JupiterOne Policies, Standards, and Procedures

GDPR Data Processing Agreement/Addendum (“DPA”)

Data Protection Addendum

This Data Protection Addendum (this “Addendum”) is made and entered into as of the date appearing on the signature page hereto (the “Effective Date”) by and between JupiterOne, Inc. (“Company”) and the Supplier named on the signature page hereto, and upon execution shall be incorporated by reference into each agreement for services (“Services Agreement”) pursuant to which Supplier may Process (as defined below) Personal Data (as defined below) for, from, or on behalf of Company.

A. Personal Data Protection

For the purposes of this Addendum, the terms “Controller”, “Data Subjects”, “Personal Data”, “Processor” and “Process” shall have the meaning as defined in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) or any successor European Union data protection framework; and “Data Protection Laws” means the GDPR and any applicable European data protection laws and regulations and any other applicable data protection and privacy laws and regulations.

The parties agree that to the extent Supplier, in the context of performing the agreed services, processes any Personal Data of Company, Supplier shall be the Processor and Company shall be the Controller of such Personal Data. Further details of the Processing activities to be performed by Processor are described on the attached Exhibit 1 (Description of Processing), incorporated herein by reference.

  1. Supplier Obligations. With respect to the Processing of Personal Data, Supplier undertakes the following as Processor:

(a) to process Personal Data only as reasonably necessary for the provision of Services and consistent with the Services Agreement, in accordance with the terms of this Addendum and any other documented and agreed-upon lawful instructions provided by Company, unless (i) Company has given its express prior consent, or (ii) Supplier is required to do so under applicable European Data Protection Law (as defined below); in such a case, Supplier shall to the extent permitted by applicable law inform Company of that legal requirement before Processing.

(b) to ensure that any person who is authorized by Company to Process Personal Data (including its staff, agents, and subcontractors) are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

(c) to engage Sub-processors, including affiliated companies, to Process Personal Data on Supplier’s behalf, including any Sub-processor currently engaged by Supplier. Supplier shall enter into a written agreement with the Sub-Processor which requires the Sub-Processor to protect the Personal Data to the same standard required by this Addendum. Supplier shall take commercially reasonable measures to ensure that Sub-Processors have the requisite capabilities to Process Personal Data in accordance with this Addendum.

Supplier shall remain responsible for its compliance with the obligations in this Addendum and for any acts or omissions of the Sub-processor that cause Company to breach any of its obligations under this Addendum. Supplier will notify Company in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this Addendum, which may be done by email or posting on a website identified by Supplier to Company. Company must raise any objection to posted Sub-processors within five (5) calendar days of the posted update. Company’s objection shall only be effective if submitted to Supplier in writing, specifically describing Company’s reasonable belief that Supplier’s proposed use of the Sub-processor(s) will materially, adversely affect Company’s compliance with GDPR. In any such case, the parties will make reasonable efforts to reconcile the matter. In the event Company’s concern cannot be resolved, Supplier may terminate the Services Agreement with no penalty and Company shall immediately pay all fees and costs then owing and incurred by Supplier as a result of termination.

(d) at Company’s written direction and to the extent required by Data Protection Laws, to provide reasonable assistance to Company to facilitate such actions in response to any commercially reasonable request by Company to correct, amend, or delete Personal Data, or block or restrict Processing of Personal Data, taking into account the information available to Supplier. Supplier shall, to the extent legally permitted, promptly notify Company if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. Supplier shall provide Company with commercially reasonable cooperation and assistance in relation to handling of a data subject’s request, to the extent legally permitted and to the extent Company does not have the ability to address the request independently.

(e) to provide commercially reasonable cooperation to assist Company in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Services Agreement. In the event that any such request is made directly to Supplier, Supplier shall not respond to such communication directly without Company’s prior authorization, unless legally compelled to do so. If Supplier is required to respond to such a request, Supplier shall promptly notify Company and provide it with a copy of the request unless legally prohibited from doing so.

(f) upon Company’s written request, to provide Company with reasonable cooperation and assistance as needed to fulfill Company’s obligation under GDPR to carry out a data protection impact assessment related to Company’s use of the Services, to the extent Company does not otherwise have access to the relevant information, and to the extent such information is available to Supplier. Supplier shall further provide reasonable assistance to Company in the cooperation or prior consultation with the supervisory authority in the performance of its tasks, to the extent required under GDPR.

(g) to notify Company without undue delay after becoming aware of any Data Breach. Supplier shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as Supplier deems necessary and reasonable to remediate the cause of such Data Breach. Supplier shall provide information related to the Data Breach to Company in a timely fashion and as reasonably necessary for Supplier to maintain compliance with Data Protection Laws. As used herein, “Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data Processed by Supplier or a Sub-processor.

(h) to provide written responses (on a confidential basis) to all reasonable requests for information made by Company regarding Processing of Personal Data, including responses to information security reviews that are necessary to confirm Supplier’s compliance with this Addendum. To the extent Supplier’s responses are not sufficient to enable Company to satisfy its obligations under applicable Data Protection Laws, Supplier shall cooperate with audits and inspections performed by Company or a vendor of Company reasonably acceptable to Supplier, provided however, that any audit or inspection: (i) may not be performed unless necessary to determine Supplier’s compliance with this Addendum and Company reasonably believes that Company is not complying with this Addendum, or as otherwise specifically required by applicable Data Protection Laws; (ii) must be conducted at Company’s sole expense and subject to reasonable fees and costs charged by Supplier; (iii) may be conducted on no less than thirty (30) days prior written notice from Company, at a date and time and for a duration mutually agreed by the parties; and (iv) must be performed in a manner that does not cause any damage, injury, or disruption to Supplier’s premises, equipment, personnel, or business. Notwithstanding the foregoing, Supplier will not be required to disclose any proprietary or privileged information to Company or an agent or vendor of Company in connection with any audit or inspection undertaken pursuant to this Addendum.

  2. Law Enforcement Requests. If a law enforcement or other governmental agency sends Supplier a request or other lawful process for Personal Data (for example, a subpoena or court order), Supplier may attempt to redirect the agency to request that data directly from Company. As part of this effort, Supplier may provide Company’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Supplier shall give Company reasonable notice of the demand to allow Company to seek a protective order or other appropriate remedy unless Supplier is legally prohibited from doing so.

  3. Data Security. Each party shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage. Supplier shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches, including the security measures described on Exhibit 1 to this Addendum. Company agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or backup Personal Data, as well as the security obligations outlined in the Services Agreement.

  4. Company Obligations. Company agrees that (i) it shall comply with its obligations as a Data Controller under the Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Suppliers; and (ii) it has provided all notices, and obtained all consents and rights, necessary under Data Protection Laws for Supplier to Process Personal Data and provide the Services as described in the Services Agreement. Company shall immediately notify Supplier and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.

Company shall ensure that Company is entitled to transfer the relevant Personal Data to Supplier so that Supplier may lawfully use, process, and transfer the Personal Data in accordance with the Services Agreement on the Company’s behalf. Supplier will not be liable for any claim brought against Supplier arising from any action or omission by Company to the extent that such action or omission resulted directly from Company’s instructions and/or any failure of Company to comply with this Addendum.

  5. International Transfers. Supplier may Process Personal Data anywhere in the world where Supplier or its Sub-processors maintain data Processing operations. Supplier shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws. To the extent Supplier’s performance of the Services requires the transfer of Personal Data from within the EEA to a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the GDPR), the Standard Contractual Clauses will apply to the transfer and are incorporated by reference herein.

B. Termination. In the event of Supplier’s violation of any obligation under Data Protection Laws or this Addendum, Company, without prejudice to any other rights which it may have, shall be entitled to terminate any Services Agreement forthwith. Any terms of this Addendum that by their nature extend beyond the termination of the Services Agreement, including without limitation this Addendum, Section A(i), shall remain in effect. Upon expiration or termination of the Services Agreement, Supplier shall (at Company’s election) delete or return, if feasible, to Company all Personal Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent Supplier is required by applicable law to retain some or all of the Personal Data; or (ii) to Personal Data Supplier has archived on back-up systems. In all such cases, Supplier shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. The terms of this Addendum shall survive for so long as Supplier continues to retain any Personal Data.

C. Precedence. In the event of a conflict between this Addendum and other provisions of the Services Agreement, this Addendum shall prevail. Any claims brought under or in connection with this Addendum shall be subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Services Agreement.

D. Miscellaneous. Except as may be otherwise provided pursuant to the Standard Contractual Clauses, no one other than a party to this Addendum, its successors and permitted assignees shall have any right to enforce any of its terms. Unless otherwise required by the Standard Contractual Clauses or other data transfer requirements, this Addendum will be subject to the governing law identified in the Services Agreement without giving effect to conflict of laws principles.

[Signature page follows.]

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed as of ________, ___, 20___ by their respective officers thereunto duly authorized.

COMPANY: JupiterOne, Inc.

By:

Name:

Title:

SUPPLIER: ________________________

By:

Name:

Title:

Exhibit 1 to Data Protection Addendum

Description of Processing

A. Subject-matter, nature and purpose of the Processing

Supplier provides certain services to Company, including its software platform for asset discovery, configuration management, cybersecurity and compliance, as further specified in the Services Agreement.

In the context of performing the obligations under the Services Agreement, Supplier may Process certain of Company’s Personal Data as necessary for the purposes as specified in the Services Agreement. Such processing may include: hosting the data provided by the Company in its software platform and providing access to the authorized users of the Company for data analysis.

B. Duration of the Processing

The agreed Processing of Personal Data shall commence upon the effective date of the Services Agreement and be carried out for the term of the Services Agreement. The services relating to Processing of Personal Data shall automatically end in case the Services Agreement is effectively terminated or expires, in which case the Personal Data shall be handled in accordance with Section B of the Services Agreement. To the extent the Processing of Personal Data by Supplier is necessary for the winding-up of the Services Agreement, e.g. with respect to returning the Personal Data, the provisions of Section B of the Services Agreement shall continue to apply until the completion of the winding-up.

C. Categories of Data Subjects

The Processing will concern the following categories of Data Subjects:

a. Managers, employees, agents or other contact persons at business partners

D. Types of Personal Data

The Processing will concern the following types of Personal Data:

Managers, employees, agents or other contact persons at business partners: contact details (name, address, phone number and direct line, e-mail address).

The Processing will not include any special categories of data.

The Processing will not include Personal Data relating to criminal convictions and offenses.

E. Technical and Organizational Security

Supplier has implemented and will maintain the following technical and organizational security measures for the Processing of Personal Data:

Supplier’s software-as-a-service platform services are hosted by Amazon Web Services (AWS), with its security program implemented according to AWS’s Shared Security Model. Personal Data through the platform is encrypted at rest using the AES cryptographic algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys, and data in transit through the platform is encrypted via 256-bit AES session keys for TLS encryption. Supplier employs 24 x 7 monitoring systems at the application and infrastructure layers to monitor performance, availability, capacity, and security of the cloud-native platform. Supplier’s in-house cybersecurity team manages security, risk-management and compliance services. Additionally, 3rd-party cybersecurity firms may be used to provide specialized services like penetration testing. Supplier maintains compliance with the SOC2 Security compliance framework.

Exhibit 2 to Data Processing Addendum

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

The entity identified as “Company” in the Addendum (the “data exporter”)

and

JupiterOne, Inc. 2701 Aerial Center Pkwy, Suite 120, Morrisville, NC 27560, United States (the “data importer”)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in the Processing Appendix which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, (ii) any accidental or unauthorised access, and (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

Data exporter

The data exporter is the entity identified as “Company” in the Addendum, and uses the data importer’s software-as-a-service platform in connection with the management and monitoring of security configuration and events in its IT environments.

Data importer

The data importer is a provider of a software-as-a-service platform and associated professional services used in connection with managing and monitoring of security configuration and events in its customers’ IT environments.

Data subjects

Data subjects are defined in Section A.1(a) of the Addendum.

Categories of data

The categories of Personal Data are defined in Section A.1(a) of the Addendum.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Special categories of data are not required or contemplated under the service.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The nature of the Processing of Personal Data is providing the Services as described in the Services Agreement.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The data importer shall implement and maintain the technical and organizational security measures described on Exhibit 1 of the Addendum.