Data Processing Agreement
Last updated: 1 June 2026
Parties
This Data Processing Agreement ("DPA") is entered into between the Customer kindergarten ("Controller") and FlutraBlue ("Processor"), a company registered in the Republic of Kosovo.
This DPA forms part of, and is incorporated into, the Terms & Conditions ("Terms") agreed between the Controller and FlutraBlue. By accepting the Terms — whether by clicking an acceptance button, by registering for an account, or by continuing to use the Platform — the Controller also accepts this DPA on its own behalf and, where applicable, on behalf of the affiliated entities entitled to use the Platform under the Controller's Subscription.
In the event of any conflict or inconsistency between this DPA and the Terms with respect to the processing of personal data or data-protection obligations, this DPA shall prevail to the extent of that conflict.
Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in Applicable Data-Protection Law or in the Terms.
- Controller: The Customer kindergarten that determines the purposes and means of the processing of personal data entered into the Platform on behalf of its children, parents/guardians, and staff.
- Processor: FlutraBlue, which processes personal data on behalf of the Controller in accordance with this DPA and the documented instructions of the Controller.
- Sub-Processor: Any third party engaged by FlutraBlue to carry out specific processing activities with respect to the personal data covered by this DPA, as listed in Annex III.
- Personal Data: Any information relating to an identified or identifiable natural person that the Controller submits to, or that is generated through the Controller's use of, the Platform.
- Processing: Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- Data Subject: The natural person to whom personal data relates, including enrolled children (through their parents/guardians), parents and legal guardians, and kindergarten staff members.
- Personal-Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed under this DPA.
- Applicable Data-Protection Law: Kosovo Law No. 06/L-082 on Protection of Personal Data; Albania Law No. 124/2024 On Personal Data Protection; and the North Macedonia Law on Personal Data Protection (Official Gazette No. 42/2020), each as amended or replaced from time to time, to the extent applicable to the relevant processing activity.
Subject-Matter & Duration
FlutraBlue processes personal data on behalf of the Controller for the purpose of providing the Platform and related services described in the Terms. The subject-matter, nature, and purpose of the processing, the types of personal data processed, and the categories of data subjects are set out in Annex I to this DPA.
FlutraBlue shall process personal data only for as long as the Controller's Subscription remains active. On expiry or termination of the Subscription, for whatever reason, FlutraBlue shall cease processing the Controller's personal data and shall delete or return it in accordance with the Deletion & Return section of this DPA.
Nothing in this DPA prevents FlutraBlue from retaining personal data for a longer period where and to the extent that it is required to do so by Applicable Data-Protection Law or another applicable legal obligation, provided that FlutraBlue informs the Controller of that requirement before deleting the data, unless prohibited from doing so by law.
Processing Instructions
FlutraBlue shall process personal data only on the documented instructions of the Controller, unless required to process for another purpose by Applicable Data-Protection Law or another applicable legal obligation to which FlutraBlue is subject. In such a case, FlutraBlue shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law on grounds of public interest.
The Controller's instructions are set out in this DPA and in the Terms. The Controller may issue additional written instructions from time to time; FlutraBlue shall acknowledge receipt and confirm whether it can comply with such instructions. If FlutraBlue believes that any instruction infringes Applicable Data-Protection Law, FlutraBlue shall promptly inform the Controller. FlutraBlue shall not be required to follow an instruction that it reasonably believes to be unlawful.
FlutraBlue shall not process, sell, retain, use, or disclose the Controller's personal data for any purpose other than the specific purpose of performing the services under the Terms and this DPA, including for FlutraBlue's own commercial benefit.
Confidentiality
FlutraBlue shall ensure that all personnel authorised to process personal data under this DPA are subject to appropriate confidentiality obligations — whether by contract, professional rules, or statutory duty — and that those obligations continue after the termination of the relevant individual's engagement.
FlutraBlue shall limit access to personal data to those personnel who require access for the purpose of performing FlutraBlue's obligations under the Terms and this DPA, and shall ensure that such personnel are informed of the confidential nature of the data and of their obligations in relation to it.
Security
FlutraBlue shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.
At a minimum, FlutraBlue shall implement the security measures set out in Annex II to this DPA. FlutraBlue may update or replace specific measures from time to time, provided that the overall level of protection is not materially reduced.
FlutraBlue shall assess, on a regular basis, the effectiveness of the technical and organisational measures implemented and shall adjust them as necessary in light of new vulnerabilities, developments in processing, and changes in the risk landscape.
Sub-Processors
The Controller grants FlutraBlue general written authorisation to engage the sub-processors listed in Annex III to this DPA for the purposes and in the locations set out in that Annex.
FlutraBlue shall notify the Controller of any intended addition to, or replacement of, a listed sub-processor by updating Annex III and publishing a notice (by email to the Controller's registered address or via an in-platform notice) at least thirty (30) days before the change takes effect. The Controller may object to the proposed change on reasonable, documented grounds relating to data protection by notifying FlutraBlue in writing within that period. The parties shall cooperate in good faith to resolve the objection; if no resolution is reached, the Controller may terminate the affected service on reasonable notice.
FlutraBlue shall impose data-protection obligations on each sub-processor that are no less protective than those set out in this DPA. FlutraBlue remains fully liable to the Controller for the performance of the sub-processor's data-protection obligations to the extent that the sub-processor fails to fulfil those obligations.
Data Subject Rights
FlutraBlue shall, to the extent technically feasible and having regard to the nature of the processing, assist the Controller in responding to requests by data subjects to exercise their rights under Applicable Data-Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.
Where a data subject submits a rights request directly to FlutraBlue, FlutraBlue shall promptly forward the request to the Controller and shall not respond to it independently, except to acknowledge receipt, unless the Controller instructs FlutraBlue otherwise or except where required to respond by Applicable Data-Protection Law.
FlutraBlue shall implement and maintain appropriate technical and organisational features in the Platform (such as data-export and account-deletion tools) to assist the Controller in meeting its obligations to data subjects. Any assistance that requires significant additional resources beyond routine operational activities may be subject to reasonable additional fees agreed in writing.
Personal-Data Breach Notification
FlutraBlue shall notify the Controller without undue delay — and in any event within seventy-two (72) hours — after becoming aware of a personal-data breach affecting the Controller's personal data. Where notification within seventy-two hours is not possible, FlutraBlue shall provide an initial notification within that period and shall supplement it with further information as it becomes available.
The notification shall include, to the extent known at the time of notification: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and personal-data records concerned; (b) the name and contact details of FlutraBlue's data-protection contact from whom further information can be obtained; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
FlutraBlue shall cooperate with the Controller and shall provide all reasonable assistance required to enable the Controller to comply with its own notification obligations to supervisory authorities and data subjects under Applicable Data-Protection Law.
DPIA Assistance
Where the nature of the processing is likely to result in a high risk to the rights and freedoms of natural persons — for example, large-scale processing of children's personal data — FlutraBlue shall assist the Controller in carrying out a data-protection impact assessment ("DPIA") in accordance with Applicable Data-Protection Law.
Such assistance shall include providing the Controller with relevant information about FlutraBlue's processing operations and technical and organisational measures, where that information is reasonably required to complete the DPIA and is not otherwise available to the Controller. Where the DPIA indicates that the processing would result in a high residual risk and the Controller is required to consult its supervisory authority prior to processing, FlutraBlue shall provide reasonable assistance in preparing the required documentation for that prior consultation.
Deletion & Return
On expiry or termination of the Subscription, the Controller may, within thirty (30) days of termination, request that FlutraBlue either: (a) return all personal data to the Controller in a structured, commonly used, machine-readable format; or (b) securely delete all personal data from FlutraBlue's systems and confirm deletion in writing.
If the Controller makes no request within that thirty-day period, FlutraBlue shall securely delete all of the Controller's personal data, unless Applicable Data-Protection Law or another legal obligation requires FlutraBlue to retain the data for a longer period. FlutraBlue shall notify the Controller of any such legal retention requirement.
The foregoing obligations apply to all copies of personal data held by FlutraBlue, including copies held by sub-processors. Deletion shall be carried out using industry-standard secure-erasure methods appropriate to the media on which the data is stored. Confirmation of deletion shall be provided to the Controller in writing within fourteen (14) days of completion.
Audits & Compliance
FlutraBlue shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for — and contribute to — audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
The Controller shall give FlutraBlue reasonable prior written notice of any intended audit (at least thirty (30) days, except in cases of an ongoing personal-data breach or a binding order from a supervisory authority). Audits shall be conducted during normal business hours, shall not unreasonably disrupt FlutraBlue's operations, and shall be subject to reasonable confidentiality obligations. The Controller may exercise its audit right no more than once per calendar year unless there are reasonable grounds to believe that a breach of this DPA has occurred.
FlutraBlue may satisfy the audit obligation by providing the Controller with up-to-date third-party audit reports (such as ISO 27001 certification, SOC 2 Type II reports, or equivalent) covering the relevant processing activities, provided that such reports are reasonably sufficient to allow the Controller to verify FlutraBlue's compliance. The Controller may request an on-site audit only if the third-party reports are insufficient to demonstrate compliance with a specific obligation.
International Transfers
FlutraBlue and its sub-processors may process personal data in the jurisdictions listed in Annex III. The application servers, database, and object storage holding the Controller's personal data are located in the European Union (Germany and Ireland); certain sub-processors listed in Annex III (payment processing, push-notification delivery, and error diagnostics) process limited categories of data in the United States. To the extent that any transfer of personal data to a third country (i.e., a country not recognised as providing an adequate level of protection under Applicable Data-Protection Law) is required, FlutraBlue shall ensure that such transfers are subject to appropriate safeguards, including (as applicable) standard contractual clauses approved or recognised by the relevant supervisory authority, binding corporate rules, or any other lawful transfer mechanism available under Applicable Data-Protection Law.
FlutraBlue shall promptly inform the Controller if, in FlutraBlue's reasonable opinion, a change in Applicable Data-Protection Law or a decision by a supervisory authority or court affects the validity or sufficiency of the transfer safeguard relied upon, and the parties shall cooperate in good faith to implement an alternative safeguard.
Liability
Each party's liability to the other under or in connection with this DPA (whether in contract, tort, or otherwise) is subject to the limitation of liability provisions set out in the Terms, which are incorporated into this DPA by reference.
Where a data subject or a supervisory authority holds the Controller and FlutraBlue jointly or severally liable for a breach of Applicable Data-Protection Law, FlutraBlue shall indemnify the Controller for that portion of any resulting liability, fine, penalty, or compensation that is directly attributable to FlutraBlue's own failure to comply with its obligations as Processor under this DPA, provided that the Controller has not contributed to the same damage by its own acts or omissions.
This DPA, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims), shall be governed by and construed in accordance with the laws of the Republic of Kosovo. Each party irrevocably submits to the exclusive jurisdiction of the courts of Kosovo in respect of any such dispute or claim, except where Applicable Data-Protection Law requires the involvement of the supervisory authority or courts of another jurisdiction.
Annex I — Details of Processing
This Annex sets out the subject-matter, duration, nature and purpose of the processing, and the categories of personal data and data subjects covered by this DPA.
| Category of data subjects | Categories of personal data | Processing operations | Duration |
|---|---|---|---|
| Enrolled children | Full name, date of birth, photograph, allergies and dietary requirements, medical notes, emergency contacts, enrolment dates, classroom assignment | Storage, retrieval, display to authorised staff and parents, inclusion in attendance records, meal planning, activity reports, and parent-facing updates | For the duration of the Subscription term; thereafter deleted or returned in accordance with the Deletion & Return section of this DPA |
| Parents and legal guardians | Full name, email address, phone number, relationship to child, photograph (where uploaded), communication history, consent records, pick-up authorisation status | Storage, retrieval, display to authorised kindergarten staff, use in parent-communication features, push notifications, and billing workflows | For the duration of the Subscription term; thereafter deleted or returned in accordance with the Deletion & Return section of this DPA |
| Kindergarten staff members | Full name, email address, phone number, job title, photograph (where uploaded), attendance and scheduling records, access logs | Storage, retrieval, use in staff-management, scheduling, and attendance features; access control and audit logging | For the duration of the Subscription term; thereafter deleted or returned in accordance with the Deletion & Return section of this DPA |
Annex II — Technical & Organisational Security Measures
The following technical and organisational measures are implemented by FlutraBlue as Processor to protect the personal data covered by this DPA.
- Encryption of personal data in transit using TLS 1.2 or higher.
- Encryption of personal data at rest using AES-256 or equivalent industry-standard encryption.
- Role-based access controls limiting access to personal data to authorised personnel who require it for the performance of their duties.
- Multi-factor authentication for access to production systems and administrative interfaces.
- Regular automated backups with tested restoration procedures to ensure data availability.
- Vulnerability scanning and penetration testing on at least an annual basis, with prompt remediation of critical findings.
- Patch management processes ensuring timely application of security updates to operating systems, databases, and application dependencies.
- Logging and monitoring of access to personal data and security-relevant events, with alerts for anomalous activity.
- Incident response plan covering detection, containment, eradication, recovery, and post-incident review.
- Physical security controls at hosting facilities (managed by sub-processors), including access-card authentication, CCTV, and environmental controls.
- Confidentiality obligations imposed on all personnel with access to personal data.
- Regular security awareness training for all personnel handling personal data.
- Vendor assessment process for sub-processors prior to engagement and on an ongoing basis.
- Data minimisation practices ensuring only personal data necessary for the stated purpose is collected and retained.
Annex III — Approved Sub-Processors
The following sub-processors are approved by the Controller pursuant to the Sub-Processors section of this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and billing infrastructure for subscription and invoice payments | United States (with EU/EEA data centres where applicable; Standard Contractual Clauses in place) |
| DigitalOcean, LLC — Spaces | Object storage for user-uploaded files and media (child photographs, documents, signatures, meal photos) | European Union |
| Resend | Transactional email delivery (account notifications, invoice delivery, payment reminders, breach notifications) | Ireland (European Union) |
| Hostinger | Hosting of the FlutraBlue application servers and managed PostgreSQL database in which personal data is stored | Germany (European Union) |
| Google LLC — Firebase Cloud Messaging (FCM) | Delivery of push notifications to the FlutraBlue mobile application; processes per-device push notification tokens and Firebase Installation IDs (device identifiers) solely to route notifications to the correct device | United States (Standard Contractual Clauses in place) |
| Functional Software, Inc. — Sentry | Application error and crash diagnostics for stability and security monitoring; processes technical diagnostic data and limited device and application metadata | United States (Standard Contractual Clauses in place) |