SCC Annex - International Personal Data Transfers
Annex to Vora DPA version 3.2.0
Version: 3.2.0
Effective Date: 13 May 2026
Last Updated: 26 May 2026
Authoritative Language: Italian. Courtesy English translation of dpa-annex-sccs.it.md.
This Annex constitutes an integral and substantial part of Vora DPA 3.1.0 (dpa.en.md) and governs the mechanisms for international personal-data transfer from Vora S.r.l. (EU processor) to sub-processors established outside the European Economic Area, under the various applicable laws depending on the data subject's jurisdiction of origin.
1. EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
For flows of personal data of EU/EEA data subjects from the Company to extra-EU sub-processors, the Parties incorporate by reference Module 3 (processor-to-processor) of the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The full text of the SCCs is available at the official address eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914 and is made available to the Customer upon request at privacy@voiceofthenewera.com.
1.1 Annex I.A - List of Parties
Data Exporter:
- Vora S.r.l., registered office [REGISTERED OFFICE ADDRESS], Italy
- Role: data processor on behalf of the Customer
- Contact: privacy@voiceofthenewera.com
- Processing activity: technical provision of the Vora Platform
Data Importers: each of the following sub-processors, individually:
| # | Sub-processor | Registered office | Processing activity |
|---|---|---|---|
| 1 | Amazon Web Services Inc. | Seattle, WA, USA | Compute / Database / Storage (US operational access) |
| 2 | Resend Inc. | Wilmington, Delaware, USA | Transactional email delivery |
| 3 | Google LLC | Mountain View, CA, USA | Google OAuth 2.0 token delivery |
| 4 | Anthropic PBC | San Francisco, CA, USA | Third-party AI models (if activated) |
Each importer acts as a further processor / sub-processor on behalf of the Company, which in turn acts on behalf of the Customer-Controller.
1.2 Annex I.B - Description of the Transfer
Categories of data subjects: End Users of the Vora Platform (Participants, voters, idea authors, reward winners) resident in EU/EEA.
Categories of personal data transferred: email, name (optional), language preferences, IP address, user-agent, submitted idea content, votes cast (as metadata, never vote content in clear), comments, participations, interaction timestamps.
Sensitive or special data: none (see DPA Article 3.3).
Frequency of transfer: continuous / on-demand for service provision.
Nature of processing: storage, communication, email delivery, authentication, AI modelling (if activated) - see DPA Article 2.4.
Purpose: technical provision of the Vora Platform on behalf of the Customer-Controller; see DPA Article 2.4.
Retention period: for the duration necessary for service provision and per the retention terms of DPA Article 11.
For onward sub-processors: importers' onward sub-processors (e.g., AWS data centres, network backbone providers) are indicated in the respective public DPAs of individual importers.
1.3 Annex I.C - Competent Supervisory Authority
Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00187 Rome, Italy. Email: garante@gpdp.it. PEC: protocollo@pec.gpdp.it. Site: www.gpdp.it.
The Company, as principal EU establishment (Italian registered office), identifies the Italian DPA as lead supervisory authority under Article 56 GDPR.
1.4 Annex II - Supplementary Technical and Organisational Measures
The measures set out in DPA Article 6 (TOMs) integrally constitute the technical and organisational measures of Annex II of the EU SCCs 2021/914. In summary:
- At-rest encryption: AES-256 at AWS level + application-layer AES-256-GCM for images and sensitive vote data;
- In-transit encryption: TLS 1.2+ mandatory;
- Access control: IAM least-privilege + MFA + network segregation;
- Audit log: structured JSON with CloudWatch + CloudTrail;
- Backup: Aurora snapshots + DLM EC2;
- Resilience: multi-AZ + rate limiting;
- Organisational measures: NDA, need-to-know access, periodic training.
1.5 Annex III - List of Sub-Processors
The up-to-date list of sub-processors is the one published in privacy-policy.en.md § 6 (and replicated in section 1.1 supra).
1.6 Module and Specific Clauses
For the Company → AWS / Resend / Google / Anthropic transfers, the Parties apply Module 3 (P2P) of the SCCs. Optional clauses are completed as follows:
- Clause 7 (Docking Clause): applied - additional parties may accede to the SCC mechanism by signing the relevant addendum;
- Clause 9 (Sub-processors): Option 2 - general authorisation with 30-day notice (see DPA Article 7.4);
- Clause 11 (Complaints): without independent mediation option; complaints may be addressed to the competent supervisory authority or to the Italian judicial authority;
- Clause 17 (Governing law): Italian law;
- Clause 18 (Forum): exclusive forum of Milan for disputes with EU/EEA/UK/CH data subjects; CAM Milan arbitration for disputes with non-EU/EEA/UK/CH data subjects (see main Contract Article 13).
1.7 Schrems II Supplementary Measures (C-311/18)
The Company has conducted a Transfer Impact Assessment (TIA) for each extra-EU importer at the v3.1.0 date, assessing:
a) the destination country's law (in particular 50 U.S. Code § 1881a - FISA 702 - and Executive Order 12333 for US importers);
b) the nature of transferred data (exclusion of sensitive data; content minimisation);
c) supplementary technical safeguards (at-rest encryption under EU-Processor key; in-transit encryption; pseudonymisation where possible);
d) additional contractual commitments by importers to challenge disproportionate requests (Clauses 14 and 15 EU SCC);
e) Trump-era and Biden-era Executive Orders on personal-data surveillance (in particular Executive Order 14086 of 7 October 2022 underlying the EU-US Data Privacy Framework).
The TIA outcome is available upon request at privacy@voiceofthenewera.com.
1.8 EU-US Data Privacy Framework (DPF)
For US importers certified in the EU-US Data Privacy Framework at the v3.1.0 date (AWS Inc., Google LLC - verification at publish; Anthropic PBC and Resend Inc. - verification at publish), the transfer also benefits from the adequacy decision of the European Commission of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795), as an alternative and additional transfer mechanism to the SCCs. DPF certification is verified case by case at https://www.dataprivacyframework.gov/list.
2. UK International Data Transfer Addendum (UK IDTA)
For flows of personal data of UK data subjects from the Company to extra-UK sub-processors, the Parties incorporate by reference the UK International Data Transfer Addendum B1.0 of 21 March 2022, issued by the Information Commissioner's Office (ICO) under section 119A of the Data Protection Act 2018.
The UK IDTA applies as an addendum to the EU SCCs of section 1, with the following adaptations:
- Reference to UK GDPR and the DPA 2018 in lieu of the EU GDPR;
- Competent supervisory authority: Information Commissioner's Office (ICO) - Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom - ico.org.uk;
- Forum: depending on the data subject's status as consumer vs. professional (see main Contract Article 13);
- Substantive law: Italian law (in line with the DPA), subject to the mandatory protections of the UK Consumer Rights Act 2015.
For US importers certified in the UK Extension to the EU-US DPF, the transfer also benefits from the UK adequacy recognition (UK Adequacy Regulations 2023).
3. Transfers from Switzerland (FADP)
For flows of personal data of data subjects resident in the Swiss Confederation, the Parties incorporate the EU SCCs 2021/914 as adapted for Switzerland, under the declaration of the Federal Data Protection and Information Commissioner (FDPIC) of 27 August 2021 and the revFADP (revised Federal Act on Data Protection) of 25 September 2020, in force since 1 September 2023.
Main adaptations:
- Reference to Swiss revFADP in lieu of the EU GDPR for the substantive law applicable to Swiss data subjects;
- Competent supervisory authority: Federal Data Protection and Information Commissioner (FDPIC) - Feldeggweg 1, 3003 Bern, Switzerland - edoeb.admin.ch;
- Recognition of the right to file a complaint with the FDPIC.
4. Transfers from Brazil (LGPD)
For flows of personal data of Brazilian data subjects, the Parties incorporate the specific contractual clauses under Article 33 of Lei 13.709/2018 (LGPD), as integrated into the EU SCCs 2021/914 with Brazilian adaptation. These clauses provide:
a) compliance with LGPD legal bases (Articles 7, 11) by the importer;
b) recognition of LGPD data-subject rights (Article 18) - including access, rectification, anonymisation/deletion, portability, consent revocation;
c) cooperation with the Autoridade Nacional de Proteção de Dados (ANPD) - gov.br/anpd - for any rights-exercise request or inspection;
d) LGPD breach-notification deadlines (tempo razoável) under Article 48 LGPD;
e) controlador / operador liability allocation consistent with LGPD.
5. California Data Subjects (CCPA / CPRA)
For personal data of data subjects resident in California (USA) under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
5.1 Non-sale / non-share declaration. The Company declares that it does NOT sell or share personal information within the meaning of Cal. Civ. Code § 1798.140(ad) ("sale") and (ah) ("sharing"), nor has it done so in the 12 months preceding this v3.1.0, nor does it intend to do so. All transfers to sub-processors (Resend, Google, Anthropic) occur within service provider / processor relationships under Cal. Civ. Code § 1798.140(ag) and do not constitute sale or sharing.
5.2 Service Provider Agreement. Processing agreements with sub-processors contain the mandatory clauses under Cal. Civ. Code § 1798.140(ag)(1), including:
a) prohibition on the sub-processor selling, sharing, retaining, using or disclosing the personal data for purposes other than the specified service purposes;
b) prohibition on retaining, using or disclosing the data outside the contractual relationship;
c) prohibition on combining the received data with data from other sources to build individual profiles;
d) certification of understanding and compliance with CCPA limitations.
5.3 CCPA/CPRA rights of data subjects. The Company, as business + service provider, supports the Customer in the exercise of the following CCPA/CPRA rights of California data subjects:
- right to know (Cal. Civ. Code § 1798.110);
- right to delete (Cal. Civ. Code § 1798.105);
- right to correct (Cal. Civ. Code § 1798.106);
- right to opt-out of sale / sharing (Cal. Civ. Code § 1798.120) - not applicable since the Company does not sell or share;
- right to limit use of sensitive personal information (Cal. Civ. Code § 1798.121) - not applicable since the Company does not process SPI;
- right to non-discrimination (Cal. Civ. Code § 1798.125).
5.4 Supervisory authority: California Privacy Protection Agency (CPPA) - cppa.ca.gov.
6. Other Jurisdictions
For transfers concerning data subjects resident in jurisdictions not governed in sections 1-5 (Canada - PIPEDA; Australia - Privacy Act 1988; Japan - APPI; Singapore - PDPA; South Africa - POPIA; etc.), the Company applies as baseline the EU SCCs 2021/914 of section 1 and, where local law requires additional mechanisms, integrates them concurrently. Specific documentation is made available upon request at privacy@voiceofthenewera.com.
7. Updates of This Annex
The Company may update this Annex (in particular the sub-processor list in section 1.1, the DPF status in section 1.8, the TIA documentation in section 1.7) without renegotiation, with 30 days' notice to the Customer under DPA Article 7.4.
Structural changes to this Annex (addition of new SCC modules, modification of destination jurisdictions, modification of the arbitral forum) constitute material modification of the DPA and follow the versioning and acceptance procedure of the main Contract (see customer-tos.en.md Article 15).
Vora S.r.l. - [REGISTERED OFFICE ADDRESS] - VAT: [VAT: ____] - privacy@voiceofthenewera.com
Source document in markdown: docs/legal/dpa-annex-sccs.en.md (v3.1.0 - 13 May 2026).