Compliance with the Data Act

Last updated: November 4, 2025

The purpose of this page is to fulfill the requirements set out in Art. 28(1) of the Regulation (EU) 2023/2854 (the Data Act). This page provides information on the jurisdiction over Vercom S.A.'s infrastructure and the specific measures taken by Vercom S.A. to prevent unauthorized international access to or transfer of data.

Jurisdiction over ICT Infrastructure

Vercom S.A. operates in accordance with European Union law and is subject to the jurisdiction of Polish courts. Customer data is always processed within the European Economic Area (EEA). Depending on the type of service, data may be processed in various locations within the EEA, as detailed in the table below:

*In the case of Cloudflare Inc., which is a CDN provider, the exact location of data processing cannot be specified. However, Vercom S.A. has entered into a Data Localization Suite agreement that restricts processing to the EEA.

Measures to Prevent Unauthorized Access

Vercom S.A. has implemented a comprehensive set of technical, organizational, and contractual measures designed to protect customer data from unauthorized access by non-EU authorities and from illegal data transfers.

Technical Measures

To protect customer data, Vercom S.A. applies a range of technical measures, in particular:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2).

• Logging, correlating, and alerting of security events by various security systems (SIEM/SOAR) for early anomaly detection.

• Identity and access controls (MFA), key rotation, and secrets management (KMS/Secret Manager).

• Processing of customer data exclusively within the European Economic Area (EEA), ensuring its protection in line with the high security and privacy standards of EU Member States.

Organizational Measures

Vercom S.A. has implemented a "Policy on Sharing Data with Third Parties," which mandates a legal assessment of every request for customer data disclosure from non-EU state authorities. This policy, developed in accordance with the Data Act, defines, among other things, the principles for assessing such requests and the obligation to inform the customer about the request, where permitted by law. If disclosure is required, Vercom S.A. will only disclose the minimum scope of data necessary to fulfill the request.

Contractual Measures

Vercom S.A. enters into agreements with its providers that:

• Restrict data processing to the EU territory.

• Require notification of data access requests from third-country authorities.

• Prohibit the use of data for any purpose other than providing services to Vercom S.A.

Other Vercom S.A. Initiatives

Vercom S.A.'s actions in implementing the Data Act are part of a broader strategy for responsible data governance. Throughout the Vercom Group, we are building a technological environment based on:

• Customer Autonomy: Vercom S.A. does not use artificial barriers in its contracts that would hinder switching providers or prevent the simultaneous use of competing services. Our agreements do not contain non-standard notice periods or punitive retention clauses. This ensures that organizations working with Vercom maintain full autonomy in shaping their technology architecture.

• Interoperability: Our systems allow for data export in a wide range of standard formats (including CSV, JSON, XML). All exported data retains its complete relational structure, enabling lossless transfer to other platforms.

Vercom S.A.'s commitment to implementing the principles of the Data Act confirms our dedication to building an open and secure data market based on trust and transparency.