protected]
Phone: _________________________
Alternate contact
Name: _________________________
Function: _________________________
Email: [email protected]