This Data Processing Addendum ("DPA") is incorporated into and forms part of the Master Subscription Agreement or other written or electronic agreement between DELINE8.AI LIMITED and Customer for the purchase of services from deline8 (the "Agreement").
This DPA is entered into between DELINE8.AI LIMITED, a private limited company registered in Ireland with company number 790770 and registered address at Troyswood, Kilkenny, R95 H7Y0, Ireland ("deline8"), and the customer entity identified in the Agreement ("Customer").
This DPA will become legally binding upon the effective date of the Agreement. In the event of any conflict between the terms of this DPA, the Agreement, and any applicable Standard Contractual Clauses, the order of precedence shall be: (i) the Standard Contractual Clauses (as applicable), then (ii) this DPA, and then (iii) the Agreement, but only with regard to the subject matter of data protection.
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
1.1 "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party, where control means ownership of more than 50% of the voting interests.
1.2 "Aggregated/Deidentified Data" means data derived from the Freemium tier that has undergone an anonymization/de-identification process consistent with EDPB/ICO guidance so that it does not relate to an identified or identifiable natural person, and deline8 implements technical and organizational safeguards prohibiting re-identification or singling out. deline8 will not attempt to re-identify such data.
1.3 "Customer Data" means electronic data, configurations, metadata, logs, and other information submitted by or for Customer to the Services, or collected by the Services from Customer’s designated technology environments in connection with the provision of the Services. Customer Data may include Personal Data.
1.4 "Data Protection Laws" means all applicable data protection and privacy laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and the California Privacy Rights Act ("CPRA"), in each case as amended or superseded.
1.5 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
1.6 "EEA" means the European Economic Area.
1.7 "Personal Data" means any information relating to a Data Subject that is processed by deline8 on behalf of Customer as a Processor in the course of providing the Services under the Agreement.
1.8 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored, or otherwise Processed.
1.9 "Processing", "Process", and "Processed" mean any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.10 "Processor" and "Controller" shall have the meanings given to them in the GDPR.
1.11 "Services" means the subscription-based services provided by deline8 via its AI-powered platform as identified in the Agreement and any applicable Order Form.
1.12 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.13 "Sub-processor" means any third party engaged by deline8 or its Affiliates to Process Personal Data in connection with the Services.
1.14 "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR.
1.15 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under S119A(1) of the Data Protection Act 2018.
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and deline8 is the Processor. All rights in and to Customer Data remain with Customer; deline8 acquires no rights other than those necessary to provide the Services.
2.2 Purpose Limitation. deline8 shall Process Personal Data only for the purposes of providing, maintaining, and supporting the Services as described in the Agreement and this DPA. The Agreement and this DPA constitute Customer's complete and final documented instructions to deline8 for the Processing of Personal Data. Customer may provide additional reasonable written instructions during the term; if such instructions materially deviate from the Agreement, the parties will agree on any resulting fees or timelines in writing. deline8 shall immediately inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
2.3 Customer's Obligations. Customer represents and warrants that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its Processing of Personal Data and any processing instructions it issues to deline8; and (ii) it has provided notice and obtained all necessary consents, permissions, and rights required under Data Protection Laws for deline8 to lawfully Process Personal Data for the purposes contemplated by the Agreement.
2.4 Data Use Limitation for Paid Tiers. deline8 shall not use Customer Data from any paid subscription tier (including but not limited to the Scout, Deep Dive, and Enterprise/PE Portfolio Tiers) to train deline8's AI models. Any use of Customer Data from paid subscription tiers is strictly limited to the purposes of providing, maintaining, and supporting the Services for that Customer as described in the Agreement. Notwithstanding the foregoing, deline8 may Process limited technical telemetry derived from Customer’s use of the Services solely for security, fraud prevention, service reliability, and billing, without using such data to train general-purpose models.
2.5 deline8's Use of Aggregated/Deidentified Data. Notwithstanding anything to the contrary in the Agreement or this DPA, deline8 may create, use, and disclose Aggregated/Deidentified Data for its legitimate business purposes, including but not limited to operating, analyzing, improving, and marketing the Services and for developing industry benchmarks. For the avoidance of doubt, Aggregated/Deidentified Data is not considered Customer Data or Personal Data.
2.6 Data Processing Locations. deline8 will store and process Customer Data solely within the selected region, except (i) for limited remote access by authorized support personnel on a temporary, as-needed basis subject to the international transfer mechanisms in Section 5 and the access controls in Annex II, and (ii) for encrypted backups and disaster recovery copies that remain in-region. deline8 will not replicate Customer Data to another region for continuous operation without Customer’s prior written consent. Unless otherwise agreed by the parties in an Order Form, the region will be determined as follows:
For Customers with a billing address in the United States, Customer Data will be primarily Processed and stored in the United States.
For Customers with a billing address in the European Economic Area or Switzerland, Customer Data will be primarily Processed and stored within the European Union.
For Customers with a billing address in the United Kingdom, Customer Data will be primarily Processed and stored within the United Kingdom.
For Customers with a billing address outside of the regions specified above, Customer Data will be routed to and Processed in the geographically closest available regional instance as determined by deline8. Customer acknowledges that this may result in the transfer of Personal Data to a country other than Customer's own. Such transfers will be governed by the mechanisms set forth in Section 5 of this DPA. In such scenarios, Customer remains the Controller and data exporter, and deline8 acts as the Processor and data importer.
2.7 Prohibition of Sensitive Data. The Services are not intended to Process special categories of personal data (as defined in GDPR Article 9) or children’s data. Customer shall not submit such data unless expressly agreed in an Order Form specifying applicable additional safeguards.
3.1 Technical and Organizational Measures. deline8 shall implement and maintain appropriate technical and organizational measures ("TOMs") designed to protect the security, confidentiality, and integrity of Customer Data, and to protect against a Personal Data Breach. Such measures are further described in Annex II to this DPA.
3.2 Confidentiality. deline8 shall ensure that its personnel authorized to Process Customer Data are subject to binding and enforceable confidentiality obligations, and that access to Customer Data is limited to those personnel who require such access to perform deline8's obligations under the Agreement.
3.3 Updates to Security Measures. deline8 may update or modify the TOMs from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services purchased by Customer during a subscription term.
4.1 General Authorization. Customer grants deline8 a general written authorization to engage Sub-processors to Process Personal Data on Customer's behalf, including those listed in Annex III to this DPA.
4.2 New Sub-processors and Right to Object. deline8 shall maintain an up-to-date list of its Sub-processors, which shall be made available to Customer upon request or via a designated website with an email subscription mechanism for updates. deline8 shall provide Customer with at least thirty (30) days' prior written notice of any intended changes concerning the addition or replacement of a Sub-processor. Customer may object to a new Sub-processor within fifteen (15) days of such notice on reasonable grounds relating to data protection. If Customer objects, the parties shall negotiate in good faith to find a commercially reasonable resolution. If no such resolution can be reached, deline8 may, at its discretion, (i) not appoint the new Sub-processor, or (ii) permit Customer to terminate the affected Services in accordance with the terms of the Agreement.
4.3 Sub-processor Obligations. deline8 shall enter into a written agreement with each Sub-processor imposing data protection obligations that are at least as protective of Customer Data as those set out in this DPA. deline8 shall remain fully liable to Customer for the performance of the Sub-processor's data protection obligations.
5.1 Transfer Mechanism. To the extent that the Processing of Personal Data by deline8 involves a transfer of Personal Data to a country outside the EEA not recognized by the European Commission as providing an adequate level of data protection (a "Restricted Transfer"), the parties agree that the Standard Contractual Clauses shall apply and are incorporated by reference into this DPA.
5.2 Incorporation of SCCs. For such transfers, the SCCs shall be deemed completed as follows:
Where Customer is the data exporter and deline8 is the data importer, Module Two (Controller to Processor) of the SCCs will apply.
Where deline8 is the data exporter and a Sub-processor is the data importer, Module Three (Processor to Processor) of the SCCs will apply.
The details required by the Annexes of the SCCs are set forth in the Annexes to this DPA.
The optional docking clause in Clause 7 will apply.
In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 4.2 of this DPA.
The optional language in Clause 11(a) shall be omitted.
In Clauses 17 and 18, the governing law and jurisdiction shall be that of Ireland.
5.3 UK Transfers. For Restricted Transfers subject to the UK GDPR, the UK Addendum is incorporated by reference and shall apply. The UK Addendum will be deemed completed with the information set out in the Annexes of this DPA.
5.4 Swiss Transfers. For Restricted Transfers subject to the FADP, the SCCs shall apply with the following modifications: (i) references to "Regulation (EU) 2016/679" shall be interpreted as references to the FADP; (ii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC); and (iii) references to the "Member State" shall be interpreted as references to Switzerland.
5.5 Transfer Impact Assessments and Supplementary Measures. deline8 will conduct and maintain transfer impact assessments for restricted transfers and implement supplementary measures where required (e.g., robust encryption in transit and at rest, strict access controls, data minimization). Upon request, deline8 will provide a high-level summary of its TIA conclusions to Customer under a non-disclosure agreement.
6.1 Assistance. Taking into account the nature of the Processing, deline8 shall provide reasonable assistance to Customer, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws ("Data Subject Requests").
6.2 Notification. If deline8 receives a Data Subject Request directly from a Data Subject, it shall, to the extent legally permitted, promptly notify Customer and shall not respond to the request itself, except to advise the Data Subject to submit their request to Customer.
7.1 Incident Notification. Upon becoming aware of a Personal Data Breach affecting Customer Data, deline8 shall notify Customer without undue delay, and in any event within forty-eight (48) hours.
7.2 Details and Cooperation. The notification shall, at a minimum, describe the nature of the Personal Data Breach, the categories and approximate number of Data Subjects and Personal Data records concerned, and the contact point for more information. deline8 shall provide reasonable cooperation and assistance to Customer in the investigation, mitigation, and remediation of each such Personal Data Breach.
8.1 Taking into account the nature of Processing and the information available to deline8, deline8 shall assist Customer in ensuring compliance with Customer’s obligations under Articles 32 to 36 of the GDPR, including breach notification to supervisory authorities and communication to data subjects, security of processing, Data Protection Impact Assessments (DPIAs) and prior consultations.
9.1 Deletion on Termination. Unless otherwise specified in an Order Form, upon termination or expiration of the Agreement, deline8 shall, at Customer's choice, delete or return all Customer Data in its possession or control. deline8 retains Customer Data for up to 90 days after termination solely for account closure, billing, and dispute resolution, after which it is deleted from active systems; backups are overwritten within 90 days thereafter. For the ‘Zero Retention’ option, if purchased, Customer Data is deleted from active systems within a contractually agreed timeframe after report generation, and backups are excluded or purged on an accelerated schedule, as confirmed in the Order Form. This requirement shall not apply to the extent deline8 is required by applicable law to retain some or all of the Customer Data. deline8 shall certify to Customer that it has deleted the Customer Data upon request.
10.1 Audit Rights. deline8 shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
10.2 Audit Mechanism. To satisfy this right, deline8 shall provide Customer, upon reasonable request, with copies of its most recent third-party audit reports (e.g., SOC 2 Type 2, ISO/IEC 27001) or other similar certifications. Onsite audits are permitted no more than once per 12-month period unless (i) required by a competent authority, (ii) following a material Personal Data Breach, or (iii) a material change to the Services’ security posture. Customer bears its own audit costs; deline8 bears its own internal costs. Any direct audit shall be subject to reasonable prior notice, a mutually agreed-upon scope, and strict confidentiality obligations.
11.1 If deline8 receives a legally binding request from a public authority for access to Customer Data, deline8 will (i) promptly notify Customer unless legally prohibited, (ii) challenge requests it considers unlawful or disproportionate, (iii) disclose only the minimum information required, and (iv) keep a record of the request and its response.
12.1 CPRA/CCPA. For purposes of the California Consumer Privacy Act, as amended by the CPRA, and other Applicable State Privacy Laws, Customer is a 'Business'/'Controller' and deline8 is a 'Service Provider'/'Processor.' deline8: (i) shall Process Personal Information only to perform the Services for Customer's business purposes and in accordance with Customer's instructions; (ii) shall not Sell or Share Personal Information, or use or disclose Personal Information for Cross-Context Behavioral Advertising or for any purpose other than the Services; (iii) shall not combine Personal Information it receives from or on behalf of Customer with Personal Information it receives from another person or collects from its own interaction with a Consumer, except as permitted by Applicable State Privacy Laws (e.g., for detecting security incidents, protecting against illegal activity, debugging, or improving the Services without profiling for advertising); (iv) shall provide reasonable assistance to enable Customer to respond to Consumer requests; (v) shall delete or return Personal Information at termination upon Customer's direction; (vi) shall ensure any subcontractor is bound by a written agreement with obligations at least as protective as these; and (vii) certifies that it understands and will comply with these restrictions.
This Annex forms part of the DPA and describes the Processing of Personal Data.
A. List of Parties
Data Exporter (Controller):
Name: The Customer, as defined in the Agreement.
Address: The Customer's address, as set out in the Agreement.
Contact Person: The Customer's contact person, as set out in the Agreement.
Activities Relevant to the Data Transferred: Obtaining technology due diligence and cloud infrastructure intelligence services from the Data Importer.
Data Importer (Processor):
Name: DELINE8.AI LIMITED
Address: Troyswood, Kilkenny, R95 H7Y0, Ireland.
Contact Person: Data Protection Officer, privacy@deline8.ai
Activities Relevant to the Data Transferred: Provision of the Services pursuant to the Agreement.
B. Description of Transfer
Subject Matter: The subject matter of the Processing is the provision of the Services by deline8 to Customer.
Nature and Purpose of Processing: The purpose of the Processing is to analyze Customer's cloud environment configurations, metadata, source code, and compliance documentation to identify and report on security risks, cost inefficiencies, scalability bottlenecks, and compliance gaps for technology due diligence purposes, as further detailed in the Agreement.
Duration of Processing: For the duration of the Agreement, and until all Customer Data is deleted or returned in accordance with Section 9 of this DPA.
Anticipated Retention Period: As specified in Section 9.1 of this DPA.
Frequency of Transfer: Continuous, as required for the provision of the Services.
Categories of Personal Data: Identification and contact data (e.g., names, email addresses), professional life data (e.g., developer roles), and IT data (e.g., user IDs, IP addresses, data in logs and source code comments).
Categories of Data Subjects: Customer's employees, contractors, system administrators, software developers, and compliance officers.
Sensitive Data Processed: No sensitive categories of data are intended to be processed, as per Section 2.7 of this DPA.
C. Competent Supervisory Authority
The competent supervisory authority shall be the Irish Data Protection Commission, in accordance with Clause 13 of the SCCs. For transfers subject to the UK GDPR, the competent authority is the UK Information Commissioner's Office. For transfers subject to the FADP, the competent authority is the Swiss FDPIC.
deline8 is committed to maintaining its ISO 27001 and SOC 2 Type II certifications. The following technical and organizational measures are implemented to ensure an appropriate level of security for Customer Data.
Control Domain - Specific Measure
Data Encryption - Customer Data is encrypted in transit using TLS 1.3 or higher and at rest using AES-256 or a comparable strong algorithm.
Key Management - Cryptographic keys are managed using a centralized Key Management Service (KMS). Key rotation is performed on a defined schedule, and duties related to key management are strictly segregated. Enterprise Tier customers may have the option for customer-managed keys (BYOK/CSEK) as specified in an Order Form.
Access Control - Access to production environments is governed by role-based access control (RBAC) on a "least privilege" and "need-to-know" basis. Multi-factor authentication (MFA) is mandatory for all personnel. Support access is granted on a just-in-time (JIT), time-bounded basis through an approval workflow, with all access recorded and audited.
Network Security - Logically isolated Virtual Private Clouds (VPCs) are used to segregate customer environments. Firewalls and other network security controls are in place to protect against unauthorized access. Regular network vulnerability scanning is performed.
Vulnerability Management - Regular vulnerability scanning is conducted. Patching SLAs are enforced based on severity (e.g., Critical: 7 days, High: 14 days). An annual penetration test is conducted by a CREST/OSCP-qualified third party, with summary reports available under NDA.
Logging & Monitoring - Centralized, immutable audit logs are maintained for all systems processing Customer Data. Logs are retained for a defined period, and access is reviewed regularly. Automated alerting is configured for security events.
Data Segregation - A logical tenant isolation model is enforced at the application and infrastructure layers to prevent data leakage between customers. Secrets are managed via a secure vault.
Secure Development (SDLC) - A secure SDLC is followed, incorporating security-by-design, threat modeling, and regular static/dynamic application security testing (SAST/DAST). A two-person code review is required for changes to sensitive services.
Supply Chain Security - A Software Bill of Materials (SBOM) is maintained. Dependencies are scanned for vulnerabilities, and builds are verified to ensure integrity.
Personnel Security - All personnel undergo background checks (where permitted) and receive regular security and data protection training. All personnel are bound by strict confidentiality agreements.
Incident Response - A documented Security Incident Response Plan is maintained, regularly reviewed, and tested. A 24/7 on-call security team responds to automated alerts.
Business Continuity & Disaster Recovery (BCDR) - Backups are encrypted and stored in-region. RPO/RTO targets are defined and tested regularly.
Physical Security - Production systems are hosted in data centers managed by major cloud providers (e.g., AWS, GCP, Azure) that maintain high physical security standards (e.g., SOC 2, ISO 27001).
Customer has authorized the use of the following Sub-processors. An up-to-date list is maintained at deline8.ai/legal.
For the purposes of the Standard Contractual Clauses, the parties agree that the information contained in Annex I and Annex II of this DPA shall serve as the corresponding information for Annex I and Annex II of the SCCs, respectively. The list of Sub-processors in Annex III of this DPA serves as the information for Annex III of the SCCs.