This Data Processing Agreement ("DPA") forms part of the Terms of Service between Broby Pte. Ltd. (operating the BrobyVets product at brobyvets.com; "Broby", "we", "us") and the Customer ("Customer", "you") that governs the Customer's use of the Service (as defined in the Terms of Service).
This DPA sets out the terms on which Broby processes Personal Data on the Customer's behalf in connection with the Service, in compliance with the Singapore Personal Data Protection Act 2012 ("PDPA-SG") and the Malaysia Personal Data Protection Act 2010 (as amended by the Personal Data Protection (Amendment) Act 2024) ("PDPA-MY").
This DPA is incorporated into the Terms of Service by reference. In the event of a conflict between this DPA and the Terms of Service on matters of data protection, processing, or De-identified Data rights, this DPA prevails (per Section 17.2 of the Terms of Service).
0. Definitions
Capitalised terms used in this DPA have the meanings given in the Terms of Service. The following terms have the meanings set out below; where defined here and in the Terms of Service, the Terms of Service definition prevails unless this DPA expressly says otherwise.
- "Customer Personal Data" — Personal Data that Broby processes on the Customer's behalf in connection with the Service, including: voice recordings of consultations; clinical notes and SOAP records; pet owner contact details (when entered by the Customer); Authorised User account information used in the course of clinical work.
- "Data Controller", "Data Intermediary" — as defined in the PDPA-SG.
- "Data Controller", "Data Processor" — as defined in the PDPA-MY (post-2024 amendment).
- "De-identified Data" — data derived from Customer Personal Data from which all direct and indirect identifiers of pet owners and Authorised Users have been irreversibly removed in accordance with the De-identification Standard in Annex D, such that there is no serious possibility of re-identification of any identifiable individual.
- "Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
- "Processing" — any operation performed on Customer Personal Data, including collection, recording, storage, use, disclosure, transmission, and deletion.
- "Standard Contractual Clauses" or "SCCs" — the EU Standard Contractual Clauses adopted by the European Commission and any equivalent contractual clauses approved or recognised by the Personal Data Protection Commission of Singapore ("PDPC") or the Personal Data Protection Commissioner of Malaysia ("PDP MY"), including the ASEAN Model Contractual Clauses ("ASEAN MCCs").
- "Sub-processor" — a third party engaged by Broby to process Customer Personal Data on Broby's behalf.
- "Sensitive Personal Data" — has the meaning given under Section 4 PDPA-MY (as amended), including biometric data such as voice patterns.
1. Roles and Scope
1.1 Roles
For the purposes of this DPA:
- The Customer is the Data Controller of Customer Personal Data.
- Broby is the Data Intermediary under PDPA-SG and the Data Processor under PDPA-MY.
1.2 Subject matter, duration, nature, and purpose of Processing
Broby will process Customer Personal Data:
- Subject matter: Customer Personal Data uploaded to or generated through the Service in the course of veterinary consultations.
- Duration: for the duration of the Subscription Term, plus any retention period set out in this DPA or the Terms of Service.
- Nature and purpose: to deliver the Service to the Customer, including transcription of voice recordings, generation of SOAP note drafts, image analysis, differential-diagnosis suggestions, storage and retrieval of clinical records, related operational support, and (where applicable) the production of De-identified Data per Section 10 — all in accordance with the Customer's instructions.
- Categories of data subjects: Authorised Users (veterinarians, technicians, clinic staff); pet owners (when their contact details or voice are processed via the Service).
- Categories of Personal Data: account and contact information; voice recordings (which constitute Sensitive Personal Data in Malaysia under PDPA-MY s.4); clinical notes and SOAP records; diagnostic image uploads; usage and log data.
2. Customer's Instructions and Warranties
2.1 Documented instructions
Broby will process Customer Personal Data only on the Customer's documented instructions. The Customer's instructions are set out in: (a) this DPA; (b) the Terms of Service; (c) the Order Form; (d) the Customer's use of the Service through its Authorised Users; and (e) any further written instructions given by the Customer.
2.2 Customer warranties
The Customer represents and warrants that:
- It has all necessary rights, lawful basis, and consents required under PDPA-SG, PDPA-MY, and any other applicable law to provide Customer Personal Data to Broby for Processing under this DPA, including consents specifically required for Sensitive Personal Data (such as voice biometric data in Malaysia under PDPA-MY s.40);
- It has provided all required notices to data subjects (including pet owners and Authorised Users) about the Processing carried out through the Service;
- Its Processing instructions to Broby comply with applicable law and the relevant veterinary professional codes (including the Singapore Veterinary Association's Code of Ethics for Veterinarians, the Animal & Veterinary Service requirements in Singapore, the Malaysian Veterinary Council's Veterinary Surgeons (Guide to Professional Conduct and Ethics) 2015, and the Veterinary Surgeons Act 1974 (Malaysia)); and
- It will respond to data subject requests, regulator inquiries, and other communications in respect of Customer Personal Data as required by applicable law.
2.3 Notice of unlawful instruction
Broby will notify the Customer if, in Broby's reasonable opinion, an instruction infringes applicable data protection law. Broby may suspend the Processing concerned (without liability to the Customer) until the instruction is amended or confirmed.
3. Broby's Obligations
3.1 Compliance with Customer's instructions
Broby will process Customer Personal Data only on the Customer's documented instructions (which include, for the avoidance of doubt, processing for the purpose of producing De-identified Data as set out in Section 10), except where Broby is required to do otherwise by law, in which case Broby will (where lawful) inform the Customer before Processing.
3.2 Confidentiality of personnel
Broby will ensure that personnel authorised to process Customer Personal Data are bound by appropriate written confidentiality obligations, which obligations survive the termination of the personnel's engagement with Broby.
3.3 Security measures
Broby will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against Personal Data Breach, as set out in Annex B. Broby will keep Annex B under review and may update it from time to time; any update will maintain or improve the level of security commensurate with industry-standard practice for B2B SaaS providers in healthcare-adjacent sectors.
3.4 Cooperation with regulators
Broby will cooperate with the PDPC, PDP MY, and any other competent supervisory authority in the performance of this DPA, to the extent required by applicable law.
3.5 Records of Processing
Broby will maintain a written record of its Processing activities in respect of Customer Personal Data, as required by PDPA-SG, PDPA-MY (post-2024 amendment), and PDPC's Guide to Accountability. On the Customer's reasonable written request (or on a competent regulator's request), Broby will make relevant extracts of those records available to the Customer or the regulator, subject to confidentiality.
4. Sub-processors
4.1 General authorisation
The Customer authorises Broby to engage Sub-processors to process Customer Personal Data on the terms of this DPA, including the Sub-processors listed in Annex A.
4.2 Sub-processor terms
Broby will impose on each Sub-processor written data protection obligations no less protective than those set out in this DPA, commercially reasonable for the Sub-processor's role and the nature of Customer Personal Data the Sub-processor will process (recognising that for some hyperscale infrastructure Sub-processors, those obligations are auto-incorporated through the Sub-processor's standard service terms and standard data-processing addendum).
4.3 New Sub-processors and right to object
Broby will give the Customer's admin contact at least 30 days' written notice before engaging any new Sub-processor that processes Customer Personal Data, except where a shorter period is required to address a security or operational emergency. The Customer may object to a new Sub-processor on reasonable data-protection grounds within 30 days of notice. If the Customer objects and the parties cannot agree a resolution within a further 30 days, the Customer may terminate the affected portion of the Service on written notice with a pro-rata refund of unused prepaid fees.
4.4 Sub-processor list maintained
The Sub-processor list (Annex A) will be kept current. The most recent version is available on request from the DPO contact in Section 15 below and is intended to be made available at brobyvets.com/subprocessors when published.
4.5 Liability for Sub-processors
Broby remains responsible to the Customer for the acts and omissions of its Sub-processors to the same extent that Broby is responsible for its own acts and omissions under this DPA. For the avoidance of doubt, Broby's aggregate liability for the acts and omissions of its Sub-processors is subject to the caps and carve-outs in Section 12 of the Terms of Service.
5. Data Subject Rights Cooperation
5.1 Customer responsibility
The Customer is responsible for responding to data subject requests (including access, correction, withdrawal of consent, data portability under PDPA-MY, and any other rights under PDPA-SG, PDPA-MY, or other applicable law).
5.2 Broby assistance
Broby will provide reasonable assistance to the Customer (taking into account the nature of the Processing and the information available to Broby) to enable the Customer to respond to data subject requests within the timeframes required by applicable law (30 days for SG; 21 days for MY). If a data subject contacts Broby directly with a request relating to Customer Personal Data, Broby will (where reasonably possible) forward the request to the Customer without delay.
6. Personal Data Breach
6.1 Notification to Customer
Broby will notify the Customer without undue delay (and in any case within 24 hours) of becoming aware of a confirmed or reasonably suspected Personal Data Breach affecting Customer Personal Data.
6.2 Information provided
Broby's notification will include (to the extent reasonably available at the time):
- A description of the nature of the Personal Data Breach;
- The categories and approximate number of data subjects and records affected;
- The likely consequences of the Personal Data Breach;
- Measures taken or proposed to address the Personal Data Breach and mitigate its effects.
Broby will provide further information as it becomes available, in stages where necessary.
6.3 Customer's notification obligations
The Customer is responsible for notifying the PDPC, PDP MY, affected data subjects, and any other competent authority as required by applicable law, including: (a) in Singapore, PDPA-SG s.26C / s.26D and the Personal Data Protection (Notification of Data Breaches) Regulations 2021; and (b) in Malaysia, section 12B of Act 709 (as inserted by Act A1727) as the binding statutory source, read together with the Personal Data Breach Notification Guidelines, Version 1.0 (25 February 2025) and Commissioner's Circular No. 2/2025 as operational guidance.
6.4 Cooperation
Broby will cooperate with the Customer in good faith in connection with the investigation, mitigation, and (where applicable) notification of a Personal Data Breach.
7. Data Protection Impact Assessments
Broby will provide the Customer with reasonable assistance (taking into account the nature of the Processing and the information available to Broby) with any data protection impact assessment, prior consultation with a regulator, or similar exercise required by applicable law in connection with the Processing.
8. International Data Transfers
8.1 Authorised transfers
The Customer authorises Broby to transfer Customer Personal Data outside Singapore and Malaysia to the extent necessary to deliver the Service through the Sub-processors listed in Annex A. The principal recipient countries are set out in Annex A.
8.2 Singapore transfers (PDPA-SG s.26)
For transfers from Singapore, Broby relies on Section 26 PDPA-SG safeguards. Each Sub-processor is bound by enforceable contractual obligations of a comparable standard to PDPA-SG, in line with Personal Data Protection Regulations 2021 reg.10. Where a Sub-processor is also subject to the EU GDPR, the relevant EU SCCs apply. Where ASEAN MCCs are available with the Sub-processor, Broby will use them in line with the PDPC's Guidance for Use of ASEAN MCCs in Singapore.
8.3 Malaysia transfers (PDPA-MY s.129)
For transfers from Malaysia, Broby relies on Section 129(3)(f) PDPA-MY safeguards (reasonable precautions and due diligence) as set out in the Cross-Border Personal Data Transfer Guidelines, Version 1.0, dated 29 April 2025, comprising (a) the Customer's authorisation under §8.1 above (which constitutes the documented basis for the transfer); (b) reasonable precautions and due diligence evidenced by contractual clauses with each Sub-processor; and (c) where required, a Transfer Impact Assessment which Broby will document and refresh at least every three years.
8.4 Sensitive Personal Data — Malaysia
Where Customer Personal Data includes Sensitive Personal Data (in particular, voice biometric data captured in Malaysian consultations), the Customer is responsible for obtaining the explicit consent required under PDPA-MY s.40 from each affected data subject before initiating the Processing.
9. Audits and Inspections
9.1 Audit reports
On the Customer's reasonable written request, no more than once per twelve-month period, Broby will provide the Customer with a then-current copy of Broby's SOC 2 Type II report (when available) or, where such a report is not available, complete a reasonable customer-supplied security questionnaire — in each case subject to confidentiality and reasonable scoping.
9.2 On-site audits
Where the Customer reasonably requires further audit information beyond what is available under §9.1 (for example, in response to a regulator-initiated request, or where the Customer reasonably believes a Personal Data Breach has occurred), Broby will permit a focused, on-site audit by the Customer or its independent third-party auditor, subject to: (a) at least 30 days' prior written notice; (b) execution of a confidentiality agreement; (c) conduct during normal Singapore business hours and in a manner that does not unreasonably disrupt Broby's operations; (d) the Customer's agreement to bear Broby's reasonable costs of cooperation; and (e) the auditor not being a competitor of Broby.
9.3 Frequency
Audits under §9.2 are limited to once per twelve-month period unless required by a competent regulator.
10. De-identified Data
This Section 10 is the keystone provision governing De-identified Data. The substantive parameters of Broby's rights to De-identified Data are also set out (in summary form) in the Terms of Service §7.3. In the event of a conflict between this Section 10 and the Terms of Service §7.3, this Section 10 prevails.
10.1 De-identification standard
Where Broby de-identifies Customer Personal Data, the de-identification will be performed in accordance with the De-identification Standard set out in Annex D, which incorporates the U.S. Department of Health and Human Services HIPAA Safe Harbor methodology (45 CFR §164.514(b)(2)) and a k-anonymity threshold of at least 5 for any combination of quasi-identifiers in De-identified Data made available to third parties. Broby may update Annex D from time to time, provided no update reduces the strength of the de-identification standard.
10.2 Status of De-identified Data
The parties agree that, once data has been de-identified in accordance with §10.1 and Annex D, it ceases to be Personal Data under PDPA-SG and PDPA-MY (consistent with the PDPC's Guide to Basic Anonymisation) and falls outside the scope of this DPA except as expressly set out in this Section 10.
10.2A Plain-language summary
Plain-language summary of this licence. This summary explains, in plain language, why the four-word licence in §10.3 is structured as it is. It does not vary or limit any of the substantive obligations in §10.1, §10.3, §10.5, §10.6, §10.7, or Annex D.
What the licence covers. Once Customer Personal Data has been de-identified to the standard set out in Annex D (HIPAA Safe Harbor + k-anonymity ≥ 5 + motivated-intruder risk assessment), it is no longer Personal Data and cannot trace back to any pet owner, Veterinarian, clinic staff member, or other Authorised User. The licence in §10.3 lets Broby use the de-identified product to (a) train and improve the Service and Broby's machine-learning models, (b) generate aggregated benchmarks and research insights, (c) participate in public-health, regulatory, surveillance, and One Health partnerships, (d) conduct and publish veterinary research, and (e) license to animal-health, veterinary, life-sciences, and pharmaceutical organisations under contracts that prohibit re-identification.
Why "perpetual". Once an anonymised dataset is incorporated into a trained AI model, the model cannot be un-trained on that data. The licence therefore has to outlast termination of this DPA for the data already incorporated — without that survival, Broby could not rely on its own datasets for ongoing model performance.
Why "irrevocable", "royalty-free", "worldwide", and "sublicensable". These are standard SaaS data-improvement terms. They are needed so that Broby can plan around the dataset for model improvement and for contracts with animal-health and pharma research partners under §10.3(e). Without "sublicensable", Broby could not enter the research-partner contracts contemplated in §10.3(e).
What Broby will never do. Broby will not attempt to re-identify De-identified Data and will contractually require the same promise from every recipient (§10.5).
What stays in the Customer's control.
- The Customer can opt out at any time for future data by giving written notice to the DPO (§10.6); the opt-out takes effect within 30 days of receipt and applies prospectively across all of the Customer's Authorised Users and Clinics.
- The de-identification standard in Annex D cannot be weakened by Broby (§10.1, Annex D.3).
- Voice recordings are not included in De-identified Data made available to third parties (Annex D.1(c)).
10.3 Licence to Broby
The Customer grants Broby a perpetual, irrevocable, royalty-free, worldwide, sublicensable licence to use De-identified Data for any lawful purpose, including without limitation:
(a) developing, training, evaluating, and improving Broby's current and future products, services, machine-learning models, and AI features; (b) generating aggregated analytics, benchmarks, statistics, and research insights; (c) participating in public health, regulatory, surveillance, and One Health partnerships; (d) conducting and publishing veterinary research; and (e) licensing De-identified Data, alone or combined with other data, to third parties — including animal-health, veterinary, life-sciences, and pharmaceutical organisations — for purposes including: (i) animal-health, veterinary, or zoonotic-disease research; (ii) regulatory analytics and public-health surveillance; (iii) academic research and publication; (iv) development and improvement of veterinary or animal-health products and services; and (v) related research, analytics, and product-development purposes consistent with (i)-(iv).
10.4 Customer benefit
Broby may, at its discretion, make aggregated benchmarking and insights derived from De-identified Data available to the Customer through the Service or as a separate offering. The Customer may use any such benchmarking or insights it receives from Broby in connection with the Customer's veterinary practice.
10.5 No re-identification
Broby will not attempt, and will require by written agreement that any third party to whom Broby licenses or sublicenses De-identified Data will not attempt, to re-identify De-identified Data or to combine De-identified Data with other data sets in a manner that creates a serious possibility of re-identification. Broby will include a no-re-identification flow-down obligation in each licence or sublicence of De-identified Data to a third party.
10.6 Customer opt-out
The Customer may opt out of having its Customer Personal Data de-identified for use under this Section 10 by giving written notice to Broby's DPO at the address in Section 15. The opt-out will take effect within 30 days of Broby's receipt of the notice and will apply prospectively to Customer Personal Data created or received after the effective date of the opt-out, across all of the Customer's Authorised Users and Clinics. An opt-out does not affect De-identified Data already incorporated into Broby's datasets prior to the effective date of the opt-out (which Broby may continue to use under the licence in §10.3).
10.7 Survival
The licence in §10.3 and Broby's rights to De-identified Data already incorporated into Broby's datasets survive termination or expiration of this DPA, the Terms of Service, and any Order Form. This provision is a material term and the Customer acknowledges that without it Broby would not enter into the Terms of Service or this DPA.
11. Return or Destruction of Customer Personal Data
11.1 On termination
On termination or expiration of the Subscription Term:
- The Customer may, within 30 days of termination, request that Broby return Customer Personal Data in a commonly used machine-readable format (such as CSV or JSON) or destroy it. Where the Customer makes no such request within 30 days, Broby may destroy the Customer Personal Data.
- Broby will complete return or destruction within 90 days of termination, except for backups (which will be deleted in accordance with Broby's standard rolling-deletion schedule, no later than 30 days after the production deletion).
11.2 De-identified Data carve-out
For the avoidance of doubt, Broby is not required to return or destroy De-identified Data produced by Broby in the ordinary course of operating the Service prior to the effective date of termination. The licence in §10.3 continues in respect of such De-identified Data.
11.3 Legal retention
Where Broby is required by law to retain Customer Personal Data beyond the periods set out in §11.1, it will continue to apply the security measures in §3.3 and Annex B for the duration of any such retention.
11.4 Certification
On the Customer's written request, Broby will provide written confirmation of completion of return or destruction within 14 days of completion.
12. Term and Survival
12.1 Term
This DPA takes effect on the Effective Date set out at the top and continues for as long as Broby processes Customer Personal Data on the Customer's behalf.
12.2 Survival
Sections 0 (Definitions), 2.2 (Customer warranties), 3.2 (in respect of personnel confidentiality), 3.5 (in respect of records relating to the term), 6 (in respect of Personal Data Breaches occurring during the term), 9 (in respect of audits relating to the term), 10 (De-identified Data), 11 (Return or destruction), 12 (Term and survival), 13 (Liability), 14 (Governing Law), and 15 (Contact) survive termination or expiration of this DPA.
13. Liability
The liability of each party under or in connection with this DPA is subject to, and forms part of, the limitations and exclusions in Section 12 of the Terms of Service. For the avoidance of doubt, breaches of data protection obligations under this DPA are subject to the increased cap set out in Section 12.3 of the Terms of Service.
14. Governing Law
This DPA is governed by the laws of Singapore. The dispute resolution provisions in Section 18 of the Terms of Service apply.
15. Data Protection Officer Contact
For all matters under this DPA, including data subject right requests forwarded by Broby, Personal Data Breach notifications, opt-out notices under §10.6, and audit requests under §9:
- Data Protection Officer: Caleb Yap Keane Yang
- Email: calebyky@gmail.com (DPO email registered with PDPC)
- Phone: +65 8825 5472
- Postal address: Broby Pte. Ltd., 68 Circular Road #02-01, Singapore 049422
Annex A — Sub-processors
Broby engages the following Sub-processors to process Customer Personal Data on the terms of this DPA. The current version of this list is also available on request from the DPO contact in Section 15.
| Sub-processor | Role | Region of processing |
|---|---|---|
| Anthropic, PBC (United States) | Claude AI models — radiology image analysis, differential diagnosis reasoning, transcript correction, agent reasoning | United States |
| OpenAI, L.L.C. (United States) | GPT-4 family — clinical text extraction, summarisation, classification, template parsing, radiology fallback | United States |
| A*STAR Institute for Infocomm Research (Singapore) | MERaLiON speech-recognition model — transcription (primary) | Singapore |
| Deepgram, Inc. (United States or EU) | Speech-recognition fallback | United States / EU |
| SenseVoice / FunAudioLLM (Alibaba open-weights model) | Cantonese speech-recognition fallback | Self-hosted on Broby infrastructure |
| Stripe Payments Singapore Pte. Ltd. and Stripe, Inc. | Subscription billing and payment processing | Singapore + United States |
| Functional Software, Inc. d/b/a Sentry (United States) | Application error monitoring | United States |
| Railway Corp. (United States) | Backend application hosting, managed PostgreSQL database, managed Redis cache, and object storage for audio, transcripts, and uploaded images | United States (current); migration to Singapore region planned |
Each Sub-processor is bound by a written data-processing agreement (or equivalent contractual obligations auto-incorporated through the Sub-processor's standard service terms) requiring it to process Customer Personal Data only on Broby's instructions and to apply security measures of a comparable standard to those set out in Annex B.
Annex B — Security Measures
Broby implements the following technical and organisational measures to protect Customer Personal Data:
Encryption
- Encryption in transit (TLS 1.2 or higher; TLS 1.3 where supported)
- Encryption at rest as configured by Broby's managed-infrastructure provider (Railway), which encrypts all customer data at rest by default
Access controls
- Role-based access controls limiting access to authorised personnel
- Authentication via JSON Web Tokens (JWT) with regular refresh
- Bcrypt-hashed passwords (no plain-text credential storage)
- Audit logging for sensitive operations
Operational security
- Server-side data scrubbing for error monitoring (Sentry) before any potentially sensitive content reaches the monitoring service
- Regular review of security configurations and infrastructure
- Personnel confidentiality obligations
- Secure software development practices
Planned controls (to be implemented per Broby's security roadmap)
- Multi-factor authentication for administrative accounts
- SOC 2 Type II certification
- Annual penetration testing by an independent third party
- Formal incident response runbook drills
Broby will update this Annex from time to time as security measures evolve, provided that any such update will maintain or improve the level of security commensurate with industry-standard practice for B2B SaaS providers in healthcare-adjacent sectors.
Annex C — Description of Processing
| Item | Description |
|---|---|
| Subject matter | Personal Data uploaded to or generated through the Service in the course of veterinary consultations |
| Duration | Subscription Term + retention periods set out in §11 of this DPA and in the Privacy Policy §9 |
| Nature | Voice recording, transcription, AI-assisted document drafting, image analysis, differential-diagnosis reasoning, structured clinical record storage, support and operational functions |
| Purpose | To deliver the Service to the Customer in accordance with the Customer's instructions and the Terms of Service |
| Categories of data subjects | Authorised Users (veterinarians and clinic staff); pet owners (where their contact details or voice are processed via the Service) |
| Categories of Personal Data | Account/contact information; voice recordings (Sensitive Personal Data in Malaysia under PDPA-MY s.4); clinical notes and SOAP records; diagnostic image uploads; usage and log data; billing-contact information passed to Stripe |
| Sensitive Personal Data flag | Yes — voice biometric data in Malaysia (PDPA-MY s.4 + s.40) |
Annex D — De-identification Standard
The De-identification Standard governs the methodology by which Broby produces De-identified Data from Customer Personal Data.
D.1 Methodology
Broby applies the methodology set out in this Annex to remove direct and indirect identifiers from Customer Personal Data such that there is no serious possibility of re-identification of any identifiable individual, consistent with the PDPC's Guide to Basic Anonymisation (updated 24 July 2024).
The methodology incorporates:
(a) HIPAA Safe Harbor (45 CFR §164.514(b)(2)) as the contractual benchmark — the following identifiers (where present) are removed or transformed before any data leaves the Customer's logical scope:
- Names
- Geographic subdivisions smaller than a state (postal codes generalised to first two digits)
- All elements of dates (other than year) directly related to an individual; ages over 89 generalised to a single category
- Telephone numbers
- Vehicle identifiers and serial numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web URLs
- Social security / national identification numbers (e.g., NRIC, MyKad)
- Internet Protocol (IP) addresses
- Medical record numbers
- Biometric identifiers (including voiceprints used as identifiers, where extractable)
- Health plan beneficiary numbers
- Full-face photographs and comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code
- Certificate / licence numbers
(b) K-anonymity ≥ 5 — for any De-identified Data made available to third parties (including under the licence in §10.3(e)), Broby will apply a k-anonymity threshold of at least 5: no combination of quasi-identifiers (such as species, breed, age band, geographic district, and consultation date generalised to week) will identify fewer than 5 records in the data set. Before any external release of De-identified Data, Broby will assess re-identification risk against a motivated-intruder model — that is, taking into account the likely motivation, resources, and capabilities of a third party who might attempt re-identification — consistent with the PDPC's Guide to Basic Anonymisation.
(c) Voice biometric handling — voice recordings are not included in De-identified Data made available to third parties. Where transcripts derived from voice recordings are used, the transcripts are stripped of identifiers and quasi-identifiers per the above before inclusion.
(d) No re-identification — Broby will not attempt, and will contractually prohibit any third-party recipient from attempting, to re-identify De-identified Data or to combine it with other data sets in a manner that creates a serious possibility of re-identification.
D.2 Documentation
Broby maintains internal documentation of the de-identification methodology, including the specific transformations applied to each identifier category and the k-anonymity threshold enforcement logic. This documentation is available to the Customer on reasonable request, subject to confidentiality.
D.3 Updates
Broby may update this Annex D from time to time to reflect evolving de-identification best practice, regulator guidance, or technical improvements, provided that no update reduces the strength of the de-identification standard.
A Bahasa Malaysia translation of this DPA will be made available before the first Malaysian Customer is onboarded, in compliance with Section 7(3) PDPA-MY where this DPA includes personal-data notice content.
