Nevermined AG — Data Policy
(Privacy Policy, Data Processing Terms, and Technical Measures)
This Data Policy explains how Nevermined AG (“Nevermined,” “we,” “our”) collects, uses, stores, shares, and protects Personal Data in connection with the Nevermined platform and services (the “Service”). It serves as both our public privacy notice and the foundation for our data processing commitments to customers.
This Data Policy is designed to comply with the Swiss Federal Act on Data Protection (FADP/nDSG, in force since 1 September 2023) and the associated Data Protection Ordinance (DPO). Where our services also fall within the scope of the EU General Data Protection Regulation (GDPR) or the UK GDPR, we apply the relevant requirements concurrently. This document forms an integral part of our Terms of Service.
PART A: PRIVACY POLICY
1. Data Controller
The entity responsible for the processing described in this Data Policy is:
Nevermined AG
Registered in the Canton of Zug, Switzerland
Email: privacy@nevermined.ai
Under Swiss law, the appointment of a data protection officer is optional. Nevermined designates a privacy contact who is available at the address above to handle all data subject enquiries and regulatory communications.
2. Categories of Personal Data We Process
2.1 Account and Identity Data
Name, email address, company name, job title, billing address, account credentials, and authentication records collected during registration and account management.
2.2 Payment and Transaction Data
Tokenised card credentials (processed via our PCI-compliant vault partner), transaction amounts, currency, merchant identifiers, mandate parameters, settlement records, and chargeback data. Nevermined does not store raw cardholder data on its own systems; card data is vaulted and tokenised by our infrastructure partner before reaching the Nevermined environment.
2.3 Agentic Token and Mandate Data
Policy rules, delegation parameters, spending limits, merchant category restrictions, temporal boundaries, agent identifiers, device binding records, and revocation history associated with Agentic Tokens issued through the platform.
2.4 Usage and Technical Data
API call logs, IP addresses, browser and device information, session identifiers, dashboard activity, CLI usage telemetry, webhook delivery metadata, error logs, and performance metrics.
2.5 Audit Logs
Timestamped records of all actions performed under Agentic Tokens, including the agent identity, action type, amounts, merchant, policy evaluation results, and outcome status. Audit logs are retained for compliance, dispute resolution, and security purposes.
2.6 Communications Data
Content of support tickets, emails, in-app messages, and other communications between you and Nevermined, including metadata such as timestamps and sender information.
3. Purposes of Processing and Legal Basis
Under the FADP, the processing of Personal Data is permissible provided it does not unlawfully violate the personality rights of the data subject. The FADP does not require an explicit legal basis for every processing activity in the manner of the GDPR; however, we identify our justifications for each purpose to ensure transparency and to satisfy the requirements of any concurrently applicable jurisdiction:
| Purpose | Data Categories | Justification (FADP / GDPR) |
|---|---|---|
| Providing and operating the Service, including Agentic Token lifecycle management | Account, Payment, Agentic Token, Usage, Audit Logs | Performance of the contract (Art. 31(2)(a) FADP / Art. 6(1)(b) GDPR) |
| Billing, invoicing, and payment reconciliation | Account, Payment, Transaction | Performance of the contract |
| Security monitoring, fraud prevention, and abuse detection | Usage, Audit Logs, Payment, Technical | Overriding legitimate interest (Art. 31(1) FADP / Art. 6(1)(f) GDPR) |
| Compliance with legal obligations (e.g., AML, sanctions screening, tax retention) | Account, Payment, Transaction | Legal obligation (Art. 31(2)(b) FADP / Art. 6(1)(c) GDPR) |
| Product improvement, analytics, and aggregate reporting | Usage, Technical (aggregated or pseudonymised) | Overriding legitimate interest / Consent where required |
| Customer support and operational communications | Account, Communications | Performance of the contract / Legitimate interest |
| Maintaining the audit trail for agent-initiated actions | Audit Logs, Agentic Token, Transaction | Performance of the contract / Legitimate interest / Legal obligation |
4. Data Sharing and Recipients
Nevermined discloses Personal Data only to the extent necessary for the purposes described above and to the following categories of recipients:
Payment and token infrastructure partners: Including our cardholder data vault provider, card network token services, and payment processors. Depending on the specific data flow, these partners may act as independent controllers (for their own compliance obligations) or as processors on our behalf.
Cloud and hosting providers: Infrastructure services located in the European Economic Area or Switzerland, bound by data processing agreements with appropriate security commitments.
Professional advisors: Auditors, legal counsel, tax advisors, and compliance consultants engaged under contractual confidentiality obligations.
Regulatory and public authorities: Where disclosure is required by law, including the Federal Data Protection and Information Commissioner (FDPIC), financial regulators, and law enforcement agencies acting under valid legal process.
Affiliated entities: Current or future subsidiaries, parent companies, or affiliates of Nevermined, subject to data protection obligations equivalent to those in this Data Policy.
Nevermined does not sell Personal Data. We do not share Personal Data with third parties for their own independent marketing or advertising purposes.
5. Cross-Border Data Transfers
Nevermined is incorporated in Switzerland. Some of our infrastructure partners and sub-processors operate in countries outside Switzerland and the European Economic Area. Where Personal Data is transferred to a country that is not recognised as providing an adequate level of data protection by the Swiss Federal Council or the European Commission, we implement one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as recognised under Swiss data protection law, including Module 2 (Controller to Processor) and Module 3 (Processor to Processor) as applicable
- The UK International Data Transfer Addendum where transfers are subject to the UK GDPR
- Data Processing Agreements incorporating FADP-compliant transfer provisions
- A documented Transfer Impact Assessment evaluating the legal regime of the recipient country and any supplementary measures required
The current list of countries recognised as providing adequate data protection is maintained by the FDPIC. You may request a copy of the applicable transfer mechanism for any specific sub-processor by contacting privacy@nevermined.ai.
6. Data Retention
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:
Account Data: Retained for the duration of the contractual relationship and for ten (10) years thereafter, in accordance with Swiss commercial record-keeping obligations under Art. 958f of the Swiss Code of Obligations.
Transaction and Payment Data: Retained for ten (10) years from the date of the transaction, as required by Art. 958f CO and applicable anti-money laundering regulations.
Audit Logs: Retained for a minimum of five (5) years from the date of creation, or longer where required for an ongoing compliance investigation, regulatory proceeding, or dispute resolution.
Usage and Technical Data: Retained in identifiable form for up to twenty-four (24) months, after which it is aggregated or irreversibly anonymised.
Communications Data: Retained for three (3) years after the last interaction, unless a longer period is required for dispute resolution, legal proceedings, or regulatory obligations.
Upon expiry of the applicable retention period, Personal Data is securely deleted or irreversibly anonymised so that it can no longer be attributed to an identifiable individual.
7. Aggregation and Anonymisation
Nevermined may aggregate, de-identify, or anonymise Personal Data such that the resulting data no longer constitutes Personal Data within the meaning of the FADP or any other applicable data protection law. Anonymised data is not subject to the restrictions of this Data Policy and may be used by Nevermined for any lawful purpose, including product development, benchmarking, analytics, and the creation of aggregate industry insights.
Where Nevermined creates de-identified data, it will: (a) take commercially reasonable technical and organisational measures to prevent re-identification; (b) not attempt to re-identify the data or combine it with other data sets in a manner that would re-identify individuals; and (c) contractually require any third party receiving such data to maintain its de-identified status.
8. Technical and Organisational Measures
Nevermined implements appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, alteration, disclosure, or destruction, as required by Art. 8 of the FADP. The measures described below represent our current security posture and are reviewed and updated on an ongoing basis.
8.1 Encryption
- Data in transit is protected using TLS 1.2 or higher for all connections
- Data at rest is encrypted using AES-256 or equivalent symmetric encryption
- Encryption keys are managed through a dedicated key management service with automatic rotation
8.2 Cardholder Data Isolation
- Raw cardholder data (CHD) never enters the Nevermined processing environment; it is intercepted, vaulted, and tokenised by our PCI DSS-compliant infrastructure partner before reaching our systems
- This architecture reduces Nevermined’s PCI scope to SAQ-D level and eliminates the risk of CHD exposure from a compromise of Nevermined’s own systems
8.3 Authentication and Access Control
- FIDO2/WebAuthn-based authentication is available for sensitive operations, including administrative access and high-value mandate configuration
- Role-based access control (RBAC) enforces the principle of least privilege across all internal systems
- Administrative access to production systems requires multi-factor authentication and is logged and auditable
- Access rights are reviewed at least quarterly
8.4 Infrastructure Security
- Regular vulnerability assessments and penetration testing conducted by independent third parties
- Network segmentation isolating production, staging, and development environments
- Intrusion detection and monitoring systems operating continuously
- Automated patch management for operating systems and dependencies
8.5 Compliance Certifications
- ISO/IEC 27001:2022 certification programme in progress (Stage 1 audit complete; Stage 2 scheduled)
- Continuous compliance monitoring and evidence collection through an automated platform
- PCI DSS scope reduction achieved through vault-based tokenisation architecture
8.6 Incident Response
- Documented incident response plan with defined roles, escalation paths, and communication procedures
- Post-incident review process with root cause analysis and remediation tracking
8.7 Privacy by Design
- Privacy by Design and Privacy by Default principles are embedded in the product development lifecycle, in accordance with Art. 7 of the FADP
- Data minimisation is applied at the design stage: the Service collects only the Personal Data necessary for the specified processing purposes
9. Your Rights
Under the FADP (and, where applicable, the GDPR and UK GDPR), you have the following rights in relation to your Personal Data:
Right of access (Art. 25 FADP): You may request confirmation of whether we process your Personal Data and, if so, obtain a copy together with information about the purposes, categories, recipients, and retention periods.
Right to rectification (Art. 32(1) FADP): You may request correction of inaccurate Personal Data or completion of incomplete data.
Right to deletion: You may request deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, subject to mandatory statutory retention requirements.
Right to data portability (Art. 28 FADP): You may request that your Personal Data be provided in a structured, commonly used, machine-readable format, or that it be transmitted directly to another controller where technically feasible.
Right to object: You may object to processing based on our legitimate interests. We will cease such processing unless we can demonstrate compelling grounds that override your interests, rights, and freedoms.
Right to restriction: In certain circumstances, you may request that processing be restricted, for example while we verify the accuracy of disputed data or assess an objection.
Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at privacy@nevermined.ai. We will acknowledge your request within five (5) business days and provide a substantive response within thirty (30) days. We may request verification of your identity before processing your request. Requests that are manifestly unfounded, excessive, or repetitive may be subject to a reasonable administrative fee.
If you believe that our processing of your Personal Data infringes applicable data protection law, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch, or, where applicable, with the relevant supervisory authority in the EEA or the UK.
10. Profiling and Automated Decision-Making
The Service involves automated processing of transaction and mandate data to enforce the policy constraints encoded in Agentic Tokens, such as spending limits, merchant category restrictions, and temporal boundaries. This automated processing is integral to the contractual service and does not constitute profiling for marketing, behavioural analysis, or credit scoring purposes.
Nevermined does not use Personal Data for automated decision-making that produces legal effects or similarly significant effects on individuals without human oversight, except where automated enforcement of mandate constraints that you have configured is an inherent part of the Service functionality.
11. Cookies and Tracking Technologies
The Nevermined website and dashboard may use cookies and similar technologies for the following purposes:
Strictly necessary cookies: Required for the operation of the Service, including session management, authentication state, and security tokens. These cookies do not require consent under any applicable law.
Analytics cookies: Used to understand aggregate usage patterns and improve the platform. We use privacy-respecting analytics tools that do not create individual behavioural profiles. These cookies are deployed only with your consent where required by applicable law.
Under Swiss law, consent for cookies is generally not required unless the processing involves particularly sensitive data. Where the website is accessed by visitors located in the EU or UK, we apply the consent requirements of the ePrivacy Directive and GDPR for non-essential cookies.
You may manage cookie preferences through your browser settings or, where available, through the cookie consent mechanism on our website.
11.1 Marketing and Product Communications
Nevermined may send you communications about product updates, new features, service changes, and related offerings that we believe are relevant to your use of the Service. These communications are based on your existing relationship with Nevermined and our legitimate interest in keeping you informed about the platform you use. You may opt out of marketing communications at any time by using the unsubscribe mechanism included in each communication or by contacting privacy@nevermined.ai. Opting out of marketing communications does not affect transactional or operational notices (such as service alerts, security notifications, billing communications, or mandatory legal notices), which will continue to be sent as necessary.
12. Children’s Data
The Service is not directed at individuals under the age of 18. We do not knowingly collect Personal Data from minors. If we become aware that we have inadvertently processed Personal Data from a person under 18, we will take prompt steps to delete such data and terminate any associated account.
PART B: DATA PROCESSING TERMS
The following terms apply where Nevermined processes Personal Data on behalf of a Customer (the “Controller”) in the course of providing the Service, and where such processing falls within the scope of the FADP, the GDPR, the UK GDPR, or any other applicable data protection law. These Data Processing Terms (“DPT”) form part of the Terms of Service and this Data Policy. In the event of a conflict between these DPT and any other part of this Data Policy, these DPT shall prevail with respect to the processing of Personal Data on behalf of the Controller.
13. Roles and Relationship
For the purposes of the processing described in these DPT, the Customer is the controller (or equivalent designation under applicable law) and Nevermined is the processor (or equivalent designation). The specific details of the processing — including subject matter, nature, purpose, duration, categories of data subjects, and types of Personal Data — are set out in Annex A to this Data Policy.
Nevermined shall process Personal Data only on the documented instructions of the Controller, as set out in the Terms of Service, this Data Policy, and any applicable Order Form, unless processing is required by a law to which Nevermined is subject, in which case Nevermined shall (where legally permissible) inform the Controller of that legal requirement before carrying out the processing.
14. Personnel and Confidentiality
Nevermined shall ensure that every person who is authorised to process Personal Data on its behalf is bound by an appropriate obligation of confidentiality, whether by contract or by operation of law. Access to Personal Data is limited to personnel whose roles require it and is governed by the access control measures described in Section 8.
15. Sub-Processors
15.1 General Authorisation
The Controller grants Nevermined general written authorisation to engage sub-processors for the processing of Personal Data in connection with the Service. The current list of sub-processors is set out in Annex B to this Data Policy and is also maintained at a location that Nevermined will communicate to the Controller.
15.2 Notification and Objection
Before engaging a new sub-processor or replacing an existing one, Nevermined will notify the Controller by updating the sub-processor list and sending written notice (which may be by email) at least sixty (60) days before the new sub-processor begins processing Personal Data. During a period of fifteen (15) business days following such notice, the Controller may object to the appointment on reasonable and documented grounds relating to the confidentiality or security of Personal Data or the sub-processor’s ability to comply with applicable data protection law.
If the Controller raises a timely objection: (a) Nevermined will use commercially reasonable efforts to make available an alternative sub-processor arrangement or to modify the Service to avoid the use of the objected-to sub-processor; (b) if no resolution is reached within thirty (30) days of the objection, either party may terminate the affected portion of the Service (or, if the affected processing is integral to the entire Service, these Terms) upon written notice, and Nevermined will refund any prepaid fees for the terminated portion covering the period after termination. This termination right is the Controller’s sole and exclusive remedy for an unresolved sub-processor objection.
15.3 Sub-Processor Obligations
Nevermined shall enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set out in these DPT. Nevermined remains liable to the Controller for the acts and omissions of its sub-processors to the same extent it would be liable if performing the relevant processing directly, subject to the limitations of liability in the Terms of Service.
16. Cooperation and Assistance
Taking into account the nature of the processing and the information available to Nevermined, Nevermined shall provide reasonable assistance to the Controller, through appropriate technical and organisational measures, in:
- Responding to requests from data subjects exercising their rights under the FADP, GDPR, or UK GDPR, including requests for access, rectification, deletion, portability, and restriction of processing
- Fulfilling the Controller’s obligations in respect of data security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
- Providing information reasonably necessary for the Controller to demonstrate compliance with its data protection obligations
Where Nevermined receives a data subject request directly that relates to the Controller’s data, Nevermined will promptly redirect the request to the Controller unless legally required to respond directly.
17. Data Breach Notification
In the event of a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed on behalf of the Controller (a “Personal Data Breach”), Nevermined will:
- Notify the Controller without undue delay after becoming aware of the breach, and in any event within seventy-two (72) hours, providing initial information about the nature and scope of the breach
- Provide supplementary information in phases as it becomes available, including the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach
- Cooperate with the Controller and any supervisory authority in investigating and resolving the breach
- Document the breach, its effects, and all remedial actions in an internal breach register
The notification of a Personal Data Breach to the Controller shall not be construed as an admission of fault or liability by Nevermined.
Where the breach involves Personal Data for which Nevermined acts as controller in its own right (e.g., account data of direct users), Nevermined will notify the FDPIC as soon as possible and inform affected data subjects where the breach is likely to result in a high risk to their rights, in accordance with Art. 24 of the FADP.
18. Audit Rights
18.1 Information and Reporting
Upon reasonable written request, Nevermined shall make available to the Controller such information as is reasonably necessary to demonstrate compliance with the obligations set out in these DPT. This may include summaries of audit reports, certification status, penetration test findings (in redacted form where necessary to protect confidential information of other customers), and completed security questionnaires.
18.2 Third-Party Audit Reports
As an alternative to a direct audit, Nevermined may satisfy audit requests by providing the Controller with: (a) a current ISO/IEC 27001 certificate or SOC 2 Type II report issued by a qualified independent auditor; or (b) a summary of findings from Nevermined’s most recent independent security assessment, subject to reasonable confidentiality protections. Where such reports are available, they shall be the primary mechanism for demonstrating compliance.
18.3 On-Site Audits
Where the Controller reasonably determines that the information and reports provided under Sections 18.1 and 18.2 are insufficient to verify compliance, the Controller may conduct or commission an audit of Nevermined’s relevant processing activities, subject to the following conditions:
- The Controller shall provide at least thirty (30) days’ advance written notice
- Audits shall be limited to no more than once per twelve (12) month period, unless a specific data breach or material compliance concern has been identified
- The scope, methodology, and timing of the audit shall be agreed in advance between the parties
- The auditor (whether the Controller or a third party engaged by the Controller) must be bound by appropriate confidentiality obligations and must be reasonably acceptable to Nevermined
- The audit shall be conducted during normal business hours and in a manner that minimises disruption to Nevermined’s operations and does not compromise the security or confidentiality of other customers’ data
- The Controller shall bear the costs of any on-site audit, unless the audit reveals a material non-compliance by Nevermined, in which case Nevermined shall bear reasonable audit costs
19. Data Return and Deletion
Upon termination or expiry of the Terms of Service, and upon written instruction from the Controller, Nevermined shall either return all Personal Data to the Controller in a standard, machine-readable format or securely delete such Personal Data, at the Controller’s election. Nevermined shall confirm deletion in writing upon request.
Nevermined may retain Personal Data beyond termination only to the extent required by applicable law (e.g., statutory retention periods under Swiss commercial law or anti-money laundering regulations). Such retained data shall continue to be protected in accordance with this Data Policy and shall be deleted or anonymised once the legal retention obligation expires.
20. International Data Transfer Mechanisms
Where the processing under these DPT involves the transfer of Personal Data to a country that does not benefit from an adequacy decision by the Swiss Federal Council or the European Commission, the following transfer mechanisms apply:
Controller-to-Processor transfers: The Standard Contractual Clauses (Module 2) approved by Commission Implementing Decision (EU) 2021/914, as recognised under Swiss law, are hereby incorporated by reference. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum is additionally incorporated.
Processor-to-Sub-Processor transfers: The Standard Contractual Clauses (Module 3) are incorporated by reference and shall be executed between Nevermined and each relevant sub-processor.
For the purposes of the incorporated SCCs: (a) Nevermined is the data importer and the Controller is the data exporter; (b) the processing details are as set out in Annex A; (c) the technical and organisational measures are as set out in Section 8 and Annex C; (d) the competent supervisory authority is the FDPIC or, where required by the GDPR, the authority determined under Clause 13 of the SCCs; and (e) the governing law and jurisdiction for the SCCs shall be Switzerland and the courts of the Canton of Zug, except where the GDPR or UK GDPR requires an EEA or UK governing law.
21. Changes to This Data Policy
We may update this Data Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Material changes will be communicated at least thirty (30) days before they take effect via email or a prominent notice on the dashboard. Changes to the Data Processing Terms in Part B that materially reduce the level of data protection will not apply retroactively to existing processing arrangements without the Controller’s consent.
22. Contact Information
For questions, concerns, or requests regarding this Data Policy or our data protection practices:
Nevermined AG — Privacy Contact
Email: privacy@nevermined.ai
Registered Office: Zug, Switzerland
Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch
ANNEXES
Annex A: Details of Processing
| Element | Description |
|---|---|
| Subject matter | Processing of Personal Data by Nevermined as processor in connection with the provision of the agentic commerce platform and related services to the Controller. |
| Nature of processing | Collection, storage, organisation, structuring, retrieval, use, transmission, combination, restriction, deletion, and other processing operations necessary to operate the Service, including Agentic Token lifecycle management, payment authorisation, metering, and audit logging. |
| Purpose of processing | To provide the Service as described in the Terms of Service and applicable Order Form, including enabling the Controller to issue, manage, and revoke Agentic Tokens, process delegated payments, and access audit records. |
| Duration | For the term of the Terms of Service, plus any post-termination retention period required by law or as set out in Section 6 of the Data Policy. |
| Categories of data subjects | The Controller’s employees, contractors, authorised users, and customer service providers who access the Service; end users on whose behalf Agentic Tokens are issued; merchants and payees involved in agent-initiated transactions. |
| Categories of Personal Data | Account and identity data (name, email, company, job title); authentication records; payment and transaction data (tokenised card credentials, amounts, merchant identifiers); Agentic Token and mandate data (policy rules, agent identifiers, delegation parameters); usage and technical data (API logs, IP addresses, device information); audit logs; communications data. |
| Sensitive data | No sensitive or special category data is intended to be processed. If the Controller includes such data in its use of the Service, the Controller is solely responsible for ensuring a lawful basis exists. |
| Frequency | Continuous, for the duration of the Service. |
Annex B: Sub-Processors
The following sub-processors are currently authorised by Nevermined to process Personal Data in connection with the Service:
| Sub-Processor | Purpose | Data Processed | Location / Transfer Mechanism |
|---|---|---|---|
| VGS (Very Good Security) | Cardholder data vault and tokenisation | Payment card credentials (vaulted; Nevermined receives tokens only) | USA — SCCs (Module 2/3); additionally certified under Swiss-U.S. Data Privacy Framework |
| Visa (VIC Platform) | Token lifecycle management, DPAN provisioning, device binding | Tokenised card data, mandate metadata, device binding records | USA / EU — Adequacy (EU) / SCCs (CH) |
| Stripe, Inc. | Payment processing and settlement | Transaction data, merchant data, settlement records | USA / Ireland — SCCs |
| Cloud hosting provider | Compute, storage, and network infrastructure | All Service data (encrypted at rest and in transit) | EU / Switzerland — Adequate jurisdiction |
| Compliance monitoring platform | Continuous compliance evidence collection and audit readiness | Security configuration data, policy evidence (no end-user Personal Data) | USA — SCCs |
This list is updated when sub-processors are added or replaced. Notification and objection procedures are set out in Section 15.
Annex C: Technical and Organisational Measures
This annex provides a structured summary of the security measures referenced in Section 8 of the Data Policy, organised by control objective. These measures are subject to ongoing review and improvement.
C.1 Physical Access Controls
Measures to prevent unauthorised physical access to facilities where Personal Data is processed:
- Production infrastructure is hosted in professionally managed data centres with 24/7 physical security, biometric access controls, and CCTV surveillance
- Nevermined personnel do not have unescorted physical access to data centre hardware; all infrastructure management is performed remotely through authenticated and encrypted channels
C.2 System Access Controls
Measures to prevent unauthorised access to data processing systems:
- Unique user authentication with strong password requirements and multi-factor authentication for all administrative and production access
- FIDO2/WebAuthn available as a phishing-resistant second factor
- Centralised identity management with single sign-on where applicable
- Automated session timeouts for idle sessions
- Network firewalls and intrusion detection systems protecting all externally facing services
C.3 Data Access Controls
Measures to ensure that authorised persons access only the Personal Data they need:
- Role-based access control (RBAC) enforcing least-privilege principles
- Segregation of duties for sensitive operations (e.g., production deployments, key management)
- Access rights reviewed quarterly; stale accounts deactivated automatically
- All access to Personal Data logged with user identity, timestamp, and action performed
C.4 Transmission Controls
Measures to protect Personal Data during electronic transmission:
- TLS 1.2+ for all data in transit, including API calls, webhook deliveries, and internal service communication
- Cardholder data intercepted and tokenised before entering the Nevermined environment, ensuring that raw CHD is never transmitted to or from Nevermined systems
- Encrypted email and secure file transfer available for sensitive communications
C.5 Input Controls
Measures to ensure that it is possible to verify who has entered, modified, or deleted Personal Data:
- Comprehensive audit logging of all data modifications, including user identity, action, timestamp, and affected records
- Immutable audit logs for Agentic Token actions, stored separately from operational databases
- Log retention aligned with the periods set out in Section 6
C.6 Availability Controls
Measures to protect Personal Data against accidental destruction or loss:
- Automated backups with geographic redundancy
- Documented disaster recovery plan with defined recovery time and recovery point objectives
- Regular backup restoration testing
- Redundant infrastructure components to eliminate single points of failure
C.7 Separation Controls
Measures to ensure that Personal Data collected for different purposes or different controllers is processed separately:
- Logical separation of customer data through tenant isolation at the application and database layer
- Separate encryption keys per customer where architecturally appropriate
- Environment segregation between production, staging, and development
Annex D: Technology Partners Register
In accordance with the transparency obligations of the Swiss Federal Act on Data Protection (Art. 19 FADP), Nevermined maintains this register of technology partners whose services are integrated into or connected with the Nevermined platform. This annex identifies each partner, describes the nature of the relationship and data flows, provides links to their publicly available legal and privacy documentation, notes compliance strengths, and highlights specific provisions in those documents that warrant attention from a Swiss legal perspective.
This register is updated when partners are added or removed. The commentary below reflects Nevermined’s assessment at the time of publication and does not constitute legal advice. Customers should review the linked documents independently and assess their own compliance obligations.
D.1 Very Good Security, Inc. (VGS)
Relationship: Infrastructure service provider (processor)
Role: Cardholder data vault and tokenisation. VGS intercepts, vaults, and tokenises raw payment card data before it reaches the Nevermined environment, reducing Nevermined’s PCI scope.
Data flows: Nevermined → VGS (card credentials for vaulting); VGS → Nevermined (tokens only). Raw cardholder data does not enter Nevermined’s systems.
Jurisdiction: United States. Certified under the Swiss-U.S. Data Privacy Framework. Standard Contractual Clauses (Module 2/3) additionally in place.
Documentation links
- Privacy Notice: https://www.verygoodsecurity.com/privacy-notice
- Terms and Conditions: https://www.verygoodsecurity.com/terms-and-conditions
Compliance strengths: VGS is PCI DSS Level 1 certified and operates a purpose-built vault architecture specifically designed to isolate sensitive cardholder data from client environments. The Swiss-U.S. DPF certification provides a recognised transfer mechanism under Swiss law, supplemented by Nevermined’s SCCs.
Swiss-law commentary
- Liability cap: VGS’s Terms (Section 10) contain a broad disclaimer of all warranties and cap aggregate liability at the greater of $100 or fees paid in the preceding 6 months. Under Swiss mandatory law (Art. 100 CO), liability for wilful misconduct or gross negligence cannot be excluded by contract. A $100 floor is exceptionally low for a financial infrastructure provider that vaults payment card data, and would likely be regarded as disproportionate by a Swiss court.
- Limitation period: VGS imposes a one-year limitation for all claims (Section 13.1). Swiss law prescribes a 10-year limitation for contractual claims (Art. 127 CO) and one year for tort claims (Art. 60 CO). The contractual shortening may not be enforceable to the extent it conflicts with mandatory Swiss limitation periods that cannot be contractually reduced.
- Termination without transition: VGS reserves the right to terminate service immediately and without notice in several scenarios, with no data export or transition obligation. This presents a business continuity risk: if VGS were to terminate without notice, Nevermined would need to migrate its card vaulting infrastructure to an alternative provider without a contractual transition window. Nevermined mitigates this risk by maintaining contingency planning for vault migration.
- Privacy framework: VGS’s Privacy Notice references the U.S. Data Privacy Framework and U.S. state-level privacy laws but does not specifically address the FADP. This is common among U.S. infrastructure providers and does not indicate non-compliance — the Swiss-U.S. DPF certification and Nevermined’s SCCs serve as the transfer safeguards. Swiss data subjects wishing to exercise rights under Art. 25 FADP in relation to vaulted data should direct requests to Nevermined, which will coordinate with VGS as necessary.
D.2 Exa Labs, Inc.
Relationship: Client / integration partner (independent controller for its own users)
Role: Exa provides AI-powered web search API services. Exa is a customer of Nevermined, purchasing Agentic Token-mediated access to services via the Nevermined payment infrastructure. In the Nevermined-Exa integration, Nevermined processes the payment and credential delegation; Exa provisions API keys and handles search queries. Although Exa is a customer rather than an infrastructure dependency, the integration is included in this register for transparency about cross-system data flows and for the benefit of Nevermined customers whose agents transact with Exa.
Data flows: Nevermined → Exa (webhook notifications upon purchase, containing plan metadata and provisioning instructions); Exa → Nevermined (confirmation of provisioned access). End-user query data flows directly from the agent to Exa and does not transit Nevermined.
Jurisdiction: United States (San Francisco, CA). No Swiss-U.S. DPF certification identified. SCCs not currently required as Nevermined does not transfer Personal Data to Exa; the data flow is limited to commercial transaction metadata.
Documentation links
- Privacy Policy: https://exa.ai/privacy-policy
- Terms of Service: https://exa.ai/assets/Exa_Labs_Terms_of_Service.pdf
- Data Processing Agreement: https://www.exa.ai/dpa
Compliance strengths: Exa is SOC 2 Type II certified and has built its search engine from scratch (no reliance on third-party search providers such as Google under the hood), which enables it to offer genuine Zero Data Retention (ZDR) as an enterprise option. ZDR ensures that no query data is stored by Exa or any sub-processor after the search response is delivered.
Swiss-law commentary
- Arbitration and class action waiver: Exa’s ToS (Section 9) imposes mandatory binding arbitration with JAMS in San Francisco and a class action waiver. These provisions are standard under U.S. law but are generally unenforceable in Switzerland, where both businesses and consumers retain the right to access state courts. A Swiss court would be unlikely to give effect to these clauses in proceedings brought by a Swiss party.
- Liability cap: Exa’s ToS (Section 8.3) caps aggregate liability at the greater of $100 or fees paid in the prior 6 months. The same Swiss mandatory law concerns apply as with VGS — exclusion of liability for wilful misconduct or gross negligence is impermissible under Art. 100 CO, and the $100 floor is very low relative to the potential consequences of search API failures in agentic commerce workflows.
- AI output disclaimer: Exa’s ToS (Section 7.1.2) broadly disclaims responsibility for the accuracy, completeness, or reliability of AI-generated search results. This is common in AI service terms and is not inherently problematic, but customers who route Exa search results into automated decision-making pipelines (e.g., agents making purchasing decisions based on search output) should evaluate whether this disclaimer is consistent with their own downstream obligations and risk tolerance.
- Query data used for model training: Exa’s Privacy Policy states that Query Data is used to improve products and technology, including training and fine-tuning models. If customers route queries through Exa that could contain personal data or commercially sensitive information, they should consider whether this default is compatible with their own purpose limitation obligations under Art. 6(3) FADP (processing must be compatible with the purpose communicated at collection). Exa offers Zero Data Retention as an enterprise option that eliminates this concern, but it is not enabled by default.
- Suspension and termination: Exa reserves broad rights to suspend or terminate service at any time, for any reason, with or without notice. There is no cure period and no data export obligation. This presents a continuity risk for customers who depend on Exa search results within their agent workflows.
D.3 Stripe, Inc.
Relationship: Infrastructure service provider (processor for payment processing)
Role: Stripe provides payment processing and settlement services. In the Nevermined architecture, Stripe handles charge creation, fund capture, and settlement via Standard Stripe Connect (OAuth).
Data flows: Nevermined → Stripe (transaction instructions, tokenised payment references, merchant/platform identifiers); Stripe → Nevermined (transaction outcomes, settlement confirmations, webhook events). Stripe also receives cardholder information directly from VGS-tokenised flows.
Jurisdiction: United States (Stripe, Inc.) and Ireland (Stripe Payments Europe, Ltd). Standard Contractual Clauses in place. Stripe participates in the EU-U.S. Data Privacy Framework.
Documentation links
- Privacy Policy: https://stripe.com/privacy
- Services Agreement: https://stripe.com/legal/ssa
- Data Processing Agreement: https://stripe.com/legal/dpa
- Privacy Centre: https://stripe.com/legal/privacy-center
Compliance strengths: Stripe is PCI DSS Level 1 certified, maintains a comprehensive DPA, and operates a dedicated Privacy Centre with detailed documentation of its data practices. Stripe Payments Europe, Ltd (Ireland) is a regulated Electronic Money Institution, providing an additional layer of regulatory oversight for European payment flows. Stripe’s DPF certification and SCCs provide robust transfer safeguards.
Swiss-law commentary
- Suspension rights: Stripe’s SSA grants broad rights to suspend or terminate service if Stripe reasonably believes the user’s activity degrades security, enables illegal transactions, or increases fraud rates. The threshold of “reasonable belief” is subjective and there is no cure period for most suspension scenarios. This could result in immediate disruption of Nevermined’s payment processing capability without prior notice. Nevermined mitigates this risk through compliance with Stripe’s acceptable use policies and ongoing monitoring of transaction patterns.
- Reserve and holdback rights: Stripe may withhold settlement funds and impose reserves against chargebacks, fines, or anticipated losses under its Connect platform terms. If Stripe imposes a reserve on Nevermined’s Connect account, this could delay settlement of funds to customers. Customers should be aware that settlement timing is subject to Stripe’s risk assessment in addition to Nevermined’s own processes.
- Unilateral term modifications: Stripe may modify its services agreement unilaterally with notice, and continued use constitutes acceptance. In a B2B context, Swiss courts generally afford more latitude for such modification clauses than in consumer relationships. However, under Art. 8 UWG (Unfair Competition Act), modification clauses that permit material changes to price, scope, or liability without meaningful opportunity to negotiate or exit may still be challenged, particularly where the customer has limited practical alternatives.
- Affiliate data sharing: Stripe’s Privacy Policy discloses data sharing with affiliates globally and with financial partners for purposes including fraud prevention, service provision, and regulatory compliance. This sharing is covered by DPF certification and SCCs, and is typical for global payment processors operating under card network rules. Customers should note that the scope of affiliate sharing is broader than in most non-financial SaaS relationships, reflecting the multi-party nature of payment processing.
- FADP-specific provisions: Stripe’s DPA incorporates CCPA-specific provisions (California) and GDPR provisions but does not contain FADP-specific language. This is not uncommon — the FADP is intentionally aligned with the GDPR and the DPF certification provides the Swiss-specific transfer mechanism. Swiss data subjects exercising rights under Art. 25 FADP should direct requests through Nevermined as controller, and Nevermined will coordinate with Stripe under the DPA’s cooperation obligations.
D.4 Visa, Inc. (Visa Intelligent Commerce Platform)
Relationship: Infrastructure service provider (independent controller / processor depending on data flow)
Role: Visa provides the token lifecycle management platform (VIC), including DPAN provisioning, device binding, DAVV cryptogram generation, and passkey-based authentication. Visa operates as an independent controller for data it processes in connection with its own network obligations and as a processor for mandate-specific data flows.
Data flows: Nevermined → Visa (mandate metadata, token lifecycle instructions, device binding records); Visa → Nevermined (provisioned DPANs, DAVVs, token status updates). Visa also receives cardholder data from issuing banks through its own network channels.
Jurisdiction: United States (Visa, Inc.) and EU (Visa Europe Ltd). Visa holds EU-U.S. DPF certification. Adequacy decision applies for Visa Europe.
Documentation links
- Global Privacy Notice: https://www.visa.com/privacy
- Visa Developer Terms: https://developer.visa.com/terms
Compliance strengths: Visa is one of the most heavily regulated financial infrastructure providers globally, subject to oversight by multiple financial regulators across jurisdictions. Visa’s DPF certification, comprehensive network security standards (including PCI DSS and Visa’s own security framework), and well-established dispute resolution mechanisms provide a mature compliance foundation.
Swiss-law commentary
- Independent controller status: Visa processes certain transaction data as an independent controller under its own Global Privacy Notice, for its own purposes including fraud prevention, network integrity, and regulatory compliance. This processing occurs independently of Nevermined’s instructions, meaning Visa’s own legal bases and data practices govern that data. Swiss data subjects should be aware that Visa’s handling of their network-level transaction data is not controlled by Nevermined’s Data Policy. This dual-controller arrangement is inherent to all businesses that participate in card payment networks and is not unique to Nevermined.
- Unilateral rule changes: Visa’s network rules (Visa Core Rules and Visa Product and Service Rules) are binding on all participants and may be amended unilaterally. Changes may affect how Agentic Tokens operate, what data must be included in transactions, and what fraud controls are required. These changes flow through to Nevermined’s customers via the Payment Network Rule change provisions in the Terms of Service. Nevermined will provide notice of any Visa rule changes that materially affect the Service.
- DAVV single-use constraint: Visa’s DAVV (Device Authentication Verification Value) is a one-time-use cryptogram locked to a specific merchant URL and transaction amount. Each agent-initiated transaction requires a fresh DAVV, which means that transaction authorisation involves a real-time cryptogram generation step. This introduces a dependency on Visa’s cryptogram service availability and may affect transaction latency in high-frequency agent workflows. If the DAVV service is unavailable, agent transactions that require fresh cryptograms will fail until the service is restored.
- Global data transfers: Visa’s Global Privacy Notice discloses broad international data transfers across Visa’s worldwide network, including sharing with issuing banks, acquirers, and other network participants in multiple jurisdictions. DPF certification and intra-group transfer agreements are in place. The scope of data sharing within the Visa network is wider than typical processor relationships, reflecting the multi-party architecture of global card payment systems rather than any deficiency in Visa’s data protection practices.
This register covers the primary technology partners integrated into the Nevermined platform as of the effective date. Additional partners may be engaged from time to time and will be reflected in updates to this annex and, where they process Personal Data, in Annex B (Sub-Processors). The notification and objection procedures set out in Section 15 of the Data Processing Terms apply to changes involving sub-processors.