Customer Data Processing Addendum
Last Revised: May 5, 2026
This Data Processing Addendum (“DPA”) is an agreement between Dash Security Inc. (“Company” or “Data Processor”) and the Customer identified in the Services Agreement between the Company and the Customer governing the Company's provision of the Services to Customer (the “Services Agreement” and the “Customer” respectively). This DPA is incorporated by reference into, and forms part of, the Services Agreement. By accessing or using the Services, or by otherwise executing or accepting the Services Agreement (including electronically), Customer agrees to be bound by this DPA. Data Controller and Data Processor shall be collectively referred to as the “Parties”, and each a “Party”.
Definitions. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Affiliate(s)” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Applicable Laws” means any applicable law, including Data Protection Laws, to which Data Processor is subject with respect to any Personal Data;
“Data Protection Laws” means all applicable laws, statutes, regulations, and regulatory requirements relating to the processing, protection, privacy, and security of personal data, as amended from time to time, including, without limitation: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); and (b) to the extent applicable, United States federal and state privacy, data protection, and data security laws, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), and other similar U.S. state privacy laws.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), which is Processed by Data Processor or any of Data Processor’s Sub-processors on behalf of Data Controller as part of the performance of the Services under the Services Agreement;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Sub-processor” means any third party (but excluding any personnel member of Data Processor) appointed by or on behalf of Data Processor to Process Personal Data for the benefit of Data Controller as part of the performance of the Services under the Services Agreement;
“Supervisory Authority” means any applicable regulatory authority responsible for the enforcement of Data Protection Laws; and
“Term” shall have the meaning ascribed to it under Section 11 below.
Processing of Personal Data.
Data Processor, and any person acting under its authority, will carry out the Personal Data Processing activities, including with regard to transfers of Personal Data to a third country or an international organisation, only for the following purposes: (i) to provide the Services, in accordance with the Services Agreement and other reasonable documented instructions provided by the Data Controller, where such instructions are consistent with the terms of the Services Agreement (collectively, the “Instruction(s)”); (ii) as permitted under this DPA; and (iii) as required under Applicable Law, in which case Data Processor shall, to the extent permitted by Applicable Law, inform Data Controller of such legally required Processing of Personal Data, unless that law prohibits such information on important grounds of public interest.
Data Controller instructs Data Processor (and authorizes Data Processor to instruct each of its Sub-processors) to process the Personal Data, as reasonably necessary for the provision of the Services and in accordance with the Services Agreement and this DPA. Additional instructions outside the scope of this DPA and the Services Agreement require prior written agreement between Data Controller and Data Processor and will include any additional fees that may be payable by the Data Controller to the Data Processor for carrying out such instructions.
Data Controller hereby acknowledges that as part of the provision of the Services hereunder, Data Processor may collect, disclose, publish, share and otherwise use fully anonymized, de-identified and de-identifiable data, including statistical data, analytics, trends and other aggregated data which derives from the Personal Data Processed by the Data Processor as part of the provision of the Services, all as required for the Data Processor's legitimate purposes, including without limitation in order to provide, maintain, operate and improve the Services and for research purposes. Data Processor agrees not to use said anonymized data in a form that identifies the Customer or any Data Subject. The Data Controller hereby agrees and acknowledges that such processing activities (including the anonymization and de-identification of Personal Data) will not be considered as performed outside the scope of the Instructions provided by the Data Controller hereunder.
Data Processor will notify Data Controller if Data Processor is of the opinion that a written Instruction received from Data Controller is in violation of Applicable Law and/or in violation of contractual duties under the Services Agreement.
Data Controller shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Data Controller acquired the Personal Data. Data Controller warrants and undertakes that the Personal Data has been collected, Processed and transferred to the Data Processor in accordance with the laws applicable to Data Controller, including, if required by applicable Data Protection Laws, that Data Controller has received all required consents from the applicable Data Subjects for the Processing carried out by the Data Processor under this DPA and that the Data Subjects have been informed that their Personal Data could be transmitted to a third country outside of their jurisdiction.
To the extent the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act and implementing regulations (collectively, the “CCPA/CPRA”) applies to Personal Data processed under this DPA, the Parties agree that (in addition to other rights and obligations hereunder): (a) the Parties acknowledge and agree that, with respect to any Personal Data that constitutes “personal information” under the CCPA/CPRA, Customer is the “business” and Company is a “service provider”, as defined under the CCPA/CPRA; (b) Company shall Process such personal information solely for the “business purposes” specified in the Services Agreement and this DPA, and strictly in accordance with Customer’s documented Instructions, and shall not: (i) “sell” or “share” such personal information; (ii) retain, use, or disclose such personal information for any purpose other than for the specific purpose of performing the Services specified in the Services Agreement and this DPA, including retaining, using, or disclosing such personal information for a “commercial purpose” other than providing the Services; or (iii) retain, use, or disclose such personal information outside the direct business relationship between the Parties, except as permitted by the CCPA/CPRA; and (c) Company shall promptly notify Customer if Company determines that it can no longer meet its obligations under the CCPA/CPRA.
Exhibit 1 of this DPA sets forth certain information regarding Data Processor’s Processing activities of the Personal Data.
Data Subjects.
Data Processor shall promptly notify Data Controller if Data Processor receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including without limitation the right of access, rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), and shall not respond to such request without Data Controller’s prior written consent, except to confirm that such request relates to Data Controller.
Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to any Data Subject Request and agrees to provide reasonable assistance and comply with reasonable instructions from Data Controller related to any Data Subject Request.
Supervising Authorities. Data Processor shall provide reasonable assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities, as required by Data Protection Laws, in each case solely in relation to the Processing of Personal Data by Data Processor and all by taking into account the nature of the Processing and information available to the Data Processor. Data Controller acknowledges and agrees that assistance with data protection impact assessments and prior consultations by Data Processor may result in additional fees (which will be notified to Data Controller in advance).
Security.
Data Processor shall treat Personal Data as confidential information and will not disclose, make available or transfer the Personal Data to any third party, other than as permitted under this DPA.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor has implemented, and will maintain, adequate technical and organizational security measures in order to ensure a level of security of the Personal Data appropriate to that risk, including those measures stipulated in Exhibit 2 of this DPA. The technical and organizational security measures are aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing.
The technical and organizational security measures implemented by the Data Processor are subject to technical progress and development, and Data Processor may update or modify the technical and organizational security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Security Breach Notification.
Data Processor shall notify Data Controller without undue delay, and in any case within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting the Personal Data.
Data Processor shall provide Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Supervising Authorities and/or Data Subjects of the Personal Data Breach under the Data Protection Laws, taking into account the nature of Processing and the information available to Data Processor, including the following information: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) a description of the measures taken, or proposed to be taken, to address the Personal Data Breach, including measures to mitigate its possible adverse effects. To the extent Data Processor does not have full information about the Personal Data Breach at the time of the initial notification, Data Processor shall provide an initial notification and then supplement that with additional information as it becomes available.
Audit.
During the Term, Data Processor shall keep records of its Processing activities in accordance with applicable Data Protection Laws.
During the Term and upon request, Data Processor shall make available to Data Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in applicable Data Protection Laws and this DPA. As a first step and as Data Controller's primary means of assessing compliance, Data Processor shall (a) respond to Data Controller's reasonable written compliance questionnaires and (b) provide Data Controller with readily available documentation and audit reports (including, where applicable, independent third-party certifications, summaries of audit reports, or other similar materials) that Data Processor has prepared or obtained in the ordinary course of its business to demonstrate such compliance. Only if, after reviewing Data Processor's responses and materials, Data Controller reasonably determines that they are insufficient to demonstrate compliance, and only to the extent necessary to address the specific, documented insufficiencies, Data Processor shall allow for and contribute to audits, including inspections, conducted by Data Controller or another auditor mandated by Data Controller, all at Data Controller's sole expense and solely to verify Data Processor’s compliance with the obligations laid down in applicable Data Protection Laws and this DPA. If and to the extent Data Controller engages third parties to conduct the audit, such third parties must be bound to strict confidentiality obligations. Notwithstanding the above, Data Controller shall only be entitled to conduct such inspection during business hours and no more than once during one calendar year, provided that Data Controller shall be entitled to conduct such inspections at any time if it reasonably suspects Data Processor to be in material breach of its obligations under this DPA and that nothing in this Section shall limit the timing and scope of any audit required to be conducted by applicable Data Protection Laws.
Data Controller shall provide Data Processor reasonable prior written notice of any audit or inspection to be conducted under this Section and shall avoid (and ensure that each of its auditors avoids) causing any damage, injury or disruption to Data Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such audit or inspection.
Nothing in this DPA will require Data Processor either to disclose to Data Controller (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Data Processor; (ii) Data Processor’s internal accounting or financial information; (iii) any trade secret of Data Processor; or (iv) any information that, in Data Processor’s sole discretion, could compromise the security of any of Data Processor’s systems or premises or cause Data Processor to breach obligations under any Applicable Law or its obligations to any third party.
Sub-processing.
Data Controller hereby (i) grants Data Processor a general authorization to engage (and permits each Sub-processor appointed in accordance with this Section to engage) Sub-processors for the purpose of providing the Services; (ii) agrees that Affiliates of Data Processor may be used as Sub-processors; and (iii) confirms that Data Processor may continue to use those Sub-processors already engaged by Data Processor as of the Effective Date of this DPA, which are detailed on Data Processor's Document (“Existing Sub-processors”).
Data Processor can at any time and without justification appoint a new Sub-processor, provided that prior to engaging any Sub-processor:
(a) Data Processor will provide a fourteen (14) days’ prior notice to Data Controller regarding the engagement of a new Sub-processor, and the Data Controller does not reasonably object to such changes within that timeframe under legitimate and documented grounds. If Data Controller’s objection to an engagement of a Sub-processor is legitimate, Data Processor shall either refrain from using such Sub-processor in the context of the Processing of Personal Data, or shall notify Data Controller that it is unable to provide the Services without the use of such Sub-processor and therefore it will suspend or restrict the Services (or an applicable part thereof) with immediate effect.
(b) Data Processor ensures that it has in place a sub-processing agreement between Data Processor and the Sub-processor, that is no less protective with respect to Data Controller’s interest and protection of Personal Data than this DPA. Data Processor shall maintain an up-to-date list of Sub-processors on its website.
Where the Sub-processor fails to fulfil its personal data protection obligations with respect to the Personal Data, Data Processor shall remain fully liable to Data Controller for the performance of that Sub-processor’s obligations.
Transfers. Data Controller hereby authorizes Data Processor to transfer Personal Data across international borders (including outside the European Economic Area (EEA), the United Kingdom and Switzerland) to the extent necessary to provide the Services. Where such transfer involves Personal Data protected by GDPR and/or UK GDPR and is to a country not subject to an adequacy decision (as applicable), the Parties agree that the transfer will be made only to the extent permitted under applicable Data Protection Laws and subject to appropriate safeguards, which may include, as applicable: (i) the European Commission Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914) (the "EU SCCs"); (ii) the UK International Data Transfer Agreement and/or the UK Addendum to the EU SCCs issued by the UK Information Commissioner (as may be amended or replaced) (the "UK Transfer Mechanism"); (iii) an applicable approved certification mechanism together with binding and enforceable commitments; or (iv) another lawful transfer mechanism recognized under applicable Data Protection Laws. To the extent the EU SCCs and/or the UK Transfer Mechanism apply: (a) Data Controller is the "data exporter" and Data Processor is the "data importer"; (b) Module Two (Controller to Processor) applies; (c) in Clause 9, Option 2 applies (general authorization) and the applicable notice and objection process is set out in Section 8 of this DPA; (d) in Clause 11, the optional language does not apply unless the Parties otherwise agree in writing; (e) in Clause 17, Option 1 applies and the governing law shall be the law of Ireland; (f) in Clause 18(b), disputes shall be resolved before the courts specified in Ireland, to the extent permitted by the EU SCCs; and (g) the Annexes to the EU SCCs shall be deemed completed using the information set out in Exhibit 1 (and Exhibit 2, as applicable) of this DPA. 
Data Processor will, upon Data Controller's reasonable request, provide information reasonably necessary for Data Controller to confirm the transfer mechanism relied upon for relevant transfers and to support any required transfer impact assessment, and will implement supplementary measures where required under applicable Data Protection Laws.
Personnel. Data Processor will be responsible for using qualified personnel with data protection training to provide the Services and ensure that Data Processor’s access to the Personal Data is limited only to those personnel who require such access to perform the Services. Data Processor shall obligate its personnel to Process the relevant Personal Data only in accordance with this DPA. Data Processor will further ensure that its personnel authorised to Process the Personal Data on its behalf: (i) will do so only on a need-to-know basis; and (ii) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they will keep confidential and will not make available any Personal Data to any third party, other than as permitted herein.
Deletion and Return of Personal Data. Within thirty (30) calendar days following the termination of the Services Agreement and/or this DPA, Data Processor will delete and instruct its Sub-processors to delete, all existing copies of the Personal Data which are in its possession, unless instructed by the Data Controller, by way of a prior written notice, to return such data, in which case the Data Processor shall return a copy of the Personal Data to the Data Controller and delete all remaining copies of the Personal Data which are in its possession. Notwithstanding the foregoing, Data Processor may retain the Personal Data, to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
Term. This DPA shall become effective upon execution or acceptance of the Services Agreement (“Effective Date”) and shall remain in full force until the later of the date when Data Processor ceases to Process the Personal Data or termination of the Services Agreement (the “Term”). All provisions of this DPA, which by their language or nature should survive the termination of this DPA, will survive the termination of this DPA.
Limitation of Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Services Agreement governing the Services.
Changes to this DPA. The Parties may amend this DPA from time to time by mutual agreement of both Parties.
Miscellaneous. (i) This DPA represents the complete agreement concerning the subject matter hereof; (ii) except where explicitly agreed otherwise in writing by the Parties, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Services Agreement and any other agreements which may be entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail; (iii) the Parties to this DPA hereby agree to the governing law and the choice of jurisdiction stipulated in the Services Agreement with respect to any disputes or claims arising under this DPA; (iv) nothing in this DPA reduces either Party’s obligations under the Services Agreement in relation to the protection of Personal Data; and (v) should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
***
EXHIBIT 1
DETAILS OF PROCESSING OF PERSONAL DATA
Subject matter of the Processing: Processing of Personal Data as necessary to provide the Services to Customer under the Services Agreement, including access to, collection, storage, organization, use, disclosure (as instructed), transmission and deletion of such Personal Data.
Duration: For the Term of the Services Agreement and any period thereafter during which Company processes Personal Data on behalf of Customer in accordance with the DPA, including any limited retention period required by applicable law.
The purpose of the Processing: To provide, operate, support, maintain, secure and improve the Services; provide Customer support; perform troubleshooting and service-related communications; comply with Customer's documented instructions; and comply with applicable law.
Nature of the Processing: Processing operations may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available (as instructed), alignment or combination, restriction, erasure or destruction of Personal Data.
Type of Personal Data: Personal Data included in Customer Data (as defined in the Services Agreement).
Categories of data subjects: Customer's authorized users, employees, contractors, agents, customers and other individuals whose Personal Data is included in or processed via the Services on behalf of Customer.
EXHIBIT 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational security measures implemented by Data Processor according to Section 5 of the DPA:
1. Security Program:
Data Processor implements and maintains a comprehensive information security program, including:
alignment with SOC 2 Type II standards, audited annually by an independent third-party auditor;
documented information security policies and procedures, reviewed and updated at least annually;
designation of a qualified Chief Information Security Officer or equivalent senior security officer with appropriate authority and resources;
regular risk assessments of systems and processes that handle customer data, conducted at least annually;
annual third-party security audits and attestations by qualified independent auditors;
provision of security attestation reports and certifications to Data Controller within thirty (30) days of written request.
2. Technical Security Measures:
Data Processor implements and maintains the following technical security measures with respect to Personal Data:
encryption of all Personal Data at rest using AES-256 encryption or stronger;
encryption of all Personal Data in transit using TLS 1.2 or higher;
access controls based on the principle of least privilege;
multi-factor authentication for all access to systems containing Personal Data;
comprehensive logging and monitoring of all access to, use of, and modifications to Personal Data, with logs retained for a minimum of two (2) years;
vulnerability management program including regular vulnerability scans and penetration testing conducted at least annually by qualified third parties;
remediation of all critical and high severity security vulnerabilities within thirty (30) days of discovery.
3. Personnel Security:
Data Processor implements personnel security measures, including:
background checks on all personnel who will have access to Personal Data, prior to such access being granted;
mandatory security awareness training for all personnel with access to Personal Data, with annual refresher training;
written confidentiality and non-disclosure agreements for all personnel with access to Personal Data, at least as protective as the confidentiality provisions in the Services Agreement;
immediate revocation of access to Personal Data upon termination of any personnel, with written certification to Data Controller of such revocation within five (5) business days.