Data Processing Addendum
Effective Date: December 1, 2025 | Version 2.0
This Data Processing Addendum ("DPA") forms part of the Terms of Service or Master Subscription Agreement ("Agreement") between Llewellyn Systems Inc, a subsidiary of Sound of Life Media, Inc. ("Processor") and the entity agreeing to these terms ("Controller"). This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the ODE-LOS services.
1. Definitions
- "Data Protection Laws" means GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, PDPA, Privacy Act 1988, POPIA, and all other applicable data protection legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Subprocessor" means any third party engaged by Processor to process Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission for international data transfers.
2. Scope and Roles
2.1 Controller Role. Controller determines the purposes and means of Processing Personal Data. Controller is responsible for ensuring lawful bases for Processing and compliance with Data Protection Laws regarding its use of the Services.
2.2 Processor Role. Processor processes Personal Data only on behalf of and in accordance with Controller's documented instructions. Processor shall not process Personal Data for any purpose other than providing the Services.
2.3 Processing Details. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I to this DPA.
3. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller, unless required by law
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 5)
- Assist Controller in responding to Data Subject requests
- Assist Controller with data protection impact assessments and prior consultations where required
- Delete or return Personal Data upon termination, at Controller's election
- Make available information necessary to demonstrate compliance and allow for audits
- Notify Controller without undue delay upon becoming aware of a Personal Data breach
4. Subprocessors
4.1 Authorization. Controller provides general authorization for Processor to engage Subprocessors listed at /legal/subprocessors.
4.2 Notice. Processor shall notify Controller at least 30 days before engaging new Subprocessors. Controller may object to new Subprocessors on reasonable grounds.
4.3 Subprocessor Agreements. Processor shall ensure Subprocessors are bound by data protection obligations no less protective than those in this DPA.
5. Security Measures
Processor implements the following technical and organizational measures:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Control: Role-based access control (RBAC), multi-factor authentication, least privilege principle
- Tenant Isolation: Logical separation of customer data with tenant-specific encryption keys
- Audit Logging: Comprehensive audit trails with One-Record data lineage
- Network Security: Firewalls, intrusion detection, DDoS protection
- Physical Security: SOC 2 Type II-audited data centers (subprocessor reports available)
- Business Continuity: Regular backups, disaster recovery procedures
- Personnel: Background checks, security training, confidentiality agreements
- Vulnerability Management: Regular penetration testing, security assessments
6. International Data Transfers
6.1 Transfer Mechanisms. For transfers of Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, Processor relies on:
- Standard Contractual Clauses (Module 2: Controller to Processor) as approved by European Commission Decision 2021/914
- UK International Data Transfer Agreement or UK Addendum to SCCs
- Swiss-specific amendments where applicable
6.2 Supplementary Measures. Processor implements supplementary technical and organizational measures as required by Schrems II guidance, including encryption, access controls, and transparency reporting.
6.3 Government Access. Processor shall notify Controller of government access requests unless legally prohibited, and shall challenge requests that are overbroad or unlawful.
7. Data Subject Rights
Processor shall assist Controller in fulfilling Data Subject rights requests, including access, rectification, erasure, restriction, portability, and objection. Processor shall notify Controller promptly of any requests received directly from Data Subjects and shall not respond directly unless authorized.
8. Data Breach Notification
8.1 Notification. Processor shall notify Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach.
8.2 Information. Notification shall include: (a) nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; (d) measures taken or proposed to address the breach.
9. Audits
Processor shall make available to Controller information necessary to demonstrate compliance with this DPA and allow for audits conducted by Controller or an independent auditor. Audits shall be conducted with reasonable notice, during normal business hours, and subject to confidentiality obligations. Controller may rely on Processor's SOC 2 Type II reports (where applicable) in lieu of on-site audits.
10. Data Retention and Deletion
Upon termination of the Agreement, Processor shall, at Controller's election, delete or return all Personal Data within 30 days, unless retention is required by applicable law. Processor shall certify deletion upon request.
11. CCPA/CPRA Specific Terms
For Personal Information subject to CCPA/CPRA, Processor is a "Service Provider" and shall:
- Not sell or share Personal Information
- Not retain, use, or disclose Personal Information except as necessary to perform the Services
- Not combine Personal Information with data from other sources except as permitted
- Comply with applicable CCPA/CPRA obligations and assist Controller with consumer rights requests
- Certify understanding of and compliance with these restrictions
Annex I: Processing Details
Subject Matter: Provision of the ODE-LOS enterprise decision automation services
Duration: Term of the Agreement plus data retention period
Nature and Purpose: Processing Customer Data to provide procurement, PMO, finance, and AI automation services
Types of Personal Data: Contact information, business identifiers, user activity data, content uploaded by users (meeting notes, documents, project data)
Categories of Data Subjects: Controller's employees, contractors, customers, vendors, and other business contacts
Contact
Llewellyn Systems Inc
A Sound of Life Media Company
Data Protection Officer: dpo@llewellynsystems.com
Privacy Inquiries: privacy@llewellynsystems.com
