
Data Processing Agreement

This agreement governs how Nestly processes personal data on behalf of schools and health specialist organisations under GDPR Article 28.

Effective: 1 January 2025
Last updated: 29 March 2026
Version: 1.2

This DPA applies to:

Schools and Educational Institutions

Any school, academy, or educational organisation using the Nestly School Dashboard to manage student support and parent communication.

Health and Care Professionals

Speech therapists, occupational therapists, psychologists, and other health specialists using the Nestly Health Specialist Dashboard.

Individual parents using the Nestly Parent Dashboard are data controllers in their own right and are covered by Nestly's Privacy Policy rather than this DPA.

1. Parties to this Agreement

This Data Processing Agreement ("DPA") is entered into between:

Controller: The school, educational institution, health service provider, or other organisation ("you", "Controller") that has accepted Nestly's Terms of Service and uses the Nestly platform to process personal data on behalf of the children and families it serves.

Processor: Nestly (operated by The NDbourhood, a company registered in Ireland), which provides the Nestly platform and processes personal data solely on the Controller's documented instructions.

This DPA forms part of and is subject to Nestly's Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data processing matters.

2. Subject Matter and Duration

Subject matter: Nestly processes personal data on behalf of the Controller to provide the Nestly platform services, including child profile management, school-parent communication, health and development tracking, and related features.

Duration: This DPA remains in force for as long as Nestly processes personal data on behalf of the Controller under the Terms of Service. Upon termination, Nestly will delete or return all personal data as described in Section 9.

Nature of processing: Collection, storage, retrieval, use, disclosure, erasure, and destruction of personal data via the Nestly platform.

3. Categories of Data and Data Subjects

Data subjects:

  • Children and young people enrolled at or supported by the Controller
  • Parents, guardians, and family members of those children
  • Staff members of the Controller (school staff, health professionals)

Categories of personal data processed:

  • Identity data: names, dates of birth, photographs, gender, pronouns
  • Contact data: email addresses, phone numbers
  • Special category data (Article 9 GDPR): health and medical information, neurodevelopmental diagnoses, disability information, educational needs assessments
  • Educational data: school year, support plans, learning profiles, transition reports
  • Health data: medical conditions, allergies, medications, vaccine records, fever logs, growth measurements
  • Communication data: messages between parents and school/health staff

Legal basis for special category data: Explicit consent of the data subject or their parent/guardian (Article 9(2)(a)), or substantial public interest in the provision of health or social care (Article 9(2)(h)), as applicable to each processing activity.

4. Processor Obligations

Nestly, as Processor, undertakes to:

4.1 Instructions: Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law.

4.2 Confidentiality: Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data at rest and in transit (TLS 1.2+, AES-256)
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore availability and access to personal data in a timely manner following a physical or technical incident
  • Regular testing and evaluation of technical and organisational measures

4.4 Sub-processors: Not engage another processor without prior specific or general written authorisation of the Controller. See Section 6 for the list of authorised sub-processors.

4.5 Data subject rights: Assist the Controller in fulfilling its obligation to respond to requests for exercising data subjects' rights.

4.6 Assistance: Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, DPIAs, prior consultation).

4.7 Deletion or return: At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.

4.8 Audit: Make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Controller Obligations

The Controller undertakes to:

  • Ensure that it has a lawful basis for processing the personal data it instructs Nestly to process
  • Obtain all necessary consents from data subjects (or their parents/guardians) before inputting special category data into the Nestly platform
  • Provide data subjects with appropriate privacy notices explaining how their data is processed via Nestly
  • Notify Nestly promptly of any data subject rights requests that require Nestly's assistance
  • Ensure that only authorised staff members have access to the Nestly school or health specialist dashboard
  • Comply with all applicable data protection laws in its use of the Nestly platform

6. Authorised Sub-processors

Nestly uses the following sub-processors to deliver its services. All sub-processors are bound by data processing agreements that impose equivalent data protection obligations:

Sub-processor           Purpose                        Location       Safeguard
TiDB Cloud (PingCAP)    Database hosting               EU (Ireland)   Standard Contractual Clauses
AWS S3                  File and media storage         EU (Ireland)   Standard Contractual Clauses
Resend                  Transactional email delivery   EU             Standard Contractual Clauses
Manus Platform          AI and LLM services            EU             Standard Contractual Clauses
Cloudflare              CDN and DDoS protection        EU/Global      Standard Contractual Clauses

Nestly will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days of notification.

7. International Data Transfers

Nestly stores all personal data within the European Union (Ireland). Where any sub-processor operates outside the EU/EEA, Nestly ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR.

Nestly will not transfer personal data to any country that does not provide an adequate level of protection without first implementing appropriate safeguards and notifying the Controller.

8. Security and Data Breach Notification

Security measures: Nestly implements and maintains technical and organisational security measures including encryption at rest (AES-256) and in transit (TLS 1.3), access controls, audit logging, regular security assessments, and staff training on data protection.

Breach notification: In the event of a personal data breach, Nestly will notify the Controller without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. The notification will include:

  • A description of the nature of the personal data breach
  • The categories and approximate number of data subjects concerned
  • The categories and approximate number of personal data records concerned
  • The likely consequences of the personal data breach
  • The measures taken or proposed to address the breach

The Controller is responsible for notifying the relevant supervisory authority and affected data subjects as required by Articles 33 and 34 GDPR.

9. Data Deletion and Return

Upon termination of the Terms of Service, or upon written request by the Controller:

  • Nestly will provide the Controller with an export of all personal data held on its behalf in JSON format within 30 days
  • After confirmation of successful export, Nestly will securely delete all personal data from its systems within 30 days
  • Nestly will provide written confirmation of deletion upon request
  • Nestly may retain anonymised, aggregated data that cannot be used to identify any individual

Individual users (parents) may exercise their right to erasure at any time through the "Delete My Account" function in their dashboard settings, which will delete all personal data associated with their account and their children's profiles.

10. Audit Rights

The Controller has the right to audit Nestly's compliance with this DPA. Nestly will:

  • Provide the Controller with all information reasonably necessary to demonstrate compliance with Article 28 GDPR
  • Allow the Controller or its appointed auditor to conduct audits of Nestly's data processing activities, subject to reasonable notice (minimum 30 days) and confidentiality obligations
  • Cooperate with inspections by the relevant supervisory authority

Nestly may satisfy audit requests by providing relevant certifications, third-party audit reports, or security assessments in lieu of on-site inspections where these adequately demonstrate compliance.

11. Governing Law and Jurisdiction

This DPA is governed by the laws of Ireland and the European Union, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and, where applicable, the UK GDPR and Data Protection Act 2018.

Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland, without prejudice to the right of any party to seek urgent injunctive relief in any competent jurisdiction.

For Controllers established in the United Kingdom, this DPA also incorporates the UK Addendum to the EU Standard Contractual Clauses as issued by the Information Commissioner's Office.

12. Contact and DPO

For all data protection enquiries, to exercise your rights under this DPA, or to report a suspected data breach, please contact:

Data Protection Contact
The NDbourhood / Nestly
Email: [email protected]

Nestly will respond to all data protection enquiries within 72 hours and will resolve substantive requests within 30 days.

Questions about this DPA?

Contact our data protection team at [email protected]. We respond within 72 hours.