DPA — Swan

# Data Processing Agreement — Swan

Between:

- Data Controller: ALAI Holding AS, Org. No. 932 516 136 ("Controller")
- Data Processor: Swan SAS ("Processor")

Effective Date: [DATE]

Product: Drop payment services — Banking-as-a-Service (BaaS)

This DPA supplements the generic DPA template (dpa-template.md) with Swan-specific processing details. All general terms from the template apply unless overridden below.

## Appendix 1 — Processing Details

| Field | Description |
| --- | --- |
| Purpose | Banking infrastructure for Drop: account management, payment initiation (PISP), account information (AISP), transaction processing, and regulatory reporting via Swan's BaaS platform |
| Nature | Collection, storage, processing, and transmission of financial and identity data for payment services |
| Duration | Duration of BaaS service agreement between Controller and Swan |
| Data subjects | Drop end users (account holders), payment recipients, merchants accepting QR payments |
| Data types | Full name, IBAN/account number, bank name, transaction data (amount, currency, timestamp, reference), exchange rates, payment status, balance information, payment initiation requests, beneficiary details for remittance |
| Special categories | None |

## Appendix 2 — Security Measures (Swan)

- Encryption: TLS 1.3 in transit; AES-256 at rest; HSM for cryptographic key management
- Access Control: RBAC with MFA, segregation of duties, principle of least privilege
- Data Residency: EU data centers (France) — all data processed within EEA
- Logging: Complete audit trail for all financial transactions and API access
- Data Retention: Transaction data retained per Controller instructions (aligned with bokfoeringsloven 5-year requirement); account data retained during relationship + regulatory period
- Incident Response: 24/7 security operations, breach notification within 24 hours
- Certifications: PCI DSS Level 1, licensed by ACPR (French banking regulator), PSD2 compliant
- Financial Regulations: Compliant with PSD2, EMD2, and applicable French/EU banking regulations

## Additional Swan-Specific Terms

### Regulatory Compliance

- Swan operates as a licensed payment institution under French law, supervised by ACPR
- Processing of payment data complies with PSD2 requirements for strong customer authentication (SCA)
- Transaction data available for regulatory reporting to Norwegian authorities (Finanstilsynet) upon Controller's request

### Payment Data

- All payment initiation and account information services comply with PSD2 PISP/AISP requirements
- Transaction data includes full audit trail with timestamps, amounts, currencies, and counterparty information
- Idempotency controls prevent duplicate transactions

### Data Subject Rights

- Swan shall assist Controller in responding to data subject requests within 10 business days
- Account data and transaction history exportable in machine-readable format (JSON/CSV)
- Data erasure subject to regulatory retention requirements (minimum 5 years for financial records)

### Business Continuity

- Redundant infrastructure with 99.9% uptime SLA
- Regular disaster recovery testing
- Data backup with point-in-time recovery capability

## Signatures

Data Controller — ALAI Holding AS

Name: ___________________________
Title: ___________________________
Date: ___________________________

Data Processor — Swan SAS

Name: ___________________________
Title: ___________________________
Date: ___________________________