Dimensionless Technologies Private Limited Data Protection Addendum (PropelPro)

This Data Protection Addendum ("Addendum") between Dimensionless Technologies Private Limited ("Dimensionless Technologies", "PropelPro") and the Customer (as defined in the Agreement) forms part of the agreement governing Customer's access to and use of PropelPro, whether set out in a Master Service Agreement, Statement of Work, Order Form, Terms of Use, or such other written or electronic agreement incorporating this Addendum (the "Agreement"). This Addendum was last updated in June 2026.

Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Dimensionless Technologies. For the purposes of this Addendum only, and except where otherwise indicated, references to "Customer" shall include Customer and such Affiliates.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.2 The terms "Business", "Business Purpose", "commercial purpose", "Contractor", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor", "Sell", "Service Provider", "Share", "Subprocessor", "Supervisory Authority", and "Third Party" have the same meanings as described in applicable Data Protection Laws and cognate terms shall be construed accordingly.

1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.

2. Scope of Addendum

2.1 This Addendum applies to Dimensionless Technologies's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.

3. Roles of the Parties

3.1 The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, and as more fully described in Annex 1 hereto, Customer acts as a Business or Controller, and Dimensionless Technologies acts as a Service Provider or Processor. This Addendum shall apply solely to the Processing of Customer Personal Data by Dimensionless Technologies acting as a Processor, Subprocessor, or Third Party (as specified in Annex 1).

3.2 The Parties expressly agree that Customer shall be solely responsible for ensuring timely communications to Customer's Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Customer's Affiliates or the relevant Controller(s) to comply with such Laws.

3.3 Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents.

4. Description and Purpose of Personal Data Processing

4.1 In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the subject matter and details of the Processing of the Customer Personal Data to be Processed by Dimensionless Technologies pursuant to this Addendum. The Parties may make reasonable amendments to Annex 1 on mutual written agreement and as reasonably necessary to meet those requirements or to address the requirements of Data Protection Laws from time to time. Annex 1 does not create any obligation or rights for any Party.

4.2 The purpose of Processing under this Addendum is the provision of the Services pursuant to the Agreement and any Order Form(s).

5. Data Processing Terms

5.1 Customer shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data. In connection with its access to and use of the Services, Customer shall Process Customer Personal Data within such Services and provide Dimensionless Technologies with instructions in accordance with applicable Data Protection Laws. As between the Parties, Customer shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Dimensionless Technologies of Customer Personal Data. Customer agrees not to provide Dimensionless Technologies with any data concerning a natural person's health, religion or any special categories of data as defined in Article 9 of the GDPR, except to the extent such data is incidentally contained within Customer Content uploaded to PropelPro for the purpose of bid/tender management, in which case Customer warrants it has obtained all necessary consents and has a valid legal basis for providing such data.

5.2 Dimensionless Technologies shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and Dimensionless Technologies shall:

In relation to any notice received under Section 5.2(d)(i), Customer shall have a period of 30 (thirty) days from the date of the notice to inform Dimensionless Technologies in writing of any reasonable objection on data protection grounds to the use of that Sub-processor. The parties will then, for a period of no more than 30 (thirty) days from the date of Customer's objection, work together in good faith to attempt to find a commercially reasonable solution for Customer which avoids the use of the objected-to Sub-processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Agreement) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty or indemnification whatsoever (but without prejudice to any fees incurred by Customer prior to termination);

6. Warranties

6.1 The Parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the term.

7. Restricted Transfers

7.1 The parties agree that when the transfer of Customer Personal Data from Customer and/or any of its Affiliates (as exporter) to Dimensionless Technologies (as importer) is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs, which shall be deemed incorporated into and form part of this Addendum as follows:

7.2 Dimensionless Technologies shall not participate in any other Restricted Transfers of Customer Personal Data (whether as an importer or an exporter of the Customer Personal Data) unless the Restricted Transfer is made in compliance with applicable Data Protection Law and pursuant to the relevant Standard Contractual Clauses implemented between the relevant exporter and importer of the Customer Personal Data, as necessary in order to comply with applicable Data Protection Law.

7.3 Customer should routinely review all international transfers of Personal Data on a case-by-case basis in order to monitor new risks because of the changes in local laws, data practices, etc., and implement additional safeguards (such as encryption or pseudonymization) to mitigate identified risks to ensure the Personal Data remains protected to the standard required under Data Protection Laws.

7.4 Transfer mechanism. Where a party is located outside the EEA or an adequate country and receives Personal Data: (a) that party will act as the data importer, (b) the other party is the data exporter, and (c) the relevant Transfer Mechanism will apply. "Transfer Mechanism" refers to any lawful means of transferring personal data from the European Economic Area (EEA) or any adequate country to a third country in compliance with applicable data protection laws. This may include, but is not limited to, the following:

7.5 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.

7.6 Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed): challenge the request and promptly notify the data exporter about it, and only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

8. Precedence

8.1 The provisions of this Addendum are supplemental to the provisions of the Agreement. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Agreement, they will take priority in this order: (a) any Standard Contractual Clauses or other measures to which the parties have agreed to (Cross-Border Transfer Mechanisms), (b) this Addendum, (c) the Agreement. In the event that any provision of this Addendum and/or the Agreement contradicts, directly or indirectly, the Controller to Processor SCCs, the Controller to Processor SCCs will control.

9. Indemnity

9.1 To the extent permissible by law, Customer shall (a) defend Dimensionless Technologies and its Affiliates (collectively, "Indemnified Parties") from and against any and all claims, demands, suits, or proceedings made or brought against any of the Indemnified Parties by any third party (each, a "Claim"), and (b) indemnify and hold harmless the Indemnified Parties from and against any and all losses, damages, liabilities, fines and administrative fines, penalties, settlements, and costs and expenses of any kind (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses) incurred or suffered by any of the Indemnified Parties, in each case arising from any breach by Customer of this Addendum or of its obligations under applicable Data Protection Laws. Dimensionless Technologies may participate in the defense and/or settlement of a Claim under this Section 9 with counsel of its choosing at its own expense.

10. Severability

10.1 The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

11. Miscellaneous

11.1 The Addendum considers the following and follows:

11.2 Dimensionless Technologies shall comply with all statutory and regulatory requirements applicable to it, and maintains ISO/IEC 27001:2022 certification and a SOC 2 Type II report covering the Security, Confidentiality, and Availability Trust Services Criteria, and, where applicable, the EU GDPR and India's Digital Personal Data Protection Act, 2023.

11.3 In the event a Data Subject wishes to exercise its data subject rights under applicable Data Protection Law, including, but not limited to, a data subject's right of access, correction and/or erasure of its Personal Data in Dimensionless Technologies's control, the Data Subjects can submit such request by contacting Dimensionless Technologies's Grievance Officer below. Also, for raising concerns and/or any complaints related to the Customer Personal Data, this can be done by contacting the Grievance Officer below:

Name: Kushagra Singhania, Chief Operating Officer Email ID: privacy@dimensionless.ai

11.4 There are no temporary files generated during Processing that are retained beyond the duration necessary to complete the relevant Processing activity.

Annex 1 to Data Protection Addendum

Description of Processing Activities for Customer Personal Data

This Annex includes certain details of the Processing of Customer Personal Data by Dimensionless Technologies in connection with the Services.

1. List of Parties

Data Exporter

Data Importer

2. Competent Supervisory Authority

3. Processing Information

4. Technical and Organisational Security Measures

Description of the technical and organisational security measures implemented by Dimensionless Technologies as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons:

Security

  • Security Management System.
    • Organization. Dimensionless Technologies designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Management System (ISMS).
    • Policies. Management reviews and supports all security-related policies to ensure the security, availability, integrity, and confidentiality of Customer Personal Data. These policies are reviewed and updated at least once annually.
    • Assessments. Dimensionless Technologies engages a reputable independent third party to perform risk assessments and vulnerability assessments/penetration tests of systems containing Customer Personal Data at least once annually.
    • Risk Treatment. Dimensionless Technologies maintains a formal risk treatment program covering penetration testing, vulnerability management, and patch management to identify and protect against potential threats to the security, integrity, or confidentiality of Customer Personal Data.
    • Vendor Management. Dimensionless Technologies maintains a vendor management program requiring signed agreements with vendors and Sub-processors, covering scope of services, roles and responsibilities, compliance requirements, and confidentiality obligations.
    • Incident Management. Dimensionless Technologies reviews security incidents regularly, including determination of root cause and corrective action.
    • Standards. Dimensionless Technologies operates an information security management system certified to ISO/IEC 27001:2022, and has obtained a SOC 2 Type II report covering the Security, Confidentiality, and Availability Trust Services Criteria.
  • Personnel Security.
    • Dimensionless Technologies personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Dimensionless Technologies conducts background checks on employees who will have access to Customer Personal Data, to the extent legally permissible.
    • Personnel are required to execute a confidentiality agreement/NDA at the time of hire. Personnel receive security and privacy awareness training upon hire and at least annually thereafter, and complete code of conduct training annually.
  • Access Controls
    • Access Management. Dimensionless Technologies maintains a formal access management process, based on the principle of least privilege and need-to-know, for the request, review, approval, and provisioning of personnel access to Customer Personal Data. Access is reviewed on a quarterly basis to confirm continued business need.
    • Access Control and Privilege Management. Administrators and end users authenticate via individual user accounts using multi-factor or two-step authentication.
    • Internal Data Access Processes and Policies. Access rights are granted, modified, or revoked only against written authorization, based on job responsibilities. Privileged access is allocated on a need-to-use basis. Predefined, role-based security groups are used for in-scope systems. Account credentials of exited personnel are deactivated within one business day of exit, and reactivation of such credentials is prohibited.
  • Data Center and Network Security
    • Infrastructure. Dimensionless Technologies's production infrastructure, including the PropelPro platform, is hosted on Microsoft Azure.
    • Resiliency. The PropelPro platform is implemented in a high-availability configuration using multiple, redundant Azure availability zones, with current supporting regions including Central India, South India, and UAE North. For Customers requiring private deployment, the platform can be configured to operate from a dedicated Azure environment and region of the Customer's choosing, in accordance with the applicable service agreement.
    • Tenant Isolation. PropelPro is built on a multi-tenant architecture in which each Customer's data, including Customer Content, is logically segregated within tenant-isolated storage and databases (including per-tenant database schemas and isolated vector stores), such that no Customer has access to another Customer's data.
    • Backups. Incremental and full backup procedures are performed on production databases on a daily basis. Backup restoration is tested at least annually.
    • Disaster Recovery. Dimensionless Technologies maintains a documented Business Continuity and Disaster Recovery plan, tested at least annually.
    • Security Logs and Monitoring. Logging and monitoring systems are in place to support security audits and to monitor and detect actual or attempted attacks on, or intrusions into, Dimensionless Technologies's systems.
    • Vulnerability Management. Vulnerability assessments and penetration tests of the network are performed at least annually by a third party, with identified vulnerabilities remediated on a risk basis.
    • Networks and Transmission. Production environments are protected by virtual firewall/security group rules. Direct access to production instances is restricted to authenticated SSH sessions or authenticated secure browser sessions using HTTPS.
    • Encryption Technologies. HTTPS/TLS encryption is used for data in transit, and encryption technologies are implemented for data at rest, to ensure the security and confidentiality of Customer Personal Data.
    • AI/LLM Processing. Where Customer Personal Data or Customer Content is processed via Azure AI Foundry (including Azure OpenAI, Anthropic, DeepSeek, and associated Vision/OCR and Document Intelligence services) to power PropelPro's AI-driven features, such Processing occurs within the Azure region(s) selected by Customer to meet its data residency requirements, and such data is not used to train any underlying AI or foundation model.
    • Data Destruction. Dimensionless Technologies ensures secure disposal of Customer Personal Data and Customer Content through documented data destruction processes set out in its Media Handling Policy and Data Retention and Disposal Policy.

Annex 2

Dimensionless Technologies's Sub-processors

The following table lists Dimensionless Technologies's current Sub-processors engaged in connection with the provision of the Services. This list applies commonly across Dimensionless Technologies's products and services, including PropelPro.

Dimensionless Technologies will notify Customer in accordance with Section 5.2(d) of this Addendum of any intended changes or additions to this Sub-processor list.