Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into by and between the customer (“Customer” or “Controller”) and Nikla Technologies AS (“Fency,” “we,” “us,” or “Processor”). This DPA supplements the Terms of Service (the “Agreement”) and reflects the parties' agreement regarding the processing of personal data in accordance with Article 28(3) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other Applicable Data Protection Law.

This DPA is effective upon Customer's acceptance of the Agreement and remains in force for the duration of the Services. By accepting the Agreement, Customer agrees to this DPA. No separate signature is required.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or in Applicable Data Protection Law.

• “Applicable Data Protection Law” means all applicable data protection and privacy laws, including the GDPR, the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”), the Swiss Federal Act on Data Protection (“Swiss FADP”), and any other applicable data protection legislation.
• “Customer Personal Data” means all Personal Data that Fency processes on behalf of Customer under the Agreement.
• “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
• “Personal Data” means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
• “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, and destruction.
• “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
• “Sensitive Personal Data” means special categories of data as defined in Article 9 of the GDPR, or equivalent categories under other Applicable Data Protection Law.
• “Services” means the services provided by Fency to Customer under the Agreement.
• “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914, as may be amended or replaced.
• “Subprocessor” means any third party engaged by Fency to process Customer Personal Data on behalf of Customer.

This DPA applies when Customer Personal Data is processed by Fency as a processor in its provision of the Services to Customer, who acts as the controller of such data.

The subject matter, nature, purpose, and duration of the processing, the types of Customer Personal Data processed, and the categories of Data Subjects are described in Exhibit A.

With respect to Customer Personal Data, Fency shall:

• Process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement and this DPA, unless required to do so by applicable law. In such case, Fency shall inform Customer of that legal requirement before processing, unless prohibited by law.
• Notify Customer without undue delay if, in Fency's opinion, an instruction from Customer infringes Applicable Data Protection Law.
• Not sell, share, or disclose Customer Personal Data to third parties for purposes of targeted advertising or any purpose other than providing the Services.
• Not retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Fency.
• Not combine Customer Personal Data with personal data received from or on behalf of other parties, except as necessary to provide the Services.
• Ensure that all personnel authorized to process Customer Personal Data are subject to appropriate contractual or statutory obligations of confidentiality.

All of Fency's subprocessors are configured to use the European Union as the primary data processing region. However, since some subprocessors are headquartered outside the European Economic Area (EEA), we cannot guarantee that Customer Personal Data will never leave the EU — for example, in connection with ancillary operations such as support access, infrastructure maintenance, or legal obligations under foreign law.

EEA Transfers

To the extent the Services involve the transfer of Customer Personal Data from the EEA to a country that does not ensure an adequate level of protection, the EU SCCs shall apply as follows:

• Module 2 (Controller-to-Processor) applies where Customer is the data exporter and Fency is the data importer.
• Clause 7: The optional docking clause shall not apply.
• Clause 9: Option 2 (general written authorization) applies, subject to the subprocessor provisions in Section 6.
• Clause 11: The optional language shall not apply.
• Clause 17 (Option 1): The SCCs shall be governed by the laws of Norway.
• Clause 18(b): Disputes shall be resolved by the courts of Norway.
• Annex I shall be completed with the information in Exhibit A.
• Annex II shall be completed with the information in Exhibit B.
• Annex III shall be completed with the information in Exhibit C.

UK Transfers

To the extent the Services involve transfers of Customer Personal Data subject to the UK GDPR, the International Data Transfer Addendum issued by the UK Information Commissioner's Office (“UK Addendum”) shall apply in conjunction with the EU SCCs as set out above.

Swiss Transfers

To the extent the Services involve transfers of Customer Personal Data subject to the Swiss FADP, the EU SCCs shall apply with the following modifications: references to “Member State” shall include Switzerland, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

Customer grants Fency a general written authorization to engage subprocessors to process Customer Personal Data in connection with the Services. The current list of subprocessors is maintained at fency.ai/subprocessors.

Fency shall enter into written agreements with each subprocessor imposing data protection obligations substantially similar to those in this DPA. Fency remains fully liable for the acts and omissions of its subprocessors as if they were Fency's own.

Fency shall notify Customer of any intended new subprocessor by updating the subprocessors page. If Customer objects on reasonable data protection grounds within 14 days of notification, the parties shall discuss the objection in good faith. If no resolution is reached, Customer may terminate the affected Services as its sole and exclusive remedy.

Customer is responsible for responding to Data Subject requests. Taking into account the nature of the processing, Fency shall provide reasonable assistance to enable Customer to fulfill such requests.

If Fency receives a Data Subject request directly, Fency shall promptly forward it to Customer and shall not respond to the Data Subject except to acknowledge receipt or refer them to Customer, unless legally compelled to do so.

Fency shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Exhibit B.

Fency shall ensure that all personnel authorized to process Customer Personal Data are subject to appropriate contractual or statutory obligations of confidentiality.

Upon becoming aware of a Security Incident, Fency shall notify Customer without undue delay. Such notification shall include, to the extent available:

• The nature of the Security Incident, including categories and approximate number of Data Subjects and records affected.
• The likely consequences of the Security Incident.
• The measures taken or proposed to address the Security Incident, including measures to mitigate its effects.

Fency shall make commercially reasonable efforts to investigate, contain, and mitigate the effects of any Security Incident and shall cooperate with Customer in fulfilling Customer's notification obligations under Applicable Data Protection Law.

Fency shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA and Applicable Data Protection Law.

Fency uses independent third-party auditors to verify its security controls. Upon written request, Fency will provide Customer with a copy of its most recent certifications or audit reports, subject to reasonable confidentiality obligations. Customer agrees that such reports shall satisfy its audit rights under Applicable Data Protection Law.

On-site inspections may only be conducted if the reports are demonstrably insufficient or if required by Applicable Data Protection Law or a competent supervisory authority. Any such inspection shall be conducted at Customer's expense, during normal business hours, and with reasonable advance notice.

Upon termination or expiration of the Agreement, or at Customer's written request, Fency shall promptly delete or return all Customer Personal Data, at Customer's choice. Fency shall certify deletion upon request.

Fency may retain Customer Personal Data only to the extent required by Applicable Data Protection Law or other applicable law. Any retained data shall continue to be protected in accordance with this DPA and shall not be processed for any other purpose.

Taking into account the nature of the processing and the information available, Fency shall provide reasonable assistance to Customer in conducting data protection impact assessments and in any prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Law.

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.

Each party is solely responsible for any fines or penalties imposed directly on it by a supervisory authority under Article 83 GDPR or equivalent provisions of Applicable Data Protection Law. However, Fency remains liable — subject to the limitations in the Agreement — for regulatory fines imposed on Customer to the extent such fines result directly from Fency's failure to comply with its obligations under this DPA or Applicable Data Protection Law.

Precedence. In the event of a conflict, the Standard Contractual Clauses prevail over this DPA, and this DPA prevails over the Agreement.

Governing law. This DPA shall be governed by and construed in accordance with the laws of Norway, unless required otherwise by Applicable Data Protection Law or the Standard Contractual Clauses.

Term. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to any ongoing obligations regarding deletion or return of Customer Personal Data.

Modifications. Fency may update this DPA from time to time to comply with Applicable Data Protection Law. Material changes will be communicated to Customer with reasonable advance notice.

Fency implements and maintains a risk-based information security program that includes administrative, technical, and physical safeguards designed to protect Customer Personal Data. These measures include, at a minimum:

1. Encryption. Encryption of data in transit (TLS) and at rest.
2. Access Controls. Role-based and least-privilege access controls. Multi-factor authentication (MFA) for administrative access. Prompt revocation of access upon personnel changes.
3. System Security and Monitoring. Logging and monitoring of systems processing Customer Personal Data. Regular vulnerability scanning and security assessments.
4. Business Continuity. Disaster recovery and business continuity planning with tested backups.
5. Secure Development. Secure software development lifecycle, including code reviews and testing.
6. Personnel Security. Security and privacy training for employees. Appropriate confidentiality obligations for all personnel with access to Customer Personal Data.
7. Physical Security. Physical and environmental security provided by Fency's infrastructure providers.

Customer authorizes Fency to engage the subprocessors listed at fency.ai/subprocessors to process Customer Personal Data in connection with the Services.

Fency enters into written agreements with each subprocessor imposing data protection obligations substantially similar to those in this DPA. Fency remains responsible for each subprocessor's compliance.

Fency will update the subprocessors page prior to authorizing any new subprocessor. If Customer objects on reasonable data protection grounds within 14 days, the parties will discuss the objection in good faith. If no resolution is reached, Customer may terminate the affected Services as its sole and exclusive remedy.