Data Processing Addendum

This Data Processing Addendum ("DPA") governs Mentara's processing of Customer Data (i) provided by Customer to Mentara through Mentara's AI Coach or any Mentara services for businesses ("AI Coach Services") or (ii) pursuant to Mentara's provision of the Mentara Coach Enterprise service for businesses (the "Mentara Coach Enterprise Services") (for purposes of this DPA, the AI Coach Services and Mentara Coach Enterprise Services are together the "Services") under the terms of the Mentara Business Terms (located at mentara.io/policies/business-terms), Enterprise Agreement, or other agreement between Customer and Mentara governing Customer's use of the Services (the "Agreement") and is hereby incorporated into the Agreement.

As a Data Processor, Mentara agrees to:

1. process Customer Data only (i) on Customer's behalf for the purpose of providing and supporting Mentara's Services (including to provide insights, reporting, analytics, and platform abuse, trust and safety monitoring); (ii) in compliance with the written instructions received from Customer; and (iii) in a manner that provides no less than the level of privacy protection required of it by Data Protection Laws;
2. promptly inform Customer in writing if Mentara cannot comply with the requirements of this DPA;
3. not provide Customer with remuneration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not "sold" (as such term is defined by the CCPA) Customer Data to Mentara;

Mentara will inform Customer if Mentara becomes aware of:

1. any legally binding request for disclosure of Customer Data by a law enforcement authority, unless Mentara is otherwise forbidden by law to inform Customer, for example to preserve the confidentiality of an investigation by law enforcement authorities;
2. any notice, inquiry or investigation by an independent public authority established by a member state pursuant to Article 51 of the GDPR (a "Supervisory Authority") with respect to Customer Data;
3. any complaint or request received directly from Customer's data subjects.

Mentara will provide reasonable assistance to Customer regarding:

1. information necessary, taking into account the nature of the processing, to respond to requests received pursuant to Data Protection Laws;
2. the investigation of any breach of Mentara's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data;
3. where appropriate, the preparation of data protection impact assessments.

If Mentara is required by Data Protection Laws to process any Customer Data for a reason other than in connection with the Agreement, Mentara will inform Customer of this requirement in advance of any such processing, unless legally prohibited.

Mentara will:

1. maintain reasonable and appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data;
2. take appropriate steps to confirm that Mentara personnel are protecting the security, privacy and confidentiality of Customer Data consistent with the requirements of this DPA;
3. notify Customer of any Personal Data Breach by Mentara, its Subprocessors, or any other third parties acting on Mentara's behalf without undue delay after Mentara becomes aware of such Personal Data Breach.

1. Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to Mentara.
2. Customer shall comply with all applicable Data Protection Laws.
3. Customer shall reasonably cooperate with Mentara to assist Mentara in performing any of its obligations with regard to any requests from Customer's data subjects.
4. Customer acknowledges and agrees that it, rather than Mentara, is responsible for certain configurations and design decisions for the services.
5. Customer shall not provide Customer Data to Mentara except through agreed mechanisms.
6. Customer shall not take any action that would render the provision of Customer Data to Mentara a "sale" under U.S. Privacy Laws.

1. Mentara Ltd. will process Customer Data provided by Customer that originates in the EEA or Switzerland.
2. Mentara Inc. will process Customer Data provided by Customer located in the UK in accordance with the EU SCCs as amended by the UK addendum.
3. For each module of the EU SCCs, where applicable:
   • The optional docking clause in Clause 7 does not apply
   • In Clause 9, Option 2 (general written authorization) applies
   • In Clause 11, the optional language does not apply
   • All square brackets in Clause 13 are hereby removed
   • In Clause 17 (Option 1), the EU SCCs will be governed by the laws of England and Wales

This DPA shall remain in effect as long as Mentara carries out Customer Data processing operations on Customer's behalf or until the termination of the Agreement. Mentara will retain Customer Data during the term of the Agreement, unless otherwise stated in the Agreement or Order Form.

Introduction

Mentara's mission is to provide AI-powered coaching and support at scale for the benefit of all founders. In accordance with this mission, Mentara maintains an information security program designed to safeguard its systems, data, and Customer Data.

To learn more about Mentara's technical and organizational security measures to protect Customer Data, see the Mentara Trust Portal at https://trust.mentara.io/ (the "Trust Portal"). The Security Measures below include the subset of the information available in the Trust Portal which applies to this DPA.

Security Measures

Corporate Identity, Authentication, and Authorization Controls

Mentara maintains industry best practices for authenticating and authorizing internal employee and service access, including the following measures:

• Single sign-on (SSO) to authenticate to third-party services used in the delivery of the Services
• Mandatory multi-factor authentication for authenticating to Mentara's identity provider
• Unique login identifiers for each user
• Established review and approval processes for access requests
• Periodic access audits
• Established procedures for promptly revoking access rights
• Established procedures for reporting and revoking compromised credentials
• Established password reset procedures

Cloud Infrastructure and Network Security

Mentara maintains industry best practices for securing and operating its cloud infrastructure, including the following measures:

• Separate production and non-production environments
• Primary backend resources are deployed behind a VPN
• The Services are routinely audited for security vulnerabilities
• Application secrets and service accounts are managed by a secrets management service
• Network security policies and firewalls are configured for least-privilege access against a pre-established set of permissible traffic flows. Non-permitted traffic flows are blocked
• Services logs are monitored for security and availability

System and Workstation Control

Mentara maintains industry best practices for securing Mentara's corporate systems, including laptops and on-premises infrastructure, including:

• Endpoint management of corporate workstations
• Endpoint management of mobile devices
• Automatic application of security configurations to workstations
• Mandatory patch management
• Maintaining appropriate security logs

Data Access Control

Mentara maintains industry best practices for preventing authorized users from accessing data beyond their authorized access rights and for preventing the unauthorized input, reading, copying, removal, modification, or disclosure of data. Such measures include:

• Employee access to the Services follows the principle of least privilege. Only employees whose job function involves supporting the delivery of Services are credentialed to the Services environment
• Customer Data submitted to the Services is only used in accordance with the terms of the DPA, Agreement, and any other applicable contractual agreements in place with Customer

Security Incident Response

Mentara maintains a security incident response plan for responding to and resolving events that compromise the confidentiality, availability, or integrity of the Services or Customer Data including the following:

• Mentara aggregates system logs for security and general observability from a range of systems to facilitate detection and response
• If Mentara becomes aware that a Personal Data Breach has occurred, Mentara will notify Customer in accordance with the DPA

Description of Transfer

• Frequency of the transfer: Continuous.
• Nature of the processing: The performance of the services described in the agreement to which this exhibit is attached.
• Purpose(s) of the data transfer and further processing: The performance of the services described in the agreement to which this exhibit is attached.
• Period for retention: During the term of the agreement
• For transfers to (sub-) processors: The performance of the services described in the agreement to which this exhibit is attached.

Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13: Information Commissioner's Office ("ICO").

As part of our commitment to maintaining the highest standards of security, Mentara also implements:

• Regular security assessments and penetration testing
• Continuous monitoring and improvement of security measures
• Employee security awareness training
• Regular updates to security policies and procedures
• Incident response drills and simulations

Mentara maintains compliance with various data protection regulations including: