# Data Processing Agreement (SaaS)

Updated June 5th, 2026

**DATA PROCESSING AGREEMENT — CONDUKTOR IVY HOSTED (SAAS) PLATFORM**

This Data Processing Agreement ("**DPA**") sets out the terms and conditions under which Conduktor Inc. ("**Processor**" or "**Conduktor**") Processes Personal Data on behalf of the Customer ("**Controller**") in connection with Conduktor's hosted, cloud-based "Ivy" platform and related services (the "SaaS Services" as defined in the Agreement, referred to in this DPA as the "Services"), as governed by the [End User License Agreement: SaaS Services](https://www.conduktor.io/legal/eula-saas) or other applicable agreement between the parties (the "Agreement"). Unless otherwise defined in this DPA, capitalized terms have the meanings given to them in the Agreement. In the event of any conflict between this DPA and the Agreement, the terms of this DPA prevail with respect to the Processing of Personal Data.

**1\. DEFINITIONS**

Capitalized terms used but not defined within this DPA have the meaning set forth in the Agreement. The following terms used in this DPA are defined as follows:

"**Applicable Data Protection Laws**" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, including the GDPR, the UK GDPR, Swiss Data Protection Laws, and US State Privacy Laws, as they may be amended or updated from time to time.

"**Controller Affiliate**" means an affiliate of Controller that is a beneficiary under the Agreement.

"**Covered Data**" means Personal Data that is: (a) provided by or on behalf of Controller to Processor in connection with the Services; or (b) obtained, developed, produced, or otherwise Processed by Processor, or its agents or Sub-processors, for purposes of providing the Services.

"**Data Subject**" means a natural person (or, where protected under Applicable Data Protection Laws, a household or consumer) whose Personal Data is Processed.

"**Deidentified Data**" means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.

"**EEA**" means the European Economic Area, including the European Union ("EU").

"**GDPR**" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, or, where applicable, the equivalent provision under Swiss Data Protection Laws.

"**Member State**" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.

"**Personal Data**" means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data under Applicable Data Protection Laws.

"**Processing**" means any operation or set of operations performed on Personal Data, whether or not by automated means. "Process," "Processes," and "Processed" are interpreted accordingly.

"**Security Incident**" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to) Covered Data.

"**Services**" means the SaaS Services (as defined in the Agreement), being the hosted Ivy platform and related services provided by Processor pursuant to the Agreement.

"**Standard Contractual Clauses**" or "**SCCs**" means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

"**Sub-processor**" means an entity appointed by Processor to Process Covered Data on its behalf.

"**UK**" means the United Kingdom.

"**US State Privacy Laws**" means, to the extent applicable, US state laws relating to data protection, privacy, and the Processing of Personal Data, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the "CCPA/CPRA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and other comparable US state privacy laws in force from time to time.

**2\. INTERACTION WITH THE AGREEMENT**

2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.

2.2 Any Processing operation as described in clause 4 (Details of Data Processing) and Schedule 1 to this DPA will be subject to this DPA.

2.3 Controller Affiliates will be beneficiaries under this DPA and, through Controller, be entitled to enforce all rights in relation to Covered Data provided by the respective Affiliate. Controller will ensure that all obligations under this DPA are passed on to the respective Controller Affiliate.

2.4 Controller warrants that it is duly mandated by any Controller Affiliates on whose behalf Processor Processes Covered Data to: (a) enforce the terms of this DPA on behalf of Controller Affiliates and act on their behalf in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on their behalf.

2.5 Controller will be the only point of contact for all communication between Controller Affiliates and Processor.

**3\. ROLE OF THE PARTIES**

The parties acknowledge and agree that, in respect of the hosted Services:

(a) for the purposes of the GDPR, UK GDPR, and Swiss Data Protection Laws, Processor acts as "processor" or "sub-processor," determined by the function of Controller: where Controller acts as a controller, Processor acts as a processor; where Controller acts as a processor on behalf of another controller, Processor acts as a sub-processor;

(b) for the purposes of the US State Privacy Laws, Processor acts as a "service provider" or "processor" (as defined in the applicable US State Privacy Laws) in performing its obligations under the Agreement and this DPA; and

(c) Controller is the controller (or business) with respect to Covered Data it submits to or Processes through the Services, and is responsible for the accuracy, quality, and legality of Covered Data and the means by which it was acquired, and for establishing a lawful basis for the Processing.

**Hosted Processing acknowledgement.** Controller acknowledges that, unlike Conduktor's on-premises offering, the Services are hosted by Processor and that Processor will Process Covered Data submitted to the Services on Controller's behalf as described in Schedule 1. Controller has full control over what Personal Data it inputs into or uploads to the Services.

**4\. DETAILS OF DATA PROCESSING**

4.1 The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.

4.2 Covered Data will only be Processed on behalf of and under the documented instructions of Controller and in accordance with Applicable Data Protection Laws. Processor shall Process Covered Data only as necessary to perform the Services. The Agreement and this DPA generally constitute Controller's instructions for the Processing of Covered Data. Controller may issue further written instructions in accordance with this DPA. Processor will inform Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws. Without limiting the foregoing, Processor is prohibited from:

- selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
- sharing Covered Data with any third party for cross-context behavioral advertising;
- retaining, using, or disclosing Covered Data for any purpose other than the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;
- retaining, using, or disclosing Covered Data outside of the direct business relationship between the parties; and
- except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Processor receives from or on behalf of another person, or collects from its own interaction with the Data Subject.

4.3 Processor certifies that it understands the restrictions in clause 4.2 and will comply with them.

4.4 Processor will limit access to Covered Data to personnel who have a business need to access it, and will ensure that such personnel are subject to obligations of confidentiality at least as protective of the Covered Data as the terms of this DPA and the Agreement.

4.5 Processor may, without prejudice to clause 11, Process Covered Data anywhere that Processor or its Sub-processors maintain facilities, subject to clause 5 of this DPA. The Services are hosted in the EEA (Ireland) as described in Schedule 1; certain Sub-processors are located in the United States as described in Schedule 5.

4.6 Processor will provide Controller with information reasonably necessary to enable Controller to conduct and document any data protection impact assessments or transfer impact assessments required under Applicable Data Protection Laws. Processor will notify Controller promptly if it determines that it can no longer meet its obligations under Applicable Data Protection Laws.

4.7 Controller has the right to take reasonable and appropriate steps to ensure that Processor uses Covered Data in a manner consistent with Controller's obligations under Applicable Data Protection Laws, and to stop and remediate unauthorized use of Covered Data.

**5\. SUB-PROCESSORS**

5.1 Controller grants Processor general authorization to engage Sub-processors, including Processor's current Sub-processors listed in Schedule 5, subject to clause 5.2.

5.2 Processor will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Processor's obligations under this DPA. Processor remains fully liable to Controller for the performance of each Sub-processor's obligations to the same extent as if performed by Processor itself. Engagement of any Sub-processor does not relieve Processor of any of its obligations under this DPA.

5.3 Processor will provide Controller with at least fifteen (15) days' notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Controller may object to a new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs, if applicable) by providing written notice within ten (10) days after Processor's notice (an "Objection"). If Controller does not object within the Objection period, consent will be assumed. If Controller objects, the parties will work together in good faith to find a mutually acceptable resolution. If no resolution is reached within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the affected Services by written notice. During any such Objection period, Processor may suspend the affected portion of the Services.

**6\. DATA SUBJECT RIGHTS REQUESTS**

6.1 As between the parties, Controller has sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws (each, a "Data Subject Request").

6.2 Processor will forward to Controller, without undue delay, any Data Subject Request it or any Sub-processor receives, and may advise the individual to submit the request directly to Controller.

6.3 Processor will provide Controller with reasonable assistance, taking into account the nature of the Processing, as necessary for Controller to fulfil its obligation to respond to Data Subject Requests, including requests to access, correct, delete, or port Covered Data, or to opt out of its sale or sharing.

**7\. SECURITY AND AUDITS**

7.1 Processor will implement and maintain appropriate technical, administrative, and organizational measures designed to ensure the security of Covered Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. When assessing the appropriate level of security, account will be taken of the nature, scope, context, and purpose of the Processing and the risks presented, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.

7.2 Processor will implement and maintain, as a minimum standard, the measures set out in Schedule 2. Processor shall regularly review and update its technical and organizational measures to ensure they remain effective and appropriate in light of technological developments, evolving industry standards, and changes in the nature, scope, context, and purposes of Processing, and will notify Controller of any material adverse changes to such measures.

7.3 Controller has the right to audit Processor's compliance with this DPA. The parties agree that all such audits will be conducted: (a) upon reasonable written notice to Processor; (b) only once per year (except where required by a supervisory authority or following a Security Incident); and (c) only during Processor's normal business hours.

7.4 To conduct such audits, Controller may engage a third-party auditor who is suitably qualified, independent, and bound by appropriate confidentiality obligations. Controller must submit a detailed proposed audit plan at least two weeks in advance, and the parties will work cooperatively to agree a final audit plan. Audits must be conducted subject to the agreed plan and Processor's health, safety, security, and other relevant policies. Controller will promptly notify Processor of any non-compliance discovered.

7.5 Controller bears the costs of any audit it initiates, unless the audit reveals material non-compliance with this DPA. Upon request, Processor will provide documentation reasonably evidencing implementation of its technical and organizational measures. If the requested audit scope is addressed in a certification or third-party audit report (such as SOC 2 or ISO 27001) produced within twelve (12) months of the request, and Processor confirms no known material changes in the controls covered, Controller agrees to accept those findings in lieu of an on-site audit of the covered controls.

7.6 Processor will audit its Sub-processors on a regular basis and will, upon Controller's request, confirm their compliance with Applicable Data Protection Laws and their contractual obligations.

**8\. SECURITY INCIDENTS**

8.1 Processor will notify Controller in writing without undue delay and, in any event, no later than seventy-two (72) hours after becoming aware of any Security Incident, and will reasonably cooperate in any obligation of Controller under Applicable Data Protection Laws to make notifications to individuals or supervisory authorities. Processor will take reasonable steps to contain, investigate, and mitigate the Security Incident, and will provide Controller with timely information including the nature of the Security Incident, the measures taken to mitigate or contain it, and the status of the investigation. Processor's notification of or response to a Security Incident will not be construed as an acknowledgement of fault or liability.

8.2 Processor will provide reasonable assistance with Controller's investigation of a Security Incident and with any notification obligation of Controller under Applicable Data Protection Laws.

**9\. DELETION AND RETURN**

9.1 Processor will, within thirty (30) days of the termination or expiry of the Agreement: (a) if requested by Controller within that period, return a copy of all Covered Data or provide self-service functionality allowing Controller to do the same; and (b) delete all other copies of Covered Data Processed by Processor or any Sub-processor, except to the extent retention is required by applicable law, in which case Processor will protect the confidentiality of such Covered Data and Process it only as necessary for the purpose of such required retention. Covered Data submitted to the Services is otherwise subject to the default and maximum retention periods described in Schedule 1.

**10\. CONTRACT PERIOD**

10.1 This DPA becomes effective in parallel with the Agreement and, notwithstanding any termination of the Agreement, remains in effect until, and automatically expires upon, Processor's deletion of all Covered Data as described in this DPA.

**11\. STANDARD CONTRACTUAL CLAUSES AND INTERNATIONAL TRANSFERS**

11.1 The parties agree that the terms of the SCCs, Module Two (controller to processor) and Module Three (processor to processor), as further specified in Schedule 3, are incorporated by reference and deemed executed by the parties, and apply to any transfers of Covered Data falling within the scope of the GDPR from Controller (as data exporter) to Processor (as data importer).

11.2 To the extent applicable, the jurisdiction-specific addenda set out in Schedule 3 (including the UK Addendum and Swiss Addendum) are also incorporated by reference and deemed executed by the parties, and apply to transfers of Covered Data falling within the scope of Applicable Data Protection Laws in the listed jurisdiction(s).

11.3 Processor will provide Controller reasonable support to enable Controller's compliance with the requirements imposed on international transfers of Covered Data, and will, upon request, provide information reasonably necessary for Controller to complete a transfer impact assessment ("TIA").

11.4 Processor agrees to implement the supplementary measures set forth in Schedule 4 in order to enable Controller's compliance with requirements imposed on international transfers of Covered Data under Applicable Data Protection Laws.

11.5 Where Processor relies on the EU-US Data Privacy Framework (or its UK Extension or Swiss-US framework) as a transfer mechanism for any onward transfer to a US Sub-processor, it will maintain such certification or ensure an alternative valid transfer mechanism applies.

**12\. US STATE PRIVACY LAW TERMS**

12.1 This clause applies to Processing of Covered Data subject to US State Privacy Laws. Processor acts as a "service provider" or "processor" and Processes Covered Data solely on Controller's behalf for the limited and specified business purposes set out in the Agreement and Schedule 1.

12.2 Processor will not: (a) sell or share Covered Data (as "sell" and "share" are defined under the CCPA/CPRA); (b) retain, use, or disclose Covered Data for any purpose other than the business purposes specified, including outside the direct business relationship between the parties; or (c) combine Covered Data with Personal Data received from or on behalf of another person, or collected from Processor's own interaction with the Data Subject, except as permitted by US State Privacy Laws.

12.3 Processor certifies that it understands and will comply with the restrictions in this clause 12. Controller may take reasonable and appropriate steps to ensure that Processor uses Covered Data consistently with Controller's obligations under US State Privacy Laws, and to stop and remediate any unauthorized use.

12.4 Processor will notify Controller if it determines it can no longer meet its obligations under US State Privacy Laws, and will assist Controller in responding to verifiable consumer rights requests as set out in clause 6.

**13\. DEIDENTIFIED DATA**

If Processor receives Deidentified Data from or on behalf of Controller, then Processor will:

- take reasonable measures to ensure the information cannot be associated with a Data Subject;
- publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
- contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.

**14\. GENERAL**

14.1 The parties certify that they understand the requirements in this DPA and will comply with them.

14.2 The parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.

14.3 This DPA and the Agreement set forth the entire agreement between the parties with respect to the subject matter hereof.

**SCHEDULE 1: DETAILS OF PROCESSING**

**A. List of Parties**

The parties are set out in the preamble to this DPA. With regard to any transfers of Covered Data falling within the scope of the GDPR from Controller to Processor, additional information regarding the data exporter and data importer is set out below.

**Data Exporter:** each of the Controller and/or Controller Affiliates operating in the countries comprising the EEA, UK, and/or Switzerland and/or, to the extent agreed by the parties, Controller and/or Controller Affiliates in any other country to the extent the GDPR applies. The data exporter's contact person, position, and contact details (and, if appointed, its data protection officer and/or representative) are included in the Agreement or will be disclosed to Processor upon request. The activities relevant to the data transfer are defined by the Agreement, and the data exporter decides on the scope of the Processing in connection with the Services as further described in section B below.

**Data Importer:** Conduktor Inc., the Processor. The data importer's activities relevant to the data transfer are: hosting, storing, and Processing Personal Data submitted by the data exporter through the Ivy platform on behalf of the data exporter in connection with providing the Services, as further described in section B below and in the Agreement. The data importer's contact details are included in the Agreement or will be disclosed to Controller upon request.

**B. Description of Processing**

**Hosting model.** The Services are hosted on Amazon Web Services in the eu-west-1 (Ireland) region. The Controller has full control over what Personal Data it submits to the Services. Personal Data is held in a managed PostgreSQL database with tenant isolation enforced at the application layer.

**Categories of Data Subjects:** Authorized Users and other personnel of Controller and Controller Affiliates; and, to the extent Controller submits such data, Controller's customers and their personnel, and other individuals whose Personal Data is contained in data submitted to the Services.

**Categories of Personal Data:**

- **Account and identity data:** email address, first and last name, profile picture, organization name, authentication identifiers, and session data.
- **Access and audit data:** audit-log records of mutations, including actor email address, request identifier, user agent, requested path, status code, and duration; and last-seen timestamps.
- **Customer-submitted data:** any Personal Data contained within streams, catalog entries, projects, schema versions, expositions, and associated metrics that Controller chooses to submit to the Services. Conduktor does not control and has limited visibility into the content of customer-submitted payload data.

**Special categories of Personal Data:** None are required by the Services. Controller must not submit special-category Personal Data unless separately agreed in writing; if Controller chooses to submit such data, Controller is solely responsible for ensuring an appropriate lawful basis and any additional safeguards.

**Nature and purpose of Processing:** hosting, storage, transmission, access management, authentication, audit logging, and maintenance of the data Controller submits to the Services, in order to provide the Services.

**Frequency of Processing:** continuous, for the duration of the Agreement.

**Retention / Storage limitation:**

- Audit-log records: per workspace, default seven (7) days, maximum two (2) years (configurable per workspace).
- Customer-submitted payload data (streams): default seven (7) days, maximum one (1) year (configurable per stream).
- Sessions, invitation links, and device codes: short-lived; auto-expire.
- Operational logs (used to diagnose incidents, not customer data): retained two (2) to four (4) weeks, then automatically deleted.
- Otherwise, where Personal Data is not deleted on Controller's request during the term, the duration of Processing corresponds to the duration of this DPA as defined in clause 10.

**Competent Supervisory Authority:** where the data exporter is established in an EU Member State, the supervisory authority of that Member State; where the data exporter is not established in an EU Member State but falls within the territorial scope of Article 3(2) GDPR and has appointed a representative under Article 27(1), the supervisory authority of the Member State where the representative is established; otherwise, the supervisory authority of Ireland (the Data Protection Commission).

**SCHEDULE 2: TECHNICAL AND ORGANIZATIONAL MEASURES**

Processor has implemented the following technical and organizational measures (including relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the Processing and the risks to the rights and freedoms of natural persons. These measures reflect the hosted Ivy architecture.

- **Encryption at rest:** Customer data is stored in a managed relational database encrypted at rest. Production environments use a customer-managed encryption key to support key rotation, revocation, and audit drills.
- **Encryption in transit:** TLS is enforced for all network traffic to and within the Services, using certificates managed by the cloud provider's certificate manager.
- **Session and credential security:** Application sessions use sealed cookies (authenticated encryption: AES-256-GCM with an HKDF-derived key), marked HttpOnly and Secure, with host-bound cookie-name prefixes (such as `__Host-`) on administrative surfaces. API and machine tokens are stored only in hashed form and never in clear text. Secrets are held in a dedicated secrets manager and never in client-side storage.
- **Access controls:** Logical access to systems and data is granted on a least-privilege, need-to-know basis using unique identifiers, with periodic review and prompt revocation on role change or termination. Cloud access uses short-lived, federated credentials (OIDC) with no long-lived static credentials in continuous integration.
- **Tenant isolation:** Every query enforces a tenant identifier at the application layer, and bearer tokens cannot reach internal-only administrative interfaces.
- **Audit logging and monitoring:** System and application event logging records user access and system activity for routine review, including an immutable per-tenant audit log of mutations.
- **Vulnerability and patch management:** Vulnerability assessment, patch management, and threat-protection processes are used to identify, assess, mitigate, and protect against security threats and malicious code.
- **Change management:** Documented procedures are used to test, approve, and monitor changes to technology and information assets, including infrastructure-as-code review.
- **Network security:** Network controls (including load-balancer, firewall, and traffic-inspection mechanisms) protect systems from intrusion and limit the scope of any successful attack.
- **Incident management:** Documented incident and problem-management procedures allow Processor to investigate, respond to, mitigate, and notify of events affecting its technology and information assets.
- **Physical and environmental security:** Hosting is provided by a major cloud infrastructure provider whose data centers implement physical and environmental safeguards, including access control, monitoring, and protection against environmental hazards.
- **Governance:** Organizational management and dedicated staff are responsible for the development, implementation, and maintenance of Processor's information security program, including periodic risk assessment and review.
- **Resilience and recovery:** Business-continuity and disaster-recovery procedures are designed to maintain or restore the Services following foreseeable emergency situations.
- **Secure disposal:** Operational procedures provide for secure disposal of systems and media so that information is rendered undecipherable or unrecoverable prior to disposal or release from Processor's possession.

**SCHEDULE 3: STANDARD CONTRACTUAL CLAUSES AND ADDENDA**

**Part A: EU Standard Contractual Clauses**

The SCCs apply to any Processing of Covered Data subject to the EU GDPR. For the purposes of the SCCs:

- Module Two applies to Processing under clause 3(a) of this DPA where Controller is a controller, and Module Three applies where Controller is a processor on behalf of another controller.
- Clause 7 of the SCCs (Docking Clause) does not apply.
- Clause 9(a), Option 2 (General written authorization) is selected; the time period to be specified is determined in clause 5.3 of this DPA.
- The option in Clause 11(a) of the SCCs (Independent dispute resolution body) does not apply.
- With regard to Clause 17 (Governing law), Option 1 applies and the governing law is the law of the Republic of Ireland.
- In Clause 18 (Choice of forum and jurisdiction), the parties submit to the jurisdiction of the courts of the Republic of Ireland.
- For Annex I of the SCCs, Schedule 1 of this DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
- For Annex II of the SCCs, Schedule 2 of this DPA contains the technical and organizational measures.
- For Annex III of the SCCs, the list of Sub-processors is determined by clause 5.1 and Schedule 5 of this DPA.

**Part B: UK Addendum**

This UK Addendum applies to any Processing of Covered Data subject to the UK GDPR or to both the UK GDPR and the EU GDPR. As used herein, "Approved Addendum" means the template addendum, version B.1.0, issued by the UK Information Commissioner under s.119A(1) of the Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised under Section 18 of the Mandatory Clauses; and "Mandatory Clauses" means Part 2 of the Approved Addendum.

With respect to any transfers of Covered Data falling within the scope of the UK GDPR from Controller (as data exporter) to Processor (as data importer): (a) the Approved Addendum forms part of this DPA and the SCCs are read and interpreted in light of its provisions; (b) the parties are as specified in Schedule 1; (c) the selected Modules and Clauses are as specified in Part A above as amended by the Mandatory Clauses; (d) Tables 1 to 3 of the Approved Addendum are completed by reference to Schedules 1, 2, and 5 of this DPA; (e) Processor (as data importer) may end the DPA, to the extent the Approved Addendum applies, in accordance with Clause 19 of the Mandatory Clauses; and (f) Clause 16 of the Mandatory Clauses does not apply.

**Part C: Swiss Addendum**

This Swiss Addendum applies to any Processing of Covered Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR. "Swiss Data Protection Laws" means the Swiss Federal Act on Data Protection and its implementing ordinance, as revised from time to time.

This Addendum is read and interpreted in light of Swiss Data Protection Laws so that it provides the appropriate safeguards required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as applicable, and will not be interpreted in a way that conflicts with rights and obligations under Swiss Data Protection Laws. In the event of conflict between this Addendum and the SCCs or related agreements, the provisions providing the most protection to Data Subjects prevail.

To the extent Processing is exclusively subject to Swiss Data Protection Laws, the SCCs are amended so that: (a) references to the GDPR are replaced by references to Swiss Data Protection Laws; (b) references to the "EU," "Union," and "Member State" are replaced with "Switzerland"; (c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; (d) Clause 17 is replaced so the SCCs are governed by the laws of Switzerland; (e) Clause 18 is replaced so disputes are resolved by the courts of Switzerland and a Data Subject may bring proceedings in the place of habitual residence; and (f) until the entry into force of the revised Swiss Data Protection Laws, the SCCs also protect the data of legal entities. Where Processing is subject to both Swiss Data Protection Laws and the GDPR, the DPA and SCCs apply as-is and additionally as amended above, except that Clause 17 is not replaced. Controller warrants that it and/or Controller Affiliates have made any notifications to the Commissioner required under Swiss Data Protection Laws.

**Part D: US Transfers**

For onward transfers of Covered Data to Sub-processors located in the United States, the parties rely on one or more of the following, as applicable: the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, or the Swiss-US Data Privacy Framework, where the relevant Sub-processor is certified under the applicable framework; the SCCs together with the supplementary measures in Schedule 4; or another valid transfer mechanism under Applicable Data Protection Laws.

**SCHEDULE 4: ADDITIONAL SUPPLEMENTARY MEASURES**

Processor commits to implementing the following supplementary measures, based on guidance from EU supervisory authorities (in particular the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools), to enhance the protection of Covered Data in connection with Processing in a third country.

**Technical measures**

- **Encryption in transit.** Personal Data transmitted between the parties, between Processor data centers, and to and from Sub-processors is protected by strong, state-of-the-art transport encryption, relying on a trustworthy public-key infrastructure and implemented so as to resist both active and passive attacks, with the implementation regularly tested for software vulnerabilities. Where transport encryption alone does not provide adequate protection, Personal Data is additionally encrypted at the application layer before transmission.
- **Encryption at rest.** Personal Data at rest is stored using strong encryption. Encryption algorithms and parameters conform to the state of the art and are robust against cryptanalysis, taking into account the resources available to public authorities and the period during which confidentiality must be preserved. Keys are reliably generated, administered, stored, and revoked by Processor or a trusted entity.

**Organizational measures**

- Adoption of internal policies for the governance of transfers, with clear allocation of responsibilities, reporting channels, and standard operating procedures for handling formal or informal requests from public authorities to access data, including notification to senior legal management and to Controller, and procedural steps to challenge disproportionate or unlawful requests.
- Specific, periodically updated training for personnel responsible for managing public-authority access requests, including the requirements of EU law as to such access.
- Publication of transparency reports or summaries regarding governmental access requests, insofar as permitted by local law.
- Strict, granular, need-to-know access and confidentiality policies, data minimization (including restricted rather than full access for support cases), regular audits, and disciplinary enforcement.
- Regular review of the suitability of the implemented measures and identification of additional or alternative solutions to maintain an essentially equivalent level of protection.

**Contractual measures**

- Processor declares that it has not purposefully created back doors or similar programming, has not purposefully changed its business processes to facilitate access to Personal Data or systems, and is not required by national law or government policy to create or maintain back doors, facilitate access, or hand over encryption keys.
- Processor will verify the validity of the information provided in any transfer impact assessment ("TIA") questionnaire on a regular basis and notify Controller of any changes without delay; Clause 14(e) of the SCCs (the data importer's obligation to promptly notify the data exporter if it has reason to believe it has become subject to laws or practices not in line with the SCCs) remains unaffected.
- In case of any order to disclose or grant access to Personal Data, Processor will inform the requesting public authority of the incompatibility of the order with the safeguards in the Article 46 GDPR transfer tool and the resulting conflict of obligations, and will challenge the order where lawful grounds exist.
- The parties commit to reasonably assist Data Subjects in exercising their rights and seeking redress, and Processor commits to fairly compensate Data Subjects for material and non-material damage suffered because of a disclosure of their Personal Data in violation of these commitments.

**SCHEDULE 5: SUB-PROCESSORS**

Processor engages the following Sub-processors to Process Covered Data in connection with the hosted Ivy Services. Conduktor affiliates are listed for completeness.

| Sub-processor | Location | Description of Processing | Data location |
|---|---|---|---|
| Amazon Web Services | United States (entity); hosting in eu-west-1 (Ireland) | Cloud hosting and infrastructure: compute, managed PostgreSQL database, load balancing, secrets management, object storage, container registry, DNS, and monitoring | Ireland (EEA) |
| Vercel Inc. | United States | Hosting of the frontend application and documentation site; proxies API and authentication traffic server-side (request/response traffic in transit only; no persistent storage of Covered Data) | United States |
| WorkOS, Inc. | United States | Authentication: login, sessions, organizations, and directory (email, name, profile picture, organization name) | United States |
| Plus Five Five, Inc. (Resend) | United States | Transactional email, including workspace invitations (recipient email, invitation link) | United States |
| Twilio Inc. (Segment) | United States | Product analytics (event names and properties); consent-gated browser analytics and server-side events | United States |
| GitHub, Inc. | United States | Source code management and CI/CD (pipelines authenticate to the hosting environment through OIDC federation with short-lived tokens; no long-lived hosting credentials are stored in GitHub) | United States |
| Conduktor Inc. | 224 W 35th St Ste 500, #2947, New York, NY 10001, US | Conduktor affiliate, operation and support of the Services | United States |
| Conduktor UK Ltd | 9th Floor, 107 Cheapside, London, EC2V 6DN, UK | Conduktor affiliate, operation and support of the Services | United Kingdom |
| Conduktor France SAS | 3 Boulevard de Sebastopol, 75001 Paris, France | Conduktor affiliate, operation and support of the Services | France (EEA) |

*The current list of Sub-processors, including any updates, is maintained by Processor and made available to Controller in accordance with Clause 5.3 of this DPA.*
