Operator Agreement

Document version: 1.0 · Effective date: 18 April 2026 · Applies per Marketplace Engagement

1. Parties

1. NHM Global Advisory (Pty) Ltd, trading as ClearComply, registration number 2026/175933/07, First Floor, 61 Katherine Street, Sandton, 2196 ("ClearComply", the "Operator"); and
2. The user who initiates a Marketplace Engagement through the ClearComply platform and uploads documents to it (the "Client", the "Responsible Party").

2. Scope of this Agreement

This Agreement applies only to the Engagement Data— documents, messages, and metadata that the Client uploads to, or the Client's accountant uploads through, a specific Marketplace Engagement on the ClearComply platform. It does not apply to any other personal information the Client provides to ClearComply, which is governed by the Privacy Policy.

3. Instructions

ClearComply will process Engagement Data solelyon the Client's instructions and for the following purposes:

• Transmitting the Engagement Data between the Client and the accountant assigned to the Engagement.
• Storing the Engagement Data for the duration of the Engagement plus the retention window in clause 6 below.
• Generating access logs, presigned download URLs, and security event records.
• Responding to a lawful request from a regulator or court, where ClearComply is required by law to disclose Engagement Data. ClearComply will notify the Client in advance where lawfully permitted.

ClearComply will not use Engagement Data to improve its services, train artificial intelligence models, or for any purpose unrelated to the Engagement.

4. Confidentiality

ClearComply will treat all Engagement Data as confidential. Access is restricted to the specific ClearComply personnel who require access for platform operation, incident response, or dispute handling, each of whom is bound by a written confidentiality obligation.

5. Security measures

As required by Section 19 of POPIA, ClearComply will implement appropriate technical and organisational measures to protect Engagement Data, including:

• Encryption in transit (TLS) and at rest (AES‑256).
• Storage in a private, access-controlled bucket. Downloads are only possible via presigned URLs that expire within five minutes and are scoped to the specific Engagement.
• Access controls limiting each Engagement to the Client and the accountant assigned.
• Audit logging of uploads, downloads, deletions, and access attempts.
• Automated malware scanning on upload. Files that fail the scan are quarantined and the Client is notified.

6. Retention and deletion

• Engagement Data is retained for the duration of the Engagement plus 90 days after the Engagement is marked completed, cancelled, or refunded. After that window, Engagement Data is soft-deleted.
• Soft-deleted Engagement Data is hard-deleted (irreversibly removed) 365 days after soft-deletion, unless the Client or ClearComply has a legal obligation to retain it for longer.
• The Client may request earlier deletion at any time by emailing privacy@clearcomply.co.za. ClearComply will action the request within 30 days, subject to any lawful retention obligation.

7. Sub-processors

ClearComply uses the following sub-processors to deliver the Marketplace. Each is bound by a written agreement that imposes substantially similar obligations to this Agreement:

• Supabase Inc.— document storage and database hosting (EU region).
• Vercel Inc. — platform hosting and delivery.
• Stripe Payments Europe, Limited— payment processing, payout disbursement, and Connect onboarding. Stripe does not receive Engagement Documents or Messages.
• Resend Inc.— transactional email notifications (does not receive Engagement Document contents).

ClearComply will notify the Client before adding or replacing a sub-processor that materially changes this list.

8. Security breach notification

In the event of a security compromise that reasonably appears to have resulted in unauthorised access to or acquisition of Engagement Data, ClearComply will notify the Client without undue delay and in any event within 72 hoursof becoming aware of the compromise, in accordance with Section 22 of POPIA. The notification will include the nature of the compromise, the Engagement Data affected, the measures taken in response, and the contact details of ClearComply's Information Officer.

9. Assistance with Data Subject rights

If the Client (or a third party whose personal information is contained in an Engagement Document) exercises a right under Sections 23 to 25 of POPIA in respect of Engagement Data, ClearComply will, on request, assist the Client in responding within 30 days. ClearComply will not respond independently to a Data Subject request that relates to the Client's Engagement Data without first notifying the Client.

10. Return or deletion on termination

On termination of the Engagement — whether through completion, cancellation, or refund — the Client may, within the 90-day retention window, either export the Engagement Data through the platform or request its earlier deletion. After the retention window closes, the deletion sequence in clause 6 applies automatically.

11. Relationship to the Data Sharing Agreement

The Data Sharing Agreement (v1.1, Section 18) governs the relationship between ClearComply and the accountant. This Operator Agreement governs the relationship between ClearComply and the Client during a Marketplace Engagement. Where the two agreements overlap, this Operator Agreement prevails in respect of the activities described in clause 3.

12. Acceptance

The Client accepts this Agreement by initiating a Marketplace Engagement on the ClearComply platform and by uploading the first document to that Engagement. The Client's acceptance, the Agreement version, the acceptance timestamp, and the Engagement identifier are recorded on the platform and are available to the Client on request.

13. Contact

• ClearComply Information Officer: privacy@clearcomply.co.za
• Post: NHM Global Advisory (Pty) Ltd, First Floor, 61 Katherine Street, Sandton, 2196