Last Updated: Feb 16, 2026

Data Processing Addendum

ZEAL IO LIMITED

DATA PROCESSING ADDENDUM

UK GDPR Article 28 Compliant

Version 2.0 | Effective: January 2026

This Data Processing Addendum forms part of and is incorporated into each Zeal partnership and service agreement

DATA PROCESSING ADDENDUM

This Data Processing Addendum ("DPA") is entered into between Zeal IO Limited, a company incorporated in England and Wales under company number 11998285, whose registered office is at 85 Great Portland Street, First Floor, London, W1W 7LT, UK ("Zeal") and the counterparty to the Principal Agreement ("Partner").

This DPA supplements and forms part of any agreement between Zeal and Partner under which Personal Data is processed (the "Principal Agreement"), including but not limited to:

  • PSP Authorization Agreement
  • ZMS Controller Partnership Agreement
  • Merchant Terms of Service
  • Any Commercial Agreement incorporating the Global Partnership Terms and Conditions

This DPA shall prevail over any conflicting terms in the Principal Agreement to the extent such conflict relates to data protection matters.

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

In this DPA, unless the context otherwise requires:

"Applicable Data Protection Laws" means: (a) the UK GDPR; (b) the Data Protection Act 2018; (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"); (d) the EU GDPR (where applicable to processing activities); and (e) any other applicable data protection or privacy legislation in force from time to time, including any binding guidance or codes of practice issued by the Information Commissioner's Office ("ICO") or other relevant supervisory authority.

"Controller" has the meaning given in Article 4(7) UK GDPR.

"Cross-Merchant Loyalty Program" means a loyalty program where a Consumer's account (identified by phone number linked to card token) enables recognition and reward accumulation across multiple Merchants who have each independently enrolled the Consumer.

"Data Subject" has the meaning given in Article 4(1) UK GDPR.

"Data Subject Request" means a request from a Data Subject to exercise any of their rights under Chapter III of UK GDPR (Articles 12-23).

"EEA" means the European Economic Area.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914.

"International Data Transfer" means any transfer of Personal Data from the United Kingdom or EEA to a country or territory outside the United Kingdom or EEA (as applicable) that is not subject to an adequacy decision.

"Joint Controller Arrangement Notice" means the public-facing document setting out the essence of joint controller arrangements as required by Article 26(2) UK GDPR, available at getzeal.io/legal/joint-controller-arrangement.

"Personal Data" has the meaning given in Article 4(1) UK GDPR.

"Personal Data Breach" has the meaning given in Article 4(12) UK GDPR.

"Processing" has the meaning given in Article 4(2) UK GDPR, and "Process" and "Processed" shall be construed accordingly.

"Processor" has the meaning given in Article 4(8) UK GDPR.

"Restricted Transfer" means: (a) where UK GDPR applies, a transfer of Personal Data from the United Kingdom to a country outside the United Kingdom that is not covered by an adequacy regulation; or (b) where EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA that is not covered by an adequacy decision.

"Security Measures" means the technical and organisational measures set out in Annex 2.

"Services" means the services provided by Zeal under the Principal Agreement.

"Single-Merchant Loyalty Program" means a loyalty program operated by an individual Merchant where Consumer data and rewards are scoped exclusively to that Merchant's business.

"Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

"Sub-processor" means any Processor engaged by Zeal (or by any other Sub-processor of Zeal) to Process Personal Data on behalf of Partner in connection with this DPA.

"Supervisory Authority" means: (a) in the United Kingdom, the Information Commissioner's Office; and (b) in any EEA member state, the competent data protection authority.

"Token" means a surrogate value generated by a Payment Service Provider that replaces the Primary Account Number (PAN) for the purpose of identifying a payment card without exposing the actual card number.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the ICO under section 119A(1) of the Data Protection Act 2018 (version B1.0, in force 21 March 2022).

"UK GDPR" means the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).

1.2 Interpretation

(a) References to Articles are to Articles of UK GDPR unless otherwise stated.

(b) Terms defined in UK GDPR have the same meaning in this DPA unless otherwise defined.

(c) The Annexes form part of this DPA and have the same force and effect as if set out in the body of this DPA.

(d) In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail in respect of data protection matters.

2. SCOPE AND DATA PROCESSING ROLES

2.1 Scope of Processing

(a) This DPA applies to all Processing of Personal Data by either party in connection with the Principal Agreement.

(b) The categories of Data Subjects, types of Personal Data, purposes of Processing, and duration of Processing are set out in Annex 1 (Processing Details).

(c) Zeal shall not Process Personal Data other than as set out in Annex 1 or as otherwise instructed by Partner in writing.

2.2 Data Processing Roles - General Framework

The parties acknowledge and agree that their respective roles depend on the nature of the Processing activity:

(a) Zeal as Independent Controller

Zeal acts as an independent Controller in respect of:

  • Aggregated and anonymised analytics data derived from transaction data
  • Platform usage data and service improvement analytics
  • Data required for Zeal's own legal and regulatory compliance
  • Cross-merchant identification infrastructure (as detailed in Section 2.3)

(b) Joint Controllers

Zeal and Partner (or Merchant, as applicable) act as joint Controllers under Article 26 UK GDPR in respect of:

  • Consumer Personal Data collected at the point of sale where both parties determine purposes
  • Single-Merchant Loyalty Program data where the Merchant operates a branded programme through Zeal
  • Marketing communications where both parties have legitimate interests

Where the parties act as joint Controllers, the arrangement set out in Section 3 shall apply.

(c) Zeal as Processor

Zeal acts as Processor on behalf of Partner in respect of:

  • Merchant Data uploaded by PSPs or ZMS Controllers for deployment purposes
  • Transaction data processed solely for Partner-facing analytics and reporting
  • Any other Personal Data processed on Partner's documented instructions

Where Zeal acts as Processor, the provisions of Section 4 shall apply.

(d) Partner as Processor

Partner acts as Processor on behalf of Zeal where Partner processes Personal Data solely on Zeal's instructions, including where ZMS Controllers upload Merchant Data under Zeal's direction for platform deployment.

Where Partner acts as Processor, the provisions of Section 5 shall apply.

2.3 Cross-Merchant Loyalty Data Processing

The parties acknowledge that Zeal's platform enables Cross-Merchant Loyalty Programs where Consumers may link their phone number to card Tokens for recognition across multiple Merchants. The following provisions govern data processing roles in this context:

(a) Zeal as Independent Controller for Cross-Merchant Infrastructure

Zeal acts as Independent Controller for the cross-merchant identification infrastructure, including:

  • The card Token-to-phone number linkage infrastructure that enables Consumer recognition across Merchants
  • Cross-merchant Consumer account management via the Consumer portal at getzeal.io/account
  • The unified loyalty profile containing: phone number, name (if provided), email (if provided), and linked card Tokens
  • Cross-merchant enrollment prompts displayed at payment terminals

Lawful Basis for Cross-Merchant Infrastructure:

Consumer consent under Article 6(1)(a) UK GDPR, obtained via clear prompts at payment terminals or through the Zeal mobile application. Consent is collected at the point of phone number entry and includes clear explanation that the phone number will be linked to the Consumer's card Token for recognition at participating Merchants.

Data Minimisation Requirements:

  • Phone number entry is always optional and never required to complete a payment transaction
  • A clear "Skip" or "No Thanks" option is always presented alongside enrollment prompts
  • Consumer accounts are deleted within 30 days of account closure request
  • Linked Tokens are removed immediately upon Consumer request

(b) Merchant as Independent Controller

Each Merchant acts as Independent Controller for their own loyalty program operations, including:

  • Reward structure, points balances, and redemption rules for their business
  • Transaction data at their business locations
  • Consumer preferences specific to their business
  • Loyalty campaign design and execution for their business

The Merchant determines the purposes and means of processing for their own loyalty program. Zeal provides the technology platform but does not direct how the Merchant uses loyalty data for their own business purposes.

(c) Data Sharing Restrictions Between Merchants

DEFAULT POSITION: Transaction data and loyalty data from one Merchant is NOT shared with any other Merchant. Each Merchant's data remains isolated and accessible only to that Merchant.

The following exceptions apply:

Exception 1 - Aggregated Anonymised Benchmarking:

Zeal may use transaction data from multiple Merchants to create aggregated, anonymised benchmarking insights (e.g., 'average transaction value for coffee shops in Central London'). Such aggregated data cannot be used to identify any individual Merchant, Consumer, or transaction.

Exception 2 - Cross-Promotional Campaigns with Explicit Consent:

Where two or more Merchants wish to run a joint promotional campaign (e.g., 'Visit Café A and Restaurant B to earn bonus points'), limited Consumer data may be shared between those Merchants ONLY where:

  • A clear prompt is displayed to the Consumer explaining the specific data sharing
  • The Consumer provides active, affirmative consent (not pre-ticked boxes)
  • Only the minimum data necessary for the campaign is shared
  • The consent and its scope are recorded in Zeal's consent management system

Technical Measures for Data Isolation:

  • Role-based access control (RBAC) ensuring Merchant users can only access their own data
  • Database row-level security scoped by Merchant identifier
  • API authorization checks validating Merchant ID on every request
  • Audit logging of all data access with Merchant scope verification
  • Annual security audits verifying data isolation controls

Breach of Data Isolation Protocol:

In the event of any actual or suspected breach of data isolation between Merchants:

  • Immediate suspension of access for any compromised accounts
  • Investigation completed within 48 hours
  • Notification to affected Data Subjects and ICO within 72 hours if Personal Data Breach threshold met
  • Termination of relationship with any party responsible for intentional violation

(d) Joint Controller Arrangements for Individual Merchant Loyalty Programs

Zeal and each individual Merchant act as Joint Controllers under Article 26 UK GDPR for that specific Merchant's loyalty program. This joint controllership covers:

  • Consumer enrollment into that Merchant's loyalty program
  • Transaction observation and recording for that Merchant
  • Reward calculation and redemption for that Merchant's program
  • Consumer communications sent on behalf of that Merchant

IMPORTANT: The joint controller arrangement with each Merchant is specific to that Merchant's individual loyalty program. It does NOT extend to the cross-merchant identification infrastructure, which remains under Zeal's independent controllership as set out in Section 2.3(a).
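The Technical Measures for Data Isolation listed in Section 2.3(c) (Merchant-scoped queries, a Merchant ID check on every API request, and audit logging of each access with its scope) can be illustrated with the following added example. It is not Zeal's code and does not describe Zeal's platform: the table, column names, merchant identifiers, user names and sample rows are constructed for the illustration, and an in-memory SQLite database stands in for the production store. SQLite has no row-level security, so the Merchant scope is enforced in the data-access layer; a database-side policy would add a second, independent enforcement point. The broken variant shows the failure the controls exist to prevent: scoping the query by a merchant identifier taken from the request rather than from the authenticated session.

```python
"""Merchant-scoped data access: tenant check on every request plus audit log.

Added illustration, not Zeal's code. Assumptions: the merchant identifier
that scopes a query comes from the authenticated session (bound at login),
never from the request; any request naming another merchant is refused
and logged. Table, columns, merchant IDs, users and rows are made up.
"""
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data. The same card token appears at both merchants,
# as it would for a Consumer enrolled in a Cross-Merchant Loyalty Program,
# but each merchant may only ever read its own rows.
SAMPLE_ROWS = [
    ("M001", "tok_a1b2", 450, "2026-01-10T09:12:00Z"),
    ("M001", "tok_c3d4", 1299, "2026-01-10T09:15:00Z"),
    ("M002", "tok_a1b2", 3100, "2026-01-10T12:40:00Z"),
]


@dataclass
class Session:
    """Authenticated principal. merchant_id is bound at login, not per request."""
    user: str
    merchant_id: str


@dataclass
class AuditLog:
    """Access log recording the scope the caller holds and the scope it asked for."""
    entries: list = field(default_factory=list)

    def record(self, session, requested_merchant_id, outcome, rows=0):
        self.entries.append({
            "user": session.user,
            "scope": session.merchant_id,
            "requested": requested_merchant_id,
            "outcome": outcome,
            "rows": rows,
        })


class ScopeViolation(PermissionError):
    """Raised when a request names a merchant the session is not scoped to."""


def open_db():
    """In-memory SQLite store seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        " id INTEGER PRIMARY KEY, merchant_id TEXT NOT NULL,"
        " card_token TEXT NOT NULL, amount_pence INTEGER NOT NULL, ts TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO transactions (merchant_id, card_token, amount_pence, ts)"
        " VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def list_transactions_unsafe(conn, session, requested_merchant_id):
    """BROKEN: scopes the query by the merchant ID supplied in the request.

    Any authenticated user can read any merchant's rows simply by naming it
    (an insecure direct object reference); the session is never consulted.
    """
    cur = conn.execute(
        "SELECT card_token, amount_pence FROM transactions WHERE merchant_id = ?",
        (requested_merchant_id,),
    )
    return cur.fetchall()


def list_transactions(conn, session, requested_merchant_id, audit):
    """Hardened: the session's merchant scopes the query; the request value is
    only cross-checked against it, and every outcome is written to the audit log."""
    if requested_merchant_id != session.merchant_id:
        audit.record(session, requested_merchant_id, "denied")
        raise ScopeViolation(
            f"{session.user} (scope {session.merchant_id}) may not read "
            f"merchant {requested_merchant_id}"
        )
    cur = conn.execute(
        "SELECT card_token, amount_pence FROM transactions WHERE merchant_id = ?",
        (session.merchant_id,),  # session scope, never the request value
    )
    rows = cur.fetchall()
    audit.record(session, requested_merchant_id, "allowed", len(rows))
    return rows


def demo():
    """Show the leak in the unsafe path and the refusal in the hardened one."""
    conn = open_db()
    audit = AuditLog()
    alice = Session(user="alice@cafe-a.example", merchant_id="M001")

    leaked = list_transactions_unsafe(conn, alice, "M002")  # M002's row leaks to M001's user
    try:
        list_transactions(conn, alice, "M002", audit)
        denied = False
    except ScopeViolation:
        denied = True
    own = list_transactions(conn, alice, "M001", audit)
    return {"leaked_rows": len(leaked), "denied": denied,
            "own_rows": len(own), "audit": audit.entries}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The denied entry in the audit log is the record an annual isolation audit (and the 48-hour investigation in the Breach of Data Isolation Protocol) would look for: it names the user, the scope they hold and the scope they asked for, so an attempted cross-merchant read is evidenced even though no data left the system.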

3. JOINT CONTROLLER ARRANGEMENTS

3.1 Article 26 Arrangement

Where the parties act as joint Controllers, this Section 3 constitutes the arrangement required under Article 26 UK GDPR.

3.2 Allocation of Responsibilities

The parties allocate their respective responsibilities as follows:

Lawful basis determination
  Zeal: Responsible for Zeal's processing purposes
  Partner/Merchant: Responsible for Partner/Merchant's processing purposes

Privacy notices to Consumers
  Zeal: Provide Privacy Policy for Zeal services; provide template notices
  Partner/Merchant: Display privacy notices at point of sale; include Zeal disclosure in merchant communications

Data Subject Requests
  Zeal: Respond to requests received directly by Zeal within statutory timeframes
  Partner/Merchant: Forward requests to Zeal within 5 Business Days; assist with verification

Security measures
  Zeal: Implement measures per Annex 2 for Zeal Platform
  Partner/Merchant: Implement measures per Annex 2 for Partner/Merchant systems

Breach notification to Supervisory Authority
  Zeal: Notify ICO for breaches in Zeal's systems
  Partner/Merchant: Notify relevant authority for breaches in Partner/Merchant's systems

Breach notification to Data Subjects
  Zeal: Notify Data Subjects for Zeal-controlled data
  Partner/Merchant: Notify Data Subjects for Partner/Merchant-controlled data

DPIA
  Zeal: Conduct DPIAs for Zeal Platform processing
  Partner/Merchant: Conduct DPIAs for Partner/Merchant-specific processing

Records of processing
  Zeal: Maintain records for Zeal's processing activities
  Partner/Merchant: Maintain records for Partner/Merchant's processing activities

3.3 Contact Point for Data Subjects and Transparency

(a) Data Subjects may exercise their rights against either Controller.

(b) Zeal shall make available to Data Subjects the essence of this joint controller arrangement through its Privacy Policy and the Joint Controller Arrangement Notice.

(c) The designated contact points are:

  • Zeal: dpo@getzeal.io
  • Partner: As notified to Zeal in writing

(d) Joint Controller Transparency (Article 26(2) Compliance)

In compliance with Article 26(2) UK GDPR, which requires that the essence of joint controller arrangements be made available to Data Subjects, the parties agree to the following transparency framework:

(i) Public Joint Controller Arrangement Notice

Zeal shall publish and maintain a public-facing Joint Controller Arrangement Notice at getzeal.io/legal/joint-controller-arrangement. This notice shall include:

  • A plain language explanation of when joint controller relationships arise
  • A clear responsibility allocation table showing which party handles each obligation
  • Contact points for both Zeal and participating Merchants
  • An explanation of how Data Subjects can exercise their rights against either party
  • An explanation of how Data Subjects can exercise their rights against either party

The notice shall be written at a general public reading level without excessive legal jargon.

Responsibility Allocation to be Published:

Privacy Notices (digital)
  Zeal: ✓ Zeal Privacy Policy

Privacy Notices (in-store)
  Merchant: ✓ Point of sale signage

Consent Collection
  Zeal: ✓ Terminal/app prompts
  Merchant: ✓ Staff assistance

Responding to Access Requests
  Zeal: ✓ Within 30 days
  Merchant: ✓ Forward to Zeal within 5 days

Data Deletion
  Zeal: ✓ Technical deletion
  Merchant: ✓ Forward request to Zeal

Security of Zeal Platform
  Zeal: ✓

Security of Merchant Systems
  Merchant: ✓

Reward Fulfilment
  Merchant: ✓

Marketing Campaign Content
  Merchant: ✓ (with Zeal approval)

Breach Notification
  Zeal: ✓ Zeal systems
  Merchant: ✓ Merchant systems

(ii) Consumer Privacy Policy Integration

The Zeal Privacy Policy at getzeal.io/privacy shall clearly reference the joint controller arrangement and explain:

  • That Zeal and participating Merchants are joint controllers for individual loyalty programs
  • That Zeal is the independent controller for cross-merchant identification infrastructure
  • How Consumers can contact either party to exercise their rights

(iii) Merchant-Facing Privacy Notices

The Merchant Terms of Service (Section 5(e)) and Merchant Privacy Policy shall explain:

  • The distinction between joint controllership (for the Merchant's individual loyalty program) and Zeal's independent controllership (for cross-merchant infrastructure)
  • That Merchants remain responsible for their own data protection compliance
  • A link to the full Joint Controller Arrangement Notice

(iv) Updates to Transparency Documents

Any material changes to the joint controller arrangement or transparency documents shall be:

  • Reflected in the Joint Controller Arrangement Notice within 30 days of the change
  • Communicated to Partners and Merchants via email notification
  • Communicated to affected Data Subjects via in-app notification or email where the change materially affects their rights
  • Version history maintained with clear "Last Updated" date

3.4 Cooperation

(a) Each party shall provide reasonable assistance to the other in complying with their respective obligations under Applicable Data Protection Laws.

(b) The parties shall notify each other without undue delay of any Data Subject Request, complaint, or regulatory inquiry relating to jointly controlled Personal Data.

(c) Neither party shall respond to a Data Subject Request relating to jointly controlled data in a manner that prejudices the other party without prior consultation (except where legally required to do so).

4. ZEAL AS PROCESSOR

This Section 4 applies where Zeal Processes Personal Data as a Processor on behalf of Partner as Controller, and constitutes the written contract required under Article 28(3) UK GDPR.

4.1 Processing Instructions

(a) Zeal shall Process Personal Data only on documented instructions from Partner, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law to which Zeal is subject; in such a case, Zeal shall inform Partner of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

(b) Partner instructs Zeal to Process Personal Data to the extent necessary to provide the Services in accordance with the Principal Agreement.

(c) Partner may issue additional instructions in writing, provided such instructions are lawful and consistent with the Principal Agreement. Zeal may charge reasonable fees for compliance with instructions outside the scope of the Services.

(d) Zeal shall immediately inform Partner if, in Zeal's opinion, an instruction infringes Applicable Data Protection Laws.

4.2 Confidentiality

(a) Zeal shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(b) Zeal shall limit access to Personal Data to those personnel who require access for the performance of the Services.

4.3 Security

(a) Zeal shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

(b) The Security Measures implemented by Zeal are set out in Annex 2.

(c) Zeal shall regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the Processing.

4.4 Sub-processing

(a) Partner provides general authorisation for Zeal to engage Sub-processors, subject to the requirements of this Section 4.4.

(b) Zeal shall maintain a list of Sub-processors, which shall be made available to Partner upon request and is set out in Annex 3.

(c) Zeal shall inform Partner of any intended changes concerning the addition or replacement of Sub-processors, giving Partner the opportunity to object to such changes on reasonable grounds. Zeal shall provide at least thirty (30) days' prior written notice of any proposed Sub-processor change.

(d) If Partner objects on reasonable grounds within fourteen (14) days of receiving notice, the parties shall discuss the objection in good faith. If the parties cannot resolve the objection within a reasonable period, Partner may terminate the affected Services without penalty.

(e) Zeal shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA by way of a written contract.

(f) Zeal shall remain fully liable to Partner for the performance of Sub-processors' obligations.

4.5 Assistance with Data Subject Rights

(a) Taking into account the nature of the Processing, Zeal shall assist Partner by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Partner's obligation to respond to Data Subject Requests.

(b) Zeal shall promptly notify Partner if Zeal receives a Data Subject Request relating to Personal Data Processed under this Section 4, and shall not respond to such request except on Partner's documented instructions or as required by applicable law.

(c) Zeal shall provide reasonable assistance to Partner in responding to Data Subject Requests within the timeframes required by Applicable Data Protection Laws.

4.6 Assistance with Compliance

(a) Taking into account the nature of Processing and the information available to Zeal, Zeal shall assist Partner in ensuring compliance with the obligations pursuant to Articles 32 to 36 UK GDPR, including:

  • Implementing appropriate Security Measures
  • Notifying Personal Data Breaches to the Supervisory Authority
  • Notifying Personal Data Breaches to Data Subjects
  • Conducting data protection impact assessments
  • Prior consultation with Supervisory Authorities

(b) Zeal may charge reasonable fees for assistance beyond what is necessary for Zeal to comply with its own obligations under Applicable Data Protection Laws.

4.7 Personal Data Breach Notification

(a) Zeal shall notify Partner without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed under this Section 4.

(b) The notification shall include:

  • A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
  • The name and contact details of Zeal's data protection officer or other contact point
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects

(c) Where it is not possible to provide all information at the same time, information may be provided in phases without undue further delay.

(d) Zeal shall cooperate with Partner and take such reasonable steps as are directed by Partner to assist in the investigation, mitigation and remediation of each Personal Data Breach.

4.8 Deletion and Return

(a) Upon termination or expiry of the Principal Agreement, Zeal shall, at Partner's election:

  • Delete all Personal Data Processed under this Section 4 and certify such deletion in writing; or
  • Return all Personal Data to Partner in a commonly used, machine-readable format and delete all copies.

(b) Zeal may retain Personal Data to the extent required by applicable law, provided that Zeal:

  • Maintains the confidentiality of such Personal Data
  • Processes such Personal Data only for the purpose of compliance with the applicable legal requirement
  • Deletes such Personal Data as soon as the legal requirement expires

(c) Unless otherwise instructed by Partner, Zeal shall delete Personal Data within ninety (90) days of termination or expiry of the Principal Agreement.

4.9 Audit

(a) Zeal shall make available to Partner all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR and this DPA.

(b) Zeal shall allow for and contribute to audits, including inspections, conducted by Partner or an auditor mandated by Partner, subject to the conditions set out in Annex 2 Section 12(e).

(c) In lieu of a Partner-conducted audit, Zeal may provide:

  • Current ISO 27001 certification or SOC 2 Type II report (when available)
  • Results of independent third-party security assessments
  • Completed security questionnaires or self-assessment reports

5. PARTNER AS PROCESSOR

This Section 5 applies where Partner Processes Personal Data as a Processor on behalf of Zeal as Controller.

5.1 Processing Instructions

(a) Partner shall Process Personal Data only on documented instructions from Zeal.

(b) Partner shall immediately inform Zeal if, in Partner's opinion, an instruction infringes Applicable Data Protection Laws.

5.2 Partner Obligations

Partner shall:

(a) Ensure that persons authorised to Process Personal Data are bound by confidentiality obligations;

(b) Implement appropriate technical and organisational security measures in accordance with Annex 2;

(c) Not engage Sub-processors without Zeal's prior written consent;

(d) Assist Zeal in responding to Data Subject Requests;

(e) Assist Zeal in ensuring compliance with Articles 32-36 UK GDPR;

(f) Notify Zeal without undue delay (and in any event within twenty-four (24) hours) of any Personal Data Breach;

(g) Delete or return Personal Data upon termination as directed by Zeal;

(h) Make available information necessary to demonstrate compliance and allow for audits.

6. INTERNATIONAL DATA TRANSFERS

6.1 General Restriction

(a) Neither party shall make a Restricted Transfer unless such transfer is made in compliance with Applicable Data Protection Laws.

(b) For the avoidance of doubt, a transfer to a country or territory covered by an adequacy decision (where EU GDPR applies) or an adequacy regulation (where UK GDPR applies) does not constitute a Restricted Transfer; this includes transfers from the EEA to the United Kingdom and transfers from the United Kingdom to the EEA.

6.2 Transfer Mechanisms

Where a Restricted Transfer is made, it shall be subject to appropriate safeguards, which may include:

(a) Standard Contractual Clauses: The parties agree that where EU SCCs are required, they shall be deemed incorporated and executed as follows:

  • Module One (Controller to Controller): For transfers between Zeal and Partner as independent Controllers
  • Module Two (Controller to Processor): For transfers from Partner (as Controller) to Zeal (as Processor)
  • Module Three (Processor to Processor): For transfers between Processors
  • Module Four (Processor to Controller): For transfers from Zeal (as Processor) to Partner (as Controller)

(b) UK International Data Transfer Addendum: For Restricted Transfers from the United Kingdom, the UK Addendum shall be deemed incorporated and completed as set out in Annex 4.

(c) Binding Corporate Rules: Where either party has approved Binding Corporate Rules, such rules may be used for intra-group transfers.

(d) Other Mechanisms: Any other transfer mechanism approved under Applicable Data Protection Laws.

6.3 Transfer Impact Assessment

(a) Before making any Restricted Transfer, the transferring party shall conduct a transfer impact assessment to evaluate whether the laws and practices in the destination country ensure an adequate level of protection.

(b) Where the assessment identifies risks, the transferring party shall implement supplementary measures to address those risks.

(c) The parties shall cooperate in conducting transfer impact assessments and implementing supplementary measures.

6.4 Zeal Sub-processor Locations

(a) Zeal's current Sub-processors and their locations are set out in Annex 3.

(b) Zeal shall ensure that all Restricted Transfers to Sub-processors are subject to appropriate safeguards.

7. GENERAL PROVISIONS

7.1 Term

(a) This DPA shall commence on the Effective Date of the Principal Agreement and shall continue in force until the later of:

  • Termination or expiry of the Principal Agreement; or
  • Deletion of all Personal Data by Zeal in accordance with this DPA.

(b) The obligations in Sections 4.7 (Personal Data Breach Notification), 4.8 (Deletion and Return), 4.9 (Audit), and Section 6 (International Data Transfers) shall survive termination or expiry of this DPA.

7.2 Liability

(a) Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the Principal Agreement.

(b) Nothing in this Section 7.2 shall limit or exclude either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any liability that cannot be limited or excluded by Applicable Data Protection Laws
  • Fines imposed by a Supervisory Authority on a party directly

(c) Each party shall be liable for its own regulatory fines. Where a fine is imposed on one party as a result of the other party's breach of this DPA, the breaching party shall indemnify the other party in respect of that fine.

7.3 No Variation

This DPA may only be varied by written agreement signed by authorised representatives of both parties.

7.4 Governing Law and Jurisdiction

(a) This DPA shall be governed by and construed in accordance with the laws of England and Wales.

(b) The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

7.5 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

7.6 Third Party Rights

(a) Save as expressly provided, a person who is not a party to this DPA shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA.

(b) Data Subjects are intended third party beneficiaries of the data protection rights set out in this DPA and may enforce such rights directly against the relevant party.

7.7 Regulatory Cooperation

(a) Each party shall cooperate with Supervisory Authorities and respond to inquiries, investigations, or audits.

(b) Each party shall notify the other party promptly upon receiving any inquiry or investigation from a Supervisory Authority relating to Processing under this DPA (unless prohibited by law).

(c) The parties shall coordinate their responses to any such inquiry or investigation affecting both parties.

ANNEX 1: DETAILS OF PROCESSING

Part A: Merchant Data Processing

Subject Matter: Processing of Merchant Data for deployment of value-added services on payment terminals
Duration: Term of the Principal Agreement plus retention period (7 years for business records; 36 months for transaction analytics, then anonymised)
Nature of Processing: Collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, erasure, destruction
Purpose of Processing: Deployment and operation of Zeal software on terminals; provision of transaction analytics, loyalty services, business intelligence, and marketing services; PSP/ZMS Controller reporting and revenue share calculation
Categories of Data Subjects: Merchants; Merchant employees and representatives; Merchant contact persons
Categories of Personal Data: Business contact information (name, email, phone); Merchant identifiers (MID, TID); Business address; Job title/role
Special Category Data: None
Lawful Basis: Legitimate interests (provision of B2B services); Performance of contract

Part B: Transaction Data Processing

Subject Matter: Processing of transaction data for analytics, insights, and loyalty services
Duration: 36 months for identifiable transaction analytics; indefinitely for anonymised and aggregated data
Nature of Processing: Collection, storage, analysis, aggregation, anonymisation, reporting
Purpose of Processing: Transaction analytics and business intelligence; New vs returning customer analysis; Loyalty programme operation; Merchant performance insights
Categories of Data Subjects: Consumers (payment cardholders)
Categories of Personal Data: Payment card Tokens (not PANs); Transaction amounts, dates, times; Merchant category codes; Purchase categories; Transaction metadata (timestamps, merchant IDs)
Special Category Data: None. Zeal does not process health data, biometric data, or other special categories
Lawful Basis: Legitimate interests (merchant's operational analytics); Consent (where Consumer opts into loyalty)

Part C: Consumer Loyalty Data Processing

Subject Matter: Processing of Consumer Personal Data for loyalty programme participation
Duration: Duration of loyalty programme participation plus 3 years; 30 days for account closure requests
Nature of Processing: Collection, storage, use, analysis, communication
Purpose of Processing: Single-Merchant Loyalty Program enrolment and operation; Cross-Merchant Loyalty Program identification infrastructure; Points/rewards calculation and redemption; Marketing communications (where consented); Consumer analytics and personalisation; Cross-merchant Consumer account management
Categories of Data Subjects: Consumers who opt into Single-Merchant Loyalty Programs; Consumers who opt into Cross-Merchant Loyalty Programs (linked phone + card Token)
Categories of Personal Data: Mobile phone number (optional for cross-merchant identification); Email address (optional); Name (optional); Linked payment card Tokens (card Token-to-phone mapping); Transaction history; Points balance; Redemption history; Communication preferences; Loyalty program enrolment data (join date, points, redemption history)
Special Category Data: None
Lawful Basis: Consent (loyalty enrolment - Article 6(1)(a)); Consent (cross-merchant phone number linkage - Article 6(1)(a)); Performance of contract (rewards fulfilment); Legitimate interests (fraud prevention - Article 6(1)(f)); Legitimate interest for Free Tier transaction observation, with LIA at getzeal.io/legal/lia-free-tier

Part D: Processing Purposes Summary

For clarity, the purposes of Processing under this DPA include:

  • Operating individual Merchant loyalty programs (joint controller with each Merchant)
  • Operating cross-merchant identification infrastructure (Zeal independent controller)
  • Enabling cross-merchant Consumer account management via getzeal.io/account
  • Providing aggregated analytics and benchmarking (Zeal independent controller)
  • PSP and ZMS Controller reporting and revenue share calculation
  • Platform improvement and service development

ANNEX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

1. Information Security Management

(a) Zeal maintains an information security management system aligned with ISO 27001 principles.

(b) Zeal has appointed a Data Protection Officer contactable at dpo@getzeal.io.

(c) Information security policies are reviewed annually and updated as necessary.

2. Access Control

(a) Role-based access control (RBAC) with principle of least privilege.

(b) Unique user identifiers for all personnel; no shared accounts.

(c) Multi-factor authentication (MFA) required for:

  • All administrative access to production systems
  • Remote access to Zeal networks
  • Access to the Zeal Platform portals (PSP Portal, ZMS Portal, Merchant Portal)

(d) Strong password requirements: minimum 12 characters, complexity requirements, 90-day rotation.

(e) Automatic session timeout after 15 minutes of inactivity for sensitive systems.

(f) Access reviews conducted quarterly; access revoked within 24 hours of termination.

3. Encryption

(a) Data in transit: TLS 1.2 minimum (TLS 1.3 preferred) for all external communications.

(b) Data at rest: AES-256 encryption for all Personal Data stored in databases and file systems.

(c) Cryptographic key management: Keys stored in hardware security modules (HSMs) or equivalent secure key management systems; key rotation performed annually.

(d) End-to-end encryption for sensitive data transmissions between terminals and Zeal Platform.

4. Network Security

(a) Network segmentation between production, development, and corporate environments.

(b) Firewalls with default-deny policies at network perimeter and between segments.

(c) Intrusion detection and prevention systems (IDS/IPS) monitored 24/7.

(d) DDoS protection and mitigation services.

(e) Virtual Private Networks (VPNs) required for remote administrative access.

(f) Regular vulnerability scanning: external scans monthly; internal scans quarterly.

(g) Critical vulnerabilities remediated within 72 hours; high within 7 days; medium within 30 days.

5. Application Security

(a) Secure software development lifecycle (SSDLC) incorporating security at all stages.

(b) Code reviews required for all production deployments.

(c) Static application security testing (SAST) integrated into CI/CD pipeline.

(d) Dynamic application security testing (DAST) performed prior to major releases.

(e) Third-party penetration testing conducted annually by qualified testers.

(f) Security findings tracked and remediated according to severity.

6. Physical Security

(a) Zeal Platform hosted in ISO 27001 certified data centres.

(b) Data centres equipped with:

  • 24/7 security personnel and CCTV monitoring
  • Biometric and card access controls
  • Environmental controls (fire suppression, climate control, UPS)
  • Redundant power and network connectivity

(c) Zeal office premises secured with access controls and visitor management.

7. Monitoring and Logging

(a) Centralised logging of security events, access attempts, and system activities.

(b) Log retention: minimum 12 months for security logs; 7 years for audit logs.

(c) Logs protected from tampering with write-once storage or cryptographic verification.

(d) Real-time monitoring and alerting for security events.

(e) Regular review of security logs by security operations team.

8. Incident Response

(a) Documented incident response plan covering identification, containment, eradication, recovery, and lessons learned.

(b) Designated incident response team with defined roles and responsibilities.

(c) Incident response plan tested annually through tabletop exercises.

(d) Post-incident reviews conducted within 5 Business Days of incident closure.

(e) Contact for security incidents: security@getzeal.io (24-hour monitoring).

9. Business Continuity and Disaster Recovery

(a) Business continuity plan and disaster recovery plan maintained and tested annually.

(b) Regular backups: daily incremental, weekly full; encrypted; stored in geographically separate location.

(c) Recovery Point Objective (RPO): 24 hours maximum.

(d) Recovery Time Objective (RTO): 72 hours maximum.

(e) Backup restoration tested quarterly.

10. Personnel Security

(a) Background checks (including DBS where applicable) for personnel with access to Personal Data.

(b) Confidentiality agreements signed by all personnel and contractors.

(c) Security awareness training: upon onboarding and annually thereafter.

(d) Role-specific security training for personnel handling sensitive data.

(e) Clear desk and clear screen policies in effect.

11. Vendor Management

(a) Security assessments conducted on all Sub-processors prior to engagement.

(b) Contractual data protection obligations imposed on all Sub-processors.

(c) Annual review of Sub-processor security posture.

(d) Right to audit Sub-processors or receive third-party audit reports.

12. Security Certifications and Compliance Framework

(a) Current Certification Status

As of the Effective Date, Zeal does not hold formal security certifications. Zeal is committed to achieving and maintaining industry-standard certifications as set out in the roadmap below.

(b) Certification Roadmap

Certification | Target Date | Status
IASME Cyber Assurance Level 1 | Q2 2026 (by 30 June 2026) | Planned
ISO/IEC 27001:2022 | Q4 2026 (by 31 December 2026) | Planned
SOC 2 Type II | Q2 2027 (by 30 June 2027) | Planned

(c) Interim Security Assurance

Pending achievement of formal certifications, Zeal provides the following assurances:

  • Security controls are aligned with ISO 27001:2022 Annex A (93 controls), NIST Cybersecurity Framework v1.1, and OWASP Top 10
  • Annual third-party penetration testing conducted by CREST or CHECK-approved security firms
  • Documented Information Security Management System (ISMS) including: security policies and procedures, incident response plan, business continuity and disaster recovery plans, vendor security assessment procedures, and security awareness training program
  • Annual penetration test summary reports available to Partners upon request (redacted for sensitive findings, provided under NDA)

(d) PCI DSS Applicability

CURRENT SCOPE: OUT OF SCOPE

Zeal's current processing activities are OUT OF SCOPE for PCI DSS because:

  • Zeal processes only payment card Tokens, not Primary Account Numbers (PANs)
  • Zeal does not process, store, or transmit cardholder data including: full PANs, CVV/CVC codes, PINs, magnetic stripe data, or EMV chip data
  • Tokens are generated by Payment Service Providers and cannot be reverse-engineered to derive the original PAN
  • Token processing is scoped to the Zeal platform only and cannot be used for payment authorisation

FUTURE COMMITMENT:

If Zeal's processing scope changes to include cardholder data requiring PCI DSS compliance:

  • Zeal will provide Partners with at least 90 days' advance written notice of the scope change
  • Zeal will obtain PCI DSS Level 1 or Level 2 certification (as appropriate) BEFORE commencing any processing of cardholder data
  • Certification will include: Report on Compliance (ROC) by a Qualified Security Assessor (QSA), Attestation of Compliance (AOC), and quarterly Approved Scanning Vendor (ASV) scans
  • Partners will receive: annual AOC upon request, ROC executive summary (redacted), and quarterly ASV scan confirmations
  • No retroactive liability shall attach to Partners for Zeal's pre-certification activities

(e) Partner Audit Rights

Partners may request the following documentation:

  • Penetration test reports (executive summary, redacted for sensitive findings)
  • Security certifications and attestations (when available)
  • Security policies and procedures (summary versions)
  • Training records (anonymised completion statistics)
  • Sub-processor security assessments

Documentation requests shall be fulfilled within 30 days, provided under NDA, with appropriate redactions for security-sensitive information.

Partners may conduct or commission security audits subject to the following conditions:

  • Maximum of one audit per calendar year (unless a security incident occurs or regulatory requirement mandates additional audit)
  • Audit scope limited to systems and processes relating to the Services
  • Audits shall not interfere with Zeal's operations or other customers
  • Audits conducted during normal business hours with at least 30 days' advance notice
  • Auditor must execute NDA and audit findings treated as Confidential Information
  • Partner bears audit costs UNLESS audit reveals material non-compliance, in which case Zeal reimburses reasonable audit costs and remediates findings within 30 days
  • Zeal may offer existing third-party audit reports (SOC 2, ISO 27001 when available) in lieu of direct audit

(f) Notification of Certification Milestones

Zeal shall notify Partners within 30 days of achieving any security certification, including:

  • Certification name and scope
  • Certification date and validity period
  • Certifying body
  • Availability of attestation documents

Attestation documents will be made available via the Partner Portal or upon request to compliance@getzeal.io.

Partners may reference Zeal's certifications in their own compliance documentation and customer communications.

ANNEX 3: AUTHORISED SUB-PROCESSORS

The following Sub-processors are authorised as at the date of this DPA:

Sub-processor | Processing Activity | Location | Transfer Mechanism
Amazon Web Services EMEA SARL | Cloud infrastructure and hosting | EU (Ireland, Frankfurt) | Adequacy (EU); UK Addendum
Google Cloud EMEA Limited | Cloud infrastructure and data analytics | EU (Belgium, Netherlands) | Adequacy (EU); UK Addendum
Twilio Ireland Limited | SMS communications for loyalty enrolment | Ireland | Adequacy (EU); UK Addendum
SendGrid (Twilio) | Email communications | Ireland | Adequacy (EU); UK Addendum
Stripe Payments Europe Limited | Payment processing for merchant subscriptions | Ireland | Adequacy (EU); UK Addendum
Intercom R&D Unlimited Company | Customer support platform | Ireland | Adequacy (EU); UK Addendum
HubSpot Ireland Limited | CRM and marketing automation | Ireland | Adequacy (EU); UK Addendum

Zeal maintains an up-to-date list of Sub-processors at https://getzeal.io/legal/sub-processors.

Partners may subscribe to notifications of Sub-processor changes by emailing dpo@getzeal.io.

ANNEX 4: UK INTERNATIONAL DATA TRANSFER ADDENDUM

For Restricted Transfers from the United Kingdom, the UK Addendum is incorporated and the following elections apply:

Table 1: Parties

Start Date: The Effective Date of the Principal Agreement
The Parties: Exporter: Partner / Importer: Zeal (or vice versa as applicable per the Principal Agreement)
Key Contact (Exporter): As specified in the Principal Agreement
Key Contact (Importer): Data Protection Officer, dpo@getzeal.io

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The Approved EU SCCs, including the Appendix Information
Module in operation: As determined by Section 2.2 of this DPA
Clause 7 (Docking Clause): Not used
Clause 11 (Option): Option 1: Independent dispute resolution body not used
Clause 17 (Governing Law): Option 1: Laws of England and Wales
Clause 18 (Forum): Courts of England and Wales

Table 3: Appendix Information

The Appendix Information is set out in Annex 1 (Processing Details), Annex 2 (Security Measures), and Annex 3 (Sub-processors) of this DPA.

Table 4: Ending this Addendum when the Approved Addendum Changes

Field | Selection
Which Parties may end this Addendum as set out in Section 19? | Neither party

ANNEX 5: CONTACT DETAILS AND NOTICES

Zeal Contact Details

Legal Entity: Zeal IO Limited
Company Number: 11998285
Registered Address: 85 Great Portland Street, First Floor, London, W1W 7LT, UK
Data Protection Officer: dpo@getzeal.io
Legal Notices: legal@getzeal.io
Security Incidents: security@getzeal.io
Compliance Enquiries: compliance@getzeal.io
Partner Support: partnerships@getzeal.io

Partner Contact Details

As specified in the Principal Agreement.

Supervisory Authority

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Website: https://ico.org.uk

Helpline: 0303 123 1113

EXECUTION

This DPA is incorporated into and forms part of the Principal Agreement. Where the Principal Agreement is executed, this DPA is deemed executed simultaneously.

Where this DPA is executed as a standalone addendum:

For and on behalf of ZEAL IO LIMITED
Signature: _________________________
Name: _________________________
Title: _________________________
Date: _________________________

For and on behalf of PARTNER
Signature: _________________________
Name: _________________________
Title: _________________________
Date: _________________________

--- END OF DATA PROCESSING ADDENDUM ---

© 2026 Zeal IO Limited. All rights reserved.