Data Processing Addendum

---

Data Processing Addendum (DPA)

Effective Date: October 21, 2025

Version: v1.0

Parties and Incorporation

This Data Processing Addendum forms part of the agreement between Y Capital Partners, LLC (“Provider”) and the counterparty identified in an order form or online acceptance (“Customer”). Capitalized terms not defined here have the meanings in the Platform Use Agreement and any applicable order form (the “Agreement”). This DPA applies only when Provider processes Personal Data on behalf of Customer.

Acceptance and Deemed Execution

By accepting the Agreement, or by selecting a control indicating that Customer requires processor terms, or by submitting Inputs for which Provider processes Personal Data on Customer’s behalf under applicable law, Customer agrees to this DPA. The parties agree that this DPA, including the Standard Contractual Clauses and any addenda incorporated by reference, is validly entered into and executed electronically. No physical signatures are required. Provider’s acceptance logs are sufficient evidence of assent.

1.1 This DPA applies when Provider processes Personal Data on behalf of Customer in providing the Services under the Agreement.

1.2 Roles. For such processing, Customer is the controller and Provider is the processor under GDPR and UK GDPR, the controller and operator under Brazil’s LGPD, and the business and service provider or the controller and processor under U.S. state privacy laws, as applicable.

1.3 Exclusions. This DPA does not apply where Provider acts as an independent controller, including for Capital Partner intake data and Provider’s own operations, as described in the Privacy & AI Processing Notice.

2.1 Provider will process Personal Data only on documented instructions from Customer, including the Agreement, this DPA, and Annex I.

2.2 Provider will not sell or share Personal Data, will not process Personal Data for targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects, and will not use Personal Data to train generalized models.

2.3 Provider will not combine Personal Data with personal data obtained from another source except as permitted to provide and secure the Services or as otherwise instructed by Customer.

2.4 Provider may process Aggregated Data and De‑identified Data for service improvement, security, analytics, and reporting, provided it does not re‑identify individuals or disclose Customer Confidential Information.

Provider will ensure that persons authorized to process Personal Data are subject to confidentiality obligations and receive appropriate data protection training.

4.1 Provider will implement and maintain appropriate technical and organizational measures to protect Personal Data as described in Annex II, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.

4.2 Measures include encryption in transit and at rest, access control, least privilege, logging and monitoring, vulnerability and patch management, secure development, and business continuity.

5.1 Customer provides a general authorization for Provider to appoint Subprocessors. Current categories are listed in the Privacy & AI Processing Notice and a detailed list is available on request at privacy@ycapital.pe.

5.2 Provider will impose on Subprocessors data protection obligations no less protective than those in this DPA and remains liable for Subprocessor performance.

5.3 Provider will notify Customer of intended changes to Subprocessors that materially affect Customer Personal Data and will afford a reasonable opportunity to object on reasonable, documented data protection grounds. If the parties cannot resolve an objection, Customer may terminate the affected Services for convenience.

6.1 Data subject requests. Taking into account the nature of processing, Provider will assist Customer by appropriate technical and organizational measures to fulfill Customer’s obligation to respond to data subject requests.

6.2 DPIAs and consultations. Provider will provide information reasonably necessary to assist Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to Provider.

6.3 Records. Provider will maintain records of processing activities where required by law.

7.1 Provider will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

7.2 The notice will include, where available, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.

7.3 Provider will cooperate with Customer to investigate, mitigate, and remediate the breach and to meet any legal obligations that apply to Customer.

8.1 Upon written request, Provider will make available information reasonably necessary to demonstrate compliance with this DPA, which may include third‑party security reports or certifications where available.

8.2 If such information is insufficient, Customer may conduct an audit no more than once annually, on 30 days’ prior written notice, during normal business hours, and without disrupting Provider operations. On‑site audits may be limited to areas where Customer Personal Data is processed, will be subject to confidentiality, and will be at Customer’s expense.

8.3 If an audit reveals a material non‑compliance, Provider will promptly take corrective actions.

9.1 Upon termination or expiry of the Services, Provider will, at Customer’s choice and subject to legal retention requirements, return or delete Customer Personal Data.

9.2 Provider may retain copies in backup archives for up to 90 days, after which backup copies are overwritten in the ordinary course of business. Upon request, Provider will certify deletion.

10.1 Where Provider or a Subprocessor processes Customer Personal Data subject to GDPR outside the EEA, the parties incorporate by reference the EU Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 (the “SCCs”) as follows:

a) Module 2 (Controller to Processor) applies when Customer is a controller and Provider is a processor.

b) Module 3 (Processor to Processor) applies when Customer is a processor and Provider is a subprocessor.

c) The parties complete the SCCs as set out in Annex I and Annex II. Clause 7 (docking clause) applies. Clause 9(a) option 2 (general authorization) applies with a ten business day notice period. Clause 17 option 1 selects Irish law. Clause 18 selects the courts of Ireland, unless the parties agree otherwise in writing.

10.2 For the UK, the parties incorporate the UK ICO Addendum to the SCCs, with the tables completed by the information in Annex I and Annex II.

10.3 For Switzerland, the parties adopt the SCCs with the Swiss FDPIC adaptations, including references to the Swiss FADP.

10.4 Provider will assess transfer risks, implement supplementary measures where appropriate, and notify Customer if Provider cannot comply with the SCCs or equivalent transfer mechanisms.

When U.S. state privacy laws apply, Provider will act as a service provider or processor and will:

a) process Personal Data only for the limited and specified purposes described in Customer’s instructions, the Agreement, and this DPA,

b) not sell or share Personal Data, not process it for targeted advertising, and not combine it with other data except as permitted to provide and secure the Services,

c) comply with applicable consumer request obligations and assist Customer as required, and

d) permit reasonable assessments as required by applicable law.

These terms are intended to meet the requirements of the CPRA, CPA, VCDPA, CTDPA, UTPA, and similar laws.

Provider will notify Customer of any legally binding request from a public authority for disclosure of Customer Personal Data, unless prohibited by law. Provider will review the legality of the request, challenge overbroad requests where reasonable, and disclose only the minimum amount of information necessary to comply with the law.

13.1 Each party’s aggregate liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement.

13.2 If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict with respect to processing of Personal Data.

“Aggregated Data” means data combined with other data that does not identify a person or device.

“De‑identified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable person.

“Personal Data,” “processing,” “controller,” “processor,” and “data subject” have the meanings given in GDPR and the closest equivalent terms under other applicable laws.

“Subprocessor” means a processor engaged by Provider to process Personal Data on behalf of Customer.

“Services” has the meaning in the Agreement.

A. Parties

Data exporter: Customer, as set forth in the order form or online acceptance. Role: controller or processor.

Contact details: as provided by Customer.

Data importer: Y Capital Partners, LLC. Role: processor or subprocessor.

Contact details: privacy@ycapital.pe.

B. Description of Transfer and Processing

Subject matter: Provision of Yellowwood Services to Customer under the Agreement.

Duration: Term of the Agreement plus the deletion period in Section 9.

Nature and purpose: Hosting, storage, transformation, analysis, reporting, communications, support, security, and operations.

Categories of data subjects: Customer employees and contractors, Customer investors and advisors, and individuals whose data Customer includes in Inputs.

Categories of Personal Data: Identification and contact data, business role or affiliation, service usage metadata, and any Personal Data included by Customer in Inputs.

Special categories: Not intended and prohibited unless expressly agreed in writing.

Frequency of transfer: Continuous and as initiated by Customer.

Retention: As set out in Section 9.

Competent supervisory authority for SCCs: Irish Data Protection Commission, unless the parties agree otherwise in writing.

C. Subprocessors

A current list of key Subprocessors is available on request at privacy@ycapital.pe. Customer consents to the engagement of these Subprocessors under Section 5.

D. Transfers to the United States

Where Personal Data is transferred to the United States, the SCCs and any applicable addenda apply. Provider will implement supplementary measures where appropriate.

Provider maintains the following measures, subject to reasonable updates that do not materially lower protection:

1. Information security management with policies approved by senior management and reviewed at least annually.
    
2. Access controls including unique IDs, strong authentication, role‑based access, least privilege, and periodic access reviews.
    
3. Encryption of Personal Data in transit via TLS and at rest using industry‑standard encryption.
    
4. Secure development practices including code review, dependency management, secrets management, and separation of environments.
    
5. Network security including firewalls, segmentation, and intrusion detection or prevention where appropriate.
    
6. Logging and monitoring of security events with alerts for anomalous activity.
    
7. Vulnerability and patch management including regular scanning and timely remediation based on severity.
    
8. Business continuity and disaster recovery with regular backups and tested restoration procedures.
    
9. Personnel security including background checks where lawful and appropriate training on data protection and security.
    
10. Vendor risk management including due diligence and contractual security and privacy obligations for Subprocessors.
     
11. Data minimization and retention controls to limit Personal Data to what is necessary and to delete it when no longer needed.
     
12. Incident response plan with defined roles, escalation, customer notification, and post‑incident review.
     

References

Platform Use Agreement

Privacy & AI Processing Notice