Data Processing Addendum
Last revised: January 27, 2025
This Data Processing Addendum supplements and, from the date on which Customer signs or otherwise agrees to this DPA, forms part of the agreement entered into between the Customer and Tracecast, Inc (“Tracecast”) on the terms set out at https://tracecast.co/terms-of-use (the "Agreement") in relation to the transfer and processing of Covered Data in connection with the performance of the Services.
1. Definitions
1.1. Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:
(a) “Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR, Swiss Data Protection Laws and the US Data Protection Laws.
(b) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.
(c) “Controller Purposes” means: (a) aggregating and anonymizing information for the purpose of undertaking internal research and development to monitor, test, improve and alter the functionality of the Services; (b) monitoring the Customer's and Authorized Users' use of the Services for billing purposes, ensuring the security of the Services and identifying fraudulent or malicious use of the Services; and (c) administering the Customer's relationship with Tracecast under the Agreement.
(d) “Covered Data” means: (a) Personal Data that is provided by or on behalf of Customer to Tracecast in connection with Customer's use of the Services, as further described in Part 1 (Processing Details) of this DPA; (b) contact information and access credentials relating to, and support requests submitted by, Authorized Users; and (c) any other Personal Data that is otherwise collected, generated or Processed by Tracecast in connection with the provision of the Services.
(e) “Customer's Controller” means, where the Customer acts as a processor or service provider (as identified in Part 1 (Processing Details)), the controller or business on whose behalf the Customer Processes Covered Data.
(f) “Data Subject” means a natural person whose Personal Data is Processed.
(g) “Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
(h) “GDPR” means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR", as defined in section 3 of the Data Protection Act 2018.
(i) “Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Applicable Data Protection Laws.
(j) “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. "Process", "Processes" and "Processed" will be interpreted accordingly.
(k) “Security Incident” means an actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
(l) “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
(m) “Sub-processor” means, with respect to any Processing performed by Tracecast as a processor or service provider, an entity appointed by Tracecast to Process Covered Data on its behalf.
(n) “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
(o) “US Data Protection Laws” means all applicable federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).
(p) “Usage Data” means Personal Data relating to Authorized Users' use of the Services, including information about how frequently Authorized Users access the Services, the pages Authorized Users view on the Services and information about the Customer Data that Authorized Users upload and manage through the Services, in each case that Tracecast collects or generates in connection with the provision of the Services.
1.2. The terms “controller”, “processor”, “business” and “service provider” have the meanings given to them in the Applicable Data Protection Laws.
2. Interaction With the Agreement
2.1. This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.
3. Role of the Parties
3.1. The Parties acknowledge and agree that:
(a) save as set out in clause 3(b) or clause 3(c), Tracecast acts as a processor or service provider in the performance of its obligations under the Agreement and this DPA and Customer acts as a controller or business;
(b) to the extent that Customer acts as a processor in respect of Covered Data on behalf of Customer's Controller, Tracecast acts as a subprocessor in the performance of its obligations under the Agreement and this DPA; and
(c) for the purposes of the GDPR, Tracecast acts as a controller with respect to the Processing of Usage Data for the Controller Purposes.
4. Details of Data Processing
4.1. The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Part 1 (Processing Details) to this DPA.
4.2. Tracecast shall comply with its obligations under Applicable Data Protection Laws. Save with respect to any Processing of Usage Data for the Controller Purposes, Tracecast shall only Process Covered Data on behalf of and under the instructions of Controller and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall constitute Customer's instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Tracecast is prohibited from:
- selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
- sharing Covered Data with any third party for cross-context behavioral advertising;
- retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;
- retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and
- except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Tracecast receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
4.3. Tracecast will:
- provide Customer with information to enable Customer (or, where applicable, Customer's Controller) to conduct and document any data protection assessments required under Applicable Data Protection Laws; and
- promptly inform Customer if, in its opinion, an instruction from Customer (or, where applicable, Customer’s Controller) infringes the Applicable Data Protection Laws.
5. Compliance
5.1. Customer shall comply with its obligations under Applicable Data Protection Laws and shall:
- provide (or ensure that the Customer's Controller provides) such information to Data Subjects regarding the Processing of their Covered Data in connection with Customer's use of the Services as required under Applicable Data Protection Laws;
- to the extent required for the lawful Processing of Covered Data under Applicable Data Protection Laws, obtain (or ensure that the Customer's Controller obtains) valid consents from Data Subjects for such Processing in the form required under Applicable Data Protection Laws; and
- implement appropriate technical and organizational measures to give effect to Data Subject rights under Applicable Data Protection Laws, and shall comply with requests from Data Subjects (or, where applicable, Customer's Controller) to exercise their rights under Applicable Data Protection Laws within the timeframe and subject to any exemptions prescribed in the Applicable Data Protection Laws.
6. Confidentiality and Disclosure
6.1. Tracecast shall:
- limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and
- ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.
7. Sub-Processors
7.1. Tracecast may Process Covered Data anywhere that Tracecast or its Sub-processors maintain facilities, subject to the remainder of this clause 7.
7.2. Where Customer directs Tracecast to Process Covered Data in a specific geographical region, Tracecast shall ensure that such Covered Data is stored and primarily Processed in that region unless otherwise required to comply with Customer's additional instructions, applicable law or as necessary to provide Services requested by Customer. Customer shall not direct Tracecast to process Covered Data in a specific region to the extent such instruction violates applicable law, and shall indemnify, defend and hold Tracecast harmless with regard to any liability arising out of any such violation.
7.3. Customer grants Tracecast general authorization (or, where applicable, has Customer's Controller's general authorization) to engage any of the Sub-processors listed in Schedule 3, as amended in accordance with clause 7.4 (the "Authorized Sub-processors"), to Process Covered Data.
7.4. Tracecast shall:
- enter into a written agreement with each Authorized Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Tracecast’s obligations under this DPA; and
- remain liable for each Authorized Sub-processor’s compliance with the obligations under this DPA.
7.5. Tracecast will provide Customer (or, where applicable, Customer's Controller) with at least fourteen (14) days’ notice of any proposed changes to Tracecast’s Sub-processors. Customer shall notify Tracecast if it or Customer's Controller objects to the proposed change to the Authorized Sub-processors (including, where applicable, when exercising its right to object under clause 9(a) of the SCCs) by providing Tracecast with written notice of the objection within five (5) days after Tracecast has provided notice to Customer (or, where applicable, Customer's Controller) of such proposed change (an “Objection”).
7.6. In the event Customer (or, where applicable, Customer's Controller) submits an Objection to Tracecast, Tracecast and Customer (and, where applicable, Customer's Controller) shall work together in good faith to find a mutually acceptable resolution to address such Objection. If Tracecast and Customer (and, where applicable, Customer's Controller) are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed fourteen (14) days, Customer may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to Tracecast.
8. Data Subject Rights Requests
8.1. Tracecast will promptly notify Customer and, where applicable, Customer's Controller of any request received by Tracecast or any Authorized Sub-processor from a Data Subject to assert their rights in relation to Covered Data under Applicable Data Protection Laws (a “Data Subject Request”).
8.2. Other than with respect to any Processing of Usage Data for the Controller Purposes, as between the Parties, Customer will have sole discretion in responding to the Data Subject Request, and Tracecast shall not respond to the Data Subject Request, save that Tracecast may advise the Data Subject that their request has been forwarded to Customer or, where applicable, Customer's Controller.
8.3. Tracecast will provide Customer with reasonable assistance as necessary for Customer to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.
9. Security
9.1. Tracecast will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
9.2. When assessing the appropriate level of security, Tracecast shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
9.3. Tracecast will implement and maintain as a minimum standard the measures set out in Schedule 2.
10. Information and Audits
10.1. Tracecast shall notify Customer promptly if Tracecast determines that it can no longer meet its obligations under Applicable Data Protection Laws.
10.2. Customer may take reasonable and appropriate steps to:
- ensure that Tracecast uses Covered Data in a manner consistent with Customer's obligations under Applicable Data Protection Laws; and
- upon reasonable notice, stop and remediate unauthorized use of Covered Data.
10.3. Customer may audit Tracecast’s compliance with this DPA at least annually. The Parties agree that all such audits will be conducted:
- upon reasonable written notice to Tracecast;
- only during Tracecast’s normal business hours; and
- in a manner that does not materially disrupt Tracecast’s business or operations.
10.4. With respect to any audits conducted in accordance with clause 10.3:
- Customer may engage a third-party auditor to conduct the audit on its behalf; and
- Tracecast shall not be required to facilitate any such audit unless and until the parties have agreed in writing the scope and timing of such audit.
10.5. Customer shall promptly notify Tracecast of any non-compliance discovered during an audit.
10.6. The results of the audit shall be Tracecast’s Confidential Information.
10.7. Upon request, Tracecast shall provide to Customer:
- data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or
- such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards.
10.8. If an audit requested by Customer is addressed in the documents or certification provided by Tracecast in accordance with clause 10.7, and:
- the certification or documentation is dated within twelve (12) months of Customer's audit request; and
- Tracecast confirms that there are no known material changes to the controls audited,
Customer agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.
11. Security Incidents
11.1. Tracecast shall notify Customer in writing without undue delay, and in any event within forty-eight (48) hours, after becoming aware of any Security Incident.
11.2. Tracecast shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.
11.3. Tracecast shall provide reasonable assistance with Customer's and, where applicable, Customer's Controller's investigation of any Security Incidents and any of Customer's and, where applicable, Customer's Controller's obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
11.4. Tracecast’s notification of or response to a Security Incident under this clause 11 shall not be construed as an acknowledgement by Tracecast of any fault or liability with respect to the Security Incident.
12. Term, Deletion, and Return
12.1. This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Tracecast’s deletion of all Covered Data as described in this DPA.
12.2. Tracecast shall:
- if requested to do so by Customer within thirty (30) days of expiry of the Agreement (the "Retention Period"), provide a copy of all Covered Data in such commonly used format as requested by Customer, or provide a self-service functionality allowing Customer to download such Covered Data; and
- on expiry of the Retention Period, delete all copies of Covered Data Processed by Tracecast or any Authorized Sub-processors.
13. Standard Contractual Clauses
13.1. The Standard Contractual Clauses shall, as further set out in Schedule 3, apply to the transfer of any Covered Data from Customer to Tracecast, and form part of this DPA, to the extent that:
- the GDPR or Swiss Data Protection Law applies to the Customer when making that transfer; or
- the Applicable Data Protection Laws that apply to the Customer when making that transfer (the "Exporter Data Protection Laws") prohibit the transfer of Covered Data to Tracecast under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:
- the relevant authority with jurisdiction over the Customer's transfer of Covered Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws; or
- such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
- established market practice in relation to transfers subject to the Exporter Data Protection Laws is to enter into standard contractual clauses approved by the European Commission to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
- the transfer is an "onward transfer" (as defined in the applicable module of the SCCs).
13.2. The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.
14. Deidentified Data
14.1. If Tracecast receives Deidentified Data from or on behalf of Customer, Tracecast shall:
- take reasonable measures to ensure the information cannot be associated with a Data Subject;
- publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
- contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.
15. General
15.1. The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
15.2. The Parties agree that the total liability of each Party, whether in contract, tort (including negligence) or under any other theory of liability, arising out of or related to this DPA (including the Standard Contractual Clauses, if and as they apply) will not exceed, in the aggregate, the total fees paid or payable by Customer under the Agreement in the twelve (12) months immediately preceding the event giving rise to such liability. Nothing in this Section 15 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the Standard Contractual Clauses (if and as they apply).
15.3. The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.
All notices to be provided by Tracecast to Customer under this DPA shall be sent to the contact details identified in Part 1 of this DPA, unless the Parties agree otherwise in writing. If no details are specified in Part 1 of this DPA, Tracecast shall send any notices under this DPA to the email address registered to the Customer's account on the Services.
SCHEDULE 1
Technical and Organizational Measures
Introduction
Tracecast employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure, or destruction.
Governance and policies
Tracecast:
- follows secure configurations for systems and software, considering security measures during project initiation and throughout development.
- reviews its security posture regularly to ensure it remains appropriate as the business evolves, and makes improvements as needed.
Breach response
Tracecast maintains reasonable internal monitoring capabilities designed to detect potential service disruptions or suspicious activity.
Tracecast has a documented incident response plan tailored to its scale and operations, which outlines how we identify, investigate, contain, and respond to potential security incidents affecting personal data. We periodically review and refine this plan as our business evolves.
Access controls
Tracecast limits access to personal data by implementing appropriate access controls, including the following:
- Access to infrastructure and internal resources is managed on the basis of the Principle of Least Privilege: individuals are granted only the privileges they require to execute their business duties, and said privilege is revoked when it is no longer needed.
- Access management is centralized to identity providers, and wherever feasible, internal services delegate both authentication and authorization to these providers. This ensures that off-boarding and privilege revocation can be handled in a timely fashion.
- User Authentication for Tracecast internal resources is protected with both a strong password policy, as well as mandatory 2FA that disallows the use of SMS-based 2FA.
- Tracecast never knowingly stores plaintext passwords; if necessary, we store hashed, salted results of authentication material, as appropriate for the use-case.
- Tracecast devices that are used for accessing internal resources enforce strong security measures, including strong passwords, use of anti-virus software, and full-disk encryption.
- Audit trails are retained of user actions performed within Tracecast infrastructure. Tracecast retains audit logs of all interactions with its internal services and all interactions with Customer projects.
- Traffic flow logs are retained that enable retroactive analysis of all connections to our infrastructure if needed.
- Only pre-approved and secure means of communicating with Tracecast services are exposed by Tracecast’s firewalls.
- All communication—including transmission of credentials—is conducted over connections protected by TLS configured with a set of modern ciphersuites.
Segmentation
- Production services are deployed in isolated environments with appropriate network controls.
- Observability data and logs are automatically segregated from customer data.
- Network isolation is enforced through our cloud infrastructure providers.
Encryption
- Stored data is encrypted at rest where appropriate using industry-standard encryption (AES-256), including any backup copies of the data.
- Sensitive configuration values and API keys are secured using Supabase Vault.
- All network communication is conducted over encrypted links protected by modern security standards (TLS 1.2, modern ciphersuites) to preserve confidentiality and integrity of the data.
Testing
Tracecast uses reasonable and appropriate security and compliance monitoring systems across its infrastructure, in order to detect any violations of its security policies.
Tracecast employs commercially reasonable security testing procedures appropriate to the size and nature of its business, which may include periodic external reviews or penetration tests by qualified third parties. Tracecast promptly addresses any material findings from such reviews.
SCHEDULE 2
Standard Contractual Clauses
1. EU SCCS
With respect to any transfers referred to in clause 13, the Standard Contractual Clauses shall be completed as follows:
1.1. The following modules of the SCCs will apply:
- where the Customer acts as a controller and Tracecast acts as a processor, Module Two (controller to processor) shall apply; and
- to the extent that Customer acts as a processor and Tracecast acts as a subprocessor, Module Three (processor to processor) shall apply.
1.2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
1.3. Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in clause 7.4 of the DPA.
1.4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
1.5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Irish law.
1.6. In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.
1.7. For the Purpose of Annex I of the Standard Contractual Clauses:
- Part 1 (Processing Details) of this DPA sets out the details of the Customer and the competent supervisory authority;
- The description of the transfer is set out in Part 1 (Processing Details) and includes the processing of contact information and access credentials relating to, and support requests submitted by, Authorized Users for the purposes of granting Authorized Users access to the Services and providing support in relation to the Services;
- the data importer is Tracecast, Inc, whose offices are located at 9169 Madison Ave STE 15106, New York, NY 10016 US and whose contact details are privacy@tracecast.co.
1.8. For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 1 of the DPA contains the technical and organizational measures.
2. UK Addendum
2.1. This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from Customer (as data exporter) to Tracecast (as data importer), to the extent that:
- the UK Data Protection Laws apply to Customer when making that transfer; or
- the transfer is an "onward transfer" as defined in the Approved Addendum.
2.2. As used in this paragraph 2:
- "Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.
- "UK Data Protection Laws" means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
2.3. The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of this DPA shall have the same effect as signing the Approved Addendum.
2.4. The Approved Addendum shall be deemed completed as follows:
- the "Addendum EU SCCs" shall refer to the SCCs as they are incorporated into this Agreement in accordance with clause 13 and this Schedule 2;
- Table 1 of the Approved Addendum shall be completed as set out in paragraph 1.7 of this Schedule 2;
- the "Appendix Information" shall refer to the information referred to in paragraph 1.7 of this Schedule 2 and set out in Schedule 1;
- for the purposes of Table 4 of the Approved Addendum, neither party may terminate the Approved Addendum in accordance with Section 19 of the Approved Addendum; and
- Section 16 of the Approved Addendum does not apply.
3. Swiss Addendum
3.1. This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.
3.2. Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
- "Addendum" means this addendum to the Clauses;
- "Clauses" means the Standard Contractual Clauses as incorporated into this DPA in accordance with clause 12 and as further specified in this Schedule 3; and
- "FDPIC" means the Federal Data Protection and Information Commissioner.
- This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfills the Parties' obligation to provide appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
- This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
- In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
3.3. Hierarchy
(a) In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
3.4. Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws. To the extent that the data exporter's Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" (as defined in the Clauses, as amended by the remainder of this paragraph 3.4), the following amendments are made to the Clauses:
- References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
- References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
- References to Regulation (EU) 2018/1725 are removed.
- References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
- Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the FDPIC;
- Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland".
- Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."
- Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect Personal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.
3.5. Supplementary provisions for transfers of Personal Data subject to both the GDPR and Swiss Data Protection Laws
- To the extent that the data exporter's Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" under both the Clauses and the Clauses as amended by the remainder of this paragraph 3.5 of this Addendum:
- for the purposes of Clause 13(a) and Part C of Annex I:
- the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer, or such transfer is an "onward transfer" as defined in the Clauses (as amended by paragraph 3.3 of this Addendum); and
- subject to the provisions of paragraph 2 of this Schedule 2 (UK Addendum), the supervisory authority identified in Part 1 (Processing Details) shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter's processing, or such transfer is an "onward transfer" as defined in the Clauses.
- the terms "European Union", "Union", "EU", and "EU Member State" shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland to bring a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses; and
- Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect Personal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.
4.1. With respect to any transfers of Personal Data referred to in clause 13.1(b) (each a "Global Transfer"), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.
4.2. For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:
- for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter's Processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.
4.3. The amendments referred to in paragraph 4.2 include (without limitation) the following:
- references to the "GDPR" and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;
- references to the "Union", "EU" and "EU Member State" are all replaced with references to the jurisdiction in which the Exporter Data Protection Laws were issued (the "Exporter Jurisdiction");
- the "competent supervisory authority" shall be the applicable supervisory authority in the Exporter Jurisdiction; and
- Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.
4.4. Where, at any time during Tracecast's Processing of Covered Data under this DPA, a transfer mechanism other than the SCCs is approved under the Exporter Data Protection Laws with respect to transfers of Covered Data by Customer to Tracecast, the Parties shall promptly enter into a supplementary agreement that:
- incorporates any standard data protection clauses or another transfer mechanism formally adopted by the relevant authority in the Exporter Jurisdiction;
- incorporates the details of Processing set out in Schedule 1;
- shall, with respect to the transfer of Personal Data subject to the Exporter Data Protection Laws, take precedence over this DPA in the event of any conflict.
4.5. Where required under the Exporter Data Protection Laws, the relevant data exporter shall file a copy of the agreement entered into in accordance with paragraph 4.4 with the relevant national authority.
SCHEDULE 3
Sub-Processors
Name of Sub-Processor | Description of Processing |
---|---|
Supabase Pte. Ltd | Database management |
Vercel, Inc | Provision of hosting services |
Upstash, Inc | Provision of serverless data hosting services |
OpenAI, LLC | Provision of natural language processing and generation services |
Stripe | Payment processing |
Google, Inc | Site analytics (web) and customer interactions (email) |
LangChain, Inc | Provision of natural language processing and generation services |