ConfidentialityPolicy

1. Purpose

This Confidentiality Policy (“Policy”) sets out the principles that govern the handling of confidential information by The Wake Up Movement, S.L. (trading as Dcycle, the “Company”) and all persons who have access to such information, including employees, contractors, partners, and customers.

This Policy is a high-level statement of Dcycle’s confidentiality principles. The binding confidentiality obligations between Dcycle and a counterparty are those set out in the applicable instrument: the Platform Terms and Conditions (Section 8), any executed Non-Disclosure Agreement, and – for personal data – the Data Processing Agreement. In the event of any conflict, those instruments prevail over this Policy.

Dcycle maintains the highest standards of information security. As an organisation certified to ISO/IEC 27001:2022 by TÜV Rheinland, confidentiality is a core pillar of our information security management system.

2. Definition of Confidential Information

“Confidential Information” means any information, regardless of format or medium, that:

• Is designated as confidential by the disclosing party.
• Is of a nature that a reasonable person would understand to be confidential given the circumstances of disclosure.
• Includes, without limitation: business plans, financial data, technical specifications, software code, customer lists, pricing information, personal data, non-financial datasets (including ESG and sustainability data), and trade secrets.

3. Obligations

All parties who have access to Confidential Information agree to:

• Protect: use the same degree of care to protect Confidential Information as they use for their own confidential information, and no less than reasonable care.
• Restrict access: disclose Confidential Information only to those individuals who have a legitimate need to know and who are bound by equivalent confidentiality obligations.
• Use limitations: use Confidential Information solely for the purpose for which it was disclosed and for no other purpose, including competitive advantage.
• No reverse engineering: not attempt to reverse engineer, decompile, or otherwise derive the source of any confidential technical information.
• Notify breaches: promptly notify the disclosing party of any actual or suspected unauthorised disclosure or use of Confidential Information.

4. Exceptions

Confidentiality obligations do not apply to information that:

• Is or becomes publicly available through no breach of this Policy.
• Was already known to the receiving party at the time of disclosure, as evidenced by written records.
• Is independently developed by the receiving party without use of or reference to the Confidential Information.
• Is received from a third party who is free to disclose it without restriction.
• Is required to be disclosed by applicable law, court order, or regulatory authority, provided the receiving party gives prompt written notice to the disclosing party (where legally permitted) so that the disclosing party may seek a protective order.

5. Duration

Confidentiality obligations under this Policy apply:

• During the relationship: for the full duration of any agreement between the parties.
• After termination: for a period of three (3) years following termination or expiry of the relationship, consistent with Section 8 of the Platform Terms and Conditions, unless a specific agreement stipulates a longer period.
• Personal data: obligations regarding the confidentiality of personal data are governed by our Privacy Policy and the Data Processing Agreement, in accordance with applicable data protection law, without time limitation.

6. Return or Destruction of Information

Upon termination of the relationship or at the request of the disclosing party, the receiving party agrees to promptly return or securely destroy all Confidential Information in its possession, and to certify in writing that it has done so.

7. Customer Data

Dcycle processes Customer Data (including non-financial data such as ESG and sustainability metrics) exclusively to provide the contracted Services, in accordance with the Data Processing Agreement. Dcycle personnel access Customer Data only where strictly necessary for service delivery, support, or system maintenance, and always subject to internal access controls and confidentiality obligations.

8. Employee and Contractor Obligations

All Dcycle employees, contractors, and collaborators are bound by confidentiality obligations as a condition of their engagement. These obligations extend to all information accessed during and after their relationship with Dcycle.

9. Data Security Measures

Dcycle implements appropriate technical and organisational measures to protect confidential information, including: encryption of data in transit (TLS) and at rest (AES-256); role-based access control on a least-privilege basis; multi-factor authentication for access to production systems; periodic security training for all personnel; regular penetration testing and security audits; and incident response and breach notification procedures. These measures form part of Dcycle’s ISO/IEC 27001:2022 information security management system.

10. Consequences of Breach

Unauthorised disclosure or misuse of Confidential Information may result in: termination of the commercial or employment relationship; civil and/or criminal liability under applicable law; and claims for damages arising from the breach.

11. Governing Law

This Policy is governed by the laws of Spain. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Madrid, Spain.

12. Contact

For any questions regarding confidentiality or to report a suspected breach:

The Wake Up Movement, S.L. (trading as Dcycle) Email: security@dcycle.io · Trust Center: security.dcycle.io