Data Processing Agreement

This Data Processing Agreement (hereinafter “DPA”) forms an integral part of the contract relating to the provision of DWS IQ 6 Services concluded between Lifetime Oy (trading as DWS IQ) and the Customer (hereinafter “the Contract”).

The purpose of this Data Processing Agreement is to define the conditions under which Lifetime Oy undertakes to carry out, on behalf of the Customer and for the sole purpose of the strict execution of the Contract, Personal Data Processing operations. The Parties undertake henceforth to comply with the Data Protection Regulations.

This DPA shall apply to the Services covered by the Contract for which the Customer acts as Data Controller or Data Processor and Lifetime Oy acts as Data Processor or Sub-processor, within the meaning of the GDPR.

Article 1. Definitions

In addition to the terms defined in this DPA, the following terms shall have the same meaning as in the GDPR: Personal Data, Data Processing, Data Controller, Data Processor, International Organization, Data Protection Officer, Supervisory Authority, Data Subject, Personal Data Breach.

Additional definitions:

• “Data Protection Regulation” — any applicable legislation relating to data protection and privacy, including GDPR (EU 2016/679), the Finnish Data Protection Act (1050/2018), and EEA member state data protection laws.
• “Standard Contractual Clauses” — the model clauses adopted by the European Commission per Implementing Decision (EU) 2021/914.
• “Third Country” — any country outside the EEA not recognized by the European Commission as providing adequate data protection.
• “Sub-processor” — any sub-processor engaged by Lifetime Oy processing the Customer’s data as part of the Services.
• “Platform” — the DWS IQ 6 climate intelligence and compliance platform, including the Firehorse Suite, AI orchestration services, and all related modules.
• “AI Processing” — any automated processing of Personal Data using AI models, machine learning, or large language models as part of the Services.
• “EU AI Act” — Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence.

Article 2. Description of the Data Processing

2.1 The Data Processing carried out by Lifetime Oy relates only to the types of Personal Data and categories of Data Subjects defined by the Customer under its sole responsibility.

2.2 The Customer is responsible for the choice of Services used and their compatibility with its data processing requirements.

2.3 The Customer undertakes to document in writing any instructions concerning the Data Processing operated by Lifetime Oy.

2.4 Lifetime Oy undertakes to guarantee the confidentiality of Personal Data. The obligation of confidentiality shall remain in force for five (5) years following the expiration of the Contract.

2.5 Description of Data Processing

• Subject: Customer climate compliance, industrial emissions, and operational data
• Duration: Per the Customer’s choice, subject to legal retention requirements
• Nature and purpose:
  • Climate compliance analysis and reporting (Fit for 55, ETS, CBAM, CSRD)
  • Industrial emissions data processing and monitoring
  • AI-powered document analysis and automated compliance checks
  • ESG data aggregation and reporting
  • ERP integration data synchronization
  • Multi-channel communication services (Firehorse Omnichannel)
  • Identity verification (KYA — Know Your Agent framework)
  • Automated workflow orchestration
• Categories of data: Employee contact information, industrial facility data, environmental compliance data, ERP identifiers, authentication/access logs, communication metadata, biometric verification data (where KYC/IDV is enabled)
• Categories of Data Subjects: Customers, end users, employees of the Customer and its business partners

2.6 AI-Specific Processing

Article 3. Obligations of the Data Processor

3.1 As Data Processor, Lifetime Oy undertakes to:

Article 4. Register of Data Processing

4.1 Lifetime Oy shall maintain a Data Processor register including Sub-processor details, processing categories, any Third Country transfers, and technical/organizational measures per GDPR Article 32(1).

4.2 A copy of the register shall be provided to the Customer without undue delay upon request.

Article 5. Obligations of the Customer

The Customer is solely responsible for Personal Data processed via the Services and shall comply with all applicable Data Protection Regulations, including providing information to Data Subjects, maintaining processing registers, conducting Impact Analyses, defining retention periods, and implementing its own security measures.

Article 6. Obligations Relating to Employees

Lifetime Oy shall ensure Employees access only the Personal Data strictly necessary for the Contract, are bound by confidentiality obligations, and cease all processing upon termination of their assignment.

Article 7. Sub-Processors

7.1 The Customer grants Lifetime Oy general authorization to engage Sub-processors.

7.2 Lifetime Oy shall ensure each Sub-processor provides appropriate guarantees per Data Protection Regulations. Lifetime Oy remains fully responsible for Sub-processor compliance.

7.3 The list of authorized Sub-processors is set out in Annex A. The current list is also available at dws10.com/legal-hub/sub-processors.html.

7.4 Lifetime Oy shall notify the Customer thirty (30) days in advance of any Sub-processor changes. The Customer may object if the change is contrary to Data Protection Regulations.

Article 8. Security of Data Processing

8.1 Lifetime Oy implements the following technical and organizational measures:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Confidentiality, integrity, availability and resilience of systems
• Regular testing and evaluation of security measures
• Physical security of processing locations
• Event logging, including AI system logging per EU AI Act Article 12
• JWT-based authentication with role-based access control
• Data minimization and limited data retention
• Data protection by design and by default
• Staff security awareness training

Detailed Technical and Organizational Measures (TOM) are provided in Annex B.

Article 9. Personal Data Breach

9.1 In the event of a Personal Data Breach, Lifetime Oy shall:

9.2 If complete information is not immediately available, an initial notification shall be followed by additional notifications as information becomes available.

Article 10. Rights of the Data Subjects

Lifetime Oy shall cooperate with the Customer to handle Data Subject rights requests within the timeframes required by Data Protection Regulations. Requests may be managed via the Platform or sent to privacy@lifetime.fi.

Article 11. Communication and Transfer of Personal Data

11.1 Lifetime Oy Services are located within the EU by default. Primary processing takes place in EU data centers in Finland and Germany.

11.2 Lifetime Oy shall not transfer Personal Data outside the EU without informing the Customer in advance and ensuring appropriate safeguards (Standard Contractual Clauses, supplementary measures).

11.4 AI Model Provider Transfers

Where AI Processing requires transmission to AI model providers, Lifetime Oy shall ensure appropriate GDPR Chapter V safeguards, implement data minimization and pseudonymization, and maintain a record of all AI model providers in Annex A.

Article 12. Audit

12.1 Lifetime Oy shall provide documentation to demonstrate DPA compliance upon request.

12.2 The Customer may audit security measures once per year with 30 days written notice, at its own expense.

12.3 Audit results shall be confidential and subject to a non-disclosure agreement.

Article 13. End of the Contract

13.1 Upon contract termination, Lifetime Oy shall cease all processing and delete Personal Data and copies, unless retention is required by law.

13.2 The Customer shall ensure conservation of its data prior to termination.

13.3 A data export facility shall be available for thirty (30) days following termination, after which all Customer data shall be securely deleted.

Article 14. Miscellaneous Provisions

14.1 This DPA is governed by Finnish law. Espoon käräjäoikeus (Espoo District Court) has exclusive jurisdiction.

14.2 This Agreement supersedes all prior agreements relating to Personal Data.

14.3 In case of contradiction with the Contract, this DPA takes precedence for data processing matters.

Article 15. Contact

Data Protection Officer	dpo@lifetime.fi
Privacy Team	privacy@lifetime.fi
Data Breach Notification	security@lifetime.fi
Privacy Policy	dws10.com/legal-hub/

Annex A: List of Sub-Processors

The current sub-processor list is maintained at dws10.com/legal-hub/sub-processors.html and is incorporated by reference into this DPA.

Sub-processor	Purpose	Data Location	Data Processed
Supabase Inc.	Database hosting, authentication	EU (Finland/Germany)	Platform data, user authentication
Google Cloud (Google LLC)	Cloud Run compute, AI APIs (Gemini)	EU (Finland)	Application processing, AI inference
Cloudflare Inc.	CDN, edge computing, DDoS protection	EU edge nodes	Web traffic metadata, cached content
Anthropic PBC	AI language model services (Claude)	USA*	Pseudonymized compliance analysis
Groq Inc.	AI inference acceleration	USA*	Pseudonymized AI processing
Temporal Technologies	Workflow orchestration	EU	Workflow metadata, task identifiers
Shufti Pro Limited	Identity verification (KYC/IDV)	EU only**	Biometric data, identity documents

* USA-based: Standard Contractual Clauses (SCC) and supplementary measures in place. Data minimization and pseudonymization applied before cross-border transfer.

** Shufti Pro processes biometric data (GDPR Article 9) exclusively within EU/EEA. EU-only processing confirmed March 2026.

Annex B: Technical and Organizational Measures (Summary)

Category	Measures
Access Control	RBAC, JWT authentication, MFA, Supabase Row Level Security
Encryption	AES-256 at rest, TLS 1.3 in transit, SSL/TLS database connections
Network Security	Helmet.js headers, Cloudflare WAF, VPC isolation, API rate limiting
Data Minimization	Pseudonymization before AI API calls, minimal collection, automated retention
Monitoring	Comprehensive logging, EU AI Act Article 12 decision logging, security alerting
Business Continuity	Automated backups, PITR, multi-region (Finland/Germany), documented RTO/RPO
Staff	Confidentiality agreements, data protection training, background checks
Physical	ISO 27001 certified providers (Supabase, Google Cloud), managed physical access

Annex D: DORA Compliance (Where Applicable)

This annex applies when the Customer is a financial entity subject to Regulation (EU) 2022/2554 (Digital Operational Resilience Act).

DORA Requirement (Art. 30)	DPA Coverage
Service level descriptions	Defined in Service Agreement
Data processing locations	Article 11.1, Annex A
ICT incident notification	Article 9 (48-hour notification)
Audit and inspection rights	Article 12 (annual audit)
Exit strategy and transition	Article 13.3 + 90-day transition assistance
Sub-outsourcing conditions	Article 7 (30-day advance notice)
Termination rights	Article 13 + DORA-specific termination

Exit Strategy

Upon termination, Lifetime Oy provides 90-day transition assistance including data export (JSON, CSV), API access for migration, documentation of schemas, and technical support at standard rates.

DORA Termination Rights

Financial entity Customers may terminate with immediate effect if: Lifetime Oy materially breaches DORA obligations (30-day cure), a competent authority requires it, or concentration risk assessments indicate excessive reliance.

Data Processor Entity

Signatures