PARTIES TO THIS AGREEMENT
CONTROLLER: The Client engaging Rowville Consulting for accounting services, as detailed in the Master Services Agreement (the "Client").
PROCESSOR: Rowville Consulting (Pty) Ltd, a company registered in Botswana with its principal place of business at Gaborone, Botswana, operating through its website at https://rowvilleconsulting.co.bw (the "Processor").
This DPA is incorporated into and forms part of the Master Services Agreement between the Parties. In case of conflict, this DPA prevails regarding data protection matters.
DEFINITIONS
| Term | Definition |
|---|---|
| UK GDPR | The General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018. |
| Irish GDPR | The General Data Protection Regulation as applied in Ireland under the Data Protection Act 2018. |
| Personal Data | Any information relating to an identified or identifiable natural person processed under the Agreement. |
| Processing | Any operation performed on Personal Data (collection, recording, storage, etc.). |
| Sub-processor | A third party engaged by Processor to process Personal Data. |
| Data Subject | An individual whose Personal Data is processed (employees, customers, etc. of Controller). |
| Security Incident | Breach of security leading to accidental or unlawful destruction, loss, or alteration of, or access to, Personal Data. |
DETAILS OF PROCESSING
Subject Matter & Duration
Processing of Personal Data necessary to provide the accounting and finance services described in the Master Services Agreement. Duration matches the term of the Agreement plus applicable statutory retention periods.
Nature & Purpose
Processing includes: preparation of management accounts, financial statements, tax computations, payroll processing, bookkeeping, and related advisory services as instructed by Controller.
Types of Personal Data
May include: Employee details (name, salary, contact info), customer/vendor information, financial transaction data, and any other data provided by Controller for accounting purposes.
Categories of Data Subjects
Controller's employees, directors, shareholders, customers, suppliers, and other individuals whose data is included in financial records provided to Processor.
PROCESSOR OBLIGATIONS
Instructions & Compliance
Processor shall only process Personal Data on documented instructions from Controller, unless required by applicable law. Processor shall immediately inform Controller if, in its opinion, an instruction infringes UK/Irish GDPR.
Confidentiality
Processor ensures persons authorised to process Personal Data are subject to confidentiality obligations (contractual or statutory) that survive termination of their engagement.
Security Measures
Processor implements and maintains technical and organisational measures detailed in Appendix 1 to ensure a level of security appropriate to the risk.
Sub-processing
Controller grants general authorisation for Processor to engage Sub-processors listed in Appendix 2. Processor shall provide 30 days' notice of intended changes, giving Controller an opportunity to object.
Data Subject Rights
Processor shall assist Controller in responding to Data Subject requests by appropriate technical and organisational measures.
Security Incident Notification
Processor shall notify Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Security Incident. Notifications shall include available details and proposed mitigation steps.
Deletion/Return of Data
At Controller's choice, Processor shall delete or return all Personal Data after termination of services, and delete existing copies unless applicable law requires storage.
Audit Rights
Upon reasonable notice, Processor shall make available to Controller (or its independent auditor) information necessary to demonstrate compliance. Audits shall be conducted at Controller's expense, no more than annually, and subject to confidentiality agreements.
CONTROLLER OBLIGATIONS
Controller warrants that it has a lawful basis for processing and the necessary notices/consents for Processor to process Personal Data as described herein.
Controller shall provide clear instructions and any necessary cooperation for Processor to perform its obligations.
Controller is responsible for responding to Data Subject requests regarding data processed by Processor.
INTERNATIONAL TRANSFERS
Controller acknowledges that Processor's primary processing operations are in Botswana.
Where UK/Irish Personal Data is transferred to Botswana, such transfer shall be governed by:
- UK International Data Transfer Agreement or Addendum
- EU Standard Contractual Clauses (Module Two: Controller to Processor)
- Supplementary technical measures as detailed in Appendix 1
Processor shall not transfer Personal Data to any third country not covered by adequacy regulations without Controller's prior written consent.
APPENDICES
APPENDIX 1: TECHNICAL AND ORGANISATIONAL MEASURES
| Security Area | Measures Implemented |
|---|---|
| Access Control | Role-based access, Multi-factor authentication, Unique user IDs, Regular access reviews, Principle of least privilege |
| Encryption | AES-256 at rest, TLS 1.3 in transit, Encrypted backups, Key management procedures |
| Physical Security | Secure data centers (via cloud providers), Visitor logs, Access control systems |
| Network Security | Firewalls, Intrusion detection, VPN for remote access, Regular vulnerability scans |
| Incident Response | Documented response plan, 24/7 monitoring, Escalation procedures, Breach notification within 48 hours |
| Business Continuity | Daily encrypted backups, Disaster recovery plan, Regular testing |
| Personnel Security | Background checks, Confidentiality agreements, Security training, Clear desk policy |
APPENDIX 2: AUTHORISED SUB-PROCESSORS
| Sub-processor | Service | Location | Purpose |
|---|---|---|---|
| Microsoft Corporation | Microsoft 365 / Azure | UK/EEA Data Centers | Email, document storage, collaboration |
| Xero (UK) Limited | Xero Accounting Platform | United Kingdom | Cloud accounting software |
| QuickBooks (Intuit) | QuickBooks Online | United Kingdom | Cloud accounting software |
| [Your Cloud Provider] | Infrastructure | [Location] | Data processing infrastructure |
Note: Controller will be notified 30 days before engaging new Sub-processors.
AGREED AND ACCEPTED
FOR AND ON BEHALF OF CONTROLLER
Company Name: ________________________________
Signature: ____________________________________
Name (Print): _______________________________
Title: _______________________________________
Date: ________________________________________
FOR AND ON BEHALF OF PROCESSOR
Rowville Consulting (Pty) Ltd
Gaborone, Botswana
Signature: ____________________________________
Name (Print): _______________________________
Title: _______________________________________
Date: ________________________________________