Data Processing Agreement

For Scheme Data, the Scheme Entity is the Responsible Party and VulaKomplex is the Operator. The Scheme Entity determines the purposes and means for processing Scheme Data — including levy administration, resident communications, maintenance management, access control and governance records — regardless of whether a Managing Agent or other administrator operates the Scheme workspace on a day-to-day basis. A Managing Agent granted access to a Scheme workspace acts as an authorised administrator or delegated operator of the Scheme Entity. The appointment of a Managing Agent does not transfer Responsible Party status or ownership of Scheme Data to the Managing Agent. Where VulaKomplex processes Personal Information for its own purposes — such as billing, security administration, legal compliance and customer relationship management — VulaKomplex acts as a Responsible Party for that limited processing.

VulaKomplex will process Customer Personal Information only on documented Customer instructions, including instructions contained in the Agreement, configuration settings, user permissions, support requests and lawful written instructions.

The purpose of processing is to provide, secure, support, maintain, improve and administer the Platform and related services. Processing continues for the subscription term and any legally required or agreed retention/export period after termination.

• Role-based access controls and least-privilege administration. • Encryption in transit and, where technically supported, encryption at rest. • Authentication controls and MFA for privileged access where available. • Audit logging for material account, security, data and configuration events. • Secure development and change-management practices. • Backups, monitoring and vulnerability management proportionate to the business stage and risk profile. • Confidentiality obligations for personnel and contractors.

VulaKomplex will ensure that personnel authorised to process Customer Personal Information are subject to confidentiality obligations and receive reasonable data-protection instructions appropriate to their role.

The Customer authorises VulaKomplex to use Sub-processors necessary to provide the Platform. VulaKomplex will maintain a Sub-processor Register and impose contractual obligations designed to protect Personal Information. VulaKomplex remains responsible to the Customer for the performance of Sub-processors in accordance with this DPA. A full list of current Sub-processors is available on request at legal@vulakomplex.co.za.

Customer Personal Information may be hosted, stored, accessed or processed outside South Africa where the relevant requirements of POPIA are met, including appropriate contractual, organisational or legal safeguards.

VulaKomplex will notify the Customer without undue delay after becoming aware of a confirmed security compromise affecting Customer Personal Information. The notice will, where reasonably available, describe: • The nature of the compromise • The categories and approximate volume of data affected • The likely consequences • Mitigation steps taken or proposed • Recommended Customer actions

VulaKomplex will reasonably assist the Customer with data subject requests where the Customer cannot respond using Platform functionality. VulaKomplex may charge reasonable fees for complex, repetitive or manual assistance unless caused by VulaKomplex's breach.

On termination, VulaKomplex will make Customer Data available for export for the period stated in the Data Retention and Deletion Policy or Order Form. After that period, VulaKomplex may delete Customer Data from production systems, subject to legal retention obligations and ordinary backup cycles.

A Managing Agent may be granted access to a Scheme workspace by the Scheme Entity or, where the Managing Agent activates a Scheme workspace, the Managing Agent warrants that it has authority to act on behalf of the Scheme Entity and to instruct VulaKomplex to process Scheme Data. The Scheme Entity may at any time direct VulaKomplex to remove, replace, suspend or limit the access of a Managing Agent. VulaKomplex may require reasonable proof of authority — including a trustee resolution, chairperson confirmation, AGM/SGM resolution, appointment or termination letter, or other governance record — before making such access changes.

Scheme Data belongs to the Scheme Entity and not to the Managing Agent, VulaKomplex or any individual platform user. VulaKomplex will not treat a Managing Agent as having ownership of or continuing control over Scheme Data after the Managing Agent's appointment has ended, unless the Scheme Entity has provided written authorisation to the contrary. On termination or replacement of a Managing Agent, the Scheme Entity's trustees, chairperson or other authorised representative may request continuity of access to Scheme Data through VulaKomplex, subject to reasonable proof of authority.

The party responsible for payment of subscription fees may differ from the Responsible Party for Scheme Data. Payment of fees by a Managing Agent does not make the Managing Agent the owner of Scheme Data or the Responsible Party for Scheme Data under POPIA, unless otherwise expressly agreed in writing between the Scheme Entity and VulaKomplex. Where a Managing Agent pays fees on behalf of multiple Scheme Entities, each Scheme Entity remains the Responsible Party for its own Scheme Data. Scheme Data is ring-fenced per scheme workspace and is not accessible across scheme workspaces.

The Customer may request reasonable written assurance of VulaKomplex's security and POPIA controls. On-site audits are subject to reasonable notice, confidentiality, security limitations, cost recovery and restrictions protecting other customers and VulaKomplex systems. Questions about this Agreement or data subject requests: Email: legal@vulakomplex.co.za Address: 44 Amhurst Place, Midstream Estate, Olifantsfontein, Gauteng, 1692 Company registration: 2026/311419/07