Governance & Compliance Statement
Effective Date: December 1, 2025
Data Controller: Lifetime Oy
Registered Address: Laidunmaanraitti 2 A 25, 02330 Espoo, Finland
Regulatory Framework
Operations are conducted in strict accordance with applicable European Union statutes, specifically:
* General Data Protection Regulation (GDPR)
* Digital Services Act (DSA)
* NIS2 Directive (Cybersecurity)
* EU AI Act
I. Architecture & Data Sovereignty
1. Flexible Sovereignty: Public & Private Cloud
Lifetime DWS IQ is engineered to support diverse regulatory and operational requirements through two distinct deployment models:
- Public Cloud (EU Compliance): Our standard SaaS offering is hosted within the EU/EEA, strictly adhering to EU Law (GDPR, DSA, AI Act). This model ensures rapid scalability while maintaining full European regulatory compliance.
- Private Cloud (Local Sovereignty): For entities requiring strict data isolation, we deploy the "Industrial Brain" (DWS IQ) directly into your specific Google Cloud Platform (GCP) or Microsoft Azure environment. This model allows for adherence to local national laws and internal governance policies.
- Intellectual Property Protection: Regardless of deployment model, we adhere to a strict No-Training Policy. Your proprietary industrial data, knowledge bases, and operational metrics are never used to train our public foundation models.
- Sovereignty: The client retains 100% ownership and control of all data assets processed by the system.
II. Data Collection & Processing
2. Data Minimization & Collection Categories
In accordance with GDPR principles, we limit data collection strictly to what is necessary for service provision, security, and statutory compliance (e.g., Accounting Act).
- Commercial Information (B2B): Professional contact details (Name, Work Email, Phone, Billing Coordinates) necessary for contract fulfillment.
- Telemetry & Security Logs: Technical usage data required for license verification, system stability, and NIS2 security monitoring.
- Payment Verification Data: Transaction IDs and payment status (Success/Fail) received from our payment partners (PayPal, Revolut, Google Pay). We do not store raw credit card data.
- Commercial Outreach: Contact information sourced from public professional registers (e.g., LinkedIn) or direct engagement, processed under the legal basis of Legitimate Interest for relevant B2B communications.
3. Purpose of Processing
Data is processed strictly for defined operational purposes:
- Service Provisioning: Deployment, maintenance, and invoicing of the Lifetime software suite.
- Critical Communications: Delivery of security advisories, patch notes, and essential updates (NIS2/DSA requirements).
- Regulatory Support: Processing data as a processor on your instructions to facilitate your CSRD and Fit for 55 reporting obligations.
III. Security & Compliance Standards
4. Security Posture & NIS2 Alignment
As a digital service provider to essential entities (Energy, Transport, Manufacturing), Lifetime Oy aligns its security posture with the NIS2 Directive.
- Encryption Standards: Data is protected by industry-standard encryption both in transit (TLS 1.3) and at rest (AES-256).
- Identity & Access Management: We enforce strict Role-Based Access Control (RBAC) and mandatory Multi-Factor Authentication (MFA) for administrative access.
- Vulnerability Management: Continuous code scanning (via Snyk) and rapid patch management protocols.
- Incident Response: We are committed to the 24-hour early warning notification standard for significant cyber threats affecting client systems.
5. AI Transparency & Safety (EU AI Act)
Our AI deployments are governed by the transparency obligations of the EU AI Act.
- Disclosure of AI Interaction: Users interacting with agents (e.g., Firehorse Coach) will always be explicitly informed that they are communicating with an AI system.
- Generative Output & Oversight: Content generated by our systems (reports, analysis, imagery) is machine-generated. It should be reviewed by a qualified human expert before being used for legal or safety-critical decision-making.
- System Categorization: DWS IQ is designed as a decision-support tool. It is not classified as a "High-Risk AI System" under the Act, as it does not perform biometric identification or safety-critical component functions without human oversight.
IV. Operations & User Rights
6. International Data Transfers
Our primary deployment strategy prioritizes data residency within the EU/EEA. In instances where Google Cloud Platform or Microsoft Azure infrastructure facilitates transfer to the United States, such transfers are protected under the EU-US Data Privacy Framework (DPF) adequacy decision (July 2023), ensuring GDPR-equivalent data protection.
7. Digital Services Act (DSA) & Content Moderation
For users participating in "Lifetime World" community spaces, we enforce a strict, DSA-compliant content moderation policy.
- Illegal Content: Zero-tolerance policy for illegal content (including hate speech, terrorism, and CSAM). Such content is removed immediately upon detection.
- Code of Conduct: Harassment, bullying, and non-professional conduct are strictly prohibited.
- Procedural Rights: In the event of content removal, the affected user will receive a specific "Statement of Reasons." Appeals regarding moderation decisions may be directed to moderation@lifetime.fi.
8. Data Subject Rights (GDPR)
- Access & Rectification: You retain the right to request access to, correction of, or erasure of your personal data held by Lifetime Oy.
- Right to Object: You may opt out of direct marketing communications at any time via the unsubscribe link or by contacting the Controller.
9. Third-Party Technologies & Cookies
- Google Customer Reviews: To facilitate the Google Customer Reviews program, third parties (including Google) may place and read cookies on your browser or utilize web beacons to collect technical information.
- Transaction Data: Google may receive aggregated information regarding transactions conducted on this site for review verification purposes.
- User Control: You may manage, block, or delete cookies via your browser settings. Note that disabling essential cookies may impact service functionality.
V. Financial Integrity & Payments
10. Payment Processing (PayPal, Revolut, Google Pay)
To ensure the highest security for financial transactions, Lifetime Oy does not store or process your full credit card number or bank login credentials on our servers.
- Third-Party Processors: We utilize trusted global payment processors—specifically PayPal, Revolut, and Google Pay—to handle payments.
- Data Sharing: When you make a payment, strictly necessary details (transaction ID, amount, and billing reference) are shared with these providers.
- Privacy Governance: Your financial data is subject to the privacy policies and security standards of the respective processor. These entities act as independent Data Controllers for the financial transaction data they process.
11. Tax Compliance & Accounting (ALV/VAT)
- VAT Compliance: All invoices and transactions are processed in compliance with Finnish Tax Administration (Verohallinto) regulations, including appropriate Value Added Tax (Arvonlisävero / ALV) calculations based on the customer's location (EU Reverse Charge for valid B2B VAT IDs).
- Statutory Retention: In accordance with the Finnish Accounting Act (Kirjanpitolaki), we are legally required to retain accounting vouchers and transaction data for a statutory minimum period of six (6) to ten (10) years. This statutory obligation overrides requests for erasure of billing records under the GDPR.
12. Anti-Money Laundering (AML) & Sanctions
While Lifetime Oy is a software provider, we maintain a strict policy against financial crime.
* Sanctions Screening: We strictly adhere to EU Sanctions Lists and international trade embargoes. We do not engage in business with entities or individuals located in sanctioned jurisdictions or listed on EU asset freeze lists.
* Fraud Prevention: We reserve the right to suspend any transaction that triggers our internal fraud detection systems or appears suspicious under the Act on Preventing Money Laundering and Terrorist Financing.
* Identity Verification (KYC): For high-value enterprise contracts, we may request official corporate registration documentation to verify the Ultimate Beneficial Owner (UBO) of the counterparty.
VI. Contact Information
13. Contact & Governance
Data Protection Officer (DPO)
Lifetime Oy
Laidunmaanraitti 2 A 25
02330 Espoo, Finland
Designated Contacts:
* Technical & Site Security: cso@dws10.com
* Executive Controller (CEO): risto@lifetime.fi