Data Processing Addendum
This Data Processing Addendum forms part of the Platform Agreement and governs the Processing of Personal Data in Customer’s use of the Services.
Last Updated: June 9, 2026
This Data Processing Addendum, including its Schedules, (“DPA”) forms part of the Platform Agreement (the “Agreement”) between Outcome and Customer and reflects the Parties’ agreement, with regard to the Processing of Personal Data in Customer’s use of the Services. In the course of providing the Services to Customer, pursuant to the Agreement, Outcome may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1. Processing of Personal Data
1.1 Customer’s Processing of Personal Data
Customer as Controller shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Outcome as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws and Regulations.
1.2 Outcome’s Processing of Personal Data
Outcome shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
1.3 Details of the Processing
i.) Subject Matter. The subject matter of the data processing under this DPA is Customer Data;
ii.) Duration. The duration of the data processing under this DPA is until the expiration or termination of the Platform Agreement in accordance with its terms;
iii.) Nature and Purpose. The purpose of the data processing under this DPA is the provision of the Services to Customer in accordance with the Platform Agreement;
iv.) Types of Personal Data. The types of Personal Data processed under this DPA include any Customer Data uploaded to the Services by Customer. Customer warrants that it will not Process any Sensitive Personal Data using the Services;
v.) Categories of Data Subjects. The data subjects may include Customer’s customers, tenants, employees, suppliers, and end users, or any other individual whose personal data Customer uploads to the Services.
1.4 Customer Instructions
Outcome shall inform Customer (i) if, in its opinion, an instruction from Customer constitutes a breach of the Data Protection Laws and Regulations and/or (ii) if Outcome is unable to follow Customer’s instructions for the Processing of Personal Data.
2. Rights Of Data Subjects
2.1 Data Subject Request
Outcome shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Outcome shall not respond to a Data Subject Request itself, except that Customer authorizes Outcome to redirect the Data Subject Request as necessary to allow Customer to respond directly.
2.2 Required Assistance
Taking into account the nature of the Processing, Outcome shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
2.3 Additional Assistance
To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Outcome shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Outcome is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Outcome’s provision of such assistance.
3. Personnel And Data Protection Officer
3.1 Confidentiality, Reliability and Limitation of Access
Outcome shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Outcome shall: i.) ensure that such confidentiality obligations survive the termination of the personnel engagement; ii.) take commercially reasonable steps to ensure the reliability of any Outcome personnel engaged in the Processing of Personal Data; and iii.) ensure that Outcome’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement, any applicable Order Form(s) and Documentation.
3.2 Data Protection Officer
Members of the Outcome Group have appointed a data protection officer. The appointed person may be reached at legal@outcomelabs.ai.
4. Sub-processors
4.1 Appointment of Sub-processors
Customer acknowledges and agrees that (a) Outcome’s Affiliates may be retained as Sub-processors; and (b) Outcome and Outcome’s Affiliates respectively may engage third-party Sub-processors to provide the Services. Outcome or an Outcome Affiliate has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in the Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
4.2 Current List of Sub-processors and Notification of New Sub-processors
The current list of Sub-processors engaged in Processing Personal Data for the performance of each applicable Service, including a description of their processing activities and countries of location, can be found as Schedule 2 below. Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data. Outcome shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data to provide the applicable Services, such notice to be provided by email and a subsequent update to the Legal webpage mentioned herein.
4.3 Objection Right for New Sub-processors
Customer may object to Outcome’s use of a new Sub-processor by notifying Outcome promptly in writing within thirty (30) days of receipt of Outcome’s notice in accordance with the mechanism set out in the above Section. If Customer objects to a new Sub-processor as permitted in the preceding sentence, Outcome will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Outcome is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Outcome without the use of the objected-to new Sub-processor by providing written notice to Outcome. Outcome will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
4.4 Liability
Outcome shall be liable for the acts and omissions of its Sub-processors to the same extent Outcome would be liable if performing the services of each Sub-processor directly under the terms of this DPA, unless otherwise set forth in the Agreement.
5. Security And Audit
5.1 Controls for the Protection of Customer Data
Outcome shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. The current technical and organizational measures can be found as Schedule 1 below. Outcome regularly monitors compliance with these measures. Outcome will not materially decrease the overall security of the Services during a subscription term.
5.2 Audit Program
Outcome shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA, including those obligations required by applicable Data Protection Laws and Regulations.
5.3 Data Protection Impact Assessment
Upon Customer’s request, Outcome shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Outcome.
6. CCPA Obligations
Customer Data may include “personal information” (as that term is defined under CCPA) that Customer uploads into the Services that is Processed by Outcome. Outcome is a “service provider” as defined in CCPA. Outcome will not i.) retain, use, or disclose Customer Data for any purpose other than providing the Services; ii.) retain, use, or disclose Customer Data outside of the direct business relationship between Outcome and Customer; iii.) sell or share Customer Data (as the terms “sell” and “share” are defined in CCPA); or iv.) combine Customer Data with personal information that Outcome has received from another Outcome customer, except as permitted under CCPA.
7. Cross-Border Transfers Of Customer Data
Outcome participates in and certifies compliance with the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (together, the “Data Transfer”). As required by the Data Transfer, Outcome will (i) provide at least the same level of privacy protection to Customer Data as is required by the Data Transfer Principles, (ii) notify Customer if Outcome makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Transfer Principles, and (iii) upon notice, take reasonable and appropriate steps to remediate unauthorized processing of Customer Data. Where the transfer of Customer Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the relevant authorities as providing an adequate level of protection for personal data according to Data Protection Laws and Regulations, Outcome agrees to process that Customer Personal Data in compliance with the applicable Standard Contractual Clauses either directly or via onward transfer to any Third Country. Customer consents to Outcome (and its Sub-processor) transferring Customer Data to a Third Country, provided that where such Processing occurs Outcome has sought a valid Data Transfer.
8. Customer Data Incident Management And Notification
Outcome maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Outcome or its Sub-processors of which Outcome becomes aware (a “Customer Data Incident”). Outcome shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as Outcome deems necessary and reasonable to remediate the cause of such a Customer Data Incident to the extent the remediation is within Outcome’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
9. Return And Deletion Of Customer Data
Outcome shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Agreement. Until Customer Data is deleted or returned, Outcome shall continue to comply with this DPA and its Schedules.
10. Termination
This DPA will continue in force until the termination of the Agreement (the “Termination Date”).
11. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Outcome, but has not signed its own Order Form with Outcome.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
“Customer Data” means what is defined in the Agreement as “Customer Data”, provided that such data is electronic data and information submitted by or for Customer to the Services. This DPA does not apply to Third Party Applications or Non-Outcome Applications as defined in the Agreement or otherwise.
“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Standard Contractual Clauses” means (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses, as applicable. For data transfers subject to UK GDPR, the parties shall incorporate the UK Addendum to the SCCs issued by the UK Information Commissioner’s Office.
“Sub-processor” means any Processor engaged by Outcome.
“Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
Schedule 1 — Security Standards
Capitalized terms not otherwise defined herein have the meanings assigned to them in the Agreement.
Information Security Program. Outcome will maintain an information security program designed to (a) enable Customer to secure Customer Data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the Services, and (c) minimize physical and logical security risks to the Services, including through regular risk assessment and testing. Outcome will designate one or more employees to coordinate and be accountable for the information security program.
Outcome’s information security program will include the following measures:
Logical Security
Access Controls. Outcome will make the Services accessible only to authorized personnel, and only as necessary to maintain and provide the Services. Outcome will maintain access controls and policies to manage authorizations for access to the Services from each network connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. Outcome will maintain access controls designed to (i) restrict unauthorized access to data, and (ii) segregate each customer’s data from other customers’ data.
Restricted User Access. Outcome will (i) provision and restrict user access to the Services in accordance with least privilege principles based on personnel job functions, (ii) require review and approval prior to provisioning access to the Services above least privilege principles, including administrator accounts, (iii) require at least quarterly review of Services access privileges and, where necessary, revoke Services access privileges in a timely manner, and (iv) require two-factor authentication for access to the Services from remote locations.
Vulnerability Assessments. Outcome will perform regular external vulnerability assessments and penetration testing of the Services, and will investigate identified issues and track them to resolution in a timely manner.
Application Security. Before publicly launching new Services or significant new features of Services, Outcome will perform application security reviews designed to identify, mitigate and remediate security risks.
Change Management. Outcome will maintain controls designed to log, authorize, test, approve and document changes to existing Services resources, and will document change details within its change management or deployment tools. Outcome will test changes according to its change management standards prior to migration to production. Outcome will maintain processes designed to detect unauthorized changes to the Services and track identified issues to a resolution.
Data Integrity. Outcome will maintain controls designed to provide data integrity during transmission, storage and processing within the Services. Outcome will provide Customer the ability to delete Customer Data from the Services.
Incident Management. Outcome will maintain corrective action plans and incident response plans to respond to potential security threats to the Services. Outcome incident response plans will have defined processes to detect, mitigate, investigate, and report security incidents. The Outcome incident response plans include incident verification, attack analysis, containment, data collection, and problem remediation.
Storage Media Decommissioning. Outcome or any Sub-processor that it uses to provide the Services will maintain a media decommissioning process that is conducted prior to final disposal of storage media used to store Customer Data. Prior to final disposal, storage media that was used to store Customer Data will be degaussed, erased, purged, physically destroyed, or otherwise sanitized in accordance with industry standard practices designed to ensure that the Customer Data cannot be retrieved from the applicable type of storage media.
Outcome Employees
Employee Security Training. Outcome will implement and maintain employee security training programs regarding Outcome information security requirements. The security awareness training programs will be reviewed and updated at least annually.
Background Checks. Where permitted by law, and to the extent available from applicable governmental authorities, Outcome will require that each employee undergo a background investigation that is reasonable and appropriate for that employee’s position and level of access to the Services.
Continued Evaluation. Outcome will conduct periodic reviews of the information security program for the Services. Outcome will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.
Schedule 2 — Sub-processors
The current list of Sub-processors engaged in Processing Personal Data for the performance of the Services, including a description of their processing activities and countries of location, is maintained in the Outcome Trust Center at trust.outcomelabs.ai. Outcome updates the Trust Center to reflect any additions to or changes in its Sub-processors in accordance with Section 4 of this DPA.
Schedule 3 — Standard Contractual Clauses
1. For purposes of this Schedule 3, “Standard Contractual Clauses” means, as the circumstances may require, the applicable module(s) of the Standard Contractual Clauses approved by the European Commission in decision 2021/914, or any subsequent versions of the Standard Contractual Clauses which may be adopted by the European Commission from time to time. Upon the effective date of adoption for any revised Standard Contractual Clauses by the European Commission, all references in this DPA to the “Standard Contractual Clauses” shall refer to that latest version thereof.
2. Pursuant to Section 7 of the DPA, where the transfer of Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the relevant authorities as providing an adequate level of protection for personal data according to Data Protection Laws and Regulations, then the Standard Contractual Clauses shall apply in accordance with this Schedule 3.
3. Incorporation of the Standard Contractual Clauses
3.1. When the Standard Contractual Clauses are the applicable transfer mechanism in accordance with Section 2 above, the parties agree that:
- 3.1.1 Clause 7 will not apply.
- 3.1.2 in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set forth in Section 4.2 of the DPA.
- 3.1.3 in Clause 11(a), the optional language will not apply.
- 3.1.4 in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland.
- 3.1.5 in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.
3.2. For purposes of Annex I, Part A of the Standard Contractual Clauses (List of Parties):
3.2.1 Data Exporter: Customer. Contact Details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive legal communications. Data Exporter Role: Data Exporter’s role is outlined in Section 1 of the DPA. Signature & Date: By entering into the Platform Agreement, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule 3 to the DPA, as of the effective date of the Platform Agreement.
3.2.2 Data Importer: NeuronX. Inc. doing business as Outcome. Contact Details: Outcome’s DPO at legal@outcomelabs.ai. Data Importer Role: Data Importer’s role is outlined in Section 1 of the DPA. Signature & Date: By entering into the Platform Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule 3 to the DPA, as of the Effective Date.
3.3. For purposes of Annex I, Part B of the Standard Contractual Clauses (Description of Transfer):
3.3.1 The categories of data subjects are described in Section 1 of the DPA.
3.3.2 The forms of Customer Personal Data transferred are described in Section 1 of the DPA.
3.3.3 The frequency of the transfer is on a continuous basis for the duration of the Platform Agreement, subject to Data Exporter's right to suspend or terminate transfers upon written notice if Data Importer fails to comply with its obligations under the Standard Contractual Clauses or if Data Exporter reasonably determines that continued transfer would violate applicable Data Protection Laws and Regulations.
3.3.4 The nature and purpose of the processing is described in Section 1 of the DPA.
3.3.5 The period of retention of Personal Data in relation to the processing will end upon termination of the Platform Agreement, except that Data Importer shall delete or return all Customer Personal Data within thirty (30) days following such termination, unless longer retention is required by applicable law, in which case Data Importer shall isolate and protect such data from further processing except as required by law.
3.3.6 For transfers to Sub-processors, the subject matter and nature of the processing is described at: Schedule 2 of this DPA. The duration of processing by Sub-processors is the same as by Data Importer. Data Importer shall ensure that all Sub-processors are subject to the same data protection obligations as set out in this DPA and the Standard Contractual Clauses, and Data Importer shall remain fully liable to Data Exporter for any Sub-processor's failure to fulfil such obligations.
3.4. For purposes of Annex I, Part C of the Standard Contractual Clauses (Competent Supervisory Authority), the competent supervisory authority/ies shall be determined in accordance with EU GDPR and Clause 13 of the Standard Contractual Clauses.
3.5. Schedule 1 of the DPA contains the information required under Annex II of the Standard Contractual Clauses (Technical and Organizational Measures).
3.6. In addition to the above stipulations, each of the following forms part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses:
3.6.1 Clause 8.9 of the Standard Contractual Clauses: Audit. Data Exporter may exercise its audit right(s) under Clause 8.9 either by instructing Data Importer to comply with the audit measures described in Section 5 of the DPA or, upon reasonable notice and no more than once per year (unless required by Data Protection Laws or following a confirmed data breach), by conducting its own audit or engaging a qualified third-party auditor to conduct an audit of Data Importer's relevant processing activities, at Data Exporter's sole expense.
3.6.2 Clause 9(c) of the Standard Contractual Clauses: Disclosure of Sub-processor agreements. The parties acknowledge that, pursuant to Sub-processor confidentiality restrictions, Data Importer may be restricted from disclosing onward Sub-processor agreements to Data Exporter in their entirety. However, Data Importer shall use commercially reasonable efforts to ensure that all Sub-processor agreements include terms that permit disclosure of the agreement to Data Exporter under appropriate confidentiality obligations. Upon the request of Data Exporter, Data Importer shall (on a confidential basis) provide either the full Sub-processor agreement or, at minimum, appropriate information regarding: (i) the Sub-processor's data processing activities; (ii) the security measures implemented; (iii) the Sub-processor's location and any cross-border data transfers; (iv) liability and indemnification provisions; and (v) data breach notification procedures.
3.6.3 Clause 12 of the Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Laws and Regulations, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Platform Agreement, except that no limitation of liability shall apply to either Party’s gross negligence or wilful misconduct. In no event shall any limitation of liability prevent either Party from recovering direct damages actually incurred as a result of a breach of the Standard Contractual Clauses.
4. Transfers of Customer Personal Data Protected by FADP
4.1. With respect to transfers of Customer Personal Data protected by FADP, the Standard Contractual Clauses will apply in accordance with Sections 2 and 3 above, with the following modifications:
- 4.1.1 any references in the Standard Contractual Clauses to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to FADP;
- 4.1.2 references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
- 4.1.3 references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.
5. Transfers of Customer Personal Data Protected by UK GDPR
With respect to transfers of Personal Data protected by UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under S119A(1) Data Protection Act 2018 (“UK Addendum”), shall apply and be incorporated by reference into this DPA, with Part 1: Tables completed in accordance with the applicable stipulations in Section 3 of this Schedule 3. Either data exporter or data importer may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the parties to amend the DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the parties are unable to come to agreement. To the extent of any conflict between Section 3 of this Schedule 3 and any mandatory clauses of the UK Addendum, the UK Addendum shall govern to the extent UK GDPR applies to the transfer.
This DPA forms part of, and is governed by, the Outcome Platform Agreement. For privacy or data protection questions, contact legal@outcomelabs.ai.