Data Sharing Agreement

Document version: 1.1 · Effective date: 18 April 2026 · Supersedes v1.0

This Data Sharing Agreement ("Agreement") is entered into between:

1. NHM Global Advisory (Pty) Ltd, trading as ClearComply, registration number 2026/175933/07, with its registered address at First Floor, 61 Katherine Street, Sandton, 2196 ("ClearComply" or "Provider"); and
2. The Enterprise subscriberwho accepts this Agreement through the ClearComply platform ("Recipient" or "Subscriber").

1. Background

1. ClearComply operates a compliance intelligence platform that monitors and reports on CIPC compliance obligations for South African companies.
2. ClearComply's Lead Intelligence feature provides Enterprise subscribers with enriched contact details and compliance classifications for companies flagged as non-compliant by the CIPC, enabling accounting firms and compliance professionals to offer remediation services.
3. This Agreement governs the sharing and use of Lead Intelligence data between ClearComply and the Recipient in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African data protection legislation.

2. Definitions

• "Shared Data" means the Lead Intelligence data made available to the Recipient, including company names, registration numbers, contact email addresses, telephone numbers, websites, registered addresses, and compliance classifications.
• "Data Subject" means any natural or juristic person to whom the Shared Data relates, including company directors and key contacts.
• "Permitted Purpose" means the use of Shared Data solely for legitimate business development — specifically, contacting CIPC-flagged companies to offer compliance remediation services (such as beneficial ownership filings, annual return submissions, and company reinstatements).
• "POPIA" means the Protection of Personal Information Act 4 of 2013.
• "Responsible Party" has the meaning given in Section 1 of POPIA — the party that determines the purpose and means of processing personal information.
• "Processing" has the meaning given in Section 1 of POPIA and includes any operation performed on personal information.
• "Claimed Lead" means a lead that the Recipient has claimed through the ClearComply platform and for which they have an active exclusivity window.
• "Qualified Lead" means a Claimed Lead where the Recipient has made meaningful contact and the lead has expressed interest in remediation services.

3. Nature of the Relationship

ClearComply and the Recipient are independent Responsible Parties under POPIA. Each party independently determines the purposes and means of any personal information processing it undertakes. This Agreement does not create a joint controller, operator, or principal-agent relationship between the parties.

ClearComply is the Responsible Party for the collection, enrichment, and initial processing of Lead Intelligence data. The Recipient becomes a Responsible Party for any personal information processing it undertakes after receiving Shared Data, including all outreach and communications with Data Subjects.

4. Lawful Basis for Sharing

The sharing of Lead Intelligence data under this Agreement is based on legitimate interest under Section 11(1)(f) of POPIA. The parties acknowledge that:

1. The Shared Data relates to companies that have been publicly flagged by the CIPC for non-compliance with statutory obligations (such as beneficial ownership filings, annual returns, or deregistration proceedings).
2. The Permitted Purpose — enabling compliance professionals to offer remediation services to non-compliant companies — serves a legitimate interest that does not override the rights and freedoms of the Data Subjects.
3. The Shared Data is sourced from publicly available CIPC records, Government Gazette publications, and commercial business directory services.

5. Permitted Use

The Recipient may use Shared Data solely for the Permitted Purpose. Without limitation, the Recipient shall not:

• Use Shared Data for unsolicited bulk communications or spam.
• Use Shared Data for purposes unrelated to compliance remediation services.
• Use Shared Data to compile competing databases or data products.
• Use Shared Data for credit scoring, profiling, or automated decision-making about Data Subjects.
• Contact Data Subjects regarding any products or services other than compliance remediation directly related to the flagged non-compliance issue.
• Combine Shared Data with other data sources to create enriched profiles of Data Subjects beyond the scope of the Permitted Purpose.

6. Data Minimisation

ClearComply applies the principle of data minimisation under Section 10 of POPIA. Shared Data is limited to the minimum information reasonably necessary for the Recipient to identify and contact CIPC-flagged companies for the Permitted Purpose. ClearComply does not share identity numbers, financial information, or any special personal information (as defined in Section 26 of POPIA).

7. Retention and Deletion

The Recipient shall retain Shared Data for no longer than 12 months from the date of receipt, unless a longer retention period is required by law or the Data Subject has become a client of the Recipient.

The Recipient must delete Shared Data within 30 days of any of the following:

• The 12-month retention period expires and the lead has not become a client.
• The Recipient's subscription to ClearComply is terminated or cancelled.
• This Agreement is terminated for any reason.
• A Data Subject exercises their right to deletion under Section 24 of POPIA.
• ClearComply requests deletion due to a Data Subject opt-out.

8. Security Obligations

Both parties shall comply with the security requirements of Section 19 of POPIA and implement appropriate technical and organisational measures to protect Shared Data against loss, damage, unauthorised access, or unlawful processing.

Minimum security requirements for the Recipient:

• Access to Shared Data must be restricted to authorised personnel on a need-to-know basis.
• Shared Data must not be stored on unencrypted devices or transmitted via unencrypted channels.
• The Recipient must maintain reasonable access controls and audit logs for systems containing Shared Data.
• The Recipient must notify ClearComply within 72 hours of becoming aware of any security breach affecting Shared Data.

9. Data Subject Rights

Both parties must honour Data Subject rights under Sections 23 to 25 of POPIA, including the rights of access, correction, and deletion. If the Recipient receives a request from a Data Subject relating to Shared Data, it must:

1. Respond to the request within 30 days as required by POPIA.
2. Notify ClearComply at privacy@clearcomply.co.za within 5 business days so that ClearComply can process any corresponding updates (e.g. opt-out from the Lead Intelligence pool).

10. Opt-Out Mechanism

ClearComply maintains a public opt-out mechanism at www.clearcomply.co.za/opt-out. When a Data Subject opts out, ClearComply will remove their data from the Lead Intelligence pool and notify all Recipients who have claimed that lead. The Recipient must cease all contact with opted-out Data Subjects within 5 business days of receiving such notification.

11. No Resale or Transfer

The Recipient shall not sell, licence, sublicence, distribute, disclose, or otherwise transfer Shared Data to any third party, whether for commercial gain or otherwise. Shared Data is provided exclusively for the Recipient's internal use in accordance with the Permitted Purpose.

12. Warranties and Representations

12.1 ClearComply warrants that:

• It has a lawful basis under POPIA for collecting and sharing the Shared Data.
• The Shared Data is sourced from publicly available records and reputable commercial enrichment providers.
• It maintains appropriate security measures to protect the Shared Data in its custody.
• It maintains an opt-out mechanism and honours all Data Subject objections.

12.2 The Recipient warrants that:

• It will use Shared Data solely for the Permitted Purpose and in compliance with POPIA.
• It will comply with Section 69 of POPIA (direct marketing) and the Consumer Protection Act when contacting Data Subjects.
• It will honour all opt-out and objection requests from Data Subjects.
• It has the technical and organisational capacity to protect Shared Data in accordance with Section 19 of POPIA.
• The person accepting this Agreement has the authority to bind the Recipient.

13. Indemnity

The Recipient indemnifies and holds ClearComply harmless against any claims, losses, damages, fines, or expenses (including reasonable legal fees) arising from the Recipient's breach of this Agreement, misuse of Shared Data, or non-compliance with POPIA in relation to the Recipient's processing of Shared Data.

14. Limitation of Liability

To the maximum extent permitted by law, ClearComply's total liability under or in connection with this Agreement shall not exceed the fees paid by the Recipient to ClearComply in the 3 months immediately preceding the event giving rise to the claim. ClearComply shall not be liable for any indirect, consequential, special, or punitive damages, including loss of profit, loss of business, or loss of data.

ClearComply provides Shared Data on an "as is" basis and does not warrant the accuracy, completeness, or currentness of the data. The Recipient acknowledges that contact details may change and that ClearComply is not liable for any failed communications arising from outdated information.

15. Term and Termination

This Agreement commences on the date the Recipient accepts it through the ClearComply platform and continues for as long as the Recipient maintains an active Enterprise subscription with the Lead Intelligence add-on enabled.

Either party may terminate this Agreement:

• By the Recipient cancelling their Lead Intelligence add-on or Enterprise subscription.
• By ClearComply, with 30 days' written notice, if the Recipient breaches any material term of this Agreement and fails to remedy such breach within 14 days of receiving notice.
• Immediately by either party if the other party becomes insolvent or is placed under business rescue.

Upon termination, the Recipient's obligations regarding data deletion (Section 7), security (Section 8), and non-transfer (Section 11) shall survive.

16. Governing Law and Disputes

This Agreement is governed by and construed in accordance with the laws of the Republic of South Africa.

In the event of any dispute arising from or in connection with this Agreement, the parties shall first attempt to resolve the dispute through good-faith negotiation for a period of 21 days. If the dispute is not resolved within that period, either party may refer the matter to the appropriate court of competent jurisdiction in Johannesburg, South Africa.

18. Marketplace Engagements

From 18 April 2026, ClearComply offers a Marketplace Engagementfacility in addition to the Lead Intelligence feature covered above. Where the Recipient opts into the Marketplace and the Data Subject ("Client") chooses to engage the Recipient through the ClearComply platform to remediate a specific compliance issue, this Section 18 applies in addition toSections 1–17.

18.1 Nature of the relationship during an Engagement

For the narrow purpose of transmitting and temporarily storing documents and messages exchanged between the Client and the Recipient through the ClearComply platform during a Marketplace Engagement, ClearComply acts as an Operator of the Client as defined in Section 1 of POPIA. The Recipient remains an independent Responsible Party in respect of any personal information it receives and processes after download from the ClearComply platform, including any advice, filings, records, or communications it produces in the course of its professional services.

Nothing in this Section 18 creates a joint-controller or principal-agent relationship between ClearComply and the Recipient. Each party remains responsible for its own compliance with POPIA.

18.2 Documents and messages

During a Marketplace Engagement, the Client may upload documents ("Engagement Documents") and messages ("Engagement Messages") to the platform for transmission to the Recipient, and the Recipient may upload completed work to the platform for return to the Client. Each party acknowledges that:

• Engagement Documents and Messages may contain personal information, including identity numbers, contact details, financial information, and the personal information of third parties such as beneficial owners, directors, trustees, and employees.
• The Client is responsible for obtaining any necessary consents from third parties whose personal information is contained in an Engagement Document before upload.
• The Recipient must limit its access to Engagement Documents and Messages to authorised personnel on a need-to-know basis, and must not use them for any purpose other than the specific Engagement to which they relate.

18.3 Platform fee and payment

The price of each Engagement is the amount set by the Recipient in its Service Offering at the time the Client initiates the Engagement. ClearComply deducts a platform fee of 10%of the Engagement price. The balance is transferred to the Recipient's connected Stripe account. The Recipient is responsible for any VAT, income tax, or other taxes in respect of the fees it receives, and for issuing a VAT invoice to the Client where required.

Payments are processed by Stripe Payments Europe, Limited ("Stripe"). The Recipient must complete Stripe's Express onboarding and comply with Stripe's Connected Account Agreement before the Recipient can receive payments through the platform.

18.4 Retention and deletion of Engagement data

ClearComply will retain Engagement Documents and Messages on its platform for the duration of the Engagement plus a period of 90 days after the Engagement is marked completed, cancelled, or refunded, after which the data will be soft-deleted. Hard deletion (irreversible removal) will occur 365 days after soft-deletion, unless the Recipient or the Client has placed a legal hold on the data or retention is required by law.

After download, the Recipient must retain Engagement Documents only for as long as required by its professional obligations (including the rules of SAICA, SAIPA, ACCA, IAC, or the IRBA as applicable) and thereafter dispose of them securely.

18.5 Security obligations during Engagements

In addition to Section 8, during Marketplace Engagements:

• ClearComply will store Engagement Documents in an encrypted, access-controlled bucket accessible only via time-limited presigned URLs and only to the Client and the Recipient assigned to the Engagement.
• The Recipient must download Engagement Documents only to devices on which it maintains the minimum security controls referred to in Section 8.
• The Recipient must notify ClearComply within 72 hours of becoming aware of any compromise of its Stripe connected account, ClearComply account credentials, or any unauthorised access to Engagement Documents.

18.6 Consent and transparency

ClearComply will obtain explicit, granular consent from the Client at the point of each document upload, identifying the Recipient by name and the specific purpose of the Engagement. The Client may withdraw consent and delete an Engagement Document at any time before the Recipient has downloaded it. Once an Engagement Document has been downloaded, the Recipient's retention and deletion obligations in Section 18.4 apply.

18.7 Service quality and dispute resolution

The Recipient warrants that the services provided through a Marketplace Engagement will be performed with reasonable professional skill and care, in accordance with the standards of the Recipient's professional body. Where a Client reasonably disputes the quality or completion of an Engagement, the parties will engage in good faith to resolve the dispute, failing which ClearComply reserves the right to issue a full or partial refund to the Client from Engagement funds held by Stripe, without acknowledgement of liability on the part of either party.

18.8 Independent professional relationship

The provision of professional services during a Marketplace Engagement creates an independent professional relationship between the Recipient and the Client. ClearComply is not a party to that relationship, does not provide professional advice, and will not be joined as a party in any dispute arising from the Recipient's professional services.

19. General

• Entire agreement: This Agreement constitutes the entire agreement between the parties regarding the sharing and use of Lead Intelligence data and supersedes all prior negotiations, representations, and agreements relating to its subject matter.
• Amendment: ClearComply may amend this Agreement by providing the Recipient with 30 days' written notice. Continued use of the Lead Intelligence feature after the notice period constitutes acceptance of the amended terms.
• Severability: If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
• No waiver: The failure of either party to enforce any right under this Agreement shall not constitute a waiver of that right.
• Notices: All notices under this Agreement shall be sent to privacy@clearcomply.co.za(for ClearComply) or to the email address associated with the Recipient's ClearComply account.
• Clickwrap execution:The Recipient agrees that acceptance of this Agreement through the ClearComply platform (by clicking "I Accept" or similar mechanism) constitutes a valid electronic signature and binding agreement under the Electronic Communications and Transactions Act 25 of 2002 ("ECTA").