
Data Processing Agreement (DPA)
of heyteo AG, Steigstrasse 18, 8463 Benken (ZH), Switzerland
Version 2.0 · Valid from 21 May 2026
1 Definitions
1.1 Main Agreement. The agreement concluded between heyteo and the Partner for the provision of the heyteo Services — consisting of the Terms of Use (ToU), the General Project Terms (GPT) and the order form or an equivalent agreement — in which this DPA has been incorporated as an integral part.
1.2 Services. The software agent and AI chat services provided by the Provider under the Main Agreement, including product-specific variants such as Teo HR Coach or sector-specific concierge agents.
1.3 Subcontractors. Third parties who process personal data on behalf of heyteo.
1.4 Personal Data. All information relating to an identified or identifiable natural person which is transmitted to heyteo under the Main Agreement and for which the Partner is responsible.
1.5 DPA. This Data Processing Agreement including Exhibit 1 and Exhibit 2, which forms an integral annex to the Main Agreement.
2 Subject matter of the agreement
2.1 The Partner instructs heyteo to process personal data in accordance with the provisions of this DPA. The Partner is responsible for the personal data.
2.2 The subject matter of the personal data to be processed, the duration of processing, the type and category of the personal data, as well as the purpose of processing, are set out in the Main Agreement and in Exhibit 1 to this DPA, insofar as they are not already sufficiently specified in the Main Agreement and the order form.
3 Processing in accordance with instructions
3.1 Heyteo processes the personal data exclusively for the purposes of the Main Agreement, including this DPA, and in accordance with the Partner's documented instructions.
3.2 The Partner may at any time issue new instructions regarding the processing of personal data or supplement or amend existing instructions, provided these arise from the applicable data protection laws or are made in connection with the performance of the Main Agreement. This includes, in particular, deviations regarding rectification, deletion and blocking of personal data. Both the Partner and heyteo are obliged to document all instructions issued by the Partner.
3.3 If heyteo considers that an instruction from the Partner breaches applicable data protection provisions, heyteo shall notify the Partner without undue delay. Heyteo is entitled to refuse to carry out an instruction that is manifestly unlawful.
3.4 The mandatory applicable data protection obligations of heyteo remain unaffected by the Partner's right to issue instructions.
4 Confidentiality
Heyteo undertakes to oblige all employees entrusted with the processing of personal data to maintain the confidentiality of the personal data. This confidentiality obligation shall continue to apply after the end of the work for the Partner.
5 Security measures
Heyteo warrants that appropriate technical and organisational measures (TOMs) in accordance with Art. 8 FADP and/or Art. 32 GDPR have been implemented in order to ensure an adequate level of protection for the processing of personal data. Upon request, heyteo shall provide the Partner with information about the implemented TOMs. Disclosure of such evidence may be subject to appropriate confidentiality obligations. The Partner acknowledges that personal data may also be disclosed to subcontractors and that, even with careful selection and review of subcontractors, absolute protection of the personal data cannot be guaranteed.
6 Duties of assistance
Heyteo shall support the Partner regarding the project at any time upon request and, where possible, in complying with the applicable data protection laws. In particular, heyteo undertakes:
a) to support the Partner in preparing any data protection impact assessment and to provide information so that the Partner can comply with its data protection obligations in responding to requests from data subjects and supervisory authorities (access, rectification, erasure, data portability, objection, automated decision-making) within the statutory deadlines (see Chapter III GDPR and Art. 25 et seq. FADP);
b) to forward data protection requests from third parties to the Partner without delay, provided heyteo is not itself legally obliged to respond to such requests;
c) to support the Partner, taking into account the information available to heyteo, in complying with the obligations set out in Art. 32 to Art. 36 GDPR and/or Art. 8, 22 and 24 FADP (data security measures, data protection impact assessment, prior consultation, notification of breaches);
d) to notify the Partner without delay if (i) heyteo becomes aware of an actual or suspected data protection breach in relation to personal data, (ii) heyteo becomes aware on its side of an actual or impending impairment of the personal data that prevents compliance with the Main Agreement or this DPA, or (iii) heyteo becomes aware of any requests from authorities for access to or actual access to personal data, provided that such notification is not prohibited by law.
7 Return or deletion
7.1 At the Partner's request — and at the latest after the expiry of the retention period set out below — heyteo shall return to the Partner, delete or anonymise all personal data, unless heyteo is subject to a statutory retention obligation. Heyteo shall confirm deletion in writing at the Partner's request.
7.2 Retention period. To the extent permitted by law and required by contract, heyteo retains personal data in accordance with its privacy policy for ten (10) years from the end of the service for the respective Partner. Content entered by users and responses provided by the systems are usually deleted or anonymised after 48 months. Technical data is usually deleted after a few days, and at the latest after 2 years.
8 Inspection rights
In order to verify heyteo's compliance with this DPA, heyteo shall provide the Partner with all necessary data protection information. The Partner is entitled, during business hours and without disrupting business operations, to have a data protection audit in relation to the personal data carried out by an auditor appointed by the Partner at the Partner's expense.
9 Subcontractors and disclosure abroad
9.1 Heyteo is entitled to engage the subcontractors listed in Exhibit 2 to this DPA for the performance of the project. If heyteo intends to engage additional subcontractors or remove individual subcontractors, heyteo shall inform the Partner accordingly and disclose the identity of such subcontractors. In the event of concerns on the part of the Partner, the Parties shall coordinate in advance.
9.2 The engagement of subcontractors as processors of personal data is permitted insofar as they, within the scope of the subcontract, also meet the requirements of this Agreement. Subject to any other agreements between the Parties, heyteo is obliged to conclude agreements with the subcontractors regarding appropriate data protection and information security measures and to ensure that the subcontractors in turn meet the requirements of this DPA.
9.3 The Partner agrees that the personal data may be used by the subcontractors and by heyteo for the purposes set out in Exhibit 1 to the DPA, and undertakes to inform the users about this use beyond the purpose of the project.
9.4 The Partner acknowledges and agrees that heyteo may also disclose personal data to subcontractors that are not separately certified for HR data, and that heyteo is not obliged, in relation to such personal data, to take contractual or technical protective measures beyond the level agreed in this DPA. Insofar as the Teo HR Coach is part of the Services, the Partner undertakes to obtain, before disclosing the personal data to heyteo, the consent of the affected users for the disclosure of the corresponding user data to WhatsApp/Meta Platforms Inc. and Twilio Inc. in the USA.
10 Governing law and place of jurisdiction
10.1 This DPA is subject exclusively to Swiss law, to the exclusion of conflict of laws rules.
10.2 The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA is Andelfingen, Canton of Zurich, Switzerland, subject to mandatory jurisdictions.
11 Relationship with the annexes and the Main Agreement
11.1 In the event of discrepancies between the Exhibits to this DPA and the main body of this DPA, the main body of the DPA shall take precedence over the Exhibits.
11.2 In the event of discrepancies between this DPA and the remaining Main Agreement (ToU, GPT, order form), this DPA shall prevail in matters of data protection.
Exhibit 1 to the DPA — Subject matter, type, purpose
1 Subject matter, type and purpose of processing
In addition to the provision of the services under the Main Agreement, personal data are processed for the purposes described here. The following data protection provisions and processing policies of the subcontractors used apply in addition:
- WhatsApp Ireland Ltd. — Merrion Road, Dublin 4, D04 X2K5 — Ireland
- OpenAI Ireland Ltd. — 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43 — Ireland
- Google Ireland Ltd. — Gordon House, Barrow Street, Dublin 4 — Ireland
- Twilio, Inc. — 101 Spear St, San Francisco, California 94105 — USA
- XIAG AG — Archstrasse 7, 8400 Winterthur — Switzerland
2 Duration of processing
The personal data for which the Partner is responsible are processed for the duration of the Main Agreement and the retention periods set out in clause 7 of this DPA.
3 Type of personal data
Information entered by the user, responses provided by the software agents, contact and master data of the users (insofar as transmitted), as well as technical data (e.g. IP address, device and connection data). A product-specific specification may arise from the order form or a project-specific agreement.
4 Categories of personal data
Customer and user data.
Exhibit 2 to the DPA — Subcontractors
As at: 21 May 2026
| Company name | Registered office | Country |
|---|---|---|
| WhatsApp Ireland Ltd. | Merrion Road, Dublin 4, D04 X2K5 | Ireland |
| OpenAI Ireland Ltd. | 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43 | Ireland |
| Google Ireland Ltd. | Gordon House, Barrow Street, Dublin 4 | Ireland |
| Twilio, Inc. | 101 Spear St, San Francisco, California 94105 | USA |
| XIAG AG | Archstrasse 7, 8400 Winterthur | Switzerland |
Note: This list includes subcontractors who process end-user personal data in the course of providing the Services. Payment service providers, CRM and accounting service providers of heyteo (for managing the business relationship with the Partner) do not process end-user personal data within the meaning of this DPA.
