SpendCue Data Processing Addendum

1. Definitions

For the purposes of this DPA:

"Customer Personal Data" means any Personal Data processed by SpendCue on behalf of Customer in connection with the Service.

"Data Protection Law" means the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR where applicable, and any other applicable laws relating to privacy, security, or the processing of Personal Data.

"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Supervisory Authority" have the meanings given in applicable Data Protection Law.

"Subprocessor" means any third party engaged by SpendCue to process Customer Personal Data on behalf of Customer.

2. Roles of the Parties

2.1 The parties acknowledge that, with respect to Customer Personal Data:

• Customer acts as Controller (or, where applicable, as a processor acting on behalf of another controller); and
• SpendCue acts as Processor.

2.2 If Customer is itself a processor, Customer warrants that it is authorised by the relevant controller to appoint SpendCue as a subprocessor or processor, as applicable.

3. Customer Instructions

3.1 SpendCue will process Customer Personal Data only on documented instructions from Customer, unless otherwise required by applicable law. In such case, SpendCue will inform Customer of that legal requirement unless prohibited by law.

3.2 The parties agree that Customer's use of the Service, configuration of the Service, and instructions given through the Service interface and related support communications constitute Customer's documented instructions.

3.3 Customer is responsible for ensuring that its instructions comply with applicable Data Protection Law.

4. Purpose and Nature of Processing

4.1 SpendCue processes Customer Personal Data solely for the purpose of providing, operating, securing, supporting, and improving the Service, and as otherwise necessary to perform its obligations under the parties' agreement.

4.2 The nature of the processing may include collection, storage, organisation, retrieval, consultation, use, transmission, deletion, and other processing operations necessary to provide the Service.

5. Categories of Data and Data Subjects

5.1 Categories of Data Subjects may include:

• Customer's employees, contractors, consultants, and team members;
• individuals acting as requesters, approvers, admins, or viewers;
• supplier or vendor contacts entered by Customer;
• other individuals whose Personal Data Customer submits to the Service.

5.2 Categories of Personal Data may include:

• names;
• email addresses;
• workspace membership and role information;
• purchase request content;
• supplier or vendor contact details entered by Customer;
• project or cost code references;
• notes, comments, and attachments;
• audit trail and workflow history;
• technical and usage data associated with access to the Service.

5.3 Customer agrees not to use the Service to process special categories of personal data under Article 9 GDPR, criminal offence data, or other highly sensitive data unless explicitly agreed in writing with SpendCue.

6. Confidentiality

SpendCue will ensure that persons authorised to process Customer Personal Data:

• are bound by confidentiality obligations; or
• are under an appropriate statutory obligation of confidentiality.

7. Security Measures

7.1 SpendCue will implement appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the nature of the processing, the state of the art, implementation costs, and the risks involved.

7.2 Such measures may include, as appropriate:

• access controls and role-based permissions;
• encryption in transit;
• encryption at rest where provided by infrastructure providers;
• logging and monitoring;
• row-level access controls;
• backup and recovery measures;
• secure development and deployment practices;
• incident response procedures.

7.3 Customer acknowledges that no security measure can guarantee absolute security.

8. Subprocessors

8.1 Customer grants SpendCue a general authorisation to engage Subprocessors in connection with the Service.

8.2 SpendCue will maintain a list of its current Subprocessors, which may be made available on its website or upon request.

8.3 SpendCue will impose data protection obligations on Subprocessors that are no less protective than those set out in this DPA to the extent applicable to the nature of the services provided by such Subprocessors.

8.4 SpendCue remains responsible for the performance of its Subprocessors' obligations to the extent required by applicable law.

9. International Transfers

9.1 Where SpendCue transfers Customer Personal Data outside the EEA, UK, or other relevant jurisdiction, SpendCue will ensure that such transfers are made in accordance with applicable Data Protection Law.

9.2 Where required, SpendCue will rely on appropriate transfer mechanisms, such as:

• adequacy decisions;
• Standard Contractual Clauses; or
• other lawful transfer mechanisms.

10. Assistance to Customer

Taking into account the nature of the processing and the information available to SpendCue, SpendCue will provide reasonable assistance to Customer with respect to:

• responding to requests from Data Subjects to exercise their rights;
• security of processing;
• personal data breach notification obligations;
• data protection impact assessments; and
• consultations with supervisory authorities,

to the extent required by applicable Data Protection Law and to the extent Customer cannot reasonably fulfil such obligations without SpendCue's assistance.

11. Personal Data Breaches

11.1 SpendCue will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.

11.2 Such notification will include, where reasonably available:

• a description of the nature of the breach;
• the categories of data affected;
• the likely consequences of the breach; and
• the measures taken or proposed to address the breach.

11.3 SpendCue's notification of or response to a personal data breach does not constitute an admission of fault or liability.

12. Deletion or Return of Data

12.1 Upon termination or expiry of the Service, and at Customer's choice where technically feasible, SpendCue will delete or return Customer Personal Data, unless retention is required by applicable law.

12.2 Customer acknowledges that certain Customer Personal Data may remain in backups, logs, or archived systems for a limited period before deletion, in accordance with SpendCue's standard retention and deletion practices.

13. Information and Audit Rights

13.1 SpendCue will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

13.2 Where Customer reasonably believes that such information is insufficient to demonstrate compliance with Article 28 GDPR, Customer may request additional information or an audit, subject to the following:

• Customer must provide reasonable prior written notice;
• audits must be limited to once per year unless required by law or following a verified security incident;
• audits must be conducted during normal business hours and in a manner that minimises disruption;
• audits may be conducted by Customer or an independent auditor bound by confidentiality obligations;
• Customer will bear its own audit costs and reimburse SpendCue for reasonable internal costs incurred in supporting the audit, except where the audit reveals a material breach of this DPA by SpendCue.

13.3 SpendCue may satisfy audit obligations by providing recent independent audit reports, certifications, security documentation, or other relevant materials where appropriate.

14. Liability

The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the parties' Terms of Service or other main agreement, unless applicable law requires otherwise.

15. Order of Precedence

If there is any conflict between this DPA and the parties' Terms of Service or other main agreement with respect to the processing of Customer Personal Data, this DPA will prevail to the extent of that conflict.

16. Governing Law

This DPA is governed by the laws of Sweden, unless otherwise required by applicable Data Protection Law or the parties' main agreement.

17. Contact

If Customer has questions about this DPA or wishes to exercise its rights under this DPA, Customer may contact:

SpendCue
Email: privacy@spendcue.com