YUNO - GLOBAL DATA PROCESSING AGREEMENT

Effective Date: Monday, April 13th, 2026

‍

EXECUTIVE SUMMARY. This Global Data Processing Agreement establishes how Yuno processes Personal Data as a Data Processor on behalf of its Counterparties, including both Merchants and Technology Partners. Under this unified framework, Yuno primarily serves as Data Processor for its payment-orchestration Services while Counterparties act as Data Controllers for their respective data Processing purposes. Technology Partners are independent controllers and are not Yuno sub-processors. This Agreement applies across all Yuno operating jurisdictions and ensures compliance with global Applicable Data Protection Laws. It should be read together with Yuno's Group Privacy Policy, available at y.uno/privacy.

‍

ARTICLE 1: DEFINITIONS AND SCOPE

‍

1.1 Purpose and Application. This Global Data Processing Agreement (the "DPA" or "Agreement") establishes the framework for personal data protection between Yuno and its business Counterparties, including both Merchants and Technology Partners (collectively, "Counterparties"). This DPA applies to all Personal Data Processing activities conducted by Yuno in connection with the Services and incorporates the standards set forth in Yuno's Group Privacy Policy (Version 3.0 or later, available at y.uno/privacy).

‍

1.2 Definitions. For purposes of this DPA, the following terms shall have the meanings set forth below:

‍

Applicable Data Protection Laws. Means all applicable international, national, federal, state, and local laws, regulations, and regulatory guidelines concerning personal data protection, privacy, and security, including: the European Union General Data Protection Regulation (EU GDPR, Regulation 2016/679); the United Kingdom General Data Protection Regulation and Data Protection Act 2018; Brazil's General Data Protection Law (LGPD, Law 13.709/2018); Colombia's Law 1581 of 2012 and Decree 1377 of 2013; Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP); the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); Singapore's Personal Data Protection Act 2012 (PDPA); the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL, Royal Decree M/19 as amended) and its Implementing Regulations; the Qatar Financial Centre Data Protection Regulations 2021; India's Digital Personal Data Protection Act 2023 (DPDP Act) and DPDP Rules 2025; and any other applicable privacy legislation in jurisdictions where the parties operate.

‍

Counterparty. Means any business entity that enters into this DPA with Yuno, including both Merchants and Technology Partners as defined below. Counterparties may act as Data Controllers or Joint Controllers depending on the factual circumstances of Processing activities.

‍

Data Controller. Means the entity that, alone or jointly with others, determines the purposes and means of Processing Personal Data. Processing roles are determined by factual circumstances rather than contractual labels. The equivalent concept applies regardless of the terminology used in local law (e.g., "Data Fiduciary" under the DPDP Act, "Responsible" under Colombia's Law 1581, "Responsable" under Mexico's LFPDPPP).

‍

Data Processor. Means the entity that processes Personal Data on behalf of and under the documented instructions of the Data Controller. The equivalent concept applies regardless of local terminology (e.g., "Data Intermediary" under Singapore's PDPA, "Encargado" under Colombia's Law 1581, "Processing Party" under KSA's PDPL).

‍

Data Subject. Means an identified or identifiable natural person whose Personal Data is processed under this DPA. The equivalent concept applies regardless of local terminology (e.g., "Data Principal" under India's DPDP Act, "Titular" under Colombia's Law 1581 and Mexico's LFPDPPP, "Consumer" under the CCPA/CPRA).

‍

End User. An individual customer of a Merchant whose Personal Data is processed through Yuno's platform.

‍

Group Privacy Policy. Means the Yuno Group Privacy Policy (Version 3.0, February 2026, or the then-current version), available at y.uno/privacy, which describes how Yuno collects, uses, retains, and transfers Personal Data across all operating jurisdictions.

‍

Joint Controller. Means two or more controllers who jointly determine the purposes and means of Processing, as defined under GDPR Article 26 and equivalent provisions in other Applicable Data Protection Laws. The determination of joint controllership shall consider the degree of influence over Processing purposes and means and shared decision-making processes.

‍

Merchant. A business entity that uses Yuno's Services to orchestrate payment data flows with its chosen Technology Partners. Merchants typically act as Data Controllers for End User Personal Data.

‍

Personal Data. Means any information relating to an identified or identifiable natural person, including but not limited to: (i) payment card data and tokenized payment credentials; (ii) transaction information and commercial data; (iii) fraud prevention and risk assessment data; (iv) device and behavioral biometrics; (v) geolocation and IP address data; (vi) authentication and identity verification data; (vii) inferred data based on observed behaviors or characteristics; and (viii) any other data processed through Yuno's platform that directly or indirectly identifies a natural person.

‍

Personal Data Breach. Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

‍

Processing. Means any operation or set of operations performed on Personal Data, whether by automated or manual means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

‍

Services. Means Yuno's cloud-based payment-orchestration platform and any related technology, including dashboards, application programming interfaces (APIs), software-development kits (SDKs), and the professional or technical support Yuno provides. Through the Services, Counterparties can access multiple payment methods, fraud-prevention tools, and other integrated payment-industry solutions via a single technical integration. The Services constitute pure technology infrastructure; Yuno does not hold, control, transmit, or settle funds, does not onboard End Users for payment schemes, does not issue e-money, and does not operate payment systems.

‍

Standard Contractual Clauses. Means the contractual clauses for the transfer of Personal Data to processors established in third countries approved by the relevant supervisory authority, including: EU SCC Modules 1, 2, and 3 (Commission Decision 2021/914); UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs; Brazil ANPD Standard Contractual Clauses (Resolution CD/ANPD No. 19/2024); and KSA SDAIA Standard Contractual Clauses (issued September 2024, Controller-to-Processor and Processor-to-Processor modules).

‍

Sub-Processor. Means any third party engaged by Yuno to process Personal Data on behalf of Counterparties in connection with the delivery of the Services. For the avoidance of doubt, Technology Partners (including PSPs, fraud prevention vendors, acquirers, and alternative payment methods) that receive Personal Data upon a Counterparty's instructions and determine their own purposes and means of Processing are independent Data Controllers and not Sub-Processors, regardless of whether Yuno facilitates the technical routing of data to them.

‍

Technology Partner. Means a service provider — including PSPs, fraud prevention vendors, AML/KYC providers, acquirers, and alternative payment methods — that Merchants access through Yuno's platform to receive payment-industry services. Technology Partners operate under their own regulatory licenses, determine their own purposes and means of Processing, and act as independent Data Controllers for the Personal Data they receive. Technology Partners are not engaged by Yuno as its sub-processors; rather, the Merchant selects and instructs the routing of data to its chosen Technology Partners through the Services.

‍

Yuno. Means, collectively and individually, the following entities within the Yuno Group: Yuno Colombia S.A.S. (Colombia), Yuno Tecnologías, S.A.P.I. de C.V. (Mexico), Yuno Intermediação de Serviços Ltda. (Brazil), Yuno USA, LLC (United States), Smart Routing PTE. Ltd. (Singapore), Yuno Payments Arabia (Kingdom of Saudi Arabia), Yuno Al Saqr (Qatar, QFC-registered), Yuno Routing Solutions Pvt. Ltd. (India) together with any present or future parent, subsidiary, branch, or affiliate that (i) is under common control with any of the foregoing entities and (ii) participates in, or makes available, the Services governed by this Agreement. Unless expressly stated otherwise, each reference to "Yuno" in this Agreement shall be deemed to include the entire Yuno Group. The contracting Yuno entity for a given Counterparty relationship shall be the entity specified in the applicable Order Form or commercial agreement, or, in the absence of such specification, the entity in the jurisdiction where the Counterparty is established.

‍

1.3 Territorial Scope. This DPA applies wherever Yuno processes Personal Data in connection with the Services, regardless of whether Yuno maintains a legal entity in the jurisdiction where the Data Subject is located. Where Yuno does not maintain a local entity, the obligations of this DPA are discharged by the contracting Yuno entity and, where required by Applicable Data Protection Laws, through the appointment of local representatives.

‍

ARTICLE 2: DATA PROCESSING ROLES AND RESPONSIBILITIES

‍

2.1 Primary Processor Role. Yuno primarily acts as Data Processor for Personal Data Processing activities conducted on behalf of Counterparties. These Counterparties typically act as Data Controllers, determining the purposes and means of Processing Personal Data shared with or processed by Yuno.

‍

2.2 Merchant Relationships. The Merchant typically acts as Data Controller for Personal Data of End Users that it shares with Yuno for payment orchestration purposes. In this capacity, the Merchant determines the purposes and means of Processing End User Personal Data and bears primary responsibility for compliance with Applicable Data Protection Laws. Yuno processes End User Personal Data according to Merchant instructions following this data flow:

‍End User → Merchant (Controller) → Yuno (Processor) → Technology Partners (Independent Controllers).

‍

2.3 Technology Partner Relationships. Technology Partners act as independent Data Controllers for their specific Processing purposes (payment processing, fraud scoring, KYC verification, etc.). When a Merchant instructs Yuno to route data to a Technology Partner, Yuno acts as the Merchant's Processor for the technical transmission of that data; upon receipt, the Technology Partner processes the data as an independent Controller under its own privacy policies and regulatory obligations. At no point does a Technology Partner become Yuno's Sub-Processor by virtue of the routing relationship. Where a Technology Partner separately engages Yuno to process data on the Technology Partner's behalf (e.g., for analytics or reporting), Yuno acts as Data Processor under that Technology Partner's documented instructions. In such cases, the data flow is:

Technology Partner (Controller) → Yuno (Processor) → Processing/routing as instructed.

‍

2.4 Liability Allocation. Yuno bears liability only for Processing compliance under documented Counterparty instructions or joint controller obligations where applicable. Counterparties remain solely responsible for: (i) data subject authorizations and lawful processing bases; (ii) compliance with Controller obligations under Applicable Data Protection Laws; and (iii) lawful Processing instructions to Yuno. Yuno shall not be held liable for any Controller obligation that rests with the Counterparty, including the obligation to establish a lawful basis for Processing before transferring Personal Data to Yuno.

‍

2.5 Counterparty Compliance Monitoring. Yuno may suspend Processing services for Counterparties who materially fail to comply with their Controller obligations, including failure to obtain proper data subject authorizations or maintain lawful processing bases, provided Yuno gives reasonable notice and an opportunity to cure (no less than 10 business days, except where continued Processing would place Yuno in violation of Applicable Data Protection Laws, in which case Yuno may suspend immediately). The Counterparty acknowledges that suspension under this section is a compliance safeguard and not a breach of Yuno's service obligations.

‍

2.6 SDK-Based Joint Processing. Where Yuno provides SDK implementations that enable Counterparties to integrate Yuno's proprietary decision-making algorithms, fraud detection, or routing logic into their systems, both parties may act as Joint Controllers for specific Processing activities if both parties factually co-determine the purposes and means of Processing. Joint controller arrangements shall be documented in a separate Joint Controller Agreement specifying each party's responsibilities for compliance with Applicable Data Protection Laws, including the allocation of obligations toward Data Subjects. This section does not apply to standard API-based integrations where the Merchant simply passes instructions and Yuno executes them as Processor.

‍

2.7 Regulatory-Scope Limitation. Yuno's obligations under this Agreement are strictly limited to the provision of payment-orchestration Services. Yuno is a technology service provider and does not itself hold, control, settle, or transmit funds; does not provide regulated payment-processing or financial-services licensable activities to End Users; and does not operate payment systems. Revenue for the Services is generated through software-as-a-service (SaaS) and API fees. Yuno shall not be responsible for, nor assume any liability arising out of: (a) the Counterparty's marketing, customer-acquisition, or product-specific compliance activities; (b) the Counterparty's tax, accounting, or financial-reporting obligations; (c) the Counterparty's independent AML/KYC determinations, save where Yuno is expressly engaged under an applicable Order Form solely for the services detailed therein; (d) the legality of the Counterparty's products or services; or (e) any other processing activity outside the technical scope of the Services.

‍

ARTICLE 3: PROCESSING OBLIGATIONS AND INSTRUCTIONS

‍

3.1 Counterparty Obligations as Data Controller. Each Counterparty, in its capacity as Data Controller, represents, warrants, and undertakes that all Personal Data Processing, including transfers to Yuno, is conducted in accordance with Applicable Data Protection Laws. Each Counterparty shall obtain all necessary consents from Data Subjects and provide appropriate privacy notices describing the Processing activities and transfers to Yuno before sharing Personal Data.

‍

3.2 Yuno Processing Obligations. Yuno shall process Personal Data only in accordance with documented instructions from the respective Counterparty, except where required by applicable law. Yuno shall apply the principle of data minimization, Processing only that Personal Data which is adequate, relevant, and limited to what is necessary for the specified purposes. Yuno shall immediately inform the Counterparty if instructions violate Applicable Data Protection Laws and shall suspend non-compliant Processing until lawful instructions are received. Yuno shall not process Personal Data for any purposes other than those specified by the Counterparty.

‍

3.3 Enhanced Instruction Compliance Verification. Yuno shall inform the Counterparty in a timely manner if Processing instructions would violate Applicable Data Protection Laws and shall: (a) suspend non-compliant Processing within two (2) hours of violation identification; (b) document the nature of the legal violation and suspension actions taken; (c) propose alternative lawful Processing approaches where technically feasible; (d) maintain suspension until the Counterparty provides amended lawful instructions; and (e) bear no liability for business impacts or for the underlying legal violation resulting from lawful suspension. The Counterparty acknowledges that Yuno's suspension of non-compliant Processing is a compliance safeguard, not a breach of service obligations.

‍

3.4 Commercial Agreement Coordination. Where Processing instructions are provided through purchase orders or commercial agreements, such instructions must comply with this DPA. Any instruction conflicting with this DPA's data protection requirements is deemed invalid and shall not be implemented by Yuno.

‍

3.5 Implementation Validation. Yuno maintains technical controls to prevent Processing that exceeds Counterparty instructions or violates this DPA, including automated monitoring of data Processing activities and exception reporting.

‍

3.6 Processing Records. Both parties shall maintain comprehensive records of Processing activities as required by Applicable Data Protection Laws, including the categories of Personal Data processed, purposes of Processing, recipients of Personal Data, and retention periods.

‍

ARTICLE 4: SECURITY MEASURES AND SAFEGUARDS

‍

4.1 Technical and Organizational Measures. Yuno implements and maintains comprehensive technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include: AES-256 encryption of Personal Data at rest; TLS 1.3 encryption for data in transit; cloud-provider key management services with hardware security module (HSM) backing (including AWS KMS and GCP Cloud KMS, as applicable to the hosting region); role-based access controls with multi-factor authentication; network segregation and zero-trust architecture; 24/7 security monitoring with SIEM integration; regular vulnerability assessments and penetration testing; and ongoing evaluation of emerging cryptographic standards.

‍

4.2 Security Standards and Certifications. Yuno maintains industry-recognized security certifications including: ISO 27001 for Information Security Management; ISO 27701 for Privacy Information Management; PCI DSS Level 1 (current version) for Payment Card Industry Data Security; and SOC 2 Type II for Service Organization Controls. Current certification details are available in Yuno's Trust Center at security.y.uno. Yuno shall notify Counterparties of any material change in certification status within thirty (30) days.

‍

4.3 Counterparty Security Obligations. Each Counterparty shall implement appropriate technical and organizational measures to ensure the security of Personal Data under its control, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing.

‍

4.4 Counterparty PCI DSS Compliance. If a Counterparty processes, handles, stores, or transmits Cardholder Data as defined by PCI DSS, received from or on behalf of Yuno, or otherwise in connection with the Services, the Counterparty represents and warrants that it is and will remain compliant with the then-current version of PCI DSS. Upon Yuno's request, the Counterparty shall provide a copy of its valid Attestation of Compliance (AoC) or other applicable PCI DSS validation documentation. The Counterparty shall provide Yuno with renewed AoCs annually, within thirty (30) days of issuance, and shall promptly notify Yuno in writing of any material change in its PCI DSS compliance status or any security incident that could impact Cardholder Data processed in connection with this DPA.

‍

4.5 Cloud Infrastructure and Data Localization. Yuno operates a multi-cloud infrastructure, primarily hosted on Amazon Web Services (AWS), with Google Cloud Platform (GCP) deployed where required by jurisdictional data localization rules (including the KSA Dammam region for Saudi Arabia operations). Counterparties may request information on the hosting location applicable to their data through the channels described in Article 14.

‍

ARTICLE 5: SUB-PROCESSING AND THIRD-PARTY DISCLOSURES

‍

5.1 Sub-Processor Authorization and Notification. Yuno may engage Sub-Processors to assist in providing Services, provided that such engagement complies with this DPA and Applicable Data Protection Laws. Yuno shall maintain a current list of Sub-Processors, available upon Counterparty request, and shall notify Counterparties of any intended addition or replacement of Sub-Processors at least ten (10) business days before engagement.

‍

5.2 Sub-Processor Objection. If a Counterparty objects to a new Sub-Processor on reasonable grounds related to data protection within the notification period, the parties will work in good faith to resolve the objection. If the objection cannot be reasonably resolved, the Counterparty may terminate the relevant Services impacted by the Sub-Processor engagement without penalty.

‍

5.3 Sub-Processor Agreements. Before engaging any Sub-Processor, Yuno shall execute a written agreement imposing data protection obligations equivalent to those set forth in this DPA. Yuno remains fully liable for the performance of its Sub-Processors and any breaches of data protection obligations arising from Sub-Processor activities.

‍

5.4 Technology Partners Are Not Sub-Processors. For the avoidance of doubt, Technology Partners (including PSPs, fraud prevention providers, acquirers, gateways, and alternative payment methods) to which data is routed on a Counterparty's instructions are independent Data Controllers. They are not Yuno Sub-Processors, and Yuno does not assume responsibility for their Processing activities or compliance. The Counterparty is responsible for ensuring that its chosen Technology Partners process Personal Data in accordance with Applicable Data Protection Laws.

‍

5.5 Third-Party Disclosures. Neither party shall disclose Personal Data to third parties except as necessary for the purposes set forth in this DPA, as required by law, or with the prior written consent of the other party. Any legally mandated disclosure shall be limited to the minimum necessary and the disclosing party shall provide prompt notice unless legally prohibited.

‍

ARTICLE 6: INTERNATIONAL DATA TRANSFERS

‍

6.1 Transfer Mechanisms. International transfers of Personal Data shall be conducted only with appropriate safeguards as required by Applicable Data Protection Laws. Yuno shall implement the appropriate transfer mechanism for each data corridor, which may include: EU Standard Contractual Clauses (Commission Decision 2021/914); the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs; Brazil ANPD Standard Contractual Clauses (Resolution CD/ANPD No. 19/2024); KSA SDAIA Standard Contractual Clauses (Controller-to-Processor and Processor-to-Processor modules, issued September 2024); adequacy decisions where available; Binding Corporate Rules (when implemented); or other lawful transfer mechanisms recognized by the relevant supervisory authority.

‍

6.2 Transfer Impact Assessments. For transfers to jurisdictions without adequacy decisions, Yuno shall conduct transfer impact assessments and implement supplementary measures as necessary to ensure Personal Data protection substantially equivalent to that required in the originating jurisdiction.

‍

6.3 Data Localization. Certain jurisdictions impose data localization requirements. Yuno complies with such requirements through appropriate infrastructure arrangements, including local cloud hosting where mandated. The jurisdictions with current data localization obligations relevant to Yuno's operations include the Kingdom of Saudi Arabia (SAMA and PDPL requirements, served by GCP Dammam) and India (RBI payment data localization, served by local hosting arrangements as applicable). The applicable Jurisdictional Addendum provides further detail.

‍

6.4 Government Access Requests. Yuno shall assess any government or regulatory request for Personal Data access. Where legally permissible and feasible, Yuno shall provide advance notice to affected Counterparties prior to disclosure. Yuno commits to challenging overly broad, unlawful, or otherwise inappropriate requests for Personal Data access to the fullest extent permitted by law, and to limiting disclosures to the absolute minimum legally required. Yuno shall maintain records of such requests and, where permitted, shall provide transparency reports to Counterparties.

‍

ARTICLE 7: DATA SUBJECT RIGHTS

‍

7.1 Rights Facilitation. Yuno shall assist Counterparties in responding to Data Subject requests for access, rectification, erasure, portability, restriction, and objection — and their local-law equivalents — as required by Applicable Data Protection Laws. Such assistance shall include providing relevant Personal Data and Processing information through Yuno's API, a secure portal, or defined communication channels within five (5) business days of the Counterparty's verified request, to enable the Counterparty to respond within the applicable statutory timeframe.

‍

7.2 Direct Requests to Yuno. When Yuno receives Data Subject requests directly, it shall forward such requests to the appropriate Counterparty's designated privacy contact without undue delay, and in no event later than two (2) business days, unless legally required to respond directly. Yuno shall not respond to direct requests without Counterparty authorization except as required by law, and in such cases will inform the Counterparty of the response unless legally prohibited.

‍

7.3 Automated Decision-Making. Where Yuno processes Personal Data involving automated decision-making with significant effects on Data Subjects, it shall implement appropriate measures to safeguard Data Subject rights, including providing meaningful information about the logic involved and offering human review opportunities where required by Applicable Data Protection Laws.

‍

ARTICLE 8: PERSONAL DATA BREACH MANAGEMENT

‍

8.1 Jurisdiction-Specific Breach Notification Framework.

‍

8.2 Breach Documentation and Investigation. Yuno shall document all Personal Data Breaches and cooperate fully with Counterparties in breach investigations. Documentation shall include facts relating to the breach, its effects, and remedial actions taken. Yuno shall preserve evidence and provide access to forensic information as reasonably requested.

‍

8.3 Regulatory Coordination. Counterparties remain primarily responsible for regulatory notifications, with Yuno providing: comprehensive incident documentation for regulatory filings; technical expert availability for authority inquiries; remediation evidence and effectiveness documentation; and ongoing cooperation with regulatory investigations.

‍

ARTICLE 9: DATA RETENTION AND SECURE DELETION

‍

9.1 Retention Periods. Personal Data shall be retained only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable legal, regulatory, or contractual obligations. Yuno shall delete or return Personal Data upon termination of the underlying agreement with the Counterparty unless retention is required by law.

‍

9.2 Deletion Procedures. Upon Counterparty request or agreement termination, Yuno shall securely delete or return all Personal Data and destroy existing copies unless storage is required by applicable law. Deletion shall be carried out using industry-standard secure deletion methods, and Yuno shall provide written certification of deletion upon request.

‍

9.3 Legal Hold Requirements. Notwithstanding general deletion obligations, both parties may retain Personal Data as necessary to comply with legal preservation requirements, pending litigation, or regulatory investigations. Any such retention shall be limited to the minimum necessary for the specified legal purpose.

‍

9.4 Aggregated Analytics. Yuno may retain and use aggregated, anonymized transaction patterns and performance metrics for: (i) platform optimization and fraud prevention enhancement; (ii) industry benchmarking and market research; (iii) regulatory reporting and compliance analytics; and (iv) Technology Partner performance evaluation. Such aggregated data shall not identify specific Counterparties or End Users and may be retained indefinitely. This provision shall survive termination of this DPA.

‍

ARTICLE 10: AUDIT RIGHTS AND COMPLIANCE MONITORING

‍

10.1 Audit Authorization. Counterparties may conduct reasonable audits of Yuno's data Processing activities to verify compliance with this DPA and Applicable Data Protection Laws. Such audits shall primarily be conducted by reviewing Yuno's most recent third-party certifications (e.g., ISO 27001, PCI DSS, SOC 2 Type II reports) and summary audit reports, which Yuno shall make available upon reasonable request. Direct on-site audits, either by the Counterparty or a qualified independent auditor, shall be limited to once per year unless material compliance concerns or a Personal Data Breach arise, and shall require thirty (30) days' advance written notice.

‍

10.2 Audit Cooperation. Yuno shall provide reasonable cooperation with authorized audits, including access to relevant documentation, system logs, and personnel relevant to data Processing activities. Audits shall be conducted during business hours, in a manner that minimizes disruption to Yuno's operations, and with strict adherence to confidentiality of Yuno's proprietary information, intellectual property, and other customers' data.

‍

10.3 Audit Findings and Remediation. Any material compliance deficiencies identified through audits shall be addressed promptly through mutually agreed remediation plans. Costs associated with audits shall be borne by the requesting party unless material non-compliance is identified, in which case Yuno shall bear reasonable audit costs.

‍

ARTICLE 11: LIABILITY ALLOCATION AND INDEMNIFICATION

‍

11.1 Mutual Liability. Each party shall be liable for damages arising from its own violations of Applicable Data Protection Laws or breaches of this DPA. Neither party shall be liable for damages arising from the other party's violations or from Processing conducted in accordance with the other party's lawful instructions.

‍

11.2 Indemnification. Each party shall indemnify and hold harmless the other party from claims, damages, and expenses arising from its own violations of data protection obligations under this DPA. The Counterparty shall indemnify and hold harmless Yuno from any claims, damages, or expenses arising from Yuno's Processing of Personal Data in accordance with the Counterparty's lawful instructions where such claims arise from the Counterparty's failure to comply with its Data Controller obligations, including failure to obtain proper Data Subject authorizations or establish a lawful Processing basis.

‍

11.3 Limitation of Liability. Nothing in this DPA shall limit either party's liability for fraudulent acts, willful misconduct, or violations of data protection laws. For other claims, liability shall be limited as set forth in the underlying agreement with the Counterparty.

‍

ARTICLE 12: TERM, TERMINATION, AND TRANSITION

‍

12.1 Term. This DPA shall commence upon execution of the underlying agreement with the Counterparty and shall remain in effect for the duration of that agreement or until terminated in accordance with its terms.

‍

12.2 Termination for Cause. Either party may terminate this DPA immediately upon written notice if the other party materially breaches its data protection obligations and fails to remedy such breach within thirty (30) days of written notice.

‍

12.3 Effect of Termination. Upon termination, each party shall return or securely destroy Personal Data received from the other party, subject to legal retention requirements. Provisions relating to confidentiality, liability, indemnification, and dispute resolution shall survive termination.

‍

ARTICLE 13: GOVERNING LAW AND DISPUTE RESOLUTION

‍

13.1 Applicable Law. This DPA shall be governed by the laws of the jurisdiction specified in the underlying agreement with the Counterparty, provided that data protection obligations shall be interpreted in accordance with Applicable Data Protection Laws in the relevant jurisdictions where Personal Data is processed.

‍

13.2 Dispute Resolution. Disputes arising under this DPA shall be resolved through the dispute resolution mechanisms specified in the underlying agreement. Data protection disputes involving regulatory enforcement shall be addressed in coordination with relevant supervisory authorities.

‍

13.3 Jurisdiction and Enforcement. The parties submit to the jurisdiction of courts in the locations specified in the underlying agreement for enforcement of this DPA, while acknowledging the authority of data protection supervisory authorities in their respective jurisdictions.

‍

ARTICLE 14: MODIFICATIONS, AMENDMENTS, AND FINAL PROVISIONS

‍

14.1 Amendment Process. This DPA may be modified only through a written agreement signed by authorized representatives of both parties, except for updates required to maintain compliance with changes in Applicable Data Protection Laws.

‍

14.2 Regulatory Updates. Yuno may update this DPA as necessary to comply with changes in Applicable Data Protection Laws, provided that such updates do not materially reduce the level of protection afforded to Personal Data. Counterparties shall be notified of material updates with at least thirty (30) days' advance notice.

‍

14.3 Conflicting Terms. In the event of conflict between this DPA and the underlying commercial agreement, the terms of this DPA shall govern with respect to Personal Data protection matters. In the event of conflict between the main body of this DPA and a Jurisdictional Addendum, the Addendum shall prevail for jurisdiction-specific requirements.

‍

14.4 Severability. If any provision of this DPA is held invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.

‍

14.5 Entire Data Protection Agreement. This DPA, together with the applicable Jurisdictional Addenda and the Group Privacy Policy, constitutes the entire agreement between the parties with respect to Personal Data protection in connection with the Services.

‍

ARTICLE 15: EMERGENCY PROCESSING AUTHORITY

‍

15.1 Fraud-Prevention Override. Yuno may, without prior Counterparty consent, temporarily suspend, reroute, or modify Processing where reasonably necessary to mitigate: (a) suspected money laundering or terrorist financing; (b) payment-card fraud exceeding Card Scheme thresholds; (c) sanctions violations; or (d) platform abuse threatening the integrity or security of the Services. Yuno shall notify the affected Counterparty as soon as practicable, and in any event within twenty-four (24) hours, of any action taken under this section.

‍

15.2 Cyber-Security Incident Response. During an actual or suspected cyber-security incident, Yuno may implement emergency technical or organizational measures, including traffic diversion, additional authentication, geographic restrictions, or temporary service limitations. Such measures shall be proportionate to the threat and shall be reversed as soon as the incident is resolved.

‍

EXECUTION

This Data Processing Agreement is executed by the authorized representatives of the parties effective as of the date of execution of the Agreement.

‍

‍

ADDENDUM A: BANKING CONNECTIVITY SERVICES

‍

This Addendum forms an integral part of the Yuno Global Data Processing Agreement ("DPA") and applies where the applicable Order Form activates Banking Connectivity Services. In the event of conflict between this Addendum and the main body of the DPA, this Addendum prevails for all matters relating to Banking Connectivity Services. 

‍

A.1 Definitions.

‍

"Banking Connectivity Services" means the technology infrastructure provided by Yuno enabling API-based data transmission between the Merchant's systems and the Merchant's independently contracted Bank Partners. Banking Connectivity Services are software integration services only. They do not constitute banking, payment, financial, or electronic money services of any kind.

‍

"Bank Partner" means a licensed financial institution or payment services provider with which the Merchant has independently contracted for banking or financial services, including account opening, fund custody, and fund transfers.

‍

"Banking Connectivity Personal Data" means any Personal Data, including Special Category Personal Data, transmitted through Yuno's Banking Connectivity infrastructure pursuant to the Merchant's instruction, including identity verification data, government-issued identification documents, biometric data, proof-of-address documentation, and source-of-funds data relating to End Users.

‍

"Bank Partner Routing Instruction" means the explicit, Merchant-determined designation in each API call specifying which Bank Partner shall receive the Banking Connectivity Personal Data. Yuno does not autonomously select or assign Bank Partners; all routing is determined solely by the Merchant's instructions.

‍

A.2 Characterization of the Service. Banking Connectivity Services constitute pure technology infrastructure. Yuno operates as an API relay transmitting data between the Merchant's systems and the designated Bank Partner. Yuno does not provide or participate in any banking, account-opening, fund-custody, or fund-transfer service. Yuno does not evaluate, assess, or classify End Users for KYC, AML, or sanctions purposes; does not make or participate in decisions regarding End User acceptance or rejection; and does not apply or relay risk classifications, PEP designations, or compliance determinations of any kind. All such functions are the exclusive responsibility of the Merchant and its Bank Partners. Banking Connectivity Services are maintained as a logically distinct service module from Yuno's payment-orchestration platform. A regulatory determination that Banking Connectivity Services constitute a regulated activity in any jurisdiction shall not affect the regulatory characterization of Yuno's payment-orchestration Services.

‍

A.3 Data Processing Roles. The Merchant acts as Data Controller for all Banking Connectivity Personal Data, including Special Category Personal Data. The Merchant determines the purposes and means of processing and bears sole responsibility for compliance with all Controller obligations under Applicable Data Protection Laws in every jurisdiction where it operates. Yuno acts as a passthrough Data Processor, limited to: (i) receiving Banking Connectivity Personal Data from the Merchant; (ii) validating the API request schema for technical conformity; (iii) routing the data payload to the Bank Partner designated by the Merchant's Bank Partner Routing Instruction; and (iv) returning the Bank Partner's response to the Merchant. Yuno exercises no judgment or discretion over the content, purpose, or outcome of such processing. Bank Partners receive Banking Connectivity Personal Data as independent Data Controllers. They are not Yuno's Sub-Processors. The legal and commercial relationship governing the provision of banking services — including KYC compliance, account opening, fund custody, and fund transfers — is direct between the Merchant and each Bank Partner. Yuno is not a party to that relationship.

‍

A.4 Merchant Warranties. The Merchant represents and warrants, on a continuing basis, that before transmitting any Banking Connectivity Personal Data to Yuno:
(a) it has established a lawful basis for all processing activities under Applicable Data Protection Laws in each jurisdiction where End Users are located, including for cross-border transmission to Bank Partners;
(b) it has obtained all consents, authorizations, and approvals required for the collection and transmission of Banking Connectivity Personal Data, including where applicable explicit consent for Special Category Personal Data under GDPR Article 9 and equivalent provisions;
(c) it has provided End Users with adequate privacy notices identifying Bank Partners as independent data recipients and describing any cross-border transfers;
(d) it has confirmed that the transmission to the designated Bank Partner is lawful in the Bank Partner's jurisdiction; and
(e) it has conducted any required Data Protection Impact Assessment before transmitting Special Category Personal Data.
The Merchant shall indemnify and hold harmless Yuno from any claims, damages, fines, or expenses arising from the Merchant's breach of the warranties in this Article A.4.

‍

A.5 Yuno's Architecture Obligations. Yuno shall not store, retain, or archive identity documents, biometric data, or facial recognition data transmitted through Banking Connectivity Services. Such data shall be processed exclusively in-memory during the API routing operation and shall not be written to any persistent storage medium within Yuno's infrastructure. Yuno may retain transaction metadata — identifiers, timestamps, and anonymized routing records — solely for service delivery, audit, and dispute-resolution purposes. Yuno shall not combine Banking Connectivity Personal Data with other personal data held by Yuno, use it to train or improve any model, or disclose it to any party other than the Bank Partner designated by the Merchant's Bank Partner Routing Instruction.

‍

A.6 Liability and Regulatory Firewall. Yuno's liability in connection with Banking Connectivity Services is limited to direct damages caused by Yuno's failure to transmit data in accordance with its documented API specifications and the obligations of this Addendum. Yuno has no liability for any act or omission of a Bank Partner, for the availability or terms of any banking service, for End User losses arising from the Merchant's or Bank Partner's operations, or for any regulatory penalty imposed on the Merchant or any Bank Partner. Yuno's aggregate liability for all claims under this Addendum shall not exceed the total fees paid by the Merchant for Banking Connectivity Services during the six (6) months preceding the event giving rise to the claim. If any regulatory authority asserts that Banking Connectivity Services constitute a regulated activity in any jurisdiction, Yuno reserves the right to suspend Banking Connectivity Services in that jurisdiction upon thirty (30) days' written notice, without liability and without affecting the continuity of payment-orchestration Services.

‍

A.7 Separate Instrument Requirement. Banking Connectivity Services shall be activated only through an Order Form or Special Terms addendum that expressly identifies Banking Connectivity as a contracted service. They may not be activated by implication or as an "additional service" under a payment-orchestration Order Form that does not contain a dedicated Banking Connectivity section addressing the obligations of this Addendum.

‍

This Addendum is effective as of the date of execution of the Order Form activating Banking Connectivity Services and remains in effect for the duration of that agreement.

‍

The following addenda address specific requirements for Personal Data Processing in various jurisdictions and form integral parts of this DPA when applicable. The applicable addendum is determined by the jurisdiction where Personal Data originates or is processed, as identified by the nature of each Counterparty relationship and the applicable Order Form.

• Addendum A: Banking Connectivity Services
• Addendum B: Brazil LGPD Requirements
• Addendum C: Colombia Law 1581 Requirements
• Addendum D: Mexico LFPDPPP Requirements
• Addendum E: Singapore PDPA Requirements
• Addendum F: United States CCPA/CPRA and Multi-State Privacy Requirements
• Addendum G: Kingdom of Saudi Arabia PDPL Requirements
• Addendum H: Qatar (QFC) Data Protection Requirements
• Addendum I: India DPDP Act Requirements
• Addendum J: European Union and United Kingdom GDPR Requirements

ADDENDUM B: BRAZIL LGPD

‍

• Responsible Yuno Entity: Yuno Intermediação de Serviços Ltda. (Brazil)
• Applicable Data Protection Laws: Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018; Regulations from Autoridade Nacional de Proteção de Dados (ANPD).

B.1 LGPD Compliance Framework. Yuno commits to Processing Personal Data of Brazilian Data Subjects in accordance with LGPD principles of good faith, purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.

‍

B.2 Legal Basis for Processing. Personal Data Processing under this Addendum relies on the legal basis determined by the Counterparty as Data Controller, which may include any of the ten (10) legal bases under LGPD Article 7. Yuno shall not process Personal Data beyond the scope of Counterparty instructions without explicit authorization.

‍

B.3 Cross-Border Data Transfers. Personal Data of Brazilian residents may be transferred internationally using ANPD Standard Contractual Clauses per Resolution CD/ANPD No. 19/2024 (Controller-Processor and Processor-Processor modules), adequacy decisions when issued by ANPD, or other lawful transfer mechanisms. Yuno maintains documentation of all international transfers and applicable safeguards.

‍

B.4 Data Subject Rights Under LGPD. Yuno assists Counterparties in fulfilling Data Subject requests under LGPD Articles 17-22, including confirmation of Processing, access to data, correction of incomplete or inaccurate data, anonymization or deletion, portability, and information about sharing with public and private entities.

‍

B.5 ANPD Regulatory Compliance. Both parties acknowledge ANPD's regulatory authority and commit to compliance with ANPD guidance, regulations, and enforcement actions. Yuno maintains current registration with ANPD as required and provides necessary documentation for regulatory compliance.

‍

B.6 Data Protection Impact Assessment. For high-risk Processing activities, Yuno shall conduct Data Protection Impact Assessments in accordance with ANPD guidance and share relevant findings with Counterparties.

‍

ADDENDUM C: COLOMBIA LAW 1581 of 2012

‍

• Responsible Yuno Entity: Yuno Colombia S.A.S. (Colombia)
• Applicable Data Protection Laws: Ley 1581 de 2012; Decreto 1377 de 2013; Superintendencia de Industria y Comercio (SIC) regulations and guidance.

‍

C.1 Law 1581 Processing Framework. Yuno processes Personal Data in accordance with Law 1581 principles of legality, purpose, freedom, truthfulness, transparency, access, restricted circulation, security, and confidentiality. All Processing activities serve legitimate purposes directly related to Services.

‍

C.2 Authorization and Privacy Policies. Counterparties must obtain appropriate authorization from Data Subjects before transferring Personal Data to Yuno, implementing clear privacy policies meeting Law 1581 requirements. Yuno assists Counterparties in developing compliant authorization mechanisms.

‍

C.3 Rights of Data Subjects (Habeas Data). Yuno supports Counterparties in fulfilling Data Subject rights under Law 1581, including rights to access, update, rectify, and delete Personal Data. Response procedures ensure compliance with SIC timelines and maintain comprehensive records of all rights requests.

‍

C.4 Cross-Border Data Transfers. International transfers from Colombia comply with Law 1581 requirements for adequate protection or appropriate safeguards (SIC Declaration of Conformity or contractual clauses). Yuno maintains documentation of transfer mechanisms and updates adequacy assessments for recipient countries.

‍

C.5 SIC Regulatory Compliance. Both parties acknowledge SIC's regulatory authority over Personal Data protection and maintain necessary registrations in the National Registry of Databases (RNBD). Yuno provides Counterparties with required information for SIC filings.

‍

C.6 Security and Confidentiality Measures. Yuno implements comprehensive security measures meeting SIC requirements, including technical, administrative, and physical safeguards proportionate to the sensitivity and volume of Personal Data processed.

‍

ADDENDUM D: MEXICO LFPDPPP

‍

• Responsible Yuno Entity: Yuno Tecnologías, S.A.P.I. de C.V. (Mexico)
• Applicable Data Protection Laws: Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP); its Regulations (Reglamento); and guidance from the applicable regulatory authority (currently the Secretariat of Anti-Corruption and Good Governance, successor to INAI).

D.1 LFPDPPP Processing Principles. Yuno adheres to LFPDPPP principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality, and accountability in all Personal Data Processing activities. Processing shall be limited to purposes directly related to Services.

‍

D.2 Privacy Notice Requirements. Counterparties must provide comprehensive privacy notices (Avisos de Privacidad) to Data Subjects in accordance with LFPDPPP Articles 15-18, including information about Yuno's role as Data Processor (Encargado). Yuno assists Counterparties in ensuring privacy notices meet Mexican regulatory requirements and include all mandatory elements.

‍

D.3 ARCO Rights Implementation. Yuno supports Counterparties in responding to Data Subject requests for access, rectification, cancellation, and opposition (ARCO rights) under LFPDPPP Articles 22-35. Response procedures ensure compliance with the twenty (20) business day timeline and maintain records of all requests.

‍

D.4 Cross-Border Data Transfers. International transfers (Transferencias) and onward transfers (Remisiones) of Mexican Personal Data comply with LFPDPPP Articles 36-37 requirements. Yuno maintains documentation evidencing adequate protection levels for all recipient countries.

‍

D.5 Regulatory Authority Coordination. Both parties recognize the regulatory authority of the applicable Mexican data protection authority and maintain necessary compliance documentation. Yuno responds promptly to authority information requests.

‍

D.6 Security Measures Compliance. Yuno implements administrative, physical, and technical security measures meeting LFPDPPP and regulatory standards, including access controls, encryption, incident response procedures, and regular security assessments appropriate for the sensitivity of Personal Data processed.

‍

ADDENDUM E: SINGAPORE PDPA

‍

• Responsible Yuno Entity: Smart Routing PTE. Ltd. (Singapore)
• Applicable Data Protection Laws: Personal Data Protection Act 2012 (PDPA); Personal Data Protection Commission (PDPC) Guidelines and Regulations.

E.1 PDPA Compliance Obligations. Yuno complies with PDPA obligations as a data intermediary Processing Personal Data on behalf of Counterparties. Processing activities adhere to PDPA data protection principles including consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, and transfer limitation.

‍

E.2 Consent and Notification Requirements. Counterparties must obtain appropriate consent from Data Subjects or rely on other lawful grounds under PDPA before transferring Personal Data to Yuno. Yuno assists Counterparties in implementing consent mechanisms and maintaining consent records as required by PDPC guidance.

‍

E.3 Data Breach Notification Framework. Yuno implements comprehensive data breach response procedures complying with PDPA mandatory breach notification requirements. Notification to PDPC and affected Data Subjects follows prescribed timelines and formats, with Counterparties receiving immediate notification of any incidents affecting their data.

‍

E.4 Cross-Border Transfer Compliance. Personal Data transfers from Singapore comply with PDPA Section 26 requirements, ensuring recipient countries provide adequate protection or implementing appropriate safeguards. Yuno maintains transfer documentation and regularly reviews adequacy assessments for recipient jurisdictions.

‍

E.5 Data Subject Access and Correction. Yuno assists Counterparties in responding to Data Subject access and correction requests under PDPA Sections 21-22 within prescribed timelines. Response procedures include identity verification, scope assessment, and appropriate redaction of third-party information.

‍

E.6 PDPC Regulatory Engagement. Both parties commit to transparent engagement with PDPC, including cooperation with investigations, compliance audits, and regulatory guidance implementation.

‍

ADDENDUM F: UNITED STATES CCPA/CPRA AND MULTI-STATE PRIVACY

‍

• Responsible Yuno Entity: Yuno USA, LLC (United States)
• Applicable Data Protection Laws: California Consumer Privacy Act (CCPA) as amended by California Privacy Rights Act (CPRA); California Civil Code Section 1798.100 et seq.; Virginia Consumer Data Protection Act; Colorado Privacy Act; Connecticut Data Privacy Act; and other applicable state privacy laws.

F.1 CCPA/CPRA Service Provider Obligations. Yuno acts as a "service provider" under CCPA/CPRA when Processing personal information on behalf of Counterparties. Yuno certifies compliance with all service provider requirements including: no selling or sharing of personal information; Processing only for specified business purposes; no retention outside the business relationship; no combining with other sources except as permitted; and maintenance of appropriate security measures.

‍

F.2 Consumer Rights Implementation. Yuno assists Counterparties in responding to California consumer requests for access, deletion, correction, and opt-out under CCPA/CPRA Sections 1798.100-1798.150. Response procedures include identity verification, scope assessment, and coordination with Counterparty business systems.

‍

F.3 Categories of Personal Information. Yuno processes the following categories of personal information as defined in CCPA Section 1798.140: identifiers; commercial information; internet activity; geolocation data; and inferences drawn from personal information. Processing serves business purposes including payment orchestration, fraud prevention, and service improvement.

‍

F.4 Sensitive Personal Information Protections. For sensitive personal information as defined in CPRA Section 1798.140(ae), Yuno implements additional safeguards including enhanced security controls, limited retention periods, and restricted access controls. Processing of sensitive information requires explicit Counterparty authorization.

‍

F.5 Multi-State Privacy Compliance. Yuno monitors developments in state privacy laws including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and other emerging state privacy legislation, implementing necessary compliance measures as laws become effective.

‍

F.6 Automated Decision-Making. Yuno assists Counterparties in meeting automated decision-making disclosure requirements and AI-related privacy obligations as they develop across state jurisdictions.

‍

ADDENDUM G: KINGDOM OF SAUDI ARABIA PDPL

‍

• Responsible Yuno Entity: Yuno Payments Arabia (Kingdom of Saudi Arabia)
• Applicable Data Protection Laws: Personal Data Protection Law (PDPL), issued by Royal Decree M/19 (September 2021) as amended by Royal Decree M/148 (March 2023), effective September 14, 2023, fully enforceable since September 14, 2024; PDPL Implementing Regulations (September 2023); Regulation on Personal Data Transfer Outside the Kingdom (September 2024); SDAIA guidelines and rules; and applicable SAMA regulations for electronic money services and payment technology service providers.

G.1 PDPL Compliance Framework. Yuno Payments Arabia processes Personal Data in compliance with the PDPL and its Implementing Regulations. As a technology service provider supporting electronic payment services under SAMA oversight, Yuno Payments Arabia's Processing activities are limited to the technical orchestration of payment data on behalf of Counterparties. Yuno Payments Arabia does not itself hold, control, or settle funds and is not a licensed payment institution.

‍

G.2 Legal Basis for Processing. Personal Data Processing relies on the legal basis determined by the Counterparty as Controller, which may include: consent (PDPL Art. 5); performance of a contract with the Data Subject; compliance with a legal obligation; protection of vital interests; processing of publicly available data; or legitimate interest (as permitted under the Implementing Regulations). Yuno assists Counterparties in documenting the applicable legal basis.

‍

G.3 Cross-Border Data Transfer. Transfers of Personal Data outside the Kingdom of Saudi Arabia comply with PDPL Article 29 and the Data Transfer Regulation (September 2024). Yuno implements SDAIA Standard Contractual Clauses (Controller-to-Processor and Processor-to-Processor modules) for transfers to Yuno Group entities and Sub-Processors outside KSA. Where required, Yuno conducts transfer risk assessments before initiating transfers involving sensitive data or large-scale continuous transfers. SDAIA has not yet published an adequacy list; Yuno monitors regulatory developments and will adopt adequacy-based transfers when available.

‍

G.4 Data Subject Rights. Yuno assists Counterparties in responding to Data Subject rights under PDPL Articles 13-18, including the right to be informed of the legal basis for Processing, the right of access, the right to obtain Personal Data in a readable format, the right to request correction, the right to request destruction of Personal Data, and the right to object to Processing. Yuno shall facilitate responses within the timeframes prescribed by the Implementing Regulations.

‍

G.5 SDAIA Regulatory Compliance. Yuno Payments Arabia complies with SDAIA registration requirements for Controllers within the Kingdom, maintains processing records as required, and cooperates with SDAIA in respect of complaints, investigations, and audits. Where required by the Implementing Regulations, Yuno Payments Arabia appoints a Data Protection Officer and notifies SDAIA of Personal Data Breaches within seventy-two (72) hours where such breaches may cause harm to Data Subjects.

‍

G.6 Data Localization and SAMA Requirements. Yuno Payments Arabia hosts Personal Data processed in connection with Saudi Arabia operations on Google Cloud Platform (GCP) in the Dammam region, in compliance with SAMA's data residency requirements for electronic payment service providers. SAMA prohibits the transfer of customer data outside KSA without SAMA's prior approval. Yuno maintains appropriate technical and organizational controls to ensure that KSA-originating data remains within the Dammam hosting environment unless a lawful transfer mechanism is in place.

‍

ADDENDUM H: QATAR (QFC) DATA PROTECTION

‍

• Responsible Yuno Entity: Yuno Al Saqr (Qatar, QFC-registered entity)
• Applicable Data Protection Laws: Qatar Financial Centre Data Protection Regulations 2021 (QFC DP Regulations); QFC Authority guidance. Note: As a QFC-registered entity, Yuno Al Saqr is subject to the QFC data protection regime, not Qatar's national Law No. 13 of 2016.

H.1 QFC DP Regulations Compliance Framework. Yuno Al Saqr processes Personal Data as a Processor under the QFC DP Regulations 2021. Processing is conducted in accordance with the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

‍

H.2 Legal Basis for Processing. Processing relies on the legal basis established by the Counterparty as Controller under the QFC DP Regulations, which may include: consent; contractual necessity; legal obligation; vital interests; public interest; or legitimate interests. Sensitive Personal Data is processed only where the additional conditions under the QFC DP Regulations are satisfied.

‍

H.3 Cross-Border Data Transfer. Transfers of Personal Data outside the QFC comply with the QFC DP Regulations' transfer provisions. Yuno implements appropriate safeguards, which may include Standard Contractual Clauses, adequacy assessments, or binding corporate rules. The QFC Authority's guidance on international transfers is applied as updated.

‍

H.4 Data Subject Rights. Yuno assists Counterparties in responding to Data Subject rights under the QFC DP Regulations, including rights of access, rectification, erasure, restriction, portability, and objection. Yuno shall facilitate responses within the prescribed timeframes.

‍

H.5 QFC Authority Compliance. Yuno Al Saqr cooperates with the QFC Authority in respect of investigations, audits, and guidance. Yuno Al Saqr maintains Processing records and, where required, notifies the QFC Authority of Personal Data Breaches within the timeframes prescribed by the QFC DP Regulations.

‍

H.6 Regulatory Positioning. For the avoidance of doubt, Yuno Al Saqr operates as a technology service provider within the QFC and has obtained a written exemption from Qatar Central Bank (QCB) Payment System Regulations Section 6.1. Yuno Al Saqr does not provide regulated payment services within Qatar.

‍

ADDENDUM I: INDIA DPDP ACT

‍

• Responsible Yuno Entity: Yuno Routing Solutions Pvt. Ltd. (India)
• Applicable Data Protection Laws: Digital Personal Data Protection Act 2023 (DPDP Act); DPDP Rules 2025 (notified November 14, 2025, with phased compliance through May 13, 2027); and applicable RBI regulations including data localization requirements.

I.1 DPDP Act Compliance Framework. Yuno Routing Solutions processes Personal Data as a Processor (referred to as a "Data Processor" acting on behalf of a "Data Fiduciary" under the DPDP Act). Yuno processes digital Personal Data of Data Principals only for the purposes specified by the Counterparty and in accordance with documented instructions.

‍

I.2 Legal Basis for Processing. The DPDP Act provides for processing based on: (a) consent of the Data Principal; or (b) certain "legitimate uses" without consent (such as performance of a contract, compliance with legal obligations, or voluntary provision of data without indication of non-consent). The Counterparty, as Data Fiduciary, is responsible for establishing the lawful basis before transferring Personal Data to Yuno.

‍

I.3 Data Principal Rights. Yuno assists Counterparties in responding to Data Principal rights under the DPDP Act, including: right of access to information about Processing; right to correction of inaccurate data; right to erasure; right to grievance redressal; and right to nominate another person to exercise rights. Response timelines follow the DPDP Rules 2025.

‍

I.4 Cross-Border Data Transfer. The DPDP Act permits cross-border transfers of Personal Data except to countries specifically restricted by the Central Government. Yuno monitors the Government of India's notifications regarding restricted jurisdictions. Yuno implements appropriate contractual safeguards for all international transfers of Indian Personal Data.

‍

I.5 Data Localization — RBI Compliance. Yuno acknowledges that RBI regulations (including RBI Circular DPSS.CO.PD.No.1810/02.14.008/2017-18 and subsequent directions) require that all payment system data, including full end-to-end transaction details and information collected, carried, or processed as part of payment instructions, be stored in systems located only in India. Yuno Routing Solutions shall ensure that payment data processed on behalf of Counterparties who are RBI-regulated entities or their agents is stored within India. Yuno operates local hosting infrastructure to comply with this requirement.

‍

I.6 Consent Manager Framework. Where applicable, Yuno shall cooperate with registered Consent Managers through which Data Principals manage their consent. Yuno provides technical integration points to facilitate consent verification and withdrawal workflows.

‍

I.7 Significant Data Fiduciary Obligations. If the Central Government designates the Counterparty as a Significant Data Fiduciary, Yuno shall provide reasonable cooperation for the Counterparty's compliance obligations, including support for Data Protection Impact Assessments, audits by independent data auditors, and periodic reporting to the Data Protection Board of India.

‍

ADDENDUM J: EUROPEAN UNION AND UNITED KINGDOM

‍

• Responsible Yuno Entity: Entity of the United Kingdom for UK data subjects and Smart Routing PTE. Ltd. (Singapore) for EU data subjects, unless specified differently in the Order Form. If Yuno does not maintain an establishment in the EU, Yuno shall appoint an EU representative under GDPR Article 27 where required.
• Applicable Data Protection Laws: EU General Data Protection Regulation (GDPR) 2016/679; UK General Data Protection Regulation; Data Protection Act 2018.

J.1 GDPR Article 28 Compliance. This Addendum implements the requirements of GDPR Article 28 for Processor relationships. Yuno undertakes to process Personal Data only on documented instructions from the Counterparty, including with regard to transfers to third countries or international organizations, unless required to do so by Union or Member State law to which Yuno is subject.

‍

J.2 Processing Activities and Legal Basis. Yuno processes Personal Data for payment orchestration services under the legal basis determined by the Counterparty. Special categories of Personal Data as defined in GDPR Article 9 are not processed except where explicitly authorized and legally permitted.

‍

J.3 Data Subject Rights Implementation. Yuno shall assist the Counterparty in responding to Data Subject requests within the timeframes required by GDPR Articles 12-22, including rights of access, rectification, erasure, restriction, portability, and objection. Response times shall not exceed one month, extendable by two months for complex requests.

‍

J.4 Standard Contractual Clauses Integration. For transfers of Personal Data from the EEA or United Kingdom to Yuno entities in third countries, the parties incorporate the applicable Standard Contractual Clauses (EU SCC Modules 2 or 3; UK IDTA or UK Addendum to EU SCCs) as required by the specific Processing relationship and transfer scenario. The applicable module is determined by the parties' Processing roles for each transfer.

‍

J.5 Data Protection Officer Coordination. Where either party has appointed a Data Protection Officer, such officer shall serve as the primary contact for data protection matters arising under this Addendum. Yuno's DPO may be contacted at privacy@y.uno.

‍

J.6 Supervisory Authority Cooperation. Both parties commit to full cooperation with supervisory authorities in the European Union and United Kingdom, including providing information, documentation, and access as reasonably requested for regulatory investigations or audits.

‍

GENERAL PROVISIONS FOR ALL ADDENDA

‍

Precedence and Integration. These Addenda form integral parts of the Yuno Global Data Processing Agreement and shall be applied based on the jurisdictions where Personal Data originates or is processed. In case of conflict between an Addendum and the main DPA, the Addendum shall prevail for jurisdiction-specific requirements.

‍

Regulatory Updates. Yuno monitors regulatory developments in all applicable jurisdictions and may update Addenda as necessary to maintain compliance with evolving legal requirements. Counterparties receive advance notice of material changes affecting their Processing activities.

‍

Multi-Jurisdictional Processing. Where Processing involves Personal Data from multiple jurisdictions, the most protective standards shall apply unless specific jurisdictional requirements mandate different treatment. Yuno maintains comprehensive documentation of applicable legal requirements for each Processing activity.

‍

Effective Date. These Addenda become effective simultaneously with the execution of the main Data Processing Agreement and remain in effect for the duration of the Agreement unless terminated in accordance with applicable termination provisions.

‍

Global Privacy Officer Contact:

‍

• Email: privacy@y.uno
• Global Address: Cráter 38, Jardines del Pedregal, Álvaro Obregón, Ciudad de México, C.P. 01900
• Trust Center: security.y.uno
• 24/7 Incident Response: security@y.uno

‍