Data Processing Agreement
This Data Processing Agreement governs the processing of personal data by Modular Finance when acting as a personal data processor on behalf of a customer, in its capacity as personal data controller.

DATA PROCESSING AGREEMENT

Version. 1.2. Last updated on 1 June 2026

This data processing agreement (hereinafter referred to as the “processing agreement”) is incorporated by reference into the Order Form and Terms of Service (collectively, the “Agreement”) entered into between the Customer (hereinafter the “Personal Data Controller”) and Modular Finance (hereinafter “Modular Finance”) - hereinafter referred to as the “Parties”. By accepting the Order Form, or by continuing to access and use the Services, the Personal Data Controller accepts and agrees to be bound by the terms of this processing agreement.”

BACKGROUND AND PURPOSE

Modular Finance has developed Monitor, MFN and Strictlog (each a ”Service” and collectively the “Services”). The Parties have entered into an agreement under which Modular Finance shall provide certain Services to the Personal Data Controller. For the provision of such Services, Modular Finance will process personal data on behalf of the Personal Data Controller. Such processing shall be governed by the terms of this processing agreement.

Monitor

Monitor is an analytical platform through which Modular Finance’s clients can access certain financial information regarding, among other things, ownership-, short-, and liquidity data. The data is collected and aggregated by Modular Finance. Monitor also has functionality for logging tasks, such as meetings with investors and other stakeholders and follow up on these. There is also functionality for compiling and exporting information.

MFN

MFN is a news distribution platform through which Modular Finance facilitates distribution of information on behalf of its clients.

Strictlog

Strictlog is a digital logbook provided to listed companies for the purpose of creating and managing insider lists.

The Parties acknowledge that this processing agreement may describe data processing activities relating to multiple services offered by Modular Finance. Notwithstanding the foregoing, this processing agreement shall apply solely to those Services that have been purchased by the Client pursuant to the applicable agreement between the Parties.

All references in this processing agreement to Regulation 2016/679/EU (the “General Data Protection Regulation”) shall include any other rules governing the processing of personal data that may apply in addition to or in place of the General Data Protection Regulation, including but not limited to the UK General Data Protection Regulation as defined by section 3(10) of the Data Protection Act 2018.

1. THE PROCESSING AGREEMENT IN RELATION TO OTHER AGREEMENTS

If a provision of the processing agreement contradicts a provision in any other agreement between the Parties, the processing agreement shall take precedence in questions regarding personal data processing.

2. THE EXTENT OF THE PROCESSING AGREEMENT

The processing agreement includes the personal data processing necessary for Modular Finance’s accommodation of certain parts of the Service to the Personal Data Controller and their use of those parts of the Service.

3. THE VALIDITY OF THE PROCESSING AGREEMENT

The processing agreement is valid from the effective date of the agreement between the Parties and will expire when Modular Finance ceases to process personal data for the Personal Data Controller or when this processing agreement is replaced by another personal data processing agreement.

4. MODULAR FINANCE’S PROCESSING OF PERSONAL DATA

4.1. The Processor may transfer and process personal data in countries outside the EU/EEA area. The Processor shall inform the Personal Data Controller of any such transfers. Any transfer of personal data outside the EU/EEA requires strict compliance with the requirements of the General Data Protection Regulation, Articles 44-49, ensuring appropriate legal safeguards and security measures are in place.”

4.2. Modular Finance will process the following categories of personal data for the data subjects stated below on behalf of the Personal Data Controller.

Monitor:

MFN:

Strictlog:

5. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Modular Finance shall take appropriate technical and organizational measures at any time to ensure an appropriate level of security in relation to the risks associated with the current personal data processing.

6. STORAGE, CHANGE, DELETION AND BLOCKING

6.1. Modular Finance may only modify, delete or block personal data processed on behalf of the Personal Data Controller on the instructions of the Personal Data Controller, see section 11 below. If a data subject applies directly to Modular Finance regarding the modification or deletion of the personal data of the data subject, Modular Finance shall forward such request to the Personal Data Controller as soon as possible.

6.2. Personal data processed in the Service will be stored throughout the duration of the service agreement and legal requirements. Upon termination of the service agreement, the Personal Data Controller may request that the personal data processed in the Service shall be transferred to the Personal Data Controller.

7. CONTROL FUNCTIONS AND MODULAR FINANCE’S OTHER COMMITMENTS REGARDING PERSONAL DATA PROCESSING

In addition to complying with the provisions of the processing agreement, Modular Finance has the following obligations regarding the processing of personal data.

8. SUB-PROCESSORS

8.1. Through this agreement, the Personal Data Controller provides a written permission to Modular Finance to transfer and grant access to the personal data covered by this agreement to one or more other Personal Data Processors (Sub-Processors) that Modular Finance employ. Modular Finance is fully responsible towards the Personal Data Controller for the Sub-Processor’s fulfilments of their obligations with regards to data protection in the same way and to the extent that Modular Finance performs the processing. Modular Finance shall enter into written agreements with each and all the Sub-Processors.

Upon hiring or change of Sub-Processors, Modular Finance shall inform the Personal Data Controller in advance to let the Personal Data Controller object to the change. The Personal Data Controller shall upon receipt of the information, notify Modular Finance without delay and no later than within 30 days, of any objections and the reasons for them. Should the Personal Data Controller object, Modular Finance has the right to negotiate with the Personal Data Controller to reach a satisfactory solution for both Parties based on the objection. If the Personal Data Controller does not raise an objection as stated above, then the Personal Data Controller shall be deemed to have approved the appointment or replacement of the Sub- Processor.

8.2. These provisions do not prevent Modular Finance from hiring and entering into agreements with third parties for support functions that are necessary for its operation, such as telecommunication-, cleaning- or audit services. However, to protect the personal data of the Personal Data Controller, Modular Finance shall when employing such support functions ensure that necessary contractual terms are in place and applied.

8.3. By accepting the Order Form, the Personal Data Controller grants general written authorization for Modular Finance to use the Sub-Processors listed at https://terms.modularfinance.com/docs/subprocessors. Regardless of the location of the headquarters of the Sub-Processors, all data will be stored and processed within the EU/EEA at all times.

9. RIGHT TO AUDIT

9.1. Modular Finance shall provide the Personal Data Controller with the information, including documentation, that may be deemed necessary to enable the Personal Data Controller to comply with their responsibilities.

9.2. If the Personal Data Controller or their appointed auditor will carry out on-site inspections, the operation of Modular Finance’s activities shall be considered, and the Personal Data Controller shall notify Modular Finance of such inspection at least two weeks in advance. Modular Finance shall assist the Personal Data Controller in connection with such inspection in the best conceivable way.

10. OBLIGATION TO REPORT SHORTCOMINGS

Modular Finance and the Personal Data Controller shall immediately notify each other if any errors, deficiencies or violations of the personal data protection occur or are suspected to have occurred. This includes incidents or events where loss of or accidental disclosure or access to personal data occurs or is suspected to have occurred. The Parties undertake to take all reasonable steps to resolve any violations immediately.

11. PERSONAL DATA CONTROLLER’S RIGHT TO ISSUE INSTRUCTIONS

11.1. Modular Finance may only process the personal data of the Personal Data Controller in accordance with its instructions. Modular Finance may only disclose personal data to third Parties or the data subject(s) with the written consent of the Personal Data Controller. All instructions from the Personal Data Controller must be in written form.

11.2. Modular Finance may not use personal data for any purpose other than for the completion of the processing agreement. No copies or duplicates may be made without the knowledge of the Personal Data Controller. This does not apply to backups, log files etc. when these are necessary to ensure legal processing of personal data and to fulfil the requirements of the agreement between the Parties, provided that the data are not changed and that the processing does not violate the interests of the Personal Data Controller.

11.3. Modular Finance shall immediately notify the Personal Data Controller in case Modular Finance considers that an instruction is in violation of any applicable rules on the protection and processing of personal data. Modular Finance may then postpone the completion of the instruction until it has been confirmed or modified by the Personal Data Controller.

12. CHANGES AND ADDITIONS

Modular Finance may modify or update this processing agreement from time to time to reflect changes in law, regulatory guidance, or our privacy practices. Modular Finance shall notify the Personal Data Controller of any material changes in writing (e.g., via email or an in-app notification) at least thirty (30) days prior to the changes taking effect.

If the Personal Data Controller strongly objects to the changes on reasonable data protection grounds, they must notify Modular Finance within this 30-day period. If no objection is received, the continued use of the Services will constitute acceptance of the updated processing agreement. If an objection cannot be resolved, the Personal Data Controller holds the right to terminate the main service agreement.

13. LIABILITY

In case of a breach of the Personal Data Processing Agreement of one of the Parties, that party shall indemnify the other against any losses, damages or sanctions incurred as a result of the breach of this agreement.

14. INVALIDITY

If a provision of the processing agreement is declared partly invalid or invalid, this shall not affect the validity and applicability of the other provisions of the processing agreement. The Parties agree to replace such provisions with a valid provision that best corresponds to the Parties’ original intention and financial interest.

15. FORCE MAJEURE, CAUSES OF EXEMPTION

Modular Finance is exempted from penalties for failure to fulfil its obligations under this processing agreement, if the failure is due to circumstances beyond their control. This includes, without limitation, government action or failure, new or amended legislation, illness or other impairment of work ability, death, occupational conflict, blockade, fire, flood, data- or telecommunications breakdown, loss or destruction of data or property of major importance or accidents of greater extent.