
TRUST CENTER


Physical Security

The physical security requirements, roles and responsibilities, as well as the security areas and controls to be implemented and maintained, are defined in the Physical and Environmental Security Standard.

There are four physical security levels, which are based on the type of information, assets, processes, and services managed within office areas.

Each security area has adequate physical security controls such as access control systems, CCTV surveillance, and environmental protection to safeguard information and other assets.

Access rights to security areas are provided based on the "need to know" and "least privilege" principles, and are reviewed, withdrawn, and audited accordingly. Rules have been defined for issuing, wearing, and returning physical access cards, as well as managing physical keys. Turnstiles, automated doors, or other physical barriers are in place and may only be passed with an access card and the corresponding access rights.

Specific instructions to provide visitors with access and accompany them in designated areas have been defined as well. An access log of visitors is kept in each location.

Physical security measures are implemented to prevent or mitigate damage by fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disasters. The standard also covers security aspects regarding external areas, delivery and loading areas, and discontinued offices.

People Security

People-related processes (e.g. onboarding, assignment of responsibilities, disciplinary processes, remote working, and offboarding, etc.) must also integrate corporate security controls, in accordance with applicable legislation, as defined in the HR Security Standard.

Security responsibilities set out in corporate security policies and standards are communicated by Corporate Security to the target audience. Contractual agreements must also include responsibilities related to confidentiality, non-disclosure, and intellectual property rights. Security responsibilities that remain after work hours, during remote working, and after the end of collaboration must also be communicated and acknowledged.

Security training courses and awareness campaigns are planned with the aim of informing the staff about the requirements and expectations related to security, the main threats and risks, while indicating the best ways to avoid, mitigate and report them to preserve the organization’s security posture.

Security courses are mandatory for all employees, with a renewal cycle of 3 years. This training is hosted on the organization’s corporate Learning Management System, managed by a dedicated team. Awareness campaigns are launched through a dedicated platform on a bimonthly basis, covering various interactive activities that deal with the main threats and risks (phishing, social media, secure passwords, remote working, etc.), helping staff stay alert, and providing them with ways to deal with such situations.

Completion rates are monitored by Corporate Security, striving to achieve set objectives, and following up whenever necessary to engage staff in fulfilling the activities.

Trust Center Syntphony

The main objective of the Trust Center Syntphony is to provide detailed information about the high levels of security and compliance present in its various Syntphony products. This Trust Center aims to ensure and transparently present that all offered solutions are always aligned with the main market standards, providing customers with the peace of mind that their information is protected and in compliance with current regulations.

At the Trust Center Syntphony, you will find a wide range of resources and documentation that demonstrate NTT DATA's commitment to information security and data privacy. Among the main highlights are:

  • Security Certifications: Information about the certifications obtained by NTT, which prove adherence to the most rigorous international security standards.

  • Privacy Policies: Details about the policies implemented to ensure the protection of users' personal data.

  • Regulatory Compliance: Documentation that evidences compliance with the main regulations and data protection laws, such as GDPR, among others.

The Trust Center Syntphony is a reflection of NTT's ongoing commitment to providing secure, reliable technological solutions that comply with the highest market standards. Explore our Trust Center and discover how NTT is working to protect your information and ensure compliance in all aspects.

Security Risk Management

The security risk framework, explained in the Security Risk Management Standard for NTT DATA EMEAL, defines the roles and responsibilities of all actors involved in risk management, and describes the various risk approaches and risk governance instances.

The steps for systematic risk management such as establishing the context, identifying and evaluating risks, treating risks, communicating, and reviewing are outlined based on the ISO 27005 standard.

The approach to security risk management is oriented both to protecting work tools and products and to ensuring business objectives. Two security risk dimensions are therefore highlighted: asset-based risk assessment and operational risk assessment.

Risk governing bodies at strategic and operational levels, and the communication and escalation mechanisms for risk owners and committees are also defined.

Risk treatment measures are implemented to maintain the risk levels below the established risk appetite set by the Top Management, and monitoring actions are carried out to ensure they are completed in due time. Assessments are established to take place at least yearly.

Security Operations & Security Incident Management

Threat intelligence and security monitoring mechanisms and processes are executed to determine the threat landscape as accurately as possible, and feed information into other security processes.

A SIEM/UEBA solution is implemented to centralize data from various log sources, and events are correlated to detect anomalous activity. 24/7 monitoring is performed to spot malicious events and facilitate incident response.

Resources are allocated to manage security incidents throughout their lifecycle, including a dedicated Security Incident Response Team, dedicated SOC, and associated processes and tools. Internal and external communication procedures are activated to keep relevant stakeholders informed.

Evidence resulting from security incident investigation and handling actions is securely stored and preserved in accordance with applicable requirements.

Collaboration channels with various area experts within the business and, when necessary, external partners, are maintained for proper and effective response.

Fallback plans are defined and activated in case planned eradication and recovery take an unexpected turn.

Vulnerability management processes and technologies are implemented to enable the identification, analysis, and categorization of vulnerabilities across the infrastructure, and communication to relevant roles for remediation. Patching requirements are also defined, considering the criticality of vulnerabilities identified.

Identity and Access Management

The roles and responsibilities related to identity and access management are defined for Corporate Security, System Administrator, System Owners and End Users in the Identity and Access Management Standard.

Security requirements for end user accounts, privileged user accounts, break-glass user accounts and service/application accounts are also established, including aspects such as account differentiation, uniqueness, traceability, validity, access rights, lockout policy, deactivation and deletion.

Access to corporate resources is only allowed via encrypted communication channels with multi-factor authentication. The standard also lists the accepted authentication methods, such as password, PIN and biometric factors. The security requirements for password and PIN creation, complexity, expiration and history are defined.

Access rights management processes are guided by the "need to know" and "least privilege" principles.

Privileged accounts and access rights go through a formal request and approval process.

All accounts and access rights are reviewed at least annually to determine if they are still needed or not.

Acceptable Use of Assets

A Standard has been developed to establish the security requirements for the acceptable use of corporate IT assets by all employees and third parties.

It focuses on transparency when it comes to the responsibilities assigned to all Asset Users in complying with the acceptable use rules and reporting security incidents.

IT assets are handed to users to carry out the professional activities required by NTT DATA EMEAL. It is prohibited to use NTT DATA EMEAL IT assets for activities that may violate company policies, laws, or cause damage to the company, its clients, or partners.

IT assets, such as digital devices, user accounts, email and messaging, internet, networks, applications and services, and storage media, are protected at all times.

Requirements for the return of assets are also defined in this Standard.

Breaches of acceptable use rules are to be investigated and, when deemed necessary, disciplinary actions will be taken proportional to the damage caused.

Suppliers Security Management

Security requirements applicable to suppliers and supplier relationship management are defined, implemented and improved continuously in NTT DATA EMEAL.

A security homologation process is implemented to ensure suppliers are assessed and selected taking into consideration the applicable security requirements.

Security requirements applicable to suppliers are captured in contractual agreements, policies, procedures and other authoritative documents.

Risks originating from the supply chain are managed through the corporate security risk management process, and treatment measures are defined to reduce the risk impact on NTT DATA EMEAL’s operations.

Throughout their relationship with NTT DATA EMEAL, suppliers are expected to implement and improve the agreed security controls, and undergo audits as needed.

Assets to which the suppliers have access are handled in accordance with NTT DATA EMEAL’s requirements and returned in accordance with the established ownership.

Security Organizational Model

A governing body has been established to manage information security on all layers – from Corporate to individual Countries: EMEAL Corporate Security.

The team is coordinated by the EMEAL CISO, and has 2 components: the CISO Forum – overseeing security matters in regions and countries; and the Cross-Operations – overseeing Security Governance, Business Security, Business Continuity and Security Operations.

The core of NTT DATA EMEAL Security Posture

NTT DATA EMEAL believes that the core of a strong security posture is formed by its People, so it aims at bringing together bright and competent minds, passionate about security, to develop, implement, monitor, and continuously improve the security measures within the organization.

The security posture is guided by strong security principles, such as the commitment and leadership of the management, security as a comprehensive process, security embedded in the business, resilience to cyberattacks, risk management, awareness and training, matching responsibilities with the right people, regulatory compliance, and continuous improvement.

Secure Software Development

Security requirements are integrated in all software development phases, as defined in the Secure Software Development Lifecycle standard. Approval gateways shall be established between relevant phases, to ensure the expected degree of quality and security.

Software is designed considering good practice security principles, such as security by design, zero trust, fail securely, as well as NTT DATA EMEAL’s security controls. Software must also be designed to reduce vulnerabilities and enhance maintainability and scalability.

Secure development guidelines are implemented and followed, to preserve the security of information. Development environments and source code are protected throughout the entire lifecycle, and access is controlled.

Test environments are controlled, and security code review and testing operations are carried out before release. Test data is carefully selected to be representative for the test scope.

Backup and recovery processes are planned to ensure effective fallback if needed.

Software migrated to the production environment is closely monitored to ensure it’s running properly. Regular maintenance and update activities are performed for current software.

Security Governance Approach

NTT DATA EMEAL aims to bring information security closer and more accessible to its community by continuously fine-tuning the security requirements set in policies, standards, procedures and guidelines. On top of this, it develops and launches periodical security training courses & awareness campaigns to support easier absorption of these requirements and bring the most common and current threats into the spotlight.

The Information Security Policy is at the top of NTT DATA EMEAL’s governance approach. All statements cascade over lower tiers, where security controls take shape in standards, and are further developed in procedures, and guidelines.

These statements and controls reflect the commitment to meet the security requirements and expectations of stakeholders, and safeguard the confidentiality, integrity and availability of information.

They capture the security objectives, which are aligned with the organization's strategic direction and support its goal of leading the technology market by offering high-value services.

The security principles are based on the international standards and good practices related to information security to which the organization adheres.

The key outcomes expected from complying with this policy are a reduction of security incidents and their impact, strengthening of business resistance to cyber-attacks, increased trust from customers and business partners, and demonstration of compliance with applicable legal and regulatory requirements and contractual obligations.

Security

Management Commitment

NTT DATA EMEAL is a consulting and outsourcing company with more than 30 years of experience, positioned in all sectors of the economic field and with a presence in Europe and Latin America. As a regional unit of NTT DATA Inc., the organization demonstrates great capacity for adaptation and transformation.

NTT DATA EMEAL’s Top Management is committed to establishing, implementing, and keeping up to date an Information Security Management System that supports its strategic direction and enables the organization to:

• Satisfy the requirements and expectations of its clients and other stakeholders.

• Comply with the applicable legal, regulatory, and normative requirements.

• Satisfy the requirements of international standards and good practices related to information security to which the organization adheres.

• Safeguard the integrity, availability, and confidentiality of information in order to adequately protect it and ensure business continuity and efficiency.

Through a unique and singular company model, NTT DATA EMEAL seeks to achieve high professional performance.

This commitment responds to the organization’s objective as a company: to lead the technology market by offering high-value services aimed at the strategic and operational improvement of its clients.

Security in IT Operations

Security requirements related to IT Operations are defined and integrated in processes and technologies to protect information at rest, in transit, and in use, and ensure secure configuration of endpoints, networks, and cloud environments.

Endpoints are centrally managed and secured through next-gen malware detection & response, software installation controls, configuration management, and monitoring solutions. Systems are hardened to reduce the attack surface.

Strong authentication mechanisms are enforced, including automatic session termination in case of inactivity.

Corporate networks are protected by strict security mechanisms (e.g., access control, segregation, secure protocols and connection, firewalls, IDS, IPS, etc.). Suspicious connections are filtered. Access to cloud-based environments and services must comply with the identity and access management security requirements, including MFA.

IT resources are regularly backed up to support the continuity of business operations and information security.

Systems are calibrated, maintained, and assessed regularly to ensure their availability, efficiency, and performance. Patch management processes are executed to remediate vulnerabilities.

Encryption controls using industry-accepted parameters are defined, and are implemented in accordance with the applicable legislation, considering the criticality of information and systems as well.

IT assets are managed and tracked throughout their lifecycle, to ensure they remain up-to-date.

Compliance

Certifications and Standards

Industry compliance and certifications reinforce our operational excellence

At NTT DATA, we are committed to attaining top-tier industry accreditations in data center and security, providing our valued commercial clients with unwavering confidence in the security of their mission-critical IT systems hosted within our state-of-the-art colocation facilities.

When the time comes for your crucial audits and accreditation procedures, we stand prepared to support you with exclusive facility tours and interviews featuring our team of seasoned experts in IT security and physical security.

Explore our comprehensive list of certifications across various NTT DATA geographies, showcasing our dedication to maintaining the highest standards in the industry.

The certifications and regulations for the NTT DATA Syntphony assets are listed below:

GDPR

NTT DATA Syntphony assets comply with the General Data Protection Regulation (GDPR), which regulates the processing of personal data of individuals within the European Union (EU).

HIPAA Security Rule

The HIPAA Security Rule of 2003 requires covered entities to implement or address over 50 administrative, physical, and technical safeguards designed to ensure the confidentiality, availability, and integrity of electronic protected health information (ePHI), including the prevention of unauthorized access to ePHI.

ISO 27001

ISO 27001 is an international standard outlining best practices for an information security management system (ISMS), which is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization's information risk management processes.

Conversational AI Agents

Component Introduction

SYNTPHONY CONVERSATIONAL AI is a solution developed by NTT DATA SPAIN S.L.U., belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA), and designed for creating and managing virtual agents. It uses artificial intelligence with Generative AI to understand and deliver hyper-personalized responses to users. Our tool is developed considering efficiency, security and compliance with data protection regulations. To learn more, explore our webpage Syntphony.

Main Features:

  • Improved Customer Experience.

  • Personalized Brand Engagement.

  • Reduced Operational Costs.

Syntphony Beyond Net Zero

Product Introduction

Syntphony Beyond Net Zero is designed to seamlessly collect, calculate, and report sustainability data, empowering organizations to seize sustainability opportunities and mitigate risks effectively, while ensuring compliance. To learn more, explore our webpage Syntphony.

Customer Support Policy

Syntphony wants harmony in your business. To achieve that, our Customer Support Policy provides scalable and flexible services built with your business needs at its core. Choose the service that sounds right for your organization and find its perfect rhythm with Value-Add Services.

Customer Support Plans:

  • Standard: Standard plan is included for all Syntphony customers.

  • Advanced: Minimum recommended tier if you have production workloads.

  • Premier: Recommended if you have production and/or business critical workloads with fast response times and additional services to optimize your support experience.

  • Platinum: Designed for enterprises with critical workloads, with the fastest response time, and dedicated Technical Account Manager.

Technical Account Manager

In a business environment, a Technical Account Manager (TAM) service is often the primary point of contact for clients. They are responsible for understanding the client's business needs and coordinating with the company's technical team to ensure those needs are met. TAMs also monitor the client's usage of the product or service to identify opportunities for improvement or additional support.

  • Service conditions: Only available for PLATINUM plan. Available during business days.

  • Service agreement: Dedicated hours depending on agreement.


Industry Cloud

Component Introduction

Syntphony Industry Cloud accelerates sector-specific transformation through cloud-native, prebuilt components, bringing agility, composability and control to regulated industries where customisation, compliance and scalability are essential to competitive growth. To learn more, explore our webpage Syntphony.

Syntphony Autonomous Supply Chain

Product Introduction

Autonomous Supply Chain is a solution developed by NTT DATA SPAIN S.L.U. belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA) and designed to automate decisions that are made cognitively. Our tool is developed considering efficiency, security and compliance with the data protection regulations. To learn more, explore our webpage Syntphony.

Main Features:

- Multi-agent system.

- Customizable according to the client's needs.

AI Factory

Component Introduction

Syntphony AI Factory operationalises Generative AI with prebuilt use cases, private LLMs and modular architecture, accelerating deployment, reducing complexity and ensuring secure, enterprise-grade scalability and governance by design. To learn more, explore our webpage Syntphony.

Natural Capital

Component Introduction

Syntphony Natural Capital is a digital tool that enables organizations to assess, value and manage their interactions with nature, supporting nature-positive strategies, regulatory alignment and science-based decisions through geospatial data and recognized sustainability frameworks. To learn more, explore our webpage Syntphony.

Syntphony AI

Product Introduction

Syntphony AI provides you with a common data layer and data management capabilities to build the foundation of your Data & AI platform, including technical capabilities, Gen AI features and packaged modules like Conversational AI Agents or intelligent search, which you can mix and match and deploy into production to accelerate the most common vertical use cases. To learn more, explore our webpage Syntphony.

Business Continuity Approach

NTT DATA EMEAL’s business continuity framework is directed by the Business Continuity & Crisis Management Policy, and it covers key elements such as business processes, people, facilities, IT infrastructure and services, operations in scope of customer contracts, and security certifications.

The policy is based on the commitment of the top management to invest in and promote BC & CM within the organization, following industry good practices, ensuring the protection and safety of people, identifying and managing risks, defining and testing business continuity plans (BCPs), and reporting on the effectiveness of the BCMS.

Crisis Committees, comprised of relevant stakeholders and expert support roles from the business and support areas, shall be formed to navigate through disasters that may occur or to escalate to executives when their involvement is required.

The Business Continuity & Crisis Management framework supports the organization in:

  • Providing the business operations after a significant disruption with the least possible impact

  • Managing the resilience and recovery of business processes within the organization

  • Implementing the required strategies to recover the critical functions

  • Providing the tools and means for guaranteed and effective communication during crisis

Carbon Calculator

Component Introduction

End-to-end carbon footprint calculation for devices, applications, cloud, data centres, networks and Real Estate, based on real-time data. Corporate carbon emissions reporting. To learn more, explore our webpage Syntphony.

Secure Data Deletion

NTT DATA’s data deletion process is designed to ensure the secure and effective removal of sensitive and confidential information. Key guidelines include:

  • Data Classification: Prior to deletion, information is assessed for sensitivity to determine appropriate deletion methods.

  • Deletion Methods: Techniques such as data overwriting and physical destruction of media are employed to ensure irrecoverability.

  • Regulatory Compliance: Deletion practices align with legal and industry standards.

  • Documentation: Detailed logs of data deletion activities are maintained to support auditability and accountability.

  • Employee Training: Staff are trained on proper data disposal procedures.

This approach ensures data security and maintains customer trust.

Case Escalation

Depending on the support plan purchased (PREMIER or PLATINUM), there are ways at the client’s disposal to manage the priority of an already submitted non-P1 case when the situation changes to critical.

  • Raise to P1: This option allows you to change the priority of a case to P1 in your support case management, notifying the support team of the urgency of the case.

  • Contact the Technical Account Manager (TAM): Only available for PLATINUM plan. When help and guidance are needed, the TAM can provide information about the case and the support process to reach the solution as fast as possible. This should be the first option to take when needed; the TAM will help the client evaluate the best way to escalate the case.


Syntphony Business Transformation

Product Introduction

Syntphony Efficiency & Business empowers organizations to optimize operations, increase productivity and deliver tailored solutions with seamless integration of out-of-the-box capabilities for each industry and facilitates technological adoption with immersive learning. To learn more, explore our webpage Syntphony.

Service Credits

We will process claims within 45 days of receipt. If we determine that you have satisfied the customer obligations above and that none of the below limitations applies to your claim, we will grant you a Service Credit.

We will apply any Service Credit to a future invoice or payment for the Syntphony customer environment that experienced the Downtime. Service Credits will not be applied to fees for any other environments.

Service Credits are your exclusive remedy under this SLA.

Product Upgrade Plan

Be Tuned

Products evolve over time: new security updates, features and benefits. Do not miss the latest updates for your products with Be tuned. We offer two plans designed to keep you up to date:

  • Basic: Basic plan is included for all Syntphony customers. You may be informed about product release reports and will be able to check the process to update your product at your own pace.

  • Signature: PREMIER and PLATINUM tiers include Signature plan for Be tuned. Enjoy the benefits of the Basic plan, plus proactive information on upcoming EOS/EOL dates that apply to you and how to plan for them in good time.

Infrastructure

Syntphony Knowledge Search operates on a hybrid infrastructure comprising client-managed systems and Microsoft Azure's cloud platform. This combination offers the best of both worlds: the flexibility and scalability of Azure's advanced cloud services, along with the control and customization of client-specific infrastructure. By integrating these environments, Syntphony Knowledge Search delivers a seamless experience tailored to business needs. For more information about their security practices, see below:

Customer Obligations

To be eligible for a Service Credit:

  1. You must have contracted a level of support eligible for Service Credits: ADVANCED, PREMIER or PLATINUM.

  2. You must log a support ticket with our Support Team within 24 hours of first becoming aware of an event that impacts service availability.

  3. You must submit your claim and all required information by the end of the month immediately following the month in which the Downtime occurred.

  4. You must include all information necessary for our Support Team to validate your claim, including:

    1. A detailed description of the events resulting in Downtime, including your request logs that document the errors and corroborate your claimed outage (with any confidential or sensitive information in the logs removed or replaced with asterisks).

    2. Information regarding the time and duration of the Downtime.

    3. The number and location(s) of affected users (if applicable).

  5. You must reasonably assist the Support Team in investigating the cause of the Downtime and processing your claim.

  6. You must be up to date with all payments and have all contractual documentation up to date and signed.

Infrastructure

Syntphony Employee Communications operates within the Microsoft Azure cloud ecosystem, taking advantage of its cutting-edge security protocols, AI-powered analytics, and seamless integration capabilities. Azure’s infrastructure ensures that Syntphony Employee Communications benefits from end-to-end encryption, advanced threat detection, and compliance with industry-leading security standards. This enables businesses to trust Syntphony Employee Communications with sensitive data while ensuring uninterrupted service and optimal system reliability. For more information about their security practices, see below:

Data Encryption

All backup data is automatically encrypted when stored in the cloud using Azure Storage Encryption, supporting compliance and security commitments. Data at rest is protected with 256-bit AES encryption, one of the most secure block cipher methods available, compliant with FIPS 140-2. Furthermore, all backup data in transit is securely transmitted over HTTPS and remains within the Azure backbone network. For database storage, Transparent Data Encryption (TDE) is enabled by default in Azure, safeguarding sensitive information at rest from unauthorized access. This comprehensive encryption strategy ensures data security while facilitating compliance with data protection regulations and building trust in cloud-based information management. For detailed information on the types of encryption used by Microsoft Azure, visit the official Microsoft page:

Infrastructure

Syntphony Immersive Experience is hosted on Microsoft Azure, a globally recognized cloud platform known for its security, scalability, and enterprise-grade services. By leveraging Azure’s robust infrastructure, Syntphony Immersive Experience ensures high availability, seamless performance, and compliance with international security standards. This cloud environment allows for flexible resource management, enabling organizations to scale operations efficiently while maintaining optimal performance and data integrity. For more information about their security practices, see below:

Conformity

Certifications

In addition to the general certifications for our Syntphony products, Syntphony Intelligent Automation meets the following certification:

  • Spanish National Security Scheme (ENS) certification, ensuring the protection of citizen data in electronic procedures. Backed by the ENS, it demonstrates absolute commitment to privacy and user confidence in secure and efficient electronic processes.

Authorization and Authentication

Syntphony uses Azure AD B2C, enabling federation with any Active Directory that complies with OIDC (OpenID Connect) standards. It supports secure and flexible identity management and login experiences. Azure AD B2C leverages authentication protocols such as OpenID Connect, OAuth 2.0, and SAML, allowing seamless integration with modern apps and enterprise software.

Benefits of Azure AD B2C:

  • Scalability: Manages millions of user identities.

  • Customization: Flexible login experiences.

  • Security: Strong data protection and compliance.

For more details on Azure AD B2C and its capabilities, see the official Microsoft documentation:

Infrastructure

Syntphony Conversational AI benefits from the combined capabilities of Google Cloud and Microsoft Azure, leveraging the best of both platforms. This dual-cloud strategy allows Syntphony Conversational AI to utilize the innovative AI and data analytics tools of Google Cloud alongside Azure's enterprise-grade infrastructure and global reach. This hybrid approach ensures flexibility, scalability, and a robust infrastructure to support the needs of diverse clients.

GCP and Azure employ industry-leading security controls and are extensively audited. Both hold multiple certifications, including SOC2 Type II, ISO 27001, and PCI. For more information about their security practices, see below:

Conformity

Certifications

In addition to the general certifications for our Syntphony products, Syntphony Immersive Experiences meets the following certification:

  • Spanish National Security Scheme (ENS) certification, ensuring the protection of citizen data in electronic procedures. Backed by the ENS, it demonstrates absolute commitment to privacy and user confidence in secure and efficient electronic processes.

Service Level Agreements

The Syntphony SaaS products service commitment guarantees a Monthly Uptime Percentage of at least 99.5% during any monthly billing cycle. If this commitment is not met, you may be eligible for Service Credits.

Service Credits are structured as follows:

Monthly uptime percentage
Service credit percentage

Support Limitations

  • For any software, hardware or other elements of the Customer environment not provided by NTT DATA.

  • If Customer or a third party has altered or modified any portion of the Software.

  • If Customer has not used the Software in accordance with Documentation or instructions provided by NTT DATA, including failure to follow implementation procedures.

Pricing

Customer Support Model - Pricing

Standard
Advanced
Premier
Platinum

Proactive Business Monitoring

Proactive Business Monitoring can be used for every product covered by the PLATINUM Customer Support plan.

With this service, the Product Support team can monitor up to three business probes to ensure the health of the business flows related to the Syntphony products solution.

  • Service conditions: Only available for the PLATINUM plan. The Product Support team will monitor the products' health and proactively define alerts and procedures if any issue is raised to support.

  • Service agreement: Up to three business probes can be monitored. Availability depending on agreement.

Conformity

Certifications

Syntphony Conversational AI guarantees confidentiality, integrity and availability of information. In addition to the general certifications for our Syntphony products, this asset meets the following certifications:

  • Spanish National Security Scheme (ENS) certification, ensuring the protection of citizen data in electronic procedures. Backed by the ENS, it demonstrates absolute commitment to privacy and user confidence in secure and efficient electronic processes.

  • NTT DATA Syntphony Conversational AI has successfully obtained SOC 2 Type I security certification. The SOC2 report certifies that this product has implemented controls over the security, availability, and confidentiality of customer data. This encompasses controls related to data backup and recovery, network security, access control, and vulnerability management.

Subprocessors

The subprocessors listed below support NTT DATA in the provision of maintenance and technical support services, common to Syntphony products listed in the scope of the . Please note that each Syntphony product may also rely on additional subprocessors for specific functionalities which are listed separately in each product’s individual Subprocessors section within this Trust Center.

Subprocessor
Service Provided
Location
Guarantees

Support Model

Scope

Our support models are designed to ensure the reliability, efficiency, and accessibility of our services, providing the foundation for a seamless user experience. This section outlines the support models applicable to the products depicted in the image.

For information regarding support models for other Syntphony products not covered in this scope, please refer to the respective product's dedicated section within the Trust Center.

List of abbreviations

Abbreviation

Lifecycle Policy And Legacy Support

Syntphony Lifecycle Policy provides consistent and predictable guidelines for support throughout the life of a product, helping customers manage their IT investments and environments while strategically planning for the future.

All versions released by assets covered by Customer Support Plans have associated support for 1 year. Most of the products will be able to update to newer versions in time, but in case EOS applies, NTT DATA will provide a minimum of 6 months' notification prior to ending support for those versions.

Customers on PREMIER and PLATINUM Customer Support plans can purchase the Legacy support service, depending on the scenario:

  • EOS (End of Support): EOS is often the precursor to EOL. The product would announce an end date after which they no longer support a system or service. This applies before a migration of users to newer versions of the product. In this scenario Legacy support provides you with an extra 1 year of support.

Immersive Experiences

Component Introduction

Syntphony Immersive Experiences creates large-scale VR and immersive experiences. The enterprise extended reality platform. Customer and employee experiences that span a wide range of scenarios combining immersive, shared and customisable virtual spaces. To learn more, explore our webpage.

Syntphony Immersive Experiences is a solution developed by NTT DATA SPAIN S.L.U. belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA) and designed for immersive experiences that can be incorporated into a wide variety of business scenarios, from creating a learning path, displaying products in a virtual shop or visualizing floor plans to remote assistance. Our tool is developed considering efficiency, security and compliance with the data protection regulations.

Main Features:

  • Enterprise friendly and ready.

Employee Communications

Component Introduction

Syntphony Employee Communications connects and empowers every employee on a single digital platform. A digital workspace to boost employee experience and engagement, harnessing the full potential of Microsoft 365. To learn more, explore our webpage.

Intelligent Automation

Component Introduction

Syntphony Intelligent Automation is a platform for transforming business processes and maximising value. Intelligent automation that provides organisations with end-to-end business process transformation solutions aligned with the organisations' strategies and technology. To learn more, explore our webpage.

Syntphony Intelligent Automation is a solution developed by NTT DATA SPAIN S.L.U belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA) and designed to connect corporate strategy with operations transformation, maximizing the value of people, processes and technology. Our tool is developed considering efficiency, security and compliance with the data protection regulations.

Main Features:

  • Adapts to the needs and technological maturity of organizations

Security

Secure Design

NTT Data incorporates security into all phases of the Software Development Life Cycle (SDLC). Key components include:

  • Risk Assessment: Identification of potential software vulnerabilities prior to development.

  • Security Requirements: Defined at project initiation to address data protection and access controls.

  • Secure Development: Best coding practices including input validation, error handling, and protections against SQL injection and XSS.

Definitions

  • As used herein, "billing cycle" refers to a calendar month.

  • "Applicable Monthly Service Fees" means the total fees paid by the customer for the given Syntphony subscriptions during the month in which Downtime occurred.

  • "Downtime": A minute is considered unavailable if all of your continuous attempts to establish a connection to the Syntphony product customer environment within the minute fail. Downtime does not include scheduled downtime for maintenance and upgrades.

Knowledge Search

Component Introduction

Syntphony Knowledge Search is the intelligent search engine that finds the most relevant and accurate information from your organization's data, both structured and unstructured, and provides valuable ontology-based information. To learn more, explore our webpage.

Syntphony Knowledge Search is a solution developed by NTT DATA SPAIN S.L.U. belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA) and designed to be the intelligent search engine for an organization. Our tool is developed considering efficiency, security and compliance with the data protection regulations.

Main Features:

  • Consolidation of information from multiple sources in unified profiles.

  • Employee onboarding.

Exclusions

Downtime does not include, and you will not be eligible for a Service Credit for, any performance or availability issue that results from:

  1. Factors outside our reasonable control, such as natural disaster, war, acts of terrorism, riots, government action, cyberattack, power outage, or a network or device failure at customer site or between customer site and NTT Data customer environment.

  2. Services, hardware, or software provided by a third party, such as cloud platform services on which the customer environment runs.

  3. Customer or any third party’s (a) improper use, scaling, or configuration of Syntphony product, or (b) failure to follow appropriate security practices.

Environmental Markets

Component Introduction

Environmental Markets is a secure and traceable blockchain system enabling ESG compliance and sustainable project funding through flexible environmental credit generation across carbon, water, energy and biodiversity assets. To learn more, explore our webpage.

Conformity

Certifications

In addition to the general certifications for our Syntphony products, Syntphony Employee Communications meets the following certification:

  • Spanish National Security Scheme (ENS) certification, ensuring the protection of citizen data in electronic procedures. Backed by the ENS, it demonstrates absolute commitment to privacy and user confidence in secure and efficient electronic processes.

Sales

Component Introduction

Syntphony Sales is a multi-channel solution for managing physical and virtual points of sale. We help supermarkets and retailers meet the challenges of the future with a scalable and customisable sales solution with advanced management logic. To learn more, explore our webpage.

Syntphony Sales is a solution developed by NTT DATA SPAIN S.L.U. belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA) and designed as a business management tool. Our tool is developed considering efficiency, security and compliance with the data protection regulations.

Main Features:

  • Adaptable Sales Solutions

  • Complete API Integration

Infrastructure

Syntphony Payments leverages the power of Microsoft Azure, a cloud platform known for its global reach, reliability, and advanced security features. Azure provides a comprehensive suite of tools and services that enable Syntphony Payments to deliver high availability, scalability, and compliance with industry standards. With its focus on innovation and seamless integration, Azure ensures that Syntphony Payments can support modern business requirements and evolving customer needs. For more information about their security practices, see below:

Infrastructure

Syntphony Learning Tech operates on AWS (Amazon Web Services), one of the most robust and flexible cloud platforms in the industry. AWS offers an extensive array of services, from compute and storage to advanced machine learning capabilities. With AWS, Syntphony Learning Tech benefits from a secure, scalable, and highly available infrastructure, ensuring optimal performance even under demanding workloads. The platform's emphasis on innovation and global scalability allows Syntphony Learning Tech to meet the needs of clients across industries. For more information about their security practices, see below:

Conformity

Certifications

Syntphony Payments is designed to provide a secure, reliable, and compliant payment processing experience, meeting the highest industry standards. Our product is certified with:

  • ISO 20000 – Ensuring our 24x7 Team Operations follow best practices in IT service management, guaranteeing high availability and efficiency.

  • ISAE 3402 (SOC1 & SOC2) Report – Validating our IT security checks, ensuring compliance with financial reporting controls (SOC 1) and robust security, availability, and confidentiality measures (SOC 2).

Conformity

Certifications

In addition to the general certifications for our Syntphony products, Syntphony Learning Tech meets the following certification:

  • Spanish National Security Scheme (ENS) certification, ensuring the protection of citizen data in electronic procedures. Backed by the ENS, it demonstrates absolute commitment to privacy and user confidence in secure and efficient electronic processes.

Syntphony Commerce & Payments

To learn more, explore our webpage.

User and Password Management Policy

NTT Data defines security standards for user accounts and sensitive data access. Highlights:

  • Account Creation: Only authorized personnel can obtain access to critical systems.

  • Password Requirements: Strong password policies (length, complexity, uniqueness).

  • Password Changes: Periodic updates and secure reset procedures.

Business Continuity Plan

NTT Data’s continuity plan ensures business resilience during disruptive events. Key components:

  • Risk Assessment: Identifying threats and vulnerabilities.

  • Strategy Development: Creating plans to maintain critical operations.

  • Resource Planning: Identifying necessary personnel, technology, and budget.

Data Management

Component Introduction

Syntphony Data Management unifies customer data into a single Golden Record using real-time validation, enrichment and deduplication, ensuring accuracy, GDPR compliance and insight-driven decisions across B2B and B2C contexts. To learn more, explore our webpage.

Descriptions of your attempts to resolve the Downtime at the time of occurrence.
If the Customer is running a version of the Software that has passed its end-of-support or end-of-life date, or for Beta Offerings.
EOL (End of Life): This means the version should be taken out of service. In this scenario Legacy support provides you with an extra 1 year of support.
  • Service conditions: Legacy support service is available for an additional licence fee and benefits from:

    • Extended technical support for deprecated product versions.

    • Updates, fixes, security alerts, data fixes, and critical patch updates.

  • Code Reviews: Static analysis and peer reviews detect issues early in the development cycle.

  • Security Testing: Penetration and vulnerability tests are conducted before deployment.

  • Staff Training: Developers receive ongoing training on secure coding standards.

  • Documentation & Tracking: All security-related development activities are documented and monitored.

This proactive approach ensures secure, compliant applications and reinforces client trust.

  • "Downtime Period" means a period of more consecutive 5 minutes of Downtime. Partial or intermittent Downtime for a period of less than five minutes will not count towards any Downtime Periods.

  • "Monthly Uptime Percentage" is the total number of minutes in a month, minus the number of minutes of Downtime suffered from all Downtime Periods in a month, divided by the total number of minutes in a month.

  • "Service Credit" is the percentage of the Applicable Monthly Service Fees to be credited to the customer if NTT Data Syntphony Products approves the claim, as outlined in the table above.

  • "Customer environment" is a single Syntphony logical environment provided to a customer.

  • Demo Syntphony products environments or proof of concepts.

  • Authentication: Use of multi-factor authentication (MFA) for added security.

  • Monitoring & Auditing: Continuous account activity monitoring and periodic audits.

  • Awareness: Training employees on password management best practices.

This policy protects access to critical information and limits exposure to unauthorized access.

  • Incident Response: Clear protocols for incident management and communication.

  • Training: Employees receive ongoing training on their roles during disruptions.

  • Review & Update: Periodic plan reviews to reflect changing risks.

This policy ensures rapid and effective recovery and sustained operations.

  • Introduction to Azure AD B2C

  • Authentication Protocols in Azure AD B2C

  • Application Integration Guide

  • Customizable.

  • Scalable.
  • Completely modular
  • Dynamic redefinition of transformation plans

  • Representation of relationships between entities by means of graphs, allowing graphical navigation through the information that exists at the company.

  • Comprehensive Sales Tools

  • Tailored Solution for Every Channel


    Maximum Financial Credit

    The aggregate maximum number of Service Credits to be issued by NTT Data to the Customer, for any and all downtime periods that occur in a single billing month, will not exceed the amount due by the Customer for the Syntphony environment service, with a maximum annual amount equal to four months of billing.

    Other contracted services will not be affected by the service credit.

    Support Case Severity

    Severity definition
    Description

    P1: Critical impact—service unusable in production

    The application or infrastructure is unusable in production, having a significant rate of user-facing errors.

    Total loss of basic business functions in production environments. This refers to a complete blockage of the business processes supported by the application (e.g. billing, collections, etc.).

    P2: High impact—service use severely impaired

    Partial loss of a business function and/or significant degradation of service performance. Refers to a partial blocking of business processes, but a work-around is available.

    The infrastructure is degraded in production, having a noticeable rate of user-facing errors or difficulties in spinning up a new production system.

    P3: Medium impact—service use partially impaired

    Loss of function or degradation of business processes in production environments that affect individual users or small groups of users with minimal impact. Pull requests are also included in this category.

    Case requires more in-depth investigation and troubleshooting and less frequent interactions.

    P4: Low Impact—Service Fully Usable

    This category includes modifications or tasks that are not critical but contribute to the proper functioning of the system.

    Recommended for consultative tickets where in-depth analysis, troubleshooting or consultancy are preferred to more frequent communications.


    Data Loss Prevention (DLP)

    NTT Data’s DLP policy is a set of guidelines designed to protect sensitive and confidential information from unauthorized disclosure or access. Key strategic measures include:

    • Data Classification: Categorizing data by sensitivity level for tailored protection controls.

    • Access Controls: Role-based access ensures that only authorized personnel can access sensitive data.

    • Monitoring & Detection: Tools detect unusual or unauthorized data handling activities.

    • Encryption: Data in transit and at rest is encrypted to prevent interception and unauthorized access.

    • Training & Awareness: Employees receive training on data security best practices.

    • Incident Response: In the event of a data breach, defined procedures address impact assessment, containment, and stakeholder notification. This policy supports legal and industry compliance while promoting a culture of security across the organization.

    Vulnerability Management

    To prevent security incidents, NTT Data utilizes corporate vulnerability management agents that are continuously monitored by the corporate security team. This proactive approach enables the identification and mitigation of risks before they evolve into real threats.

    In addition, Syntphony undergoes periodic security audits—annually—carried out by a specialized ethical hacking team. These audits evaluate the infrastructure and Baseline, based on recognized industry standards such as OWASP, OSINT, OSSTMM, and T-REC-X.509.

    Vulnerability management encompasses not only identifying system flaws but also prioritizing them based on the risks they pose. A continuous cycle of discovery, assessment, and remediation is implemented, which includes:

    • Identification: Use of automated and manual tools to detect vulnerabilities across systems, applications, and networks.

    • Classification: Evaluation of each vulnerability’s severity using criteria such as the Common Vulnerability Scoring System (CVSS).

    • Remediation: Application of patches or configuration changes to mitigate identified vulnerabilities.

    • Verification: Testing to ensure that vulnerabilities have been effectively mitigated.

    • Reporting & Tracking: Documenting and communicating findings to management and stakeholders, maintaining a clear security status record.

    This comprehensive approach not only strengthens NTT Data’s infrastructure security but also fosters a security-oriented organizational culture where all employees are aware of the importance of vulnerability management.

    Learning Tech

    Component Introduction

    Syntphony Learning Tech is a digital training and learning platform that adapts to every organisation and motivates learning. It transforms learning in organisations and equips teams with the skills they need to meet challenges by providing an easy, fast and continuous training experience. To learn more, explore our webpage Syntphony.

    Syntphony Learning Tech is a solution developed by NTT DATA SPAIN S.L.U. belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA) and designed to increase the learnability and employability of teams through personalized plans that it generates after detecting the needs. Our tool is developed considering efficiency, security and compliance with the data protection regulations.

    Main Features:

    • Personalized training itineraries: Assesses each professional to map out a tailored learning pathway.

    • Facilitates the reskilling and upskilling of professionals.

    • Increases the learnability of your employees.

    Contract Termination Policy

    NTT Data’s contract termination policy ensures proper handling and protection of client data. Key practices include:

    • Data Return: Upon contract termination, all client data is returned in a pre-agreed format.

    • Secure Deletion: After return, data is securely deleted in accordance with company policy.

    • Regulatory Compliance: Aligns with applicable data protection laws such as GDPR.

    • Documentation: Activities are recorded to ensure audit readiness and accountability.

    • Client Notification: Clients are informed of the data handling process post-contract.

    This policy reinforces NTT Data’s commitment to data privacy and security, even after contractual obligations end.

    Payments

    Component Introduction

    SYNTPHONY PAYMENTS is a payment solution to manage all means of payment and channels with full control and flexibility. An omni-channel payment platform offering advanced solutions for payment terminals, mobile devices, cryptocurrencies, and digital commerce. To learn more, explore our webpage Syntphony.

    SYNTPHONY PAYMENTS is a solution developed by NTT DATA SPAIN S.L.U. belonging to the NTT DATA Europe & Latam group (hereinafter NTT DATA) and designed as a business management tool. Our tool is developed considering efficiency, security and compliance with the data protection regulations.

    Main Features:

    • Comprehensive Payment Gateway

    • With Syntphony Payments' Financial Hub, businesses gain access to a centralized platform for financial operations

    • Highly innovative application framework

    • Modular design that ensures flexibility and customization

    Data Retention Policy

    NTT Data’s data retention policy complies with the General Data Protection Regulation (GDPR). Core principles include:

    • Purpose Limitation: Data is collected for specific purposes and retained only as long as necessary.

    • Retention Periods: Defined for each data category based on legal and business needs.

    • Periodic Review: Stored data is regularly evaluated for continued relevance and deleted when no longer needed.

    • Regulatory Compliance: Supports data subjects’ rights, including the right to erasure.

    • Documentation & Auditing: Activities related to retention and deletion are logged for transparency and accountability.

    This policy promotes responsible data management and regulatory compliance.

    Information Transfer Protocols

    In the Syntphony Intelligent Automation environment, secure and industry-evaluated protocols are used to protect data and ensure reliable communication:

    • HTTPS: Encrypts data during web transmission to preserve confidentiality and integrity.

    • TLS 1.2: Provides secure communications over networks, encrypting and authenticating data.

    • SFTP / FTPS: Ensure secure file transfers using SSH (SFTP) or TLS/SSL (FTPS).

    These protocols ensure regulatory compliance and minimize risks from cyber threats and data leaks.

    Monthly uptime percentage | Service credit percentage
    --- | ---
    Less than 99.5% but equal to or greater than 98.0% | 5%
    Less than 98.0% but equal to or greater than 90.0% | 10%
    Less than 90.0% but equal to or greater than 70.0% | 50%
    Less than 70.0% | 100%

    15% of net monthly licences fees

    30% of net monthly licences fees

    Add our most personalized expertise and services.

    Contact your Account Exec

    Support for On-Premise Products

    Included in all licences

    for all Syntphony customers

    5% of net monthly licences fees

    10% of net monthly licences fees

    Add our most personalized expertise and services.

    Contact your Account Exec

    Additional Services

    For all Customer support plans

    • On-call support, licence by app-user: USD 10 monthly per app-user

    • Legacy support: additional 20% fee per licence

    Monthly fees Support plans are calculated based on licences charges (before any discounts are applied).

    Support for

    SaaS Products

    Included in all licences

    for all Syntphony customers

    Subprocessor | Service Provided | Location | Guarantees
    --- | --- | --- | ---
    NTT DATA Colombia, S.A.S. | Global Service Desk | Colombia | EU Standard Contractual Clauses (Module 3 – Processor to Processor)
    NTT DATA Spain BPO – Peru Branch | Global Service Desk | Peru | EU Standard Contractual Clauses (Module 3 – Processor to Processor)
    NTT DATA Morocco Centers, S.A.R.L. | Global Service Desk | Morocco | EU Standard Contractual Clauses (Module 3 – Processor to Processor)
    Enreach Communications, S.L. | Phone Service Desk | Spain | Data Processing Agreement
    NTT DATA Information Processing Services Private Limited | Global Service Desk | India | EU Standard Contractual Clauses (Module 3 – Processor to Processor)
    NTT DATA Spain BPO, S.L.U. | Local & Global Service Desk | Spain | Data Processing Agreement

    Abbreviation | Meaning
    --- | ---
    EOS | End Of Support
    EOL | End Of Life

  • PCI-DSS Level 1 – The highest level of compliance for Payment Card Industry Data Security Standards (PCI-DSS), allowing the secure processing of credit card transactions with maximum protection.

  • Spanish National Security Scheme (ENS) certification, ensuring the protection of citizen data in electronic procedures. Backed by the ENS, it demonstrates absolute commitment to privacy and user confidence in secure and efficient electronic processes.

By achieving these certifications, Syntphony Payments ensures a secure, compliant, and seamless financial transaction environment.

    Value Added Services

    Services
    Standard
    Advanced
    Premier
    Platinum

    Be tuned, Product upgrade plan.

    ✔ Basic

    ✔ Basic

    ✔ Signature

    ✔ Signature

    24x7 ON-CALL Support, licenced by app-user

    ❌

    ✔

    Business Continuity

    Corporate BC & Crisis Management Policy

    Objective

    Enable the organization to continue operating at a minimum acceptable level, recover business processes and keep a resilient approach.

    Scope

    It applies to all NTT DATA Europe & LATAM entities to ensure the continuity of the core and support processes as well as the critical business services and projects

    Key policy statement

    Our Top Management is committed to embrace the BC & CM within the organisation.

    People safety is our priority in a normal situation as well as during a crisis

    We provide the financial and non-financial resources required to ensure the BC & CM objectives.

    Our Business Continuity Management System (BCMS) follows a unified framework aligned with ISO 22301 and industry best practices.

    We update BC & CM framework documents regularly.

    Our BC & CM management involves three layers with defined roles for handling contingencies.

    We maintain a clear and effective communication process to inform our stakeholders during a disruption.

    We integrate BC & CM into our culture, engaging all employees in supporting and improving our BCMS through targeted training.

    Our BCMS undergoes continuous improvement supported by the Exercise & Testing program

    Corporate BCP

    At NTT DATA we are committed to the development of a Business Continuity Plan (BCP) that allows the company to be prepared to respond to an incident, minimizing its impact on business processes and guaranteeing the availability of our services in all levels involved until normal operating levels are recovered.

    The corporate BCP covers these unavailability scenarios:

    • People

    • Facilities

    • Systems

    • Suppliers

    Key points

    Protect and guarantee the safety of our employees, external personnel, collaborators, and any other person in our facilities, as a fundamental priority.

    Be able to respond and recover from incidents that may seriously impact our results, our image in the market, or that may even threaten the existence of our company.

    Maintain the level of service to which our business support areas are committed and have the necessary resources to continue the operations of our fundamental structure, to allow recovery with the least possible damage after a crisis.

    Safeguard the reputation and brand image of the NTT DATA Group.

    Organisational model

    Types of crisis

    Communication channels

    Training

    The Corporate Business Continuity Plan Training is mandatory for Noggin team members, and it is necessary to repeat it every two years.

    Tests

    Tests will be performed at least once a year, alternating different types as necessary.

    Subprocessors

    NTT DATA may engage carefully selected subprocessors that support the delivery, maintenance, or operation of this product and its related services.

    | Subprocessor | Service Provided | Location | Guarantees |
    |---|---|---|---|
    | NTT DATA Spain Infrastructures Engineering, S.L.U. | Infrastructure governance and management | Spain | Data Processing Agreement |
    | NTT DATA Spain Infrastructures Operations, S.L.U. | Infrastructure administration and operation | Spain | |

    Subprocessors

    NTT DATA may engage carefully selected subprocessors that support the delivery, maintenance, or operation of this product and its related services.

    | Subprocessor | Service Provided | Location | Guarantees |
    |---|---|---|---|
    | NTT DATA Spain Soluciones Tecnológicas, S.L.U. | Infrastructure, maintenance, implementation, ticketing, and operation services | Spain | Data Processing Agreement |
    | NTT DATA Portugal Centers Unipessoal, Ltda. | Maintenance and implementation services | Portugal | |

    Subprocessors

    NTT DATA may engage carefully selected subprocessors that support the delivery, maintenance, or operation of this product and its related services.

    | Subprocessor | Service Provided | Location | Guarantees |
    |---|---|---|---|
    | NTT DATA Spain BPO, S.L.U. | Local & Global Service Desk | Spain | Data Processing Agreement |
    | NTT DATA Spain BPO – Peru Branch | Global Service Desk | Peru | |

    Infrastructure

    Designed for maximum flexibility and efficiency, Syntphony Intelligent Automation runs on Microsoft Azure, a cloud platform that enables businesses to adapt quickly to evolving market demands. Azure’s extensive suite of services—including AI, automation, and data analytics—empowers Syntphony Intelligent Automation to deliver superior performance, intelligent automation, and a seamless user experience. With global data centers and a strong focus on business continuity, Azure provides Syntphony Intelligent Automation with the foundation to support mission-critical operations securely and reliably. For more information about their security practices, see below:

    Syntphony Intelligent Automation operates on AWS (Amazon Web Services), one of the most robust and flexible cloud platforms in the industry. AWS offers an extensive array of services, from compute and storage to advanced machine learning capabilities. With AWS, Syntphony Intelligent Automation benefits from a secure, scalable, and highly available infrastructure, ensuring optimal performance even under demanding workloads. The platform's emphasis on innovation and global scalability allows Syntphony Intelligent Automation to meet the needs of clients across industries. For more information about their security practices, see below:

    Syntphony Intelligent Automation is also hosted on a client-specific cloud infrastructure, providing a tailored environment to align with the organization's unique IT strategies and security policies. This approach ensures that Syntphony Intelligent Automation can seamlessly integrate with existing systems while adhering to the client's data governance requirements. By leveraging a client-managed infrastructure, Syntphony Intelligent Automation delivers performance and flexibility designed to suit the precise needs of each business.

    Cloud Security

    In the cloud security domain, NTT Data implements advanced solutions to safeguard infrastructure and data. Azure Firewall functions as an Intrusion Detection and Prevention System (IDS/IPS), monitoring and analyzing network traffic in real time to detect and mitigate threats. It provides Layer 4 (network) and Layer 7 (application) protection. We also use an Application Gateway with an integrated Web Application Firewall (WAF) to protect web applications from common attacks, ensuring that sensitive information and critical operations remain secure. This technology stack delivers a robust and effective defense, reinforcing our commitment to cloud data integrity and security.

    For more information, see:

    • Azure Firewall: https://docs.microsoft.com/es-es/azure/firewall/

    • Azure Web Application Firewall (WAF): https://docs.microsoft.com/es-es/azure/web-application-firewall/

    • Azure Application Gateway: https://docs.microsoft.com/es-es/azure/application-gateway/

    Subprocessors

    NTT DATA may engage carefully selected subprocessors that support the delivery, maintenance, or operation of this product and its related services.

    Subprocessor
    Service Provided
    Location
    Guarantees

    Meta Privacy Notice - NAKA

    NTT Data Privacy Notice

    At NTT DATA, we value your privacy and are committed to protecting your personal data. This Privacy Notice aims to provide you with transparent and understandable information regarding how we process your personal data in relation to the use of NAKA application that you have downloaded through Meta Horizon. It also explains your rights under current regulations and how you can exercise them. Please read it carefully.

    • Contact details of the Data Controller

      • Controller: NTT DATA Europe & Latam, S.L.U.

    Subprocessors

    NTT DATA may engage carefully selected subprocessors that support the delivery, maintenance, or operation of this product and its related services.

    Subprocessor
    Service Provided
    Location
    Guarantees

    Data Processing Agreement

    NTT DATA Spain BPO, S.L.U.

    Local & Global Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Spain BPO – Peru Branch

    Global Service Desk

    Peru

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Morocco Centers, S.A.R.L.

    Global Service Desk

    Morocco

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Colombia, S.A.S.

    Global Service Desk

    Colombia

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    Enreach Communications, S.L.

    Telephone Service Desk

    Spain

    Data Processing Agreement

    Microsoft Azure

    Cloud hosting and storage services

    Netherlands

    Terms & Conditions

    Exit Games, Inc.

    Voice transmission services

    United States

    Data Processing Agreement – Adequacy Decision

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    Data Processing Agreement

    NTT DATA Spain BPO, S.L.U.

    Local & Global Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Spain BPO – Peru Branch

    Global Service Desk

    Peru

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Morocco Centers, S.A.R.L.

    Global Service Desk

    Morocco

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Colombia, S.A.S.

    Global Service Desk

    Colombia

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    Enreach Communications, S.L.

    Telephone Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Morocco Centers, S.A.R.L.

    Global Service Desk

    Morocco

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Colombia, S.A.S.

    Global Service Desk

    Colombia

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    Enreach Communications, S.L.

    Telephone Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    https://docs.microsoft.com/es-es/azure/application-gateway/

    ✔

    ✔

    Preferred access to new releases

    ❌

    ❌

    ✔

    ✔

    Case escalation

    Learn more.

    ❌

    ❌

    ✔

    ✔

    Legacy support

    Learn more.

    ❌

    ❌

    ✔

    ✔

    Proactive business monitoring

    Learn more.

    ❌

    ❌

    ❌

    ✔

    Learn more

    NTT DATA Spain Infrastructures Engineering, S.L.U.

    Infrastructure governance and management

    Spain

    Data Processing Agreement

    NTT DATA Spain Infrastructures Operations, S.L.U.

    Infrastructure operations and support

    Spain

    Data Processing Agreement

    NTT DATA Colombia, S.A.S.

    Global Service Desk

    Colombia

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Brasil Consultoria de Negócios e Tecnologia da Informação Ltda.

    Analysis and resolution of Severity 1 tickets

    Brazil

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Chile, S.A.

    Client assistance services

    Chile

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Spain BPO – Peru Branch

    Global Service Desk

    Peru

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Morocco Centers, S.A.R.L.

    Global Service Desk

    Morocco

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    Meta Platforms, Inc.

    Messaging services (WhatsApp)

    United States

    Data Processing Agreement – Adequacy Decision

    Google Cloud EMEA Ltd.

    Cloud hosting, storage, and AI services

    Ireland

    Terms & Conditions

    Microsoft Azure

    Cognitive and voice services, cloud hosting, and AI services

    Netherlands

    Terms & Conditions

    Enreach Communications, S.L.

    Telephone Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Spain Centers, S.L.U.

    Ticketing services for incident resolution and escalation

    Spain

    Data Processing Agreement

    NTT DATA Spain BPO, S.L.U.

    Local & Global Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Spain Soluciones Tecnológicas, S.L.U.

    Hosting, operation and deployment of NTT DATA Group's internal asset management platform

    Spain

    Data Processing Agreement

    NTT DATA Spain BPO, S.L.U.

    Local and Global Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Spain BPO – Peru Branch

    Global Service Desk

    Peru

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Morocco Centers, S.A.R.L.

    Global Service Desk

    Morocco

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Colombia, S.A.S.

    Global Service Desk

    Colombia

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    Enreach Communications, S.L.

    Phone Service Desk

    Spain

    Data Processing Agreement

    Amazon Web Services EMEA SARL

    Hosting and cloud storage services, system integration services

    Ireland

    Terms and Conditions

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Spain Infrastructures Engineering, S.L.U.

    Infrastructure management and governance of NTT DATA Group's internal asset management platform

    Spain

    Data Processing Agreement

    NTT DATA Spain Infrastructures Operations, S.L.U.

    Infrastructure administration and operation of NTT DATA Group's internal asset management platform

    Spain

    Data Processing Agreement

    Address: Camino Fuente de la Mora, 1, Madrid, 28050, Spain.
  • Email address: [email protected]

  • Means of obtaining personal data All the personal data may be obtained directly from you to the extent requested by NTT DATA during your interaction with us.

    If you are using the NAKA application as an employee of your company, your company may act as data controller and could provide you with the corresponding privacy notice regarding how your personal data is being processed. In that case, we are not responsible for obtaining your consent to use the application, nor for informing you about how your personal data will be processed. However, for informational purposes, you can continue reading this Privacy Notice to learn how the NAKA application could process personal data.

  • Personal data obtained We could collect and process the following data: name, surname, password, email address, voice and usage data. IP address and/or other device identifiers could be also processed. We may also collect personal information that you give us during your communication with us regarding our services, such as for technical support. In addition to the above, we may need to use your personal information for compliance with our legal obligations under applicable law.

  • Legal basis and purpose of processing Our legal basis for collecting and using your personal information, as described in this Privacy Notice, depends on the information we collect and the specific context in which we collect it. We may process your personal information:

    • When running the application. You will be requested to grant your consent for this processing of personal data. In this event, you may withdraw your consent at any time.

    • For our legitimate interest in measuring user interactions with NAKA application, as well as the number of downloads made through Meta Horizon.

    • To comply with our legal obligations.

  • Recipients of personal data and international data transfers Your data may be transferred to other entities within the NTT DATA group identified at https://es.nttdata.com/group-companies to the extent necessary to achieve the purposes described in this policy, as well as to third parties that are engaged for the right functioning of NAKA application as cloud providers and/or voice transmission providers. These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

    We will process your personal data primarily within the European Economic Area (EEA). However, for the correct functioning of the NAKA application, your personal data could be transferred to, or accessed in, jurisdictions outside the European Economic Area. All necessary steps have been taken to ensure that your personal data receive an adequate level of protection in the jurisdictions in which they are processed. Adequate protection for the transfers of your personal data to countries outside of the European Economic Area is granted through a series of agreements based on the Standard Contractual Clauses or through other appropriate safeguards as available under applicable law from time to time.

    More information regarding the transfers of personal data may be obtained by contacting us on the address indicated in this Privacy Notice.

  • Duration of processing Your data will be processed only for the time necessary to execute the purposes defined in this policy, as well as throughout the duration of your relationship with NTT DATA, if you ultimately decide to use NAKA application. After this period, we may retain your data, duly blocked, for the time required to comply with our legal obligations and/or while responsibilities from the aforementioned processing may arise. Finally, we will proceed with the deletion of your personal data that NTT DATA or its sub-processors have processed during our relationship with you.

  • Rights of the data subjects Under data protection law, you have the following rights:

    • Right to access: You can request copies of your personal data.

    • Right to rectification: You can ask us to correct personal data you consider inaccurate or incomplete.

    • Right to erasure: You can ask us to delete your personal data from our systems.

    • Right to restriction of processing: You have the right to ask us to restrict the processing of your personal data under certain circumstances.

    • Right to object: You can object to the processing of your personal data under certain circumstances.

    • Right to data portability: You have the right to request that we transfer the personal data we hold to another organization or to you under certain circumstances.

  • Please contact us at [email protected] if you wish to exercise any of your rights.

    If you do not receive a response from us, even after sending reminders, you can file a complaint with the competent Supervisory Authority in your country of residence.

    • Technical and organizational measures We take appropriate technical measures for keeping your personal information confidential and protected against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. Finally, our sub-contractors are contractually bound to keep your personal information secure and confidential, consistent with this Privacy Notice, and are kept up-to-date on our security and privacy practices. The security of your personal information also depends on your protection of your user account. Please use a unique and strong password, and keep your login credentials secret.

    • Changes to this privacy policy If we make material changes and/or update this privacy policy, we may notify you on our website, by a blog post, by email, or by any method we determine. Your continued use of this website or our service and/or continued provision of information to us will be subject to the terms of the then-current Privacy Notice.

    • Additional information You can find additional information regarding NAKA

    Support Plans

    Customer Support Plans are incorporated into and form a part of your agreement with NTT DATA with respect to your use of the products. These plans are designed for B2B contexts as part of the relation between the customer integrator and NTT DATA.

    Customer Support Plan

    Features
    Standard
    Advanced
    Premier
    Platinum

    *Recommended to contact NTT DATA immediately after submitting a P1/P2 support case to ensure the applicable Initial response time objectives (only for users with On-call support available).

    **Business days are considered from 9:00 AM to 5:00 PM (local country or region time), Monday to Friday, excluding regional holidays.

    Meta Privacy Notice

    NTT Data Privacy Notice

    At NTT DATA, we value your privacy and are committed to protecting your personal data. This Privacy Notice aims to provide you with transparent and understandable information regarding how we process your personal data in relation to the use of Syntphony Immersive Experience application that you have downloaded through Meta Horizon. It also explains your rights under current regulations and how you can exercise them. Please read it carefully.

    • Contact details of the Data Controller

      • Controller: NTT DATA Europe & Latam, S.L.U.

      • Address: Camino Fuente de la Mora, 1, Madrid, 28050, Spain.

      • Email address: [email protected]

    • Means of obtaining personal data All the personal data may be obtained directly from you to the extent requested by NTT DATA during your interaction with us.

      If you are using the Syntphony Immersive Experiences application as an employee of your company, your company may act as data controller and could provide you with the corresponding privacy notice regarding how your personal data is being processed. In that case, we are not responsible for obtaining your consent to use the application, nor for informing you about how your personal data will be processed. However, for informational purposes, you can continue reading this Privacy Notice to learn how the Syntphony Immersive Experiences application could process personal data.

    • Personal data obtained We could collect and process the following data: name, surname, password, email address, voice and usage data. IP address and/or other device identifiers could be also processed. We may also collect personal information that you give us during your communication with us regarding our services, such as for technical support. In addition to the above, we may need to use your personal information for compliance with our legal obligations under applicable law.

    • Legal basis and purpose of processing Our legal basis for collecting and using your personal information, as described in this Privacy Notice, depends on the information we collect and the specific context in which we collect it. We may process your personal information:

      • When running the application. You will be requested to grant your consent for this processing of personal data. In this event, you may withdraw your consent at any time.

      • For our legitimate interest in measuring user interactions with Syntphony Immersive Experiences application, as well as the number of downloads made through Meta Horizon.

    • Recipients of personal data and international data transfers Your data may be transferred to other entities within the NTT DATA group identified at https://es.nttdata.com/group-companies to the extent necessary to achieve the purposes described in this policy, as well as to third parties that are engaged for the right functioning of Syntphony Immersive Experiences application as cloud providers and/or voice transmission providers. These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

      We will process your personal data primarily within the European Economic Area (EEA). However, for the correct functioning of the Syntphony Immersive Experiences application, your personal data could be transferred to, or accessed in, jurisdictions outside the European Economic Area. All necessary steps have been taken to ensure that your personal data receive an adequate level of protection in the jurisdictions in which they are processed. Adequate protection for the transfers of your personal data to countries outside of the European Economic Area is granted through a series of agreements based on the Standard Contractual Clauses or through other appropriate safeguards as available under applicable law from time to time.

      More information regarding the transfers of personal data may be obtained by contacting us on the address indicated in this Privacy Notice.

    • Duration of processing Your data will be processed only for the time necessary to execute the purposes defined in this policy, as well as throughout the duration of your relationship with NTT DATA, if you ultimately decide to use Syntphony Immersive Experiences application. After this period, we may retain your data, duly blocked, for the time required to comply with our legal obligations and/or while responsibilities from the aforementioned processing may arise. Finally, we will proceed with the deletion of your personal data that NTT DATA or its sub-processors have processed during our relationship with you.

    • Rights of the data subjects Under data protection law, you have the following rights:

      • Right to access: You can request copies of your personal data.

      • Right to rectification: You can ask us to correct personal data you consider inaccurate or incomplete.

      • Right to erasure: You can ask us to delete your personal data from our systems.

    Please contact us at [email protected] if you wish to exercise any of your rights.

    If you do not receive a response from us, even after sending reminders, you can file a complaint with the competent Supervisory Authority in your country of residence.

    • Technical and organizational measures We take appropriate technical measures for keeping your personal information confidential and protected against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. Finally, our sub-contractors are contractually bound to keep your personal information secure and confidential, consistent with this Privacy Notice, and are kept up-to-date on our security and privacy practices. The security of your personal information also depends on your protection of your user account. Please use a unique and strong password, and keep your login credentials secret.

    • Changes to this privacy policy If we make material changes and/or update this privacy policy, we may notify you on our website, by a blog post, by email, or by any method we determine. Your continued use of this website or our service and/or continued provision of information to us will be subject to the terms of the then-current Privacy Notice.

    • Additional information You can find additional information regarding Syntphony Immersive Experiences

    Subprocessors

    NTT DATA may engage carefully selected subprocessors that support the delivery, maintenance, or operation of this product and its related services.

    | Subprocessor | Service Provided | Location | Guarantees |
    |---|---|---|---|
    | NTT DATA Spain Infrastructures Engineering, S.L.U. | Infrastructure management and governance | Spain | Data Processing Agreement |
    | NTT DATA Spain Infrastructures Operations, S.L.U. | Infrastructure administration and operation | Spain | |

    Privacy

    How does SYNTPHONY KNOWLEDGE SEARCH manage privacy?

    1. Do we take privacy into account in the development of SYNTPHONY KNOWLEDGE SEARCH?

    In our technological development process, we integrate from the beginning the principles of privacy by design and comply with the applicable data protection regulations. This means that every stage of the conception, design and deployment of our solutions is carried out with privacy as a central element. We apply proactive measures to guarantee personal data protection, ensuring that our technologies not only comply with relevant legal and regulatory standards, such as the General Data Protection Regulation (GDPR), but also promote trust and security for our customers.

    Data Processing Agreement

    NTT DATA Spain Centers, S.L.U.

    Software development

    Spain

    Data Processing Agreement

    NTT DATA Spain BPO, S.L.U.

    Local and Global Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Spain BPO – Peru Branch

    Global Service Desk

    Peru

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Morocco Centers, S.A.R.L.

    Global Service Desk

    Morocco

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA Colombia, S.A.S.

    Global Service Desk

    Colombia

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    Microsoft Azure

    Cloud hosting and storage services

    Netherlands

    Terms and Conditions

    Redsys Servicios de Procesamiento, S.L.

    Payment Gateway

    Spain

    Data Processing Agreement

    Enreach Communications, S.L.

    Phone Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    here.
    To comply with our legal obligations.
  • Right to restriction of processing: You have the right to ask us to restrict the processing of your personal data under certain circumstances.

  • Right to object: You can object to the processing of your personal data under certain circumstances.

  • Right to data portability: You have the right to request that we transfer the personal data we hold to another organization or to you under certain circumstances

  • here.
    ENS Certification
    Summary of Support Model

    | Features | Standard | Advanced | Premier | Platinum |
    |---|---|---|---|---|
    | Online Case Submission 24X7 | ✔ 1 user | ✔ 1 user | ✔ Multiple users | ✔ Multiple users |
    | Commercial & Billing support | ✔ | ✔ | ✔ | ✔ |
    | Online documentation | ✔ | ✔ | ✔ | ✔ |
    | Reviews to assess the platform operations status. | ❌ | ❌ | ✔ Quarterly | ✔ Monthly |
    | Technical Account Manager (TAM) | ❌ | ❌ | ❌ | ✔ |
    | Case Severity | Not applicable | Case priority ranking available. Learn more | Case priority ranking available. Learn more | Case priority ranking available. Learn more |
    | Initial response time objectives | Not applicable | P1 cases: 2 hours*; P2 cases: 4 hours; P3 cases: 8 hours; P4 cases: 16 hours | P1 cases: 1 hour*; P2 cases: 4 hours; P3 cases: 8 hours; P4 cases: 8 hours | P1 cases: 30 mins*; P2 cases: 2 hours; P3 cases: 4 hours; P4 cases: 8 hours |
    | Service times | 8/5 ** response for issues | 8/5 ** response for issues | 24/7 response for critical- and high-impact issues (P1 & P2). 8/5 ** response for medium- and low-impact issues (P3 & P4). | 24/7 response for critical- and high-impact issues (P1 & P2). 8/5 ** response for medium- and low-impact issues (P3 & P4). |
    | Supported languages | English, Spanish | English, Spanish | English, Spanish, French, Portuguese | English, Spanish, French, Portuguese |

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security in the processing of personal data when they use our products.

    2. What does NTT DATA do to comply with privacy regulations?

    Personal data protection is an NTT DATA priority. We ensure that SYNTPHONY KNOWLEDGE SEARCH complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    3. What types of data does SYNTPHONY KNOWLEDGE SEARCH process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    In this particular case, for the use of SYNTPHONY KNOWLEDGE SEARCH, we will process the items specified below:

    • Categories of Personal Data:

      • Identification and contact details

      • Employment details

      • Personal Characteristics

      • Education and training details

      • Image data

    • Categories of Data Subjects:

      • Controller’s employees

    • Processing Operations:

      • Consultation

      • Modification

      • Recording and Storage

    1. Which suppliers does SYNTPHONY KNOWLEDGE SEARCH use?

    SYNTPHONY KNOWLEDGE SEARCH may rely on the collaboration of external suppliers to provide software or functionalities complementing the capabilities of the Product, as well as on the collaboration of other NTT DATA group companies for any additional services to be contracted, such as support and maintenance.

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes that data securely, following the instructions of the NTT DATA entity or of its data controller (e.g., its customers), and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    a. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards.

    b. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA.

    c. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    1. Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies. For more information about the subprocessors involved, see the next page.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    1. Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented, procured and availed itself of tools to document and show compliance with the privacy principles as well as with the requirements of applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different applicable legal requirements of the jurisdictions where NTT DATA operates.

    To improve NTT DATA Group's compliance and to ensure an elevated level of protection of data subjects’ rights and freedoms, which is consistent and harmonised among the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a centralized single DPO for the whole group and separate DPOs, and also Privacy Teams, for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    1. How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, protecting against any unauthorised or unlawful processing as well as against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    In addition, NTT DATA SPAIN S.L.U. has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    • ISO/IEC 20000-1:2018

    1. Updates and Modifications

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.

    1. Additional information

    Please refer to our Privacy Policies and our website (Syntphony - Home) for additional information about SYNTPHONY KNOWLEDGE SEARCH.

    AI Shared responsibility model

    Introduction

    At NTT DATA, we recognize that the use of Artificial Intelligence in our Global Assets must be accompanied by a strong sense of responsibility. As a trusted partner, we uphold the highest standards of compliance, governance, and ethical AI practices, guided by our NTT Group AI Charter.

    We align with a broad range of global frameworks and standards, including ISO/IEC 27001, GDPR, and the EU AI Act, as well as recent legislative proposals from South Korea (AI Basic Act, 2025) and California, USA (Bill SB420 & 243). These regulations embed rigorous controls into every stage of our AI lifecycle. We also invest in training and ethical responsibility programs to empower our teams to design, deploy, and operate AI systems responsibly.

    In addition, NTT DATA Spain, where many of our AI-based Global Assets are allocated, is currently in the process of obtaining ISO/IEC 42001 certification, the first international standard for AI Management Systems, which provides a structured approach to managing AI risks and ensuring responsible innovation.

    This Shared Responsibility Model defines how responsibilities are distributed across all actors involved in the lifecycle of AI-based components within our Global Assets, from model builders to end-users. This model ensures that AI systems are used in a legal, safe, ethical, and compliant manner.

    By clearly delineating roles and obligations, this Model helps mitigate risks related to bias, misinformation, data privacy, intellectual property, regulatory compliance, and misuse. It promotes transparency, accountability, and trust across the AI lifecycle.

    The Shared Responsibility Model — key roles

    AI System Providers

    Entities that develop an AI system and make it available on the market or put it into service under their own name or trademark (e.g. OpenAI or Google).

    Responsibilities

    • Ensure foundational integrity of the AI model (legality, safety, transparency).

    • Ensure compliance with intellectual property and data protection laws.

    • Address bias and publish documentation to support downstream actors’ risk management.

    Platform Providers

    Cloud or infrastructure providers that enable the hosting, deployment, and operation of AI systems (e.g., Azure OpenAI Service, Vertex AI).

    Responsibilities

    • Provide secure and compliant infrastructure for AI deployment.

    • Implement data protection measures and maintain audit trails.

    • Support multi-tenant environments and regulatory reporting.

    Deployers

    Entities that embed AI systems into their business applications or integrate them in a product/service under their control.

    Responsibilities

    • Implement safeguards to prevent misuse and monitor model quality.

    • Put in place input/output filtering and human-in-the-loop oversight.

    • Ensure safe configuration, continuous monitoring and incident response.

    Customers

    Organizations that adopt and use AI-enabled solutions.

    Responsibilities

    • Define intended uses and integrate AI into their environments.

    • Provide accurate input data, manage integrations, and ensure ethical/legal use.

    • Enforce internal AI policies and monitor deployments.

    End-Users

    Users that interact directly with AI systems.

    Responsibilities

    • Understand system limitations and follow usage guidelines.

    • Avoid misuse and report harmful outputs through governance channels.


    NTT DATA role when licensing Global Assets embedding AI

    NTT DATA acts primarily as a Deployer, focused on developing and integrating AI-driven components into our Global Assets. We design and deliver end-to-end solutions that integrate trusted AI Systems (e.g., OpenAI, Azure OpenAI, Google Gemini, Amazon Bedrock).

    Core AI integration activities:

    • LLM integration (selection, configuration, API orchestration).

    • Prompt execution and optimization (prompt engineering).

    • Retrieval-Augmented Generation (RAG) and embedding generation to improve context accuracy.

    • AI Agent orchestration for complex multi-agent workflows.

    Customers using these AI systems must comply with the AI System Provider’s terms, obligations and acceptable-use policies. NTT DATA acts as an intermediary and facilitator of such terms (“pass-through model”), ensuring the contractual framework reflects the respective roles and responsibilities.


    Roles according to the EU AI Act

    NTT DATA’s Shared Responsibility Model aligns with the EU Artificial Intelligence Act (Regulation 2024/1689) and internal governance practices. The EU AI Act defines roles such as Provider, Deployer, Importer, Distributor, and User with specific regulatory obligations depending on control and position in the AI value chain.

    • Providers (EU AI Act): legally responsible for ensuring the AI system complies with regulatory requirements before placing it on the market. NTT DATA would become a Provider only in exceptional circumstances (e.g., when substantially modifying an LLM or AI System used in a Global Asset such that its performance, purpose, or risk profile changes). In such cases NTT DATA would assume Provider-level obligations.

    • Deployers (EU AI Act): entities that use AI systems under their authority for professional purposes. This is the primary role of NTT DATA in most cases, integrating third‑party LLMs or AI Systems into our Global Assets.

      As a Deployer, NTT DATA’s practices include:

      • Input and output filtering to prevent harmful prompts/outputs.

    NTT DATA maintains internal procedures and governance bodies to supervise AI legislation compliance. However, Customers must assess the risk level of specific use-cases and inform NTT DATA so that corresponding obligations can be determined.


    Reference Links

    Microsoft Azure

    Google Cloud

    AWS

    Privacy

    How does SYNTPHONY IMMERSIVE EXPERIENCES manage privacy?

    1. Do we take privacy into account in the development of SYNTPHONY IMMERSIVE EXPERIENCES?

    In our technological development process, we integrate from the beginning the principles of privacy by design and comply with the applicable data protection regulations. This means that every stage of the conception, design and deployment of our solutions is carried out with privacy as a central element. We apply proactive measures to guarantee personal data protection, ensuring that our technologies not only comply with relevant legal and regulatory standards, such as the General Data Protection Regulation (GDPR), but also promote trust and security for our customers.

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security in the processing of personal data when they use our products.

    1. What does NTT DATA do to comply with privacy regulations?

    Personal data protection is an NTT DATA priority. We ensure that SYNTPHONY IMMERSIVE EXPERIENCES complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    1. What types of data does SYNTPHONY IMMERSIVE EXPERIENCES process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    In this particular case, for the use of SYNTPHONY IMMERSIVE EXPERIENCES, we will process the items specified below:

    • Categories of Personal Data:

      • Account name or nickname

      • Email address

      • Name and surname

    1. Which suppliers does SYNTPHONY IMMERSIVE EXPERIENCES use?

    SYNTPHONY IMMERSIVE EXPERIENCES may rely on the collaboration of suppliers that provide specific software complementing the capabilities of the Product or provide cloud hosting related to both the data hosting in the cloud and the provision of additional services as required (infrastructure maintenance and management, support, etc.).

    These suppliers can be either companies within the NTT DATA group or external companies, and may change depending on technical and/or commercial developments. The corresponding data processing agreement signed with the Client will specify the suppliers that may process personal data as sub-processors. For more information about the subprocessors involved see

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes that data securely, following the instructions of the NTT DATA entity or of its data controller (e.g., its customers), and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    a. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards.

    b. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA.

    c. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    1. Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    1. Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented, procured and availed itself of tools to document and show compliance with the privacy principles as well as with the requirements of applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different applicable legal requirements of the jurisdictions where NTT DATA operates.

    To improve NTT DATA Group's compliance and to ensure an elevated level of protection of data subjects’ rights and freedoms, which is consistent and harmonised among the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a centralized single DPO for the whole group and separate DPOs, and also Privacy Teams, for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    1. How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, protecting against any unauthorised or unlawful processing as well as against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    In addition, NTT DATA SPAIN S.L.U. has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    1. How does NTT DATA help customers comply with regulations in the use of SYNTPHONY IMMERSIVE EXPERIENCES?

      1. Fairness and transparency: At NTT DATA we understand the importance of compliance with the principles of transparency and fair processing, so we have created this template to facilitate the identification of processing operations and sub-processors so that the Client, as the data controller, can comply with its obligations with respect to these principles.

      2. Data Protection Rights: NTT DATA Group has implemented policies, procedures, forms, and tools to enable the data subjects to exercise their rights (“DSR”) considering the visibility, accessibility, and simplicity of the applicable DSR system. All this allows us to efficiently assist in the management of rights requests such as access, rectification, objection, portability, erasure, restriction of processing and other rights established by the regulations. NTT DATA Group makes available to its employees, clients, users, contractors, or any other data subjects who own the personal data in the databases, systems or other means of information owned by the entities of NTT DATA Group, appropriate channels to receive and respond to requests, inquiries, and claims from their owners so that they can exercise their rights. NTT DATA Group maintains a record of all data subject requests received and the actions taken to respond to these requests. We are diligent in notifying the client of the rights requests we receive and following the procedures established by the applicable regulations to guarantee the protection and privacy of personal data, safeguarding the rights and freedoms of data subjects.

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.

    1. Additional information

    Please refer to our Privacy Policies and our website for additional information about SYNTPHONY IMMERSIVE EXPERIENCES.

    Privacy

    How does AUTONOMOUS SUPPLY CHAIN manage privacy?

    1. Do we take privacy into account in the development of Autonomous Supply Chain?

    In our technological development process, we integrate from the beginning the principles of privacy by design and comply with the applicable data protection regulations. This means that every stage of the conception, design and deployment of our solutions is carried out with privacy as a central element. We apply proactive measures to guarantee personal data protection, ensuring that our technologies not only comply with relevant legal and regulatory standards, such as the General Data Protection Regulation (GDPR), but also promote trust and security for our customers.

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security in the processing of personal data when they use our products.

    1. What does NTT DATA do to comply with privacy regulations?

    Personal data protection is an NTT DATA priority. We ensure that AUTONOMOUS SUPPLY CHAIN complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    1. What types of data does AUTONOMOUS SUPPLY CHAIN process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    Due to the nature of AUTONOMOUS SUPPLY CHAIN, any type of data and data subjects may be processed and any type of processing operations may be carried out, amongst which we highlight the aspects specified below:

    • Categories of Personal Data:

      • Identification details

      • Personal Characteristics

      • Economic data

    1. Which suppliers does AUTONOMOUS SUPPLY CHAIN use?

    AUTONOMOUS SUPPLY CHAIN may rely on the collaboration of external suppliers to provide software or functionalities complementing the capabilities of the Product, as well as on the collaboration of other NTT DATA group companies for any additional services to be contracted, such as support and maintenance.

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes that data securely, following the instructions of the NTT DATA entity or of its data controller (e.g., its customers), and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    a. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards.

    b. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA.

    c. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    1. Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    1. Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented, procured and availed itself of tools to document and show compliance with the privacy principles as well as with the requirements of applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different applicable legal requirements of the jurisdictions where NTT DATA operates.

    To improve NTT DATA Group's compliance and to ensure an elevated level of protection of data subjects’ rights and freedoms, which is consistent and harmonised among the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a centralized single DPO for the whole group and separate DPOs, and also Privacy Teams, for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    1. How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, protecting against any unauthorised or unlawful processing as well as against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    In addition, NTT DATA SPAIN S.L.U. has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    1. Updates and Modifications

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.


    Conformity

    Certifications

    In addition to the general certifications for our Syntphony products, Syntphony Knowledge Search meets the following certification:

    • Spanish National Security Scheme (ENS) certification, ensuring the protection of citizen data in electronic procedures. Backed by the ENS, it demonstrates absolute commitment to privacy and user confidence in secure and efficient electronic processes.

    Extraction
  • Erasure

  • Collection

  • Structuring

  • Interconnection

  • Elaboration

  • Employment data

  • Health data

  • Categories of Data Subjects:

    • Controller's Clients

    • Controller's Employees

    • Controller's Suppliers

    • Controller's Users

  • Processing Operations:

    • Consultation

    • Modification

    • Erasure

  • ISO/IEC 20000-1:2018

    Usage and connection data

  • Audio/Voice data

  • Categories of Data Subjects:

    • Users (employees, end customers, students, inhabitants of a specific place…)

  • Processing Operations:

    • Consultation

    • Recording and Storage

    • Collection

    • Disclosure by transmission

    • Elaboration

    • Extraction

    • Structuring

    • Interconnection

    • Blocking and erasure

    • Organization

  • ISO/IEC 20000-1:2018
  • SOC 2 Type 2

  • Personal Data Breaches: At NTT DATA we effectively manage our clients' data breaches through internal protocols. In this way, we are constantly monitoring our systems to prevent security incidents and/or breaches affecting personal data. Therefore, in the event of a breach, in accordance with established protocols, research plans will be undertaken to determine whether the confidentiality, integrity and availability of personal data have been compromised. In addition, the client will be notified without undue delay of any data breaches of which we become aware. This communication will always include the relevant aspects of the incident, such as the nature of the breach, the number of individuals affected, the actions taken, etc. In the event that all information cannot be provided immediately, it will be provided in a gradual way without undue delay. In addition, we have established clear procedures for the ongoing monitoring of reported breaches, ensuring a quick and adequate response to mitigate any potential impact on the security of personal data.

  • Deletion and/or Return of Personal Data at the end of the provision of services: NTT DATA has protocols for the return and/or deletion of information at the end of the contract with the client, strictly following the instructions received by the client. Our commitment is to ensure that any personal data collected or processed is handled with the utmost security and in accordance with the principles of data protection, while respecting confidentiality and privacy throughout the entire lifecycle of personal data.

  • Updates and Modifications


    Guardrails management to ensure safe, ethical, human-centric interaction.

  • Users and Agents management.

  • Human-in-the-loop oversight for ethical review and intervention.

  • Monitoring and evaluation of performance, fairness, and safety.

  • Legal and regulatory compliance (GDPR, IP, EU AI Act).

  • Reviewing third-party model documentation (training data awareness).

  • Conducting risk assessments (bias, discrimination, privacy, security).

  • Ensuring transparency toward clients and users (disclosure of limitations and safe‑use guidance).

  • Training and awareness for employees involved in AI integration and governance.

  • Users (EU AI Act): individuals who interact with AI systems but do not operate or modify them. Their responsibilities are to use systems ethically, follow guidance, and report harmful or unsafe behaviour. Normally, NTT DATA does not act as a User when licensing Global Assets with AI capabilities.

  • https://learn.microsoft.com/en-us/azure/ai-services/content-safety/
    https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/abuse-monitoring
    https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/openai/overview?context=%2Fazure%2Fai-services%2Fopenai%2Fcontext%2Fcontext
    https://learn.microsoft.com/en-us/legal/ai-code-of-conduct
    https://cloud.google.com/vertex-ai/generative-ai/docs/learn/responsible-ai?hl=en
    https://cloud.google.com/blog/products/identity-security/navigating-the-eu-ai-act-google-clouds-proactive-approach
    https://cloud.google.com/vertex-ai/generative-ai/docs/vertex-ai-zero-data-retention?hl=en
    https://aws.amazon.com/ai/responsible-ai/policy/
    ENS Certification

    Privacy

    How does SYNTPHONY LEARNING TECH manage privacy?

    1. Do we take privacy into account in the development of SYNTPHONY LEARNING TECH?

    In our technological development process, we integrate from the beginning the principles of privacy by design and comply with the applicable data protection regulations. This means that every stage of the conception, design and deployment of our solutions is carried out with privacy as a central element. We apply proactive measures to guarantee personal data protection, ensuring that our technologies not only comply with relevant legal and regulatory standards, such as the General Data Protection Regulation (GDPR), but also promote trust and security for our customers.

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security in the processing of personal data when they use our products.

    1. What does NTT DATA do to comply with privacy regulations?

    Personal data protection is an NTT DATA priority. We ensure that SYNTPHONY LEARNING TECH complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    1. What types of data does SYNTPHONY LEARNING TECH process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    In this particular case, for the use of SYNTPHONY LEARNING TECH, we will process the following items specified below:

    • Categories of Personal Data:

      • Identification and contact data

      • Employment details

      • Personal Characteristics

    1. Which suppliers does SYNTPHONY LEARNING TECH use?

    SYNTPHONY LEARNING TECH may rely on the collaboration of suppliers that provide specific software complementing the capabilities of the Product or provide cloud hosting related to both the data hosting in the cloud and the provision of additional services as required (infrastructure maintenance and management, support, etc.).

    These suppliers can be either companies within the NTT DATA group or external companies, and may change depending on technical and/or commercial developments. The corresponding data processing agreement signed with the Client will specify the suppliers that may process personal data as sub-processors. For more information about the subprocessors involved see

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes said data following NTT DATA entity’s instructions, or those of its data controller (e.g., its customers), securely and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    1. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards.

    2. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA;

    3. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    4. Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    1. Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented, procured and availed itself of tools to document and show compliance with the privacy principles as well as with the requirements of applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different applicable legal requirements of the jurisdictions where NTT DATA operates.

    To improve NTT DATA Group's compliance and to ensure an elevated level of protection of data subjects’ rights and freedoms that is consistent and harmonised across the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a single centralized DPO for the whole group and separate DPOs and Privacy Teams for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    1. How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, preventing any unauthorised or unlawful processing and protecting against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    In addition, NTT DATA SPAIN S.L.U. has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    1. How does NTT DATA help customers comply with regulations in the use of SYNTPHONY LEARNING TECH?

    Fairness and transparency

    At NTT DATA we understand the importance of compliance with the principles of transparency and fair processing, so we have created this template to facilitate the identification of processing operations and sub-processors so that the Client, as the data controller, can comply with its obligations with respect to these principles.

    In addition, SYNTPHONY LEARNING TECH has the following mechanisms in place to facilitate compliance by the Client as data controller:

    • Ability to display a privacy notice at onboarding.

    • Enabling a checkbox to accept the privacy notice.

    Data Protection Rights

    NTT DATA Group has implemented policies, procedures, forms, and tools to enable the data subjects to exercise their rights (“DSR”) considering the visibility, accessibility, and simplicity of the applicable DSR system. All this allows us to efficiently assist in the management of rights requests such as access, rectification, objection, portability, erasure, restriction of processing and other rights established by the regulations.

    NTT DATA Group makes available to its employees, clients, users, contractors, or any other data subjects who own the personal data in the databases, systems or other means of information owned by the entities of NTT DATA Group, appropriate channels to receive and respond to requests, inquiries, and claims from their owners so that they can exercise their rights.

    NTT DATA Group maintains a record of all data subject requests received and the actions taken to respond to these requests.

    We are diligent in notifying the client of the rights requests we receive and following the procedures established by the applicable regulations to guarantee the protection and privacy of personal data, safeguarding the rights and freedoms of data subjects.

    Personal Data Breaches

    At NTT DATA we effectively manage our clients' data breaches through internal protocols. In this way, we are constantly monitoring our systems to prevent security incidents and/or breaches affecting personal data.

    Therefore, in the event of a breach, in accordance with established protocols, research plans will be undertaken to determine whether the confidentiality, integrity and availability of personal data have been compromised. In addition, the client will be notified without undue delay of any data breaches of which we become aware.

    This communication will always include the relevant aspects of the incident, such as the nature of the breach, the number of individuals affected, the actions taken, etc. In the event that all information cannot be provided immediately, it will be provided in a gradual way without undue delay. In addition, we have established clear procedures for the ongoing monitoring of reported breaches, ensuring a quick and adequate response to mitigate any potential impact on the security of personal data.

    Deletion and/or Return of Personal Data at the end of the provision of services

    NTT DATA has protocols for the return and/or deletion of information at the end of the contract with the client, strictly following the instructions received by the client. Our commitment is to ensure that any personal data collected or processed is handled with the utmost security and in accordance with the principles of data protection, while respecting confidentiality and privacy throughout the entire lifecycle of personal data.

    1. Updates and Modifications

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.

    1. Additional information

    Please refer to our Privacy Policies and our website for additional information about SYNTPHONY LEARNING TECH.

    Subprocessors

    NTT DATA may engage carefully selected subprocessors that support the delivery, maintenance, or operation of this product and its related services.

    Intelligent Automation

    Subcontractors
    Subcontracted services
    Location
    Guarantees

    Process Management

    Subcontractors
    Subcontracted services
    Location
    Guarantees

    Intelligent Document Processing

    Subcontractors
    Subcontracted services
    Location
    Guarantees

    Privacy

    How does SYNTPHONY CONVERSATIONAL AI manage privacy?

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security in the processing of personal data when they use our products.

    1. What does NTT DATA do to comply with privacy regulations?

    Personal data protection is an NTT DATA priority. We ensure that SYNTPHONY CONVERSATIONAL AI complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    1. What types of data does SYNTPHONY CONVERSATIONAL AI process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    Due to the nature of SYNTPHONY CONVERSATIONAL AI, any type of data and data subjects may be processed and any type of processing operations may be carried out, amongst which we highlight the following aspects specified below:

    • Categories of Personal Data:

      • Identification and voice data

      • Contact data

      • Connection data

    1. Which suppliers does SYNTPHONY CONVERSATIONAL AI use?

    SYNTPHONY CONVERSATIONAL AI may rely on the collaboration of suppliers that provide specific software complementing the capabilities of the Product or provide cloud hosting related to both the data hosting in the cloud and the provision of additional services as required (infrastructure maintenance and management, support, etc.).

    These suppliers can be either companies within the NTT DATA group or external companies, and may change depending on technical and/or commercial developments. The corresponding data processing agreement signed with the Client will specify the suppliers that may process personal data as sub-processors. For more information about the subprocessors involved see

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes said data following NTT DATA entity’s instructions, or those of its data controller (e.g., its customers), securely and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    a. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards.

    b. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA;

    c. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    1. Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    1. Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented, procured and availed itself of tools to document and show compliance with the privacy principles as well as with the requirements of applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different applicable legal requirements of the jurisdictions where NTT DATA operates.

    To improve NTT DATA Group's compliance and to ensure an elevated level of protection of data subjects’ rights and freedoms that is consistent and harmonised across the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a single centralized DPO for the whole group and separate DPOs and Privacy Teams for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    1. How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, preventing any unauthorised or unlawful processing and protecting against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    In addition, NTT DATA SPAIN S.L.U. has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    1. How does NTT DATA help customers comply with regulations in the use of SYNTPHONY CONVERSATIONAL AI?

    a) Fairness and transparency

    At NTT DATA we understand the importance of compliance with the principles of transparency and fair processing, so we have created this template to facilitate the identification of processing operations and sub-processors so that the Client, as the data controller, can comply with its obligations with respect to these principles.

    b) Data Protection Rights

    NTT DATA Group has implemented policies, procedures, forms, and tools to enable the data subjects to exercise their rights (“DSR”) considering the visibility, accessibility, and simplicity of the applicable DSR system. All this allows us to efficiently assist in the management of rights requests such as access, rectification, objection, portability, erasure, restriction of processing and other rights established by the regulations.

    NTT DATA Group makes available to its employees, clients, users, contractors, or any other data subjects who own the personal data in the databases, systems or other means of information owned by the entities of NTT DATA Group, appropriate channels to receive and respond to requests, inquiries, and claims from their owners so that they can exercise their rights.

    NTT DATA Group maintains a record of all data subject requests received and the actions taken to respond to these requests.

    We are diligent in notifying the client of the rights requests we receive and following the procedures established by the applicable regulations to guarantee the protection and privacy of personal data, safeguarding the rights and freedoms of data subjects.

    c) Personal Data Breaches

    At NTT DATA we effectively manage our clients' data breaches through internal protocols. In this way, we are constantly monitoring our systems to prevent security incidents and/or breaches affecting personal data.

    Therefore, in the event of a breach, in accordance with established protocols, research plans will be undertaken to determine whether the confidentiality, integrity and availability of personal data have been compromised. In addition, the client will be notified without undue delay of any data breaches of which we become aware.

    This communication will always include the relevant aspects of the incident, such as the nature of the breach, the number of individuals affected, the actions taken, etc. In the event that all information cannot be provided immediately, it will be provided in a gradual way without undue delay. In addition, we have established clear procedures for the ongoing monitoring of reported breaches, ensuring a quick and adequate response to mitigate any potential impact on the security of personal data.

    d) Deletion and/or Return of Personal Data at the end of the provision of services

    NTT DATA has protocols for the return and/or deletion of information at the end of the contract with the client, strictly following the instructions received by the client. Our commitment is to ensure that any personal data collected or processed is handled with the utmost security and in accordance with the principles of data protection, while respecting confidentiality and privacy throughout the entire lifecycle of personal data.

    1. Updates and Modifications

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.

    1. Additional information

    Please refer to our Privacy Policies and our website for additional information about SYNTPHONY CONVERSATIONAL AI.

    Privacy

    How does SYNTPHONY INTELLIGENT AUTOMATION manage privacy?

    1. Do we take privacy into account in the development of SYNTPHONY INTELLIGENT AUTOMATION?

    In our technological development process, we integrate from the beginning the principles of privacy by design and comply with the applicable data protection regulations. This means that every stage of the conception, design and deployment of our solutions is carried out with privacy as a central element. We apply proactive measures to guarantee personal data protection, ensuring that our technologies not only comply with relevant legal and regulatory standards, such as the General Data Protection Regulation (GDPR), but also promote trust and security for our customers.

    Education and Training

  • Categories of Data Subjects:

    • Users (students, employees, inhabitants of a specific place…)

  • Processing Operations:

    • Consultation

    • Recording and Storage

    • Interconnection

    • Extraction

    • Disclosure by transmission

    • Blocking and erasure

    • Modification

    • Structuring and profiling

    • Collection and register

  • ISO/IEC 20000-1:2018

    Usage data via developer module

  • Categories of Data Subjects:

    • Controller's customers and potential customers

    • Controller’s users

  • Processing Operations:

    • Consultation

    • Recording and Storage

    • Collection

    • Disclosure by transmission

    • Elaboration

    • Extraction

    • Structuring

    • Interconnection

    • Blocking and erasure

  • ISO/IEC 20000-1:2018

    Subcontractors | Subcontracted services | Location | Guarantees
    NTT DATA SPAIN BPO, S.L.U. | Local and Global Service Desk | Spain | Data Processing Agreement
    NTT DATA SPAIN BPO, S.L.U. SUCURSAL DEL PERÚ | Global Service Desk | Peru | Standard Contractual Clauses. Module 3: Processor to Processor
    NTT DATA MOROCCO CENTERS, S.A.R.L. | Global Service Desk | Morocco | Standard Contractual Clauses. Module 3: Processor to Processor
    NTT DATA COLOMBIA, S.A.S. | Global Service Desk | Colombia | Standard Contractual Clauses. Module 3: Processor to Processor
    MICROSOFT IRELAND OPERATIONS LIMITED | Hosting and cloud storage services. | Netherlands |
    ENREACH COMMUNICATIONS S.L | Phone Service Desk | Spain | Data Processing Agreement
    NTT DATA Information Processing Services Private Limited | Global Service Desk | India | EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA SPAIN BPO, S.L.U.

    Local and Global Service Desk

    Spain

    Data Processing Agreement

    NTT DATA SPAIN BPO, S.L.U. SUCURSAL DEL PERU

    Global Service Desk

    PERU

    Standard Contractual Clauses. Module 3: Processor to Processor

    NTT DATA MOROCCO CENTERS, S.A.R.L.

    Global Service Desk

    Morocco

    Standard Contractual Clauses. Module 3: Processor to Processor

    NTT DATA COLOMBIA, S.A.S.

    Global Service Desk

    Colombia

    Standard Contractual Clauses. Module 3: Processor to Processor

    MICROSOFT IRELAND OPERATIONS LIMITED

    Hosting and cloud storage services. Azure OpenAI, Cognitive search, Computer vision, Speech Service, Document intelligence.

    Netherlands

    AMAZON WEB SERVICES EMEA

    Other services: Textract, Bedrock, Transcribe

    Ireland

    ENREACH COMMUNICATIONS S.L

    Phone Service Desk

    Spain

    Data Processing Agreement

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA SPAIN CENTERS, SLU

    Ticketing services for resolving or forwarding incidents. Support, maintenance and testing

    Spain

    DPA

    NTT DATA SPAIN INFRASTRUCTURES ENGINEERING, S.L.U.

    Management and governance technology infrastructure service.

    Spain

    DPA

    NTT DATA SPAIN INFRASTRUCTURES OPERATIONS, S.L.U.

    Administration and operation technology infrastructure service.

    Spain

    DPA

    MICROSOFT AZURE

    Hosting and cloud storage services.

    Netherlands

    Terms and conditions

    NTT DATA SPAIN BPO, S.L.U.

    Local and Global Service Desk

    Spain

    DPA

    NTT DATA Spain BPO, S.L.U. Sucursal del Perú

    Global Service Desk

    Peru

    DPA SCC

    NTT DATA MOROCCO CENTERS, S.A.R.L.

    Global Service Desk

    Morocco

    DPA SCC

    NTT DATA COLOMBIA, S.A.S.

    Global Service Desk

    Colombia

    DPA SCC

    ENREACH COMMUNICATIONS S.L

    Phone Service Desk

    Spain

    DPA

    NTT DATA Information Processing Services Private Limited

    Global Service Desk

    India

    EU Standard Contractual Clauses (Module 3 – Processor to Processor)

    NTT DATA SPAIN CENTERS, SLU

    Support services

    Spain

    Data Processing Agreement

    NTT DATA SPAIN INFRASTRUCTURES ENGINEERING, S.L.U.

    Management and governance technology infrastructure service.

    Spain

    Data Processing Agreement

    NTT DATA SPAIN INFRASTRUCTURES OPERATIONS, S.L.U.

    Administration and operation technology infrastructure service.

    Spain

    NTT DATA SPAIN CENTERS, SLU

    Ticketing services for resolving or forwarding incidents. Support, maintenance and testing

    Spain

    Data Processing Agreement

    NTT DATA SPAIN INFRASTRUCTURES ENGINEERING, S.L.U.

    Management and governance technology infrastructure service.

    Spain

    Data Processing Agreement

    NTT DATA SPAIN INFRASTRUCTURES OPERATIONS, S.L.U.

    Administration and operation technology infrastructure service.

    Spain

    Data Processing Agreement

    Data Processing Agreement

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security when processing personal data with our products.

    What does NTT DATA do to comply with privacy regulations?

    Personal data protection is a priority for NTT DATA. We ensure that SYNTPHONY INTELLIGENT AUTOMATION complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    What types of data does SYNTPHONY INTELLIGENT AUTOMATION process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    In this particular case, for the use of SYNTPHONY INTELLIGENT AUTOMATION, we will process the items specified below:

    • Categories of Personal Data:

      • Identification details

      • Personal characteristics

      • Employment details

      • Economic details

      • Goods and services transactions

      • Data relating to the events held

      • Economic, financial and insurance data

      • Social circumstances

      • Image/video data

      • Audio/voice data

      • Academic and professional data

      • Commercial information

      • Special categories of personal data, etc.

    • Categories of Data Subjects:

      • Controller's Clients

      • Controller's Employees

      • Controller's Suppliers

    • Processing Operations:

      • Consultation

      • Recording and Storage

      • Interconnection

    Which suppliers does SYNTPHONY INTELLIGENT AUTOMATION use?

    SYNTPHONY INTELLIGENT AUTOMATION may rely on the collaboration of suppliers that provide specific software complementing the capabilities of the Product or provide cloud hosting related to both the data hosting in the cloud and the provision of additional services as required (infrastructure maintenance and management, support, etc.).

    These suppliers can be either companies within the NTT DATA group or external companies, and may change depending on technical and/or commercial developments. The corresponding data processing agreement signed with the Client will specify the suppliers that may process personal data as sub-processors. For more information about the sub-processors involved, see the next page.

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes that data securely, following the instructions of the NTT DATA entity or of its data controller (e.g., its customers), and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    1. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards.

    2. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA.

    3. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented, procured and availed itself of tools to document and show compliance with the privacy principles as well as with the requirements of the applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different applicable legal requirements of the jurisdictions where NTT DATA operates.

    To improve compliance across NTT DATA Group and to ensure an elevated level of protection of data subjects’ rights and freedoms that is consistent and harmonised among the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a centralized single DPO for the whole group and separate DPOs, as well as Privacy Teams, for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, preventing any unauthorised or unlawful processing and protecting against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    In addition, NTT DATA SPAIN S.L.U. has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    • ISO/IEC 20000-1:2018

    How does NTT DATA help customers comply with regulations in the use of SYNTPHONY INTELLIGENT AUTOMATION?

      1. Fairness and transparency

         At NTT DATA we understand the importance of compliance with the principles of transparency and fair processing, so we have created this template to facilitate the identification of processing operations and sub-processors so that the Client, as the data controller, can comply with its obligations with respect to these principles.

      2. Data Protection Rights

         NTT DATA Group has implemented policies, procedures, forms, and tools to enable the data subjects to exercise their rights (“DSR”) considering the visibility, accessibility, and simplicity of the applicable DSR system. All this allows us to efficiently assist in the management of rights requests such as access, rectification, objection, portability, erasure, restriction of processing and other rights established by the regulations.

         NTT DATA Group makes available to its employees, clients, users, contractors, or any other data subjects who own the personal data in the databases, systems or other means of information owned by the entities of NTT DATA Group, appropriate channels to receive and respond to requests, inquiries, and claims from their owners so that they can exercise their rights.

         NTT DATA Group maintains a record of all data subject requests received and the actions taken to respond to these requests.

         We are diligent in notifying the client of the rights requests we receive and following the procedures established by the applicable regulations to guarantee the protection and privacy of personal data, safeguarding the rights and freedoms of data subjects.

      3. Personal Data Breaches

         At NTT DATA we effectively manage our clients' data breaches through internal protocols. In this way, we are constantly monitoring our systems to prevent security incidents and/or breaches affecting personal data.

         Therefore, in the event of a breach, in accordance with established protocols, investigation plans will be carried out to determine whether the confidentiality, integrity and availability of personal data have been compromised. In addition, the client will be notified without undue delay of any data breaches of which we become aware.

         This communication will always include the relevant aspects of the incident, such as the nature of the breach, the number of individuals affected, the actions taken, etc. In the event that all information cannot be provided immediately, it will be provided in phases without undue delay. In addition, we have established clear procedures for the ongoing monitoring of reported breaches, ensuring a quick and adequate response to mitigate any potential impact on the security of personal data.

      4. Deletion and/or Return of Personal Data at the end of the provision of services

         NTT DATA has protocols for the return and/or deletion of information at the end of the contract with the client, strictly following the instructions received from the client. Our commitment is to ensure that any personal data collected or processed is handled with the utmost security and in accordance with the principles of data protection, while respecting confidentiality and privacy throughout the entire lifecycle of personal data.

    Updates and Modifications

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.

    Additional information

    Please refer to our Privacy Policies and our website, Syntphony - Home, for additional information about SYNTPHONY INTELLIGENT AUTOMATION.

    Privacy

    How does SYNTPHONY SALES manage privacy?

    Do we take privacy into account in the development of SYNTPHONY SALES?

    In our technological development process, we integrate from the beginning the principles of privacy by design and comply with the applicable data protection regulations. This means that every stage of the conception, design and deployment of our solutions is carried out with privacy as a central element. We apply proactive measures to guarantee personal data protection, ensuring that our technologies not only comply with relevant legal and regulatory standards, such as the General Data Protection Regulation (GDPR), but also promote trust and security for our customers.

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security when processing personal data with our products.

    What does NTT DATA do to comply with privacy regulations?

    Personal data protection is a priority for NTT DATA. We ensure that SYNTPHONY SALES complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    What types of data does SYNTPHONY SALES process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    In this particular case, for the use of SYNTPHONY SALES, we will process the items specified below:

    • Categories of Personal Data:

      • Identification and contact data

      • Transactional data

      • Bank details and credit data

    Which suppliers does SYNTPHONY SALES use?

    SYNTPHONY SALES may rely on the collaboration of suppliers that provide specific software complementing the capabilities of the Product or provide cloud hosting related to both the data hosting in the cloud and the provision of additional services as required (infrastructure maintenance and management, support, etc.).

    These suppliers can be either companies within the NTT DATA group or external companies, and may change depending on technical and/or commercial developments. The corresponding data processing agreement signed with the Client will specify the suppliers that may process personal data as sub-processors. For more information about the subprocessors involved see

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes that data securely, following the instructions of the NTT DATA entity or of its data controller (e.g., its customers), and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    a. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards.

    b. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA.

    c. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented, procured and availed itself of tools to document and show compliance with the privacy principles as well as with the requirements of the applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different applicable legal requirements of the jurisdictions where NTT DATA operates.

    To improve compliance across NTT DATA Group and to ensure an elevated level of protection of data subjects’ rights and freedoms that is consistent and harmonised among the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a centralized single DPO for the whole group and separate DPOs, as well as Privacy Teams, for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, preventing any unauthorised or unlawful processing and protecting against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    In addition, NTT DATA SPAIN S.L.U. has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    How does NTT DATA help customers comply with regulations in the use of SYNTPHONY SALES?

    a) Fairness and transparency

    At NTT DATA we understand the importance of compliance with the principles of transparency and fair processing, so we have created this template to facilitate the identification of processing operations and sub-processors so that the Client, as the data controller, can comply with its obligations with respect to these principles.

    b) Data Protection Rights

    NTT DATA Group has implemented policies, procedures, forms, and tools to enable the data subjects to exercise their rights (“DSR”) considering the visibility, accessibility, and simplicity of the applicable DSR system. All this allows us to efficiently assist in the management of rights requests such as access, rectification, objection, portability, erasure, restriction of processing and other rights established by the regulations.

    NTT DATA Group makes available to its employees, clients, users, contractors, or any other data subjects who own the personal data in the databases, systems or other means of information owned by the entities of NTT DATA Group, appropriate channels to receive and respond to requests, inquiries, and claims from their owners so that they can exercise their rights.

    NTT DATA Group maintains a record of all data subject requests received and the actions taken to respond to these requests.

    We are diligent in notifying the client of the rights requests we receive and following the procedures established by the applicable regulations to guarantee the protection and privacy of personal data, safeguarding the rights and freedoms of data subjects.

    c) Personal Data Breaches

    At NTT DATA we effectively manage our clients' data breaches through internal protocols. In this way, we are constantly monitoring our systems to prevent security incidents and/or breaches affecting personal data.

    Therefore, in the event of a breach, in accordance with established protocols, investigation plans will be carried out to determine whether the confidentiality, integrity and availability of personal data have been compromised. In addition, the client will be notified without undue delay of any data breaches of which we become aware.

    This communication will always include the relevant aspects of the incident, such as the nature of the breach, the number of individuals affected, the actions taken, etc. In the event that all information cannot be provided immediately, it will be provided in phases without undue delay. In addition, we have established clear procedures for the ongoing monitoring of reported breaches, ensuring a quick and adequate response to mitigate any potential impact on the security of personal data.

    d) Deletion and/or Return of Personal Data at the end of the provision of services

    NTT DATA has protocols for the return and/or deletion of information at the end of the contract with the client, strictly following the instructions received from the client. Our commitment is to ensure that any personal data collected or processed is handled with the utmost security and in accordance with the principles of data protection, while respecting confidentiality and privacy throughout the entire lifecycle of personal data.

    Updates and Modifications

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.

    Additional information

    Please refer to our Privacy Policies and our website, Syntphony - Home, for additional information about SYNTPHONY SALES.

    Privacy

    How does SYNTPHONY PAYMENTS manage privacy?

    Do we take privacy into account in the development of SYNTPHONY PAYMENTS?

    In our technological development process, we integrate from the beginning the principles of privacy by design and comply with the applicable data protection regulations. This means that every stage of the conception, design and deployment of our solutions is carried out with privacy as a central element. We apply proactive measures to guarantee personal data protection, ensuring that our technologies not only comply with relevant legal and regulatory standards, such as the General Data Protection Regulation (GDPR), but also promote trust and security for our customers.

    At NTT DATA, we help our clients fulfil current and future business needs by developing products and assets that work together to multiply business value. In doing so, we constantly track the global picture of privacy and align our technology to comply with data protection regulations, ensuring that our customers can operate with confidence and security when processing personal data with our products.

    Controller's Users
  • Users

  • Suppliers

  • Any other data subject that may be included into the uploaded documentation

  • Extraction
  • Disclosure by transmission

  • Blocking and erasure

  • Collection

  • Structuring

  • Organization

  • Modification

  • Retrieval

  • Limitation

  • Settlement and payment data

  • Economic data

  • Personal Characteristics

  • Access data

  • Usage and connection data

  • Categories of Data Subjects:

    • End customers

    • Employees

    • Suppliers

    • Users

    • Identification and contact data

    • Transactional data

    • Bank details and credit data

    • Settlement and payment data

    • Economic data

    • Personal Characteristics

    • Access data

    • Usage and connection data

  • Categories of Data Subjects:

    • End customers

    • Employees

    • Suppliers

    • Users

  • Processing Operations:

    • Consultation

    • Recording and Storage

    • Interconnection

    • Extraction

    • Disclosure by transmission

    • Blocking and erasure

    • Collection

    • Retrieval

    • Comparison

    • Structuring and Organization

  • ISO/IEC 20000-1:2018
  • PCI DSS v.3.2.1


    What does NTT DATA do to comply with privacy regulations?

    Personal data protection is a priority for NTT DATA. We ensure that SYNTPHONY PAYMENTS complies with all requirements stipulated by data protection regulations.

    We have therefore implemented security and privacy protocols to guarantee personal data protection in accordance with the highest standards established by European regulations. As a result, our customers can be sure that their personal data is protected while benefiting from an integrated and efficient technological solution that boosts their businesses.

    What types of data does SYNTPHONY PAYMENTS process?

    The personal data that are processed as a result of the commercialization of the product will depend on the specific functionalities and/or modules that the customer chooses to use. It is important to note that only categories of data explicitly authorized by the client in accordance with the specific instructions provided will be processed by us, and we will ensure that any personal data processing is carried out strictly in accordance with the client's purposes and instructions, thereby ensuring transparency and compliance at all times.

    In this particular case, for the use of SYNTPHONY PAYMENTS, we will process the items specified below:

    • Categories of Personal Data:

      • Identification and contact data

      • Transactional data

      • Bank details and credit data

      • Settlement and payment data

      • Economic data

      • Personal Characteristics

      • Access data

      • Usage and connection data

    • Categories of Data Subjects:

      • End customers

      • Employees

      • Suppliers

    • Processing Operations:

      • Consultation

      • Recording and Storage

      • Interconnection

    Which suppliers does SYNTPHONY PAYMENTS use?

    SYNTPHONY PAYMENTS may rely on the collaboration of suppliers that provide specific software complementing the capabilities of the Product or provide cloud hosting related to both the data hosting in the cloud and the provision of additional services as required (infrastructure maintenance and management, support, etc.).

    These suppliers can be either companies within the NTT DATA group or external companies, and may change depending on technical and/or commercial developments. The corresponding data processing agreement signed with the Client will specify the suppliers that may process personal data as sub-processors. For more information about the sub-processors involved, see the next page.

    NTT DATA is diligent in choosing its suppliers or service providers and in evaluating the guarantees they can demonstrate regarding compliance with applicable data protection laws, with a view to the protection of data subjects.

    Any provider acting under the authority of an NTT DATA entity and having access to personal data processes that data securely, following the instructions of the NTT DATA entity or of its data controller (e.g., its customers), and adopts the technical and organizational measures needed to guarantee compliance with applicable data protection laws.

    NTT DATA processors and sub-processors are required to sign appropriate agreements that govern the processing and protection of personal data. These agreements include requirements to ensure that the same obligations are passed to any further processors who may process personal data.

    In addition, NTT DATA has policies and supporting procedures to ensure that information assets are protected when NTT DATA engages third party service providers and/or processors. This includes requirements for data privacy, information security due diligence and information security risk assessments to be performed, in order to ensure:

    a. Information security requirements are clearly articulated and documented in agreements in accordance with NTT DATA’s information security standards;

    b. NTT DATA service providers and processors implement the same level of protection and control as NTT DATA;

    c. Service providers and processors are required to report any suspected or actual information security incidents to NTT DATA in a timely manner.

    Do we transfer personal data outside the EEA?

    In most cases, we will process personal data within the European Economic Area (EEA) or in a country that has an adequacy decision issued by the European Commission (Switzerland, Canada, etc.). However, we may use providers that process personal data from locations outside the EEA, including our NTT DATA Group companies.

    In any case, we will take all measures to ensure that our suppliers provide adequate guarantees to protect the personal data processed on behalf of our clients, and we contractually require that such personal data are processed in compliance with applicable data protection laws. In particular, for suppliers that involve an international data transfer, we apply the following:

    • Risk Assessment: Before any international data transfer, we conduct a detailed risk assessment to identify and mitigate potential risks to the security and privacy of personal data.

    • Standard Contractual Clauses (SCCs): SCCs are incorporated into our contracts with our suppliers outside the EEA to ensure an adequate level of personal data protection.

    • Data Protection Agreement (DPA): Our DPA specifies our obligations and commitments, including security, confidentiality, limitations on international data transfers, cooperation with data subjects' rights, and notification of security incidents.

    Do we have a Data Protection Officer (DPO)?

    To comply with the overarching accountability concept, NTT DATA has implemented and procured tools to document and show compliance with the privacy principles as well as with the requirements of applicable data protection laws.

    Each NTT DATA company dedicates adequate resources to comply with applicable data protection laws, considering the different legal requirements of the jurisdictions where NTT DATA operates.

    To improve NTT DATA Group's compliance and to ensure an elevated level of protection of data subjects’ rights and freedoms that is consistent and harmonised across the various jurisdictions, NTT DATA Group has adopted a hybrid DPO organization model. This model is halfway between a single centralized DPO for the whole group and separate DPOs, and Privacy Teams, for each entity in the various jurisdictions.

    Therefore, each NTT DATA company has a Data Protection Officer (DPO) in compliance with the applicable laws and regulations, as well as a Local Data Protection Office. The DPO is responsible for the supervision of the data protection strategy and its implementation in order to ensure compliance with legal requirements, as well as acting as a point of contact for any privacy and data protection law related queries. The local Data Protection Office implements and executes the data protection strategy to ensure compliance.

    How do we protect personal data?

    At NTT DATA we understand the relevance of protecting our clients' personal data. We have therefore implemented a holistic combination of technical and organisational measures designed to guarantee privacy at all phases of the personal data lifecycle, preventing any unauthorised or unlawful processing and protecting against any accidental loss, destruction or damage of personal data. In addition, we conduct periodic review processes to assess the compliance and effectiveness of these measures, with the continuous objective of improving security and privacy.

    NTT DATA SPAIN S.L.U. also has various certifications that support our commitment to security and privacy, including:

    • ISO/IEC 27001:2022

    • the HIGH category in the “Esquema Nacional de Seguridad” (ENS)

    • ISO 9001:2015

    • ISO 14001:2015

    • ISO/IEC 20000-1:2018

    • PCI DSS v.3.2.1

    How does NTT DATA help customers comply with regulations in the use of SYNTPHONY PAYMENTS?

    a) Fairness and transparency

    At NTT DATA we understand the importance of compliance with the principles of transparency and fair processing, so we have created this template to facilitate the identification of processing operations and sub-processors so that the Client, as the data controller, can comply with its obligations with respect to these principles.

    b) Data Protection Rights

    NTT DATA Group has implemented policies, procedures, forms, and tools to enable the data subjects to exercise their rights (“DSR”) considering the visibility, accessibility, and simplicity of the applicable DSR system. All this allows us to efficiently assist in the management of rights requests such as access, rectification, objection, portability, erasure, restriction of processing and other rights established by the regulations.

    NTT DATA Group makes available to its employees, clients, users, contractors, and any other data subjects whose personal data is held in the databases, systems or other information media owned by NTT DATA Group entities, appropriate channels for receiving and responding to their requests, inquiries, and claims so that they can exercise their rights.

    NTT DATA Group maintains a record of all data subject requests received and the actions taken to respond to these requests.

    We are diligent in notifying the client of the rights requests we receive and following the procedures established by the applicable regulations to guarantee the protection and privacy of personal data, safeguarding the rights and freedoms of data subjects.

    c) Personal Data Breaches

    At NTT DATA we effectively manage our clients' data breaches through internal protocols. In this way, we constantly monitor our systems to prevent security incidents and/or breaches affecting personal data.

    Therefore, in the event of a breach, in accordance with established protocols, investigation plans will be undertaken to determine whether the confidentiality, integrity and availability of personal data have been compromised. In addition, the client will be notified without undue delay of any data breaches of which we become aware.

    This communication will always include the relevant aspects of the incident, such as the nature of the breach, the number of individuals affected, the actions taken, etc. In the event that all information cannot be provided immediately, it will be provided in phases without undue delay. In addition, we have established clear procedures for the ongoing monitoring of reported breaches, ensuring a quick and adequate response to mitigate any potential impact on the security of personal data.

    d) Deletion and/or Return of Personal Data at the end of the provision of services

    NTT DATA has protocols for the return and/or deletion of information at the end of the contract with the client, strictly following the instructions received from the client. Our commitment is to ensure that any personal data collected or processed is handled with the utmost security and in accordance with the principles of data protection, while respecting confidentiality and privacy throughout the entire lifecycle of personal data.

    Updates and Modifications

    We reserve the right to modify this document to reflect changes in privacy practices or legal updates.

    Additional information

    Please refer to our Privacy Policies and our website (Syntphony - Home) for additional information about SYNTPHONY PAYMENTS.
