DATA PROCESSING AGREEMENT

Last Updated: 26-Dec-2025

About This DPA

This Data Processing Agreement (DPA) forms part of the agreement between Headman Labs Pvt Ltd ("Processor") and the Customer ("Controller"). It defines data protection obligations for IoT and telematics services processing.

Key Definitions

Processor

Headman Labs Pvt Ltd - The entity that processes personal data on behalf of the Controller

Controller

The Customer - The entity that determines the purposes and means of processing personal data

1. Scope

This Data Processing Agreement (DPA) forms part of the agreement between Headman Labs Pvt Ltd ("Processor") and the Customer ("Controller"). It applies when Headman Labs Pvt Ltd processes personal data on behalf of customers for providing IoT and telematics Services.

2. Nature of Processing

Processing activities include:

• Data collection and ingestion
• Transmission and synchronization
• Analytics and reporting
• IoT telemetry processing
• Dashboard visualization

Processing is performed in accordance with documented instructions from the Controller.

3. Data Categories

Processed data includes:

• Personal identifiers (name, email, contact details)
• Device information (IMEI, serial numbers, MAC addresses)
• Sensor data (temperature, humidity, fuel, voltage, CAN data)
• Location and movement data
• Usage patterns and analytics
• Technical logs and diagnostics
• Customer support communications

All processing aligns with the purposes defined in the main service agreement.

4. Processor Obligations

Headman Labs Pvt Ltd shall:

• Process data only on documented instructions from Controller
• Ensure confidentiality of personal data
• Implement appropriate technical and organizational security measures
• Assist Controller in responding to data subject requests
• Notify Controller without undue delay upon discovering a personal data breach
• Provide reasonable assistance with data protection impact assessments
• Maintain records of processing activities as required by applicable law
• Ensure personnel are bound by confidentiality obligations

5. Security Measures

Technical and organizational measures include:

• Encryption of data in transit (TLS 1.2+)
• Encryption of data at rest (AES-256)
• Role-based access control (RBAC)
• Multi-factor authentication
• Regular security assessments and penetration testing
• Network security and firewalls

6. Sub-Processors

Headman Labs Pvt Ltd may engage sub-processors for:

• Cloud infrastructure
• Monitoring and analytics services
• Communication services (SMS, email)
• Customer support platforms

All sub-processors are bound by data protection obligations equivalent to this DPA. Controller will be notified of any intended changes concerning sub-processors.

7. Data Breach Notification

In the event of a personal data breach:

• Processor will notify Controller without undue delay, and where feasible, within 72 hours
• Notification will include:
  - Nature of the breach
  - Categories and approximate number of individuals affected
  - Likely consequences
  - Measures taken or proposed to address the breach
• Processor will provide reasonable assistance in investigating and mitigating the breach
• Processor will cooperate with Controller in meeting any breach notification obligations

8. Audit Rights

Controller may:

• Request evidence of compliance with this DPA
• Request security and compliance documentation
• Conduct audits no more than once per year, unless required by law
• Request additional audits in case of security incidents

Audits will be conducted during business hours with reasonable notice and will not unreasonably disrupt Processor's operations.

9. Data Return or Deletion

Upon termination of services:

• Processor will, at Controller's choice, return or delete all personal data
• Return will be in a structured, commonly used, and machine-readable format
• Deletion will follow secure deletion standards
• Processor may retain data if required by law, subject to confidentiality obligations

Controller may request a certificate of deletion upon completion.

10. International Transfers

Data may be transferred and processed outside Controller's country. All transfers will:

• Comply with applicable data protection laws
• Implement appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules)
• Ensure adequate levels of protection
• Include necessary impact assessments

Current processing locations include India and EU/US cloud regions.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the Courts of Gandhinagar, Gujarat, India.