OneStock Data Processing Addendum

Last updated: 3 November 2025

This Data Processing Addendum including its appendices (together, this “DPA”) forms part of the Agreement between the applicable OneStock company listed in the applicable Order Form (‘OneStock’) and the Customer identified in the corresponding Order Form (‘Customer’) referencing this DPA (the ‘Agreement’). 

This DPA is effective as of the effective date of the Agreement or at the signature of the latest Order Form by the Customer or any other electronic or mutually executed written agreement between the parties. 

  1.1 Data processing description. The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1 of this DPA.
  1.2 Scope and role. The parties acknowledge and agree that with regard to the Processing of Personal Data in providing the Services under the Agreement, Customer and/or its Affiliates is the Data Controller and OneStock is a Data Processor.
  1.3 Customer’s obligations. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of OneStock as Data Processor. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall ensure that the Customer is entitled to transfer the relevant Personal Data to OneStock so that OneStock and its Sub-processors may lawfully use, process and transfer the Personal Data in accordance with this DPA and the Agreement on Customer’s and its Affiliates’ behalf.
  1.4 OneStock’s obligations. OneStock shall Process Personal Data in accordance with the requirements of Data Protection Laws applicable to its performance under this DPA, including:
    1.4.1 OneStock will only Process Personal Data in accordance with the Agreement and this DPA. By entering into the Agreement, Customer instructs OneStock to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form and any other electronic or mutually executed written agreement, which includes updating the Platform and preventing or addressing service or technical issues; (ii) Processing initiated by Customer’s users in their use of the Platform; and (iii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. This DPA and the Agreement are the documented instructions to OneStock for the Processing of Personal Data.
    1.4.2 OneStock will treat Personal Data as confidential information and OneStock shall ensure that any person it authorized to process Personal Data has agreed to, or is under, confidentiality obligations similar to the ones OneStock committed to in the Agreement.
    1.4.3 OneStock will, upon Customer’s request and when required by Data Protection Laws, assist Customer with its obligations related to data protection impact assessments (where related to the Services, and only to the extent that Customer does not otherwise have access to the relevant information and to the extent such information is available to OneStock) and prior consultation with the supervisory authority where applicable under the EU GDPR and UK GDPR.
  2. Duration

This DPA remains in effect until the later of (i) the expiration or termination of the Agreement; and (ii) the return or deletion of Personal Data.

  3. Security
  3.1 Security. OneStock shall implement and maintain a comprehensive information security program designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, provided that such measures are appropriate to (a) the size, scope and type of OneStock’s business; (b) the amount of resources available to OneStock; (c) the type of information that OneStock will store; and (d) the need for security and confidentiality of such information (collectively, ‘OneStock Security Measures’). OneStock Security Measures are as set out in Annex 2 of this DPA. OneStock shall regularly monitor compliance with these safeguards.
  3.2 Breach notification. To the extent permitted and required by law, OneStock shall, without undue delay, notify the Customer in writing after having become reasonably aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data (‘Personal Data Breach’). Such notice will, as permitted and required by applicable Data Protection Laws, describe (a) the nature of the Personal Data Breach, including if known, the categories and approximate number of data subjects and personal data records concerned; (b) the measures OneStock has taken, or plans to take, to respond to and mitigate the Personal Data Breach; (c) any measures OneStock recommends that Customer take to address the Personal Data Breach; and (d) information related to OneStock’s point of contact with respect to the Personal Data Breach. If OneStock cannot provide all the information above in the initial notification, OneStock will provide the information to Customer as soon as it is available.
  3.3 Audit.
    3.3.1 OneStock uses external auditors to verify the adequacy of its security measures with respect to its processing of Personal Data. Such audits are performed at least once annually at OneStock’s expense by independent third-party security professionals appointed at OneStock’s discretion.
    3.3.2 Customer may request an audit of OneStock to verify OneStock’s compliance with the terms of this DPA if such an audit is required by Data Protection Laws and OneStock’s compliance cannot be demonstrated by means that are less burdensome on OneStock (including under section 3.3.1). Such audit will not be conducted more than once in any 12-month period, except where required by a competent supervisory authority, and on the basis of the following requirements: (1) Customer must notify OneStock in writing; (2) following receipt of such notice, Customer and OneStock shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer shall be responsible; (3) any audit will be subject to the confidentiality obligations set forth in the Agreement or as otherwise agreed in writing between the parties; (4) the Customer shall reimburse OneStock for any time expended for any such on-site audit at OneStock’s then-current professional services rates, which shall be made available to the Customer upon request. All reimbursement rates shall be reasonable, taking into account the resources expended by OneStock; (5) any audit must be performed during normal business hours by the Customer or the Customer’s independent, third-party auditor that is not a competitor of OneStock, and it must be limited to data relevant to Customer; (6) the Customer shall promptly notify OneStock with information regarding any non-compliance discovered during the course of an audit.
  4. Subprocessors
  4.1 Subprocessor authorization. The Customer grants a written general authorization for (a) OneStock’s affiliates to be retained as Subprocessors; and (b) OneStock to engage third party subprocessors in connection with the provision of the Services.
  4.2 Identification of Subprocessors. OneStock will maintain an up-to-date list of Subprocessors available at www.onestock-retail/en/legals/subprocessors/ (the ‘Subprocessors List’). OneStock shall update the Subprocessors List with any new and replacement Subprocessor to be appointed at least thirty (30) days prior to the date on which any new and replacement Subprocessor commences Processing Personal Data. The Subprocessors List contains a mechanism for the Customer to subscribe to notifications of new and replacement Subprocessors. The Customer may sign up to receive email notification of such changes on the Subprocessors List.
  4.3 Objections to Subprocessors. In the event Customer has an objection to such a new Subprocessor, Customer may object to OneStock’s use of a new Subprocessor by notifying OneStock promptly in writing within ten (10) days from the date on which OneStock has updated its Subprocessors List. Such notice shall explain the reasonable grounds for the objection. Upon receipt of such notice, OneStock will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If OneStock is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, within such time period, terminate immediately the applicable Order Form(s) with respect only to those Services which cannot be provided by OneStock without the use of the objected-to new Subprocessor by providing written notice to OneStock. Upon such termination, OneStock will refund Customer any pre-paid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
  4.4 Subprocessor requirements. OneStock will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. OneStock will be liable for the actions and omissions of its Subprocessors undertaken in connection with OneStock’s performance under this DPA to the same extent OneStock would be liable if performing the Services directly.
  5. Data subject requests

OneStock shall, to the extent legally permitted, promptly notify Customer if OneStock receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, OneStock shall assist Customer by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under applicable Data Protection Laws.  In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, OneStock shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent OneStock is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws.

  6. Return and destruction of data

As per the terms of the Agreement, upon termination or expiration of the Agreement, OneStock will delete or destroy all copies of the Customer Data in OneStock’s systems or otherwise in OneStock’s possession or control, unless legally prohibited. 

  7. Data transfers

Instructions. The parties agree that the transfers of Personal Data to OneStock that are subject to an applicable adequacy decision do not require a separate approved transfer mechanism. If a transfer of Personal Data to OneStock is not subject to an applicable adequacy decision (a ‘Restricted Transfer’), the Restricted Transfer is made in accordance with the following:

  1. Where a Restricted Transfer is made from the EEA or Switzerland, the SCCs are incorporated by reference into this DPA and apply to the transfer as follows:
    • Module 2 applies where the Customer is the Controller and OneStock is the Processor
    • In Clause 7 of the SCCs, the optional docking clause does not apply;
    • In Clause 9(a) of the SCCs, option 2 applies as per the terms of section 4 of this DPA;
    • In Clause 11(a) of the SCCs, the optional language does not apply;
    • In Clause 17 of the SCCs, option 1 applies with the governing law being that of France;
    • In Clause 18(b) of the SCCs, disputes will be resolved before the Courts in Toulouse, France;
    • Annex 1 of the SCCs is completed with the information in Appendix 1 of this DPA;
    • Annex 2 of the SCCs is completed with the information in Appendix 2 of this DPA;
    • Annex 3 of the SCCs is completed with the information in the Subprocessors List
  2. Where a Restricted Transfer is made from the UK, the UK Transfer Addendum is incorporated by reference into this DPA and applies to the transfer, as follows:
    • The UK Addendum is completed with the information in Section 7.1.1, the Subprocessors List, the Appendices 1 and 2 of this DPA;
    • Both ‘Importer’ and ‘Exporter’ are selected in Table 4
  3. Specific applications of the SCCs. The following terms apply to the SCCs:
    • Customer may exercise its audit rights under the SCCs as set out in Section 3.3 of this DPA
    • OneStock may appoint Subprocessors under the SCCs as set out in Section 4 of this DPA
    • With respect to Restricted Transfers made to OneStock, OneStock may neither participate in, nor permit any Subprocessor to participate in, any further Restricted Transfer unless the further Restricted Transfer is made in full compliance with Data Protection Laws and in accordance with applicable SCCs or an alternative legally compliant transfer mechanism. 
  8. Liability

This DPA shall be subject to the limitations of liability agreed between the Parties (and any reference to the liability of a party means that party and its Affiliates in aggregate) under the Agreement. 

  9. General
  9.1 With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of the following documents will prevail (in order of precedence): the SCCs; then this DPA; and then the Agreement.
  9.2 This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
  9.3 OneStock may modify this DPA where (i) the change is required to comply with Data Protection Laws; or (ii) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of OneStock’s processing of Personal Data and does not have a material adverse impact on Customer’s rights under this DPA.
  10. Definitions

Capitalised terms not otherwise defined in this DPA or the Agreement have the following meaning: 

  1. ‘Data Controller’ means the entity which determines the purposes and means of the Processing of Personal Data
  2. ‘Data Processor’ means the entity which Processes Personal Data on behalf of the Data Controller
  3. “Data Protection Laws” means all local, state, national and/or foreign law, treaties, and/or regulations, including the EU GDPR and the UK GDPR, as well as laws and regulations of Switzerland and the United States and its states, applicable to either: (i) OneStock in its role as service provider Processing data under the Agreement or (ii) Customer and its Affiliates, as the case may be
  4. ‘Data Subject’ means the identified or identifiable natural person to whom Personal Data relates
  5. “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  6. “Personal Data” means any information relating to an identified or identifiable person that has been provided by or for Customer to the Platform or collected and Processed by or for Customer through the Platform
  7. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
  8. “Standard Contractual Clauses” or ‘SCCs’ means (i) where the EU GDPR or Swiss Federal Act on Data Processing applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (‘EU SCCs’); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (‘UK SCCs’)
  9. “Subprocessor” means any Data Processor engaged by OneStock to Process Personal Data while providing the Services 
  10. “UK GDPR” means the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

DETAILS OF THE PROCESSING

  1. List of the parties
Data exporter: The Customer
Contact details: as provided in the Agreement (including the Order Form)
Data exporter role: the parties acknowledge and agree that with regard to the processing of Personal Data, the Customer is acting as the Data Controller, and OneStock as the Data Processor
Data importer: OneStock SAS
Contact details: provided in the Agreement
Data importer role: the parties acknowledge and agree that with regard to the processing of Personal Data, the Customer is acting as the Data Controller and OneStock as the Data Processor
  2. Description of the data processing and transfer
Categories of data subjects whose personal data is transferred: The Data Exporter may submit Personal Data to the Data Importer’s Platform to the extent determined and controlled by the Data Exporter, which shall be limited to personal data relating to the following categories of data subjects:
    • Employees, agents, advisors, contractors and freelancers of the data exporter who are Users of the Platform (who are natural persons)
    • Customer’s clients or visitors from an e-commerce website or from a Customer’s store
Categories of personal data transferred: The Data Exporter may submit personal data to the Data Importer’s Platform to the extent determined and controlled by the Data Exporter, which shall be limited to:
    • For Users of the Platform: User name; contact information; title; email address; IP address; phone number; postal address of their allocated store (when applicable)
    • For Customer’s clients and visitors: Order details orchestrated through the Platform: customer name; email; postal address; phone number (optional); billing and shipping information; purchase and other transaction information including status of the transaction; gift message (optional); Store’s preference (optional); Profile’s preference (optional)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None (not permitted under the Agreement)
The frequency of the transfer (i.e. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement, depending on the use of the Services by Customer
Nature of the processing: OneStock will process Personal Data in the course of providing the Services pursuant to the terms of the Agreement
Purpose(s) of the data transfer and further processing: Processing necessary for the performance of the Services pursuant to the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine the period: OneStock will process and retain Personal Data in accordance with Section 6 of this DPA (Return and Destruction of Personal Data)
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter, nature and duration of the processing shall be as specified in the Subprocessors List
  3. Competent supervisory authority
Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs:
    • In respect of the EU SCCs, means the competent supervisory authority determined in accordance with Clause 13 of the EU SCCs
    • In respect of the UK SCCs, means the UK Information Commissioner’s Office

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The technical and organizational security measures are set out in OneStock Security Terms and Conditions applicable to the Platform which are either attached to the Agreement or any other electronic or mutually executed written agreement between the Parties.