
DATA PROCESSING ADDENDUM

Effective date: 24 June 2026

1. INTRODUCTION

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Service Terms published by Klok AD ("Processor") and applies to the processing of Personal Data by Processor on behalf of the Customer in connection with the Services.

This DPA reflects the requirements of Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

For the purposes of this DPA:

the Customer acts as the Controller of Customer Personal Data;

Klok AD acts as the Processor of Customer Personal Data.

Where the Customer acts as a processor on behalf of another controller, the Customer represents and warrants that it has sufficient authority to enter into this DPA and authorize the processing activities described herein.

Capitalized terms not defined in this DPA shall have the meanings assigned to them in the Service Terms.

2. DEFINITIONS

For the purposes of this DPA:

Applicable Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR.

Controller, Processor, Data Subject, Personal Data, Processing, and Personal Data Breach shall have the meanings assigned to them under Applicable Data Protection Laws.

Subprocessor means any third party engaged by Processor to process Personal Data on behalf of the Customer in connection with the provision of the Services.

3. SUBJECT MATTER AND DURATION OF PROCESSING

Processor shall process Customer Personal Data solely for the purposes described in this DPA and only for the duration necessary to provide the Services.

Processing shall continue for the duration of the Customer's use of the Services and any applicable retention periods described in the Service Terms.

4. NATURE AND PURPOSE OF PROCESSING

Processor processes Personal Data for the following purposes:

  • provision and operation of the Services;
  • reservation and hospitality management;
  • guest journey and guest communication services;
  • payment processing and related financial operations;
  • customer support;
  • system administration, security, maintenance and monitoring;
  • reporting and analytics;
  • execution of integrations activated by the Customer;
  • compliance with legal obligations.

The categories of Data Subjects, categories of Personal Data and processing activities are further described in Annex A.

5. PROCESSING OF PERSONAL DATA

Processor shall process Personal Data solely in accordance with:

a) the Service Terms;

b) the applicable Commercial Agreement;

c) the configurations, settings and features selected by the Customer within the Services;

d) this DPA; and

e) Applicable Data Protection Laws.

The Customer authorizes Processor to process Personal Data as necessary to provide, maintain, secure, support and improve the Services and to perform the processing activities described in this DPA.

The Customer acknowledges that the Services are provided as a standardized software-as-a-service solution and that Processor is not required to accept or implement processing requirements that are inconsistent with the Service Terms, the functionality of the Services or Applicable Data Protection Laws.

Where Processor is required by applicable law to process Personal Data other than as described in this DPA, Processor shall inform the Customer unless prohibited by law.

6. CUSTOMER-ACTIVATED INTEGRATIONS

The Services may enable the Customer to activate integrations with third-party systems and services.

Processor may provide information regarding the categories of data exchanged with such third-party systems before activation of the integration.

By activating an integration, the Customer authorizes and requests Processor to exchange the data required for the operation of the selected integration in accordance with the functionality of the Services.

Third-party systems selected and activated by the Customer are not considered Subprocessors appointed by Processor unless expressly identified as such by Processor.

The Customer remains responsible for assessing the suitability and compliance of any third-party system selected by the Customer.

7. CONFIDENTIALITY

Processor shall ensure that personnel authorized to process Personal Data:

  • are subject to appropriate confidentiality obligations;
  • receive appropriate security and privacy training;
  • access Personal Data only where necessary for their duties.

Processor shall ensure that access to Personal Data is limited in accordance with the principles of least privilege and business need-to-know.

8. SECURITY OF PROCESSING

Processor shall implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

The measures implemented by Processor are described in Annex B.

Processor may update such measures from time to time provided that the overall level of protection is not materially reduced.

Customer acknowledges that the Services include configurable security settings, access controls and user permission structures and that Customer is responsible for configuring and using such controls appropriately.

9. ASSISTANCE TO CUSTOMER

Taking into account the nature of the processing and the information available to Processor, Processor shall provide reasonable assistance to Customer in fulfilling Customer's obligations relating to:

  • requests from Data Subjects;
  • security of processing;
  • personal data breach notifications;
  • data protection impact assessments;
  • consultations with supervisory authorities where required by law.

Such assistance shall be limited to information and functionality available to Processor within the ordinary operation of the Services and shall not require Processor to develop custom functionality, provide legal advice, perform legal analysis on behalf of Customer or materially modify the Services.

Where a Data Subject submits a request directly to Processor, Processor may direct the Data Subject to the Customer.

10. PERSONAL DATA BREACHES

Processor shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

Such notification shall include available information reasonably necessary for Customer to comply with its obligations under Applicable Data Protection Laws.

11. SUBPROCESSORS

Customer authorizes Processor to engage Subprocessors as necessary for the provision, maintenance, security and support of the Services.

Processor shall maintain an up-to-date list of Subprocessors in Annex C and on its website.

Processor shall remain responsible for ensuring that any Subprocessor engaged by Processor is subject to contractual obligations providing a level of protection for Personal Data substantially equivalent to those set forth in this DPA.

12. INTERNATIONAL TRANSFERS

Processor primarily hosts and processes Customer Personal Data within the European Economic Area.

Certain Subprocessors and their affiliates may access or process Personal Data from locations outside the European Economic Area where necessary to provide support, maintenance, operational or related services.

Where required by Applicable Data Protection Laws, Processor shall ensure that appropriate safeguards are implemented for such processing.

a) where such transfer results from a third-party integration or service activated by the Customer;

b) where necessary for provision of the Services and permitted under Applicable Data Protection Laws;

c) where required by applicable law.

Where required by Applicable Data Protection Laws, Processor shall implement an appropriate transfer mechanism.

13. GOVERNMENT ACCESS REQUESTS

Where legally permitted, Processor shall use reasonable efforts to notify Customer of any legally binding request from a public authority seeking access to Customer Personal Data before disclosing such data.

Processor shall use reasonable efforts to limit any disclosure to the minimum amount of Personal Data required by law.

14. COMPLIANCE INFORMATION

Upon reasonable written request, Processor shall make available information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

Processor may satisfy such requests through the provision of policies, procedures, security documentation, compliance questionnaires or similar materials.

Any requests must be proportionate, limited in scope and not require disclosure of confidential information relating to other customers, Processor's security architecture or trade secrets.

Customer shall not have a right to conduct on-site inspections of Processor's facilities except where required by Applicable Data Protection Laws and only where the information provided by Processor is insufficient to demonstrate compliance.

15. RETENTION AND DELETION OF DATA

Customer Personal Data shall be retained, exported, and deleted in accordance with the Service Terms and the functionality of the Services.

Processor may retain Personal Data where required by law or for legitimate backup, archival, fraud prevention, security or compliance purposes.

16. ARTIFICIAL INTELLIGENCE

Processor shall not use Customer Personal Data to train publicly available or general-purpose artificial intelligence or machine learning models unless expressly authorized by Customer.

Any third-party artificial intelligence service engaged by Processor in connection with the Services shall be treated as a Subprocessor where required by Applicable Data Protection Laws.

17. LIABILITY

Any liability arising under this DPA shall be subject to the exclusions, limitations and liability provisions set forth in the Service Terms.

Nothing in this DPA shall be interpreted as expanding the liability of either party beyond that provided in the Service Terms.

18. RELATIONSHIP WITH THE SERVICE TERMS

Except as expressly modified by this DPA, the Service Terms remain unchanged and continue in full force and effect.

In the event of a conflict between this DPA and the Service Terms with respect to the processing of Personal Data, this DPA shall prevail.

ANNEX A – DESCRIPTION OF PROCESSING ACTIVITIES

A.1 Subject Matter

Provision of cloud-based hospitality management, guest journey, payment enablement, event management, communication, reporting and related services.

A.2 Nature of Processing

The processing may include:

  • collection;
  • recording;
  • organisation;
  • structuring;
  • storage;
  • retrieval;
  • consultation;
  • use;
  • disclosure by transmission;
  • alignment;
  • combination;
  • restriction;
  • deletion;
  • destruction.

A.3 Categories of Data Subjects

Processor may process Personal Data relating to:

  • hotel guests;
  • prospective guests;
  • event attendees;
  • loyalty programme participants;
  • authorized users of the Services;
  • representatives of corporate customers, event organizers and business contacts managed through the Services;
  • individuals communicating with Customer through the Services.

A.4 Categories of Personal Data

Identification Data

  • names;
  • titles;
  • nationality;
  • date of birth;
  • identification document details where entered by Customer.

Contact Details

  • email addresses;
  • telephone numbers;
  • postal addresses;
  • company information.

Reservation and Stay Data

  • reservation details;
  • arrival and departure information;
  • room assignments;
  • accommodation history;
  • preferences;
  • special requests;
  • guest profile information.

Event and Activity Data

  • event participation details;
  • meeting and event bookings;
  • activity bookings;
  • attendance records.

Communication Data

  • guest communications;
  • email correspondence;
  • support communications;
  • notes entered by Customer personnel.

Financial and Payment Data

  • invoices;
  • transaction records;
  • payment status information;
  • payment tokens;
  • masked payment card information where applicable.

Processor does not intentionally store sensitive authentication data as defined by PCI DSS.

Loyalty and Marketing Data

  • loyalty programme participation;
  • membership identifiers;
  • customer preferences;
  • communication preferences.

Support and Technical Data

  • user account information;
  • audit logs;
  • support records;
  • system usage information.

A.5 Purposes of Processing

Personal Data is processed for:

  • reservation management;
  • hospitality operations;
  • guest relationship management;
  • event management;
  • guest communications;
  • online check-in and check-out;
  • payment processing and reconciliation;
  • reporting and analytics;
  • customer support;
  • security and fraud prevention;
  • operation of customer-activated integrations;
  • compliance with legal obligations.

A.6 Duration

Personal Data shall be processed for the duration of the Services and retained in accordance with the Service Terms and applicable legal requirements.

ANNEX B – TECHNICAL AND ORGANISATIONAL MEASURES

B.1 Governance and Security Management

Processor maintains documented information security policies and procedures.

Processor designates personnel with responsibility for information security governance and oversight.

Information security policies are reviewed periodically and updated where appropriate.

Personnel receive security awareness and privacy training relevant to their responsibilities.

B.2 Access Controls

Processor implements access controls designed to ensure that access to Personal Data is granted only where required for legitimate business purposes.

Measures include:

  • role-based access controls;
  • unique user credentials;
  • password controls;
  • privileged access management;
  • periodic access reviews;
  • access restrictions based on business need-to-know principles.

Multi-factor authentication is required for personnel accessing sensitive payment-related environments and may be made available or recommended for other categories of users.

B.3 Encryption and Protection of Data

Measures include:

  • encryption of data transmitted over public networks;
  • encryption of sensitive removable media where used;
  • protection of payment-related information in accordance with PCI DSS requirements;
  • protection of cryptographic keys and authentication credentials.

B.4 Network and Infrastructure Security

Measures include:

  • network segmentation where appropriate;
  • firewall protections;
  • secure remote access controls;
  • monitoring of network activity;
  • security hardening of production environments.

B.5 Monitoring and Vulnerability Management

Measures include:

  • audit logging;
  • system monitoring;
  • security alerting;
  • vulnerability monitoring;
  • patch management processes;
  • investigation and response procedures for security incidents.

B.6 Secure Development Practices

Measures include:

  • secure software development lifecycle procedures;
  • code review processes;
  • testing prior to production release;
  • change management procedures;
  • post-deployment review processes.

B.7 Business Continuity and Recovery

Measures include:

  • backup procedures;
  • protection of backup media;
  • disaster recovery procedures;
  • restoration and recovery processes.

B.8 Personnel Security

Personnel with access to Personal Data are subject to confidentiality obligations and are required to follow Processor's security policies and procedures.

Access rights are removed or adjusted when no longer required for business purposes.

ANNEX C – SUBPROCESSORS

Processor may engage the following Subprocessors:

| Subprocessor | Purpose | Primary Processing Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting, infrastructure, storage, backup and transactional communication services; e-mail server hosting | Luxembourg, European Economic Area |
| Google Cloud EMEA Limited | BigQuery reporting data lake, Data Studio reporting, Google Workspace and Gmail | Ireland, European Economic Area |
| Adyen N.V. | Payment processing and payment enablement services | The Netherlands, European Economic Area |
| HubSpot Ireland Ltd. | Customer relationship management, customer success and customer communications | Ireland / European Economic Area |

Processor may update this Annex from time to time. The version published at the above address shall constitute the current version of Annex C.
