This Data Processing Addendum (“DPA”) is made by and between Salt Security, Inc. and its Affiliates (“Salt Security”) and Customer and governs Salt Security’s processing of Customer Personal Data by means of the Services (each as defined below).
“Customer” means a person or entity that accepts and agrees to the terms of this DPA (including for clarity the SCCs and each Annex thereto) as of the earlier date (“Effective Date”) on which such person or entity either clicks a box indicating acceptance of this DPA or transmits Customer Personal Data to Salt Security for Processing by means of the Services and/or Agreement (defined below). Salt Security reserves the right to modify or update this DPA in its sole discretion; the effective date of such updates and/or modifications will be the earlier of: (i) 30 days from the date of such update or modification; or (ii) Customer’s continued use of the Services.
IF YOU DO NOT ACCEPT THIS DPA, YOU MAY NOT ACCESS OR USE THE SERVICES. THE SERVICES ARE INTENDED FOR CUSTOMER AND ITS AUTHORIZED USERS ONLY AND ARE NOT FOR USE BY CHILDREN UNDER 13 YEARS OF AGE. IF AN INDIVIDUAL IS ENTERING INTO THIS DPA ON BEHALF OF A LEGAL ENTITY, SUCH PERSON REPRESENTS AND WARRANTS THAT IT HAS THE LEGAL AUTHORITY TO BIND SUCH LEGAL ENTITY TO THIS DPA AND THIS DPA APPLIES TO SUCH ENTITY WHICH IS DEEMED THE CUSTOMER.
This DPA forms part of the Agreement between the parties under which Salt Security will provide the Services to Customer. This DPA applies where, and to the extent that, Salt Security processes Customer Personal Data on behalf of Customer when using the Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement or in applicable Data Protection Laws.
If Customer and Salt Security have executed a written data processing agreement governing Customer’s transfer, and Salt Security’s Processing, of Customer Personal Data, then the terms of such signed agreement will govern and supersede this Agreement.

1. DEFINITIONS

1.1 “Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity. In this Section 1.1, “control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The terms “controlled” and “controlling” will be construed accordingly.

1.2 “Agreement” means the written or electronic agreement between Customer and Salt Security for the provision of the Services to Customer.

1.3 “CCPA” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations, as may be amended from time to time.

1.4 “Controller Affiliate” means any Affiliate of Customer: (a) (i) that is subject to applicable Data Protection Laws and (ii) permitted to use the Services pursuant to the Agreement between the Customer and Salt Security, but has not signed its own Order and is not a “Customer” as defined under the Agreement; and (b) if and to the extent Salt Security processes Customer Personal Data for which such Affiliate(s) qualify as the Controller, on behalf of such Affiliate(s). Except where otherwise indicated, the term “Customer” shall include Customer and Controller Affiliate(s), if any.

1.5 “Customer Personal Data” means any Personal Data that Salt Security processes on behalf of Customer pursuant to the Agreement and this DPA while providing the Services.

1.6 “Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
1.7 “Data Protection Laws” means all data protection and privacy laws applicable to the processing of Customer Personal Data by Salt Security on behalf of Customer under the Agreement, including, where applicable, European Data Protection Laws or the CCPA.

1.8 “Data Controller” means an entity that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

1.9 “Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

1.10 “European Data Protection Laws” means, as applicable: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) the UK GDPR, which is part of UK law by virtue of the European Union (Withdrawal) Act 2018, and the UK Data Protection Act 2018 (“UK Data Protection Law”); (c) the Federal Data Protection Act of 19 June 1992 in Switzerland and the new Swiss Federal Act on Data Protection (“Swiss DPA”); and (d) the EU e-Privacy Directive (Directive 2002/58/EC), in each case together with all laws and regulations supplementing, implementing, amending or replacing the same in any EU Member State, the UK and Switzerland.

1.11 “Group” means any and all Affiliates that are part of an entity’s corporate group.

1.12 “Personal Data” has the meaning given to it in the Data Protection Laws (or, where not defined in any applicable Data Protection Laws, shall have the meaning set forth in the GDPR).

1.13 “Processing” has the meaning given to it in the GDPR and “process,” “processes,” and “processed” will be interpreted accordingly.
1.14 “Restricted Transfer” means: (a) where the GDPR applies, a transfer of Customer Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (b) where the UK Data Protection Law applies, a transfer of Customer Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (c) where the Swiss DPA applies, a transfer of Customer Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

1.15 “Sensitive Data” means Personal Data that is protected under special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offenses; (d) Personal Data relating to children; and/or (e) account passwords in unhashed form.

1.16 “Services” means any product or service provided by Salt Security to Customer pursuant to the Agreement, including, but not limited to, the Salt Security Platform, including as described in Annex 1-B - Nature of the processing.

1.17 “Standard Contractual Clauses” or “SCCs” means (a) in respect of cross-border transfers of Customer Personal Data subject to the GDPR, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”), as amended pursuant to clause 7.2(a) below; (b) in respect of cross-border data transfers of Customer Personal Data subject to the UK Data Protection Law, the UK Addendum (as defined below) and the EU SCCs, as amended pursuant to clause 7.2(b) below; and (c) in respect of cross-border transfers of Customer Personal Data subject to the Swiss DPA, the EU SCCs as amended pursuant to clause 7.2(c) below.

1.18 “Subprocessor” means any Data Processor engaged by Salt Security that carries out Processing activities of Customer Personal Data under the instruction of Salt Security, whether a third party or a member of the Salt Security Group.

1.19 “UK Addendum” means the UK International Data Transfer Addendum available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as amended or replaced from time to time and incorporating amendments to the Standard Contractual Clauses.

2. SCOPE OF THIS DPA

2.1 Scope of DPA: This DPA applies where and only to the extent that Salt Security processes Customer Personal Data in the course of providing Services to Customer pursuant to the Agreement.

3. ROLES AND SCOPE OF PROCESSING

3.1 Role of the Parties: As between Salt Security and Customer, Customer is the Data Controller of Customer Personal Data and Salt Security shall process Customer Personal Data only as a Data Processor acting on behalf of Customer. For other processing under the Agreement or related thereto, the parties agree and acknowledge that Salt Security and Customer will be independent Data Controllers.

3.2 Customer Processing of Customer Personal Data: Customer agrees that: (a) it has complied and will continue to comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Personal Data, and any processing instructions it issues to Salt Security shall be in compliance with applicable law; (b) it has provided adequate notice and obtained all valid consents where required and rights necessary for Salt Security to process Customer Personal Data, including Sensitive Data (as applicable), pursuant to the Agreement and this DPA, and in compliance with Data Protection Laws; (c) it shall only disclose or otherwise make available to Salt Security Customer Personal Data which is relevant and not excessive with regard to the provision of the Services by Salt Security; and (d) it will not, by act or omission, cause Salt Security to violate any Data Protection Laws, notices provided to, or any consents obtained from, data subjects, in each case, in connection with Salt Security’s processing of Customer Personal Data with regard to the provision of the Services.

3.3 Salt Security Processing of Customer Personal Data: As a Data Processor, Salt Security (including by means of Salt Security’s Affiliates) will process Customer Personal Data only (a) in accordance with the Agreement and this DPA and with Customer’s documented lawful instructions as set forth in the Agreement and this DPA; (b) in connection with the provision of the Services; (c) where appropriate, to render Customer Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards; and/or (d) as required under the laws applicable to Salt Security, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Salt Security shall notify Customer of the legal requirement in advance, unless such law or order prohibits such notification. The parties agree that Customer’s complete and final instructions with regard to the subject matter, duration, nature and purposes of the processing and the types of data subjects and Customer Personal Data to be processed under the Agreement, as well as the rights and obligations of Customer as Data Controller, are set out in this DPA. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Salt Security on additional instructions for processing unless Salt Security is required to process Customer Personal Data to comply with applicable law. In the event that Customer discloses or otherwise makes available to Salt Security Deidentified Data (as defined by applicable Data Protection Laws), Salt Security shall (i) take reasonable measures to ensure such data cannot be associated with a natural person, and (ii) maintain and use such data without attempting to re-identify it.

Salt Security shall inform Customer without undue delay if, in Salt Security’s opinion, an instruction for the processing of Customer Personal Data given by Customer infringes Data Protection Laws. To the extent that Salt Security cannot comply with an instruction from Customer, Salt Security (i) shall inform Customer, providing relevant details of the issue, and (ii) may, without liability to Customer, temporarily cease all processing of the affected Customer Personal Data (other than securely storing such data) and/or suspend Customer’s access to the Services until the Parties can resolve the issue in good faith.

3.4 Sensitive Data: The parties agree that the Services may process Sensitive Data only to the extent necessary to provide the Services in accordance with the Agreement and this DPA. Customer shall be responsible for configuring its chosen deployment of the Services, through use of the Services' privacy enhancing features, such that Sensitive Data (i) remains in the Customer's environment; and/or (ii) is subject to additional safeguards.

3.5 CCPA Standard of Care: As may be applicable to the Services provided under the Agreement, Salt Security certifies that it understands the rules, requirements and definitions of the CCPA. Salt Security agrees and acknowledges:

- Salt Security shall refrain from selling or sharing (as such terms are defined in the CCPA) any Customer Personal Data processed hereunder, without Customer’s prior written consent or instruction, nor take any action that would cause any transfer of Customer Personal Data to or from Salt Security under the Agreement or this DPA to qualify as selling and/or sharing under the CCPA.
- Customer discloses Customer Personal Data to Salt Security only for limited and specified business purposes (as such term is defined in the CCPA) set out in this DPA and the Agreement. Salt Security shall process Customer Personal Data only (i) for such limited and specific business purpose(s), and (ii) in compliance with applicable sections of the CCPA, in a manner that provides the same or materially similar level of privacy protection as required of Customer considering the Customer Personal Data processed and industry standards.
- Salt Security shall not (i) retain, use, or disclose Customer Personal Data outside the direct business relationship of the parties, as described in the Agreement, or for any purpose other than for the specific business purpose of performing the Services or as otherwise permitted by the Agreement and/or this DPA, nor (ii) combine Customer Personal Data with Personal Data Salt Security processes on behalf of other parties unless expressly permitted under the CCPA and the Agreement between the parties.
- Subject to the audit provisions in the Agreement and Section 6 of this DPA, Customer has the right to take reasonable and appropriate steps to ensure that Salt Security uses Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA. In the event an audit or inspection under Section 6 of this DPA uncovers unauthorized processing of Customer Personal Data, Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate such unauthorized processing.

4. SUBPROCESSING

4.1 Authorized Subprocessors: Customer agrees that in order to provide the Services set forth in the Agreement, Salt Security may engage Subprocessors to process Customer Personal Data. Information about Salt Security’s Subprocessors, including the type of service rendered by them and their registered location, shall be made available by Salt Security to Customer upon reasonable request, and is generally made available at: https://salt.security/subprocessors (as may be updated by Salt Security from time to time) or such other website address as Salt Security may provide to Customer from time to time (“Subprocessor Site”). The Subprocessors listed on the Subprocessor Site as of the date of first use of the Services by Customer are hereby deemed authorized.

4.2 Subprocessor Obligations: Where Salt Security authorizes any Subprocessor as described in Section 4.1:

- Salt Security will restrict the Subprocessors’ access to Customer Personal Data only to what is necessary to assist Salt Security in providing or maintaining the Services, and will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
- Salt Security will enter into a written agreement with the Subprocessor imposing data protection terms materially similar to the terms of this DPA; and
- Salt Security will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Salt Security to breach any of its obligations under this DPA.

4.3 Subprocessor Changes: When Salt Security engages any new Subprocessor after the Effective Date of the Agreement, Salt Security will update the Subprocessor Site (including the name and location of the relevant Subprocessor and the activities it will perform). Salt Security will make commercially reasonable efforts to notify Customer in advance of any such Subprocessor changes. Customer may object in writing to Salt Security’s appointment of a new Subprocessor within 10 days following notification to Customer of the intended engagement with the new Subprocessor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution and if this is not possible, Customer may suspend or terminate the Agreement, in which case Salt Security shall refund Customer the pro-rata, unused portion of any prepaid fees.

5. SECURITY MEASURES AND DATA BREACH RESPONSE

5.1 Security Measures: Salt Security has implemented and will maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Data Breaches and to preserve the security and confidentiality of the Customer Personal Data (“Security Measures”). The Security Measures applicable to the Services are set forth in Annex II, as updated or replaced from time to time in accordance with Section 5.2.

5.2 Updates to Security Measures: Customer acknowledges that the Security Measures are subject to technical progress and development and that Salt Security may update or modify the Security Measures from time to time, provided that such changes shall not degrade the overall security posture of the Services.

5.3 Personnel: Salt Security restricts its personnel from processing Customer Personal Data without authorization by Salt Security as set forth in Annex II, and shall ensure that any person who is authorized by Salt Security to process Customer Personal Data is under an appropriate statutory or contractual obligation of confidentiality.

5.4 Customer Responsibilities: Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, and for securing Customer Personal Data that is outside of Salt Security’s control, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or back up any Customer Personal Data uploaded to the Services.

5.5 Data Breach Response: To the extent required under applicable Data Protection Laws, Salt Security will notify Customer without undue delay after becoming aware of a Data Breach, and will provide information relating to the Data Breach as it becomes known or as is reasonably requested by Customer and available to Salt Security. Salt Security will also take reasonable steps to mitigate and, where possible, remedy the effects of any Data Breach. The obligations herein shall not apply to Data Breaches that are caused by Customer or anyone who uses the Services on Customer’s behalf. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Breach which directly or indirectly identifies Salt Security (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Salt Security’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Customer shall provide Salt Security with reasonable prior written notice to provide Salt Security with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required by such laws.

6. AUDIT

6.1 Audit Reports: Salt Security audits its compliance against data protection and information security standards (such as a SOC 2 Type II audit) on a regular basis. Upon Customer’s request, Salt Security will provide Customer with details of the audits it conducts relevant to the Services it is providing to Customer and, if required, supply Customer with an accurate summary of its most recent relevant audit report (“Report”) so that Customer can verify Salt Security’s compliance with this DPA. Customer acknowledges that the Report will constitute Salt Security’s Confidential Information and will protect the Report in accordance with the confidentiality provisions of the Agreement.

6.2 Inspection Rights: Only if the audit reports and information provided pursuant to Section 6.1 are, in Customer’s discretion, acting reasonably, insufficient to reasonably demonstrate compliance with this DPA, Customer may, subject to the following requirements, inspect or audit the technical and organizational security measures of Salt Security. These requirements shall also apply to any audit provisions provided for in any applicable Standard Contractual Clauses entered into by both parties, to the extent permitted by applicable Data Protection Laws and where not in conflict with any provisions of the Standard Contractual Clauses. Customer shall provide any such audit reports to Salt Security and shall not use such reports for any purpose other than as necessary for Customer's own verification of Salt Security’s compliance with this DPA.

Any such audit shall: (a) not occur more than once during any twelve-month period; (b) occur during normal business hours, using the minimal Salt Security resources necessary, and be conducted so as not to interfere with Salt Security’s business; (c) be at Customer’s sole expense; (d) not include any third party auditor that is not approved in writing by Salt Security; (e) be subject to the confidentiality provisions in the Agreement or a separate non-disclosure or confidentiality agreement executed by any third party auditors and Salt Security; and (f) occur only upon at least thirty days’ prior written notice from Customer.

7. TRANSFERS OF CUSTOMER PERSONAL DATA

7.1 Transfers to Countries that Offer an Adequate Level of Protection: The parties agree that Customer Personal Data may be transferred from the European Economic Area, Switzerland and the UK to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the European Economic Area, the European Union, the Member States or the European Commission, Switzerland, and/or the UK, as applicable, without any further safeguard being necessary.

7.2 Restricted Transfers: The parties agree that when the transfer of Customer Personal Data under the Agreement from Customer (as “Data Exporter”) to Salt Security (as “Data Importer”) is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, it shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated by reference into and form a part of this DPA, as follows:

(a) In relation to transfers of Customer Personal Data that are subject to the GDPR, the EU SCCs will apply, and shall be considered completed as follows:
- Module Two will apply;
- in Clause 7, the optional docking clause will not apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
- Annex III of the EU SCCs does not apply.

(b) In relation to transfers of Customer Personal Data subject to the UK Data Protection Law, the EU SCCs and the UK Addendum will apply to such transfers and the UK Addendum shall be considered completed as follows:
- the parties’ details for Table 1 are as follows: the Data Exporter is the Customer whose contact details are set out in the Agreement and the Data Importer is Salt Security;
- for purposes of Table 2, it is the version of the Approved EU SCCs incorporated by reference into the DPA; the rest of the details for Table 2 are as set out in Annex I to this DPA;
- for purposes of Table 3, “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Standard Contractual Clauses (other than the Parties), and which is set out in Annex I and Annex II to this DPA;
- for purposes of Table 4, neither party may end the UK Addendum;
- the Module identified above for purposes of the EU SCCs shall also apply for purposes of the UK Addendum; and
- by executing the DPA, the Data Exporter and Data Importer shall be deemed to have executed the UK Addendum.

(c) In relation to transfers of Customer Personal Data protected by the Swiss DPA (as amended or replaced from time to time), the EU SCCs, as completed pursuant to paragraph (a) above, will also apply to such transfers subject to the following amendments:
- all references to “Regulation (EU) 2016/679”, “that Regulation” or “GDPR” shall be read as “Swiss DPA”;
- all references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the Swiss DPA;
- all references to “Regulation (EU) 2018/1725” are removed;
- Clause 13(a) and Part C of Annex II are not used and the competent supervisory authority for purposes of Clause 13 of the Standard Contractual Clauses shall be the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland;
- the governing law shall be that of Switzerland for purposes of Clause 17 of the Standard Contractual Clauses;
- all references to “Union”, “EU”, and “EU Member State” are to be replaced with “Switzerland”;
- Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts.”;
- where the Clauses use terms that are defined in the EU General Data Protection Regulation 2016/679, those terms shall be deemed to have the meaning as the equivalent terms are defined in the Swiss DPA; and
- the footnotes to the Clauses shall not apply.

(d) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent such conflict relates to a Restricted Transfer to which the Standard Contractual Clauses apply.

7.3 Alternative Data Transfer Solutions: Notwithstanding Section 7.1, the parties agree that in the event Salt Security adopts an alternative data transfer solution for the transfer of Customer Personal Data that is not described in this DPA (as recognized under European Data Protection Laws), such solution shall apply with effect from the date that Salt Security implements such new data transfer solution.

7.4 Transfers from Other Countries: If the Processing of Customer Personal Data by Salt Security includes a transfer of Customer Personal Data by and/or mandated by Customer to Salt Security from any other jurisdiction which mandates that a particular compliance mechanism for the lawful transfer of such data be established, Customer shall notify Salt Security of such applicable requirements, and the parties may seek to make any necessary amendments to this DPA accordingly.

8. RETURN OR DELETION OF DATA

8.1 Following expiration of the Agreement, upon Customer request and to the extent it is technically feasible, Salt Security shall delete or return to Customer all Customer Personal Data in its possession in accordance with the terms of the Agreement and save to the extent Salt Security is required by applicable law to retain some or all of the Customer Personal Data.

9. COOPERATION

9.1 The Services provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict processing of Customer Personal Data, which Customer may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Services using the aforementioned tools offered by Salt Security, Salt Security shall provide reasonable cooperation to assist Customer to respond to any requests from individuals or data protection authorities relating to the processing of Customer Personal Data under the Agreement. In the event that any such request is made directly to Salt Security, Salt Security shall not respond to such communication directly without Customer's prior authorization (provided that Salt Security can readily ascertain that such request relates to Customer Personal Data), unless legally compelled to do so; however, Salt Security may refer the person or authority initiating the communication to Customer (including Customer’s designated contacts and administrators for the Services) and/or advise them on using the aforementioned tools offered by Salt Security within the Services. If Salt Security is required to respond to such a request, Salt Security will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

9.2 If a law enforcement agency sends Salt Security a demand for Customer Personal Data (for example, through a subpoena or court order), Salt Security will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Salt Security may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then Salt Security will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Salt Security is legally prohibited from doing so.

9.3 To the extent Salt Security is required under European Data Protection Laws, Salt Security will provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments and prior consultations with data protection authorities.

-
GENERAL
- Any liability under this DPA is subject to, and limited by, the limitation on liability set forth in Section 12 of the
Agreement.
- Any claims against Salt Security or its Affiliates under this DPA shall be brought solely against the entity that is a
party to the Agreement.
- No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its
terms.
- This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement,
unless required otherwise by applicable Data Protection Laws.
- Subject to clause 7.2(d) above, in the event of any conflict between this DPA and any privacy-related provisions set out in
the Agreement or any other existing data protection terms agreed to between the parties, the terms of this DPA shall
prevail.
- If Salt Security becomes aware or makes a determination that it can no longer meet its obligations under Data Protection
Laws or this DPA, it shall promptly notify Customer.
- Execution of this DPA by either party shall be deemed acceptance and execution by that party of the Standard Contractual
Clauses incorporated herein by reference.
- Section 15 (Miscellaneous) of the Agreement applies to the DPA.
ANNEX I
List of parties
- Controller(s)/ data exporter(s): Customer, as identified in the Agreement.
- Processor(s)/ data importer(s): Salt Security, as identified in the Agreement.
Description of the processing
Categories of data subjects whose personal data is processed
- Employees, contractors, customers, clients, and others who may interact with Customer’s APIs.
Categories of personal data processed
- Personal Data that may appear in the Customer's monitored API environment (such as name, email address, etc.), the extent
of which is determined and controlled by Customer in its sole discretion.
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration
the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions
(including access only for staff having followed specialised training), keeping a record of access to the data,
restrictions for onward transfers or additional security measures.
- Sensitive Data that may appear in the Customer's monitored API environment. Salt Security offers privacy-enhancing
features such that, except where processing is necessary to provide the Services (for example, where the Services detect
an API attack), Customers can configure their deployment of the Services to ensure Sensitive Data remains in the Customer
environment or is otherwise masked and hashed by Salt Security. Applied safeguards are otherwise described in Annex II.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous.
Nature of the processing
- Provision of cloud-based security services as described in the Agreement.
Purpose(s) for which the personal data is processed on behalf of the controller
- The Personal Data is processed in order to provide the Services as set forth in the Agreement and as set forth in
Section 3.3 of the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine
that period
- During the term of the Agreement and thereafter according to Section 8 of the DPA and Salt Security's ordinary course data
retention and backup procedures and in accordance with applicable law, unless otherwise agreed in the Agreement.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
- The subject matter, nature and duration of the processing by Subprocessors are specified above and in the Agreement.
Competent Supervisory Authority
Pursuant to Clause 13, the supervisory authority of the EEA country where (i) the data exporter is established; or where (ii)
the EU representative of the data exporter is established; or where (iii) the data subjects whose personal data are
transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are
located.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF CUSTOMER PERSONAL DATA
Customer acknowledges that the Security Measures are subject to technical progress and development and that Salt Security may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Customer.
Technical and Organizational Security Measures
Description
Measures of pseudonymization and encryption of personal data.
Data is encrypted at rest using services provided by Amazon Web Services (AWS), MongoDB Atlas, and SingleStore.
Keys are stored using key management solutions.
Customer Personal Data designated by the Customer as sensitive can be encrypted and masked by Salt Security's Hybrid server.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Salt Security’s cloud service and hybrids are monitored 24x7 by customer support and engineering personnel.
The Services are deployed in 3 Availability Zones in AWS, and built using Kubernetes – implementing auto-healing and auto-recovery of all services components.
Confidentiality and integrity are addressed in our SOC 2 Type II report.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
The Services are monitored 24x7 and implement auto-healing and auto-recovery capabilities. In case of a disaster in a production AWS region, Salt Security maintains an alternative backup region in the same geography (US, EU, etc.) and is able to operationalize it within 24 hours.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.
Salt Security maintains a SOC 2 Type II audit report, performs annual penetration tests, uses its own product to scan, protect and remediate the Services, and employs code and infrastructure vulnerability scanning on a continuous basis.
Measures for user identification and authorization.
Salt Security uses Okta single sign-on with strong password and MFA requirements to grant access to its production environments and data only to specific authorized personnel.
Measures for the protection of data during transmission.
Data in-transit is encrypted using a unique customer key provided to each Customer upon deployment of the Services.
Measures for the protection of data during storage.
Data at rest is encrypted using AWS, MongoDB Atlas, and SingleStore practices and capabilities.
Measures for ensuring physical security of locations at which personal data are processed.
See our SOC 2 Type II report for more information regarding Salt Security’s physical security measures. No Customer Personal Data is stored on-site at Salt Security office locations.
Measures for ensuring events logging.
We log all cloud events to a dedicated AWS audit account, using AWS CloudTrail.
Measures for ensuring system configuration, including default configuration.
All configuration of AWS infrastructure and accounts is enforced by AWS Control Tower.
Application configuration is managed using Terraform, and can be changed only through a secure change management process applied to our infrastructure-as-code repository.
Measures for internal IT and IT security governance and management.
The admin role for our directory and IT management solutions (Okta, Google Workspace, Cybereason EDR and JumpCloud MDM) is granted to a limited set of personnel.
Measures for certification/assurance of processes and products.
Salt Security maintains a SOC 2 Type II audit report.
Measures for ensuring data minimization.
At a customer's request, Salt Security can initially enable "Discovery Mode," during which the customer can review and customize sensitive data categories.
If using Salt's hybrid deployment, once this process is complete and Salt Security turns on "Detection Mode," all data types identified by the customer as sensitive will be masked and hashed in the customer's environment. Only metadata, masked and hashed data, and data not identified by the customer as sensitive will be sent to Salt Security's cloud service.
If using Salt's cloud-based deployment, when "Detection Mode" is turned on, API traffic will be sent to Salt Security's cloud service and data identified by the customer as sensitive will be promptly masked and hashed before any further processing.
Measures for ensuring data quality.
Salt Security's databases are continuously backed up.
Measures for ensuring limited data retention.
Salt Security maintains a strict data retention policy of 30 days for traffic metadata, 30 days for non-malicious potential attackers and 4 months for malicious attackers.
Measures for ensuring accountability.
Salt Security has an array of security and data protection policies that identify key accountable stakeholders for ongoing tasks and issues as well as incidents and tests.
Measures for allowing data portability and ensuring erasure.
Salt Security has the ability to export or delete Customer Personal Data from the Services per customer request, using internal tools.
Technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller and, for transfers from a processor to a (sub-)processor, to the Customer.
When Salt Security engages a Subprocessor under Section 4 (Subprocessing) of this DPA, Salt Security and the Subprocessor enter into an agreement with data protection obligations materially similar to those contained in this DPA. In addition to implementing technical and organizational measures to protect personal data, Subprocessors must (a) notify Salt Security in the event of a Data Breach; (b) delete Customer Personal Data when instructed by Salt Security; and (c) not engage additional Sub-processors without notice to Salt Security.