DATA PROCESSING ADDENDUM

This Data Processing Addendum ("DPA") forms part of the Terms of Use, Master Subscription Agreement, Order Form, or other written or electronic agreement addressing the same subject matter (the "Agreement") between Customer and Akto Io, Inc. ("Processor"), pursuant to which Processor provides software and related services (the "Services") to Customer.

This DPA governs the Processing of Personal Data by Processor on behalf of Customer in connection with the Services.

For purposes of this DPA, Customer shall act as Controller (or Processor, where applicable), and Akto Io, Inc. shall act as Processor (or Sub-processor, where applicable), solely to the extent Personal Data is Processed in connection with the Services.

Customer and Processor are each referred to herein as a "Party" and collectively as the "Parties".

1. DEFINITIONS

For purposes of this DPA:

• "Controller" means the entity that determines the purposes and means of Processing Personal Data.
• "Processor" means the entity that Processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party engaged by Processor to Process Personal Data on behalf of Customer in connection with provision of Services.
• "Personal Data" means information relating to an identified or identifiable natural person that is processed by Processor on behalf of Customer.
• "Security Incident" means the accidental, unauthorized, or unlawful acquisition, use, destruction, loss, alteration, disclosure of, or access to, Personal Data Processed by Processor.
• "Data Protection Laws" means all applicable privacy, security, and personal data protection laws governing Processing of Personal Data.
• "Processing" means any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, analysis, transmission, and deletion.
• "Sell" or "Selling" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating Personal Data to a third party for monetary or other valuable consideration.
• "Share" or "Sharing" means sharing, releasing, disclosing, making available, transferring, or otherwise communicating Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary consideration, including transactions between a business and a third party for cross-contextual behavioral advertising for the benefit of a business in which no money is exchanged.
• "Sensitive Personal Information" has the meaning given under the California Privacy Rights Act (CPRA) and includes data revealing a consumer's Social Security number, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, or health data, among other categories specified under applicable law.

2. PURPOSE AND SCOPE

Processor shall Process Personal Data solely:

• to provide the Services under the Agreement;
• pursuant to documented instructions from Customer;
• to maintain security and integrity of the Services;
• to comply with applicable law; and
• for legitimate operational purposes including billing, fraud prevention, support, compliance, and internal service administration, using the minimum Personal Data necessary for such purpose;

Processor shall not:

• Sell Personal Data;
• Share Personal Data for cross-context behavioral advertising;
• retain, use, or disclose Personal Data outside the direct business relationship except as permitted under this DPA, the Agreement, or applicable law;
• combine Customer Personal Data with Personal Data collected from other sources, other businesses, or collected from its own interaction with data subjects, except as permitted under applicable law or as specifically authorized in writing by Customer.

Processor may generate aggregated and de-identified information that does not identify Customer or any natural person and may use such information for benchmarking, analytics, security enhancement, and service improvement.

Processor acknowledges that it processes Personal Data as a "service provider" as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), and shall not process Personal Data in a manner inconsistent with that designation.

3. CUSTOMER OBLIGATIONS

Customer represents and warrants that:

• it has all necessary rights and lawful basis to provide Personal Data to Processor;
• it has provided required privacy notices;
• it has obtained required consents where legally necessary;
• its instructions comply with applicable Data Protection Laws;
• it remains responsible for determining whether a Data Subject request is valid before instructing Processor to act; and
• it shall not submit Special Category Data or Sensitive Personal Information to the Services without prior written agreement with Processor, and shall implement appropriate technical controls (including data masking or redaction) to prevent inadvertent submission of such data.

Customer shall promptly notify Processor of:

• Data Subject requests relevant to Processor’s Processing;
• complaints alleging privacy violations involving Processor’s Services;
• regulatory inquiries relating to Personal Data processed under this DPA; and
• legal requests seeking disclosure of Personal Data where Processor assistance may be required.

4. PROCESSOR OBLIGATIONS

Processor shall:

• Process Personal Data only on documented instructions of Customer;
• ensure personnel are bound by confidentiality obligations;
• implement and maintain appropriate technical and organizational safeguards;
• provide commercially reasonable assistance with Data Subject requests within a commercially reasonable period sufficient to enable Customer to meet its statutory deadlines under applicable Data Protection Laws;
• assist with DPIAs and regulatory consultations where applicable in accordance with Section 4A of this DPA;
• notify Customer where Processor reasonably believes an instruction violates applicable law.

Where Customer’s requests for assistance are manifestly unfounded or excessive (in particular because of their repetitive character), Processor may charge a reasonable fee based on documented administrative costs, or may decline to act on such requests. Processor shall notify Customer in writing before imposing any such fee. This clause does not limit Processor’s obligation to assist with requests that are required as a result of Processor’s own breach of this DPA.

4A. DATA PROTECTION IMPACT ASSESSMENTS

Where Customer determines that a Data Protection Impact Assessment (DPIA) is required under applicable Data Protection Laws in connection with the Services, Processor shall, upon Customer's reasonable written request:

• provide a written description of the Processing activities performed under this DPA, including the categories of Personal Data Processed, the purposes of Processing, and the technical and organizational measures in place;
• make available relevant documentation and security information necessary for Customer to conduct the DPIA, including its most recent SOC 2 Type II report or equivalent certification;
• respond to Customer’s reasonable written questions related to the DPIA within a commercially reasonable period, taking into account the nature, scope, and complexity of the request; and
• cooperate with Customer in any related consultation with a supervisory authority, as required by applicable Data Protection Laws.

DPIA assistance requests shall be limited to one (1) per calendar year, except where legally required. Customer shall bear the costs of DPIA assistance, except where the DPIA is required primarily as a result of Processor's breach of this DPA, in which case Processor shall bear its own costs. All DPIA assistance is subject to the confidentiality obligations in Section 5.

5. CONFIDENTIALITY

Processor shall ensure that personnel authorized to Process Personal Data:

• are informed of the confidential nature of Personal Data;
• are subject to written confidentiality obligations;
• receive privacy and security training; and
• access Personal Data strictly on a least-privilege / need-to-know basis.

Confidentiality obligations survive termination of this DPA for as long as Personal Data is retained.

6. SECURITY MEASURES

Processor shall maintain appropriate administrative, technical, physical, and organizational safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, loss, or destruction.

Security measures include, where applicable:

• encryption in transit using TLS/HTTPS;
• encryption at rest where commercially reasonable;
• logical customer segregation;
• MFA / SSO for privileged access;
• access logging and monitoring;
• vulnerability management and patching;
• secure software development lifecycle controls;
• incident response procedures;
• backups and disaster recovery controls;
• vendor security diligence; and
• regular security awareness training.

Processor may update security measures from time to time, provided such updates do not materially diminish the overall security posture of the Services. Where Processor makes a material adverse change that materially diminishes such security posture, Processor shall provide commercially reasonable notice to Customer.

7. AUDIT RIGHTS

Processor shall provide its most recent SOC 2 Type II report (or ISO 27001 certification or equivalent third-party audit report) to Customer upon written request, subject to a mutual non-disclosure agreement. Provision of such report shall constitute primary satisfaction of Customer’s audit rights under this DPA absent a specific documented concern that such report does not address.

Upon reasonable written request not more than once annually (except where legally required following a verified security incident), Processor shall make available information reasonably necessary to demonstrate compliance with this DPA, including:

• security summaries;
• audit reports;
• certifications (including ISO 27001 or equivalent);
• compliance questionnaires;
• summaries of vulnerability remediation programs.

Processor shall provide documentary compliance information (including SOC 2 reports and security summaries) at no charge to Customer. Customer shall only be responsible for reimbursing Processor's reasonable internal costs for extraordinary onsite audit assistance as set out below.

Onsite audits shall only be permitted where legally required or where documentary information is reasonably insufficient. Any onsite audit shall:

• require at least thirty (30) days’ prior written notice;
• occur during normal business hours;
• be subject to confidentiality obligations;
• not unreasonably interfere with operations;
• not expose other customers’ confidential information;
• not include source code review, destructive testing, or penetration testing without written approval.

8. INTERNATIONAL DATA TRANSFERS

Where Processing involves transfer of Personal Data outside a jurisdiction that restricts such transfer, the Parties shall rely on lawful transfer mechanisms, including where applicable:

• EU Standard Contractual Clauses (2021/914);
• UK International Data Transfer Addendum / IDTA;
• Swiss approved transfer mechanisms;
• adequacy decisions; or
• any other lawful transfer mechanism recognized by applicable law.

Where the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum, or any equivalent lawful transfer mechanism applies to a transfer of Personal Data under this DPA, such clauses are hereby incorporated by reference into this DPA and deemed executed by the Parties as of the effective date of the Agreement. Annex I, Annex II, and Annex III of this DPA shall serve as the corresponding Annex I, Annex II, and Annex III to such clauses, as applicable. In the event of any conflict between this DPA and the incorporated transfer clauses, the transfer clauses shall prevail with respect to the transfer to which they apply.

Processor shall maintain supplementary safeguards reasonably designed to support lawful transfers, including encryption, access controls, onward transfer restrictions, and risk review of governmental access obligations.

Processor shall promptly notify Customer if Processor determines it can no longer meet applicable transfer obligations.

9. SUB-PROCESSORS

Customer grants Processor general authorization to engage Sub-processors.

Processor shall:

• impose contractual privacy and security obligations on Sub-processors no less protective in any material respect than those imposed on Processor under this DPA;
• remain responsible for acts and omissions of Sub-processors to the same extent as if Processor performed the services directly, subject to the Agreement’s limitation of liability;
• provide commercially reasonable advance notice before adding any new material Sub-processors, except where earlier implementation is required for security, legal, operational, or service continuity reasons, in which case Processor shall provide notice as soon as reasonably practicable.

If Customer reasonably objects to a proposed Sub-processor on documented privacy or security grounds, the Parties shall work in good faith to resolve such objection. Processor may:

• provide an alternative configuration;
• replace the Sub-processor; or
• permit termination of affected Services portion without penalty as Customer’s sole remedy. In such case, Customer shall be entitled to a commercially reasonable wind-down period following written notice of termination, during which Processor shall make Customer’s Personal Data available for export. Processor shall not charge additional fees solely on account of such wind-down export.

10. GOVERNMENT REQUESTS

If Processor receives a subpoena, regulatory request, or lawful governmental request for Customer Personal Data, Processor shall, unless legally prohibited:

• promptly notify Customer;
• challenge overbroad requests where reasonable; and
• disclose only the minimum information legally required.

11. SECURITY INCIDENT

Processor shall maintain documented incident response procedures designed to identify, investigate, contain, mitigate, and remediate Security Incidents.

Processor shall notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a confirmed Security Incident, or reasonably suspecting that a Security Incident has occurred, affecting Customer Personal Data.

Where initial notification is made based on reasonable suspicion prior to full confirmation, Processor shall provide follow-up updates promptly as additional material information becomes reasonably available, including prompt confirmation where a Security Incident is confirmed.

Notice shall include reasonably available information regarding:

• nature of incident;
• categories of affected data;
• estimated records affected (if known);
• likely consequences;
• remediation steps taken or proposed;
• contact point for follow-up.

Processor’s notification shall not be construed as admission of fault or liability. Processor shall provide commercially reasonable cooperation and information necessary for Customer to investigate, mitigate, and comply with legally required notification obligations arising from a confirmed Security Incident.

12. RETURN AND DELETION

Upon termination or expiration of Services, Processor shall make Customer Personal Data available for export / retrieval for up to thirty (30) days following the effective date of termination or expiration, unless the Parties otherwise agree in writing or unless Processor is prevented from doing so by circumstances beyond its reasonable control (in which case Processor shall notify Customer promptly and use commercially reasonable efforts to make Personal Data available as soon as practicable).

Following such period, Processor shall delete or render inaccessible Customer Personal Data as soon as reasonably practicable, and in any event within ninety (90) days, except where retention is required for:

• legal obligations;
• tax / accounting retention;
• dispute preservation;
• fraud prevention / security logging;
• backup systems (which shall be deleted in the ordinary course within twelve (12) months of the deletion date);
• immutable archival systems maintained in ordinary course.

Any retained Personal Data remains subject to confidentiality and security obligations until securely deleted.

13. LIABILITY

All liability arising under this DPA shall be subject to the exclusions, disclaimers, and limitations of liability contained in the Agreement, which are incorporated herein by reference.

Claims under this DPA, including privacy claims, security claims, Sub-processor claims, and transfer claims, shall count toward the aggregate liability cap under the Agreement unless expressly stated otherwise therein.

14. ORDER OF PRECEDENCE

In the event of conflict:

• applicable SCCs / transfer mechanism shall govern transfer issues;
• this DPA shall govern privacy obligations;
• the Agreement shall govern commercial terms.

15. REGULATORY INVESTIGATIONS

In the event of an investigation by any data protection authority, regulator, or supervisory authority  that relates to the Processing of Customer Personal Data under this DPA, Processor shall:

• promptly notify Customer upon becoming aware of such investigation, to the extent legally permitted;
• provide reasonable cooperation and assistance to Customer in connection with such investigation, including making available relevant records, documentation, and personnel as reasonably required; and
• take no action on behalf of Customer in response to such investigation without Customer’s prior written consent, except where required by applicable law.

The costs of such cooperation shall be borne by Customer, except where the investigation was initiated primarily as a result of Processor’s breach of this DPA, negligence, or willful misconduct, in which case such costs shall be borne by Processor. All liability arising from this Section remains subject to the limitations of liability in the Agreement.

16. MISCELLANEOUS

If any provision of this DPA is invalid or unenforceable, remaining provisions remain in effect.

Except where mandatory law provides otherwise, governing law and dispute resolution provisions in the Agreement apply to this DPA.

No third-party beneficiaries are created under this DPA except rights mandatorily granted to Data Subjects by law.

Clauses relating to confidentiality, retained data, security, liability, and dispute resolution survive termination.

Execution. This DPA is deemed executed by the Parties and becomes effective upon execution of the Agreement (including by written agreement, Order Form, click-through acceptance, or other legally binding acceptance referencing the Agreement), without requiring separate signature of this DPA unless expressly agreed otherwise in writing.

Amendments: This DPA may only be amended by a written instrument signed by authorised representatives of both Parties. No amendment shall be effective unless it expressly states that it amends this DPA.

ANNEXURES

Annex I-A - LIST OF PARTIES & DESCRIPTION OF PROCESSING

Data Exporter: Customer, as identified in the Agreement.

Activities relevant to transfer: Receipt and use of Services; disclosure of Customer Personal Data to Processor in connection with Services
Role: Controller (or Processor where applicable)

Data Importer: Akto Io, Inc.,
Address: 95 Third Street, 2nd Floor, San Francisco, California 94103.
Contact: Ankush Jain — ankush@akto.io.

Activities relevant to transfer: Processing Customer Personal Data solely to provide Services under Agreement
Role: Processor (or Sub-processor where applicable)

Categories of Data Subjects

These may include:

• Customer authorized users;
• Customer employees / contractors;
• Customer end users where data is submitted through Services;
• Customer support contacts;
• individuals whose identifiers or technical metadata are included in Customer systems analyzed by Services.

Categories of Personal Data

These may include:

• name,
• business email,
• username / account ID,
• organization / role metadata,
• IP address / device identifiers,
• authentication metadata,
• API endpoint metadata,
• application telemetry,
• log / audit records,
• support communications,
• customer-configured content submitted to Services.

Sensitive Data

Processor does not intentionally require Special Category / Sensitive Personal Data for normal operation of Services. Customer shall avoid submitting such data unless expressly agreed in writing.

Nature of Processing

Collection, storage, organization, retrieval, analysis, transmission, support access, security monitoring, and deletion as necessary to provide Services.

Purpose

Provision, maintenance, support, security, and improvement of Services as described in the Agreement.

Duration

For the duration of the Agreement plus applicable deletion / backup retention cycles as set out in Section 12 of this DPA.

Annex I-B - DESCRIPTION OF TRANSFER

Frequency of Transfer

Continuous, for the duration of the Agreement, as triggered by Customer’s access to and use of the Services. Transfers occur on an ongoing basis each time the Services are accessed or Personal Data is submitted, processed, or retrieved by or on behalf of Customer.

Nature of Transfer

Transmission of Personal Data from Customer (Data Exporter) to Akto Io, Inc. (Data Importer) via encrypted network connection (TLS/HTTPS) for the purpose of providing the Services. Personal Data may be accessed remotely by Data Importer’s personnel for support, maintenance, and security purposes.

Purpose of Transfer

The transfer of Personal Data is necessary to enable Processor to provide the Services under the Agreement, including: API security testing and monitoring; application telemetry analysis; authentication and access management; customer support; security incident response; and service maintenance and improvement.

Retention Period

Personal Data is retained for the duration of the Agreement and deleted within ninety (90) days following expiration or termination, subject to the exceptions set out in Section 12 of this DPA (legal obligations, tax retention, dispute preservation, fraud prevention, and backup / archival cycles). Backup copies are deleted within twelve (12) months in the ordinary course.

Transfers to Sub-processors

Where Personal Data is transferred onward to Sub-processors listed in Annex III, such transfers are made solely for the purposes described in Annex III (hosting, authentication, analytics, support, and communications). All Sub-processors are contractually bound by data protection obligations no less protective than those in this DPA. Sub-processor transfers are made under lawful transfer mechanisms as required by applicable Data Protection Laws.

Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and, where applicable, Clause 13 of the EU Standard Contractual Clauses, based on the Data Exporter’s place of establishment. For UK transfers, the competent authority is the UK Information Commissioner’s Office (ICO).

ANNEX II — TECHNICAL & ORGANIZATIONAL MEASURES

Processor maintains an information security program aligned to commercially reasonable industry practices, including:

• governance and security leadership;
• written security policies;
• access control management;
• MFA; logging and monitoring;
• encryption in transit;
• encryption at rest where commercially reasonable;
• vulnerability scanning;
• patch management;
• incident response;
• disaster recovery;
• vendor management;
• secure SDLC;
• personnel confidentiality obligations;
• periodic security training;
• business continuity testing.

Security controls may evolve over time, provided overall security posture is not materially diminished.

ANNEX III — SUB-PROCESSORS