Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is entered into between:
The Customer (as defined in the Pilot Terms and Conditions), hereinafter referred to as the "Controller",
- and -
Beam GmbH, hereinafter referred to as the "Processor"
(collectively the "Parties").
This DPA forms an integral part of the "Beam GmbH - Mira Pilot Terms and Conditions" (the "Main Agreement") between the Parties.
1. Subject Matter and Scope
(1) This DPA specifies the data protection obligations of the Parties arising from the Processor's processing of personal data on behalf of the Controller in the context of the services provided under the Main Agreement (the "Services").
(2) The Processor shall process personal data for the Controller in accordance with the terms of this DPA and the Controller's documented instructions.
(3) The primary location for the processing of personal data by the Processor is within the European Economic Area (EEA).
2. Nature and Purpose of Processing, Type of Personal Data, and Categories of Data Subjects
(1) Nature and Purpose: The Processor will process personal data for the purpose of providing the Mira software platform as a service. This includes capturing, storing, structuring, analyzing, and providing access to knowledge-based content (including video and other media) uploaded by the Controller's authorized users. The processing is carried out to enable the Controller to evaluate the Software for its internal business purposes.
(2) Duration: The processing of personal data will be for the duration of the Pilot Period as defined in the Main Agreement.
(3) Categories of Data Subjects:
* Employees, contractors, and other authorized users such as customers of the Controller who access the Software.
* Individuals (typically employees of the Controller) who are filmed, recorded, or otherwise featured in the content uploaded to the Software by the Controller's users.
(4) Types of Personal Data:
* User Account Data: Name, email address, user ID, login credentials.
* Content Data: Personal data contained within any files uploaded to the Software, which may include:
  * Video and audio recordings (image, likeness, voice).
  * Names, job titles, and other personal identifiers mentioned in the content.
* Usage Data: Technical data related to the use of the Software, such as IP addresses, device information, and activity logs.
3. Obligations of the Processor
(1) Instructions: The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which the Processor is subject.
(2) Confidentiality: The Processor shall ensure that all persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(3) Security: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Appendix 1 (Technical and Organizational Measures).
(4) Sub-processing: The Controller provides a general authorization for the Processor to engage other processors ("Sub-processors") as listed in Appendix 2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. The Processor shall impose on its Sub-processors the same data protection obligations as set out in this DPA.
(5) Data Subject Rights: The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights.
(6) Assistance to Controller: The Processor shall assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
(7) Personal Data Breach Notification: The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data. The notification shall at least describe the nature of the breach, the likely consequences, and the measures taken or proposed to be taken by the Processor to address the breach.
(8) Data Deletion and Return: At the end of the provision of services, the Processor shall, at the choice of the Controller, delete all personal data uploaded by the Controller, and delete existing copies unless Union or Member State law requires storage of the personal data.
(9) Audits: The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller shall bear all costs and expenses related to any audit or inspection it chooses to conduct.
4. Obligations of the Controller
(1) The Controller is solely responsible for the lawfulness of the data processing and for safeguarding the rights of data subjects.
(2) The Controller is responsible for providing all necessary notices and obtaining all necessary consents from data subjects (e.g., employees being filmed) for the processing of their personal data via the Software.
(3) The Controller shall provide the Processor with clear and lawful instructions for the processing of personal data.
5. Liability
(1) The liability of the Parties for damages resulting from a breach of this DPA shall be determined in accordance with Article 82 of the GDPR.
(2) The Processor's liability under this DPA shall be limited to the value of the services provided under the Main Agreement. This limitation shall not apply in cases of damages to life, body, or health, or in cases of the Processor's gross negligence or willful misconduct.
6. Final Provisions
(1) In case of any conflict, the provisions of this DPA shall take precedence over the provisions of the Main Agreement.
(2) This DPA is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is Berlin, Germany.
Appendix 1: Technical and Organizational Measures (TOMs)
The Processor has implemented the following measures to protect the personal data processed on behalf of the Controller, in line with GDPR requirements:
- Confidentiality (Art. 32 para. 1 lit. b GDPR): To ensure confidentiality, access to systems is protected and managed via a role-based concept. All data is encrypted in transit (e.g., using TLS) and at rest.
- Integrity (Art. 32 para. 1 lit. b GDPR): To ensure integrity, the Controller's data is logically segregated from other customers' data, and all changes to the production environment are logged and controlled.
- Availability and Resilience (Art. 32 para. 1 lit. b GDPR): To ensure availability, regular data backups are performed, and systems are monitored for performance and resilience.
- Regular Testing and Evaluation (Art. 32 para. 1 lit. d GDPR): To ensure ongoing security, the Processor conducts regular reviews of its security measures and maintains an internal process for managing data breaches.
Appendix 2: Sub-processors
The Controller agrees that the Processor may engage the following Sub-processors to process personal data:
- Amazon Web Services EMEA SARL: Used for cloud hosting, storage, and backend infrastructure. Country of Processing: Germany (Frankfurt).
- Logto, Inc.: Used for Identity and Access Management (User Authentication). Country of Processing: Germany (Frankfurt).
- OpenAI, L.L.C.: Used for AI-powered speech-to-text and text generation. Country of Processing: USA.
- Sentry (Functional Software, Inc.): Used for error monitoring and performance analysis. Country of Processing: USA.
- Cloudflare, Inc.: Used for Content Delivery Network (CDN) and security services. Country of Processing: USA.