Data Processing Addendum
11/06/2026
RoleKick Data Processing Addendum
This Data Processing Addendum (this "Agreement") forms part of the agreement between the Controller and Kick Technology Limited (together, the "Parties") and reflects the Parties' agreement with regard to the processing of Personal Data in accordance with applicable data protection laws. This Agreement applies to the Processor's provision of the RoleKick platform and related services, including AI-enabled features where used by or on behalf of the Controller.
1. Definitions
1.1 Applicable Data Protection Law means all laws and regulations applicable to the Processing of Personal Data under this Agreement, including the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, and any applicable implementing or supplementary legislation.
1.2 Applicable AI Law means Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (the "EU AI Act"), together with any applicable implementing, delegated, or supplementary EU or Member State rules, guidance, or standards, in each case to the extent applicable to the RoleKick platform, the Processor, the Controller, or the Processing under this Agreement.
1.3 AI System, General-Purpose AI Model, Provider, Deployer, High-Risk AI System, and Intended Purpose have the meanings given to those terms under Applicable AI Law.
1.4 Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach, Supervisory Authority, and Sub-processor have the meanings given in Applicable Data Protection Law.
2. Subject Matter and Duration
2.1 Subject Matter. The subject matter of the Processing is the Personal Data described in Schedule 1.
2.2 Duration. Processing shall continue for the duration of the underlying services agreement unless otherwise agreed in writing.
3. Nature and Purpose of Processing
The nature and purpose of the Processing are described in Schedule 1, including where applicable the use of AI and automated processing to provide RoleKick chat, summary, recommendation, and insight features.
4. Categories of Data Subjects and Personal Data
The categories of Data Subjects and types of Personal Data processed are set out in Schedule 1.
5. Obligations of the Controller
The Controller shall:
5.1 Ensure that it has a lawful basis for Processing Personal Data and that all required notices have been provided to Data Subjects.
5.2 Provide documented instructions to the Processor for Processing Personal Data.
5.3 Comply with its obligations under Applicable Data Protection Law and, where applicable, Applicable AI Law.
5.4 Configure RoleKick permissions, access controls, and use cases appropriately, and ensure that authorised users only use AI-enabled features in accordance with the Processor's documentation, this Agreement, and the Controller's own policies and notices.
5.5 Ensure meaningful human review and oversight of AI-generated outputs before using them to inform decisions about individuals, and not use AI-generated outputs as the sole basis for decisions that produce legal or similarly significant effects on individuals.
5.6 Not use RoleKick or AI-generated outputs for any prohibited AI practice under Applicable AI Law, or for a High-Risk AI System use case unless that use case has been expressly agreed in writing and assessed by the Parties before deployment.
5.7 Where the Controller acts as a Deployer under Applicable AI Law, ensure appropriate AI literacy, user training, worker or user notices, human oversight, input data governance, and monitoring in relation to its use of RoleKick AI-enabled features.
6. Obligations of the Processor
6A. Use of AI, Automated Processing, and EU AI Act Alignment
6A.1 The Processor may use artificial intelligence, machine learning models, automated processing techniques, and third-party AI service providers to process Personal Data strictly for the purpose of providing, maintaining, securing, supporting, and improving the RoleKick platform and related services.
6A.2 AI Act Role Allocation and Liability.
(a) Role acknowledgement. The Parties acknowledge that data protection roles under Applicable Data Protection Law and AI Act roles under Applicable AI Law are legally distinct and independently determined. Depending on the agreed services, territory, and Intended Purpose, the Processor may act as a Provider of AI Systems and the Controller may act as a Deployer. Nothing in this Agreement transfers statutory obligations that Applicable AI Law places directly on either Party as a matter of law.
(b) Processor responsibilities as Provider. Where the Processor is the Provider of an AI System used to deliver the services, the Processor shall be responsible for:
(i) ensuring the AI System meets the conformity, documentation, transparency, and risk management obligations applicable to Providers under Applicable AI Law before making that system available for the agreed Intended Purpose;
(ii) providing the Controller with the information, instructions for use, and cooperation reasonably required for the Controller to fulfil its Deployer obligations; and
(iii) bearing primary liability to the Controller for losses arising from the Processor's failure to meet Provider obligations, subject to clause 9.2.
(c) Controller responsibilities as Deployer. Where the Controller acts as a Deployer, the Controller shall be responsible for:
(i) implementing appropriate human oversight, AI literacy, user notices, and input data governance in relation to its deployment of RoleKick AI-enabled features, in accordance with the Processor's instructions for use and this Agreement;
(ii) ensuring that AI-enabled features are deployed only for the agreed Intended Purpose and not for any High-Risk AI System use case that has not been expressly agreed under clause 6A.5; and
(iii) bearing primary liability for losses arising from the Controller's use of AI-enabled features outside the agreed Intended Purpose, in contravention of the Processor's documented instructions, or in breach of the Controller's own Deployer obligations.
(d) Shared incidents. Where an AI-related loss, serious incident, or regulatory enforcement action arises from a combination of Processor and Controller conduct, the Parties shall cooperate in good faith to apportion liability proportionally to their respective contributions to the loss. Neither Party shall make admissions of liability to a third party or regulator without the other Party's prior written consent, not to be unreasonably withheld.
(e) Indemnity — prohibited practices. The Processor shall indemnify and hold harmless the Controller against any losses, fines, penalties, or regulatory sanctions imposed directly on the Controller as a result of the Processor knowingly designing or making available an AI-enabled feature for a prohibited AI practice under Applicable AI Law, as set out in clause 6A.6. This indemnity shall be subject to the cap set out in clause 9.2.
6A.3 The Processor shall maintain a documented inventory of AI-enabled RoleKick features and shall assess and document their Intended Purpose and risk classification under Applicable AI Law before making material changes to those features or making them available for a materially different use case.
6A.4 RoleKick AI-enabled features are intended to support authorised users through conversational interactions, summaries, recommendations, and insights. They are intended as decision-support tools and are not intended to make final, autonomous, or binding decisions about individuals.
6A.5 Unless expressly agreed in writing following an AI Act assessment, RoleKick AI-enabled features are not intended to be used for recruitment or selection of natural persons, decisions affecting terms of work-related relationships, promotion or termination of work-related contractual relationships, allocation of tasks based on individual behaviour or personal traits, or monitoring or evaluation of individual performance or behaviour where such use would be classified as high-risk under Applicable AI Law.
6A.6 The Processor shall not knowingly design, market, or make RoleKick available for prohibited AI practices under Applicable AI Law, including harmful manipulation, exploitation of vulnerabilities, social scoring, unlawful biometric categorisation, prohibited workplace emotion recognition, untargeted biometric scraping, or criminal offence risk prediction based solely on profiling or personality traits.
6A.7 Where a RoleKick AI-enabled feature is classified as a High-Risk AI System under Applicable AI Law for an agreed Intended Purpose, and where the Processor is the Provider of that system, the Processor shall implement the provider obligations that apply to that feature and use case before making it available for that purpose, including as applicable: risk management, data and data governance controls, technical documentation, record-keeping and logging, instructions for use, human oversight measures, accuracy, robustness and cybersecurity measures, quality management, post-market monitoring, serious incident procedures, conformity assessment, EU declaration of conformity, CE marking, and registration.
6A.8 Where the Controller is a Deployer of a High-Risk AI System, the Processor shall provide reasonable information and cooperation required for the Controller to comply with applicable deployer obligations, including information reasonably required for human oversight, input data governance, monitoring, log access, user or worker notices, impact assessments, and escalation of risks or serious incidents.
6A.9 The Processor shall design RoleKick AI-enabled features to support transparency and human oversight, including by informing users when they are interacting with AI where required, identifying AI-generated outputs where appropriate, and enabling authorised users to review, disregard, override, or independently verify AI-generated outputs before relying on them.
6A.10 The Processor shall ensure that any AI service providers engaged, including large language model or General-Purpose AI Model providers, act as Sub-processors where they process Personal Data and are subject to written agreements imposing data protection obligations equivalent to those set out in this Agreement.
6A.11 Personal Data processed using AI technologies shall not be used by the Processor or any AI service provider to train or improve general-purpose, cross-customer, or publicly available AI or machine learning models. This is an absolute restriction and may not be waived by any controller instruction, click-wrap acceptance, or default platform setting.
6A.12 The Processor shall implement appropriate technical and organisational measures to mitigate risks associated with AI and automated processing, including measures designed to reduce unauthorised disclosure, inappropriate outputs, bias, misuse of Personal Data, over-reliance on AI outputs, and use outside the agreed Intended Purpose.
6A.13 The Processor shall monitor AI-enabled features in a manner proportionate to their risk, maintain procedures for investigating material issues, and notify the Controller without undue delay where the Processor becomes aware of an AI-related incident, serious incident, or material risk that affects the Controller, Data Subjects, or the Controller's compliance obligations.
6A.14 The Processor shall provide reasonable information to the Controller, upon request, regarding the use of AI and automated processing insofar as required to enable the Controller to comply with Applicable Data Protection Law and Applicable AI Law, subject to confidentiality, security, and the protection of trade secrets and commercially sensitive information.
6A.15 The Processor shall provide no less than 30 days' written notice of material changes to AI-enabled features, AI Sub-processors, Intended Purpose, or risk classification where such changes materially affect the Processing, the Controller's use of RoleKick, or the Controller's compliance obligations.
6B. General Processor Obligations
The Processor shall:
6B.1 Process Personal Data only on documented instructions from the Controller, unless required by law to do otherwise.
6B.2 Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
6B.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures listed in Schedule 2.
6B.4 Assist the Controller, taking into account the nature of Processing, by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.
6B.5 Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, AI-related impact assessments where applicable, and prior consultation with Supervisory Authorities.
6B.6 Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach.
6B.7 At the choice of the Controller, delete or return all Personal Data within 30 days of the end of the provision of services, unless retention is required by law.
6B.8 Make available to the Controller all information necessary to demonstrate compliance with this Agreement and allow for audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations. Where the Processor holds a current SOC 2 Type II or ISO 27001 certification, it may provide the relevant report or certificate in lieu of an on-site audit, subject to the Controller's right to conduct one on-site audit per calendar year on reasonable notice.
7. Sub-processing
7.1 The Controller grants the Processor general authorisation to engage Sub-processors. A current list of approved Sub-processors, including AI service providers, is set out in Schedule 3. The Processor shall provide no less than 30 days' written notice prior to adding or replacing any Sub-processor. The Controller may object to a new Sub-processor by written notice within that period; where the Parties cannot resolve the objection, the Controller may terminate the affected services on written notice without penalty.
7.2 The Processor shall impose data protection obligations on Sub-processors equivalent to those in this Agreement.
7.3 The Processor shall remain fully liable for the performance of its Sub-processors, including any AI service providers engaged in connection with the services.
7.4 The Processor shall carry out appropriate due diligence on AI service providers used in connection with RoleKick, including appropriate checks relating to security, confidentiality, data use restrictions, and, where relevant, compliance with Applicable AI Law.
8. International Transfers
8.1 The Processor shall not transfer Personal Data outside the UK or the European Economic Area unless appropriate safeguards are in place in accordance with Applicable Data Protection Law, including (as applicable) Standard Contractual Clauses and the UK International Data Transfer Agreement or Addendum.
8.2 Where an AI service provider processes Personal Data outside the UK or European Economic Area, the Processor shall ensure that the transfer is covered by appropriate safeguards (specifying the applicable mechanism in Schedule 3) and that the AI service provider is contractually restricted from using Personal Data for unauthorised model training or unrelated purposes.
9. Liability
9.1 General cap. The aggregate liability of either Party to the other under or in connection with this Agreement, whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the total Fees paid or payable by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the claim (the "General Cap").
9.2 Data protection and AI Act carve-out. Notwithstanding clause 9.1, where liability arises from:
(a) a Personal Data Breach caused by the Processor's breach of this Agreement or Applicable Data Protection Law;
(b) unauthorised disclosure of Personal Data by an AI service provider engaged by the Processor; or
(c) a material breach by the Processor of its obligations under Applicable AI Law as Provider,
the General Cap shall be increased to one and a half times (1.5x) the total Fees paid or payable in the twelve (12) months immediately preceding the event giving rise to the claim.
9.3 Exclusions from cap. Nothing in this Agreement limits or excludes either Party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited by applicable law, including under Applicable Data Protection Law or Applicable AI Law.
9.4 Consequential loss. Neither Party shall be liable for indirect or consequential loss, loss of profit, loss of revenue, or loss of data, except that this exclusion shall not apply to losses arising directly from a Personal Data Breach or a Processor breach of Applicable Data Protection Law or Applicable AI Law.
10. Termination
10.1 This Agreement shall terminate automatically upon termination of the underlying services agreement.
11. Governing Law
11.1 This Agreement shall be governed by and construed in accordance with the laws of England and Wales.
Schedule 1 — Details of Processing
Subject Matter: Provision of the RoleKick software platform and related services, including AI-powered chat, summaries, recommendations, insights, administration, support, security, and maintenance features.
Nature of Processing: Collection, recording, organisation, structuring, storage, retrieval, consultation, analysis, automated processing, generation of AI outputs, transmission, restriction, deletion, and return of Personal Data.
Purpose of Processing: To provide, maintain, secure, support, and improve the RoleKick platform; to generate user-authorised summaries, recommendations, and insights; to support customer administration and user engagement; and to comply with contractual and legal obligations.
AI Act Intended Purpose: RoleKick AI-enabled features are intended to assist authorised users with conversational support, understanding, reflection, summaries, recommendations, and decision-support. They are not intended to make final, autonomous, or binding decisions about individuals, or to be used as the sole basis for employment, health, legal, or similarly significant decisions unless expressly agreed in writing following an AI Act assessment.
Duration: The duration of the underlying services agreement unless otherwise agreed in writing or required by law.
Categories of Data Subjects: Employees, workers, contractors, managers, administrators, customer representatives, and other authorised users.
Types of Personal Data: Name, email address, role, team, location, user-generated content, chat inputs, assessment responses, feedback, usage data, metadata, access logs, AI prompts and outputs, and support communications.
Special Categories of Data (if any): May include health, wellbeing, or other special category data as defined under Applicable Data Protection Law, depending on the services used by the Controller and the information submitted by users or configured by the Controller. Where special category data is processed, the Controller shall ensure that an appropriate Article 6 lawful basis and an applicable Article 9 condition are in place and shall notify the Processor in writing.
AI Outputs and Logs: AI-generated summaries, recommendations, insights, chat responses, system metadata, usage records, and audit logs may be processed where necessary to provide the services, maintain security, monitor performance, investigate issues, and support compliance with this Agreement.
Schedule 2 — Technical and Organisational Security Measures
Access controls, authentication, and role-based permissions, including permission-scoped generation and display of AI outputs.
Encryption at rest and in transit where appropriate.
Regular security testing, monitoring, and vulnerability management.
Incident response and breach management procedures, including escalation procedures for material AI-related issues and serious incidents, with notification to the Controller within 48 hours of awareness.
Data minimisation, retention controls, and deletion or return procedures (30-day post-termination window).
Prompt, input, and output safeguards designed to reduce inappropriate disclosure, bias, misuse, and use outside the agreed Intended Purpose.
Contractual and due diligence controls for AI service providers, including confidentiality, security, data use restrictions, and absolute prohibition on training of general-purpose or cross-customer AI models using Personal Data.
AI risk assessment, risk classification review, and documentation proportionate to the relevant AI-enabled feature and use case.
Monitoring and review of AI functionality, including review of inappropriate outputs, reported errors, security issues, and bias or fairness concerns where relevant.
User-facing transparency information, instructions, and warnings designed to support appropriate use, human oversight, and avoidance of over-reliance on AI-generated outputs.
Audit logs and records where appropriate to support security, troubleshooting, compliance, and accountability.
Schedule 3 — Approved Sub-processors
The following Sub-processors are approved as at the Effective Date. The Processor shall update this Schedule on 30 days' written notice to the Controller when adding or replacing any Sub-processor.
| Sub-Processor Name | Purpose | Processing Location | Transfer Mechanism Where Outside UK/EEA |
|---|---|---|---|
| Bubble | Core app builder: no-code platform to build UI, workflows, and integrate APIs. | United States (AWS regions such as N. Virginia and/or Oregon) | SCCs and UK transfer safeguards where applicable |
| Claude exclusively via AWS Bedrock | AI model Claude (Anthropic) accessed through AWS Bedrock. AWS is the sole processor for this activity; Anthropic has no access to data. | Frankfurt, Germany | N/A |
| Render | Self-hosted n8n orchestration layer and related Postgres database for CoachAI. | Frankfurt, Germany | EU SCCs for EU GDPR transfers and UK Addendum to the EU SCCs for UK GDPR transfers |
| n8n (via Render) | Self-hosted workflow software on the Render platform (not a direct processor). | Frankfurt, Germany | N/A |
| Nylas Notetaker (optional and customer-authorised) | Meeting transcription: auto-joins and transcribes meetings; summaries delivered via webhook. | EU (Ireland) | EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. DPF, and contractual safeguards via DPA |
| Supabase | Allows CoachAI to learn from chosen uploaded resources to give contextual responses. | Europe | N/A |
| Brave Search | Web search capability to analyse approved URLs/resources added by the organisation to provide contextual responses in CoachAI. | US (hosted on AWS) | SCCs |
| Sendgrid (Twilio) | Mail server for user notifications. | US (eastern region) | EU SCCs and UK IDTA / UK transfer terms |
| Salesforce, Inc (Slack) (optional and customer-authorised) | Customer-enabled integration with messaging channel for sending messages, reminders, and nudges to users via Slack. | US/EU regional processing (dependent on customer configuration) | SCCs |
| Microsoft Corporation (optional and customer-authorised) | Customer-enabled Microsoft and Teams integrations (Calendar, to allow users to add events such as 1:1s, and messaging channel for sending messages, reminders, and nudges to users via Teams). | US/EU regional processing (dependent on customer configuration) | SCCs |
| Google LLC (optional and customer-authorised) | Customer-enabled Google Workspace integrations (Calendar, to allow users to add events such as 1:1s, and Google Meet). | US/EU regional processing (dependent on customer configuration) | EU SCCs and UK Addendum |