Data Processing Addendum (EU/UK/CH)
Parties
(1) Xpometer (as identified in the Order Form) ("Company", "Processor"); and
(2) Client ("Client", "Controller").
This Data Processing Addendum ("DPA") forms part of the Client agreement (including the Terms, Order Form(s), and policies referenced therein) (hereafter the "Agreement"). All definitions in this DPA shall have the same meaning as in the Agreement of the Company, unless specified herein.
1. Scope & Roles
1.1 Scope and Roles.
This DPA applies when personal data as contained in Client Data (hereafter "Client Personal Data") is processed by Company under Applicable Data Protection Laws in performance of the Agreement, as further detailed in Schedule 1. Where Applicable Data Protection Laws provide for the roles of "controller" and "processor," Client is the controller of the Client Personal Data covered by this DPA, and Company shall be a processor processing Client Personal Data on behalf of Client, and this DPA shall apply accordingly.
1.2 Purpose.
The purpose of the processing under the DPA is the provision of the Services by Company to Client as specified in the Agreement.
2. Client Instructions
2.1 Documented Instructions.
Company will Process Client Personal Data only on documented instructions from Client as set out in the Agreement, this DPA, and Order Forms. The Parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding Company’s processing of Client Personal Data (“Documented Instruction(s)”). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Company and Client including agreement on any additional fees payable by Client to Company for carrying out such instructions.
2.2 Compliance with Law.
Company will promptly inform Client if, in its opinion, a Documented Instruction infringes Applicable Data Protection Law. Client shall ensure that its Documented Instructions comply with all applicable laws, rules and regulations relating to the Client Personal Data, and that the processing of Client Personal Data according to Client's Documented Instructions will not cause Company to breach Applicable Data Protection Law. Client is solely responsible for the accuracy, quality, and legality of (a) the Client Personal Data provided to Company by or on behalf of Client, (b) the means by which Client acquired such Client Personal Data, and (c) the Documented Instructions it provides to Company. Client shall indemnify Company from all claims and losses arising from Client's breach of this Section 2.2.
3. Confidentiality
3.1 Company shall not access, use, or disclose to any third party, any Client Personal Data, except as necessary to maintain or provide the Services, or as required to comply with applicable law, a request from a public authority and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Company a demand for Client Personal Data, Company shall attempt to redirect such governmental body to request that data directly from Client. As part of this effort, Company may provide Client's basic contact information to the governmental body. If compelled to disclose Client Personal Data to a governmental body, Company shall give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Company is legally prohibited from doing so.
3.2 Company shall ensure that all persons authorized to process Client Personal Data on behalf of Company are made aware of the confidential nature of the Client Personal Data, and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and receive appropriate privacy and security training.
4. Security Measures
4.1 Company's provision of the Services will be consistent with the technical and organisational measures ("TOMs") described in Schedule 2. Company may update or modify the TOMs from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the term of this Agreement.
4.2 In assessing the appropriate level of security, Company considers the risks presented by processing, including from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data transmitted, stored or otherwise processed. While Client may review the implemented security measures, Company retains sole discretion in determining and implementing appropriate security measures based on its expertise and risk assessment methodology.
5. Subprocessors
5.1 Client hereby generally authorizes Company to engage subprocessors in accordance with this Section 5. Client approves the subprocessors currently disclosed in Schedule 3. Company may remove, replace, or appoint suitable and reliable subprocessors, provided that Company shall maintain an up-to-date list of its subprocessors available on Company's website at https://xpometer.com/terms.
5.2 Where Company engages a subprocessor, Company will: (a) restrict the subprocessor's access to Client Personal Data only to what is necessary to provide or maintain the Services in accordance with the Agreement; (b) enter into a written agreement with the subprocessor imposing data protection obligations no less protective than those in this DPA; and (c) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the subprocessor that cause Company to breach any of Company's obligations under this DPA.
5.3 Objections to Subprocessors. If Client reasonably objects to the engagement of a new subprocessor, Company may (at its discretion): (a) cancel its plans to use the subprocessor with regard to Client Personal Data; (b) take corrective steps requested by Client in its objection and proceed to use the subprocessor; (c) cease to provide, or Client may agree not to use, the particular aspect of the Services that would involve the use of such subprocessor; or (d) provide Client with a written description of commercially reasonable alternatives. If Company cannot provide any such alternatives, or if Client does not agree to any such alternatives if provided, either Party may terminate the affected Services with prior written notice.
6. Assistance to Client
6.1 Company will provide reasonable assistance to Client with: (a) security of processing; (b) data protection impact assessments; (c) consultation with supervisory authorities; and (d) data subject requests as set forth herein. Company shall promptly inform Client of any requests received directly from data subjects regarding Client Personal Data. Client shall be responsible for handling and responding to all such data subject requests. Upon Client's written request, Company will provide reasonable assistance to Client in handling such data subject requests. Company may charge Client reasonable fees for providing such assistance, as agreed in writing before commencing the assistance.
7. Personal Data Breach
7.1 Company will notify Client without undue delay after becoming aware of a personal data breach affecting Client Personal Data, and will provide timely information reasonably necessary for Client to meet its breach notification obligations. Company’s notification is not an admission of fault or liability.
8. International Transfers
8.1 Client acknowledges and agrees that Company may transfer and process Client Personal Data from the United Kingdom or European Economic Area (EEA) to other regions where Company, its Affiliates, or its subprocessors maintain data processing operations. Company shall ensure that such transfers are made in compliance with Applicable Data Protection Law and this DPA.
8.2 Where applicable, Xpometer may rely on the EU‑US Data Privacy Framework (and UK Extension) or on Standard Contractual Clauses (SCCs) and other transfer mechanisms, as further detailed in Schedule 4. Client agrees to the Restricted Transfer of Client Personal Data to subprocessors, provided an appropriate mechanism is implemented.
8.3 Where other jurisdictions require additional steps before transfer, Company will cooperate with Client to comply with those Applicable Data Protection Laws.
8.4 Parties may reasonably amend this DPA to reflect changes in law, guidance, or transfer mechanisms; both Parties will negotiate in good faith.
8.5 Client bears responsibility for obtaining any required consents from End‑Users/data subjects for transfers where required by law, and will notify Company of any withdrawal of consent.
9. Audit & Compliance
9.1 Upon request (no more than once per calendar year), Company shall make available for Client's review a summary copy of audit report(s) demonstrating security compliance. Requests may be made to legal@xpometer.com. Reports constitute Company's Confidential Information.
9.2 Company shall provide, where shareable, third‑party subprocessor audit confirmations/reports. Certain subprocessors may require an NDA.
9.3 Where legally required by a Supervisory Authority, more frequent audits may be conducted as necessary.
10. Return & Deletion
10.1 During the Subscription Term and for 30 days thereafter, Client may export Client Personal Data via the Platform.
10.2 Upon Client’s written request at termination, Company will delete or return Client Personal Data and delete existing copies within 90 days, unless retention is required by law or backup policies. Deletion from backups occurs per standard retention cycles.
10.3 Upon request, Company will certify deletion.
11. Liability
11.1 Parties’ aggregate liability related to this DPA is subject to the limitations in the Agreement, with carve‑outs where prohibited by law and for data subject claims as specified herein.
12. Order of Precedence
12.1 If there is a conflict between this DPA and the Agreement, this DPA prevails regarding processing of personal data, except that liability provisions shall be read together with the Agreement. The SCCs (Schedule 4) prevail over this DPA and the Agreement to the extent of conflict.
13. Definitions
Key terms such as “Applicable Data Protection Laws,” “Data Privacy Framework,” “Restricted Transfer,” and “Standard Contractual Clauses” have the meanings commonly used under EU/UK data protection legislation and as further described in this DPA.
Schedule 1 — Details of Processing
- Subject matter & duration: Processing of Client Personal Data as necessary to provide the Platform during the Subscription Term and as otherwise permitted by the Agreement and this DPA.
- Nature & purpose: Hosting, storage, analysis, scoring, alerting, reporting, troubleshooting, security monitoring, and service improvement.
- Types of personal data: Identification data (names, role, contact details), online identifiers, publicly available profile data, content from public sources that may include personal data; Client‑uploaded files which may contain personal data. Client will not provide special categories unless explicitly agreed and safeguarded.
- Categories of data subjects: Client personnel/contractors (users), individuals about whom Client requests analysis (e.g., executives, public figures, related entities), and other individuals whose data appears in public sources.
- Special categories/criminal data: Not intentionally processed. If Client instructs processing of such data, Client ensures lawful basis and safeguards.
Schedule 2 — Technical & Organisational Measures (TOMs)
- Governance: Security policies, risk management, asset inventories, least‑privilege access.
- Access control: Unique IDs, MFA for privileged access, RBAC, access reviews, session management.
- Encryption: In transit (TLS) and at rest; key management.
- Physical & cloud security: Reputable data centres/cloud providers with certifications; tenant segregation.
- Vulnerability & patching: Secure SDLC, code review, dependency management, scanning, timely patching.
- Logging & monitoring: Centralised logging, admin audit trails, anomaly detection.
- Data integrity & backup: Regular backups, restoration tests, DR planning.
- Incident response: Documented IR plan, escalation paths, breach assessment/notification.
- Personnel security: Background checks where lawful, training, confidentiality undertakings.
- Vendor management: Subprocessor due diligence, contractual controls, monitoring.
- Testing: Penetration testing at least annually; remediation tracking.
- Customer controls: Admin console for user management, export tools, API access controls (where applicable).
Schedule 3 — Subprocessors (current list excerpt)
| Subcontractor (Legal Entity) | Jurisdiction | Country of Processing | Description |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg | EU/UK/CH regions | Processing, transmission and storage (databases, file storage). |
| Amazon Web Services, Inc | United States | United States | Processing, transmission and storage (databases, file storage). |
| Microsoft Ireland Operations Limited | Ireland | EU/UK/CH Azure regions | Processing, transmission and storage. |
| OpenAI Ireland Ltd | Ireland | EU regions (under EU data residency) | Processing and storage as part of platform features. |
| Google Cloud EMEA Limited | Ireland | EU/UK/CH GCP regions | Processing, transmission and storage. |
| Anthropic Ireland Limited | Ireland | Ireland | Processing and storage. |
| Mistral AI SAS | France | France | Processing and storage. |
Company maintains an up‑to‑date full list of subprocessors and will notify Client of changes per Section 5.
Schedule 4 — International Transfer Mechanisms
Standard Contractual Clauses (EU SCCs / UK Addendum): EU SCCs (Module 2) apply, with governing law and forum as specified (Malta for EU SCCs). For UK transfers, the ICO International Data Transfer Addendum applies, with Tables populated per Agreement/Schedules. Switzerland (FDPIC) applies mutatis mutandis; references to GDPR include the Swiss FADP; competent authority is the FDPIC; governing law/forum: Switzerland (courts of Zurich), unless otherwise required.
Contact for privacy matters
Email: privacy@xpometer.com
Address: Centre Room 1 Level 1 Suite 2, Triq L-Imdina, Zebbug, ZBG 9015, Malta. Company registration number C112876.