TERMS AND CONDITIONS GLBNXT B.V.

Effective date : 25 November 2025

Contracting party: GLBNXT B.V. located at Druivenstraat 5-7, 4816 KB Breda, the Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 95536779.

1. DEFINITIONS

   
   In these Terms and Conditions, the following terms have the following meanings.

   
   "AI Act" means Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonisation rules for artificial intelligence (the "AI Act"), including all implementing acts, delegated regulations, guidelines and interpretative documents adopted from time to time by the European Commission or competent authorities. The term also includes all obligations that apply to Client when Client acts as a provider or deployer of an AI system under the AI Act, regardless of the way in which Client configures or applies GLBNXT's AI Platform.

   "Agreement" means these Terms and Conditions, together with the Order, the Data Processing Agreement, the Sub-processor List, and any additional documentation expressly agreed to in writing by the Parties. The Agreement constitutes a binding whole for the use of the Services.
   "Authorized Users" are the natural persons designated by Customer to access the Services and the AI Platform, typically employees or contractors of Customer. Customer bears full responsibility for compliance with the Agreement by Authorized Users.
   "Customer" is the legal entity that purchases the Services, as defined in the Order.
   "Customer Data" includes any data, information, prompts, instructions, texts, documents, datasets, metadata, audio files, configurations, agents, workflows, scripts, or other content entered, uploaded, transmitted, generated, or processed into the AI Platform by or on behalf of Customer, including the Output resulting from the use of the Services.
   "GLBNXT" means GLBNXT B.V., the provider of the Services.
   "DPA" means the Data Processing Agreement that forms an integral part of the Agreement and in which the parties further define their obligations under the General Data Protection Regulation (EU 2016/679).
   "Fee" means the prices and rates payable by Customer for the use of the Services, consisting of fixed subscription fees and variable charges based on actual usage, as set forth in the Order.
   "Order" means the written or electronic order confirmation that refers to these Terms and Conditions and includes the fees, subscription duration, variable user components, any modules and additional terms and conditions.
   "Output" includes all AI-generated results that arise from Customer Data, including text, predictions, classifications, analytics, reports, generated artifacts, AI agent actions, or other system generated outcomes.
   "Services" include GLBNXT's AI Platform and all associated functionalities, APIs, tools, agent systems, model connections, documentation, hosting, and operational infrastructure made available by GLBNXT.
   "Subscription Period" means the duration of the subscription as set out in the Order, including any renewals.
   "Sub-processor" means a third party engaged by GLBNXT for the processing of Customer Data within the European Union in accordance with the DPA.

   
   

2. THE SERVICES

2.1 Nature of the Services
GLBNXT offers a professional AI Platform that enables Customer to design, configure, test, develop, and manage AI agents and AI-driven processes. The AI Platform enables Customer to use one or more AI models, including models from third parties. The Platform supports the construction of logic, workflows, and decisioning processes through technical tools, API integrations, and agent features.
The Services are provided solely as Software-as-a-Service. Customer does not acquire ownership of any software, model code, model parameters, or infrastructure, regardless of the degree of use or interaction with the AI Platform.
GLBNXT does not provide professional implementation services, no customization and no project-based configurations, unless expressly agreed otherwise. Any managed services will be provided solely by GLBNXT's partners on the basis of a separate contractual relationship between Client and such partner.
GLBNXT is not responsible for the design, content, accuracy, or legality of the AI agents, prompts, workflows, datasets, or Outputs created or used by Client. The Customer independently determines the purposes and means of the processing and qualifies as a provider or deployer under the AI Act.

2.2 Availability
GLBNXT endeavours to make the Services available with reasonable care and skill during the Subscription Period. Availability may be affected by maintenance, security incidents, problems with third-party model providers, network failures, legal obligations, or circumstances beyond GLBNXT's reasonable control. GLBNXT will, to the extent possible, communicate planned maintenance work in advance, unless this is not reasonably possible for security, urgent operational or legal reasons.
Information about support, maintenance, and the availability of the AI Platform is included in the separate Service Level Agreement (SLA) to which this Agreement refers. The SLA does not form part of these Terms and Conditions but is a separate document on which performance is assessed.

2.3 Changes to the Services
GLBNXT may change, improve, suspend or discontinue the functionalities of the Services at any time, provided that such changes do not constitute a material reduction in functionality unless it is necessary for compliance with laws, security regulations or operational stability. GLBNXT reserves the right to replace model providers or technical components with functionally equivalent alternatives if this is necessary for continuity, security or legal compliance.

3. Obligations of Customer
Customer is responsible for using the Services in a manner consistent with the Agreement, applicable laws and regulations, and the instructions provided by GLBNXT. Customer is fully responsible for complying with all obligations incumbent on it, including the obligation to carry out risk as-sessments, documentation, transparency towards end users and compliance with applicable requirements with regard to the deployment of AI systems in its own business processes or products.
Client acknowledges that GLBNXT has no responsibility for the Output or the manner in which Output is interpreted, reviewed, or used within Client's business operations. If Customer builds hybrid systems with external models or additional third-party AI components, Customer is fully responsible for the integration, compatibility and compliance with the license conditions and legal obligations applicable to those components.

4. Use of the Services
Client is prohibited from selling, renting, leasing, sublicensing, distributing, making available to third parties, or in any way commercially exploiting the Services or any portion thereof outside of the use rights granted by GLBNXT. Customer may not copy, reproduce, modify, reverse engineer, decompile, or attempt to discover the source code, model architecture, or internal workings of the models or systems of the AI Platform, the underlying models, model connections, or any other component of the Services.
Customer warrants that its use of the AI Platform is solely for legitimate business purposes and that both Customer Data and the agents, workflows, or other AI components configured by Customer will not infringe any third party rights, be misleading, or otherwise cause harm. Customer is not permitted to use the Services for applications that are misleading, create improper risks for individuals or groups, or lead to forms of profiling, decision-making or automated actions that fall under a strict risk framework without Customer having implemented the necessary safeguards for this purpose.

5.Data and Ownership
Customer remains the owner of all Customer Data and Output at all times. Nothing in the Agreement shall be construed as a transfer of ownership rights to Customer Data, Output or any data entered or generated by Customer in the AI Platform. GLBNXT retains ownership of the AI Platform, all underlying software, model connections, documentation, frameworks, agent functions, system templates, model architectures, scripts, configuration components, and all other intellectual property rights associated with the Services.
GLBNXT uses Customer Data solely for the purpose of providing the Services, performing technical support, complying with legal obligations, and performing security and operational processes nec-essary for the functioning of the AI Platform. GLBNXT will never use Customer Data to train or improve generic models without Customer's prior written explicit consent. All rights not expressly granted to GLBNXT shall remain with Client. GLBNXT acknowledges that Customer Data and Output may contain confidential information of Customer and treats it as such in accordance with the Agreement and the DPA.
GLBNXT may only process fully anonymized, non-traceable, and aggregated technical usage data for the purpose of improving the AI Platform, measuring performance, and developing analytical insights. This anonymized data contains no personal data, no substantive prompts and no traceable Output. Anonymization is done in accordance with the highest standards applicable under applicable law.
During the Subscription Period, Customer has the right to request, export, transport and receive Customer Data in a structured, commonly used and machine-readable format. Customer is re-sponsible for the secure storage, processing and management of exported data.

6.Security and Processing
GLBNXT will implement appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Data, taking into account the nature of the data, the risks of processing and the state of the art. These measures include at least such controls, access restrictions, encryption, logging and network security as are reasonably necessary to prevent unauthorized access, unauthorized disclosure or loss of Customer Data. GLBNXT is committed to continuously improving its security measures.
GLBNXT processes Customer Data exclusively within the European Union. All Sub-processors engaged by GLBNXT are located within the European Union and operate under contractual terms that are at least equivalent to the obligations set out in the Agreement and the DPA. The current list of Sub-processors is published by GLBNXT on its website, which may be updated periodically. GLBNXT will notify Client of material changes in accordance with the notification requirements set forth in the DPA.
Customer acknowledges that the security of Customer Data is partly dependent on the way in which Customer uses the AI Platform. Customer is responsible for protecting its own systems, accounts and login credentials from unauthorized access and taking appropriate measures to prevent misuse or manipulation of the Services. Customer is not entitled to circumvent technical restrictions or security measures of the AI Platform. Nor shall Client attempt to use the AI Platform in a manner that harms the performance, stability, or security of GLBNXT's infrastructure, including generating disproportionately high volumes of prompts, model requests, compute usage, or other forms of systematic overload. GLBNXT reserves the right to monitor the use of the Services to detect abuse, security risks, and violations of the Agreement.
In the event of a security incident involving Customer Data, GLBNXT will inform Customer in a timely manner in accordance with the DPA and applicable law. GLBNXT will use reasonable efforts to mitigate the impact of such incident and to take remedial actions. GLBNXT is not responsible for security incidents caused by Client, third parties, models integrated by Client or systems under Client's control.

7.Fees and Payment
Customer shall pay all fees as specified in the Order. The fees consist of fixed subscription fees for access to the AI Platform and additional fees based on actual usage of the Services, including but not limited to the use of model tiers, tokens, compute capacity, storage, transactions, and other usage-related components. The exact parameters for variable compensation are described in the Order or in the supporting documentation.
GLBNXT invoices in accordance with the billing cycle specified in the Order. Invoices must be paid by the Client within a payment term of thirty calendar days after the invoice date. In the event of late payment, GLBNXT reserves the right to suspend access to the Services until payment has been made. Suspension does not relieve Client of the obligation to pay outstanding invoices and does not affect other rights of GLBNXT.
GLBNXT is entitled to adjust the fees upon extension of the Subscription Period, provided that Customer is informed of this in a timely manner, with reasonable advance notice. If Customer objects to an intended adjustment, Customer has the option to terminate the Agreement with effect from the end of the current Subscription Period. If Customer continues to use the Services after the effective date of the adjustment, Customer will be deemed to accept the adjusted fees.
Customer is fully responsible for taxes, duties, and other legal withholdings arising from the use of the Services. If GLBNXT is required by law to withhold or collect such amounts, GLBNXT will specify them on the invoice and Customer will pay such amounts in addition to the fees for the Services.

8.Intellectual Property
Customer is and remains the exclusive owner of Customer Data and of all configurations, models, workflows, prompts, instructions, agents and other artefacts that Customer creates or provides within the AI Platform. If Customer uses GLBNXT's templates, workflows or system components and develops its own variants thereon, such variants will remain the property of Customer, provided that the underlying technology, logic and structure on which the variant is based will remain the property of GLBNXT.
GLBNXT is and will remain the exclusive owner of all intellectual property rights in the AI Platform, including but not limited to software, model connections, framework modules, agent systems, scripts, architectures, algorithms, security implementations, documentation, manuals, tem-plates, system prompts, workflows, and other technical or functional elements developed or used by GLBNXT for the provision of the Services. Nothing in the Agreement shall be construed as a transfer of ownership rights from GLBNXT to Client.
Neither Party acquires any rights to the intellectual property rights of the other Party, except for the limited rights of use expressly granted in the Agreement. Customer only acquires the right to use the Services during the Subscription Period, in accordance with the terms of the Agreement. This right of use is limited, revocable, non-exclusive and non-transferable.
If any third parties make any claim of infringing use of the Services by Customer, Customer shall promptly notify GLBNXT. GLBNXT shall indemnify Client against any third-party claims arising from any alleged infringement caused solely by the AI Platform in its unmodified form, excluding breaches arising from Customer Data, content provided by Client, modifications by Client, or use in viola-tion of the Agreement. If GLBNXT determines, in its sole discretion, that the AI Platform may be in-fringing, GLBNXT may at its discretion offer a replacement remedy, modify the Services, or termi-nate access with a refund of any unconsumed fees for the remaining Subscription Period.

9.Warranties
GLBNXT warrants that the Services will function materially during the Subscription Period as described in the applicable documentation, SLA, and the Order. GLBNXT warrants that it will provide the Services with reasonable care, expertise, and professionalism. This warranty does not apply to interruptions or limitations arising from circumstances beyond GLBNXT's reasonable control, in-cluding failures of third-party model providers, necessary security measures, changes in legislation, or corrective actions to protect the AI Platform.
GLBNXT makes no warranties as to the accuracy, completeness, or suitability of Output for any particular application. Output is generated from probabilistic models and may be inaccurate, incorrect, misleading, or contextually inappropriate. Client acknowledges that Output is inherently variable and that its use requires professional review. GLBNXT shall not be liable for damages resulting from the interpretation or application of Output by Customer or by Customer's end users.
GLBNXT does not warrant that the Services will be free from errors, interruptions, security incidents, or that the Services will always be uninterrupted. GLBNXT also does not warrant that the Services will meet any specific technical requirements or objectives of Customer, unless expressly agreed to in writing. All other warranties, express or implied, statutory or otherwise, including warranties of merchantability or fitness for a particular purpose, are excluded to the fullest extent permitted by law.
If Customer becomes aware of a defect in the Services that affects its essential functioning, Customer must notify GLBNXT in writing. GLBNXT will make every effort to remedy the defect within a reasonable period of time. This provision constitutes Customer's exclusive remedy for defects in the Services.

10.Indemnification
GLBNXT shall indemnify and defend Customer against any third party claims alleging that the Services provided by GLBNXT in their unaltered form infringe any intellectual property rights of a third party, provided that Customer notifies GLBNXT in writing of the claim in a timely manner, gives GLBNXT exclusive control over the defense and any settlement, and Customer fully cooperates. This indemnification obligation does not apply to claims arising out of Customer Data, modifications by Customer, use in violation of the documentation or the Agreement, or combinations of the Services with systems or data of Customer or third parties.
If GLBNXT determines that the AI Platform may infringe or may infringe any third-party rights, GLBNXT may, in its sole discretion, take measures to mitigate the risk, including modifying the Services, replacing parts with functionally equivalent alternatives, or terminating access to the Services with reimbursement of prepaid fees for unused periods. This provision constitutes GLBNXT's exclusive obligation in the event of intellectual property claims.
Customer shall indemnify GLBNXT for all claims, liabilities, damages, and costs, including reasonable attorneys' fees, arising out of or relating to Customer Data or Customer's or Authorized Users' use of the Services in violation of the Agreement, applicable law, or third party rights. This indemnification includes, but is not limited to, claims arising from unlawful or inaccurate processing of Customer Data, Customer's failure to comply with applicable legal requirements regarding transparency or provision of information by Customer to end users, use of Output without appropriate verification, and claims arising from Customer generating, disseminating or using false or mislead-ing information in the context of its own products or services.
Customer acknowledges that Customer Data is its sole responsibility and that GLBNXT does not exercise any control over the content of the data that Customer enters or generates through the AI Platform. Customer therefore indemnifies GLBNXT against any third-party claims relating to viola-tions of privacy, intellectual property rights, confidentiality, trade secrets or contractual obligations arising out of Customer Data or from workflows or agents established by Customer.

11.Liability
GLBNXT's liability to Customer arising out of or in connection with the Agreement, regardless of the basis of the claim, shall in all cases be limited to the total amount paid by Customer for the Services during the twelve month period prior to the event to which the liability relates, with an absolute maximum of twenty-five thousand euros (€ 25,000). If Customer purchases multiple Ser-vices or has multiple Orders, this limit will be applied to the relevant Service to which the incident relates and the limit will not be applied cumulatively.
In no event shall GLBNXT be liable for any indirect, consequential, business interruption, loss of profits, loss of data, loss of goodwill, damages resulting from delay, damages arising from reliance on Output or other AI-generated information, or damages caused by Customer's ability to set up or apply workflows, configurations, or agents. Client acknowledges that Output is inherently variable, probabilistic, and potentially inaccurate and that the use of Output requires professional review.
Nor shall GLBNXT be liable for damages resulting from the processing of Customer Data entered or generated by Customer, nor for violations of applicable laws if arising from Customer's acts or omissions. GLBNXT is not responsible for Client's compliance with applicable regulations for AI use, including its obligations as a provider or user responsible under the AI Act.
The limitations set forth in this section do not apply to liability arising from GLBNXT's willful misconduct or willful recklessness, nor to liability that may not be excluded or limited by law. Any claim must be submitted in writing to GLBNXT within twelve months of the date on which the inci-dent occurred, failing which the claim shall be extinguished.

12.Confidentiality
Each Party shall treat all confidential information it receives from the other Party under the Agreement as strictly confidential and shall not disclose it to any third party unless this is necessary for the performance of the Agreement and the receiving Party ensures that such third parties are bound by at least equivalent confidentiality obligations. Confidential information means any information provided by one Party to the other Party that can reasonably be considered confiden-tial, regardless of the form in which it is transmitted.
Confidential Information does not include information that was already public without breach of the Agreement, information that was developed independently without using confidential infor-mation of the other Party, information that was lawfully provided by a third party without restriction, or information that is required to be disclosed pursuant to a legal regulation or court order. If a Party is required by law to disclose confidential information, it shall notify the other Party prior to disclosure, unless prohibited by law.
The Parties shall use confidential information only for the purposes directly related to the perfor-mance of the Agreement and shall implement reasonable technical and organizational measures to protect this information from unauthorized access or disclosure. The obligations under this article shall remain in force for the term of the Agreement and for a period of three years after its termination, regardless of the reason for termination.

13.Duration and Renewal
The Agreement shall enter into force on the date specified in the Order and shall remain in effect for the Subscription Period specified in the Order, unless terminated earlier in accordance with the terms of the Agreement. At the end of the Subscription Period, the Agreement shall be auto-matically extended for subsequent periods of twelve months, unless one of the Parties has notified the other Party in writing no later than thirty days before the end of the current period that it does not wish to renew the Agreement.
If Customer activates additional Services or purchases extensions of the AI Platform during the Subscription Period, the subscription term for these additional components will commence on the date of activation and correspond to the remaining term of the existing Subscription Period, unless otherwise agreed in the Order. Fees for Additional Services will be prorated for the remaining period. All obligations that by their nature should continue even after termination of the Agreement, in-cluding obligations with regard to confidentiality, ownership of data, indemnities, limitations of liability, remain in full force and effect.

14.Suspension of Services
GLBNXT shall be entitled to suspend Customer's access to the Services, in whole or in part, if Customer is in default of any material obligation under the Agreement, including but not limited to late payment of fees, breach of security obligations, uploading or processing Customer Data in violation of law or using the Services in a manner that, in GLBNXT's opinion, poses a risk to integrity, security or availability of the AI Platform.
GLBNXT shall, to the extent reasonably practicable, inform Client prior to a suspension and give it an opportunity to remedy the relevant shortcoming within a reasonable period of time. If immediate suspension is necessary to protect security, infrastructure, or comply with laws, GLBNXT may suspend access without notice. Suspension does not affect the Client's obligation to pay outstanding fees.
If the ground for suspension continues for more than thirty days, GLBNXT shall be entitled to termi-nate the Agreement in accordance with Article 15. In the event of suspension, the Client is not entitled to a refund of fees or any form of compensation. Suspension under this section shall not be deemed to constitute a breach of the Agreement by GLBNXT.

15.Termination
The Agreement may be terminated by either Party by written notice if the other Party breaches a material obligation under the Agreement and has not cured such breach within thirty days of written notice thereof. GLBNXT may terminate the Agreement immediately if Customer processes Customer Data in violation of legislation, if Customer endangers the security of the AI Platform, or if Customer acts materially in violation of applicable regulations.
Customer may terminate the Agreement with effect from the end of the Subscription Period by giv-ing written notice no later than thirty days before the end of that period. Upon termination of the Agreement, outstanding payment obligations will remain in full force. Fees already paid for ser-vices not yet provided will not be refunded, unless the Agreement is terminated due to an attribut-able failure on the part of GLBNXT.
Upon termination, GLBNXT will terminate Customer's access to the Services. GLBNXT will make Customer Data available for export in a structured, commonly used and machine-readable format for a period of thirty days after termination. At the end of this period, GLBNXT will delete Customer Data in accordance with the DPA. Customer is responsible for the timely export of data.
If the Agreement is terminated by Customer in connection with switching to another provider, GLBNXT will provide such technical and organizational support as is reasonably necessary. Any additional work that is not covered by the standard export functionality can be performed by GLBNXT at cost-based rates.

16.Governing Law
The Agreement is exclusively governed by Dutch law. Disputes arising out of or in connection with the Agreement shall be submitted exclusively to the competent court in the Netherlands.
The parties shall endeavour to resolve disputes amicably in the first instance through consultations at an appropriate level within their organisations before initiating proceedings. If the Parties are unable to reach a solution within a reasonable period of time, either Party shall be free to submit the matter to the competent court.
If any provision of the Agreement is held to be invalid or unenforceable by a court of law, the re-maining provisions shall remain in full force and effect and the provision declared invalid shall be replaced by a provision that comes as close as possible to the intent of the original provision within the limits of the law.

17.Miscellaneous
The Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any prior agreements, undertakings, or representations made orally or in writing. Amendments or additions to the Agreement are only valid if they have been agreed in writing by both Parties.
Neither Party may transfer any rights or obligations under the Agreement to a third party without the prior written consent of the other Party, unless the transfer is made in the context of a merger, acquisition or transfer of a substantial part of the transferring Party's business activities. However, GLBNXT may assign rights and obligations within its group of companies without Customer's consent.
The failure of a Party to enforce any right or provision under the Agreement shall not be deemed a waiver of such right or provision. A waiver of rights is only valid if it has been agreed in writing. Provisions that by their nature are intended to survive termination of the Agreement, including provisions on confidentiality, liability, intellectual property, data ownership and export obligations, shall survive termination, regardless of the reason thereof.

DATA PROCESSING AGREEMENT (DPA)

Effective date : 11 November 2025

GLBNXT B.V. incorporated in the Netherlands, located at Druivenstraat 5-7, 4816 KB Breda, the Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 95536779 (hereinafter: “Processor”)
and
Customer
(hereinafter: “Controller”)
jointly “Parties”.

1. SUBJECT AND DURATION
   This Data Processing Agreement (“DPA”) forms an integral part of the Agreement between the Parties and governs the processing of personal data by Processor on behalf of Controller in the context of the use of the AI Platform and associated Services of Processor. The DPA enters into force on the date the Agreement becomes effective and remains applicable as long as Processor processes personal data on behalf of Controller. Upon termination of the Agreement, the provisions of this DPA remain in effect as long as personal data is retained by Processor in accordance with this DPA.

   
   

2. ROLES OF THE PARTIES
   Controller determines the purpose and means of the processing of personal data and remains fully responsible at all times for the lawfulness of the processing, the accuracy of personal data, compliance with the General Data Protection Regulation (“GDPR”), and all obligations applicable thereto. Processor processes personal data solely on behalf of Controller and only to the extent necessary for the provision of the Services. Processor does not act as joint controller, provider of a high-risk AI system, or independent controller.

   
   

3. NATURE, PURPOSE, AND CATEGORIES OF PROCESSING
   Processing takes place in the context of the provision of the AI Platform and related Services. The nature of the processing includes, among other things, storage, transmission, access, generation of Output, technical logging, execution of prompts, configuration of workflows, and functionalities necessary for the performance of the Agreement.
   The purpose of the processing is to enable Controller to use the AI Platform for business purposes, including designing, testing, managing, and deploying AI agents and AI processes. Personal data may be processed as part of Customer Data.
   The categories of data subjects are determined by Controller and may include employees, customers, end users, employees of third parties, or other individuals appearing in Customer Data.
   The categories of personal data are also determined by Controller and may include identifying da-ta, contact data, transaction data, communication content, and other data uploaded or generated by Controller. Controller warrants that no special categories of personal data are processed without a valid legal basis.

   
   

4. INSTRUCTIONS FROM CONTROLLER
   Processor processes personal data only on the basis of written or electronic instructions from Controller. If an instruction conflicts with the GDPR or other applicable legislation, Processor will immediately inform Controller. Processor is not obliged to carry out processing that is unlawful or outside the scope of the Agreement.
   Controller is responsible for providing accurate and lawful instructions. The configuration of the AI Platform, the content of prompts, the structure of workflows and agents, and the resulting processing of personal data are considered instructions from Controller.

   
   

5. CONFIDENTIALITY
   Processor ensures that persons who have access to personal data observe confidentiality and are bound by contractual or statutory confidentiality obligations. Processor does not provide personal data to third parties, except to Sub-processors as described in Article 7 or if required by law.

   
   

6. SECURITY MEASURES
   Processor takes appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against loss, destruction, or damage. These measures include, among others, encryption, access management, logging, monitoring, segmentation of customer data, securing network connections, authentication and authorization controls, and incident response procedures. Processor continuously develops its security program.
   Controller is responsible for the security of its own systems, accounts, and access means.

   
   

7. SUB-PROCESSORS
   Processor may engage Sub-processors for the processing of personal data, provided these Sub-processors are located within the European Union and are bound by obligations at least equivalent to those incumbent on Processor under this DPA. The current Sub-processor List is published by Processor on its website.
   Processor will inform Controller thirty days in advance of changes to the Sub-processor List before new Sub-processors are engaged. Controller may object within this period if the engagement of the relevant Sub-processor presents demonstrable risks. If the Parties cannot reach a solution, Controller may terminate the Agreement with due observance of the notice period.
   Processor remains fully liable for the actions of Sub-processors.

   
   

8. TRANSFER TO THIRD COUNTRIES
   Processing of personal data takes place exclusively within the European Union. Processor will not transfer personal data to third countries unless Controller expressly instructs so in writing.

   
   

9. INCIDENT REPORTING
   If an incident occurs resulting in destruction, loss, alteration, unauthorized disclosure of, or access to personal data, Processor will inform Controller without undue delay, stating the nature of the incident, the affected data, the probable cause, the measures taken or proposed, and the expected consequences.
   Processor will assist Controller in fulfilling notification obligations to regulators and data subjects, insofar as required by the GDPR. Processor is not responsible for assessments that are the exclusive responsibility of Controller.

   
   

10. ASSISTANCE TO CONTROLLER
    Processor will, as far as reasonably and proportionally possible, assist Controller with:
    • responding to requests from data subjects,
    • conducting data protection impact assessments (“DPIA”),
    • consultations with supervisory authorities,
    • technical information necessary for Controller to fulfill its obligations.
    Processor is entitled to charge reasonable costs if such requests go beyond what is necessary for Processor’s legal obligations.

    
    

11. DELETION AND RETURN OF DATA
    Upon termination of the Agreement, Processor will delete all personal data within thirty days. The processor will enable Controller to export personal data in a structured and machine-readable format. After deletion, Processor will confirm in writing that deletion has been completed, except for data that Processor is required to retain by law.

    
    

12. AUDIT RIGHTS
    Controller has the right to verify compliance with this DPA. Processor will make relevant documentation, certification reports, and summaries of security audits available. If this documentation is reasonably insufficient, Controller may conduct or have conducted an audit, provided that:
    • the audit is performed by an independent, trustworthy auditor,
    • the audit is limited to systems relevant to the Services,
    • the audit is announced in writing in advance,
    • the audit does not compromise the security or business operations of Processor.
    Processor may charge costs for audits that cause excessive burden.

    
    

13. PROCESSING FOR MODEL TRAINING
    Processor will never use personal data for model training, model improvement, or benchmarking of generative models without a separate, explicit, and written opt-in from Controller. If Controller grants opt-in, only the purposes and limits specified in the opt-in will be processed.

    
    

14. LIABILITY
    The liability provisions included in the Agreement also apply to this DPA and remain fully applicable to all obligations arising from this DPA, unless the GDPR or national legislation mandatorily provides otherwise.

    
    

15. APPLICABLE LAW AND JURISDICTION
    This DPA is governed exclusively by Dutch law. Disputes arising from or related to this DPA will be submitted exclusively to the competent court in the Netherlands.

PRIVACY & SECURITY STATEMENT

Effective Date : 30 November 2025

Version 1.0

GLBNXT B.V. (“GLBNXT”) is a Netherlands-based AI platform company that supports customers within the European Union in designing, developing, and managing AI-driven processes and AI agents. Transparency, privacy, and information security are essential components of our services. This document sets out how GLBNXT handles data processing, security, and compliance with relevant EU regulations, including the GDPR, the AI Act, and the Data Act.

1. Processing Exclusively Within the EU
   GLBNXT processes all data, including personal data, entirely within the European Union. All systems, infrastructures, hosting services, and sub-processors used by GLBNXT are located in the EU and comply with applicable European legislation. No transfers to third countries take place, and GLBNXT does not use suppliers who process personal data outside the EU. Our infrastructure and subprocessor list are continuously monitored to ensure compliance with this guarantee.

2. GLBNXT as Processor Under the GDPR
   GLBNXT acts as a processor within the meaning of the GDPR. Customers using the AI platform always remain the data controller. Customers determine which data they provide and for what purposes they use AI models and workflows. GLBNXT only processes data necessary to deliver the services and never acts outside the instructions of customers. All relevant arrangements are laid down in the Data Processing Agreement (DPA).
   GLBNXT does not use customer data for its own purposes and has no ownership rights to customer data or output. This applies to all parts of the platform, regardless of the nature of the data.

3. No Model Training or Improvement Without Consent
   GLBNXT never uses customer data for training, refining, or improving AI models unless a customer gives explicit written consent. Without opt-in, customer content, prompts, configurations, or output are in no way used for model improvement, benchmarking, or other forms of analysis. Only fully anonymized and aggregated technical metadata, which contains no personal data or customer content, may be used for operational optimization of the service.

4. Transparency Under the AI Act
   GLBNXT offers a generic, configurable AI platform and does not determine what type of AI application customers build or deploy. Customers remain independently responsible for classifying their application under the AI Act, for transparency towards end users, and for compliance with applicable obligations. GLBNXT ensures that the platform has the necessary technical mechanisms to enable customers to meet these obligations and is actively working on further integration of AI compliance functionalities.
   GLBNXT itself does not develop high-risk AI systems and is not designated as a provider of such systems under the AI Act.

5. Data Ownership, Portability, and the EU Data Act
   Customer data always remains the exclusive property of the customer. GLBNXT does not claim usage rights or intellectual property rights to customer data or generated output. Customers can export their data at any time in a structured and machine-readable format. GLBNXT complies with the transparency and portability principles of the EU Data Act and supports customers in switching to other providers if needed.
   GLBNXT deletes customer data upon termination of the service, in accordance with the DPA and with due regard for statutory retention obligations.

6. Security and Technical Measures
   GLBNXT maintains a comprehensive security program that aligns with modern security standards. The technical and organizational measures include, among others, securing data storage, networks, and access; control mechanisms for authentication and authorization; encryption of data during transmission; extensive logging and audit controls, monitoring of system behavior and vulnerabilities; periodic review of access rights, and strict separation of customer environments within the platform.
   GLBNXT is systematically working towards certifications under ISO 27001 and ISO 42001 and already applies the controls of these standards in substance, even before formal certification is completed.

7. Incident Response and Notification Obligations
   GLBNXT maintains a formal incident response process in which security incidents are immediately investigated and classified. If an incident leads to loss, alteration, or unauthorized access to personal data, GLBNXT will inform customers without undue delay, including details about the nature of the incident, the expected impact, and the measures taken. Customers remain responsible for any notifications to regulators and data subjects, in accordance with the GDPR.

8. Sub-processors Within the EU
   GLBNXT uses only sub-processors within the European Union. Each sub-processor is contractually bound to privacy and security obligations that are at least equivalent to those of GLBNXT. The current list of sub-processors is published and updated when changes occur. Customers are informed of additions or replacements in accordance with the DPA.

9. Supervision, Audits, and Compliance
   GLBNXT makes relevant documentation available to customers to demonstrate compliance with the DPA and the GDPR. Additional documentation can be provided upon request, including audit summaries or reports where available. Customers have the opportunity to conduct audits within reasonable limits and procedures, as described in the DPA.

10. Transparency and Support
    GLBNXT actively supports customers with privacy and security issues insofar as this falls within the scope of the platform. Although GLBNXT does not provide legal advice, it offers guidelines, documentation, and technical resources to help customers comply with GDPR, AI Act, and Data Act obligations. For specific advisory services, reference is made to specialized partners.
    GLBNXT publishes relevant security and privacy documentation, including this statement, the DPA, the sub-processor List, and additional guidelines.