Data Sharing Agreement

Document version: 1.0 · Effective date: 9 April 2026

This Data Sharing Agreement ("Agreement") is entered into between:

1. NHM Global Advisory (Pty) Ltd, trading as ClearComply, registration number 2026/175933/07, with its registered address at First Floor, 61 Katherine Street, Sandton, 2196 ("ClearComply" or "Provider"); and
2. The Enterprise subscriber who accepts this Agreement through the ClearComply platform ("Recipient" or "Subscriber").

1. Background

1. ClearComply operates a compliance intelligence platform that monitors and reports on CIPC compliance obligations for South African companies.
2. ClearComply's Lead Intelligence feature provides Enterprise subscribers with enriched contact details and compliance classifications for companies flagged as non-compliant by the CIPC, enabling accounting firms and compliance professionals to offer remediation services.
3. This Agreement governs the sharing and use of Lead Intelligence data between ClearComply and the Recipient in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African data protection legislation.

2. Definitions

• "Shared Data" means the Lead Intelligence data made available to the Recipient, including company names, registration numbers, contact email addresses, telephone numbers, websites, registered addresses, and compliance classifications.
• "Data Subject" means any natural or juristic person to whom the Shared Data relates, including company directors and key contacts.
• "Permitted Purpose" means the use of Shared Data solely for legitimate business development — specifically, contacting CIPC-flagged companies to offer compliance remediation services (such as beneficial ownership filings, annual return submissions, and company reinstatements).
• "POPIA" means the Protection of Personal Information Act 4 of 2013.
• "Responsible Party" has the meaning given in Section 1 of POPIA — the party that determines the purpose and means of processing personal information.
• "Processing" has the meaning given in Section 1 of POPIA and includes any operation performed on personal information.
• "Claimed Lead" means a lead that the Recipient has claimed through the ClearComply platform and for which they have an active exclusivity window.
• "Qualified Lead" means a Claimed Lead where the Recipient has made meaningful contact and the lead has expressed interest in remediation services.

3. Nature of the Relationship

ClearComply and the Recipient are independent Responsible Parties under POPIA. Each party independently determines the purposes and means of any personal information processing it undertakes. This Agreement does not create a joint controller, operator, or principal-agent relationship between the parties.

ClearComply is the Responsible Party for the collection, enrichment, and initial processing of Lead Intelligence data. The Recipient becomes a Responsible Party for any personal information processing it undertakes after receiving Shared Data, including all outreach and communications with Data Subjects.

4. Lawful Basis for Sharing

The sharing of Lead Intelligence data under this Agreement is based on legitimate interest under Section 11(1)(f) of POPIA. The parties acknowledge that:

1. The Shared Data relates to companies that have been publicly flagged by the CIPC for non-compliance with statutory obligations (such as beneficial ownership filings, annual returns, or deregistration proceedings).
2. The Permitted Purpose — enabling compliance professionals to offer remediation services to non-compliant companies — serves a legitimate interest that does not override the rights and freedoms of the Data Subjects.
3. The Shared Data is sourced from publicly available CIPC records, Government Gazette publications, and commercial business directory services.

5. Permitted Use

The Recipient may use Shared Data solely for the Permitted Purpose. Without limitation, the Recipient shall not:

• Use Shared Data for unsolicited bulk communications or spam.
• Use Shared Data for purposes unrelated to compliance remediation services.
• Use Shared Data to compile competing databases or data products.
• Use Shared Data for credit scoring, profiling, or automated decision-making about Data Subjects.
• Contact Data Subjects regarding any products or services other than compliance remediation directly related to the flagged non-compliance issue.
• Combine Shared Data with other data sources to create enriched profiles of Data Subjects beyond the scope of the Permitted Purpose.

6. Data Minimisation

ClearComply applies the principle of data minimisation under Section 10 of POPIA. Shared Data is limited to the minimum information reasonably necessary for the Recipient to identify and contact CIPC-flagged companies for the Permitted Purpose. ClearComply does not share identity numbers, financial information, or any special personal information (as defined in Section 26 of POPIA).

7. Retention and Deletion

The Recipient shall retain Shared Data for no longer than 12 months from the date of receipt, unless a longer retention period is required by law or the Data Subject has become a client of the Recipient.

The Recipient must delete Shared Data within 30 days of any of the following:

• The 12-month retention period expires and the lead has not become a client.
• The Recipient's subscription to ClearComply is terminated or cancelled.
• This Agreement is terminated for any reason.
• A Data Subject exercises their right to deletion under Section 24 of POPIA.
• ClearComply requests deletion due to a Data Subject opt-out.

8. Security Obligations

Both parties shall comply with the security requirements of Section 19 of POPIA and implement appropriate technical and organisational measures to protect Shared Data against loss, damage, unauthorised access, or unlawful processing.

Minimum security requirements for the Recipient:

• Access to Shared Data must be restricted to authorised personnel on a need-to-know basis.
• Shared Data must not be stored on unencrypted devices or transmitted via unencrypted channels.
• The Recipient must maintain reasonable access controls and audit logs for systems containing Shared Data.
• The Recipient must notify ClearComply within 72 hours of becoming aware of any security breach affecting Shared Data.

9. Data Subject Rights

Both parties must honour Data Subject rights under Sections 23 to 25 of POPIA, including the rights of access, correction, and deletion. If the Recipient receives a request from a Data Subject relating to Shared Data, it must:

1. Respond to the request within 30 days as required by POPIA.
2. Notify ClearComply at privacy@clearcomply.co.za within 5 business days so that ClearComply can process any corresponding updates (e.g. opt-out from the Lead Intelligence pool).

10. Opt-Out Mechanism

ClearComply maintains a public opt-out mechanism at www.clearcomply.co.za/opt-out. When a Data Subject opts out, ClearComply will remove their data from the Lead Intelligence pool and notify all Recipients who have claimed that lead. The Recipient must cease all contact with opted-out Data Subjects within 5 business days of receiving such notification.

11. No Resale or Transfer

The Recipient shall not sell, licence, sublicence, distribute, disclose, or otherwise transfer Shared Data to any third party, whether for commercial gain or otherwise. Shared Data is provided exclusively for the Recipient's internal use in accordance with the Permitted Purpose.

12. Warranties and Representations

12.1 ClearComply warrants that:

• It has a lawful basis under POPIA for collecting and sharing the Shared Data.
• The Shared Data is sourced from publicly available records and reputable commercial enrichment providers.
• It maintains appropriate security measures to protect the Shared Data in its custody.
• It maintains an opt-out mechanism and honours all Data Subject objections.

12.2 The Recipient warrants that:

• It will use Shared Data solely for the Permitted Purpose and in compliance with POPIA.
• It will comply with Section 69 of POPIA (direct marketing) and the Consumer Protection Act when contacting Data Subjects.
• It will honour all opt-out and objection requests from Data Subjects.
• It has the technical and organisational capacity to protect Shared Data in accordance with Section 19 of POPIA.
• The person accepting this Agreement has the authority to bind the Recipient.

13. Indemnity

The Recipient indemnifies and holds ClearComply harmless against any claims, losses, damages, fines, or expenses (including reasonable legal fees) arising from the Recipient's breach of this Agreement, misuse of Shared Data, or non-compliance with POPIA in relation to the Recipient's processing of Shared Data.

14. Limitation of Liability

To the maximum extent permitted by law, ClearComply's total liability under or in connection with this Agreement shall not exceed the fees paid by the Recipient to ClearComply in the 3 months immediately preceding the event giving rise to the claim. ClearComply shall not be liable for any indirect, consequential, special, or punitive damages, including loss of profit, loss of business, or loss of data.

ClearComply provides Shared Data on an "as is" basis and does not warrant the accuracy, completeness, or currentness of the data. The Recipient acknowledges that contact details may change and that ClearComply is not liable for any failed communications arising from outdated information.

15. Term and Termination

This Agreement commences on the date the Recipient accepts it through the ClearComply platform and continues for as long as the Recipient maintains an active Enterprise subscription with the Lead Intelligence add-on enabled.

Either party may terminate this Agreement:

• By the Recipient cancelling their Lead Intelligence add-on or Enterprise subscription.
• By ClearComply, with 30 days' written notice, if the Recipient breaches any material term of this Agreement and fails to remedy such breach within 14 days of receiving notice.
• Immediately by either party if the other party becomes insolvent or is placed under business rescue.

Upon termination, the Recipient's obligations regarding data deletion (Section 7), security (Section 8), and non-transfer (Section 11) shall survive.

16. Governing Law and Disputes

This Agreement is governed by and construed in accordance with the laws of the Republic of South Africa.

In the event of any dispute arising from or in connection with this Agreement, the parties shall first attempt to resolve the dispute through good-faith negotiation for a period of 21 days. If the dispute is not resolved within that period, either party may refer the matter to the appropriate court of competent jurisdiction in Johannesburg, South Africa.

17. General

• Entire agreement: This Agreement constitutes the entire agreement between the parties regarding the sharing and use of Lead Intelligence data and supersedes all prior negotiations, representations, and agreements relating to its subject matter.
• Amendment: ClearComply may amend this Agreement by providing the Recipient with 30 days' written notice. Continued use of the Lead Intelligence feature after the notice period constitutes acceptance of the amended terms.
• Severability: If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
• No waiver: The failure of either party to enforce any right under this Agreement shall not constitute a waiver of that right.
• Notices: All notices under this Agreement shall be sent to privacy@clearcomply.co.za (for ClearComply) or to the email address associated with the Recipient's ClearComply account.
• Clickwrap execution: The Recipient agrees that acceptance of this Agreement through the ClearComply platform (by clicking "I Accept" or similar mechanism) constitutes a valid electronic signature and binding agreement under the Electronic Communications and Transactions Act 25 of 2002 ("ECTA").