Data Processing Agreement

AI-Powered Recruitment Platform Services

Effective Date: November 2, 2025

NetConnect Private Limited

Operating as Welocity™
CIN: U32202KA1997PTC021881

INTRODUCTION

This Data Protection Agreement (“Agreement”) forms an integral part of, and is incorporated into, the Welocity Terms of Service (the “Principal Agreement”) and governs the Processing of Personal Data by NetConnect Private Limited, operating as Welocity™ (“Welocity”, “we”, “us”, “our”) in connection with the Services, in its dealings with any entity that accesses or uses the Welocity platform (“Client”, “Customer”, “you”, “your”).

Roles — read this first. Welocity is the controller of candidate Personal Data Processed within the platform, however a candidate enters it (direct application, Welocity sourcing, or Client self-service upload). Welocity determines the purposes and means of that Processing, including sourcing, profile creation, AI-assisted interviews through Octo, assessment, talent pooling, and matching. When Welocity discloses a candidate to a Client, the Client receives that data as a separate, independent controller and is responsible for its own subsequent Processing. Welocity and Clients are therefore independent controllers — not joint controllers. The controller-to-controller terms in Articles 1–4 and 6–14 govern this default relationship. Welocity acts as a processor only in the limited circumstances described in the Processor Annex (Annex 1) — namely, where a Client instructs Welocity to screen the Client’s own applicants against the Client’s own criteria. In that case, the Article 28 processor terms in Annex 1 apply to that Processing.

By accessing or using the platform, the Client agrees to this Agreement, which is binding for the purposes of the GDPR and equivalent Data Protection Laws. It applies to all Customers upon use of the platform; the parties may also execute a countersigned copy on request. In the event of conflict between this Agreement and the Principal Agreement on data-protection matters, this Agreement prevails.

ARTICLE 1: DEFINITIONS AND INTERPRETATION

1.1 Definitions

“Applicable Law” means any law, statute, regulation, rule, order, decree, judgment, or other legally binding requirement in the relevant jurisdiction.

“Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, and data security, including, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR and the UK Data Protection Act 2018, India’s Digital Personal Data Protection Act, 2023, and any other applicable laws, in each case as amended or replaced from time to time.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates, including job candidates, employees, contractors, and authorized users.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Platform” means the Welocity AI-assisted recruitment platform, including all associated services, features, and functionalities.

“Platform Data” means aggregated, anonymized, or de-identified data derived from Processing activities that cannot be attributed to any specific Data Subject or Controller.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.

“Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data that materially compromises the confidentiality, integrity, or availability of the Controller’s Personal Data.

“Services” means the AI-assisted recruitment and talent-assessment services provided through the Platform.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Implementing Decision (EU) 2021/914), and any applicable UK International Data Transfer Addendum and Swiss amendments, in the module appropriate to the relationship (controller-to-controller or controller-to-processor).

“Sub-processor” means any third party engaged by Welocity to Process Personal Data in connection with the Services.

1.2 Interpretation

references to statutory provisions include amendments and re-enactments;
headings are for convenience only;
“including” means “including without limitation”;
references to the singular include the plural and vice versa; and
in case of conflict between this Agreement and the Principal Agreement on data-processing matters, this Agreement prevails.

ARTICLE 2: SCOPE AND PURPOSE OF PROCESSING

2.1 Subject Matter and Duration

The subject matter of Processing under this Agreement is the provision of AI-assisted recruitment services through the Platform, including automated candidate assessment, interview analysis, skills evaluation, talent matching, and duplicate detection. Processing continues for as long as the Controller uses the Services, subject to the retention and deletion terms of Article 11.

2.2 Nature and Purpose

The nature of Processing includes:

(a) collection via API integration and web interfaces;

(b) storage in encrypted cloud infrastructure;

(d) duplicate detection within job requisitions;

(e) transmission to authorized recipients;

(f) retention for platform optimization , subject to explicit, freely-given and documented Data Subject consent obtained via the Platform, for cross-client talent pool management;

(g) Client access and use for a maximum of sixty (60) days for a specific job (the “Client Use Window”); and
(h) deletion upon Controller instruction or at the end of the applicable retention period .

The purpose is to provide the recruitment Services and to maintain and improve Platform capabilities in accordance with Data Protection Laws.

2.3 Categories of Data Subjects

Job candidates and applicants
Current employees subject to internal mobility
Contractors and temporary workers
Authorized users (recruiters, hiring managers)
Reference providers

2.4 Categories of Personal Data

Identification Data: name, email, phone, address.

Professional Data: CV/resume, work history, education, certifications, skills.

Assessment Data: interview recordings, responses, evaluation scores.

Technical Data: IP addresses, device identifiers, browser information.

Special Categories: processed only where a lawful condition under Article 9 GDPR (or equivalent) applies, such as the Data Subject’s explicit consent. Welocity does not use the Platform to infer special-category data, and does not perform emotion recognition in the employment context

Article 3: Roles of the Parties; Platform Operations and Proprietary Rights

3.1 Roles of the Parties

Welocity as controller (default). Welocity is the controller of candidate Personal Data Processed within the platform, however the candidate entered it — by direct application, by Welocity sourcing, or by Client self-service upload. Welocity determines the purposes and means of that Processing (sourcing, profile creation, Octo interviews, AI assessment, talent pooling, matching, and the candidate’s use of the candidate portal).

Client as independent controller. When Welocity discloses a candidate to a Client, the Client receives that data as a separate, independent controller and is responsible for its own Processing under its own privacy practices and lawful basis. Welocity and the Client are independent controllers, not joint controllers, and neither determines the purposes and means of the other’s Processing.

Moment of transfer. A candidate ceases to be solely Welocity’s responsibility only when, and to the extent that, the Client exports or records that candidate’s Personal Data in the Client’s own systems following the Client’s own interview or selection decision. Before that moment, responsibility for the in-platform record rests with Welocity; after it, the Client is responsible for its own copy.

Welocity as processor (limited case). Welocity acts as a processor only where a Client instructs it to screen the Client’s own applicants against the Client’s own criteria, with no talent-pooling or cross-client matching of those applicants. The Article 28 terms in Annex 1 (Processor Annex) govern that Processing.

Anonymized data. Welocity Processes anonymized and aggregated Platform Data for its own purposes; such data is not Personal Data.

3.2 Responsibility for Data-Subject Requests

For as long as candidate Personal Data is held within the platform, Welocity is responsible for responding to data-subject requests in respect of that data (including access, rectification, erasure, restriction, objection, and portability), and will action them directly without requiring Client permission. Where a Client has exported a copy of a candidate’s data into its own systems, the Client is the controller of, and responsible for, that copy; Welocity may forward a request to the Client as a courtesy but is not responsible for the Client’s copy. Each party will provide reasonable cooperation to the other in handling requests that touch both copies.

3.3 Client Use Window

A Client’s right to access and use identifiable candidate Personal Data made available through the platform for a particular job requisition is limited to the active recruitment period for that requisition and, in any event, shall not exceed sixty (60) days from the date the candidate is first made available for that requisition (the “Client Use Window”), unless the Client has exported the candidate into its own systems following its own selection, in which case the Client’s own retention rules apply to its copy. Within the platform, Welocity applies the retention rules in Article 11.

3.4 Multiple-Client Access and Duplicate Detection

Welocity may make a candidate’s profile available to more than one Client where it has a lawful basis to do so, and the same CV may be considered for more than one opportunity. Duplicate checking applies only within the context of a specific job requisition (Job ID) unless the candidate has agreed to cross-requisition or cross-client duplicate detection, in which case Welocity documents the scope. No Client acquires exclusive rights over a candidate by virtue of a submission or upload.

3.5 Platform Intelligence and Anonymized Data

As controller, Welocity may analyze submitted data to recognize patterns, improve its AI algorithms, create industry insights and benchmarks, develop predictive models, and build talent pools, on a valid lawful basis (typically legitimate interests, subject to a balancing test, or consent where required). Welocity may retain anonymized or aggregated Platform Data indefinitely, provided it cannot be used to re-identify Data Subjects.

3.6 No Exclusivity; Candidate Freedom

No exclusive rights to any candidate are granted to any Client through submission to, or upload into, the platform. Candidates remain free to search and apply for opportunities through the platform, and no Client may assert that a candidate’s in-platform profile is the Client’s data while it is held within the platform. Welocity may proactively match candidates across its client base in compliance with Data Protection Laws.

3.7 Proprietary Rights

Welocity retains all rights, title, and interest in (a) the platform and underlying technology; (b) its algorithms, models, and AI systems; (c) anonymized, aggregated, and de-identified Platform Data and derived insights; and (d) all improvements and enhancements to the platform. No party “owns” Personal Data; the candidate is the data subject, and the parties’ responsibilities are as set out in this Article. Welocity does not claim ownership of identifiable candidate Personal Data and processes it only on a lawful basis under Data Protection Laws.

3.8 Client Self-Service Uploads

Where a Client uploads a candidate’s CV or details through self-service, the Client warrants that it had a lawful basis to share that data and gave the candidate any notice required of it. On ingestion, the data enters the Welocity talent pool and Welocity becomes the controller for all in-platform Processing, and will provide its own candidate-facing notice as required by Articles 13 and 14 GDPR. The Client remains the controller only of its own retained copy.

Article 4: Obligations of the Parties

4.1 Welocity’s Obligations (as controller)

As controller of in-platform candidate data, Welocity shall:

Process Personal Data only on a valid lawful basis under Data Protection Laws, and provide candidates with transparent information about the Processing (Articles 13–14 GDPR), including where data is obtained by sourcing rather than from the candidate directly;

ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations;

implement and maintain the technical and organizational security measures set out in Article 6 and Schedule A, appropriate to the risk and consistent with Article 32 GDPR;

engage Sub-processors only in accordance with Article 5;

respond to data-subject requests for the in-platform record as set out in Article 3.2, and honour withdrawal of consent and objections;

maintain a Record of Processing Activities (Article 30 GDPR) and carry out Data Protection Impact Assessments where required (Article 35 GDPR), including for the AI-assisted interview;

make available, on reasonable request and under confidentiality, the information reasonably necessary to demonstrate compliance with this Agreement and Data Protection Laws; and

where Welocity acts as a processor under Annex 1, comply with the Article 28 obligations set out there.

4.2 Welocity’s Operational Discretion

Subject to the proviso below, Welocity retains discretion regarding:

(a) technical implementation methods;

(b) choice of Sub-processors and vendors;

(d) security measures and protocols;

(e) platform features and functionality;

(f) service improvements and updates. Welocity shall exercise such discretion in a manner that does not materially reduce the level of data protection required under this Agreement or Applicable Law.

4.3 Client’s Obligations (as independent controller)

The Client shall:

(a) ensure it has a lawful basis for its own Processing of any candidate data it receives or uploads;

(b) for self-service uploads, warrant lawful basis and that it has given any notice required of it;

(c) use candidate data received from Welocity only to evaluate candidates for its own roles, and not for any incompatible purpose;

(d) not make onward transfers of that data without an appropriate lawful basis;

(e) provide its own privacy notice to candidates for its own Processing;

(f) comply with applicable Data Protection Laws; and

(g) not use the platform for any unlawful purpose.

Article 5: Sub-processors

5.1 General Authorization. The Controller provides a general written authorization for Welocity to engage Sub-processors to Process Personal Data in connection with the Services, subject to this Article.

5.2 List and Changes. A list of current Sub-processors is available to Controllers on request under appropriate confidentiality terms. Welocity will give the Controller prior notice of the addition or replacement of a Sub-processor (for example, by Platform notice or email) and a reasonable opportunity to object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection, the Controller may suspend or terminate the affected Services.

5.3 Flow-down. Welocity will impose on each Sub-processor data-protection obligations no less protective than those in this DPA, in particular those required by Article 28(4) GDPR.

5.4 Liability. Welocity remains responsible to the Controller for the performance by its Sub-processors of their data-protection obligations.

Article 6: Security Measures

6.1 Technical and Organizational Measures

Welocity implements and maintains technical and organizational security measures appropriate to the risk, consistent with Article 32 GDPR and the controls described in Schedule A, including:

Encryption of data at rest and in transit;
Access controls and authentication mechanisms;
Regular security assessments and updates;
Network security and monitoring; and
Documented incident-response procedures.

6.2 Service Availability

THE PLATFORM IS PROVIDED ON AN “AS AVAILABLE” BASIS. WELOCITY DOES NOT GUARANTEE UNINTERRUPTED SERVICE, ERROR-FREE OPERATION, OR ABSOLUTE SECURITY. NO SYSTEM IS COMPLETELY SECURE, AND CONTROLLERS ACKNOWLEDGE THIS INHERENT RISK. THIS DOES NOT REDUCE WELOCITY’S OBLIGATION TO MAINTAIN APPROPRIATE SECURITY MEASURES UNDER ARTICLE 6.1 AND APPLICABLE LAW.

Article 7: Data Subject Rights

7.1 Responsibilities

7.1.1 In-platform data. As controller of candidate data held within the platform, Welocity is responsible for responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) in respect of that data, and for honouring withdrawal of consent and objections, as set out in Article 3.2. Welocity provides candidates with a clear means to make such requests (including via the candidate portal and privacy@welocity.ai).

7.1.2 Exported copies. Where a Client has exported candidate data into its own systems, the Client is responsible, as independent controller, for responding to requests concerning its own copy. Each party will reasonably cooperate with the other where a request affects both copies; Welocity may forward to the Client any request it receives that concerns the Client’s copy.

7.1.3 Processor case. Where Welocity acts as a processor under Annex 1, it will not respond to a data-subject request except on the Client’s documented instructions or as required by Applicable Law, and will assist the Client in responding, as set out in Annex 1.

7.2 Limitations

Data-subject rights do not apply to anonymized or aggregated data that cannot reasonably be re-identified

Article 8: Security Incidents

8.1 Incident Notification

In the event of a confirmed Security Incident affecting the Controller’s Personal Data, Welocity shall notify the Controller without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of it. Notifications will be provided by email or Platform notification and will contain, to the extent reasonably available, the nature and scope of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the mitigation steps taken or proposed.

8.2 Incident Response

Welocity will take reasonable steps to investigate, contain, and mitigate Security Incidents, and will cooperate with and provide reasonable assistance to the Controller in any regulatory notifications, mitigation, and remediation. The Controller remains responsible for its own incident-response and regulatory-notification obligations as controller.

Article 9: Liability and Indemnification

9.1 Limitation of Liability

To the maximum extent permitted by law:

Welocity’s total aggregate liability under this Agreement shall not exceed the fees paid by the Controller in the three (3) months preceding the event giving rise to the claim;

Welocity shall not be liable for indirect, consequential, special, incidental, or punitive damages;

Welocity shall not be liable for regulatory fines or penalties imposed on the Controller as a result of the Controller’s own acts or omissions; and

these limitations apply regardless of the theory of liability.

Nothing in this Agreement excludes or limits either party’s liability where it cannot be excluded or limited under Applicable Law, including a party’s liability to Data Subjects under Article 82 GDPR, or liability for fraud, wilful misconduct, or gross negligence.

9.2 Controller Indemnification

The Controller shall defend, indemnify, and hold harmless Welocity from third-party claims, damages, losses, and expenses (including reasonable attorneys’ fees) arising from (a) the Controller’s use of the Platform; (b) the Controller’s violation of law; (c) the Controller’s breach of this Agreement; (d) claims by Data Subjects to the extent caused by the Controller’s acts or omissions; and (e) the Controller’s instructions, except to the extent such claims arise from Welocity’s own breach of this Agreement or Data Protection Laws.

9.3 Risk Acknowledgment

The limitations of liability reflect the allocation of risk between the parties and are a fundamental element of the basis of the bargain. Welocity would not provide the Services without these limitations

Article 10: Audit and Compliance

10.1 Compliance Documentation and Audits

Welocity shall make available to the Controller, on reasonable written request and subject to confidentiality undertakings, the information and relevant third-party audit reports or certifications (for example, SOC 2 or ISO/IEC 27001) reasonably necessary to demonstrate compliance with this DPA. Document-based remote review is the default means of audit. Where such documentation is insufficient to demonstrate compliance, or where required by a competent supervisory authority or by Applicable Law, the Controller (or a mandated independent auditor bound by confidentiality) may conduct an audit on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a Security Incident), during business hours, and in a manner that does not unreasonably disrupt Welocity’s operations.

10.2 Compliance Costs

Extraordinary compliance assistance beyond the provision of standard documentation may be subject to Welocity’s reasonable professional-services fees, agreed in advance.

Article 11: Data Retention and Deletion

11.1 Retention Periods

Active recruitment data: retained for the duration of the recruitment process.

Candidate profiles: as controller, Welocity retains identifiable candidate Personal Data on a valid lawful basis (typically legitimate interests for talent-pooling and re-engagement, subject to a balancing test, or consent where required), and only for as long as necessary for the notified purposes or as required/permitted by Applicable Law. Where no lawful basis applies, Welocity deletes or irreversibly anonymizes the data. Candidates may withdraw consent or object at any time.

Platform optimization data: anonymized or aggregated data derived from Personal Data may be retained indefinitely, provided it cannot be used to re-identify Data Subjects.

Audit logs: retained for a minimum of 24 months or as required by Applicable Law. (d) Audit logs: Retained for a minimum of 24 months or as required by Applicable Law.

11.2 Termination Effects

Upon termination of a Client’s use of the Services: (a) the Client’s access ceases immediately; (b) the Client remains the independent controller of any candidate data it has exported into its own systems and is responsible for deleting or retaining its own copy under Applicable Law; (c) within the platform, candidate data continues to be governed by Welocity as controller under the retention rules in Article 11.1; (d) anonymized Platform Data may be retained by Welocity in accordance with Article 11.1(c); and (e) where Welocity acted as a processor under Annex 1, it will delete or return the applicable Personal Data at the Client’s choice, save where retention is required by Applicable Law.

Article 12: Cross-Border Transfers

12.1 General. Welocity and its Sub-processors may Process Personal Data in India and other countries. Welocity transfers Personal Data only where a lawful transfer mechanism under Data Protection Laws is in place.

12.2 Transfer mechanism. Where Personal Data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision — including India, which as at the date of this Agreement is not the subject of an EU adequacy decision — the Standard Contractual Clauses, together with the UK Addendum and Swiss amendments as applicable, are incorporated by reference and apply to that transfer. The applicable module is used for the relevant relationship: Module One (controller-to-controller) for disclosures between Welocity and Clients as independent controllers, and Module Two (controller-to-processor) where Welocity acts as a processor under Annex 1 or engages a Sub-processor. Welocity will implement supplementary technical and organizational measures where necessary to ensure an essentially equivalent level of protection.

12.3 Conflict and onward transfers. In the event of any conflict between the SCCs and this DPA in respect of a restricted transfer, the SCCs prevail. Welocity will ensure that onward transfers to Sub-processors are subject to appropriate safeguards consistent with this Article.

Article 13: General Provisions

13.1 Governing Law. This Agreement is governed by the laws of India, and the courts of Bangalore, Karnataka, India shall have exclusive jurisdiction, without prejudice to any mandatory rights of Data Subjects or to the terms of the SCCs (which are governed as stated therein).

13.2 Amendments. Welocity may amend this Agreement on at least fifteen (15) days’ prior notice to Controllers through the Platform or by email. Continued use of the Services after the effective date constitutes acceptance. Material changes that affect Controller rights under Data Protection Laws are subject to reasonable notice and, where required, Controller consent.

13.3 Severability. If any provision is held invalid or unenforceable, the remaining provisions continue in full force and effect.

13.4 Entire Agreement. This Agreement, together with the Principal Agreement and Privacy Policy, constitutes the entire agreement regarding data processing.

13.5 No Third-Party Beneficiaries. This Agreement does not create third-party beneficiary rights, except as expressly provided for Data Subjects under Applicable Law or the SCCs.

13.6 Force Majeure. Neither party is liable for failures or delays due to causes beyond its reasonable control.

13.7 Survival. Provisions relating to data rights, liability, confidentiality, transfers, and any others that by their nature should survive, survive termination of this Agreement.

Article 14: Contact Information

NetConnect Private Limited, operating as Welocity™ — Registered office: WeWork Salarpuria Symbiosis, Bannerghatta Main Road, Arekere, Bengaluru, Karnataka 560076, India.

Data-protection inquiries: privacy@welocity.ai

Data Protection Officer: dpo@welocity.ai

Legal notices: legal@welocity.ai

EU Representative (GDPR Article 27): an EU-based representative is being appointed as the contact point for individuals in the European Economic Area and supervisory authorities; the current details are published at www.welocity.ai/legal. Until then, EEA individuals may contact privacy@welocity.ai or dpo@welocity.ai.

ACCEPTANCE OF TERMS

By using the Welocity platform, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. This Agreement is effective upon your use of the Platform and supersedes previous versions. If you do not agree, you must not use the Platform.

Schedule A: Technical and Organizational Measures

Encryption: AES-256 for data at rest; TLS 1.3 for data in transit.

Access management: multi-factor authentication and role-based access control.

Network security: firewalls, intrusion detection, and DDoS protection.

Monitoring: security monitoring and automated threat detection.

Physical security: secure data centers with restricted access.

Backup: regular automated backups with geographic redundancy.

Incident response: documented procedures and regular drills.

Security measures may evolve with technology. Welocity may modify controls provided that the level of protection is not materially reduced.

Schedule B: Data Processing Details

Processing Activities

Collection via web forms, APIs, and file uploads;

Storage in cloud infrastructure;

AI-assisted analysis and scoring;

Duplicate detection per job requisition;

Interview processing;

Cross-client talent matching, only with candidate consent or another lawful basis;

Analytics and reporting; and

Platform improvement and optimization.

Data Flow

Candidate enters the platform (direct application, Welocity sourcing, or Client self-service upload) → Welocity Processes as controller (profile, Octo interview, assessment, matching) → Welocity discloses a shortlist to a Client, which then acts as independent controller → within the platform, identifiable candidate data is governed by the retention rules in Article 11; talent-pool building and cross-client matching proceed on Welocity’s lawful basis. A Client’s separate copy, once exported following its own selection, is governed by the Client’s own retention rules.

Schedule C: Sub-processors

Welocity engages Sub-processors in the categories below to deliver the Services. The specific identity of each Sub-processor is confidential and is made available to Controllers on request under appropriate confidentiality terms. Controllers receive prior notice of changes and may object in accordance with Article 5.

Where a Sub-processor Processes Personal Data outside its country of origin, the transfer is governed by the mechanism shown above and by Article 12 of this DPA.

Annex 1: Processor Annex (Article 28 GDPR)

A1.1 Instructions

Welocity will Process the applicable Personal Data only on the Client’s documented instructions, including as to transfers, unless required to do otherwise by Applicable Law (in which case Welocity will inform the Client unless legally prohibited). The Client is the controller and is responsible for the lawfulness of its instructions.

A1.2 Subject matter and details

Subject matter: screening of the Client’s applicants. Duration: the term of the instruction. Nature and purpose: CV parsing, assessment, and interview processing for the Client’s own roles. Data subjects: the Client’s applicants. Data categories: identification, professional, and assessment data, and special-category data only where the Client has a lawful basis and instructs accordingly.

A1.3 Article 28 obligations

confidentiality: persons authorized to Process are bound by confidentiality;

security: the measures in Article 6 and Schedule A apply (Article 32);

sub-processors: engaged only under the general authorization and flow-down in Article 5;

data-subject requests: Welocity assists the Client by appropriate technical and organizational measures, and does not respond directly except on the Client’s instruction or as required by law;

assistance: Welocity assists the Client with its Article 32–36 obligations (security, breach notification, DPIAs, prior consultation), taking into account the nature of Processing and information available;

return/deletion: at the Client’s choice, Welocity deletes or returns the applicable Personal Data at the end of the Processor Processing, save where retention is required by Applicable Law; and

audit: Welocity makes available the information necessary to demonstrate compliance and allows for and contributes to audits in accordance with Article 10.

A1.4 Breach notification

Welocity notifies the Client without undue delay after becoming aware of a personal-data breach affecting the applicable Personal Data, with the information the Client reasonably needs to meet its own obligations.