Data Processing Addendum (“DPA”)

This DPA sets forth Customer’s instructions for the processing of Personal Data in connection with the Services and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Agreement, this DPA will govern to the extent of the conflict.

  1. Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in Privacy Laws.

Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time.

EU/UK Privacy Laws” means, as applicable: (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC;

(c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

Personal Data” means any information SignalOne processes on behalf of Customer to provide the Services that is defined as “personal data” or “personal information” under any Privacy Law.

Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re- enacted or replaced from time to time.

Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.

Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area (in the case of transfers of Personal Data subject to the GDPR) or the UK (in the case of transfers of Personal Data subject to the UK GDPR), as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.

US Privacy Laws” means, as applicable, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act.

  1. Amendments. The Parties agree to negotiate in good faith modifications to this DPA if changes are required for SignalOne to continue to process the Personal Data as contemplated by the Agreement or this DPA in compliance with Privacy Laws, or to address the legal interpretation of the Privacy Laws.
  1. Roles of the Parties. The Parties acknowledge that for purposes of Privacy Laws, Customer is the “service recipient,” “controller,” “business,” or any similar term provided under Privacy Laws, and SignalOne is the “service provider,” “processor,” “contractor,” or any similar term provided under Privacy Laws.
  1. Details of Processing. The Parties agree that the details of processing are as described in Annex 1.
  1. Customer Obligations. Customer shall comply with all Privacy Laws in providing Personal Data to SignalOne in connection with the Services. Customer represents and warrants that:

(a) the Privacy Laws applicable to Customer do not prevent SignalOne from fulfilling the instructions received from Customer and performing SignalOne’s obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Customer has a lawful basis for disclosing the Personal Data to SignalOne and enabling SignalOne to process the Personal Data as set out in this DPA. Customer shall notify SignalOne without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, SignalOne shall not be required to continue processing such Personal Data.

  1. Processing of Personal Data. In processing Personal Data under the Agreement, SignalOne shall, to the extent required under applicable Privacy Laws:
  1. only process Personal Data on documented instructions from Customer, for the limited and specific purpose of performing the Services, and at all times in compliance with Privacy Laws, unless required to process such Personal Data by applicable law to which SignalOne is subject; in such a case, SignalOne shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  1. notify Customer (i) without undue delay if it makes a determination that it can no longer meet its obligations under applicable US Privacy Laws, and (ii) immediately if SignalOne, in its opinion, on the instruction of Customer, infringes applicable EU/UK Privacy Laws;
  1. to the extent required by US Privacy Laws, and upon reasonable written notice that Customer reasonably believes SignalOne is using Personal Data in violation of Privacy Laws or this DPA, grant Customer the right to take reasonable and appropriate steps to help ensure that SignalOne uses the Personal Data in a manner consistent with Customer’s obligations under Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and
  1. require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data in accordance with the Provisions of this Agreement.
  1. Prohibitions. To the extent required by applicable US Privacy Laws, SignalOne is prohibited from:
  1. selling the Personal Data;
  1. sharing the Personal Data for cross-context behavioral advertising purposes;
  1. retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the Services;
  1. retaining, using, or disclosing the Personal Data outside of the direct business relationship between SignalOne and Customer; and
  1. combining the Personal Data received from, or on behalf of, Customer with any Personal Data that may be collected from SignalOne’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources, except to perform a business purpose or as otherwise permitted by Privacy Laws.
  1. Use of Subcontractors. To the extent SignalOne engages any subcontractors to process Personal Data on its behalf and as required by applicable Privacy Laws:
  1. Customer hereby grants SignalOne general written authorization to engage the subcontractors set out in Annex 2, subject to the requirements of this Section 8.
  1. If SignalOne appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor, it shall provide Customer with 7 business days’ prior written notice, during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Privacy Laws (and if Customer does not so object, SignalOne may proceed with the appointment or replacement).
  1. SignalOne shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant subcontractor than the obligations on SignalOne under this DPA.
  1. In the event SignalOne engages a subcontractor to carry out specific processing activities on behalf of Customer pursuant to EU/UK Privacy Laws, where that subcontractor fails to fulfil its obligations, SignalOne shall remain fully liable under applicable EU/UK Privacy Laws to Customer for the performance of that subcontractor’s obligations.
  1. Assistance. To the extent required by Privacy Laws, and taking into account the nature of the processing, SignalOne shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide reasonable assistance to Customer, through appropriate technical and organizational measures, in:
  1. responding to requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible;
  1. implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure;
  1. notifying relevant competent authorities and/or affected individuals of Personal Data breaches;
  1. conducting any mandatory data protection impact assessments where required under applicable EU/UK Privacy Laws and, if required, prior consultation with relevant competent authorities; and
  1. entering into this DPA.
  1. Security Measures. To the extent required under applicable Privacy Laws, SignalOne shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement, and ensure that its authorized personnel comply with, appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 3, or otherwise agreed and documented between Customer and SignalOne from time to time. To the extent required by Privacy Laws, SignalOne shall without undue delay notify Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, with further information about the breach provided in phases as more details become available.
  1. Access and Audits. To the extent required under applicable Privacy Laws and upon reasonable request of Customer, SignalOne shall make available to Customer such information in its possession as is reasonably necessary to demonstrate SignalOne’s compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer and reasonably accepted by SignalOne. Customer shall be permitted to conduct such an assessment, during normal business hours, no more than once every 12 months, upon 30 days’ advance written notice to SignalOne, and only after the Parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. Customer shall be responsible for any reasonable costs raising from audits under this Section 11. As an alternative to an audit performed by or at the direction of Customer, to the extent permitted by Privacy Laws, SignalOne may arrange for a qualified and independent auditor to conduct, at Customer’s expense, an assessment of SignalOne’s policies and technical and organizational measures in support of its obligations under Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment, and will provide a report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall SignalOne be required to give Customer access to information, facilities or systems to the extent doing so would cause SignalOne to be in violation of confidentiality obligations owed to other customers or its legal obligations.
  1. Deletion of Personal Data. To the extent required under applicable Privacy Laws and at Customer’s written direction, SignalOne shall delete or return all Personal Data to Customer as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law.
  1. Data Transfers. Customer authorizes SignalOne and its subcontractors to make international data transfers of Personal Data in accordance with this DPA and in compliance with Privacy Laws applicable to the transfer. To the extent SignalOne processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, SignalOne shall comply with the data importer’s obligations and Customer shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:
  1. for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, Customer is a controller and SignalOne is a processor, and the parties, contact

person’s details and processing details set out in the Agreement, this DPA and Annex 1 shall apply and the Start Date is the effective date of the Agreement, and the signature(s) (in any form) given in connection with the execution of this Agreement by a party and the dates of such signature(s) shall apply as the dated signature required from that party;;

  1. if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 13;
  1. for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organizational security measures, and the technical and organizational measures taken by SignalOne to assist Customer, as each are set out in Annex 3, shall apply;
  1. if applicable, for the purposes of: (i) Clause 9, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 8 shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the Irish Data Protection Commission; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be the courts of Ireland; (vi) Part 1, SignalOne as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.

Customer acknowledges and agrees that SignalOne may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, SignalOne shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer.

ANNEX 1

Details of Processing

Nature of the processing

For purposes of fulfilling SignalOne’s obligations to Customer under the Agreement and the DPA

Purpose(s) of the processing

For SignalOne to provide the Services to Customer pursuant to the Agreement

Categories of individuals whose Personal Data is processed

Data subjects include the individuals about whom Personal Data is collected by SignalOne on Customer’s behalf or otherwise provided to SignalOne by Customer

Categories of Personal Data processed

Data relating to individuals collected by SignalOne on Customer’s behalf or otherwise provided to SignalOne by Customer

Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws

N/A

Frequency (e.g. one-off or continuous) and duration of the processing

Continuously, for the length of the Agreement between the parties

The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 8 is as set out in this Annex 1 [and in Annex 2]

ANNEX 2

Authorized Sub-Processors

Name of Sub-Processor Type of Service Location of Processing Activity
Github Data platform United States
Posthog Customer data platform United States
Google Analytics Customer data platform United States
Supabase Data platform United States
SupaBase – Postgres Data platform United States
AWS Cloud computing United States
PayPal Payment platform United States
Stripe Payment platform United States
Slack (configurable) Messaging platform United States
OpenAI (configurable) API United States

ANNEX 3

Security Measures

This Information Security Addendum (“Addendum”) describes the technical and organizational measures implemented by SignalOne to ensure an appropriate level of security. In the event of a conflict between the terms of the DPA and this Addendum, the terms of the DPA will apply. Capitalized terms used but not defined herein have the meaning set forth in the DPA.

At a minimum, SignalOne will implement and maintain the following security measures in connection with the Services to be provided under the Agreement:

  1. ISMS. SignalOne will implement and maintain an information security management system (“ISMS”) that includes reasonable management of security controls and continuous improvement.
  2. Background Checks. SignalOne will conduct background checks on all employees and contractors that have access to Personal Data that is provided by or on behalf of Customer to SignalOne and is accessed, stored, or otherwise processed by SignalOne pursuant to the Agreement (“Customer Data”).
  3. Access Controls. SignalOne will implement and maintain appropriate access controls to prevent unauthorized access to Customer Data, including, without limitation, segregation of duties in its assignment of all critical job functions related to the Services involving Customer Data and appropriate two-factor authentication.
  4. Training. SignalOne will require all employees and contractors who assist in the performance of the Services for Customer to complete an annual security and privacy awareness training.
  5. Passwords. SignalOne will implement and maintain strong password configuration requirements.
  6. Encryption. SignalOne will encrypt Customer Data both in transit and at rest using industry best standards.
  7. Network and Host Security. SignalOne will implement and maintain reasonable network and host security controls, including without limitation firewalls, intrusion detection and/or intrusion prevention systems and patching of servers.
  8. Physical Security. SignalOne will ensure the physical security of servers where Customer Data will be stored, and of laptops and other devices, such as mobile devices, where Customer Data will be accessed.
  9. Security Assessments. SignalOne will conduct an annual SOC2 Type II audit covering a period of 3-6 months at SignalOne’s sole cost and expense.
  10. Security Logs. SignalOne will implement and maintain security log monitoring.
  11. Subcontracting. SignalOne will ensure that any and all subcontractors that assist in the performance of the Services have completed a security assessment to confirm that the provider can maintain appropriate security and privacy controls.
  12. Data Retention/Deletion. SignalOne will retain Customer Data only for as long as required by terms of the DPA or otherwise permitted under the Agreement. Within ninety (90) calendar days of termination of the Agreement for any reason or of the expiry of its term, SignalOne will

permanently delete or, if directed in writing by Customer, return and not retain, the Customer Data, including any backups in its possession or control, except that such backups may be maintained solely to comply with legal requirements, and promptly provide written proof of such deletion to Customer.

  1. Backup and Recovery. SignalOne will implement and maintain standard back up processes for recovering Customer Data in the event Services are disrupted.