Data Processing Addendum

1. Parties and incorporation

This Data Processing Addendum ("DPA") forms part of the Agreement between Customer (controller) and Flagship Fintech (processor). If a separately executed DPA exists, it prevails over this template.

Processor address: Flagship Fintech, F-207 Greek Campus, 171 El Tahrir Street, Bab El Louq, Cairo Downtown 11513, Arab Republic of Egypt.

2. Subject matter and duration

Flagship processes personal data solely to provide the Services under the Agreement, for the term of the Agreement and until return or deletion per Section 10.

3. Nature and purpose of processing

Processing includes collection, storage, retrieval, use, disclosure by transmission, and deletion as required to operate ordered platform features (orchestration, gateway, switch, wallet, fraud, settlement), security monitoring, and support.

4. Categories of data subjects and data

• Customer's authorised users (staff and contractors).
• End users such as cardholders or wallet holders where the module requires it.
• Transaction and technical metadata needed to authorise, route, settle, and reconcile payments.
• Contact data submitted to support channels.

Special categories of personal data must not be submitted unless expressly agreed in writing and lawfully processed.

5. Customer instructions

Flagship processes personal data only on documented instructions from Customer (including the Agreement, product configuration, and lawful support requests), unless applicable law requires processing—in which case Flagship will inform Customer before processing unless prohibited.

6. Confidentiality and personnel

Flagship ensures persons authorised to process personal data are bound by confidentiality or are under a statutory duty of confidentiality.

7. Security

Flagship implements appropriate technical and organisational measures as described in Annex A.

8. Subprocessors

Customer authorises Flagship to engage subprocessors subject to: (a) written agreements imposing data-protection obligations substantially similar to this DPA; (b) a general subprocessor list made available to Customer plus notice of material changes at least thirty (30) days before they take effect unless urgent replacement is required for security; (c) Customer's right to object on reasonable data-protection grounds within the notice period.

9. Data subject requests

Where a data subject contacts Flagship regarding Customer-controlled data, Flagship will promptly forward the request to Customer and assist Customer as required by law, at Customer's expense where permitted.

10. Return and deletion

Upon termination, Flagship will delete or return personal data per Customer's instructions and the Agreement, except where retention is required by law. Backup copies are deleted per the schedule in Annex A.

11. Breach notification

Flagship will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, with information required under applicable law (including GDPR Articles 33 and 34 where applicable), and will cooperate on investigation and mitigation.

12. Audits and demonstrations

Upon reasonable written request, Flagship will provide information to demonstrate compliance and allow audits required by law or agreed in the Agreement, subject to confidentiality, security, and frequency limits (not more than once per year unless required by a regulator).

13. International transfers

Where personal data protected by GDPR or UK GDPR is transferred outside the EEA or UK, the parties will execute Standard Contractual Clauses (Module Two: controller to processor) and, if applicable, the UK Addendum, as specified in Annex B.

14. Records

Flagship maintains records of processing activities as required by Article 30 GDPR where applicable.

15. Liability

Liability for breach of this DPA follows the liability and cap provisions of the Agreement, except where mandatory law provides otherwise.

16. Annexes

Annex A — Security measures

• Role-based access control and least-privilege provisioning for production systems.
• Encryption in transit (TLS) for customer-facing APIs and admin interfaces.
• Encryption at rest for production databases and object storage holding Customer Data.
• Centralised logging, monitoring, and alerting for security-relevant events.
• Vulnerability management and patching on a risk-based schedule.
• Incident response procedures with defined roles and escalation paths.
• Business continuity and backup procedures; backups encrypted and retained per documented retention.
• Personnel security screening and confidentiality obligations for staff with data access.
• Vendor due diligence for subprocessors handling personal data.

Annex B — International transfers

Where Module Two EU Standard Contractual Clauses (2021/914) apply, they are incorporated by reference and executed as part of this DPA. The parties will complete Annex I and II details in the Order Form or a signed appendix. A transfer impact assessment will be conducted where required by supervisory guidance.

DPA version 1.0 — effective 16 May 2026. Execution date for a specific customer is the date of the applicable Order Form or Agreement.