YUNO - GLOBAL DATA PROCESSING AGREEMENT
EXECUTIVE SUMMARY. This Global Data Processing Agreement establishes how Yuno processes personal data as a Data Processor on behalf of its Counterparties, including both Merchants and Technology Partners, with provisions for joint controllership where factually determined. Under this unified framework, Yuno primarily serves as Data Processor for payment orchestration services while Counterparties act as Data Controllers for their respective data Processing purposes, except where joint determination of Processing purposes and means creates joint controllership arrangements. This Agreement ensures compliance with global Applicable Data Protection Laws including GDPR, CCPA/CPRA, LGPD, and local privacy regulations across all Yuno operating jurisdictions while providing streamlined onboarding and clear liability allocation.
ARTICLE 1: DEFINITIONS AND SCOPE
1.1 Purpose and Application. This Global Data Processing Agreement (the “DPA” or “Agreement”) establishes the framework for personal data protection between Yuno and its business Counterparties, including both Merchants and Technology Partners (collectively, “Counterparties”). This DPA applies to all personal data Processing activities conducted by Yuno in connection with Services and incorporates the standards set forth in Yuno's Global Privacy Policy.
1.2 Definitions. For purposes of this DPA, the following terms shall have the meanings set forth below:
Applicable Data Protection Laws. Means all applicable international, national, federal, state, and local laws, regulations, and regulatory guidelines concerning personal data protection, privacy, and security, including the European Union General Data Protection Regulation, United Kingdom General Data Protection Regulation, Brazil's General Data Protection Law, Colombia's Colombia Data Protection Regulations of 2012, Mexico's Federal Law on Protection of Personal Data Held by Private Parties, California Consumer Privacy Act as amended by the California Privacy Rights Act, Singapore's Personal Data Protection Act, and any other applicable privacy legislation in jurisdictions where the parties operate.
Counterparties. Means any business entity that enters into this DPA with Yuno, including both Merchants and Technology Partners as defined below. Counterparties may act as Data Controllers, Data Processors, or Joint Controllers depending on the factual circumstances of Processing activities.
Data Controller. Means the entity that, alone or jointly with others, determines the purposes and means of Processing Personal Data. Processing roles are determined by factual circumstances rather than contractual labels.
Data Processor. Means the entity that processes Personal Data on behalf of and under the documented instructions of the Data Controller. Processing roles are determined by factual circumstances rather than contractual labels.
Data Subject. Means an identified or identifiable natural person whose Personal Data is processed under this DPA.
End User. An individual customer of a Merchant whose Personal Data is processed through Yuno's platform.
Joint Controller. Means two or more controllers who jointly determine the purposes and means of Processing, as defined under GDPR Article 26 and equivalent provisions in other Applicable Data Protection Laws. The determination of joint controllership shall consider factors such as the degree of influence over Processing purposes and means, shared business objectives, and integrated decision-making processes.
Merchant. A business entity that uses Yuno's Services to process payments from their customers (End Users). Merchants typically act as Data Controllers for End User Personal Data, except where joint controllership is factually established.
Personal Data. Means any information relating to an identified or identifiable natural person, including but not limited to: (i) payment card data and tokenized payment credentials, (ii) transaction information and commercial data, (iii) fraud prevention and risk assessment data, (iv) device and behavioral biometrics, (v) geolocation and IP address data, (vi) authentication and identity verification data, (vii) inferred data based on observed behaviors or characteristics, and (viii) any other data processed through Yuno's platform that directly or indirectly identifies a natural person.
Personal Data Breach. Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Processing. Means any operation or set of operations performed on Personal Data, whether by automated or manual means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
Services. “Services” means Yuno’s cloud‑based payment‑orchestration platform and any related technology, including dashboards, application programming interfaces (APIs), software‑development kits (SDKs), and the professional or technical support we provide. Through the Services, Customers can access multiple payment methods, fraud‑prevention tools, and other integrated payment‑industry solutions.
Standard Contractual Clauses. Means the contractual clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission or other relevant supervisory authorities, including EU SCC Modules 1, 2, and 3 (Decision 2021/914), UK IDTA, and Brazil ANPD Standard Contractual Clauses (Resolution CD/ANPD nº 19/2024).
Sub-Processor. Means any third party engaged by Yuno to process Personal Data on behalf of the Counterparties.
Technology Partner. Means a service provider (including, but not limited to, PSPs, fraud prevention vendors, AML/KYC providers, acquirers, gateways, alternative payment methods, and emerging payment technologies) that Yuno engages to facilitate payment orchestration services. Technology Partners typically act as Data Controllers for their specific processing activities, except where joint controllership is factually established.
Yuno. Means, collectively and individually, Smart Routing Pte. Ltd.; Yuno Payments Ltd.; Yuno Payments LLC; Yuno USA, LLC; Yuno Colombia S.A.S.; Yuno Intermediação de Serviços Ltda.; and Yuno Tecnologías S.A.P.I. de C.V., together with any present or future parent, subsidiary, branch, or affiliate that (i) is under common control with any of the foregoing entities, and (ii) participates in, or makes available, the Services governed by this Agreement. Unless expressly stated otherwise, each reference to “Yuno” in this Agreement shall be deemed to include the entire Yuno Group.
ARTICLE 2: DATA PROCESSING ROLES AND RESPONSIBILITIES
2.1 Primary Processor Role. Yuno primarily acts as Data Processor for Personal Data Processing activities conducted on behalf of Counterparties. These Counterparties typically act as Data Controllers, determining the purposes and means of Processing Personal Data shared with or processed by Yuno.
2.2 Merchant Relationships. The Merchant typically acts as Data Controller for Personal Data of End Users that it shares with Yuno for payment orchestration purposes. In this capacity, the Merchant determines the purposes and means of Processing End User Personal Data and bears primary responsibility for compliance with Applicable Data Protection Laws. Yuno processes End User Personal Data according to Merchant instructions, with the following data flow:
End User → Merchant (Controller) → Yuno (Processor) → Technology Partners (per Merchant instructions).
2.3 Technology Partner Relationships. Technology Partners typically act as Data Controllers for their specific Processing purposes (fraud scoring, KYC verification, payment Processing, etc.). Yuno processes Personal Data according to Technology Partner instructions for specific service delivery. Data flows may include: (i) Technology Partner (Controller) → Yuno (Processor) → Processing/routing as instructed, or (ii) Merchant (Controller) → Yuno (Processor) → Technology Partner (Sub-processor per Merchant instructions).
2.4 Liability Allocation. Yuno bears liability only for Processing compliance under documented Counterparty instructions or joint controller obligations where applicable. Counterparties remain solely responsible for: (i) data subject authorizations and lawful processing bases, (ii) compliance with Controller obligations under Applicable Data Protection Laws, and (iii) lawful Processing instructions to Yuno.
2.5 Counterparty Compliance Monitoring. Yuno may suspend Processing services for Counterparties who materially fail to comply with their Controller obligations, including failure to obtain proper data subject authorizations or maintain lawful processing bases, provided that reasonable notice and an opportunity to cure have been given.
2.6 SDK-Based Joint Processing. Where Yuno provides SDK implementations that enable Counterparties (including Merchants and Technology Partners) to integrate Yuno's decision-making algorithms, fraud detection, or routing logic into their systems, both parties may act as joint controllers for such Processing activities. Joint controller responsibilities shall be documented in SDK-specific Processing schedules and separate Joint Controller Agreements. This may include, but is not limited to, scenarios where Yuno's proprietary algorithms are used by the Counterparty to inform strategic business decisions that go beyond simple payment routing, such as risk management models where Yuno defines the overarching purpose of the data analysis in conjunction with the Counterparty's specific use case.
2.7 Regulatory-Scope Limitation. Yuno's obligations under this Agreement are strictly limited to the provision of payment-orchestration Services. Yuno shall not be responsible for, nor assume any liability arising out of: (a) the Counterparty's marketing, customer-acquisition or product-specific compliance activities; (b) the Counterparty's tax, accounting or financial-reporting obligations; (c) the Counterparty's independent AML/KYC determinations, save where Yuno is expressly engaged as a regulated provider and solely for the services detailed in the applicable Order Form; (d) the legality of the Counterparty's products or services; or (e) any other processing activity outside the technical scope of the Services. The Counterparty acknowledges that Yuno operates a technology platform and does not itself provide regulated payment-processing or financial-services licensable activities to End Users.
ARTICLE 3: PROCESSING OBLIGATIONS AND INSTRUCTIONS
3.1 Counterparty Obligations as Data Controller. Each Counterparty, as Data Controller, represents, warrants, and undertakes that all Personal Data Processing, including transfers to Yuno, is conducted in accordance with Applicable Data Protection Laws. Each Counterparty shall obtain all necessary consents from data subjects and provide appropriate privacy notices describing the processing activities and transfers to Yuno.
3.2 Yuno Processing Obligations. Yuno shall process Personal Data only in accordance with documented instructions from the respective Counterparty, except where required by applicable law. Yuno shall apply the principle of data minimization, Processing only that Personal Data which is adequate, relevant, and limited to what is necessary for the specified purposes. Yuno shall immediately inform the Counterparty if instructions violate Applicable Data Protection Laws and shall suspend non-compliant Processing until lawful instructions are received. Yuno shall not process Personal Data for any purposes other than those specified by the Counterparty.
3.3 Enhanced Instruction Compliance Verification. Yuno shall inform the Counterparty in a timely manner if Processing instructions would violate Applicable Data Protection Laws and shall: (a) Suspend non-compliant Processing within 2 hours of violation identification, (b) Document the nature of the legal violation and suspension actions taken, (c) Propose alternative lawful Processing approaches where technically feasible, (d) Maintain suspension until Counterparty provides amended lawful instructions, and (e) Bear no liability for business impacts or for the underlying legal violation resulting from lawful suspension. The Counterparty acknowledges that Yuno's suspension of non-compliant Processing is a compliance safeguard, not a breach of service obligations or an assumption of liability for the Counterparty's unlawful instructions.
3.4 Commercial Agreement Coordination. Where Processing instructions are provided through purchase orders or commercial agreements, such instructions must comply with this DPA. Any instruction conflicting with this DPA's data protection requirements is deemed invalid and shall not be implemented by Yuno.
3.5 Implementation Validation. Yuno maintains technical controls to prevent Processing that exceeds Counterparty instructions or violates this DPA, including automated monitoring of data Processing activities and exception reporting.
3.6 Processing Records. Both parties shall maintain comprehensive records of Processing activities as required by Applicable Data Protection Laws, including the categories of Personal Data processed, purposes of Processing, recipients of Personal Data, and retention periods.
ARTICLE 4: ENHANCED SECURITY MEASURES AND SAFEGUARDS
4.1 Comprehensive Technical and Organizational Measures. Yuno implements and maintains comprehensive technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include AES-256 encryption of Personal Data at rest, TLS 1.3 encryption for data in transit, AWS KMS with HSM backing for key management, role-based access controls with multi-factor authentication, network segregation and zero-trust architecture, 24/7 security monitoring with SIEM integration, regular vulnerability assessments and penetration testing, and quantum-ready cryptography preparation framework.
4.2 Security Standards and Certifications. Yuno maintains industry-recognized security certifications including ISO 27001 for Information Security Management, ISO 27701 for Privacy Information Management, PCI DSS Level 1 for Payment Card Industry Data Security, and SOC 2 Type II for Service Organization Controls. Current certification details are available in Yuno's Trust Center at security.y.uno.
4.3 Counterparty Security Obligations. Each Counterparty shall implement appropriate technical and organizational measures to ensure the security of Personal Data under its control, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing.
4.4 Counterparty PCI DSS Compliance. If a Counterparty processes, handles, stores, or transmits Cardholder Data, as defined by the Payment Card Industry Data Security Standard (PCI DSS), received from or on behalf of Yuno, or otherwise in connection with the Services provided under the Agreement, the Counterparty represents and warrants that it is and will remain compliant with the then-current version of PCI DSS. Upon Yuno's request, the Counterparty shall provide Yuno with a copy of its valid Attestation of Compliance (AoC) or other applicable PCI DSS validation documentation. The Counterparty shall provide Yuno with renewed AoCs or validation documentation annually, or as otherwise renewed, within thirty (30) days of its issuance. The Counterparty shall promptly notify Yuno in writing of any material changes to its PCI DSS compliance status or of any security incident that could impact the security of Cardholder Data processed in connection with this DPA.
ARTICLE 5: SUB-PROCESSING AND THIRD-PARTY DISCLOSURES
5.1 Sub-Processor Authorization. Yuno may engage Sub-Processors to assist in providing Services, provided that such engagement complies with this DPA and Applicable Data Protection Laws. If a Counterparty objects to a new Sub-Processor on reasonable grounds related to data protection within 10 business days of receiving notification, the parties will work in good faith to resolve the objection. If the objection cannot be reasonably resolved, the Counterparty may terminate the relevant Services impacted by the Sub-Processor's engagement without penalty.
5.2 Sub-Processor Agreements. Before engaging any Sub-Processors, Yuno shall execute a written agreement imposing data protection obligations equivalent to those set forth in this DPA. Yuno remains fully liable for the performance of Sub-Processors and any breaches of data protection obligations.
5.3 Third-Party Disclosures. Neither party shall disclose Personal Data to third parties except as necessary for the purposes set forth in this DPA, as required by law, or with the prior written consent of the other party. Any legally mandated disclosures shall be limited to the minimum necessary and the disclosing party shall provide prompt notice unless legally prohibited.
ARTICLE 6: INTERNATIONAL DATA TRANSFERS
6.1 Transfer Mechanisms. International transfers of Personal Data shall be conducted only with appropriate safeguards as required by Applicable Data Protection Laws. Yuno shall implement Standard Contractual Clauses, rely on adequacy decisions, or utilize other lawful transfer mechanisms as appropriate for specific jurisdictions.
6.2 Transfer Impact Assessments. For transfers to jurisdictions without adequacy decisions, Yuno shall conduct transfer impact assessments and implement supplementary measures as necessary to ensure Personal Data protection substantially equivalent to that required in the originating jurisdiction.
6.3 Government Access Requests. Yuno shall assess any government or regulatory requests for Personal Data access. Where legally permissible and feasible, Yuno shall provide advance notice to affected Counterparties prior to disclosure. Yuno commits to challenging overly broad, unlawful, or otherwise inappropriate requests for Personal Data access to the fullest extent permitted by law, and to limiting disclosures to the absolute minimum legally required. Yuno shall maintain records of such requests and, where permitted, shall provide transparency reports to Counterparties or publicly disclose statistics on such requests.
ARTICLE 7: DATA SUBJECT RIGHTS
7.1 Rights Facilitation. Yuno shall assist Counterparties in responding to data subject requests for access, rectification, erasure, portability, restriction, and objection as required by Applicable Data Protection Laws. Such assistance shall include, but not be limited to, providing relevant Personal Data and Processing information through Yuno's API, a secure portal, or defined communication channels within 5 business days of the Counterparty's verifiable request, to enable the Counterparty to respond within the statutory timeframes.
7.2 Direct Requests to Yuno. When Yuno receives data subject requests directly, it shall forward such requests to the appropriate Counterparty's designated privacy contact via email to privacy@y.uno and security@y.uno with a clear subject line without undue delay, and in no event later than 2 business days, unless legally required to respond directly. Yuno shall not respond to direct requests without Counterparty authorization except as required by law, and in such cases, will inform the Counterparty of the response unless legally prohibited.
7.3 Automated Decision-Making. Where Yuno processes Personal Data involving automated decision-making with significant effects on data subjects, it shall implement appropriate measures to safeguard data subject rights, including providing meaningful information about the logic involved and offering human review opportunities where required.
ARTICLE 8: PERSONAL DATA BREACH MANAGEMENT
8.1 Jurisdiction-Specific Breach Notification Framework

8.2 Breach Documentation and Investigation. Yuno shall document all Personal Data breaches and cooperate fully with Partners in breach investigations. Documentation shall include facts relating to the breach, its effects, and remedial actions taken. Yuno shall preserve evidence and provide access to forensic information as reasonably requested.
8.3 Regulatory Coordination and Compliance. Partners remain primarily responsible for regulatory notifications, with Yuno providing: comprehensive incident documentation for regulatory filings, technical expert availability for authority inquiries, remediation evidence and effectiveness documentation, and ongoing cooperation with regulatory investigations.
ARTICLE 9: DATA RETENTION AND SECURE DELETION
9.1 Retention Periods. Personal Data shall be retained only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable legal, regulatory, or contractual obligations. Yuno shall delete or return Personal Data upon termination of the underlying agreement with the Counterparty unless retention is required by law.
9.2 Deletion Procedures. Upon Counterparty request or agreement termination, Yuno shall securely delete or return all Personal Data and destroy existing copies unless storage is required by applicable law. Deletion shall be carried out using industry-standard secure deletion methods, and Yuno shall provide written certification of deletion upon request.
9.3 Legal Hold Requirements. Notwithstanding general deletion obligations, both parties may retain Personal Data as necessary to comply with legal preservation requirements, pending litigation, or regulatory investigations. Any such retention shall be limited to the minimum necessary for the specified legal purpose.
9.4 Aggregated Analytics. (a) Yuno may retain and utilize aggregated, anonymized transaction patterns and performance metrics for: (i) platform optimization and fraud prevention enhancement; (ii) industry benchmarking and market research; (iii) regulatory reporting and compliance analytics; and (iv) Technology Partner performance evaluation. (b) Such aggregated data shall not identify specific Counterparties or End Users and may be retained indefinitely.
ARTICLE 10: MULTI-TIER AUDIT RIGHTS AND COMPLIANCE MONITORING
10.1 Audit Authorization. Counterparties may conduct reasonable audits of Yuno's data Processing activities to verify compliance with this DPA and Applicable Data Protection Laws. Such audits shall primarily be conducted by reviewing Yuno's most recent third-party certifications (e.g., ISO 27001, PCI DSS, SOC 2 Type II reports) and summary audit reports, which Yuno shall make available to Counterparties upon reasonable request. Direct on-site audits, either by the Counterparty or a qualified independent auditor, shall be limited to once per year unless material compliance concerns or a Personal Data Breach arises, and shall require 30 days' advance written notice.
10.2 Audit Cooperation. Yuno shall provide reasonable cooperation with authorized audits, including access to relevant documentation, system logs, and personnel relevant to data Processing activities. Audits shall be conducted during business hours, in a manner that minimizes disruption to Yuno's operations, and with strict adherence to confidentiality of Yuno's proprietary information, intellectual property, and other customers' data.
10.3 Audit Findings and Remediation. Any material compliance deficiencies identified through audits shall be addressed promptly through mutually agreed remediation plans. Costs associated with audits shall be borne by the requesting party unless material non-compliance is identified, in which case Yuno shall bear reasonable audit costs.
ARTICLE 11: LIABILITY ALLOCATION AND INDEMNIFICATION
11.1 Mutual Liability. Each party shall be liable for damages arising from its own violations of Applicable Data Protection Laws or breaches of this DPA. Neither party shall be liable for damages arising from the other party's violations or from Processing conducted in accordance with the other party's lawful instructions.
11.2 Indemnification. Each party shall indemnify and hold harmless the other party from claims, damages, and expenses arising from its own violations of data protection obligations under this DPA. Furthermore, the Counterparty shall indemnify and hold harmless Yuno from any claims, damages, or expenses arising from Yuno's Processing of Personal Data in accordance with the Counterparty's lawful instructions where such claims, damages, or expenses arise from the Counterparty's failure to comply with its obligations as Data Controller under Applicable Data Protection Laws, including but not limited to, failure to obtain proper data subject authorizations or establish a lawful Processing basis.
11.3 Limitation of Liability. Nothing in this DPA shall limit either party's liability for fraudulent acts, willful misconduct, or violations of data protection laws. For other claims, liability shall be limited as set forth in the underlying agreement with the Counterparty.
ARTICLE 12: TERM, TERMINATION, AND TRANSITION
12.1 Term. This DPA shall commence upon execution of the underlying agreement with the Counterparty and shall remain in effect for the duration of that agreement or until terminated in accordance with its terms.
12.2 Termination for Cause. Either party may terminate this DPA immediately upon written notice if the other party materially breaches its data protection obligations and fails to remedy such breach within thirty days of written notice.
12.3 Effect of Termination. Upon termination, each party shall return or securely destroy Personal Data received from the other party, subject to legal retention requirements. Provisions relating to confidentiality, liability, and dispute resolution shall survive termination.
ARTICLE 13: GOVERNING LAW AND DISPUTE RESOLUTION
13.1 Applicable Law. This DPA shall be governed by the laws of the jurisdiction specified in the underlying agreement with the Counterparty, provided that data protection obligations shall be interpreted in accordance with Applicable Data Protection Laws in the relevant jurisdictions where Personal Data is processed.
13.2 Dispute Resolution. Disputes arising under this DPA shall be resolved through the dispute resolution mechanisms specified in the underlying agreement with the Counterparty. Data protection disputes involving regulatory enforcement shall be addressed in coordination with relevant supervisory authorities.
13.3 Jurisdiction and Enforcement. The parties submit to the jurisdiction of courts in the locations specified in the underlying agreement with the Counterparty for enforcement of this DPA, while acknowledging the authority of data protection supervisory authorities in their respective jurisdictions.
ARTICLE 14: MODIFICATIONS, AMENDMENTS, AND FINAL PROVISIONS
14.1 Amendment Process. This DPA may be modified only through a written agreement signed by authorized representatives of both parties, except for updates required to maintain compliance with changes in Applicable Data Protection Laws.
14.2 Regulatory Updates. Yuno may update this DPA as necessary to comply with changes in Applicable Data Protection Laws, provided that such updates do not materially reduce the level of protection afforded to Personal Data. Counterparties shall be notified of such updates with reasonable advance notice.
14.3 Conflicting Terms. In the event of conflicts between this DPA and the Agreement, the terms of this DPA shall govern with respect to Personal Data protection matters.
ARTICLE 15: EMERGENCY PROCESSING AUTHORITY
15.1 Fraud-Prevention Override. Yuno may, without prior Counterparty consent, temporarily suspend, reroute, or modify Processing where reasonably necessary to mitigate: (a) suspected money laundering or terrorist financing; (b) payment-card fraud exceeding Card-Scheme thresholds; (c) sanctions violations; or (d) platform abuse threatening the integrity or security of the Services.
15.2 Cyber-Security Incident Response. During an actual or suspected cyber-security incident, Yuno may implement emergency technical or organisational measures, including traffic diversion, additional authentication, geographic restrictions, or temporary service limitations.
EXECUTION
This Data Processing Agreement is executed by the authorized representatives of the parties effective as of the date of execution of the Agreement.

JURISDICTIONAL ADDENDA
The following addenda address specific requirements for Personal Data Processing in various jurisdictions and form integral parts of this DPA when applicable:
Addendum A: European Union and United Kingdom GDPR Requirements
Addendum B: Brazil LGPD Requirements
Addendum C: Colombia Colombia Data Protection Requirements
Addendum D: Mexico LFPDPPP Requirements
Addendum E: Singapore PDPA Requirements
Addendum F: United States CCPA/CPRA and Multi-State Privacy Requirements
Specific addenda shall apply based on the jurisdictions where Personal Data originates or is processed, as determined by the nature of each Counterparty relationship.
YUNO DATA PROCESSING AGREEMENT - JURISDICTIONAL ADDENDA
ADDENDUM A: EUROPEAN UNION AND UNITED KINGDOM
- Responsible Yuno Entity: Smart Routing PTE. Ltd. (Singapore) acting through its European operations, unless specified differently in the order form.
- Applicable Data Protection Laws: EU General Data Protection Regulation (GDPR) 2016/679; UK General Data Protection Regulation; Data Protection Act 2018
A.1 GDPR Article 28 Compliance. This Addendum A implements the requirements of GDPR Article 28 for Processor relationships. Yuno undertakes to process Personal Data only on documented instructions from the Counterparty, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by Union or Member State law to which Yuno is subject.
A.2 Processing Activities and Legal Basis. Yuno processes Personal Data for payment orchestration services under the legal basis determined by the Counterparty. Special categories of Personal Data are not processed except where explicitly authorized and legally permitted.
A.3 Data Subject Rights Implementation. Yuno shall assist the Counterparty in responding to data subject requests within the timeframes required by GDPR Articles 12-22, including rights of access, rectification, erasure, restriction, portability, and objection. Response times shall not exceed one month, extendable by two months for complex requests.
A.4 Standard Contractual Clauses Integration. For transfers of Personal Data from the European Economic Area or United Kingdom to Yuno entities in third countries, the parties incorporate the applicable Standard Contractual Clauses (e.g., EU SCC Modules 2 or 3, UK IDTA, or UK Addendum to EU SCCs) as required by the specific Processing relationship and transfer scenario.
A.5 Data Protection Officer Coordination. Where either party has appointed a Data Protection Officer, such officer shall serve as the primary contact for data protection matters arising under this addendum. Communication protocols shall ensure timely resolution of privacy inquiries and regulatory requests.
A.6 Supervisory Authority Cooperation. Both parties commit to full cooperation with supervisory authorities in the European Union and United Kingdom, including providing information, documentation, and access as reasonably requested for regulatory investigations or audits.
ADDENDUM B: BRAZIL LGPD
- Responsible Yuno Entity: Yuno Intermediação de Serviços Ltda. (Brazil)
- Applicable Data Protection Laws: Lei Geral de Proteção de Dados (LGPD) Law 13.709/2018; Regulations from Autoridade Nacional de Proteção de Dados (ANPD)
B.1 LGPD Compliance Framework. This Addendum B ensures compliance with LGPD requirements for Processing Personal Data of Brazilian data subjects. Yuno commits to Processing Personal Data in accordance with LGPD principles of good faith, purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.
B.2 Legal Basis for Processing. Personal Data Processing under this addendum relies on the legal basis determined by the Counterparty as Data Controller. Yuno shall not process Personal Data beyond the scope of Counterparty instructions without explicit authorization.
B.3 Cross-Border Data Transfers. Personal Data of Brazilian residents may be transferred internationally using ANPD Standard Contractual Clauses per Resolution CD/ANPD nº 19/2024 (Controller-Processor and Processor-Processor modules), adequacy decisions when issued by ANPD, or other lawful transfer mechanisms. Yuno maintains documentation of all international transfers and applicable safeguards.
B.4 Data Subject Rights Under LGPD. Yuno assists Counterparties in fulfilling data subject requests under LGPD Articles 17-22, including confirmation of Processing, access to data, correction of incomplete or inaccurate data, anonymization or deletion, portability, and information about sharing with public and private entities.
B.5 ANPD Regulatory Compliance. Both parties acknowledge ANPD's regulatory authority and commit to compliance with ANPD guidance, regulations, and enforcement actions. Yuno maintains current registration with ANPD as required and provides necessary documentation for regulatory compliance.
B.6 Data Protection Impact Assessment. For high-risk Processing activities, Yuno shall conduct Data Protection Impact Assessments in accordance with ANPD guidance and share relevant findings with Counterparties to ensure comprehensive risk management.
ADDENDUM C: COLOMBIA
- Responsible Yuno Entity: Yuno Colombia S.A.S. (Colombia)
- Applicable Data Protection Laws: Law 1581 of 2012 and its regulatory decree 1377 of 2013, as well as other regulations that complement, supplement, and modify this regulatory framework (hereinafter referred to as “Colombia Data Protection Regulations”).
C.1 Colombia Data Protection Regulations Processing Framework. Yuno processes Personal Data in accordance with Colombia Data Protection Regulations principles of legality, purpose, freedom, truthfulness, transparency, access, restricted circulation, security, and confidentiality. All Processing activities serve legitimate purposes directly related to Services.
C.2 Authorization and Privacy Policies. Counterparties must obtain appropriate authorization from data subjects before transferring Personal Data to Yuno, implementing clear privacy policies meeting Colombia Data Protection Regulations requirements. Yuno assists Counterparties in developing compliant authorization mechanisms and privacy notice content.
C.3 Rights of Data Subjects (Habeas Data). Yuno supports Counterparties in fulfilling data subject rights under Colombia Data Protection Regulations, including rights to access, update, rectify, and delete Personal Data. Response procedures ensure compliance with SIC regulations and maintain comprehensive records of all rights requests.
C.4 Cross-Border Data Transfers. International transfers from Colombia comply with Colombia Data Protection Regulations requirements for adequate protection or appropriate safeguards. Yuno maintains documentation of transfer mechanisms and regularly updates adequacy assessments for recipient countries.
C.5 SIC Regulatory Compliance. Both parties acknowledge SIC's regulatory authority over Personal Data protection and maintain necessary registrations in the National Registry of Data Bases (RNBD). Yuno provides Counterparties with required information for SIC filings and regulatory compliance.
C.6 Security and Confidentiality Measures. Yuno implements comprehensive security measures meeting SIC requirements, including technical, administrative, and physical safeguards proportionate to the sensitivity and volume of Personal Data processed. Regular security assessments ensure ongoing compliance with evolving regulatory standards.
ADDENDUM D: MEXICO LFPDPPP
- Responsible Yuno Entity: Yuno Tecnologías, S.A.P.I. de C.V. (Mexico)
- Applicable Data Protection Laws: Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) as amended in 2025; Secretariat of Anti-Corruption and Good Governance regulations
D.1 LFPDPPP Processing Principles. Yuno adheres to LFPDPPP principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality, and accountability in all Personal Data Processing activities. Processing shall be limited to purposes directly related to Services.
D.2 Privacy Notice Requirements. Counterparties must provide comprehensive privacy notices to data subjects in accordance with LFPDPPP Article 15, including information about Yuno's role as Data Processor. Yuno assists Counterparties in ensuring privacy notices meet Mexican regulatory requirements and include all mandatory disclosures.
D.3 ARCO Rights Implementation. Yuno supports Counterparties in responding to data subject requests for access, rectification, cancellation, and opposition (ARCO rights) under LFPDPPP Articles 22-31. Response procedures ensure compliance with relevant regulatory authority regulations and maintain detailed records of all requests.
D.4 Cross-Border Data Transfers. International transfers of Mexican Personal Data comply with LFPDPPP Chapter VI requirements, including use of binding corporate rules, standard contractual clauses, or adequacy certifications. Yuno maintains documentation evidencing adequate protection levels for all recipient countries.
D.5 Regulatory Authority Coordination. Both parties recognize the Secretariat of Anti-Corruption and Good Governance's regulatory authority and maintain necessary registrations and compliance documentation. Yuno provides Counterparties with required information for regulatory filings and responds promptly to authority information requests.
D.6 Security Measures Compliance. Yuno implements administrative, physical, and technical security measures meeting LFPDPPP and relevant regulatory authority standards, including access controls, encryption, incident response procedures, and regular security assessments appropriate for the sensitivity of Personal Data processed.
ADDENDUM E: SINGAPORE PDPA
- Responsible Yuno Entity: Smart Routing PTE. Ltd. (Singapore)
- Applicable Data Protection Laws: Personal Data Protection Act 2012 (PDPA); Personal Data Protection Commission (PDPC) Guidelines and Regulations
E.1 PDPA Compliance Obligations. Yuno complies with PDPA obligations as a data intermediary Processing Personal Data on behalf of Counterparties. Processing activities adhere to PDPA data protection principles including consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, and transfer limitation.
E.2 Consent and Notification Requirements. Counterparties must obtain appropriate consent from data subjects or rely on other lawful grounds under PDPA Schedule 2 before transferring Personal Data to Yuno. Yuno assists Counterparties in implementing consent mechanisms and maintaining consent records as required by PDPC guidance.
E.3 Data Breach Notification Framework. Yuno implements comprehensive data breach response procedures complying with PDPA mandatory breach notification requirements. Notification to PDPC and affected data subjects follows prescribed timelines and formats, with Counterparties receiving immediate notification of any incidents affecting their data.
E.4 Cross-Border Transfer Compliance. Personal Data transfers from Singapore comply with PDPA Section 26 requirements, ensuring recipient countries provide adequate protection or implementing appropriate safeguards. Yuno maintains transfer documentation and regularly reviews adequacy assessments for recipient jurisdictions.
E.5 Data Subject Access and Correction. Yuno assists Counterparties in responding to data subject access and correction requests under PDPA Sections 21-22 within prescribed timelines. Response procedures include identity verification, scope assessment, and appropriate redaction of third-party information.
E.6 PDPC Regulatory Engagement. Both parties commit to transparent engagement with PDPC, including cooperation with investigations, compliance audits, and regulatory guidance implementation. Yuno maintains current PDPC registration and implements recommended best practices.
ADDENDUM F: UNITED STATES CCPA/CPRA AND MULTI-STATE PRIVACY
- Responsible Yuno Entity: Yuno USA, LLC (United States)
- Applicable Data Protection Laws: California Consumer Privacy Act (CCPA) as amended by California Privacy Rights Act (CPRA); California Civil Code Section 1798.100 et seq.; Virginia Consumer Data Protection Act; Colorado Privacy Act; Connecticut Data Privacy Act; and other applicable state privacy laws
F.1 Enhanced CCPA/CPRA Service Provider Obligations. Yuno acts as a service provider under CCPA/CPRA when Processing personal information on behalf of Counterparties. Yuno certifies compliance with all service provider requirements including: no selling or sharing of personal information, Processing only for specified business purposes, no retention outside business relationship, no combining with other sources except as permitted, and maintenance of appropriate security measures. The Counterparty retains audit rights and remediation authority for service provider compliance.
F.2 Consumer Rights Implementation. Yuno assists Counterparties in responding to California consumer requests for access, deletion, correction, and opt-out under CCPA/CPRA Sections 1798.100-1798.150. Response procedures include identity verification, scope assessment, and coordination with Counterparty business systems.
F.3 Categories of Personal Information. Yuno processes the following categories of personal information as defined in CCPA Section 1798.140: identifiers, commercial information, internet activity, geolocation data, and inferences drawn from personal information. Processing serves business purposes including payment Processing, fraud prevention, and service improvement.
F.4 Sensitive Personal Information Protections. For sensitive personal information as defined in CPRA Section 1798.140(ae), Yuno implements additional safeguards including enhanced security controls, limited retention periods, and restricted access controls. Processing of sensitive information requires explicit Counterparty authorization.
F.5 Multi-State Privacy Compliance. Yuno monitors developments in state privacy laws including Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and other emerging state privacy legislation, implementing necessary compliance measures as laws become effective.
F.6 Automated Decision-Making and AI Compliance. Yuno assists Counterparties in meeting automated decision-making disclosure requirements and AI-related privacy obligations as they develop across state jurisdictions.
GENERAL PROVISIONS FOR ALL ADDENDUMS
Precedence and Integration. These addenda form integral parts of the Yuno Global Data Processing Agreement and shall be applied based on the jurisdictions where Personal Data originates or is processed. In case of conflicts between addenda and the main DPA, addenda provisions shall prevail for jurisdiction-specific requirements.
Regulatory Updates. Yuno monitors regulatory developments in all applicable jurisdictions and may update addenda as necessary to maintain compliance with evolving legal requirements. Counterparties receive advance notice of material changes affecting their processing activities.
Multi-Jurisdictional Processing. Where Processing involves Personal Data from multiple jurisdictions, the most protective standards shall apply unless specific jurisdictional requirements mandate different treatment. Yuno maintains comprehensive documentation of applicable legal requirements for each Processing activity.
Effective Date. These addenda become effective simultaneously with the execution of the main Data Processing Agreement and remain in effect for the duration of the Agreement unless terminated in accordance with applicable termination provisions.
Global Privacy Officer Contact:
- Email: privacy@y.uno
- Address: Cráter 38, Jardines del Pedregal, Álvaro Obregón, Ciudad de México
- 24/7 Incident Response: security@y.uno