Data Processing Addendum

Last updated June 1, 2026 · v1.0.0

This Data Processing Addendum ("DPA") supplements the Order Form (the "Agreement") entered into by and between the Customer entity executing this DPA ("Customer" or "Data Controller") and Topogy, Inc., which provides the services ("Company" or "Data Processor"). This DPA governs the Processing of Customer Personal Data in connection with the services provided under the Agreement.

1. Definitions

  • "Applicable Data Protection Laws" means all worldwide privacy and data protection laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation (GDPR), the UK GDPR, and US State Privacy Laws (including the California Consumer Privacy Act/CPRA), each as amended or replaced from time to time.
  • "Customer Personal Data" means any Personal Data processed by Company on behalf of Customer pursuant to or in connection with the Agreement.
  • "Data Subject", "Controller", "Processor", and "Processing" shall have the meanings given to them under Applicable Data Protection Laws. If formal terminology varies across jurisdictions (e.g., "Consumer", "Business", "Service Provider" under the CCPA), the corresponding equivalents shall apply.
  • "Security Incident" means any confirmed accidental, unauthorized, or unlawful acquisition, disclosure, alteration, loss, or destruction of Customer Personal Data within the possession or direct control of Company, which results in material harm to the security, confidentiality, or integrity of such data.

2. Scope and role of the parties

2.1 Relationship: The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Data Controller (or Business) and Company is the Data Processor (or Service Provider).

2.2 Customer Instructions: Company shall Process Customer Personal Data only in accordance with Customer's documented instructions, including with respect to transfers of Personal Data outside the European Economic Area (EEA) or the United Kingdom, unless required to do so by applicable law. The Agreement and this DPA constitute Customer's complete instructions to Company.

2.3 Compliance with Laws: Each party will comply with its respective obligations under Applicable Data Protection Laws. Company will promptly inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws.

3. US-specific provisions (CCPA/CPRA)

To the extent the Customer Personal Data is subject to US State Privacy Laws (including the CCPA), Company explicitly agrees:

  • Service Provider Role: Company acts strictly as a Service Provider / Processor. Company will not "Sell" or "Share" (as those terms are defined under the CCPA) Customer Personal Data.
  • Purpose Limitation: Company will not retain, use, or disclose Customer Personal Data for any purpose other than for the business purposes specified in the Agreement, or as otherwise permitted by law.
  • Data Combination: Company will not combine Customer Personal Data with personal data received from, or on behalf of, other sources, except to the extent expressly permitted under Applicable Data Protection Laws.

4. Confidentiality and personnel

Company shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are bound by statutory or contractual obligations of confidentiality that survive the termination of employment.

5. Security measures

Company shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure, as detailed in Schedule 2 of this DPA. Company regularly tests, assesses, and evaluates the effectiveness of these security measures.

6. Subprocessors

6.1 Authorization: Customer grants Company general written authorization to engage subprocessors to provide aspects of the SaaS Services.

6.2 Liability: Company remains fully liable to the Customer for the performance of each subprocessor's data protection obligations to the same extent as if performed by Company directly.

7. Data subject rights and cooperation

7.1 Data Subject Requests: Company shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights (e.g., access, deletion, correction, or portability). Company will not respond to such request directly except on Customer's documented instructions or as required by law.

7.2 Assistance: Company will provide reasonable assistance and cooperation to Customer to enable Customer to respond to Data Subject requests, and to conduct Data Protection Impact Assessments (DPIAs) or prior consultations with supervisory authorities as required by law.

8. Security incident management

8.1 Notification: Company shall notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a confirmed Security Incident affecting Customer Personal Data.

8.2 Details of Notification: The notification will contain, at a minimum, a description of the nature of the incident, the categories and approximate number of data subjects and records affected, and the mitigation measures taken or planned. Company will cooperate with Customer's reasonable requests for updates.

8.3 Mitigation: Company will take immediate, commercially reasonable steps to mitigate the effects of and remediate any Security Incident.

9. International data transfers

To the extent that Customer Personal Data originates from the EEA, United Kingdom, or Switzerland and is transferred to Company in a country not recognized as providing an adequate level of protection, the parties agree to rely on the EU Standard Contractual Clauses (SCCs) (Module Two: Controller-to-Processor) and/or the UK International Data Transfer Addendum, which are hereby incorporated by reference as if fully set forth herein.

10. Audit rights

Company shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. No more than once per calendar year, Customer may audit Company's compliance by requesting a copy of Company's latest independent security certifications or third-party audit reports.

11. Return or deletion of data

Upon termination or expiration of the Agreement, Company shall, at Customer's written choice, delete or return all Customer Personal Data in its possession or control, unless applicable law requires continued storage of the data. If deletion is chosen, it shall be performed in accordance with secure industry standards.

Schedule 1: Details of processing

Categories of Data Subjects: Customer's employees and contractors, whose information is submitted to the Processor platform.

Categories of Personal Data: Name, professional email address, work account identifiers, team/role tags, device and application metadata, application telemetry, and free-form content (comments, notes, etc.) authored by Customer's employees in connected systems.

Special Categories of Data (if applicable): None anticipated, unless expressly configured or uploaded by Customer in accordance with the primary Agreement.

Frequency of Processing: Continuous and automated for the duration of the Agreement.

Nature and Purpose of Processing: To provide, maintain, host, support, optimize, and improve the SaaS Services as explicitly described in the primary Agreement.

Schedule 2: Technical and organizational security measures

Company maintains at minimum the following comprehensive technical, physical, and administrative safeguards:

  • Data Encryption: All Customer Personal Data is encrypted in transit using Transport Layer Security (TLS 1.2 or higher) and at rest using Advanced Encryption Standard (AES-256).
  • Access Management: Strict role-based access control (RBAC) enforced according to the principle of least privilege. Multi-Factor Authentication (MFA) is strictly mandatory for all administrative and production infrastructure access.
  • Network Security: Deployment of next-generation firewalls, intrusion detection/prevention systems (IDS/IPS), centralized logging, and continuous automated vulnerability scanning.
  • Physical and Infrastructure Safeguards: Services are hosted within secure, Tier-3 data centers provided by certified cloud infrastructure leaders (e.g., AWS, GCP, or Azure) maintaining SOC 2 Type II and ISO 27001 certifications.
  • Business Continuity: Regular automated data backups and fully tested disaster recovery plans to ensure persistent availability.