CLIENT ONBOARDING AGREEMENT

Letter of Engagement & Contractual Acknowledgement

ORYNTECH SRL | Effective Date: May 13, 2026 | Version 1.0

IMPORTANT: This Client Onboarding Agreement is a legally binding document. By signing below, the Client confirms acceptance of all documents forming the Contractual Framework of ORYNTECH SRL — including the Terms of Use (v1.0), Privacy Policy (v1.0), Earnings Disclaimer (v1.0), Cookie Policy (v1.0), Refund Policy (v1.0), Acceptable Use Policy (v1.0), Service Level Agreement (v1.0), and the Data Processing Agreement set out in Annex A — all of which are incorporated herein by reference. Read this Agreement and all referenced documents carefully before signing. Do not sign until you have read and understood the complete Contractual Framework.

PART A — CLIENT DETAILS

B2B Confirmation. By providing the details above and signing this Agreement, the Client expressly declares, in accordance with Section 11.1 of the Terms of Use, that it is acquiring the Services in its capacity as a Professional (legal entity or natural person carrying out an authorised independent professional activity) and not as a Consumer within the meaning of OG no. 34/2014 and Directive 2011/83/EU.

PART B — SUBSCRIPTION PLAN DETAILS

Plan Mechanics Summary. Kickstart Plan: rolling monthly billing, may be cancelled at any time effective at the end of the current billing cycle (3 days' notice required), no minimum commitment beyond the current month, conditional 7-day refund window for the first paid month under Section 4.5(a) Terms of Use. Dominate Plan: 14-day Free Trial, after which the 12-month minimum term begins automatically, all 12 instalments due regardless of use, early termination only via Extended Underperformance Termination Right (SLA Section 5.4) or proven material breach.

PART C — SCOPE OF SERVICES

ORYNTECH SRL will deliver the following Services under the selected Subscription Plan, customised to the Client's industry and business requirements:

• CRM setup and configuration: contacts, pipelines, custom fields, tags, smart lists;
• Workflow and automation design: lead capture, follow-up sequences, nurture campaigns, reactivation flows;
• Funnel and landing page build: designed and configured within the Platform;
• Website build: business website hosted on the Platform;
• Calendar and booking system: online appointment scheduling and confirmation automations;
• AI conversational agent setup: trained and deployed for the Client's niche and use case;
• AI voice agent setup: inbound/outbound voice automation, where applicable;
• Communication automations: SMS, email, WhatsApp, Instagram DM, Facebook Messenger, missed call text-back;
• Email and SMS marketing campaigns: templates and automated sequences;
• Reputation management: automated review request and monitoring;
• Onboarding support: dedicated setup assistance during initial Platform configuration.

Additional services or features outside the above scope may be available at additional cost and will be agreed in writing prior to commencement. Usage Fees (SMS, telephony, email volume, AI processing) are billed separately in accordance with Section 5.3 of the Terms of Use.

PART D — CLIENT ACKNOWLEDGEMENTS

By signing this Agreement, the Client expressly acknowledges and confirms each of the following statements. Each acknowledgement is independently binding.

D.1 Contractual Framework

The Client confirms having read, understood, and agreed to be legally bound by all documents forming the Contractual Framework of ORYNTECH SRL, available at www.oryntech.ai. The Client acknowledges having had sufficient opportunity to review them before signing and that no oral statement made outside the Contractual Framework has been relied upon.

D.2 Subscription Commitment

Kickstart Plan Clients: the Client understands that the Kickstart Plan is billed on a rolling monthly basis with no minimum commitment beyond the current monthly billing cycle, and may be cancelled with at least three (3) calendar days' written notice before the next billing date, in accordance with Section 4.2 of the Terms of Use.

Dominate Plan Clients: the Client understands and accepts that the Dominate Plan represents a fixed-term minimum commitment of twelve (12) consecutive months commencing on the first paid monthly billing. The Client expressly acknowledges and accepts that early cancellation does not release the Client from the obligation to pay all remaining monthly instalments for the full 12-month term, in accordance with Section 4.3 of the Terms of Use, except where the Extended Underperformance Termination Right under SLA Section 5.4 applies. The Client further understands that the plan auto-renews on a rolling monthly basis at the end of the committed term unless written cancellation notice is provided at least 30 calendar days before the renewal date.

D.3 Refund Mechanisms

The Client understands that the refund mechanism applicable to the subscription depends exclusively on the plan selected:

• Kickstart Plan: a conditional 7-Day Service Quality Refund Window applies for the first paid month, available exclusively where a Qualifying Service Defect attributable to ORYNTECH SRL has occurred and the Cure Procedure has been complied with, in accordance with Section 4.5(a) of the Terms of Use and Section 3 of the Refund Policy.
• Dominate Plan: a 14-Day Free Trial applies, during which the Client may cancel at any time at no cost; after trial conversion, no money-back refund is available except in the case of proven material breach by ORYNTECH SRL or the Extended Underperformance Termination Right.

The Client acknowledges that no refund will be granted on the basis of commercial outcomes (lack of leads or sales, ROI, business decisions, etc.), in accordance with Section 4 of the Refund Policy and Section 4.5(c) of the Terms of Use. Usage Fees are non-refundable in all circumstances.

D.4 Earnings and Results

The Client confirms having read and understood the Earnings Disclaimer (v1.0). The Client acknowledges that ORYNTECH SRL makes no guarantee of any specific financial result, revenue, lead volume, conversion rate, return on investment, or business outcome from the use of the Services. The Client further acknowledges that AI-generated outputs may be inaccurate or incomplete and that the Client is solely responsible for reviewing and validating AI outputs before use, in accordance with Earnings Disclaimer Section 3.

D.5 Acceptable Use, Anti-Spam, and A2P Compliance

The Client confirms that the Client will use the Platform in compliance with the Acceptable Use Policy (AUP) at all times, including: email marketing consent (GDPR + ePrivacy), SMS opt-in requirements (10DLC for US-bound traffic where applicable, ePrivacy for EU-bound traffic), A2P messaging compliance, prohibited content restrictions, and all applicable data protection obligations.

The Client expressly warrants that all contact lists uploaded to the Platform consist exclusively of individuals who have provided genuine, documented, prior opt-in consent to receive communications from the Client's business, and that the Client maintains records of such consent that may be produced to ORYNTECH SRL or to a Supervisory Authority upon request.

D.6 Data Protection — Controller / Processor Roles

The Client understands and accepts that, in respect of personal data uploaded or processed through the Platform on behalf of the Client's own customers, leads, employees, and contacts:

• The Client acts as the Data Controller and is solely responsible for determining the purposes and means of the processing, the lawfulness of all processing activities, providing privacy notices to data subjects, and responding to data subject rights requests within statutory timeframes;
• ORYNTECH SRL acts as the Data Processor on behalf of the Client and processes personal data only on the Client's documented instructions;
• The Client warrants having a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR) for all personal data transferred to ORYNTECH SRL for processing;
• The Client has reviewed and accepts the Data Processing Agreement set out in Annex A to this Agreement, including the named list of authorised sub-processors, and provides general written authorisation under Art. 28(2) GDPR for ORYNTECH SRL to engage those sub-processors.

D.7 Intellectual Property and Anti-Circumvention

The Client understands that all Program Materials, Platform configurations, automation architectures, workflow logic, AI agent designs, prompt engineering, and methodologies delivered by ORYNTECH SRL remain the exclusive intellectual property of ORYNTECH SRL, protected by Romanian Law no. 8/1996 on copyright and Law no. 11/1991 on combating unfair competition. The Client is granted only a limited, non-exclusive, non-transferable, revocable licence during the active Subscription Plan.

The Client expressly accepts the anti-circumvention restrictions set out in Section 11.3 of the Terms of Use, including the 24-month post-termination non-replication obligation, the 12-month non-solicitation of ORYNTECH SRL personnel, and the liquidated damages of EUR 3,588 in case of breach.

D.8 No Professional Advice

The Client understands that ORYNTECH SRL is an AI automation and business systems agency and is not licensed or authorised to provide legal, financial, accounting, tax, medical, or other regulated professional advice. The Client agrees to consult qualified professionals independently for any such decisions and acknowledges that AI-generated outputs do not constitute professional advice.

D.9 AI Act EU Roles

Pursuant to Regulation (EU) 2024/1689 (AI Act), the Client acknowledges that ORYNTECH SRL acts as a "provider" of AI systems integrated into the Platform, while the Client typically acts as a "deployer" of those AI systems within the Client's own business operations. The Client undertakes to comply with all deployer obligations applicable to its specific use case, including transparency obligations under Art. 50 AI Act, monitoring of outputs, and human oversight where required. The Client confirms that it will not use the AI features for prohibited practices under Art. 5 AI Act or for high-risk purposes under Annex III without separate written agreement with ORYNTECH SRL.

D.10 Statutory Right of Withdrawal (Consumers Only)

This Section applies only in the unlikely event that the Client qualifies as a Consumer under OG no. 34/2014 and Directive 2011/83/EU, notwithstanding the B2B confirmation in Part A above. If the Client is a Consumer, the Client has a 14-day statutory right of withdrawal from this distance contract. However, by signing this Agreement and expressly requesting commencement of the Services, the Client expressly requests that performance begins immediately and acknowledges that the right of withdrawal will be lost once the Services have been fully performed, in accordance with Art. 16(a) of Directive 2011/83/EU as transposed into Romanian law by OG no. 34/2014, Art. 16(a).

PART E — ORYNTECH SRL COMMITMENTS

ORYNTECH SRL commits to the following in connection with this Agreement and the Subscription Plan:

• Deliver the Services set out in Part C within agreed onboarding timelines, using commercially reasonable skill and care;
• Maintain Platform availability in accordance with the Service Level Agreement (v1.0), including the 99.5% Core Platform uptime target and the Service Credit schedule under SLA Section 5;
• Process the Client's personal data in accordance with the Privacy Policy (v1.0), the Data Processing Agreement (Annex A), and the GDPR;
• Provide technical support in accordance with the priority and response time commitments in SLA Section 3;
• Notify the Client of any material changes to the Contractual Framework with at least 30 calendar days' advance notice, in accordance with Section 14 of the Terms of Use;
• Notify the Client of any addition or replacement of sub-processors with at least 15 calendar days' advance notice, in accordance with DPA Section 6;
• Keep the Client's Confidential Information secure and not disclose it to third parties except as required for service delivery or by mandatory law, in accordance with Section 9 of the Terms of Use;
• Notify the Client of any personal data breach affecting the Client's data within 72 hours of becoming aware, in accordance with DPA Section 8.

PART F — SIGNATURES

By signing below, both parties confirm that they have read, understood, and agree to the terms of this Client Onboarding Agreement, the complete Contractual Framework of ORYNTECH SRL, and the Data Processing Agreement set out in Annex A, and that the signatories have full authority to enter into this legally binding agreement on behalf of their respective organisations.

FOR AND ON BEHALF OF THE CLIENT:

FOR AND ON BEHALF OF ORYNTECH SRL:

Field	Details
Full Name	Andrei Butarita
Title / Position	Administrator
Date	15 May 2026
Electronic Signature (or wet ink)

This Agreement is executed in two (2) original counterparts, one for each party. Electronic signatures are accepted as legally binding under Romanian Law no. 455/2001 on electronic signatures and Regulation (EU) No 910/2014 (eIDAS). For signatures executed via DocuSign, SignNow, or equivalent qualified or advanced electronic signature platforms, the electronic audit trail constitutes conclusive evidence of execution.

ANNEX A — DATA PROCESSING AGREEMENT

Incorporated into and forming part of the Client Onboarding Agreement

ORYNTECH SRL (Processor) & Client (Controller) | Version 1.0

IMPORTANT: This Data Processing Agreement ("DPA") forms an integral part of the Client Onboarding Agreement and the Contractual Framework of ORYNTECH SRL. It governs the processing of personal data by ORYNTECH SRL (as data processor) on behalf of the Client (as data controller), in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Romanian Law no. 190/2018, Law no. 506/2004 on electronic communications privacy, and Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses for transfers to third countries). The Standard Contractual Clauses are hereby incorporated into this DPA by reference where applicable.

DPA 1. DEFINITIONS AND INTERPRETATION

Capitalised terms used in this DPA and not otherwise defined have the meanings given to them in the Terms of Use of ORYNTECH SRL or in the GDPR. The terms "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", "Personal Data Breach", and "Supervisory Authority" have the meanings set forth in Art. 4 GDPR.

"AI-Specific Processing" means processing of Personal Data through machine learning algorithms for CRM automation purposes, including without limitation lead scoring, behavioural prediction, automated communication generation, conversational AI agents, and voice AI agents.

"Documented Instructions" means the Client's instructions to ORYNTECH SRL to process Personal Data, given through: (i) this DPA and the Client Onboarding Agreement; (ii) configuration choices made by the Client within the Platform (workflows, automations, audience segments); (iii) written instructions submitted by email, support ticket, or signed amendment; or (iv) instructions implicit in standard use of features ordered under the Subscription Plan. Verbal instructions are not Documented Instructions.

DPA 2. SCOPE, SUBJECT MATTER, AND DURATION

2.1 Subject Matter. ORYNTECH SRL shall process Personal Data provided by the Client solely for the purpose of providing the Services as defined in the Client Onboarding Agreement, the Terms of Use, and the SLA. No other processing is authorised.

2.2 Duration. This DPA remains in effect for the entire duration of the active Subscription Plan plus the additional period required for data deletion or return as specified in DPA Section 11. Obligations of confidentiality, security, and accountability survive termination of this DPA in accordance with Section 13.5 of the Terms of Use.

DPA 3. CATEGORIES OF DATA AND DATA SUBJECTS

3.1 Categories of Data Subjects. Personal Data processed under this DPA may relate to: (i) the Client's own customers and end-users; (ii) the Client's prospects, leads, and inbound enquiries; (iii) the Client's employees and contractors with access to the Platform; (iv) the Client's business contacts and partners. Where the Client uploads or processes Personal Data of additional categories of Data Subjects, the Client warrants having a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR) for doing so.

3.2 Categories of Personal Data. ORYNTECH SRL processes the following categories of Personal Data on behalf of the Client:

• Identification data: full name, email address, phone number, postal address;
• Professional data: company name, job title, business sector, role;
• CRM interaction history: call logs, email exchanges, SMS records, chatbot transcripts, voice agent recordings (where enabled), appointment history, pipeline stage changes;
• Technical data: IP addresses, device identifiers, browser type, geolocation data (where applicable to specific Client workflows);
• AI-generated profiling data: lead scores, interest categories, behavioural predictions, intent classifications generated by Platform automation features;
• Marketing data: opt-in records, unsubscribe records, communication preferences, campaign engagement metrics;
• Any additional categories specifically uploaded or generated by the Client within the Platform.

3.3 Special Categories of Personal Data. Special category data within the meaning of Art. 9 GDPR (health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation) shall not be uploaded to the Platform without prior written notice to ORYNTECH SRL and the Client's express documentation of the legal basis under Art. 9(2) GDPR. Where the Client operates in a sector that may involve special category data (e.g. healthcare, legal services), the Client warrants having a written DPIA (Data Protection Impact Assessment) and explicit consent of the Data Subjects concerned.

3.4 Processing Operations. The processing operations performed by ORYNTECH SRL on behalf of the Client comprise: collection, recording, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure, and destruction — solely as necessary to deliver the Services.

DPA 4. OBLIGATIONS OF THE CONTROLLER (CLIENT)

4.1 Lawful Basis. The Client warrants that it has identified and documented a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR) for collecting, processing, and transferring all Personal Data to ORYNTECH SRL. The Client is solely responsible for the lawfulness of all such processing.

4.2 Documented Instructions. The Client shall provide clear, lawful, and documented processing instructions. ORYNTECH SRL shall promptly inform the Client if, in its opinion, an instruction infringes the GDPR or other applicable data protection law, and may suspend processing pending clarification.

4.3 Data Subject Notices. The Client is solely responsible for: (i) providing adequate privacy notices to its Data Subjects under Art. 13–14 GDPR; (ii) responding to Data Subject Rights Requests within statutory timeframes; (iii) maintaining records of consent, opt-in, and opt-out; (iv) ensuring full compliance with all applicable national and EU data protection legislation.

4.4 Marketing and Communications. The Client warrants that all marketing communications dispatched through the Platform comply with applicable consent requirements under the GDPR, ePrivacy Directive 2002/58/EC, Romanian Law no. 506/2004, and (where applicable to non-EU recipients) corresponding national legislation. The Client maintains and produces upon request evidence of opt-in for each recipient.

DPA 5. OBLIGATIONS OF THE PROCESSOR (ORYNTECH SRL)

5.1 Processing Limitation. ORYNTECH SRL shall process Personal Data only on Documented Instructions from the Client, unless required to do otherwise by applicable Union or Member State law to which ORYNTECH SRL is subject. In such a case, ORYNTECH SRL shall inform the Client of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

5.2 Confidentiality. ORYNTECH SRL ensures that all persons authorised to process Personal Data — including employees, contractors, and other authorised personnel — have committed themselves to confidentiality or are under appropriate statutory confidentiality obligations. Confidentiality obligations survive termination of the underlying employment or contractor relationship.

5.3 Technical and Organisational Measures (Art. 32 GDPR). ORYNTECH SRL implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. These measures, set out in detail in Schedule 1 to this DPA, include without limitation:

• Encryption of Personal Data in transit using industry-standard TLS protocols (TLS 1.2 or higher);
• Encryption at rest of Personal Data, as implemented by the Platform infrastructure provider on cloud infrastructure;
• Pseudonymisation of identifiers where technically feasible;
• Multi-factor authentication (MFA) for all administrative access by ORYNTECH SRL personnel;
• Role-based access control on a need-to-know basis, with quarterly review of access rights;
• Audit logging of access to administrative interfaces and Client accounts;
• Regular review of security configurations and prompt application of security updates;
• Documented incident response procedures (see DPA Section 8);
• Reliance on sub-processors holding recognised security certifications (ISO 27001, SOC 2, or equivalent) for underlying infrastructure;
• Mandatory security and data protection training for personnel with access to Personal Data;
• Contractual confidentiality obligations imposed on all sub-processors and personnel.

5.4 Records of Processing. ORYNTECH SRL maintains a record of processing activities under Art. 30(2) GDPR available to ANSPDCP and, upon reasonable request and subject to confidentiality, to the Client.

5.5 Cooperation with Supervisory Authorities. ORYNTECH SRL shall cooperate, on request, with ANSPDCP and any other competent supervisory authority in the performance of their tasks.

DPA 6. SUB-PROCESSORS

6.1 General Authorisation. The Client hereby grants general written authorisation, in accordance with Art. 28(2) GDPR, for ORYNTECH SRL to engage the sub-processors listed in DPA Section 6.2 below for the purpose of delivering the Services. Any addition or replacement of a sub-processor will follow the procedure set out in DPA Section 6.3.

6.2 Authorised Sub-processors as of the Effective Date

As of the Effective Date of this DPA, ORYNTECH SRL engages the following sub-processors in the delivery of the Services:

Note on the role of HighLevel Inc. The Platform delivered to the Client is built on infrastructure provided by HighLevel Inc. under a white-label arrangement. HighLevel Inc. may engage further sub-sub-processors (including hosting providers, AI providers, and communications providers) to deliver its underlying infrastructure. Updated information on HighLevel's sub-processors is available from ORYNTECH SRL upon written request to oryntechai@gmail.com. By signing this DPA, the Client provides general authorisation under Art. 28(2) GDPR for the engagement of HighLevel Inc. and its sub-sub-processors as required to deliver the Services.

6.3 Notification of Changes and Right to Object

ORYNTECH SRL shall inform the Client of any intended addition or replacement of a sub-processor at least fifteen (15) calendar days in advance, in writing by email to the Primary Contact Email on file. The notice shall include the identity of the new sub-processor, its location of processing, the services it will perform, and the transfer safeguards that will apply.

The Client may object to the proposed sub-processor change within ten (10) calendar days of the notice by submitting a written, reasoned objection on legitimate data protection grounds to oryntechai@gmail.com. The parties shall engage in good-faith discussions to identify a mutually acceptable solution. If no resolution is reached within a further fifteen (15) calendar days, the Client may terminate the affected Services with respect to the processing concerned, with effect at the end of the then-current monthly billing cycle, without further payment obligation in respect of that processing. For Dominate Plan Clients, this constitutes the exclusive exit mechanism in connection with sub-processor changes and does not extend to other Services unless the new sub-processor is essential to the entire Platform.

6.4 Liability and Equivalent Obligations

ORYNTECH SRL shall impose data protection obligations on each sub-processor that are no less protective than those imposed on ORYNTECH SRL under this DPA, by means of a written contract or other binding legal instrument. ORYNTECH SRL remains fully liable to the Client for the performance of each sub-processor's obligations under such contracts.

DPA 7. DATA SUBJECT RIGHTS

7.1 Assistance to the Controller. Taking into account the nature of the processing, ORYNTECH SRL shall assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligation to respond to Data Subject Rights Requests under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). Such assistance may include providing data export functionalities through the Platform, deletion functionalities, and access to records relating to specific Data Subjects.

7.2 Direct Requests Received by ORYNTECH SRL. Any Data Subject Rights Request received directly by ORYNTECH SRL in respect of Personal Data processed on behalf of the Client shall be acknowledged but not substantively responded to by ORYNTECH SRL. ORYNTECH SRL shall forward the request to the Client within forty-eight (48) hours of receipt, with sufficient information to enable the Client (as Controller) to respond. The Client remains the sole party responsible for providing a substantive response to the Data Subject.

7.3 Cooperation Costs. ORYNTECH SRL provides reasonable assistance under this Section at no additional cost. Where assistance requires significant engineering effort beyond standard Platform functionalities (e.g. custom data extraction, manual review of large datasets), ORYNTECH SRL may charge a reasonable fee at its standard professional services rate, with prior written quotation to the Client.

DPA 8. PERSONAL DATA BREACH NOTIFICATION

8.1 Notification Timing. ORYNTECH SRL shall notify the Client of any Personal Data Breach affecting Client data without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, as required by Art. 33 GDPR and aligned with Section 4.3 of the SLA and Section 10 of the Privacy Policy.

8.2 Content of the Notification. The notification shall include, to the extent then known and as it becomes available:

• The nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of records concerned;
• The name and contact details of the ORYNTECH SRL point of contact where more information can be obtained;
• The likely consequences of the Personal Data Breach;
• The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.3 Cooperation with the Controller. ORYNTECH SRL shall cooperate fully with the Client in meeting the Client's own breach notification obligations to ANSPDCP under Art. 33 GDPR (within 72 hours where required) and to affected Data Subjects under Art. 34 GDPR (without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons). The Client retains responsibility for determining whether the breach triggers notification obligations and for executing those obligations vis-à-vis the supervisory authority and Data Subjects.

8.4 Records of Breaches. ORYNTECH SRL maintains internal records of all Personal Data Breaches, including their facts, effects, and remedial actions, in accordance with Art. 33(5) GDPR. These records are made available to the Client upon written request.

DPA 9. INTERNATIONAL DATA TRANSFERS

9.1 Transparency on Location. The Client acknowledges and accepts that the Platform infrastructure on which Client Personal Data is processed is operated by HighLevel Inc., a sub-processor located in the United States. As a result, Personal Data uploaded by the Client to the Platform is transferred to and processed in the United States. ORYNTECH SRL also engages additional sub-processors located in third countries (United States, primarily) as set out in DPA Section 6.2.

9.2 Transfer Mechanisms. All transfers of Personal Data outside the European Economic Area are made in compliance with Chapter V GDPR, using one or more of the following mechanisms, as set out in the table in DPA Section 6.2:

• Adequacy decisions adopted by the European Commission, including the EU-US Data Privacy Framework where the recipient is certified;
• Standard Contractual Clauses (Modules 2, 3, or 4 as applicable) adopted by Commission Implementing Decision (EU) 2021/914, hereby incorporated into this DPA by reference where applicable;
• Binding Corporate Rules, where applicable;
• Other safeguards permitted under Art. 46 GDPR.

9.3 Transfer Impact Assessment. Where required by the Schrems II case-law of the Court of Justice of the European Union and EDPB Recommendations 01/2020, ORYNTECH SRL has performed Transfer Impact Assessments (TIAs) for transfers of Personal Data to the United States and other third countries, taking into account the legal context of the destination country, supplementary technical measures (encryption in transit, access controls), supplementary contractual measures (additional warranties from sub-processors), and supplementary organisational measures (data minimisation policies). A summary of the TIA is available to the Client upon reasonable written request.

9.4 Documentation. Upon written request, ORYNTECH SRL will provide the Client with copies of applicable transfer mechanism documentation, including signed Standard Contractual Clauses and Data Privacy Framework certifications, subject to confidentiality redactions where appropriate.

DPA 10. AUDIT AND INSPECTION

10.1 Right to Information. ORYNTECH SRL shall make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR. Such information may include security policies, sub-processor agreements (subject to confidentiality), recent third-party audit reports (e.g. ISO 27001, SOC 2 reports of sub-processors), incident logs, and the Record of Processing Activities under Art. 30(2) GDPR.

10.2 Audit Rights — Remote and Documentary. The Client may, no more than once per calendar year (and more frequently only where required by a Supervisory Authority or following a confirmed Personal Data Breach attributable to ORYNTECH SRL), conduct an audit of ORYNTECH SRL's compliance with this DPA. Audits shall be conducted on a remote and documentary basis, including review of policies, procedures, written responses to questionnaires, and applicable third-party audit reports of sub-processors. ORYNTECH SRL shall respond to reasonable audit questions in writing within 20 business days of receipt.

10.3 On-Site Audit — Restricted. On-site physical inspections of ORYNTECH SRL premises are not permitted by default, given the small-team operational structure of ORYNTECH SRL and the fact that core processing infrastructure is operated by sub-processors who are themselves subject to recognised third-party audit certifications. On-site physical inspections may be permitted exceptionally where: (i) required by a binding decision of a Supervisory Authority; (ii) following a confirmed Personal Data Breach with material impact on the Client; or (iii) where the Client demonstrates that remote and documentary audit is insufficient to address a specific compliance concern. In such exceptional cases, the Client shall provide at least 30 calendar days' written notice, conduct the inspection during normal business hours, and minimise disruption to ORYNTECH SRL's operations.

10.4 Audit Costs. The Client bears the cost of any third-party auditor it engages and any reasonable cost incurred by ORYNTECH SRL in supporting an audit beyond the response to the standard annual questionnaire (e.g. if an on-site inspection is required). Where audit reveals material non-compliance attributable to ORYNTECH SRL, ORYNTECH SRL shall bear all reasonable audit costs and remediate without delay.

DPA 11. TERMINATION AND DATA DELETION

11.1 Return or Deletion at Termination. Upon termination of the Subscription Plan for any reason, ORYNTECH SRL shall, at the written choice of the Client expressed within 30 calendar days from the effective termination date:

• (a) delete all Personal Data and confirm deletion in writing within 30 calendar days from the date of the Client's instruction; or
• (b) return all Personal Data to the Client in a commonly used machine-readable format (CSV, JSON, or equivalent) within 30 calendar days from the date of the Client's instruction, after which all copies will be deleted.

11.2 Default. Where the Client does not provide a choice within the 30-day window, ORYNTECH SRL shall proceed with deletion of all Personal Data within a further 30 calendar days, subject to DPA Section 11.3.

11.3 Mandatory Retention. ORYNTECH SRL may retain Personal Data only to the extent and for the duration required by applicable EU or Romanian law (e.g. for accounting purposes under Law no. 82/1991), in which case the retained data shall remain subject to the confidentiality and security obligations of this DPA.

DPA 12. AI TRANSPARENCY AND AI ACT EU

12.1 Logic of Automated Decisions. Upon written request, ORYNTECH SRL shall provide the Client with high-level documentation regarding the logic involved in automated decision-making functionalities of the Platform (e.g. lead scoring, behavioural prediction), to the extent within ORYNTECH SRL's control, to allow the Client to fulfil its transparency obligations under Art. 22 GDPR vis-à-vis Data Subjects.

12.2 AI Act Roles. Pursuant to Regulation (EU) 2024/1689 (AI Act), ORYNTECH SRL acts as a "provider" of AI systems integrated into the Platform, while the Client acts as a "deployer". Detailed responsibilities under each role are set out in Section 3 of the Earnings Disclaimer (v1.0).

12.3 Limits of AI Bias Testing. The Client acknowledges that the AI features integrated into the Platform are based on third-party AI models (including those provided by sub-processors listed in DPA Section 6.2). ORYNTECH SRL applies reasonable monitoring of AI outputs in the context of standard Platform features but is not in a position to perform deep bias testing on third-party foundation models. The Client, as deployer of AI systems for specific business uses, is responsible for monitoring AI outputs in the Client's specific deployment context, in line with Art. 26 AI Act obligations applicable to deployers.

12.4 No AI Training on Client Content. Consistent with Section 6.4 of the Terms of Use and Section 5 of the Privacy Policy, ORYNTECH SRL does not use, and does not permit its sub-processors to use, Client Personal Data or Client Content to train, retrain, or fine-tune AI models, without the Client's prior, explicit, written consent.

DPA 13. LIABILITY, GOVERNING LAW AND JURISDICTION

13.1 Liability under this DPA. The liability of each party under this DPA is governed by and subject to the limitations set out in Section 10.3 of the Terms of Use, except for: (i) liability that cannot be excluded under mandatory applicable law; (ii) liability arising from each party's own breach of GDPR obligations applicable to it directly; and (iii) liability for which Art. 82 GDPR provides direct recourse for Data Subjects.

13.2 Governing Law. This DPA is governed by the laws of Romania and applicable European Union law, in accordance with Section 15.1 of the Terms of Use.

13.3 Jurisdiction. Disputes arising under or in connection with this DPA between ORYNTECH SRL and Professional Clients are subject to the exclusive jurisdiction of the courts of the Municipality of Craiova, Dolj County, Romania, in accordance with Section 15.2 of the Terms of Use, subject to the mandatory rights of Consumers under Section 15.4 of the Terms of Use.

SCHEDULE 1 — TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

This Schedule sets out the technical and organisational measures implemented by ORYNTECH SRL under DPA Section 5.3 to ensure the security of processing in accordance with Art. 32 GDPR.

S1.1 Access Control and Authentication

• Multi-factor authentication (MFA) required for all administrative access to the Platform and to internal ORYNTECH SRL systems containing Client Personal Data;
• Role-based access control (RBAC) on a need-to-know basis;
• Quarterly review of access rights, with immediate revocation upon role change or termination of employment / contractor relationship;
• Strong password requirements and rotation policies aligned with current NIST SP 800-63B guidance.

S1.2 Encryption

• Encryption in transit using TLS 1.2 or higher for all Platform connections;
• Encryption at rest as implemented by the Platform infrastructure provider (HighLevel Inc.) on its underlying cloud infrastructure;
• Pseudonymisation of identifiers where technically feasible and consistent with the purpose of processing.

S1.3 Logging and Monitoring

• Audit logging of access to administrative interfaces and Client accounts where supported by the Platform infrastructure provider;
• Regular review of security events and anomalies;
• Incident response procedures documented and exercised periodically.

S1.4 Sub-processor Security

• Reliance on sub-processors that hold recognised third-party security certifications (ISO 27001, SOC 2 Type II, or equivalent) for underlying infrastructure;
• Contractual obligation on each sub-processor to implement appropriate technical and organisational measures consistent with this DPA;
• Periodic review of sub-processor security postures based on publicly available certifications and audit reports.

S1.5 Personnel Security

• Confidentiality obligations imposed on all employees and contractors with access to Personal Data;
• Mandatory data protection and security awareness training for personnel with access to Personal Data;
• Background checks on personnel where appropriate to the role and applicable employment law.

S1.6 Resilience and Recovery

• Reliance on Platform infrastructure provider's backup, disaster recovery, and business continuity capabilities;
• Regular testing of restoration procedures by the Platform infrastructure provider;
• Documented incident response plan for ORYNTECH SRL personnel.

DPA EXECUTION

This Data Processing Agreement is executed as Annex A to the Client Onboarding Agreement and is binding upon both parties from the Effective Date of the Client Onboarding Agreement.

ACCEPTED BY THE CLIENT (Controller):

ACCEPTED BY ORYNTECH SRL (Processor):

Field	Details
Full Name	Andrei Butarita
Title / Position	Administrator
Date	15 May 2026
Electronic Signature (or wet ink)

© 2026 ORYNTECH SRL | All rights reserved | CONFIDENTIAL — DO NOT DISTRIBUTE