Data Processing Addendum
Last Updated: May 11, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Octelligence Inc. ("Octelligence", "we", "us", or "our") and the customer identified in the applicable Order or click-through acceptance ("Customer") for the use of the Octelligence Service (the "Agreement"). This DPA governs the processing of Personal Information by Octelligence on behalf of Customer in connection with the Service. Where there is a conflict between this DPA and the rest of the Agreement, this DPA controls with respect to the processing of Personal Information.
1. Definitions
Capitalized terms used and not defined in this DPA have the meanings given in the Agreement. The following terms have the meanings set out below:
- "Applicable Data Protection Laws" means all data-protection and privacy laws applicable to the processing of Personal Information under the Agreement, including the GDPR, the UK GDPR, the CCPA/CPRA, other U.S. state privacy laws, PIPEDA, and equivalent laws.
- "Personal Information" means information relating to an identified or identifiable individual that is processed by Octelligence on behalf of Customer in connection with the Service, including "personal data" under the GDPR/UK GDPR and "personal information" under the CCPA/CPRA. Personal Information is a subset of Customer Data.
- "Controller", "Processor", "Data Subject", "Processing", and "Personal Data Breach" have the meanings given in the GDPR (and, with respect to CCPA, the equivalent terms "Business," "Service Provider," and "Consumer").
- "Sub-Processor" means any third party engaged by Octelligence to process Personal Information on behalf of Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, approved by the European Commission Implementing Decision (EU) 2021/914.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner.
2. Roles & Scope
For purposes of this DPA, with respect to Personal Information that Customer or its Authorized Users upload to, generate in, or transmit through the Service ("Customer-Submitted Personal Information"):
- Customer is the Controller (or, under CCPA, the Business), or acts on behalf of another Controller.
- Octelligence is the Processor (or, under CCPA, the Service Provider).
For Personal Information that Octelligence collects directly about Customer's account administrators, billing contacts, support personnel, and website visitors, Octelligence acts as a Controller and the processing is governed by the Octelligence Privacy Policy, not this DPA.
3. Details of Processing
The subject matter, duration, nature and purpose of processing, types of Personal Information, and categories of Data Subjects are described in Annex A.
4. Customer Obligations & Instructions
Customer:
- Represents and warrants that it has all rights, consents, notices, and lawful bases necessary for Octelligence to process the Customer-Submitted Personal Information as contemplated by the Agreement and this DPA.
- Is solely responsible for the accuracy, quality, and legality of the Customer-Submitted Personal Information and the means by which it acquired such information.
- Will not instruct Octelligence to process Personal Information in a manner that would violate Applicable Data Protection Laws.
- Will provide reasonable assistance to Octelligence in responding to inquiries from Data Subjects, regulators, or other competent authorities relating to processing under the Agreement.
Octelligence will process Customer-Submitted Personal Information only (a) on the documented instructions of Customer (including as set out in the Agreement, this DPA, and the configuration and use of the Service by Customer), (b) as necessary to provide and support the Service, prevent or address technical or security issues, and comply with applicable law, and (c) as otherwise required by law (in which case Octelligence will, where legally permitted, inform Customer of the requirement before processing).
5. Octelligence Obligations
Octelligence will:
- Process Customer-Submitted Personal Information only as described in Section 4.
- Implement appropriate technical and organizational measures as described in Annex B to protect the security, confidentiality, and integrity of Personal Information.
- Ensure that personnel authorized to process Personal Information are bound by appropriate confidentiality obligations.
- Make available to Customer, in reasonable form, the information necessary to demonstrate compliance with this DPA.
- Promptly inform Customer if, in Octelligence's reasonable opinion, an instruction from Customer infringes Applicable Data Protection Laws.
6. Personnel Confidentiality
Octelligence limits access to Personal Information to personnel who need access to perform their duties under the Agreement, and binds those personnel to written confidentiality obligations that survive termination of their engagement.
7. Security Measures
Octelligence has implemented and will maintain appropriate technical and organizational measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. These measures are summarized in Annex B. Octelligence may update the measures from time to time, provided that the updated measures will provide at least an equivalent level of protection.
8. Sub-Processors
Customer authorizes Octelligence to engage Sub-Processors to process Personal Information on Customer's behalf, subject to the following:
- Octelligence will impose data-protection obligations on each Sub-Processor that are no less protective than those set out in this DPA.
- Octelligence will remain responsible for the acts and omissions of its Sub-Processors with respect to Personal Information.
- Octelligence maintains a current list of Sub-Processors at /global/en/subprocessors/ (also incorporated as Annex C).
- Octelligence will provide at least thirty (30) days' advance notice before adding or replacing a Sub-Processor that processes Customer-Submitted Personal Information.
- Customer may object in writing to a new Sub-Processor on reasonable, documented data-protection grounds within thirty (30) days of notice. The parties will work in good faith to address the objection. If the objection cannot be resolved, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid, unused fees for the remaining Subscription Term as its sole remedy.
9. International Data Transfers
Octelligence may transfer Personal Information to jurisdictions outside the country in which Customer is established, including the United States, in connection with the operation of the Service. Where Customer-Submitted Personal Information originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision under Applicable Data Protection Laws:
- The parties incorporate by reference the Standard Contractual Clauses (Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as applicable to the parties' roles).
- For transfers subject to the UK GDPR, the UK Addendum is incorporated by reference, with the SCCs as the "Approved EU SCCs" and this DPA completing the required tables (Customer is the Data Exporter; Octelligence is the Data Importer; the Annexes to the SCCs are Annexes A through C of this DPA; the optional docking clause applies; and the optional language for redress is selected).
- For transfers subject to Swiss data protection law, references to the GDPR in the SCCs are deemed to include references to the Swiss Federal Act on Data Protection, and the supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
Octelligence implements supplementary technical, organizational, and contractual measures, where appropriate, to address any risk that the laws or practices of the recipient country may impinge on the protection afforded by the SCCs.
10. Personal Data Breach
Octelligence will notify Customer of a confirmed Personal Data Breach affecting Customer-Submitted Personal Information without undue delay after becoming aware of it, and in any event within seventy-two (72) hours where required by Applicable Data Protection Laws. The notice will include the information reasonably available to Octelligence at the time, and will be supplemented as additional information becomes available, including:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The contact point for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and to mitigate possible adverse effects.
Octelligence's notification of, or response to, a Personal Data Breach under this Section is not an acknowledgement by Octelligence of any fault or liability.
11. Data Subject Rights
Octelligence will provide reasonable assistance to Customer, taking into account the nature of the processing and the information available to Octelligence, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising rights under Applicable Data Protection Laws (such as access, rectification, deletion, restriction, portability, and objection). If Octelligence receives a request from a Data Subject relating to Customer-Submitted Personal Information, Octelligence will, unless prohibited by law, promptly forward the request to Customer and will not respond to the Data Subject directly except to confirm that the request has been forwarded.
12. Audits & Records
Octelligence will make available to Customer, on reasonable request and subject to confidentiality obligations, information reasonably necessary to demonstrate compliance with this DPA, including:
- Then-current third-party audit reports or certifications (such as SOC 2 reports, if and when available).
- Summaries of security policies and procedures relevant to the Service.
- Responses to reasonable written security or privacy questionnaires.
Where the information described above is insufficient for Customer to demonstrate compliance with Applicable Data Protection Laws, Customer (or an independent third-party auditor that is not a competitor of Octelligence and that is subject to obligations of confidentiality) may, on at least sixty (60) days' written notice and not more than once per twelve (12) month period (except where required by a competent authority or following a confirmed Personal Data Breach affecting Customer), conduct an audit limited to records, policies, and procedures relevant to compliance with this DPA. Audits will be conducted during regular business hours, will not unreasonably interfere with Octelligence's operations, and will be at Customer's expense. The parties will agree the scope and timing in advance and in good faith.
13. Return & Deletion of Personal Information
On termination or expiration of the Agreement, Octelligence will, at Customer's choice and within a reasonable period (not to exceed ninety (90) days unless otherwise agreed), make Customer-Submitted Personal Information available for export in standard, machine-readable formats made available by the Service, after which Octelligence will delete or de-identify Customer-Submitted Personal Information in accordance with the Octelligence retention practices described in the Privacy Policy, except as required by Applicable Data Protection Laws or other applicable law.
14. California-Specific Terms
To the extent Octelligence processes Personal Information that constitutes "personal information" under the CCPA/CPRA on behalf of a Customer that is a "Business":
- Octelligence is a "Service Provider" with respect to such Personal Information.
- Octelligence will not (a) "sell" or "share" such Personal Information, (b) retain, use, or disclose it for any purpose other than the "business purposes" specified in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA, (c) retain, use, or disclose it outside the direct business relationship between Customer and Octelligence, or (d) combine such Personal Information with personal information received from other sources, except as permitted by the CCPA/CPRA.
- Octelligence will provide the same level of privacy protection to such Personal Information as is required of Businesses by the CCPA/CPRA, and will notify Customer if it determines it can no longer meet this obligation.
- Customer has the right, on reasonable notice, to take reasonable and appropriate steps to ensure Octelligence uses the Personal Information in a manner consistent with Customer's obligations under the CCPA/CPRA, and to stop and remediate unauthorized use of Personal Information.
15. GDPR / UK GDPR Terms
With respect to processing subject to the GDPR or the UK GDPR, the parties incorporate the obligations set out in Article 28 of the GDPR (as applied by the UK GDPR) through this DPA, including the provisions on processing only on instructions, confidentiality, security, sub-processors, data subject rights, breach notification, assistance, deletion or return, and audits. References in this DPA to specific Articles of the GDPR are deemed to include references to the corresponding provisions of the UK GDPR.
16. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort (including negligence), or under any other theory of liability, is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited or excluded under Applicable Data Protection Laws.
17. Term & Termination
This DPA becomes effective on the effective date of the Agreement and remains in effect for the duration of the Agreement and as long as Octelligence processes Customer-Submitted Personal Information. Termination of the Agreement automatically terminates this DPA, except for provisions that by their nature should survive (including Sections 7, 10, 13, 16, and 18).
18. General
This DPA is governed by the law and subject to the venue specified in the Agreement, except where Applicable Data Protection Laws require otherwise. If any provision is held unenforceable, the remaining provisions remain in full force. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
Annex A: Processing Description
A.1 Subject matter
Processing of Personal Information as necessary to provide the Octelligence corporate record management Service to Customer, including hosting, storing, organizing, retrieving, and transmitting Customer Data.
A.2 Duration
For the duration of the Agreement and any post-termination periods described in the Agreement or this DPA.
A.3 Nature and purpose
Storage, processing, transmission, and management of corporate records, governance documents, share registers, cap tables, and related metadata to enable the functionality of the Service.
A.4 Categories of Data Subjects
- Customer's account administrators and Authorized Users.
- Directors, officers, shareholders, members, partners, beneficial owners, employees, advisors, and other individuals identified in the corporate records managed by Customer in the Service.
A.5 Categories of Personal Information
- Identifiers (name, email address, postal address, telephone number, account credentials, user identifiers).
- Professional and employment information (role, title, signing authority).
- Equity-related information (share class, number of shares, certificate numbers, dates of issuance and transfer).
- Records and documents uploaded by Customer that may incidentally contain Personal Information.
- Technical data (IP address, browser, device identifiers, log data).
A.6 Sensitive or special-category data
The Service is not designed to process special categories of personal data (as defined in Article 9 GDPR) or sensitive personal information (as defined under the CCPA/CPRA), and Customer should not upload such information unless expressly agreed in writing.
A.7 Frequency of transfer
Continuous, for the duration of the Agreement.
A.8 Retention
As described in the Octelligence Privacy Policy and, where applicable, the Agreement.
Annex B: Security Measures
Octelligence has implemented and will maintain the following technical and organizational measures designed to protect Personal Information. The specific measures may evolve as the Service and threat landscape change, provided that updated measures will provide at least an equivalent level of protection.
B.1 Access controls
- Role-based access controls within the Service.
- Principle of least privilege for administrative and operational access.
- Multi-factor authentication for personnel access to production systems where supported.
- Logical separation of customer data.
B.2 Encryption
- Encryption in transit using TLS for connections between users and the Service.
- Encryption at rest within hosting infrastructure for production data stores.
- Secure credential and secret management practices for application secrets.
B.3 Operational security
- Activity audit logging within the Service.
- Network segmentation and security-group controls within the hosting environment.
- Vulnerability scanning and patch management for application and infrastructure components.
- Backup and disaster-recovery practices for production data.
- Documented incident response procedures.
B.4 Organizational measures
- Written confidentiality obligations for personnel with access to Personal Information.
- Security awareness training for personnel.
- Vendor risk review for Sub-Processors with access to Personal Information.
- Periodic review of security policies and controls.
Annex C: Sub-Processors
The current list of Sub-Processors is maintained at /global/en/subprocessors/ and is incorporated into this DPA by reference. Octelligence will provide notice of changes as described in Section 8.