Data Processing Agreement

Version: 1.0 — Effective Date: May 1st, 2026.

This Data Processing Agreement ("DPA") is publicly available and pre-signed on behalf of Compiuta S.r.l. It forms part of the Terms of Service between the Customer and Compiuta. By submitting Customer Data to the Connhex platform, the Customer agrees to be bound by this DPA.

This Data Processing Agreement is entered into between:

The Customer — the legal entity or individual registered to use the Connhex platform (the "Company" or "Controller"), and

Compiuta S.r.l. — Via T. Vecellio, 169 B, 35132 Padova (PD), Italy, VAT: IT 05375100285 (the "Processor")

(together referred to as the "Parties")

WHEREAS:

(A) The Company acts as a Data Controller in respect of Customer Data submitted to the Connhex platform.

(B) The Company wishes to engage Compiuta as a Data Processor to process certain personal data on the Company's behalf in connection with Compiuta's provision of the Connhex platform.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the "GDPR").

(D) The Parties wish to lay down their respective rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meanings:

  • "Agreement" means this Data Processing Agreement and all Schedules;
  • "Company Personal Data" means any Personal Data processed by Compiuta on behalf of the Company pursuant to or in connection with the Terms of Service;
  • "Data Protection Laws" means the GDPR and, to the extent applicable, the data protection or privacy laws of any other relevant jurisdiction;
  • "EEA" means the European Economic Area;
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
  • "Subprocessor" means any third party appointed by or on behalf of Compiuta to process Personal Data on behalf of the Company in connection with this Agreement;
  • "Services" means the Connhex hosted SaaS platform, including device management, monitoring, alerting, data storage, and visualisation capabilities, made available at dashboard.connhex.com and apis.connhex.com.

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Subject Matter and Nature of Processing

2.1 Subject matter: The subject matter of this Agreement is the processing of IoT device telemetry, sensor readings, configuration data, device metadata, and any other data submitted by the Company through the Connhex platform for the purposes of device management, monitoring, alerting, data storage, and visualisation.

2.2 Nature of personal data: Compiuta does not determine or control the nature of the data the Company submits to the platform. The Company, as Data Controller, is solely responsible for the nature, lawfulness, and accuracy of any data submitted to the platform, including any personal data. The Company shall ensure that any personal data submitted to the platform has a valid legal basis under applicable data protection law, and that appropriate notices have been provided to any data subjects whose personal data is submitted.

2.3 Categories of data subjects: Any natural persons whose personal data may be contained within Customer Data submitted by the Company, as determined solely by the Company.

2.4 Duration: This Agreement is in force for the duration of the Terms of Service between the Parties.

3. Processing of Company Personal Data

3.1 Compiuta shall:

  • comply with all applicable Data Protection Laws in the processing of Company Personal Data; and
  • not process Company Personal Data other than on the Company's documented instructions, unless required to do so by applicable EU or Member State law, in which case Compiuta shall inform the Company of that legal requirement before processing, unless prohibited by law from doing so.

3.2 The Company instructs Compiuta to process Company Personal Data for the purposes of providing the Services as described in §2.

4. Personnel

Compiuta shall take reasonable steps to ensure that any employee, agent, or contractor who may have access to Company Personal Data: (a) is subject to appropriate confidentiality obligations or professional obligations of confidentiality; and (b) has access only to the extent strictly necessary to perform their duties in connection with the provision of the Services.

5. Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Compiuta shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include, at a minimum:

  • Encryption of data in transit using TLS;
  • Encryption of data at rest;
  • Role-based access controls restricting personnel access to Company Personal Data;
  • Audit logging of access to Company Personal Data;
  • Infrastructure hosted exclusively on Hetzner Online GmbH data centres certified to ISO 27001.

5.2 Compiuta shall take account of the risks presented by processing, in particular from a Personal Data Breach, when assessing and maintaining the appropriate level of security.

6. Subprocessing

6.1 Compiuta maintains a publicly available list of authorised Subprocessors at connhex.com/legal/subprocessors (the "Subprocessor List"). By entering into this DPA, the Company grants general written authorisation for Compiuta to engage the Subprocessors listed therein.

6.2 Compiuta will notify the Company of any intended addition or replacement of Subprocessors by updating the Subprocessor List and providing at least thirty (30) days' prior notice via the registered account email address.

6.3 The Company may object to a new Subprocessor on reasonable data protection grounds within that thirty-day period by notifying Compiuta at info@compiuta.com. If the Parties cannot resolve the objection within a reasonable time, the Company may terminate the relevant Services on written notice.

6.4 Compiuta shall impose data protection obligations on each Subprocessor that are no less protective than those set out in this Agreement, and shall remain liable to the Company for the acts or omissions of any Subprocessor to the extent Compiuta itself would be liable under this Agreement.

7. Data Subject Rights

7.1 Taking into account the nature of the processing, Compiuta shall assist the Company by implementing appropriate technical and organisational measures, insofar as reasonably possible, to fulfil the Company's obligations to respond to requests to exercise Data Subject rights under the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2 Compiuta shall promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data, and shall not respond to that request except on the documented instructions of the Company or as required by applicable law, in which case Compiuta shall, to the extent permitted by law, inform the Company of that legal requirement before responding.

8. Personal Data Breach

8.1 Compiuta shall notify the Company without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Company Personal Data, providing the Company with sufficient information to allow it to meet any obligations to notify the relevant Supervisory Authority or to inform affected Data Subjects under the GDPR.

8.2 Compiuta shall co-operate with the Company and take reasonable commercial steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessments and Prior Consultation

Compiuta shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by Article 35 or 36 of the GDPR, solely in relation to the processing of Company Personal Data by Compiuta and taking into account the nature of the processing and information available to Compiuta.

10. Deletion or Return of Company Personal Data

10.1 Upon termination or expiry of the Terms of Service, Compiuta shall, within thirty (30) days of the termination date, permanently delete all copies of Company Personal Data from its systems, unless applicable law requires longer retention.

10.2 Upon written request by the Company during the term of this Agreement, Compiuta shall promptly delete or return Company Personal Data in a structured, commonly used, machine-readable format, as instructed by the Company.

10.3 Upon completion of deletion, Compiuta shall, upon request, provide written confirmation to the Company.

11. Audit Rights

11.1 Compiuta shall make available to the Company, on written request, all information reasonably necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, conducted by the Company or an auditor mandated by the Company in relation to the processing of Company Personal Data, provided that:

  • the Company gives Compiuta reasonable advance notice (not less than thirty (30) days);
  • the audit is conducted during normal business hours and does not unreasonably interfere with Compiuta's operations; and
  • the Company and any appointed auditor execute a confidentiality agreement acceptable to Compiuta before the audit commences.

11.2 Compiuta may satisfy audit requests in whole or in part by providing up-to-date third-party audit reports or certifications (such as ISO 27001 certification for Hetzner infrastructure) where these adequately address the Company's audit requirements.

12. Data Transfers

12.1 Compiuta shall not transfer or authorise the transfer of Company Personal Data to countries outside the EU or EEA without the prior written consent of the Company, except as set out in this clause.

12.2 All Company Personal Data is stored exclusively on Hetzner Online GmbH infrastructure located within the EU (Germany and Finland). Where any Subprocessor processes data outside the EEA, Compiuta shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including, as applicable, Standard Contractual Clauses approved by the European Commission.

13. Confidentiality

Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement confidential, and must not use or disclose that information without the prior written consent of the other Party, except: (a) as required by applicable law; or (b) to the extent the relevant information is already in the public domain through no breach of this Agreement.

14. Governing Law and Jurisdiction

14.1 This Agreement is governed by the laws of Italy.

14.2 Any dispute arising in connection with this Agreement that the Parties are unable to resolve amicably shall be submitted to the exclusive jurisdiction of the courts of Padova, Italy.


Schedule A — Acceptance

This DPA is publicly available and pre-signed on behalf of Compiuta S.r.l. The Company's acceptance of this DPA is effected by either:

  • Online acceptance: ticking the acceptance checkbox during account registration or within the platform settings, which creates an auditable timestamp record tied to the Company's account; or
  • Countersignature: downloading this DPA, signing it, and returning a countersigned copy to info@compiuta.com.

Signed on behalf of Compiuta S.r.l. (Processor):

Compiuta S.r.l., Via T. Vecellio, 169 B, 35132 Padova (PD), Italy

Date: May 1st, 2026


For questions regarding this DPA, contact: info@compiuta.com