Last updated: 1 March 2026
Effective date: 1 March 2026

This Data Processing Addendum (“DPA”) is an Additional Term incorporated by reference into the ET Cloud POS Terms of Service (the “Agreement”). Capitalised terms not defined in this DPA have the meanings given in the Agreement.

If there is a conflict between this DPA and the Agreement, this DPA governs only with respect to the processing of Personal Data.

1. Definitions

Terms used but not defined in this DPA have the meanings given in the Agreement. In addition:

• “Data Protection Laws” means applicable privacy and data protection laws and regulations that apply to processing of Personal Data under the Agreement.

• “Controller” means the entity that determines the purposes and means of processing Personal Data.

• “Processor” means the entity that processes Personal Data on behalf of a Controller.

• “Subprocessor” means a third party appointed by the Company to process Personal Data on behalf of the Merchant.

• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

• “Restricted Transfer” means a transfer of Personal Data to a country or recipient that is restricted under applicable Data Protection Laws.

2. Roles and Scope

2.1 Roles

As between the parties, the Merchant is the Controller of Personal Data included in Merchant Data, and the Company is the Processor.

2.2 Scope of Processing

The Company will process Personal Data only to provide, maintain, secure, and support the Services; to improve the Services; to comply with legal obligations; and as otherwise permitted under the Agreement.

2.3 Merchant Instructions

The Company will process Personal Data only on documented instructions from the Merchant, including as set out in the Agreement and as necessary to provide the Services. The Merchant instructs the Company to process Personal Data for the purposes described in Annex A.

If the Company believes an instruction infringes Data Protection Laws, the Company will notify the Merchant unless prohibited by law.

3. Merchant Responsibilities

The Merchant is responsible for:

1. providing required notices and obtaining required consents or other lawful bases for processing Personal Data;

2. ensuring Personal Data provided to the Company is accurate and kept up to date where required;

3. configuring the Services appropriately for the Merchant’s compliance needs (including retention settings, user permissions, and access controls);

4. responding to requests from individuals and regulators, except to the extent the Company is required to respond as a Processor under Data Protection Laws.

4. Company Processing Obligations

The Company will:

1. process Personal Data in accordance with this DPA, the Agreement, and Data Protection Laws applicable to the Company as a Processor;

2. ensure persons authorised to process Personal Data are subject to confidentiality obligations;

3. implement and maintain appropriate technical and organisational measures as described in Annex B;

4. not sell Personal Data or use Personal Data for advertising profiles unrelated to the Services.

5. Subprocessing

5.1 Authorisation

The Merchant provides general authorisation for the Company to appoint Subprocessors to support delivery of the Services.

5.2 Subprocessor Obligations

The Company will:

1. impose data protection obligations on Subprocessors that are no less protective than those in this DPA (including confidentiality and security);

2. remain responsible for Subprocessor performance of its obligations related to processing Personal Data.

5.3 Subprocessor List and Changes

The Company will make available, upon request, a list of Subprocessors used for the Services. The Company may update Subprocessors from time to time. Where reasonably practicable, the Company will provide notice of material changes to Subprocessors.

If the Merchant objects to a new Subprocessor on reasonable data protection grounds, the parties will work in good faith to address the objection, including by providing an alternative where commercially reasonable. If no resolution is possible, the Merchant may terminate the affected Services in accordance with the Agreement.

6. Security

6.1 Security Measures

The Company will implement and maintain reasonable technical and organisational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Examples are listed in Annex B.

6.2 Merchant Security Responsibilities

The Merchant is responsible for securing Merchant credentials, devices, networks, and any Merchant-managed systems; for enforcing strong authentication and access policies; and for configuring user access levels appropriately.

7. Personal Data Breach Notification

Upon becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, the Company will:

1. notify the Merchant without undue delay after confirmation of the Personal Data Breach; and

2. provide information reasonably required by the Merchant to meet breach notification obligations under Data Protection Laws, to the extent available to the Company.

The Company’s notification will include, where practicable: (a) a description of the nature of the Personal Data Breach; (b) categories and approximate number of affected individuals and records (if known); (c) likely consequences; and (d) measures taken or proposed.

The Company will not be responsible for notifying affected individuals directly unless required by applicable law.

8. Assistance With Data Subject Requests and Compliance

8.1 Data Subject Requests

If the Company receives a request from an individual relating to Personal Data processed on behalf of the Merchant (e.g., access, correction, deletion), the Company will, where legally permitted, direct the individual to the Merchant.

The Company will provide reasonable assistance, taking into account the nature of the processing, to enable the Merchant to respond to such requests, including through self-service features and, where necessary, additional support subject to applicable fees.

8.2 Regulatory Requests

If the Company receives a request from a regulator relating to Personal Data processed on behalf of the Merchant, the Company will notify the Merchant where legally permitted.

8.3 DPIAs and Prior Consultation

Where required under Data Protection Laws, the Company will provide reasonable information available to the Company to assist the Merchant with data protection impact assessments and prior consultations, subject to confidentiality and reasonable cost recovery.

9. International Transfers

The Services may involve processing or storage of Personal Data in Sri Lanka and/or other countries depending on hosting, support, and Subprocessors.

For any Restricted Transfer, the Company will ensure appropriate safeguards are in place as required by applicable Data Protection Laws.

10. Return or Deletion of Personal Data

Upon termination of the Services:

1. the Merchant may export Merchant Data using available export tools (subject to the Agreement);

2. the Company may delete Merchant Data (including Personal Data) in accordance with the Agreement and the Company’s retention practices.

Unless an applicable Order Form, the Agreement, or Data Protection Laws require otherwise, the Company may delete Merchant Data after the deactivation and deletion window described in the Agreement. Personal Data retained in routine backups may be deleted on the Company’s standard backup lifecycle.

11. Audits

Merchant is responsible for conducting any audits Merchant requires for Merchant’s internal compliance purposes.

Except to the extent expressly required by applicable Data Protection Laws, the Company is not obligated to (a) provide audit reports, attestations, certifications, or similar materials, or (b) permit audits or inspections of the Company’s systems, premises, or records.

12. Confidentiality

Each party will keep the other party’s Confidential Information confidential and use it only as permitted by the Agreement. This includes any security documentation and audit materials disclosed under this DPA.

13. Liability

Liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent prohibited by applicable law.

14. Term

This DPA remains in effect for as long as the Company processes Personal Data on behalf of the Merchant under the Agreement.

Annex A — Details of Processing

Subject matter: Provision of point-of-sale software and related support services.

Duration: For the term of the Agreement and any additional period required for deactivation, retention, backup, or legal compliance.

Nature and purpose of processing: Hosting, storing, organising, transmitting, retrieving, viewing, and otherwise processing Merchant Data to provide the Services; providing support; maintaining security; preventing fraud and abuse; complying with legal obligations.

Categories of data subjects: Merchant staff/users; Merchant customers; suppliers; delivery partners; other individuals whose Personal Data is included in Merchant Data.

Categories of Personal Data (non-exhaustive): Names; phone numbers; email addresses; loyalty identifiers; invoice/receipt details; transaction history; customer notes (if entered); device identifiers and logs; user credentials and roles; business contact details.

Special categories/sensitive data: The Services are not intended for special categories of Personal Data unless specifically agreed in an Order Form. If the Merchant chooses to input such data, the Merchant is responsible for ensuring a lawful basis and appropriate safeguards.

Processing operations: Collection (from Merchant inputs), recording, organisation, structuring, storage, adaptation/alteration, retrieval, consultation, use, disclosure by transmission (as needed for the Services), alignment/combination, restriction, erasure, and destruction.

Annex B — Security Measures

The Company maintains a security program designed to protect Merchant Data. Measures may include (as appropriate to the Services):

1. Access controls: role-based access, least-privilege principles, and controlled administrative access.

2. Authentication: strong password requirements and support for multi-factor authentication where available.

3. Encryption: encryption in transit (e.g., TLS) and encryption at rest where applicable.

4. Monitoring and logging: system logging and monitoring for security events.

5. Vulnerability management: regular patching and remediation processes.

6. Backups and recovery: routine backups and disaster recovery practices.

7. Segregation: logical separation of tenant data where applicable.

8. Incident response: documented procedures for security incident handling.

9. Personnel security: confidentiality obligations and access limitations for personnel.

The Company may update these measures from time to time provided overall security is not materially reduced.