Data Processing Agreement

1. Background Information

1.1. In consideration that Yuanli Jinzhi and the developer using the FinDocx AI Open Platform (hereinafter referred to as the "Customer") have entered into a cooperation agreement (hereinafter referred to as the "Master Contract") with respect to the purchase and provision of the FinDocx service (hereinafter referred to as "Yuanli Jinzhi Service" or "Service"), this Data Processing Agreement is incorporated into and constitutes an integral part of the terms of the Master Contract.

1.2. Scope and effectiveness. This Data Processing Agreement applies to the data processing (hereinafter referred to as "Data Processing") by Yuanli Jinzhi, including its Sub-trustees (if any), in connection with the provision of Yuanli Jinzhi Service. No separate signature of this Data Processing Agreement is required. By executing the Master Contract, both parties acknowledge and agree to be bound by relevant provisions of this Data Processing Agreement.

1.3. Structure. The appendices hereto are incorporated into and constitute a part of this Data Processing Agreement. Among them, Appendix 1 sets out the nature, instructions and purpose of processing, the Personal Information involved, the categories of data subjects and the time limits; Appendix 2 specifies the technical and organizational security measures provided by Yuanli Jinzhi hereunder.

1.4. Management. Under this Data Processing Agreement, the Customer is the principal of the Personal Information processed hereunder, and Yuanli Jinzhi is the Trustee of the Personal Information processed hereunder. The Customer shall be solely responsible for obtaining the approval, authorization and permission required for the Data Processing activities to be carried out by Yuanli Jinzhi.

1.5. 1.5. Terms and definitions.。

1) "Applicable Data Protection Laws" mean the laws and regulations of China governing Personal Information, privacy protection, network security and communications, which contain provisions on data protection, including but not limited to the Personal Information Protection Law, the Data Security Law, the Cybersecurity Law and the Civil Code.

2) “Personal Information” means various information recorded electronically or otherwise about identified or identifiable natural persons, excluding anonymized information.

3) “Data Subject” means the natural person identified by or associated with the Personal Information.

4) “Processor” means the entity that determines the purposes and/or means of the Data Processing individually or in combination with others, and for the purpose of this Agreement, means the Customer.

5) "Trustee" means the entity that carries out Data Processing in the name of the Processor as entrusted by the Processor.

6) “Data Protection Authority” means the agency that is legally responsible for the data protection supervision under Applicable Data Protection Laws.

7) If Applicable Data Protection Laws have special provisions on the specific meaning and expression of the terms including Personal Information, Data Subject, Processor, Trustee and Data Protection Authority, the terms hereunder shall also have the specific meanings given in Applicable Data Protection Laws.

2. Processing Safety

2.1. Technical and organizational measures.

1) Based on the current state of technology, Yuanli Jinzhi has implemented the technical measures and organizational measures applicable to the services under the Master Contract to protect the security of Data Processing, as detailed in Appendix 2 to Data Processing Agreement – Security Measures.

2) The Customer has reviewed such measures and agrees that the ongoing measures taken by Yuanli Jinzhi are appropriate taking into account the current state of technology, the cost of implementation, and the nature, scope, context and purpose of Data Processing.

2.2. Change. Yuanli Jinzhi shall not adjust or change, without authorization, the technical and organizational measures taken, especially when such adjustment or change may reduce the level of security protection provided during the Data Processing hereunder; Yuanli Jinzhi may make such change without further notice to the Customer if an equivalent or higher level of security protection is maintained.

3. General Liabilities of Both Parties

3.1. The Customer undertakes and warrants that:

1) The processing activities that the Customer intends to delegate to Yuanli Jinzhi hereunder are in line with the principles of legality, legitimacy, necessity and good faith, supported by a legitimate basis; when obtaining an individual consent is taken as the basis of legitimacy hereunder, the Customer further undertakes and warrants that it has fully explained to the Data Subject (i.e. the end user of the products and/or services provided by the Customer) the purpose, scope and method of Personal Information collection and use, and that the Customer has stated the authorized content in the corresponding documents and obtained the written consent and authorization from the Data Subject, including but not limited to: a) The Data Subject understands and agrees to the Customer’s collection of the Personal Information required for its use of the Service, including name, ID card number, photo and other ID information, audio, video, document, application, equipment and network information, and the Customer shall make the foregoing Personal Information available to Yuanli Jinzhi; b) The Data Subject understands and agrees that Yuanli Jinzhi has the right to obtain its Personal Information for the services stated in the Master Contract and return the identification results to the Customer. c) When necessary, Yuanli Jinzhi has the right to disclose the Personal Information of the Data Subject to necessary service providers for the services set out in the Master Contract.

2) If the Customer gives the foregoing notice using standard terms and obtains the authorization and consent from the Data Subject, the Customer shall ensure that the standard terms of the authorization used conform to the requirements of Applicable Data Protection Laws, safeguard the legitimate rights and interests of the Data Subject, and ensure that legal, valid, complete and sufficient authorization and consent has been obtained.

3.2. Yuanli Jinzhi undertakes and warrants that when processing the Personal Information on behalf of the Customer:

1) The Yuanli Jinzhi Service provided to the Customer conforms the requirements in the laws and regulations of China; if Personal Information is involved, such Service conforms to the requirements of Applicable Data Protection Laws.

2) It will process the Personal Information as instructed by the Customer in writing and strictly implement the technical and organizational measures stated in Article 2.1 hereof.

3) It will ensure, in order that Yuanli Jinzhi fulfills its obligations hereunder, that relevant employees of Yuanli Jinzhi are bound in writing (such as non-disclosure agreement) to strictly perform relevant Data Processing as provided for herein.

4) It will comply with the mandatory obligations and requirements imposed on the Trustee under Applicable Data Protection Laws.

4. Instruction

4.1. The Data Processing instructions to be performed by Yuanli Jinzhi hereunder as explicitly authorized by the Customer are as shown in Appendix 1 to Data Processing Agreement - Instructions on the Processing of Personal Information. Unless otherwise required by law, Yuanli Jinzhi shall and shall only process the Personal Information on behalf of the Customer in accordance with this Data Processing Agreement.

4.2. As long as this Data Processing Agreement is in force and effect, the Customer may change the instructions set out in Article 4.1 hereof by giving a written notice to Yuanli Jinzhi. In addition to other notification obligations set forth herein, if any instruction is believed by Yuanli Jinzhi to contravene Applicable Data Protection Laws ("Challenged Instruction"), Yuanli Jinzhi may send a written notice to the Customer within three business days upon the receipt of the written notice issued by the Customer according to this clause, and specify in the notice the requirements of Applicable Data Protection Laws that may be violated; Yuanli Jinzhi is not required to execute the Challenged Instruction until the Customer confirms the Challenged Instruction.

5. Data Security Incident

5.1. In case of a data security incident (including Personal Information leakage), Yuanli Jinzhi shall, upon the request of the Customer, promptly provide the Customer with the necessary information in accordance with Applicable Data Protection Laws, unless expressly prohibited by laws, regulations or effective judicial enforcement instructions.

5.2. Upon the occurrence of a data security incident, Yuanli Jinzhi may make its commercially reasonable efforts to assist the Customer, at the request of the Customer, in fulfilling its obligations to send a notice to the Data Subject and file a report with the Data Protection Authority under Applicable Data Protection Laws.

5.3. All the reasonable expenses incurred by Yuanli Jinzhi in rendering the assistance in Article 5.2 to the Customer shall be borne by the Customer. If the Customer has any questions about such expenses, the Customer shall send a written notice to Yuanli Jinzhi and consult with Yuanli Jinzhi.

6. Response to Data Subject Request

6.1. If required by the Customer, Yuanli Jinzhi will assist the Customer in responding to the request of the Data Subject to the extent technically feasible and reasonable in accordance with Applicable Data Protection Laws. The Customer shall be responsible for confirming whether the Data Subject has the right to exercise any such rights and shall clarify in writing to Yuanli Jinzhi the scope and form of assistance required.

6.2. The reasonable expenses incurred by Yuanli Jinzhi in rendering the assistance in Article 6.1 to the Customer shall be borne by the Customer. If the Customer has any questions about such expenses, the Customer shall send a written notice to Yuanli Jinzhi and consult with Yuanli Jinzhi; provided, however that, the Customer shall not defer the payment of such expenses to Yuanli Jinzhi on this basis; if the Customer withholds or defers the payment of such expenses, Yuanli Jinzhi may, at its sole discretion, suspend or terminate the assistance provided for the Customer under Article 6.1, as appropriate.

7. Sharing and Global Processing

7.1. Without obtaining the prior written consent from the Customer and taking necessary compliance measures under Applicable Data Protection Laws, Yuanli Jinzhi shall not share any Personal Information under the Master Contract with other third parties.

7.2. The Customer agrees and acknowledges that Yuanli Jinzhi will provide the Yuanli Jinzhi Service and carry out Data Processing hereunder at its globally distributed infrastructure; Yuanli Jinzhi may reasonably adjust the distribution of such infrastructure, as appropriate, without further notice to the Customer; provided, however, that if Yuanli Jinzhi's adjustment of the infrastructure imposes an impact on the normal use of the Yuanli Jinzhi Service by the Customer, Yuanli Jinzhi shall promptly send a notice to the Customer and consult with the Customer. The current infrastructure of Yuanli Jinzhi around the world is as follows:

1) FinDocx platform and relevant services: Servers are located in China and Singapore.

7.3. The Customer explicitly agrees and acknowledges that Yuanli Jinzhi shall proceed with the Data Processing hereunder in relevant regions as follows:

1) Personal Information collected and generated in China will, in principle, be processed at the infrastructure located in China;

2) With respect to the Yuanli Jinzhi Service provided outside of China, the Customer will determine, at its discretion, the supporting infrastructure of Yuanli Jinzhi, and Yuanli Jinzhi will process the data locally based on the choice of the Customer.

7.4. Unless otherwise provided by law or required in writing by the Customer, once the region where Data Processing will be carried out is determined in accordance with the rules set out in Article 7.3, Yuanli Jinzhi shall not transfer the Personal Information hereunder to other countries and/or regions which are not authorized and agreed to by the Customer.

7.5. The Customer shall be responsible for complying with any restrictions on cross-border data transfer (if any) that are effectively implemented and/or updated from time to time under Applicable Data Protection Laws and shall ensure that appropriate preventive measures are in place. If necessary, upon the written request of the Customer, Yuanli Jinzhi may provide the Customer with necessary assistance, as appropriate, to enable the Customer to comply with Applicable Data Protection Laws, at the reasonable expense of the Customer.

8. Sub-processing

8.1. The Customer hereby agrees in writing that Yuanli Jinzhi may, where necessary, delegate the Data Processing set out hereunder, as a whole or in part, to other third parties (including affiliates of Yuanli Jinzhi and other partners explicitly authorized in writing by Yuanli Jinzhi, hereinafter referred to as "Sub-trustee").

8.2. Subject to the satisfaction of other conditions, Yuanli Jinzhi shall make commercially reasonable efforts in selecting the Sub-trustee and shall pay particular attention to its reputation and experience in performing the Data Processing business and the appropriateness of its technical and organizational measures.

8.3. Yuanli Jinzhi shall enter into an agreement with the Sub-trustee, which shall (i) describe the sub-contracted services in which the Sub-trustee is required to process the Personal Information (including type of Personal Information processed and purpose of processing); and (ii) describe the technical and organizational measures to be implemented by the Sub-trustee that are applicable to the sub-contracted services.

9. Notice

9.1. Unless expressly prohibited by Applicable Data Protection Laws, Yuanli Jinzhi shall promptly notify the Customer of:

1) (i) Any violation of any terms hereof; and/or (ii) any violation of any instructions issued by the Customer hereunder during the processing of Personal Information by Yuanli Jinzhi;

2) Any formal regulatory enforcement proceeding against Yuanli Jinzhi by the Data Protection Authority in relation to the processing of data by Yuanli Jinzhi and, where required by the Customer, the support and cooperation that may be required by the Data Protection Authority from Yuanli Jinzhi in its review and/or proceedings against the Customer;

3) Legal or factual circumstances that prevent Yuanli Jinzhi from processing any Personal Information according to the purpose, method and scope set out in this Data Processing Agreement and the instructions; and

4) Any significant change that affects the technical and organizational security measures implemented by Yuanli Jinzhi, which would render the technical and organizational security measures implemented by Yuanli Jinzhi to be unable to meet the Personal Information security obligations of Yuanli Jinzhi hereunder.

9.2. Yuanli Jinzhi shall give a written notice to the Customer after finding out or proving that:

1) Personal Information that Yuanli Jinzhi processes on behalf of the Customer has been illegally transferred;

2) A third party has unlawfully gained access to such Personal Information; and/or

3) The integrity or confidentiality of the Personal Information is materially compromised in any other way.

9.3. If Yuanli Jinzhi receives a complaint and/or a request for specific information about the Data Processing from the Data Subject or a third party, Yuanli Jinzhi shall promptly forward such complaint and/or inquiry and relevant materials in writing to the Customer.

Appendix 1 to Data Processing Agreement - Instructions on the Processing of Personal Information

Processor

Customer.

Trustee

Yuanli Jinzhi and its Sub-trustees (including affiliates of Yuanli Jinzhi and other partners explicitly authorized in writing by Yuanli Jinzhi, if applicable).

Data Subject

Means the party whose Personal Information is collected when the Customer uses the Yuanli Jinzhi Service where necessary, including end users and/or employees of the Customer.

Data Category

The types of data involved include, without limitation: identity information (such as name and gender); certificate information (such as identity document and relevant information); picture, audio, video and document information; application, device and network information; and other types of data explicitly requested by the Customer under specific projects.

Processing Operation/Purpose

The Data Processing operations that Yuanli Jinzhi is instructed to carry out include Data Processing activities necessary to provide the Yuanli Jinzhi Service under the Master Contract or a specific order, as well as Data Processing activities carried out by Yuanli Jinzhi to perform the legal obligations and contractual stipulations under the Master Contract;

The Data Processing operations carried out by Yuanli Jinzhi shall be limited to the purposes set out under the Master Contract, in particular: 1) where necessary to provide the Yuanli Jinzhi Service; 2) for security prevention and anti-fraud; 3) where necessary to fulfill the obligations prescribed by the laws and regulations; 4) directly in connection with national security and national defense security; 5) directly in connection with public security, public health, and major public interests; 6) directly in connection with criminal investigation, prosecution, trial and execution of judgments; 7) where necessary to maintain the safe and stable operation of the Yuanli Jinzhi Service; and 8) where necessary to optimize and upgrade the Yuanli Jinzhi Service under legal conditions.

Duration of Processing

The period during which Yuanli Jinzhi, as entrusted by the Customer, carries out the Data Processing operations involved herein shall be limited to the period during which Yuanli Jinzhi performs all the obligations under the Master Contract (including annexes such as specific orders and this Data Processing Agreement);

Regardless of whether Yuanli Jinzhi fully fulfills its obligations under the Master Contract, the obligations of Yuanli Jinzhi as the Trustee hereunder will continue to be in force and effect until the data involved herein is properly deleted and/or returned to the Customer (upon the request of the Customer), but the foregoing obligations of Yuanli Jinzhi shall be in force and effect for no more than 6 months after Yuanli Jinzhi fully fulfills its obligations under the Master Contract.

Appendix 2 to Data Processing Agreement – Security Measures

A. Physical Access Control.

Measures:

Appropriate measures will be taken to protect the assets and facilities of Yuanli Jinzhi based on its Security Policy.

The security of the building where the office is located will be safeguarded, such as by adopting the smart card access control system.

Depending on the security level, additional measures may be used to further secure access to the premises, including video surveillance and biometric identification access control systems.

Access will be granted to authorized individuals in accordance with system and data access controls. These measures also apply to access by visitors.

Employees and external staff of Yuanli Jinzhi should wear their identification badges in all the premises of Yuanli Jinzhi.

Additional measures for data centers/servers:

All data centers/servers should follow strict security procedures such as installing guards and surveillance cameras.

Only authorized representatives will be granted access to the systems and infrastructure in the data center/server facilities.

To ensure the normal operation of the data center/server, physical security equipment (such as mobile sensors and cameras) will be maintained regularly.

B. System Access Control.

Measures:

Different permissions will be set up for accessing sensitive systems which will be managed according to the policy of Yuanli Jinzhi.

All the personnel will use a unique ID (user ID) to access the system of Yuanli Jinzhi.

Appropriate procedures will be established to control the changes in permissions in accordance with the policy of Yuanli Jinzhi. If a person is dismissed from the company, his/her access will be revoked.

No person is allowed to share passwords with others. The passwords should be changed regularly and default passwords should be changed.

The corporate network will be isolated from the public network through technical solutions such as firewalls.

C. Data Access Control.

Measures:

As a part of the policy of Yuanli Jinzhi, Personal Information must be protected by using the same degree of care, but in no event less than the degree of care, as used to protect the confidential information as defined in the data classification and grading standards of Yuanli Jinzhi.

The permission concept will be adopted to explain the granting process and the role (user ID) assigned to each account, and the permission to access Personal Information will be granted to the extent minimally necessary.

The security measures will be regularly reviewed to protect the applications that process Personal Information.

The destruction mechanism of data and data carriers has been stipulated in the policy of Yuanli Jinzhi.

D. Data Transfer Control.

Measures:

Yuanli Jinzhi and the Customer will agree on the protection measures for the Personal Information transferred during the data transfer between them. Likewise, this measure applies to physical data transfer and network data transfer.

Yuanli Jinzhi shall be responsible for any data transfer within the control system of Yuanli Jinzhi.

E. Operation Control.

Measures:

Yuanli Jinzhi will adopt controls and processes to ensure compliance with the contracts between Yuanli Jinzhi and its Customers, Sub-trustees and other entities.

All the employees, Sub-trustees and/or other service providers of Yuanli Jinzhi are contractually bound to maintain the confidentiality of all sensitive information, including trade secrets of Yuanli Jinzhi, its Customers and partners.

F. Integrity and Availability Control.

Measures:

Yuanli Jinzhi will adopt a regular backup process to ensure that critical business systems can be quickly restored when necessary.

Yuanli Jinzhi will develop and test from time to time business contingency plans for critical business processes and put in place disaster recovery strategies for critical business services.

G. Data Segregation Control.

Measures:

Yuanli Jinzhi will use existing technologies available to achieve isolated storage of the Personal Information of the Customer.

The Customer may only access its own data.