Data Processing Agreement
This DPA forms part of the agreement between you and CYBRET AI and reflects our Article 28 GDPR obligations as your processor. It is pre-countersigned: accept by attaching it to your order form, or email privacy@cybret.ai for a PDF counterpart.
1. Definitions
Capitalised terms not defined here have the meaning given in Regulation (EU) 2016/679 ("GDPR"). "Customer Personal Data" means personal data contained in Customer Data processed by CYBRET on behalf of Customer under the Agreement.
2. Scope and roles
With respect to Customer Personal Data, Customer is the controller (or a processor acting on behalf of a third-party controller) and CYBRET is the processor. The duration, nature, purpose, categories of data, and categories of data subjects are described in Annex I.
3. Customer instructions
CYBRET will process Customer Personal Data only on documented instructions from Customer, including the instructions contained in the Agreement, this DPA, and the configuration of the service made by Customer through the product. CYBRET will immediately inform Customer if, in its opinion, an instruction violates applicable data protection law.
4. Sub-processors
Customer provides CYBRET with general authorisation to engage sub-processors in accordance with this section. CYBRET maintains a current list of sub-processors at Annex III and on the Trust Center. CYBRET will notify Customer at least 30 days before adding or replacing a sub-processor with access to Customer Personal Data. Customer may object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection or Customer may terminate the affected service without penalty.
CYBRET imposes on each sub-processor obligations no less protective than those set out in this DPA and remains fully liable for their performance.
5. Confidentiality of personnel
CYBRET ensures that persons authorised to process Customer Personal Data are bound by confidentiality obligations surviving termination of their engagement and receive appropriate training in data protection and information security.
6. Security measures
CYBRET implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex II. CYBRET reviews and updates these measures periodically; no update will materially reduce the overall level of protection.
7. Personal data breach
CYBRET will notify Customer without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. Notifications are sent to the customer admin of record and include the information required by Article 33(3) GDPR to the extent known, with updates as the investigation progresses.
8. Data subject rights
Taking into account the nature of the processing, CYBRET will assist Customer by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests under Chapter III GDPR. Where a data subject contacts CYBRET directly, CYBRET will refer them to Customer unless another response is required by law.
9. International transfers
Customer Personal Data stays in the region Customer selects at onboarding (US-East, EU-Central, or AP-Southeast). Where a transfer occurs from the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties agree that the EU Commission's Standard Contractual Clauses (2021/914) are incorporated by reference on the following basis:
- Module 2 (controller-to-processor) where Customer is a controller;
- Module 3 (processor-to-processor) where Customer is itself a processor;
- The optional docking clause is selected; Clause 11 option (independent dispute body) is not selected;
- Governing law is the law of Ireland; the competent supervisory authority is the Irish DPC.
For UK transfers, the parties agree to the UK International Data Transfer Addendum to the EU SCCs, Version B1.0. For Swiss transfers, references to the GDPR are construed as references to the FADP where applicable.
10. Audits
CYBRET makes available to Customer information necessary to demonstrate compliance with Article 28 GDPR, including the current trust posture letter, penetration test summary, and — once issued — the SOC 2 Type II report and ISO 27001 certificate (both in progress; see the trust page for status). These satisfy the audit obligation for most customers.
If those materials are insufficient, Customer may request an on-site audit once per 12-month period, on 30 days' written notice, during business hours, subject to reasonable confidentiality and security measures and at Customer's cost. Audits must not disrupt CYBRET's operations or compromise the data of other customers.
11. Return and deletion
On termination or expiry of the Agreement, CYBRET will, at Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by applicable law. Deletion is completed within 30 days and confirmed in writing on request.
Annex I · Description of processing
A. List of parties
Data exporter: the Customer identified on the order form. Data importer: CYBRET AI, Inc., 2261 Market Street #4532, San Francisco, CA 94114, USA. Contact: privacy@cybret.ai.
B. Description of transfer
C. Competent supervisory authority
The Data Protection Commission (DPC) of Ireland, in its capacity as lead supervisory authority for CYBRET's EU establishment.
Annex II · Technical and organisational measures
CYBRET implements, and maintains during the term of the Agreement, the following measures. This summary is controlling; the full statement is available under NDA via the Trust Center.
Annex III · Authorised sub-processors
The current list of authorised sub-processors is published on the Trust Center. At the effective date of this DPA, CYBRET engages the following sub-processors with access to Customer Personal Data:
Customer will be notified of additions or replacements at least 30 days in advance, as described in Section 4.