Company Account Agreement

1. BACKGROUND AND AGREEMENT

1.1. Invono AB, org. no. 556987-2535 ("Invono") provides a digital platform ("INVONO One") with functions and services for partly overview and follow-up of ownership in unlisted companies, partly digital business services for managing ownership, documents, meetings, authorization control and data. Invono provides INVONO One and the services online as Software as a Service services (SaaS) via Invono's website, app.invono.se.

1.2. The services are made available through two different types of accounts that can be created in INVONO One. Personal account for all natural persons who use INVONO One and Company account for companies and organizations that want to use the company services in INVONO One.

1.3. Personal account is provided free of charge, while Company account is offered in four different levels (Free, Lite, Standard and Premium) which are priced according to the amount of storage space and which services and functions of INVONO One are included. All levels of the Company Account include an unlimited number of Customer Members (as defined in point 4.5 below and in short the natural persons who are part of one or more teams in the Company Account). The customer (as defined in point 1.4 below) can switch between the different levels of Company Account at any time. When the term "Company account" is used in this agreement, it refers partly to the specific Company account - which the Customer has created in the individual case - as such, and partly to all services and functions that are available from time to time in the Customer's Company account in INVONO One.

1.4. This agreement drawn up by Invono including the appendix - or the later version that applies according to point 13.1 below - ("Customer Agreement") constitutes an agreement between Invono and the company, association or other organization that creates a Company Account in INVONO One ("Customer"). The customer agreement regulates the conditions for Invono's provision of a Company account and the Customer's use of the Company account. The customer agreement is considered approved and accepted by the customer in that the customer fills in a box for the purpose on app.invono.se in connection with the customer creating a company account on app.invono.se. The customer thereby undertakes, in relation to Invono, to comply with the terms of the Customer Agreement. Provided that the Customer fills in the said box and creates a Company account, Invono also undertakes, in relation to the Customer, to comply with the terms of the Customer Agreement. With the Customer filling in the box intended for the purpose, the parties are thus mutually bound by their respective obligations in the Customer Agreement.

1.5 For the use of the Company Account, in addition to the Customer Agreement, Invono's general terms of use for INVONO One (the "Terms of Use") and the terms for Invono's e-signing service ("Terms of Service eSigning"), which are considered approved and accepted by the Customer upon entering into - or supplement by later version – of the Customer Agreement according to point 1.4 above. In the Terms of Use, the Customer is referred to as the "User" and in the Terms of Service eSigning, the Customer is referred to as the "User". In the event of conflicts between the Customer Agreement and the Terms of Service or Terms of Service eSigning, the Customer Agreement applies with higher priority, and in the event of conflicts between the Terms of Use and the Terms of Service eSigning, the Terms of Use apply with higher priority.

2. PRICE AND PAYMENT FOR COMPANY ACCOUNT, ADDITIONAL SERVICES AND E-SIGNING

2.1. Company account is provided in four different levels where the first level "Free" is completely free, while the levels "Standard", "Lite" and "Premium" are paid services. All levels of the Company Account include an unlimited number of Customer Members and shareholders. However, the available storage space and the services and functions that are included differ between the different levels. For Company accounts at the paid level, extra storage space can also be purchased as an additional service for a separate fee.

2.2. For each e-signing that is done at the Customer's initiative (i.e. e-signing processes initiated by the Customer via their Company account), an additional cost is added to the Customer in cases where such an authentication method is used that involves a cost to Invono (formerly BankID). For e-signing with free technology (such as e-mail), however, the Customer is charged no extra cost.

2.3. Unless the parties have agreed otherwise, the information applies to, on the one hand, the prices for the different levels of Company account, on the other hand which storage space and which services and functions are included for each level of Company account, and on the other hand the prices for such e-signatures which entail an additional cost according to point 2.2 above, as well as the prices for various additional services, which at any time are published on Invono's website invono.se.

2.4. All prices here and on invono.se are stated excluding VAT. The customer is responsible for VAT as well as other taxes and public charges that are due or may be due with respect to the Company account, including any additional costs and additional services.

2.5. The price for the paid-level Company Account and any additional services is paid monthly or annually in advance. The first payment occurs at the time the Customer activates the Standard, Lite or Premium levels in their Company account. If e.g. The customer activates level Standard in their Company account on April 10 and chooses a monthly subscription. On this occasion, the customer must pay the monthly cost for level Standard in advance, i.e. through May 9. The price for the Standard Company Account level will then be charged every month on the calendar day corresponding to the first payment day for the Company Account ("Debit Date"). The same applies annually if the Customer has chosen an annual subscription. In some cases, the Debit Date can be changed, e.g. if the Customer's monthly subscription began on a date that does not exist in a given month.

2.6. The price for such e-signing, which entails an additional cost according to point 2.2 above, is paid from a payment pot loaded in advance by the Customer for this purpose. The pot is topped up by card payment directly in INVONO One.

2.7. The customer can at any time switch between the different levels of Company Account and add or remove such additional services that are available for the current level of Company Account. Changing to another level - or adding/removing an additional service - is reflected in the next monthly/annual billing. If the Customer upgrades to a more expensive level - or adds an additional service - during an ongoing payment period, the difference for the remaining time in the current payment period will be charged separately at the time of the change. If the Customer downgrades to a cheaper level - or removes an additional service - during an ongoing payment period, no refund will be made for all or part of the fee already paid for the current payment period.2.8. Det går inte att nedgradera till nivå ” Free” om mängden Kunddata (enligt definitionen i punkt 4.3 nedan) överskrider den högsta tillåtna datamängden för Free-nivån. Vid en nedgradering till ett annat Bolagskonto på betalnivå kan Kunden – om Kunddatan överskrider den tillåtna mängden för den nivå som Kunden önskar nedgradera till – välja mellan att köpa till extra lagringsutrymme som en tilläggstjänst eller att radera erforderlig mängd Kunddata före nedgraderingen.

2.9. Payment for the Company account and any additional services is made by card payment directly in INVONO One. The customer must provide the information necessary for payment from a current and valid payment card and agrees - unless the Company Account has been canceled in accordance with the Customer Agreement, or the Customer has changed the subscription to level Free ) before the Billing Date - that the fee for the next monthly or/annual payment period debited from the card on the Debit Date. If such a card debit should fail for any reason, the Customer undertakes to update his payment information immediately upon request so that a card transaction can be completed.

2.10. Invono has the right to change during the contract period; partly the price for the different levels of Company account, partly the amount of storage space and the content of services and functions in the different levels of Company account, partly the additional price for certain e-signatures, and partly the price for various additional services. An increase in the price for - or a reduction in the content of - any level of Company account or for any additional service must be notified in writing by Invono no later than ten (10) days before the price change takes effect. If the Customer does not terminate the Customer Agreement in accordance with point 3.1 below, the new price applies for such payment period that begins after the price change has entered into force.2.11. Oaktat det ovanstående har Invono rätt att höja priset med omedelbar verkan om höjningen är direkt hänförlig till externa faktorer såsom förändring av valutakurs, skatt eller liknande allmän pålaga samt vid annan liknande omständighet utom Invonos kontroll som påverkar kostnaden för tillhandahållande av Bolagskonto.

2.12. If the Customer is in arrears with payment for the Company account, statutory late payment interest is charged from the due date. In the event of such a delay, Invono is also entitled to temporarily suspend the Customer's access to the Company account until all due amounts have been paid; and/or to terminate the Customer Agreement in writing until fourteen (14) days after the Customer would have made payment.

2.13. Upon termination of the Customer Agreement, there will be no refund of the fee already paid for the Company account.

3. AGREEMENT TERM AND TERMINATION

3.1. The customer agreement applies from on the day on which the agreement was entered into according to point 1.4 above, the Customer's Company Account, and thus the Customer Agreement, is terminated via the Customer's user page in the Company Account in INVONO One. If the Customer has a paid subscription, however, the Customer Agreement only expires at the end of the current payment period.

3.2. From the date of termination of the Customer Agreement, the Customer no longer has any right to use the Company Account and Invono has, subject to clause 5.2 below, the right to delete all Customer Data (see definition in clause 4.3 below).

4. DETAILS ABOUT THE COMPANY ACCOUNT AND THE USE OF IT

4.1. Invono undertakes to provide the Company Account during the contract period, and on the terms specified in the Customer Agreement, by keeping this available to the Customer at app.invono.se, i.e. the point where Invono hands over the Company Account to a publicly available communication network.

4.2. The services and functions provided in the Company Account vary depending on which level (Free, Lite, Standard or Premium) the Customer has chosen to subscribe to. Information about what is included in the different levels and detailed descriptions of these services and functions is available on our website invono.se. In brief, however, it should be mentioned that Company Account contains digital business services for handling, among other things, ownership, documents, meetings and tasks. Company account must be provided professionally.

4.3. "Customer data" refers to such information, data and/or documentation attributable to the Customer or Customer Member (as defined in section 4.5 below) that (i) the Customer/Customer Member uploads or otherwise adds to or to the Company Account, (ii) arises as result of the use of the Company Account, or (iii) is the result of Invono's processing of such information/data/documentation.

4.4. A company account is created on behalf of the Customer by a natural person via their Personal Account in Invono One. Company account can only be created if a registered representative of the Customer - by signing with BankID - confirms that a Company account is to be created for the Customer. The natural person who creates a Company Account ("Account Owner") is the Customer's first Customer Member and this person automatically gets full access to all available services and functions as well as all Customer Data in the level of Company Account that the Customer has chosen to subscribe to. The Account Owner and the Customer hereby confirm that the Account Owner has the authority to create a Company Account on behalf of the Customer and enter into this Customer Agreement as well as to add Customer Members and give Customer Members full or limited access to the Company Account and Customer Data.

4.5. The Customer has the option to add users ("Customer Members") and grant them authorization to various teams in Company Account to use the services and functions in Company Account on behalf of the Customer and/or to allow them to access Customer Data. Each such Customer Member must register a personal free Personal Account in INVONO One and undertake to comply with the Terms of Use. The Customer is aware that it is the Customer who, through the authorization control in Company Account, regulates - and is responsible for - the access Customer members get to the services and functions in Company Account, and Customer Data. In relation to Invono, the Customer is responsible for ensuring that all Customer Members to whom the Customer gives access to the Company account, or parts of the contents of the Company account, comply with the Customer Agreement. Invono has the right, without prior warning, to suspend the Customer Member from further use of the Company Account and/or INVONO One if there is suspicion that he is using the Company Account in violation of the Customer Agreement or other applicable conditions.

4.6. The customer only gets access to the Company Account for the purpose for which the Company Account was created and may only use the Company Account in accordance with the Customer Agreement and the Terms of Use and for legal purposes and on their own account. Company account is provided as an online subscription service (so-called Software as a Service / SaaS) and only means - in accordance with the Customer Agreement and the Terms of Use - a limited right for the Customer to access and use Company Account and the services and functions available therein. Invono's provision of a Company account therefore does not imply any transfer or granting of any intellectual property rights to the Customer.

4.7. Invono carries out ongoing development work regarding the services and functions of the Company Account, and the Customer receives continuous upgrades during the validity of the Customer Agreement at no extra cost. Invono itself decides which improvements and technical adjustments are to be made and has the right during the contract period to change the services and functions of the Company Account, including to completely remove services and functions. Invono will inform the Customer when more significant changes are implemented.

4.8. Invono provides support for questions regarding the functionality of the Company Account. The customer can get in touch with support via Invono's user support which is available in the Company Account or directly via Invono's website support.invono.se.

4.9. Invono's support does not include any advice on questions regarding the application of the underlying laws and regulations that apply to such administration, etc. which can be handled through the Company Account, such as company law issues etc. The support also does not cover questions of a technical nature or corrections due to incorrect use of the Company account.

5. CUSTOMER DATA

5.1. The Customer owns and is responsible for all Customer Data that the Customer or Customer Member stores, uploads, makes available and manages in the Company Account. The customer's use of INVONO One and Company Account does not mean that any intellectual property rights to Customer Data are assigned or transferred to Invono. The customer is responsible for ensuring that the customer data - as well as the customer's or customer member's use of the company account - does not cause damage or infringe on the rights of others or contravene current legislation, e.g. regarding intellectual property rights or personal data legislation. In the event that the Customer fails in this responsibility, the Customer shall indemnify Invono in respect of all claims from third parties that are directed against Invono due to such a failure, also in respect of indirect damage and loss. Invono shall also have the right to assign to third parties the right to make such claims against the Customer.

5.2. When the Company Account has been closed and the Customer Agreement has ceased to apply, Invono must - upon written request from the Customer and at his expense - provide the Customer with his Customer Data in the format that is possible and appropriate according to Invono. Invono undertakes to store the Customer Data for one hundred and twenty (120) days after the termination of the Customer Agreement, or until a requested transfer of the Customer Data has been carried out as above. When this time has expired, all Customer Data will be deleted unless the parties have previously reached a different agreement in connection with the conclusion of a new customer agreement. If the Customer requests in writing that the deletion of Customer Data is to take place earlier than as stated above, Invono shall, notwithstanding its storage commitment above, comply with such request.

6. PERSONAL DATA

6.1. All terms in this section 6 relating to the processing of personal data shall have the meaning that appears from time to time in EU Regulation 2016/679 (Data Protection Regulation GDPR) including changes and/or additions thereof.

6.2. Invono is the personal data controller for the personal data (contact information) provided when registering a Company Account or when editing the company profile in the Company Account. Invono is also responsible for the personal data provided when using the support function. With regard to Invono's processing of personal data as a personal data controller, what is stated in Invono's privacy policy applies.

6.3 The Customer is responsible for all other processing of personal data in the Company Account. In carrying out its obligations under the Customer Agreement, Invono may, however, process personal data on behalf of the Customer. Examples of such treatment are; that Invono stores information about e.g. employees or shareholders that the Customer enters into INVONO One; that Invono logs information about e.g. name and social security number to create evidence in connection with e-signing; that Invono transfers data to providers of e-identification to enable e-signing; or that Invono - after the end of the contract period - deletes the corresponding data that the Customer had in the Company Account.

6.4 To the extent that Invono processes personal data on behalf of the Customer, Invono is to be considered a personal data processor. Regarding Invono's processing of personal data as a personal data processor, what is stated in this section 6 and in the personal data processor agreement (appendix) and its sub-appendices apply. In the personal data processor agreement, the Customer is referred to as "Personal Data Controller" and Invono as "Personal Data Processor".

7. SEKRETESS

7.1. The parties undertake without limitation in time not to, without the other party's written consent, provide or disclose Confidential Information to third parties, and not to use Confidential Information, to an extent other than what is necessary to fulfill their obligations under the Customer Agreement. With "Confidential information" in the Customer Agreement refers to any information - technical, financial, practical, commercial, personal or of any other kind, regardless of whether the information has been documented or not - that a party has received from the counterparty or which appears or is generated during the fulfillment of the Customer Agreement. As non-exhaustive examples of Confidential information, financial reports, technical product descriptions, various types of agreements, personal data, etc. can be mentioned. However, as Confidential information shall not be considered information that the party can show; (i) is generally known or comes to public knowledge in a different way than through violation of the content of the Customer Agreement; (ii) that the party had access to before the Customer Agreement was entered into; (iii) came to the party's knowledge from a third party, provided that the third party was not prevented by the other party from disclosing such information (however, in such a case, the party does not have the right to disclose to outsiders that the party received the same information from the other party as well); or (iv) that the party is obliged to disclose according to law, a decision of a court or other authority or stock market rules, provided that the other party is notified of this in advance and that the disclosure is limited as much as possible.

7.2. Regardless of what is stated in point 7.1 above, however, Invono has the right to disclose such Confidential Information to Invono's group companies, cooperation partners and/or subcontractors that need to be disclosed in order for Invono, subcontractors or cooperation partners to be able to deliver and/or develop INVONO One.

7.3. The party must, through confidentiality obligations or other appropriate measures, ensure that employees, consultants and other staff employed observe confidentiality as above. Invono is responsible for ensuring that any subcontractor or collaboration partner as well as their relevant employees sign a non-disclosure agreement of corresponding content.

7.4. Notwithstanding the above, Invono has the right to indicate for marketing purposes that the Customer uses a Company Account in INVONO One.

8. LIABILITY AND LIMITATION OF LIABILITY

8.1. The company account is normally available at all times, but Invono makes no guarantees regarding availability and the Customer is aware that both planned interruptions (e.g. for customary maintenance, updates and other measures) and unplanned interruptions and disruptions occur. Planned interruptions shall, as far as possible, take place outside office hours and Invono shall inform in advance of such interruptions.

8.2. By "error" in the Customer Agreement is meant that the Company Account, or essential parts of the Company Account, cannot be used and this is due to circumstances within Invono's control.

8.3. If an error occurs, Invono must remedy the error free of charge and without delay after the error has been reported, if possible.

8.4. To avoid misunderstandings, Invono is never responsible for errors or deficiencies arising from the Customer's or Customer Member's use of the Company Account in violation of the Customer Agreement, Terms of Use or other user instructions, or for errors or deficiencies resulting from the Customer's or Customer Member's error or negligence.

8.5. In addition to what is stated above in this section 8, Invono has no responsibility for the function or quality of the Company Account.

8.6. Invono is not responsible in any case for indirect damages, such as lost or non-existent profit, loss of production, costs for engaging another supplier and/or consultant, costs for equipment and similar costs or losses.

8.7. Invono's total liability for direct damage during a contract year shall under all circumstances be limited to a maximum of one (1) price base amount according to ch. 2. Section 6 of the Social Security Code.

9. DISCLAIMER

9.1. The customer is responsible for determining whether a certain service or function in the Company Account is suitable for achieving the purpose intended by the customer. Invono is not responsible in any case for the Customer's damage or loss as a result of, or related to, the use of the Company Account. This applies regardless of the cause of such damage or loss, i.e. regardless of whether the damage/loss stems from interruption of function or use, cessation of function or service within the Company account, malfunction, error, deficiency, bug, neglect, lack of purpose, loss of data, information or documentation, virus, operational or connection problems, intrusion or any other reason.

9.2. Information published on Invono's website (invono.se/app.invono.se) - or provided in connection with support cases or otherwise - is intended for general information only and does not constitute, and should not be used as, legal or other professional advice. There is a risk that the content is not exhaustive, up-to-date or correct.

9.3. Any use of information published on Invono's website (invono.se/app.invono.se) - or provided in connection with a support matter or otherwise - is entirely at the Customer's own risk. Invono assumes no responsibility if such information is incorrect or incomplete; or for any damages arising out of actions or decisions based on such information. The same applies to information on another website with a link to or from Invono's website.

10. COMPLAINT

10.1. In order not to expire, any claims must be presented in writing and without unreasonable delay from the time the party discovers or fails to discover the circumstance that gives rise to the claim, however no later than within two (2) months from the time the circumstance occurred.

11. FORCE MAJEURE – GROUNDS OF EXEMPTION

11.1. The following circumstances shall be considered grounds for exemption from the party's obligations to fulfill its obligations under the Customer Agreement, if such a circumstance prevents or significantly complicates the fulfillment of the obligation; circumstances that the parties cannot control or foresee, such as fire, explosion, natural disaster, war, act of war or terrorism, labor market conflict, staff resignation, reduction of working capacity or death, authority action, newly added or amended legislation, interruption of telecommunications, unauthorized intrusion into Invono's system, major loss or destruction of data, major accident and similar circumstances. In addition to this, situations are also included where the INVONO One has been exposed to an unpredictable pressure which reduced its functionality.

11.2. A party affected by a circumstance according to above must immediately notify the other party and exemption from performance is available for such time as the obstacle exists.

12. EARLY TERMINATION

12.1. In addition to what is otherwise stated in the Customer Agreement, the party has the right to terminate the Customer Agreement in writing with immediate effect if the other party commits a breach of contract and fails to take corrective action within twenty (20) days from receipt of the other party's written reminder of the breach of contract.

13. CHANGES TO THE AGREEMENT

13.1. Invono has the right to change the Customer Agreement with immediate effect without prior approval from the Customer and it is always the Customer Agreement available from time to time on Invono's website invono.se that applies. The Customer will be informed in writing of such changes that are materially detrimental to the Customer and such changes shall, notwithstanding the above, take effect thirty (30) days after the Customer is notified of the change or the later date Invono specifies.

14. WRITTEN NOTICES

14.1. Invono has the right to provide written notices according to the Customer Agreement to the Customer via Company Account and/or via letter or e-mail to the respective address that the Customer has most recently notified in Company Account. The customer is responsible for updating their contact information in the Company Account.

14.2. Notification to the Customer shall be deemed to have reached the Customer no later than three (3) days after the notification was sent if the notification is sent by letter, and immediately if the notification is sent via e-mail or notified via the Company Account.

14.3. The customer has the right to submit written messages - other than the termination of the Company account, which must take place in accordance with point 3.1 above - according to the Customer Agreement to Invono via e-mail to support@invono.se, whereby the message shall be deemed to have reached Invono immediately if receipt is confirmed .

15. ASSIGNMENT OF AGREEMENT

15.1. The customer may not fully or partially assign or pledge their rights and/or obligations under the Customer Agreement, without Invono's written approval.

16. GOVERNING LAW AND DISPUTE RESOLUTION

16.1. Invono is subject to Swedish law and Swedish law shall be applied to the Customer Agreement.

16.2. Disputes arising out of the Customer Agreement shall be finally settled by arbitration administered by the Stockholm Chamber of Commerce's Arbitration Institute (SCC). The SCC's rules for Simplified Arbitration must be applied unless the disputed value is higher than SEK 1 million. If the disputed value amounts to more than SEK 1 million, the SCC's Arbitration Rules shall be applied. However, the arbitration panel must in all circumstances consist of a single arbitrator. The disputed value includes the claimant's claim in the writ of summons as well as counterclaims made in the response to the writ of summons.

16.3. The seat of the arbitration shall be Helsingborg and the language of the proceedings shall be Swedish if both parties are Swedish and otherwise English.

16.4. The parties undertake, without time limitations, not to disclose without compelling reasons the existence or content of arbitration in connection with the Customer Agreement or information about negotiations, arbitration or mediation in connection with the Customer Agreement.

16.5. Regardless of the above, a party always has the right to turn to the Swedish general court or other competent authority if the capital amount in dispute (without taking into account any counterclaims) does not exceed SEK 100,000.

Appendix Personal data service agreement

1. DEFINITIONS

1.1. Terms in this personal data processor agreement (the "Persecutor Agreement") shall have the meaning that appears from time to time in EU Regulation 2016/679 (Data Protection Regulation GDPR) including changes and/or additions thereof.

1.2. Definitions used in the Subsidiary Agreement and the Sub-Appendices but not defined herein shall be defined in accordance with the Customer Agreement to which this Subsidiary Agreement is attached.

1.3. In the event of conflicts between this Assistance Agreement and the Customer Agreement, this Assistance Agreement applies with higher priority.

2. APPENDICES TO THE PERSONAL DATA PROVISION AGREEMENT

2.1. Specification of the processing of personal data, Sub-Annex 1

2.2. Pre-approved assistants, Sub-Appendix 2

3. PROCESSING OF PERSONAL DATA

3.1. The Personal Data Processor undertakes to only process personal data in accordance with (i) the Customer Agreement, and (ii) written, reasonable and legal instructions from the Personal Data Controller, unless such instructions prevent the Personal Data Processor from performing its obligations under the Customer Agreement or otherwise pursuant to applicable data protection legislation. The Personal Data Controller's original instructions to the Personal Data Assistant regarding the object and duration of the processing, the nature and purpose of the processing, type of personal data and categories of data subjects are stated in the Customer Agreement, this Assistant Agreement and in Sub-Appendix 1.

3.2. The Personal Data Controller confirms that the Personal Data Assistant's obligations under the Customer Agreement and this Assistant Agreement, including Sub-Annex 1 constitute the complete instructions to be followed by the Personal Data Assistant. All changes to the Data Controller's instructions must, with the exception of what is stated in clause 6.1 below, be negotiated separately and must, to be effective, be documented in writing and signed by both parties. The Personal Data Controller is obliged not, without such written agreement, to let the Personal Data Processor process other types of personal data, or process personal data about other categories of registered persons, than what is stated in Sub-Annex 1.

3.3. The personal data assistant shall, to the extent required by the applicable data protection legislation and according to the written instructions of the Personal Data Controller in each individual case, assist the Personal Data Controller in the fulfillment of his obligations according to the applicable data protection legislation.

3.4. The Personal Data Controller shall immediately inform the Personal Data Controller if the Personal Data Controller considers that an instruction from the Personal Data Controller is contrary to applicable data protection legislation.

4. UTLÄMNANDE OCH MOTTAGANDE AV PERSONUPPGIFTER

4.1. The personal data assistant provides through INVONO One service(s) where personal data may be processed. The Personal Data Controller himself decides to what extent Customer Data is uploaded or otherwise supplied in or to INVONO One and who (including third parties) shall have access to – and to what extent – ​​personal data for which the Personal Data Controller is responsible.

4.2. Regarding the Personal Data Assistant service for e-signing (which is also provided in INVONO One), the Personal Data Controller is aware of and agrees that the use of the same means that a number of personal data - for which the Personal Data Controller is responsible - will be shared with third parties as follows . The Personal Data Assistant will provide all persons invited to sign a document ("Signatory") information about the name of the person with the Personal Data Controller who requested the signature as well as access to any personal data in the PDF document to be signed. If and when the document has been signed by all Signatories, all Signatories will also have access to other personal data that is saved in the evidence log created during the signing process. Examples of information in the evidence log are information about the Signatories' electronic signatures, IP addresses, e-mail addresses and social security numbers, etc.

4.3. The above-described information sharing in connection with the use of the e-signature service can be limited to a certain extent by the Personal Data Controller through settings via digital tools in the e-signature service. As the e-signature service is essentially automated, the Personal Data Controller cannot notify the Personal Data Assistant of any restrictions other than those offered directly in the service.

4.4. With the exception of what is stated above regarding the e-signature service and below in point 5 regarding sub-agents and for such third party(ies) that the Personal Data Controller himself has assigned authority in INVONO One that can provide access to personal data, the Personal Data Controller undertakes not to without prior written consent from the Personal Data Controller, disclose or otherwise make personal data processed in accordance with this Assistance Agreement available to third parties, unless otherwise required by Swedish or European law, court or authority decision.

4.5. If a data subject requests information from the Personal Data Controller about the processing of their personal data, the Personal Data Controller shall without undue delay refer such request to the Personal Data Controller.

4.6. If the competent authority requests information from the Personal Data Controller about the processing of personal data, the Personal Data Controller shall without undue delay inform the Personal Data Controller about this, unless otherwise follows from applicable Swedish or European law, court or authority decisions. The personal data assistant may not in any respect act on behalf of the Personal Data Controller or as an agent for him, and may not, without prior consent from the Personal Data Controller, transfer or otherwise disclose personal data or other information relating to the processing of personal data to third parties, unless otherwise follows from Swedish or European applicable law, court or authority decision.

4.7. If, according to applicable Swedish or European law, the Personal Data Processor is requested to release personal data that the Personal Data Processor processes on behalf of the Personal Data Controller, the Personal Data Processor is obliged to immediately notify the Personal Data Controller of this, unless otherwise follows from current law, court or authority decision, and that in connection with the release request that the information be treated confidentially.

5. SUBSIDIARIES AND THIRD COUNTRY TRANSFERS

5.1. The Personal Data Controller approves that the Personal Data Assistant may hire sub-assistants within and outside the EU/EEA and may transfer personal data outside the EU/EEA. The personal data processor must ensure that subprocessors are bound by written agreements that impose on them the corresponding obligations in terms of data protection that apply according to this Processor Agreement. If the subcontractor does not fulfill its obligations in terms of data protection, the Personal Data Processor is responsible for the subcontractor's processing of personal data on behalf of the Personal Data Controller as for its own such processing. Sub-Annex 2 contains a list of pre-approved sub-assistants from and including the date of entry into force of this Assistant Agreement.

5.2. If personal data is transferred to, or access is enabled from, a location outside the EU/EEA, the Personal Data Assistant must ensure that there is a legal basis for the transfer according to applicable data protection legislation, by entering into the European Commission's standard contract clauses with hired sub-assistant. The Personal Data Controller hereby mandates the Personal Data Assistant to enter into the European Commission's standard contract clauses with sub-agents on behalf of the Personal Data Controller.

5.3. With regard to the sharing of information described in point 4.2 above in connection with the use of the e-signature service, the Data Protection Officer only enables access to the personal data within the EU/EEA (via a link on a secure page). The Personal Data Controller is aware of and accepts that the Personal Data Assistant, on the other hand, cannot control or take responsibility for how a Signatory who gains access to the data via the e-signature service chooses to handle the data, e.g. by transfer to third countries.

5.4. If the Personal Data Assistant intends to engage a new or replace an existing sub-assistant to process personal data covered by this Assistant Agreement, the Personal Data Assistant must inform the Personal Data Controller of this in advance and prepare the latter for the opportunity to raise objections. Such objections must be made in writing within ten (10) working days from the time the Personal Data Controller received the information. The Personal Data Assistant shall provide the Personal Data Controller with all information that the latter may reasonably request in order to assess whether the engagement of the proposed sub-assistant will ensure compliance with the Personal Data Controller's obligations under this Assistant Agreement and applicable data protection legislation. If compliance with these obligations, according to the Personal Data Controller's justified opinion, is not made possible by the proposed subcontractor and the Personal Data Controller wishes to hire the proposed subcontractor despite the Personal Data Controller's objection, the Personal Data Controller has the right to terminate the Customer Agreement in writing and get back any prepaid fees for the remainder of the contract period. If the objection is not justified, the Personal Data Controller does not have the right to terminate the Customer Agreement.

6. DATA SECURITY AND PRIVACY

6.1. The Personal Data Controller confirms that the Personal Data Controller has taken appropriate technical and organizational measures in accordance with applicable data protection legislation to ensure that the personal data processed is protected. The Personal Data Processor must follow the security measures set out in Sub-Appendix 1 and in the Personal Data Processor's own Data Security Description. The Personal Data Assistant may change its own Data Security Statement without prior written consent from the Personal Data Controller, provided that the change does not conflict with applicable data protection legislation.

6.2. The Personal Data Assistant is obliged to ensure that only such personnel who must directly have access to personal data in order to be able to fulfill the Personal Data Assistant's obligations under this Assistant Agreement have access to such data. The personal data assistant must ensure that such personnel are covered by a confidentiality obligation that is designed in accordance with the confidentiality provisions in the Customer Agreement.

6.3. The Personal Data Controller certifies that all personal data that the Personal Data Controller processes within the framework of the Customer Agreement has been collected and processed in accordance with applicable data protection legislation. The Personal Data Controller may not allow the Personal Data Processor to process sensitive personal data (e.g. information about an individual's health) without first having (i) taken the security measures required according to applicable data protection legislation, and (ii) obtained the Personal Data Processor's written approval of these measures and the processing.

7. PERSONAL DATA INCIDENTS

7.1. The Personal Data Assistant must notify the Personal Data Controller without undue delay after becoming aware of a personal data incident.

7.2. The Personal Data Assistant shall assist the Personal Data Controller with the information that may reasonably be required to fulfill his obligation to report personal data incidents.

8. RIGHT OF REVIEW

8.1. The Personal Data Controller shall, in its capacity as Personal Data Controller, have the right to take the necessary measures to verify that the Personal Data Processor can fulfill its obligations under this Assistance Agreement and that the Personal Data Processor has actually taken the necessary measures to ensure that these are fulfilled.

8.2. The Personal Data Processor undertakes to provide the Personal Data Controller with all information necessary to demonstrate compliance with the obligations set out in this Processor Agreement, as well as to enable and participate in such review, including on-site inspection, carried out by the Personal Data Controller or other reviewer appointed by this, on the condition that the persons carrying out the review enter into appropriate confidentiality agreements.

8.3. The Personal Data Controller shall bear its own costs for such review.

9. CONTRACT TERM

9.1. The provisions of this Assistant Agreement shall apply as long as the Personal Data Assistant processes personal data for which the Personal Data Controller is the Personal Data Controller.

10. RETURN AND DELETE OF PERSONAL DATA

10.1. When the Customer Agreement has ceased to apply, the Personal Data Administrator must - unless storage of the personal data is required by applicable law - return and/or delete the personal data in accordance with what appears in the Customer Agreement.

10.2. At the request of the Personal Data Controller, the Personal Data Assistant must confirm in writing what measures have been taken regarding the personal data after the end of the processing according to point 10.1 above.

11. INDEMNIFICATION

11.1. The Personal Data Processor is - to the extent that such compensation is permitted - entitled to compensation according to the Personal Data Processor's price list in effect at any time for the work performed due to the obligations in clauses 3.3, 3.4, 4.5, 4.6, 4.7, 7.2, 8.2 and 10 of this Processor Agreement .

12. LIMITATION OF LIABILITY

12.1. The limitations of liability that apply according to the Customer Agreement shall be applied to the Personal Data Processor's liability according to this Processor Agreement.

Sub-Annex 1: Instructions for the data processing

Purpose

Purposes for which personal data may be processed by the Personal Data Officer:

The Personal Data Processor The Personal Data Processor processes personal data in order to provide the Personal Data Controller INVONO One with its services and functions. For which more specific purposes personal data is processed depends on which of the services and functions in INVONO One are used by the Personal Data Controller.

Examples of purposes are:

• Keeping the share register for companies

• Administration of ownership issues in companies

• Administration of membership issues in associations

• Administration of board and/or management work in companies/associations/organizations

• Document and contract management

• Electronic signing of documents and creation of proof of such signatures

Categories of personal data

Personal data that may be processed by the Personal Data Officer:

Personal data is processed in order to provide the Personal Data Controller INVONO One with its services and functions. Which categories of personal data are processed vary depending on which of the services and functions in INVONO One are used by the Personal Data Controller, and which personal data he chooses to process in INVONO One. Certain services in INVONO One enable the Data Controller to enter free text and/or enter documents of various formats into INVONO One. The following categories of personal data are relevant:

• name

• email address

• social security number

• address

• phone number

• which bank issued the registrant's BankID

• that the registered person has identified himself or signed documents with the Data Protection Officer using BankID

• that the registered person has signed documents with the Personal Data Protection Officer using a verification code via e-mail

• technical information when communicating with the data subject via e-mail (during e-signature process), such as time of sending and opening of e-mail

• technical information when the data subject uses BankID to identify himself or sign documents with the Personal Data Controller, such as time, IP address, type of BankID and type and version of mobile phone or computer information about IP address when the data subject uses a verification code via e-mail to sign documents with the Personal Data Protection Officer

• geographic location information when the data subject uses BankID to identify himself or sign documents with the Personal Data Protection Officer,

• personnel data, such as social security number, title/position, bank account number, salary and other conditions, absence, salary basis, pension

• personal reference in invoices, contracts, etc.

• shareholding and price for/value of shares

• board/management involvement

• professional/position/role description

• other information about people in documents and/or free text

Categories of registrants

Categories of data subjects that the Personal Data Assistant may process personal data on:

• The Board and management members of the Data Controller

• Employees of the Personal Data Controller

• Other people who have been given the opportunity to interact with it in some way

• Personal data manager in INVONO One

• Persons who have been invited by the Personal Data Controller or Customer Member for electronic signing of documents

• The Personal Data Controller customers, suppliers, partners as well other categories of data subjects whose personal data on Personal data controller chooses to process in INVONO One (e.g. as part of the content of agreements, customer lists or other documentation)

• Depending on which business it is Personal data controller chooses to use The services within the Personal Data Protection Officer may process personal data about minors.

Treatment activities

Processing activities regarding personal data that may be carried out by the Personal Data Assistant:

The Personal Data Assistant will store and process personal data in connection with the provision of INVONO One and the services therein to the Personal Data Controller. The personal data processor does not knowingly process sensitive data in connection with the processing activities described in this Sub-Annex. The following treatment activities are relevant:

• Creation or introduction of personal data in INVONO One by the person in charge of Personal Data entering text or documents into INVONO One.

• Organisation, structuring and storage of personal data.

• Use of personal data for e-mail notifications.

• Use of personal data – including transfer to e-ID providers – to enable e-signing of documents.

• Use of personal data for the creation of evidence packages in connection with e-signing.

• Provision of personal data included in evidence packages regarding e-signing to persons/organizations that were involved in the signing process.

• Transfer of personal data in order to fulfill the Personal Data Officer's obligations in accordance with paragraph 4i The assistance agreement.

• Transfer/transfer of personal data to group companies, collaboration partners and/or subcontractors in accordance with the Customer Agreement (in order to be able to deliver and/or develop the content of INVONO One).

• Matching of personal data with data in INVONO One and/or external registers, e.g. to retrieve shareholders' address information in connection with drawing up the share register.

• Use of personal data for controlling the authorization to services, functions and Customer data in INVONO One.

• Return and deletion of personal data in accordance with the Customer Agreement.

• Duplication of personal data in connection with backup management.

Place(s) for processing the personal data

Places where personal data may be processed by the Personal Data Officer:

Place of processing varies depending on which of the services and Place of processing varies depending on which of the services and functions of INVONO One are used by the Personal Data Controller. Based on the processing activities as above, processing of personal data may take place at the following locations:

• Creation or introduction of personal data in INVONO One - within the EU

• Organisation, structuring and storage of personal data - within the EU

• Use of personal data for e-mail notifications – if the recipient of e-mail notifications has their e-mail server outside the EU/EEA, the name of the person who performed a notifying action in INVONO One may be transferred to such third country in connection with the notification. Otherwise, only data access within the EU is enabled.

• Use of personal data - including transfer to e-ID providers - to enable e-signing of documents - within the EU

• Use of personal data for the creation of evidence packages in connection with e-signing - within the EU

• Provision of personal data included in e-signing proof packages for persons/organizations that were involved in the signing process - access is enabled within the EU

• Transfer of personal data to fulfill the Personal Data Processor's obligations e the Processor Agreement - within the EU

Data security

The personal data assistant ensures that INVONO One is safe to use through, for example, encrypted storage, secure login with BankID or two-step verification, authorization control, the ability to make register extracts and delete personal data.

When there are no functions in INVONO One to handle personal data-related issues, the Personal Data Officer has implemented sufficient internal processes and routines for the processing of personal data.

Further information on implemented organizational and technical security measures can be found in the Personal Data Protection Officer's Data Security Description.

Sub-Annex 2: Pre-approved assistants