Data Processing Agreement
This DPA governs how LitFin processes personal data on behalf of subscribing financial institutions.
Last updated: February 2026
1. Definitions
In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below:
"Controller" means the bank or financial institution that determines the purposes and means of processing Personal Data through the LitFin Platform.
"Processor" means LitFin Technologies Limited, which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to loan applicant data, financial records, identification documents, and credit information.
"Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose
This DPA governs the processing of Personal Data by LitFin as Processor on behalf of the Controller (subscribing bank) in connection with the LitFin loan origination platform.
The purpose of processing includes:
• Loan application intake and processing
• Credit scoring and risk assessment
• Document verification and intelligent processing
• Identity verification (KYC/AML compliance)
• Communication with loan applicants
• Regulatory reporting and compliance
• Analytics and portfolio management
Processing is carried out in accordance with the Tanzania Data Protection Act, 2022, the Banking and Financial Institutions Act, 2006, and applicable Bank of Tanzania regulations.
3. Processor Obligations
LitFin as Processor shall:
1. Process Personal Data only on documented instructions from the Controller
2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality
3. Implement appropriate technical and organisational security measures
4. Assist the Controller in responding to data subject access requests
5. Delete or return all Personal Data upon termination of services, at the Controller's choice
6. Make available all information necessary to demonstrate compliance with this DPA
7. Immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law
8. Maintain a record of all categories of processing activities carried out on behalf of the Controller
9. Conduct data protection impact assessments where required
10. Appoint a data protection officer where required by law
4. Security Measures
LitFin implements the following technical and organisational measures to ensure the security of Personal Data:
Technical Measures:
• AES-256 encryption of data at rest
• TLS 1.3 encryption of data in transit
• Multi-factor authentication for all platform access
• Role-based access control (RBAC)
• Regular penetration testing and vulnerability assessments
• Automated threat detection and monitoring
• Secure API authentication using OAuth 2.0
• Database-level encryption and access logging
Organisational Measures:
• Staff training on data protection and information security
• Background checks for personnel with access to Personal Data
• Incident response procedures and breach notification protocols
• Regular security audits and compliance reviews
• Data minimisation and purpose limitation policies
• Vendor security assessment programme
5. Sub-processors
The Controller provides general authorisation for LitFin to engage Sub-processors, subject to the following conditions:
1. The current list of Sub-processors is published at https://litfin-credit.com/legal/sub-processors and machine-readable at https://litfin-credit.com/api/legal/sub-processors. The list carries a version number that changes whenever the roster changes.
2. When LitFin intends to add or replace a Sub-processor, the Controller shall be notified at the registered DPA contact email and at privacy@litfin-credit.com, with at least thirty (30) calendar days' notice prior to the change taking effect.
3. The Controller may object in writing to any new Sub-processor within the 30-day notice window. Where the objection cannot be resolved by reasonable accommodation (for example, a documented alternate Sub-processor for the affected data flow), the Controller shall have the right to terminate the affected services with no liability for unused subscription term.
4. LitFin shall impose the same or stricter data protection obligations on every Sub-processor by binding written contract, including obligations of confidentiality, technical and organisational security, breach notification, deletion / return of data on termination, and audit rights flowed down from this DPA.
5. LitFin remains fully liable to the Controller for the acts and omissions of every Sub-processor.
6. The current published list at https://litfin-credit.com/legal/sub-processors is incorporated into this DPA by reference.
6. International Data Transfers
Personal Data processed through LitFin is primarily stored and processed within East Africa.
Where international data transfers are necessary (for example, for cloud infrastructure or AI processing), LitFin ensures appropriate safeguards are in place, including:
• Standard contractual clauses approved by the Tanzania Information and Communications Technology Commission
• Adequacy assessments of the receiving jurisdiction
• Supplementary technical measures (encryption, pseudonymisation)
The Controller will be informed of any change in data storage location. All transfers comply with the requirements of the Tanzania Data Protection Act, 2022.
7. Data Breach Notification
In the event of a Personal Data breach, LitFin shall:
1. Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach
2. Provide the Controller with sufficient information to assess the impact of the breach
3. Cooperate with the Controller in investigating and mitigating the breach
4. Maintain a record of all data breaches
The breach notification shall include:
• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact details of the LitFin data protection officer
8. Anonymized Aggregation and Platform Intelligence
The Controller acknowledges and authorises LitFin to derive anonymized aggregate insights from Processing carried out under this DPA, subject to the following safeguards:
1. Aggregation pipeline. Raw events flow into a per-tenant store and are then passed through an anonymization pipeline that (a) strips direct identifiers, (b) generalises quasi-identifiers (region, age range, time-of-day buckets), (c) applies k-anonymity with k of at least five (k>=5), and (d) adds calibrated Laplace noise (epsilon <= 1.0) to numeric counts.
2. Result. The output of the pipeline is no longer Personal Data within the meaning of section 2 of the Tanzania Personal Data Protection Act, 2022 and Recital 26 of the GDPR.
3. Use. LitFin may use the anonymized aggregate output to operate, secure, evaluate, and improve the Platform, including the LitFin internal admin intelligence layer. LitFin shall not attempt to re-identify, link, or otherwise reverse the anonymization.
4. Documentation. The pipeline parameters, drop rates, and noise budget are documented and made available to the Controller upon reasonable request as part of the audit cooperation under Section "Audits".
5. Controller-specific data. Nothing in this Section authorises the use of Controller-identified Personal Data outside the documented Processing instructions.
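The four pipeline steps in item 1 above (strip direct identifiers, generalise quasi-identifiers, enforce k-anonymity with k >= 5, add Laplace noise with epsilon <= 1.0) can be illustrated end to end. The following is an added worked example, not LitFin's pipeline or any code from this DPA; the field names, the "Region/District" location format, the ISO-8601 timestamp format, and the decision to suppress classes smaller than k are all assumptions made for the illustration.

```python
"""Toy anonymisation pipeline following the four steps listed in Section 8(1).
Constructed example, not LitFin's code. Field names and formats are assumed."""
from collections import defaultdict
import math
import random

# Direct identifiers that never leave the per-tenant store (assumed field names).
DIRECT_IDENTIFIERS = {"applicant_id", "national_id", "full_name", "phone", "email"}


def generalise(record):
    """Step (b): map one stripped event to a coarse quasi-identifier tuple
    (region, 10-year age band, time-of-day bucket)."""
    region = record["district"].split("/")[0]        # assumed "Region/District" format
    decade = (record["age"] // 10) * 10
    age_band = f"{decade}-{decade + 9}"
    hour = int(record["timestamp"][11:13])            # assumed ISO-8601 "YYYY-MM-DDTHH:MM:SSZ"
    if hour < 6:
        tod = "night"
    elif hour < 12:
        tod = "morning"
    elif hour < 18:
        tod = "afternoon"
    else:
        tod = "evening"
    return (region, age_band, tod)


def laplace_noise(rng, scale):
    """Step (d): one Laplace(0, scale) sample via inverse-CDF on a uniform draw."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1e-12, 1.0 - 2.0 * abs(u)))


def anonymise(records, k=5, epsilon=1.0, seed=None):
    """Run steps (a)-(d) and return aggregate rows plus the parameters and drop rate
    that Section 8(4) says are documented for the Controller."""
    if k < 5 or not 0 < epsilon <= 1.0:
        raise ValueError("k must be >= 5 and 0 < epsilon <= 1.0 (Section 8(1) bounds)")
    rng = random.Random(seed)
    classes = defaultdict(list)
    for rec in records:
        stripped = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}  # step (a)
        classes[generalise(stripped)].append(stripped)
    # Two counts are released per class; each count has sensitivity 1, so give each
    # Laplace(2/epsilon) noise and the class as a whole spends epsilon (sequential composition).
    scale = 2.0 / epsilon
    rows, suppressed = [], 0
    for (region, band, tod), members in sorted(classes.items()):
        if len(members) < k:                           # step (c): suppress small classes
            suppressed += len(members)
            continue
        approved = sum(1 for m in members if m["outcome"] == "approved")
        rows.append({
            "region": region, "age_band": band, "time_of_day": tod,
            "applications": max(0, round(len(members) + laplace_noise(rng, scale))),
            "approved": max(0, round(approved + laplace_noise(rng, scale))),
        })
    return {"rows": rows, "k": k, "epsilon": epsilon,
            "drop_rate": suppressed / len(records) if records else 0.0}


def sample_records():
    """Constructed raw events (fictional applicants): eight in one equivalence
    class (kept) and three in another (suppressed because 3 < k)."""
    recs = []
    for i in range(8):
        recs.append({"applicant_id": f"A{i:03d}", "full_name": f"Person {i}",
                     "phone": "+255700000000", "district": "Dar es Salaam/Ilala",
                     "age": 31 + (i % 5), "timestamp": f"2026-02-10T09:{i:02d}:00Z",
                     "outcome": "approved" if i % 4 else "declined"})
    for i in range(3):
        recs.append({"applicant_id": f"B{i:03d}", "full_name": f"Person {i + 8}",
                     "phone": "+255700000001", "district": "Arusha/Arusha City",
                     "age": 45 + i, "timestamp": "2026-02-10T20:15:00Z",
                     "outcome": "approved"})
    return recs


if __name__ == "__main__":
    print(anonymise(sample_records(), seed=7))
```

Two points worth noting for an auditor reading Section 8(4): the `drop_rate` (here 3 of 11 events suppressed) is exactly the figure a Controller would ask for, and the noise budget is what the `scale` line encodes, since releasing several statistics from one class consumes epsilon cumulatively rather than once.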
9. Data Subject Rights
LitFin shall assist the Controller in fulfilling its obligations to respond to data subject requests, including:
• Right of access to Personal Data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
LitFin provides technical mechanisms within the platform to facilitate these rights, including data export, anonymisation, and deletion tools.
Response to data subject requests will be provided within the timeframes required by applicable law.
10. Term and Termination
This DPA shall remain in effect for the duration of the Controller's subscription to the LitFin Platform.
Upon termination:
1. LitFin shall cease all processing of Personal Data within 30 days
2. At the Controller's choice, LitFin shall delete or return all Personal Data
3. LitFin shall provide certification of data deletion upon request
4. Certain data may be retained where required by law or regulation (for example, audit logs, regulatory records)
The obligations of confidentiality and data protection survive termination of this DPA.
For questions about this Data Processing Agreement, contact us at dpo@litfin-credit.com.